DupeZ is a Windows network-condition testing and diagnostics workspace for devices and local networks you own or are explicitly authorized to test. It combines scoped packet impairment, dry-run previews, automatic stop deadlines, crash-safe recovery, live diagnostics, and redacted support tooling in a PyQt6 desktop application.
The DayZ-oriented workflow focuses on reproducible connection testing: latency, jitter, loss, bandwidth pressure, temporary disconnects, server reachability, and local adapter/firewall health. The supported product boundary is owned-lab diagnostics only: private servers, local devices, explicit authorization, short automatic deadlines, and auditable rollback.
Installed builds keep mutable settings, histories, episodes, trained models,
logs, captures, reports, and crash dumps under %LOCALAPPDATA%\DupeZ rather
than beside binaries in Program Files. Upgrades perform a verified,
copy-only migration of recognized legacy files. Existing destination files win,
conflicts are reported, and legacy files are never deleted automatically.
DupeZ uses a three-tier fallback for packet disruption:
- Native WinDivert Engine — Pure Python, loads WinDivert.dll directly via ctypes. No GUI window, no external process. Batch API (RecvEx/SendEx) for up to 255 packets per syscall. Fastest startup, lowest overhead.
- Clumsy --silent — Launches clumsy.exe with
--silentflag (patched build). Hidden window, force-enables all modules. - Clumsy GUI Automation — Falls back to standard clumsy.exe with win32 automation.
The engine supports bounded lab scenarios such as drop, lag, throttle, bandwidth pressure, duplication, corruption, reordering, and temporary disconnect. Every controller-started active operation is checked against local CIDR policy and receives a hard automatic stop deadline.
Safety and support features include:
- First-run owned/authorized-network acknowledgement.
- Dry Run mode that validates and audits without loading the packet engine.
- Local-address and operator-defined CIDR scope checks.
- Crash-safe recovery of packet, firewall, and forwarding state.
- Redacted diagnostics, privacy inventory, and support-bundle exports.
- Stable CLI JSON schemas for support automation.
Statistical impairment models are available for reproducing burst loss, heavy-tail jitter, rate limiting, and correlated loss in controlled tests.
The DayZ workflow combines passive server reachability/query checks with latency, jitter, loss, route, adapter, firewall, and driver diagnostics. It is intended to help players and private-server operators reproduce and explain connection problems without claiming to manipulate public-server game state.
Lightweight plugin system for community-built extensions. Four plugin types: DisruptionPlugin, ScannerPlugin, UIPanelPlugin, GenericPlugin. JSON manifest + Python entry point in plugins/. Hot-reload via Tools menu or CLI.
Run DupeZ headless from the terminal. Subcommands: scan, disrupt, stop, status, devices, plugins. Interactive REPL with dupez-cli interactive. Script disruptions with --methods and --params flags for automation pipelines.
Network intelligence toolkit. Four core tabs — Live Traffic Monitor, Latency Overlay (floating transparent widget), Port Scanner, and Connection Mapper with gaming port detection and hostname resolution — plus AI / Smart Ops, GPC / Cronus Zen, and LAN Cut tabs that appear when their subsystems are available.
Ad-free embedded iZurvive with two-layer ad blocking. Supports Chernarus+ (Satellite/Topographic), Livonia, Namalsk, Sakhal, Deer Isle, Esseker, and Takistan.
Multi-account DayZ manager with full CRUD, XLSX/CSV import and export, and per-account status tracking. Features include: notes field per account, multi-select with right-click context menu (edit, duplicate, set status, delete), quick-filter status chips, duplicate account with auto-increment, row numbering, editable dropdown fields, last-modified timestamps, scoped bulk operations (all/selected/filtered), and filtered subset export.
Built-in interactive guide with 10+ collapsible sections covering every feature: Clumsy Control, iZurvive Map, Account Tracker, Network Tools, Settings & Themes, Voice Control, GPC/Cronus, Troubleshooting, and Keyboard Shortcuts. Accessible from the sidebar rocket icon (🚀).
