0x0D, 0xC3, 0x9F, 0xEA, 0x37, 0x7B, 0xCB, 0xC3, 0x65, 0x8D, 0x71, 0xBA,

0x97, 0xA8, 0x4F, 0x69, 0x25, 0x36, 0x1D, 0x7F, 0x08, 0x54, 0xB2, 0x9A,

0x56, 0xA0, 0x8B, 0x2F, 0xBC, 0x77, 0x16, 0x89, 0xBF, 0x5C, 0xB0, 0xD2,

0xB1, 0xDA, 0x3C, 0x08, 0xD1, 0x8A, 0xC5, 0xB5, 0xA0, 0xED, 0xD1, 0xDF,

0xB1, 0xAE, 0x5F, 0x82, 0x26, 0xA4, 0x0A, 0x12, 0x1E, 0x1F, 0x18, 0x7D,

0x9E, 0x57, 0xE1, 0xA4, 0xCC, 0x90, 0x15, 0x79, 0xC9, 0x19, 0x95, 0x98,

0xCB, 0x86, 0x75, 0xC1, 0x45, 0x67, 0xD8, 0x1D, 0x02, 0x84, 0xC6, 0xF3,

0x50, 0xD7, 0xB8, 0xAB, 0x92, 0xD2, 0x4E, 0xFB, 0xA0, 0xFF, 0x28, 0xB5,

0x69, 0x17, 0xFD, 0xA9, 0x18, 0x07, 0xAB, 0xD3, 0xCD, 0x3A, 0xE7, 0xE7,

0x54, 0x61, 0x6B, 0x73, 0x88, 0xF0, 0xD9, 0xB9, 0xD6

};

bool ZipAdd (zip_t *z, const char* name, const unsigned char* pbData, DWORD cbData)

{

zip_error_t zerr;

zip_source_t* zin = zip_source_buffer_create (pbData, cbData, 0, &zerr);

if (!zin)

return false;

if (-1 == zip_file_add (z, name, zin, 0))

{

zip_source_free (zin);

return false;

}

return true;

}

{

BOOL bRet = FALSE;

const char* g_szStr1 = "Invalid partition table";

const char* g_szStr2 = "Error loading operating system";

const char* g_szStr3 = "Missing operating system";

if ((0 == memcmp (buffer, g_pbMsSignature, 4)) &&

(BufferContainsString (buffer, bufferSize, g_szStr1)

|| BufferContainsString (buffer, bufferSize, g_szStr2)

|| BufferContainsString (buffer, bufferSize, g_szStr3)

)

)

{

bRet = TRUE;

}

return bRet;

}

namespace VeraCrypt

{

#if !defined (SETUP)

class Elevator

{

public:

static void AddReference ()

{

++ReferenceCount;

}

if (result != ERROR_SUCCESS)

{

SetLastError (result);

throw SystemException(SRC_POS);

}

}

static void DeleteFile (const wstring &file)

{

Elevate();

CComBSTR fileBstr;

DWORD result;

BSTR bstr = W2BSTR(file.c_str());

if (bstr)

{

fileBstr.Attach (bstr);

result = ElevatedComInstance->DeleteFile (fileBstr);

}

else

{

result = ERROR_OUTOFMEMORY;

}

if (result != ERROR_SUCCESS)

{

SetLastError (result);

throw SystemException(SRC_POS);

}

}

{

Elevate();

DWORD result;

CComBSTR bufferBstr, fileBstr;

if (bufferBstr.AppendBytes ((const char *) buffer, size) != S_OK)

throw ParameterIncorrect (SRC_POS);

BSTR bstr = W2BSTR(filePath.c_str());

if (bstr)

{

fileBstr.Attach (bstr);

result = ElevatedComInstance->ReadWriteFile (write, device, fileBstr, &bufferBstr, offset, size, sizeDone);

}

else

{

result = ERROR_OUTOFMEMORY;

}

if (result != ERROR_SUCCESS)

{

SetLastError (result);

throw SystemException(SRC_POS);

}

if (!write)

memcpy (buffer, (BYTE *) bufferBstr.m_str, size);

}

static void GetFileSize (const wstring &filePath, unsigned __int64* pSize)

{

{

SetLastError (ERROR_INVALID_PARAMETER);

throw SystemException(SRC_POS);

}

DWORD result = ElevatedComInstance->GetEfiBootDeviceNumber (&outputBstr);

if (pSdn)

memcpy (pSdn, *(void **) &outputBstr, sizeof (STORAGE_DEVICE_NUMBER));

if (result != ERROR_SUCCESS)

{

SetLastError (result);

throw SystemException(SRC_POS);

