VeraCrypt
aboutsummaryrefslogtreecommitdiff
path: root/src/Common
diff options
context:
space:
mode:
authorMounir IDRASSI <mounir.idrassi@idrix.fr>2023-09-18 00:13:52 +0200
committerMounir IDRASSI <mounir.idrassi@idrix.fr>2023-09-18 00:13:52 +0200
commitb1657e88e4f7922cda6795d843b5b7723b27102f (patch)
treedb79f9b9388a6a0b3a8bd064768ca3b0d6ce74e8 /src/Common
parentfb8ae98c7392ddfad4ca0481bb2b5de27987f302 (diff)
downloadVeraCrypt-b1657e88e4f7922cda6795d843b5b7723b27102f.tar.gz
VeraCrypt-b1657e88e4f7922cda6795d843b5b7723b27102f.zip
Windows Security: make memory protection enabled by default. Add process mitigation (ASLR, Dynamic code, extension points)
Memory protection can be disabled using registry value "VeraCryptEnableMemoryProtection" under the key "HKLM\SYSTEM\CurrentControlSet\Services\veracrypt"
Diffstat (limited to 'src/Common')
-rw-r--r--src/Common/Apidrvr.h2
-rw-r--r--src/Common/Dlgcode.c129
-rw-r--r--src/Common/Dlgcode.h4
-rw-r--r--src/Common/Tcdefs.h4
4 files changed, 136 insertions, 3 deletions
diff --git a/src/Common/Apidrvr.h b/src/Common/Apidrvr.h
index 7a3ea868..463d4fa6 100644
--- a/src/Common/Apidrvr.h
+++ b/src/Common/Apidrvr.h
@@ -418,6 +418,8 @@ typedef struct
#define VC_ERASE_KEYS_SHUTDOWN DRIVER_STR("VeraCryptEraseKeysShutdown")
+#define VC_ENABLE_MEMORY_PROTECTION DRIVER_STR("VeraCryptEnableMemoryProtection")
+
// WARNING: Modifying the following values can introduce incompatibility with previous versions.
#define TC_DRIVER_CONFIG_CACHE_BOOT_PASSWORD 0x1
#define TC_DRIVER_CONFIG_CACHE_BOOT_PASSWORD_FOR_SYS_FAVORITES 0x2
diff --git a/src/Common/Dlgcode.c b/src/Common/Dlgcode.c
index 7282b2ec..8f357208 100644
--- a/src/Common/Dlgcode.c
+++ b/src/Common/Dlgcode.c
@@ -32,6 +32,9 @@
#include <process.h>
#include <Tlhelp32.h>
#endif
+#ifdef _WIN32_WINNT >= 0x0602
+#include "processthreadsapi.h""
+#endif
#include "Resource.h"
@@ -216,6 +219,9 @@ volatile BOOL NeedPeriodicDeviceListUpdate = FALSE;
BOOL DisablePeriodicDeviceListUpdate = FALSE;
BOOL EnableMemoryProtection = FALSE;
+BOOL MemoryProtectionActivated = FALSE;
+BOOL ProcessMitigationsActivated = FALSE;
+
BOOL WaitDialogDisplaying = FALSE;
/* Handle to the device driver */
@@ -3238,6 +3244,17 @@ uint32 ReadEncryptionThreadPoolFreeCpuCountLimit ()
return count;
}
+BOOL ReadMemoryProtectionConfig ()
+{
+ DWORD config;
+
+ if (!ReadLocalMachineRegistryDword (L"SYSTEM\\CurrentControlSet\\Services\\veracrypt", VC_ENABLE_MEMORY_PROTECTION, &config))
+ {
+ // enabled by default
+ config = 1;
+ }
+ return (config)? TRUE: FALSE;
+}
BOOL LoadSysEncSettings ()
{
@@ -3431,6 +3448,17 @@ extern "C" {
// Force loading dlls from system32 directory only
SetDefaultDllDirectoriesFn (LOAD_LIBRARY_SEARCH_SYSTEM32);
}
+
+ // activate process mitigations (currently only ASLR, dynamic code and extensions points)
+ ActivateProcessMitigations();
+
+#ifndef SETUP
+ // call ActivateMemoryProtection if corresponding setting has been enabled (default is enabled)
+ if (ReadMemoryProtectionConfig())
+ {
+ ActivateMemoryProtection();
+ }
+#endif
return wWinMainCRTStartup();
}
}
@@ -14035,7 +14063,7 @@ BOOL BufferHasPattern (const unsigned char* buffer, size_t bufferLen, const void
*
* Reduce current user acess rights for this process to the minimum in order to forbid non-admin users from reading the process memory.