The Clumsy Control sections — Preset, Platform, Direction, Modules, and Live Stats — are wrapped in collapsible cards with ▶/▼ toggle headers and ▲/▼ reorder buttons. Collapse what you don't need, reorder to match your workflow. The scheduler/macro controls sit inline beneath the disrupt buttons; Smart Mode, Voice, and GPC/Cronus live in the Network Tools view.
Closed-loop lab verification for owned same-network devices and private DayZ servers. The verifier samples Source-query reachability during a bounded operation, records whether the private endpoint stayed healthy, degraded, or temporarily disconnected, and writes that summarized state to the local operation journal. The learning loop consumes only aggregate health outcomes so operators can compare lab presets without storing raw targets or packet payloads.
Vendor column now resolves against the full IEEE OUI database (~35k entries via scapy MANUFDB) instead of the 60-entry curated table — Ring, HUMAX, Murata, Texas Instruments, Chamberlain, HP, Samsung, Apple, and every other registered manufacturer populate correctly.
Same-network lab workflows now fail visibly instead of presenting a successful
operation when client isolation or adapter policy prevents observation. v5.7.2
keeps the isolation watchdog, raises the grace window to avoid false positives,
and falls back to clearly announced self-diagnostics when the owned peer path is
not available. params["_force_self_disrupt"] remains an explicit opt-in for
operators who are intentionally testing only their own traffic.
Six feature backends that shipped backend-only in v5.7.0/v5.7.1 are now reachable from the UI:
- Risk Score —
Tools → Risk Score…shows the live 0-100 score with the six-factor breakdown (active cuts, audit volume, kill-switch state, episode rate, server-integrity signal, network changes). - Diagnostics —
Tools → Diagnostics…(F2) runs all 8 self-checks (Npcap, WinDivert handle, IP forwarding, ARP table, audit log, episode store, signing key, update channel) with pass/warn/fail and per-check remediation hints. - Kill Switch — Panic Stop —
Tools → Kill Switch(Ctrl+Alt+X) immediately halts every active disruption. The manual half of the kill-switch feature; auto-triggers (server-integrity / risk threshold / packet rate) still pending a settings panel. - OBS Overlay Server —
Tools → Toggle OBS Overlay Serverstarts/stops the localhost-bound HTTP endpoint and shows the browser-source URL. Auto-starts on launch whensettings.obs_overlay_enabledis set. - Audit Webhook Fan-Out —
AuditLogger.log()now actually emits configured Discord/generic webhook events after the canonical JSONL write. Best-effort, daemon-threaded, never raises into the audit hot path. Configure under Settings → Audit. - Episode Store Rotation — 90-day / 5000-file retention now enforced once per launch; the JSONL episode store no longer grows unbounded.
Five post-audit fixes to the v5.6.9–v5.7.2 modules (added after the v5.6.2 nation-state cert sweep, never security-reviewed): backup restore path allowlist (app/data + app/config only — closed an arbitrary-code-execution path from hand-crafted bundles); decompression-bomb caps on backup restore; overlay server /state no longer ships wildcard CORS (was leaking live disruption state to any website the operator visited); webhook URL scheme allowlist (https:// or loopback http:// only — file:///ftp:// blocked); preset params underscore-key allowlist + 16 KB size cap so a shared preset can't inject engine control flags. 15 new security regression tests in tests/test_security_v573.py.
Proper Inno Setup installer registers DupeZ in Add/Remove Programs with full uninstall support. Windows application manifest and VS_VERSION_INFO resource for SmartScreen trust. In-app auto-updater checks GitHub Releases and can download + silently install new versions with progress feedback.
| Preset | Effect |
|---|---|
| Red Disconnect | 100% drop + 3000ms lag + 0 KB/s cap + full throttle + hard cut |
| Lag | Heavy sustained lag + drop — tune sliders after selecting (Light ~800/60 · Max ~5000/100) |
| Temporary Disconnect | Short, bounded interruption for authorized lab reconnect testing |
| Custom | Set your own parameters |
Platform-specific presets (pc_local, ps5_hotspot, xbox_hotspot) live in the game profile JSON and are auto-selected at disrupt time based on target subnet, MAC OUI, hostname, and device type — see app/firewall/target_profile.py::resolve_target_profile.