}

}

static void GetSecureBootConfig (BOOL* pSecureBootEnabled, BOOL *pVeraCryptKeysLoaded)

{

Elevate();

DWORD result = ElevatedComInstance->GetSecureBootConfig (pSecureBootEnabled, pVeraCryptKeysLoaded);

if (result != ERROR_SUCCESS)

{

SetLastError (result);

throw SystemException(SRC_POS);

}

}

{

Elevate();

DWORD result;

CComBSTR customUserMessageBstr;

BSTR bstr = A2BSTR(customUserMessage.c_str());

if (bstr)

{

customUserMessageBstr.Attach (bstr);

result = ElevatedComInstance->WriteEfiBootSectorUserConfig ((DWORD) userConfig, customUserMessageBstr, pim, hashAlg);

}

else

{

result = ERROR_OUTOFMEMORY;

}

if (result != ERROR_SUCCESS)

{

SetLastError (result);

throw SystemException(SRC_POS);

}

}

static void UpdateSetupConfigFile (bool bForInstall)

{

Elevate();

DWORD result = ElevatedComInstance->UpdateSetupConfigFile (bForInstall ? TRUE : FALSE);

if (result != ERROR_SUCCESS)

{

{

ElevatedComInstance->Release();

ElevatedComInstance = nullptr;

CoUninitialize ();

}

}

static void SetDriverServiceStartType (DWORD startType)

{

Elevate();

DWORD result = ElevatedComInstance->SetDriverServiceStartType (startType);

if (result != ERROR_SUCCESS)

{

SetLastError (result);

throw SystemException(SRC_POS);

}

}

protected:

static void Elevate ()

{

if (IsAdmin())

{

SetLastError (ERROR_ACCESS_DENIED);

throw SystemException(SRC_POS);

}

if (!ElevatedComInstance || ElevatedComInstanceThreadId != GetCurrentThreadId())

{

ElevatedComInstance = GetElevatedInstance (GetActiveWindow() ? GetActiveWindow() : MainDlg);

ElevatedComInstanceThreadId = GetCurrentThreadId();

}

}

#if defined (TCMOUNT)

static ITrueCryptMainCom *ElevatedComInstance;

#elif defined (VOLFORMAT)

static ITrueCryptFormatCom *ElevatedComInstance;

#endif

static DWORD ElevatedComInstanceThreadId;

static int ReferenceCount;

};

#if defined (TCMOUNT)

ITrueCryptMainCom *Elevator::ElevatedComInstance;

#elif defined (VOLFORMAT)

ITrueCryptFormatCom *Elevator::ElevatedComInstance;

#endif

DWORD Elevator::ElevatedComInstanceThreadId;

int Elevator::ReferenceCount = 0;

#else // SETUP

class Elevator

{

public:

static void AddReference () { }

static void CallDriver (DWORD ioctl, void *input, DWORD inputSize, void *output, DWORD outputSize) { throw ParameterIncorrect (SRC_POS); }

static void RegisterFilterDriver (bool registerDriver, BootEncryption::FilterType filterType) { throw ParameterIncorrect (SRC_POS); }

static void Release () { }

static void SetDriverServiceStartType (DWORD startType) { throw ParameterIncorrect (SRC_POS); }

static void GetFileSize (const wstring &filePath, unsigned __int64 *pSize) { throw ParameterIncorrect (SRC_POS); }

static BOOL DeviceIoControl (BOOL readOnly, BOOL device, const wstring &filePath, DWORD dwIoControlCode, LPVOID input, DWORD inputSize, LPVOID output, DWORD outputSize) { throw ParameterIncorrect (SRC_POS); }

static void InstallEfiBootLoader (bool preserveUserConfig, bool hiddenOSCreation, int pim, int hashAlg) { throw ParameterIncorrect (SRC_POS); }

static void BackupEfiSystemLoader () { throw ParameterIncorrect (SRC_POS); }

static void RestoreEfiSystemLoader () { throw ParameterIncorrect (SRC_POS); }

static void GetEfiBootDeviceNumber (PSTORAGE_DEVICE_NUMBER pSdn) { throw ParameterIncorrect (SRC_POS); }

static void UpdateSetupConfigFile (bool bForInstall) { throw ParameterIncorrect (SRC_POS); }

static void GetSecureBootConfig (BOOL* pSecureBootEnabled, BOOL *pVeraCryptKeysLoaded) { throw ParameterIncorrect (SRC_POS); }

};

#endif // SETUP

File::File (wstring path, bool readOnly, bool create) : Elevated (false), FileOpen (false), ReadOnly (readOnly), LastError(0)