*/
-BOOL EnableProcessProtection()
+BOOL ActivateMemoryProtection()
{
BOOL bSuccess = FALSE;
@@ -14050,7 +14078,10 @@ BOOL EnableProcessProtection()
// Acces mask
DWORD dwAccessMask = SYNCHRONIZE | PROCESS_QUERY_LIMITED_INFORMATION | PROCESS_TERMINATE; // same as protected process
-
+
+ if (MemoryProtectionActivated)
+ return TRUE;
+
if (IsAdmin ())
{
// if we are running elevated, we allow CreateProcessXXX calls alongside PROCESS_DUP_HANDLE and PROCESS_QUERY_INFORMATION in order to be able
@@ -14113,6 +14144,9 @@ BOOL EnableProcessProtection()
NULL // do not change SACL
))? TRUE: FALSE;
+ if (bSuccess)
+ MemoryProtectionActivated = TRUE;
+
Cleanup:
if (pACL != NULL) {
@@ -14128,6 +14162,97 @@ Cleanup:
return bSuccess;
}
+// define missing structures Windows 8
+#if (_WIN32_WINNT < 0x0602)
+
+typedef struct _PROCESS_MITIGATION_ASLR_POLICY {
+ union {
+ DWORD Flags;
+ struct {
+ DWORD EnableBottomUpRandomization : 1;
+ DWORD EnableForceRelocateImages : 1;
+ DWORD EnableHighEntropy : 1;
+ DWORD DisallowStrippedImages : 1;
+ DWORD ReservedFlags : 28;
+ } DUMMYSTRUCTNAME;
+ } DUMMYUNIONNAME;
+} PROCESS_MITIGATION_ASLR_POLICY, *PPROCESS_MITIGATION_ASLR_POLICY;
+
+typedef struct _PROCESS_MITIGATION_EXTENSION_POINT_DISABLE_POLICY {
+ union {
+ DWORD Flags;
+ struct {
+ DWORD DisableExtensionPoints : 1;
+ DWORD ReservedFlags : 31;
+ } DUMMYSTRUCTNAME;
+ } DUMMYUNIONNAME;
+} PROCESS_MITIGATION_EXTENSION_POINT_DISABLE_POLICY, *PPROCESS_MITIGATION_EXTENSION_POINT_DISABLE_POLICY;
+
+typedef struct _PROCESS_MITIGATION_DYNAMIC_CODE_POLICY {
+ union {
+ DWORD Flags;
+ struct {
+ DWORD ProhibitDynamicCode : 1;
+ DWORD AllowThreadOptOut : 1;
+ DWORD AllowRemoteDowngrade : 1;
+ DWORD AuditProhibitDynamicCode : 1;
+ DWORD ReservedFlags : 28;
+ } DUMMYSTRUCTNAME;
+ } DUMMYUNIONNAME;
+} PROCESS_MITIGATION_DYNAMIC_CODE_POLICY, *PPROCESS_MITIGATION_DYNAMIC_CODE_POLICY;
+
+typedef enum _PROCESS_MITIGATION_POLICY {
+ ProcessDEPPolicy,
+ ProcessASLRPolicy,
+ ProcessDynamicCodePolicy,
+ ProcessStrictHandleCheckPolicy,
+ ProcessSystemCallDisablePolicy,
+ ProcessMitigationOptionsMask,
+ ProcessExtensionPointDisablePolicy,
+ ProcessControlFlowGuardPolicy,
+ ProcessSignaturePolicy,
+ ProcessFontDisablePolicy,
+ ProcessImageLoadPolicy,
+ ProcessSystemCallFilterPolicy,
+ ProcessPayloadRestrictionPolicy,
+ ProcessChildProcessPolicy,
+ ProcessSideChannelIsolationPolicy,
+ ProcessUserShadowStackPolicy,
+ MaxProcessMitigationPolicy
+} PROCESS_MITIGATION_POLICY, *PPROCESS_MITIGATION_POLICY;
+
+#endif
+
+void ActivateProcessMitigations()
+{
+ if (ProcessMitigationsActivated)
+ return;
+
+ // we load the function pointer of SetProcessMitigationPolicy dynamically because we are building with Windows 7 SDK that does not have the definition of this function
+ typedef BOOL (WINAPI *SetProcessMitigationPolicyFunc) (PROCESS_MITIGATION_POLICY MitigationPolicy, PVOID lpBuffer, SIZE_T dwLength);