- Windows 10/11 (64-bit)
- Python 3.10+
- Administrator privileges (required for WinDivert kernel driver)
- Inno Setup 6+ — Required only to compile the installer (
isccmust be on PATH) - Code signing certificate — Optional for local builds, strongly recommended for releases. Set
DUPEZ_SIGN_CERTandDUPEZ_SIGN_PASSto Authenticode-signbuild.batoutputs and allbuild_variants.batrelease executables with SHA-256 timestamping.
The following must be present in app/firewall/:
WinDivert.dll— Kernel packet interception libraryWinDivert64.sys— WinDivert kernel driverclumsy.exe— Packet manipulation engine (fallback only)
# Clone
git clone https://github.com/GrihmLord/DupeZ.git
cd DupeZ
# Install dependencies
pip install -r requirements.txt
# Run GUI (auto-elevates via UAC)
python dupez.py
# Run CLI (headless)
python -m app.cli scan
python -m app.cli interactive
# Safe maintenance commands (no Administrator required)
python -m app.cli diagnostics
python -m app.cli diagnostics --json
python -m app.cli health
python -m app.cli health --json
python -m app.cli pktmon plan --port 2302 --protocol udp
python -m app.cli pktmon plan --port 2302 --protocol udp --json
python -m app.cli performance smoke
python -m app.cli performance smoke --json
python -m app.cli status --json
python -m app.cli report active --output-dir .\reports
python -m app.cli privacy scan
python -m app.cli privacy scan --json
python -m app.cli privacy retention
python -m app.cli privacy retention --max-age packet-capture=3 --json
python -m app.cli privacy scrub --apply
python -m app.cli recovery audit-status
python -m app.cli recovery audit-status --json
python -m app.cli recovery secret-store-status
python -m app.cli recovery secret-store-status --json
python -m app.cli recovery secret-store-repair-plan
python -m app.cli recovery secret-store-repair-plan --json
python -m app.cli safety status
python -m app.cli safety status --json
python -m app.cli safety acknowledge --owned-authorized-network
python -m app.cli storage status
python -m app.cli storage status --json
python -m app.cli support bundle
python -m app.cli support bundle --jsondiagnostics runs the same health checks exposed in the GUI, including
secret-store access, persistence integrity key mode, audit-chain health, and a
passive WiFi adapter route check. The safe JSON commands redact user-specific
local filesystem roots and report classified error codes such as
permission_denied so support output is useful without exposing local paths.
health combines those checks with aggregate adapter readiness, default-route
type, Pktmon/PCAPNG capability, safety-policy state, recovery status, a health
score, and prioritized recommendations. It excludes adapter names, raw IPs,
MACs, and packet payloads.
pktmon plan previews a filter-required Windows Packet Monitor capture without
changing system state. Actual capture requires Administrator rights plus both
--apply and --accept-sensitive-capture. Captures are capped at 30 seconds,
32 MB circular storage, NIC components, and 64 bytes per packet. DupeZ refuses
to alter pre-existing global Pktmon filters and never uploads capture files.
ETL/PCAPNG artifacts are included in privacy scan and quarantine workflows.
performance smoke runs local no-engine benchmarks for storage status,
retention planning, and scenario-report generation against conservative support
budgets; add --include-support-bundle when you also want to measure full
redacted support-bundle creation.
status --json includes a privacy-preserving active-operation snapshot with
masked targets and remaining automatic-stop time. report active writes a
deterministic scenario report using UTC timestamps and IPPM metric terminology.