{

Handle = CreateFile (path.c_str(),

readOnly ? GENERIC_READ : GENERIC_READ | GENERIC_WRITE,

FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, create ? CREATE_ALWAYS : OPEN_EXISTING,

FILE_FLAG_RANDOM_ACCESS | FILE_FLAG_WRITE_THROUGH, NULL);

if (Handle != INVALID_HANDLE_VALUE)

{

FileOpen = true;

}

else

{

LastError = GetLastError();

if (LastError == ERROR_ACCESS_DENIED && IsUacSupported())

{

Elevated = true;

FileOpen = true;

}

}

FilePointerPosition = 0;

IsDevice = false;

Path = path;

}

void File::Close ()

{

if (Handle != INVALID_HANDLE_VALUE)

{

CloseHandle (Handle);

Handle = INVALID_HANDLE_VALUE;

}

FileOpen = false;

}

{

DWORD bytesRead;

if (!FileOpen)

{

SetLastError (LastError);

throw SystemException (SRC_POS);

}

if (Elevated)

{

Elevator::ReadWriteFile (false, IsDevice, Path, buffer, FilePointerPosition, size, &bytesRead);

FilePointerPosition += bytesRead;

return bytesRead;

}

if (!ReadFile (Handle, buffer, size, &bytesRead, NULL))

{

DWORD dwLastError = GetLastError();

if ((dwLastError == ERROR_INVALID_PARAMETER) && IsDevice && (size % 4096))

{

DWORD remainingSize = (size % 4096);

DWORD alignedSize = size - remainingSize;

LARGE_INTEGER offset;

if (alignedSize)

{

if (ReadFile (Handle, buffer, alignedSize, &bytesRead, NULL))

{

if (bytesRead < alignedSize)

}

void File::GetFileSize (unsigned __int64& size)

{

if (!FileOpen)

{

SetLastError (LastError);

throw SystemException (SRC_POS);

}

if (Elevated)

{

Elevator::GetFileSize (Path, &size);

}

else

{

LARGE_INTEGER lSize;

lSize.QuadPart = 0;

throw_sys_if (!GetFileSizeEx (Handle, &lSize));

size = (unsigned __int64) lSize.QuadPart;

}

}

void File::GetFileSize (DWORD& dwSize)

{

unsigned __int64 size64;

GetFileSize (size64);

dwSize = (DWORD) size64;

}

{

DWORD bytesWritten;

if (!FileOpen)

{

SetLastError (LastError);

throw SystemException (SRC_POS);

}

try

{

if (Elevated)

{

Elevator::ReadWriteFile (true, IsDevice, Path, buffer, FilePointerPosition, size, &bytesWritten);

FilePointerPosition += bytesWritten;

throw_sys_if (bytesWritten != size);

}

else

{

if (!WriteFile (Handle, buffer, size, &bytesWritten, NULL))

{

DWORD dwLastError = GetLastError ();

if ((ERROR_INVALID_PARAMETER == dwLastError) && IsDevice && !ReadOnly && (size % 4096))

{

bool bSuccess = false;

DWORD remainingSize = (size % 4096);

DWORD alignedSize = size - remainingSize;

DWORD bytesRead = 0;

bytesWritten = 0;

if (alignedSize)

}

}

// Finds the first partition physically located behind the active one and returns its properties

Partition BootEncryption::GetPartitionForHiddenOS ()

{

Partition candidatePartition;

memset (&candidatePartition, 0, sizeof(candidatePartition));

// The user may have modified/added/deleted partitions since the time the partition table was last scanned

InvalidateCachedSysDriveProperties();

SystemDriveConfiguration config = GetSystemDriveConfiguration ();

bool activePartitionFound = false;

bool candidateForHiddenOSFound = false;

if (!config.SystemPartition.IsGPT)

{

// throw ParameterIncorrect (SRC_POS); // It is assumed that CheckRequirements() had been called

// Find the first active partition on the system drive

foreach (const Partition &partition, config.Partitions)

{

if (partition.Info.BootIndicator)

{

if (partition.Info.PartitionNumber != config.SystemPartition.Number)

{

// If there is an extra boot partition, the system partition must be located right behind it

{

int64 minOffsetFound = config.DrivePartition.Info.PartitionLength.QuadPart;

Partition bootPartition = partition;

Partition partitionBehindBoot;

foreach (const Partition &partition, config.Partitions)

{

if (partition.Info.StartingOffset.QuadPart > bootPartition.Info.StartingOffset.QuadPart

&& partition.Info.StartingOffset.QuadPart < minOffsetFound)

{

minOffsetFound = partition.Info.StartingOffset.QuadPart;

partitionBehindBoot = partition;