+ SetProcessMitigationPolicyFunc SetProcessMitigationPolicy = (SetProcessMitigationPolicyFunc) GetProcAddress (GetModuleHandle (L"kernel32.dll"), "SetProcessMitigationPolicy");
+ if (SetProcessMitigationPolicy)
+ {
+ PROCESS_MITIGATION_ASLR_POLICY aslrPolicy = { 0 };
+ PROCESS_MITIGATION_DYNAMIC_CODE_POLICY dynCodePolicy = { 0 };
+ PROCESS_MITIGATION_EXTENSION_POINT_DISABLE_POLICY extensionPointDisablePolicy = { 0 };
+
+ aslrPolicy.EnableBottomUpRandomization = TRUE;
+ aslrPolicy.EnableForceRelocateImages = TRUE;
+ aslrPolicy.EnableHighEntropy = TRUE;
+
+ dynCodePolicy.ProhibitDynamicCode = TRUE;
+
+ extensionPointDisablePolicy.DisableExtensionPoints = TRUE;
+
+ SetProcessMitigationPolicy (ProcessASLRPolicy, &aslrPolicy, sizeof (aslrPolicy));
+ SetProcessMitigationPolicy (ProcessDynamicCodePolicy, &dynCodePolicy, sizeof (dynCodePolicy));
+ SetProcessMitigationPolicy (ProcessExtensionPointDisablePolicy, &extensionPointDisablePolicy, sizeof (extensionPointDisablePolicy));
+ }
+
+ ProcessMitigationsActivated = TRUE;
+}
+
// Based on sample code from:
// https://blogs.msdn.microsoft.com/aaron_margosis/2009/06/06/faq-how-do-i-start-a-program-as-the-desktop-user-from-an-elevated-app/
// start a program non-elevated as the desktop user from an elevated app
diff --git a/src/Common/Dlgcode.h b/src/Common/Dlgcode.h
index 12957232..245df6c1 100644
--- a/src/Common/Dlgcode.h
+++ b/src/Common/Dlgcode.h
@@ -349,6 +349,7 @@ BOOL IsTrueCryptInstallerRunning (void);
uint32 ReadDriverConfigurationFlags ();
uint32 ReadServiceConfigurationFlags ();
uint32 ReadEncryptionThreadPoolFreeCpuCountLimit ();
+BOOL ReadMemoryProtectionConfig ();
BOOL LoadSysEncSettings ();
int LoadNonSysInPlaceEncSettings (WipeAlgorithmId *wipeAlgorithm);
void RemoveNonSysInPlaceEncNotifications (void);
@@ -582,7 +583,8 @@ BOOL VerifyModuleSignature (const wchar_t* path);
void GetInstallationPath (HWND hwndDlg, wchar_t* szInstallPath, DWORD cchSize, BOOL* pbInstallPathDetermined);
BOOL GetSetupconfigLocation (wchar_t* path, DWORD cchSize);
BOOL BufferHasPattern (const unsigned char* buffer, size_t bufferLen, const void* pattern, size_t patternLen);
-BOOL EnableProcessProtection();
+void ActivateProcessMitigations();
+BOOL ActivateMemoryProtection();
void SafeOpenURL (LPCWSTR szUrl);
BitLockerEncryptionStatus GetBitLockerEncryptionStatus(WCHAR driveLetter);
BOOL IsTestSigningModeEnabled ();
diff --git a/src/Common/Tcdefs.h b/src/Common/Tcdefs.h
index 1b6189a3..8027f58b 100644
--- a/src/Common/Tcdefs.h
+++ b/src/Common/Tcdefs.h
@@ -344,8 +344,12 @@ extern BOOLEAN VC_KeAreAllApcsDisabled (VOID);
#ifndef TC_LOCAL_WIN32_WINNT_OVERRIDE
# undef _WIN32_WINNT
+#ifdef _M_ARM64
+# define _WIN32_WINNT 0x0A00
+#else
# define _WIN32_WINNT 0x0601 /* Does not apply to the driver */
#endif
+#endif
#include <windows.h> /* Windows header */
#include <commctrl.h> /* The common controls */