Raw targets and parameter values are excluded; parameter sets are represented
by stable fingerprints so repeated configurations can be compared safely.
privacy scan inventories ignored local runtime artifacts such as audit logs,
episode telemetry, support bundles, reports, managed backup archives, old
privacy quarantines, packet captures, logs, crash reports, and device caches.
privacy retention previews conservative age-based cleanup windows for local
artifacts; add --apply to quarantine only expired items, or repeat
--max-age CATEGORY=DAYS to override a category.
privacy scrub --apply quarantines the full inventory under
app/data/privacy-quarantine-*. Add --include-account-data only when you
also want account tracker/profile files to participate. recovery audit-status reports whether the local tamper-evident audit chain is valid,
sealed, or running with a degraded key. recovery secret-store-status checks
whether the OS-backed key store is reachable and writable. Add --json to
safe maintenance commands when another tool needs parseable output. support bundle writes a redacted JSON support artifact containing diagnostics,
secret-store health, and privacy inventory metadata without raw logs, secrets,
account contents, raw IPs, MACs, or user-specific local paths. It includes
privacy category counts and retention eligibility by default; add
--include-file-list only when support needs exact runtime filenames.
safety status reports the versioned authorized-use acknowledgement. Active
CLI operations require it unless --dry-run is used. storage status reports
managed runtime roots, migration marker health, and legacy-file candidate
counts with local paths redacted in JSON/support output.
Run from the repo root. All build scripts and PyInstaller specs live in packaging\ but write output to repo-root dist\.
pip install pyinstaller
# Legacy single binary (requireAdministrator):
packaging\build.bat
# Output: dist\dupez.exe + dist\DupeZ_v5.7.8_Setup.exe (installer)
# Modern dual-variant build (RECOMMENDED):
packaging\build_variants.bat
# Output: dist\DupeZ-GPU.exe (asInvoker, split-arch, GPU map)
# dist\DupeZ-Compat.exe (requireAdministrator, inproc, legacy fallback)Download DupeZ_v5.7.8_Setup.exe from Releases (or use the stable DupeZ_Setup.exe alias which always points at the latest release). The installer:
- Installs to
Program Files\DupeZ— trusted path, no SmartScreen warnings after signing - Registers in Add/Remove Programs with version, publisher, and icon
- Creates Start Menu and Desktop shortcuts
- Preserves Windows trust metadata and relies on signatures/hashes instead of overriding SmartScreen or Windows Application Control
- Supports upgrade-in-place — re-run a newer installer without uninstalling first
- In-app auto-update — DupeZ checks GitHub Releases on launch and can download + install updates directly
dupez.py # Entry point (GUI mode)
dupez_helper.py # Elevated helper entry point (split-arch)
requirements.txt # Dependencies
requirements-locked.txt # Pinned dependency versions
packaging/ # All PyInstaller + Inno Setup build files
├── dupez.spec # Legacy single-binary PyInstaller spec
├── dupez_gpu.spec # DupeZ-GPU.exe spec (asInvoker, split)
├── dupez_compat.spec # DupeZ-Compat.exe spec (requireAdmin, inproc)
├── build_common.py # Shared Analysis/PYZ/EXE factory
├── dupez.manifest # Windows app manifest (GPU + legacy)
├── dupez_compat.manifest # Windows app manifest (Compat variant)
├── version_info.py # VS_VERSION_INFO resource for exe metadata
├── installer.iss # Inno Setup installer script
├── build.bat # 4-stage legacy pipeline (single binary)
└── build_variants.bat # Modern dual-variant pipeline (RECOMMENDED)
app/
├── main.py # UAC elevation, crash handler, Qt init