}

}

if (minOffsetFound != config.DrivePartition.Info.PartitionLength.QuadPart

&& partitionBehindBoot.Number == config.SystemPartition.Number)

{

activePartitionFound = true;

break;

}

}

throw ErrorException (wstring (GetString ("SYSTEM_PARTITION_NOT_ACTIVE"))

+ GetRemarksOnHiddenOS(), SRC_POS);

}

activePartitionFound = true;

break;

}

wstring BootEncryption::GetRemarksOnHiddenOS ()

{

return (wstring (L"\n\n")

+ GetString ("TWO_SYSTEMS_IN_ONE_PARTITION_REMARK")

+ L"\n\n"

+ GetString ("FOR_MORE_INFO_ON_PARTITIONS"));

}

void BootEncryption::SetDriverServiceStartType (DWORD startType)

{

if (!IsAdmin() && IsUacSupported())

{

Elevator::SetDriverServiceStartType (startType);

return;

}

BOOL startOnBoot = (startType == SERVICE_BOOT_START);

SC_HANDLE serviceManager = OpenSCManager (NULL, NULL, SC_MANAGER_ALL_ACCESS);

throw_sys_if (!serviceManager);

finally_do_arg (SC_HANDLE, serviceManager, { CloseServiceHandle (finally_arg); });

SC_HANDLE service = OpenService (serviceManager, L"veracrypt", SERVICE_CHANGE_CONFIG);

throw_sys_if (!service);

finally_do_arg (SC_HANDLE, service, { CloseServiceHandle (finally_arg); });

throw_sys_if (!ChangeServiceConfig (service, SERVICE_NO_CHANGE, SERVICE_NO_CHANGE,

startOnBoot ? SERVICE_ERROR_SEVERE : SERVICE_ERROR_NORMAL,

startOnBoot ? L"Filter" : NULL,

NULL, NULL, NULL, NULL, NULL));

// ChangeServiceConfig() rejects SERVICE_BOOT_START with ERROR_INVALID_PARAMETER

throw_sys_if (!WriteLocalMachineRegistryDword (L"SYSTEM\\CurrentControlSet\\Services\\veracrypt", L"Start", startType));

}

void BootEncryption::ProbeRealSystemDriveSize ()

{

if (RealSystemDriveSizeValid)

return;

GetSystemDriveConfiguration();

ProbeRealDriveSizeRequest request;

StringCchCopyW (request.DeviceName, ARRAYSIZE (request.DeviceName), DriveConfig.DrivePartition.DevicePath.c_str());

CallDriver (TC_IOCTL_PROBE_REAL_DRIVE_SIZE, &request, sizeof (request), &request, sizeof (request));

DriveConfig.DrivePartition.Info.PartitionLength = request.RealDriveSize;

RealSystemDriveSizeValid = true;

if (request.TimeOut)

throw TimeOut (SRC_POS);

}

void BootEncryption::InvalidateCachedSysDriveProperties ()

{

#ifndef SETUP

DISK_GEOMETRY_EX BootEncryption::GetDriveGeometry (int driveNumber)

{

wstringstream devName;

devName << L"\\Device\\Harddisk" << driveNumber << L"\\Partition0";

DISK_GEOMETRY_EX geometry;

throw_sys_if (!::GetDriveGeometry (devName.str().c_str(), &geometry));

return geometry;

}

#endif // !SETUP

wstring BootEncryption::GetWindowsDirectory ()

{

wchar_t buf[MAX_PATH];

throw_sys_if (GetSystemDirectory (buf, ARRAYSIZE (buf)) == 0);

return wstring (buf);

}

uint16 BootEncryption::GetInstalledBootLoaderVersion ()

{

uint16 version;

CallDriver (TC_IOCTL_GET_BOOT_LOADER_VERSION, NULL, 0, &version, sizeof (version));

return version;

}

{

BootLoaderFingerprintRequest request;

CallDriver (VC_IOCTL_GET_BOOT_LOADER_FINGERPRINT, NULL, 0, &request, sizeof (request));

memcpy (fingerprint, request.Fingerprint, sizeof (request.Fingerprint));

}

#ifndef SETUP

// Note that this does not require admin rights (it just requires the driver to be running)

bool BootEncryption::IsBootLoaderOnDrive (wchar_t *devicePath)

{

try

{

OPEN_TEST_STRUCT openTestStruct;

memset (&openTestStruct, 0, sizeof (openTestStruct));

DWORD dwResult;

StringCchCopyW (&openTestStruct.wszFileName[0], ARRAYSIZE(openTestStruct.wszFileName),devicePath);

openTestStruct.bDetectTCBootLoader = TRUE;

return (DeviceIoControl (hDriver, TC_IOCTL_OPEN_TEST,

&openTestStruct, sizeof (OPEN_TEST_STRUCT),

&openTestStruct, sizeof (OPEN_TEST_STRUCT),

&dwResult, NULL) && openTestStruct.TCBootLoaderDetected);

}

catch (...)

