diff options
author | Mounir IDRASSI <mounir.idrassi@idrix.fr> | 2015-08-05 12:06:00 +0200 |
---|---|---|
committer | Mounir IDRASSI <mounir.idrassi@idrix.fr> | 2015-08-06 00:03:56 +0200 |
commit | c2d0d5e344fe250591e06208f118519d819324b2 (patch) | |
tree | aa8e54e1a08d27962fadc7c3cc37d5f13f80395e | |
parent | a06c41c5c9b7e7f1625a0f8b5e06e08016094bc0 (diff) | |
download | VeraCrypt-c2d0d5e344fe250591e06208f118519d819324b2.tar.gz VeraCrypt-c2d0d5e344fe250591e06208f118519d819324b2.zip |
Windows: Add extra checks for bootloader tampering.
-rw-r--r-- | src/Common/BootEncryption.cpp | 5 | ||||
-rw-r--r-- | src/Driver/DriveFilter.c | 37 |
2 files changed, 35 insertions, 7 deletions
diff --git a/src/Common/BootEncryption.cpp b/src/Common/BootEncryption.cpp index d9570062..5da2988e 100644 --- a/src/Common/BootEncryption.cpp +++ b/src/Common/BootEncryption.cpp @@ -1565,6 +1565,11 @@ namespace VeraCrypt bRet = true;
}
}
+ catch (SystemException &e)
+ {
+ if (!bSilent && (GetLastError () != ERROR_INVALID_IMAGE_HASH))
+ e.Show (ParentWindow);
+ }
catch (Exception& e)
{
if (!bSilent)
diff --git a/src/Driver/DriveFilter.c b/src/Driver/DriveFilter.c index 4b9117eb..566aacda 100644 --- a/src/Driver/DriveFilter.c +++ b/src/Driver/DriveFilter.c @@ -1764,17 +1764,40 @@ void GetBootLoaderFingerprint (PIRP irp, PIO_STACK_LOCATION irpSp) {
if (ValidateIOBufferSize (irp, sizeof (BootLoaderFingerprintRequest), ValidateOutput))
{
- if (BootArgsValid)
+ irp->IoStatus.Information = 0;
+ if (BootArgsValid && BootDriveFound && BootDriveFilterExtension && BootDriveFilterExtension->DriveMounted && BootDriveFilterExtension->HeaderCryptoInfo)
{
- BootLoaderFingerprintRequest *bootLoaderFingerprint = (BootLoaderFingerprintRequest *) irp->AssociatedIrp.SystemBuffer;
- memcpy (bootLoaderFingerprint->Fingerprint, BootLoaderFingerprint, sizeof (BootLoaderFingerprint));
- irp->IoStatus.Information = sizeof (BootLoaderFingerprintRequest);
- irp->IoStatus.Status = STATUS_SUCCESS;
+ BootLoaderFingerprintRequest *bootLoaderFingerprint = (BootLoaderFingerprintRequest *) irp->AssociatedIrp.SystemBuffer;
+
+ /* compute the fingerprint again and check if it is the same as the one retrieved during boot */
+ char *header = TCalloc (TC_BOOT_ENCRYPTION_VOLUME_HEADER_SIZE);
+ if (!header)
+ {
+ irp->IoStatus.Status = STATUS_INSUFFICIENT_RESOURCES;
+ }
+ else
+ {
+ memcpy (bootLoaderFingerprint->Fingerprint, BootLoaderFingerprint, sizeof (BootLoaderFingerprint));
+ ComputeBootLoaderFingerprint (BootDriveFilterExtension->LowerDeviceObject, header);
+
+ burn (header, TC_BOOT_ENCRYPTION_VOLUME_HEADER_SIZE);
+ TCfree (header);
+
+ if (0 == memcmp (bootLoaderFingerprint->Fingerprint, BootLoaderFingerprint, sizeof (BootLoaderFingerprint)))
+ {
+ irp->IoStatus.Information = sizeof (BootLoaderFingerprintRequest);
+ irp->IoStatus.Status = STATUS_SUCCESS;
+ }
+ else
+ {
+ /* fingerprint mismatch.*/
+ irp->IoStatus.Status = STATUS_INVALID_IMAGE_HASH;
+ }
+ }
}
else
{
- irp->IoStatus.Status = STATUS_INVALID_PARAMETER;
- irp->IoStatus.Information = 0;
+ irp->IoStatus.Status = STATUS_INVALID_PARAMETER;
}
}
}
|