├── cli.py # CLI mode — headless terminal interface + REPL
├── core/
│ ├── controller.py # Scan, disrupt, block — main app logic
│ ├── state.py # Observable state + device model
│ ├── data_persistence.py # Atomic JSON persistence
│ ├── scheduler.py # Disruption scheduler + macro engine
│ ├── profiles.py # Named disruption profile system
│ ├── updater.py # Auto-updater via GitHub Releases API
│ ├── crypto.py # CNSA 2.0 cryptographic primitives
│ ├── secrets_manager.py # AES-256-GCM envelope encryption
│ ├── secure_http.py # TLS 1.3 hardened HTTP client
│ ├── validation.py # Strict allowlist input validation
│ └── patch_monitor.py # DayZ patch monitoring with HMAC integrity
├── plugins/
│ ├── base.py # Plugin base classes (4 types)
│ └── loader.py # Plugin discovery + lifecycle management
├── ai/
│ ├── smart_engine.py # ML-based disruption parameter optimizer
│ ├── network_profiler.py # Target connection profiler
│ ├── llm_advisor.py # Natural-language disruption tuning
│ ├── session_tracker.py # Session history + HMAC-verified persistence
│ └── voice_control.py # Push-to-talk voice commands via Whisper
├── gpc/
│ ├── gpc_parser.py # CronusZEN .gpc script parser
│ ├── gpc_generator.py # Accessibility/diagnostic .gpc script generator
│ └── device_bridge.py # Cronus USB device detection
├── firewall/
│ ├── native_divert_engine.py # WinDivert packet engine (ctypes, batch API)
│ ├── clumsy_network_disruptor.py # Dual-engine orchestrator (native + clumsy)
│ ├── engine_base.py # DisruptionManagerBase ABC
│ ├── packet_classifier.py # Real-time packet classification engine
│ ├── tick_sync.py # Legacy timing helper (not public-selectable)
│ ├── statistical_models.py # Gilbert-Elliott, Pareto, token bucket, correlated
│ ├── asymmetric_presets.py # 14 named directional presets
│ ├── blocker.py # netsh firewall rules (fallback)
│ └── modules/ # Extracted disruption modules
│ ├── lag.py # Connection-preserving lag (v5.2)
│ ├── drop.py # Random packet drop
│ ├── disconnect.py # Bounded temporary disconnect module
│ ├── duplicate.py # Packet flooding (N+1 copies)
│ ├── ood.py # Out-of-order reordering
│ ├── corrupt.py # Payload bit-flip corruption
│ ├── bandwidth.py # Token-bucket bandwidth cap
│ ├── throttle.py # Time-gated packet flow
│ └── rst.py # TCP RST injection
├── gui/
│ ├── dashboard.py # Sidebar rail + view stack
│ ├── clumsy_control.py # Device list + disruption controls
│ ├── network_tools.py # Traffic monitor, latency, port scanner
│ ├── dayz_map_gui_new.py # Ad-free iZurvive + map selector
│ ├── dayz_account_tracker.py # Multi-account tracker
│ ├── hotkey.py # Global hotkey listener
│ ├── settings_dialog.py # App settings
│ └── panels/ # Modular UI panels
│ ├── help_panel.py # Getting Started guide (collapsible sections)
│ ├── smart_mode_panel.py # AI auto-tune panel
│ ├── stats_panel.py # Live packet stats
│ ├── voice_panel.py # Voice control panel
│ └── gpc_panel.py # GPC/Cronus panel
├── network/
│ ├── device_scan.py # ARP/TCP device discovery
│ └── enhanced_scanner.py # Threaded scanner with signals
├── themes/ # QSS stylesheets (dark, hacker, light, rainbow)
├── logs/ # Rotating log files + tamper-evident audit trail
├── utils/ # Helpers and system utilities
├── config/ # JSON config + game profiles
│ └── game_profiles/ # Per-game tuning (ports, tick rates, defaults)
│ └── dayz.json
└── resources/ # App icons
plugins/ # Community plugins (each folder = one plugin)
└── example_ping_monitor/
tests/ # Broad unit/integration suite with hardware-gated checks
tools/ # Operator CLI utilities (scan/lag smoketest, etc.)
bench/ # Micro-benchmarks for hot paths
docs/
├── adr/ # Architecture Decision Records
├── release-notes/ # Per-version release notes + deploy checklists
├── audits/ # Deep-audit reports (WiFi disrupt, etc.)