{

return false;

}

}

#endif

BootEncryptionStatus BootEncryption::GetStatus ()

{

/* IMPORTANT: Do NOT add any potentially time-consuming operations to this function. */

BootEncryptionStatus status;

CallDriver (TC_IOCTL_GET_BOOT_ENCRYPTION_STATUS, NULL, 0, &status, sizeof (status));

return status;

}

void BootEncryption::GetVolumeProperties (VOLUME_PROPERTIES_STRUCT *properties)

{

if (properties == NULL)

throw ParameterIncorrect (SRC_POS);

CallDriver (TC_IOCTL_GET_BOOT_DRIVE_VOLUME_PROPERTIES, NULL, 0, properties, sizeof (*properties));

}

bool BootEncryption::IsHiddenSystemRunning ()

{

int hiddenSystemStatus;

CallDriver (TC_IOCTL_IS_HIDDEN_SYSTEM_RUNNING, nullptr, 0, &hiddenSystemStatus, sizeof (hiddenSystemStatus));

return hiddenSystemStatus != 0;

}

{

Device device (GetSystemDriveConfiguration().DevicePath, true);

device.CheckOpened (SRC_POS);

device.SeekAt (0);

device.Read (mbrBuf, sizeof (mbrBuf));

MBR *mbr = reinterpret_cast <MBR *> (mbrBuf);

if (mbr->Signature != 0xaa55)

throw ParameterIncorrect (SRC_POS);

for (size_t i = 0; i < array_capacity (mbr->Partitions); ++i)

{

if (mbr->Partitions[i].Type == type)

return true;

}

return false;

}

bool BootEncryption::SystemDriveContainsExtendedPartition ()

{

return SystemDriveContainsPartitionType (PARTITION_EXTENDED) || SystemDriveContainsPartitionType (PARTITION_XINT13_EXTENDED);

}

bool BootEncryption::SystemDriveContainsNonStandardPartitions ()

{

for (int partitionType = 1; partitionType <= 0xff; ++partitionType)

{

switch (partitionType)

{

case PARTITION_FAT_12:

case PARTITION_FAT_16:

case PARTITION_EXTENDED:

case PARTITION_HUGE:

case PARTITION_IFS:

case PARTITION_FAT32:

case PARTITION_FAT32_XINT13:

case PARTITION_XINT13:

case PARTITION_XINT13_EXTENDED:

continue;

}

return true;

}

return false;

}

bool BootEncryption::SystemDriveIsDynamic ()

{

GetSystemDriveConfigurationRequest request;

memset (&request, 0, sizeof (request));

StringCchCopyW (request.DevicePath, ARRAYSIZE (request.DevicePath), GetSystemDriveConfiguration().DeviceKernelPath.c_str());

CallDriver (TC_IOCTL_GET_SYSTEM_DRIVE_CONFIG, &request, sizeof (request), &request, sizeof (request));

return request.DriveIsDynamic ? true : false;

}

SystemDriveConfiguration BootEncryption::GetSystemDriveConfiguration ()

{

if (DriveConfigValid)

return DriveConfig;

SystemDriveConfiguration config;

wstring winDir = GetWindowsDirectory();

// Scan all drives

for (int driveNumber = 0; driveNumber < 32; ++driveNumber)

{

config.DrivePartition = partitions.front();

partitions.pop_front();

config.Partitions = partitions;

config.InitialUnallocatedSpace = 0x7fffFFFFffffFFFFull;

config.TotalUnallocatedSpace = config.DrivePartition.Info.PartitionLength.QuadPart;

foreach (const Partition &part, config.Partitions)

{

if (part.Info.StartingOffset.QuadPart < config.InitialUnallocatedSpace)

config.InitialUnallocatedSpace = part.Info.StartingOffset.QuadPart;

config.TotalUnallocatedSpace -= part.Info.PartitionLength.QuadPart;

}

DriveConfig = config;

DriveConfigValid = true;

return DriveConfig;

}

}

throw ParameterIncorrect (SRC_POS);

}

bool BootEncryption::SystemPartitionCoversWholeDrive ()

{

SystemDriveConfiguration config = GetSystemDriveConfiguration();

&& config.ExtraBootPartitionPresent

&& config.DrivePartition.Info.PartitionLength.QuadPart - config.SystemPartition.Info.PartitionLength.QuadPart < 164 * BYTES_PER_MB)

{

return true;

}

return config.Partitions.size() == 1

&& config.DrivePartition.Info.PartitionLength.QuadPart - config.SystemPartition.Info.PartitionLength.QuadPart < 64 * BYTES_PER_MB;

}

{

uint32 sum = 0;

while (size-- > 0)

{

sum += *data++;

sum = _rotl (sum, 1);

}

return sum;

}

{

if (bufferSize < TC_BOOT_LOADER_AREA_SIZE - TC_BOOT_ENCRYPTION_VOLUME_HEADER_SIZE)

throw ParameterIncorrect (SRC_POS);

ZeroMemory (buffer, bufferSize);

int ea = 0;

int pkcs5_prf = 0;

BOOL bIsGPT = GetSystemDriveConfiguration().SystemPartition.IsGPT;

if (GetStatus().DriveMounted)

{

try

{

GetBootEncryptionAlgorithmNameRequest request;

// since we added new field to GetBootEncryptionAlgorithmNameRequest since version 1.0f

// we zero all the structure so that if we are talking to an older driver, the field

// BootPrfAlgorithmName will be an empty string

ZeroMemory(&request, sizeof(request));

CallDriver (TC_IOCTL_GET_BOOT_ENCRYPTION_ALGORITHM_NAME, NULL, 0, &request, sizeof (request));

if (_stricmp (request.BootEncryptionAlgorithmName, "AES") == 0)

ea = AES;

ea = SERPENT;

else if (_stricmp (request.BootEncryptionAlgorithmName, "Twofish") == 0)

ea = TWOFISH;

if (_stricmp(request.BootPrfAlgorithmName, "SHA-256") == 0)

pkcs5_prf = SHA256;

pkcs5_prf = SHA512;

else if (_stricmp(request.BootPrfAlgorithmName, "Whirlpool") == 0)

pkcs5_prf = WHIRLPOOL;

else if (_stricmp(request.BootPrfAlgorithmName, "Streebog") == 0)

pkcs5_prf = STREEBOG;

else if (strlen(request.BootPrfAlgorithmName) == 0) // case of version < 1.0f

pkcs5_prf = BLAKE2S;

}

catch (...)

{

try

{

VOLUME_PROPERTIES_STRUCT properties;

GetVolumeProperties (&properties);

ea = properties.ea;

pkcs5_prf = properties.pkcs5;

}

catch (...) { }

}

if (pkcs5_prf == 0)

throw ParameterIncorrect (SRC_POS);

}

else

{

if (SelectedEncryptionAlgorithmId == 0 || SelectedPrfAlgorithmId == 0)

throw ParameterIncorrect (SRC_POS);

ea = SelectedEncryptionAlgorithmId;

pkcs5_prf = SelectedPrfAlgorithmId;

}

// Only BLAKE2s and SHA-256 are supported for MBR boot loader

if (!bIsGPT && pkcs5_prf != BLAKE2S && pkcs5_prf != SHA256)

throw ParameterIncorrect (SRC_POS);

case TWOFISH:

if (pkcs5_prf == SHA256)

{

bootSectorId = rescueDisk ? IDR_RESCUE_BOOT_SECTOR_TWOFISH_SHA2 : IDR_BOOT_SECTOR_TWOFISH_SHA2;

bootLoaderId = rescueDisk ? IDR_RESCUE_LOADER_TWOFISH_SHA2 : IDR_BOOT_LOADER_TWOFISH_SHA2;

}

else

{

bootSectorId = rescueDisk ? IDR_RESCUE_BOOT_SECTOR_TWOFISH : IDR_BOOT_SECTOR_TWOFISH;

bootLoaderId = rescueDisk ? IDR_RESCUE_LOADER_TWOFISH : IDR_BOOT_LOADER_TWOFISH;

}

break;

case CAMELLIA:

if (pkcs5_prf == SHA256)

{

bootSectorId = rescueDisk ? IDR_RESCUE_BOOT_SECTOR_CAMELLIA_SHA2 : IDR_BOOT_SECTOR_CAMELLIA_SHA2;

bootLoaderId = rescueDisk ? IDR_RESCUE_LOADER_CAMELLIA_SHA2 : IDR_BOOT_LOADER_CAMELLIA_SHA2;

}

else

{

bootSectorId = rescueDisk ? IDR_RESCUE_BOOT_SECTOR_CAMELLIA : IDR_BOOT_SECTOR_CAMELLIA;

bootLoaderId = rescueDisk ? IDR_RESCUE_LOADER_CAMELLIA : IDR_BOOT_LOADER_CAMELLIA;

}

break;