├── user_guides/ # End-user how-to docs
├── integration/ # Integration and platform notes
└── reports/ # Audit and research reports (DOCX deliverables)
logs/
└── archive/ # Quarantined crash dumps and stale traces
DupeZ supports two runtime architectures, selectable at build time:
- Split (GPU variant) — Medium-integrity GUI process with an elevated helper subprocess for WinDivert operations. Launches via
asInvokermanifest; UAC prompt only for the helper. Enables GPU-accelerated map rendering. - In-process (Compat variant) — Single elevated process with
requireAdministratormanifest. Legacy fallback for systems where split-arch IPC fails.
The active architecture is displayed in the About dialog as the ARCH field.
app.guiowns presentation and may depend on backend services.app.coreowns orchestration, persistence, diagnostics, presets, and reusable platform capability probes. It must not importapp.gui.app.firewall_helperowns the elevated split-process boundary and must not importapp.gui.- Built-in preset definitions live in
app.core.builtin_presets; the GUI exposes a compatibility alias but does not own the data. - GPU capability detection lives in
app.core.gpu_probe, allowing the GUI and helper architecture selector to share the probe without crossing layers. AppControllerowns its service lifecycle explicitly. Dependencies can be injected, construction can be inert withauto_start=False, and startup, shutdown, scheduler, plugin, engine, and scan-thread ownership are idempotent.
These rules are enforced by tests/test_architecture_boundaries.py.
DupeZ v5.0.0+ implements defense-in-depth security hardening:
- Cryptography: AES-256-GCM envelope encryption with machine-bound KEK, HMAC-SHA384 data integrity, SHA-384/512 hashing, PBKDF2-SHA-512 key derivation (600K iterations). CNSA 2.0 compliant. No MD5/SHA-1/RC4.
- Input Validation: Strict allowlist validation at every trust boundary. WinDivert filter strings tokenized and checked against an allowlist. All parameters range-validated.
- Network Hardening: TLS 1.3 minimum for all outbound HTTP. Certificate verification always enabled. URL scheme/host validation.
- Data Persistence: Atomic writes (tmp → fsync → replace). HMAC companion files for integrity verification. Hash-chained JSONL audit logging (tamper-evident).
- Secrets Management: Encrypted at-rest storage with machine-bound keys. No plaintext secrets in config files.
- IP Masking: All target IPs masked via
mask_ip()in every log statement. Zero raw IPs in any log output.
The Help → Hotkeys dialog (F1) self-generates from the live menu bar, so it can never drift from the table below.
| Key | Action |
|---|---|
| Ctrl+S | Scan network |
| Ctrl+D | Stop all disruptions |
| Ctrl+1 / 2 / 3 / 4 | Switch views (Clumsy Control / Map / Accounts / Network Tools) |
| Ctrl+, | Settings |
| Ctrl+E | Export device data |
| Ctrl+Q | Exit |
| Ctrl+Shift+D | Toggle tray visibility |
| Ctrl+Shift+P | Custom Preset Editor |
| Ctrl+Alt+A | Next account (multi-account quick-switch) |
| Ctrl+Alt+Shift+A | Previous account |
| F1 | Help → Hotkeys dialog |
| F2 | Diagnostics wizard (v5.7.5) |
| Ctrl+Alt+X | Kill Switch — Panic Stop (v5.7.5) |
See CHANGELOG.md for full details and ROADMAP.md for what's coming next.
- Clumsy by jagt (Chen Tao) — The original network condition simulator for Windows using WinDivert.
- Clumsy Keybind Edition (v0.3.4) by Kalirenegade — Fork with keybind support, timer, and disconnect modules.
Proprietary. All rights reserved.
Built by GrihmLord