}

// Boot sector

DWORD size;

if (!bootSecResourceImg || size != TC_SECTOR_SIZE_BIOS)

throw ParameterIncorrect (SRC_POS);

memcpy (buffer, bootSecResourceImg, size);

*(uint16 *) (buffer + TC_BOOT_SECTOR_VERSION_OFFSET) = BE16 (VERSION_NUM);

if (rescueDisk && (ReadDriverConfigurationFlags() & TC_DRIVER_CONFIG_DISABLE_HARDWARE_ENCRYPTION))

buffer[TC_BOOT_SECTOR_CONFIG_OFFSET] |= TC_BOOT_CFG_FLAG_RESCUE_DISABLE_HW_ENCRYPTION;

// Checksum of the backup header of the outer volume for the hidden system

if (hiddenOSCreation)

{

Device device (GetSystemDriveConfiguration().DevicePath);

device.CheckOpened (SRC_POS);

device.SeekAt (HiddenOSCandidatePartition.Info.StartingOffset.QuadPart + HiddenOSCandidatePartition.Info.PartitionLength.QuadPart - TC_VOLUME_HEADER_GROUP_SIZE + TC_VOLUME_HEADER_EFFECTIVE_SIZE);

device.Read (headerSector, sizeof (headerSector));

*(uint32 *) (buffer + TC_BOOT_SECTOR_OUTER_VOLUME_BAK_HEADER_CRC_OFFSET) = GetCrc32 (headerSector, sizeof (headerSector));

}

// Decompressor

if (!decompressor || size > TC_BOOT_LOADER_DECOMPRESSOR_SECTOR_COUNT * TC_SECTOR_SIZE_BIOS)

throw ParameterIncorrect (SRC_POS);

memcpy (buffer + TC_SECTOR_SIZE_BIOS, decompressor, size);

// Compressed boot loader

if (!bootLoader || size > TC_MAX_BOOT_LOADER_SECTOR_COUNT * TC_SECTOR_SIZE_BIOS)

throw ParameterIncorrect (SRC_POS);

memcpy (buffer + TC_SECTOR_SIZE_BIOS + TC_BOOT_LOADER_DECOMPRESSOR_SECTOR_COUNT * TC_SECTOR_SIZE_BIOS, bootLoader, size);

// Boot loader and decompressor checksum

*(uint16 *) (buffer + TC_BOOT_SECTOR_LOADER_LENGTH_OFFSET) = static_cast <uint16> (size);

*(uint32 *) (buffer + TC_BOOT_SECTOR_LOADER_CHECKSUM_OFFSET) = GetChecksum (buffer + TC_SECTOR_SIZE_BIOS,

TC_BOOT_LOADER_DECOMPRESSOR_SECTOR_COUNT * TC_SECTOR_SIZE_BIOS + size);

// Backup of decompressor and boot loader

if (size + TC_BOOT_LOADER_DECOMPRESSOR_SECTOR_COUNT * TC_SECTOR_SIZE_BIOS <= TC_BOOT_LOADER_BACKUP_SECTOR_COUNT * TC_SECTOR_SIZE_BIOS)

{

memcpy (buffer + TC_SECTOR_SIZE_BIOS + TC_BOOT_LOADER_BACKUP_SECTOR_COUNT * TC_SECTOR_SIZE_BIOS,

buffer + TC_SECTOR_SIZE_BIOS, TC_BOOT_LOADER_BACKUP_SECTOR_COUNT * TC_SECTOR_SIZE_BIOS);

buffer[TC_BOOT_SECTOR_CONFIG_OFFSET] |= TC_BOOT_CFG_FLAG_BACKUP_LOADER_AVAILABLE;

}

else if (!rescueDisk && bootLoaderId != IDR_BOOT_LOADER && bootLoaderId != IDR_BOOT_LOADER_SHA2)

{

throw ParameterIncorrect (SRC_POS);

}

}

// return false when the user cancel an elevation request

{

bool bCanceled = false, bExceptionOccured = false;

try

{

if (GetSystemDriveConfiguration().SystemPartition.IsGPT)

{

// for now, we don't support any boot config flags, like hidden OS one

if (config)

memset (config, 0, bufLength);

// call ReadESPFile only when needed since it requires elevation

if (userConfig || customUserMessage || bootLoaderVersion)

{

std::string confContent = ReadESPFile (L"\\EFI\\VeraCrypt\\DcsProp", true);

EfiBootConf conf;

conf.Load ((char*) confContent.c_str());

if (userConfig)

{

*userConfig = 0;

if (!conf.requestPim)

*userConfig |= TC_BOOT_USER_CFG_FLAG_DISABLE_PIM;

if (!conf.requestHash)

*userConfig |= TC_BOOT_USER_CFG_FLAG_STORE_HASH;

}

if (customUserMessage)

customUserMessage->clear();

}

catch (UserAbort&)

{

bCanceled = true;

bExceptionOccured= true;

}

catch (...)

{

bExceptionOccured = true;

}

if (bExceptionOccured)

{

if (config)

*config = 0;

if (userConfig)

*userConfig = 0;

if (customUserMessage)

customUserMessage->clear();

if (bootLoaderVersion)

*bootLoaderVersion = 0;

}

return !bCanceled;

}

{

Device device (GetSystemDriveConfiguration().DevicePath);

device.CheckOpened (SRC_POS);

device.SeekAt (0);

device.Read (mbr, sizeof (mbr));

memcpy (mbr + TC_BOOT_SECTOR_CONFIG_OFFSET, newConfig, TC_BOOT_CFG_FLAG_AREA_SIZE);

device.SeekAt (0);

device.Write (mbr, sizeof (mbr));

device.SeekAt (0);

device.Read (mbrVerificationBuf, sizeof (mbr));

if (memcmp (mbr, mbrVerificationBuf, sizeof (mbr)) != 0)

throw ErrorException ("ERROR_MBR_PROTECTED", SRC_POS);

}

{

if (!IsAdmin() && IsUacSupported())

{

Elevator::WriteEfiBootSectorUserConfig (userConfig, customUserMessage, pim, hashAlg);

}

else

{

EfiBootInst.PrepareBootPartition();

if (! (userConfig & TC_BOOT_USER_CFG_FLAG_DISABLE_PIM))

pim = -1;

if (! (userConfig & TC_BOOT_USER_CFG_FLAG_STORE_HASH))

hashAlg = -1;

EfiBootInst.UpdateConfig (L"\\EFI\\VeraCrypt\\DcsProp", pim, hashAlg, ParentWindow);

}

}

{

if (GetSystemDriveConfiguration().SystemPartition.IsGPT)

{

WriteEfiBootSectorUserConfig (userConfig, customUserMessage, pim, hashAlg);

}

else

{

Device device (GetSystemDriveConfiguration().DevicePath);

device.CheckOpened (SRC_POS);

device.SeekAt (0);

device.Read (mbr, sizeof (mbr));

if (!BufferContainsString (mbr, sizeof (mbr), TC_APP_NAME)

|| BE16 (*(uint16 *) (mbr + TC_BOOT_SECTOR_VERSION_OFFSET)) != VERSION_NUM)

{

return;

}

mbr[TC_BOOT_SECTOR_USER_CONFIG_OFFSET] = userConfig;

memset (mbr + TC_BOOT_SECTOR_USER_MESSAGE_OFFSET, 0, TC_BOOT_SECTOR_USER_MESSAGE_MAX_LENGTH);

if (!customUserMessage.empty())

{

if (customUserMessage.size() > TC_BOOT_SECTOR_USER_MESSAGE_MAX_LENGTH)

throw ParameterIncorrect (SRC_POS);

memcpy (mbr + TC_BOOT_SECTOR_USER_MESSAGE_OFFSET, customUserMessage.c_str(), customUserMessage.size());

}

if (userConfig & TC_BOOT_USER_CFG_FLAG_DISABLE_PIM)

{

// PIM for pre-boot authentication can be encoded on two bytes since its maximum

// value is 65535 (0xFFFF)

memcpy (mbr + TC_BOOT_SECTOR_PIM_VALUE_OFFSET, &pim, TC_BOOT_SECTOR_PIM_VALUE_SIZE);

}

else

memset (mbr + TC_BOOT_SECTOR_PIM_VALUE_OFFSET, 0, TC_BOOT_SECTOR_PIM_VALUE_SIZE);

device.SeekAt (0);

device.Write (mbr, sizeof (mbr));

device.SeekAt (0);

device.Read (mbrVerificationBuf, sizeof (mbr));

if (memcmp (mbr, mbrVerificationBuf, sizeof (mbr)) != 0)

throw ErrorException ("ERROR_MBR_PROTECTED", SRC_POS);

}

}

unsigned int BootEncryption::GetHiddenOSCreationPhase ()

{

ReadBootSectorConfig (configFlags, sizeof(configFlags));

return (configFlags[0] & TC_BOOT_CFG_MASK_HIDDEN_OS_CREATION_PHASE);

}

void BootEncryption::SetHiddenOSCreationPhase (unsigned int newPhase)

{

#if TC_BOOT_CFG_FLAG_AREA_SIZE != 1

# error TC_BOOT_CFG_FLAG_AREA_SIZE != 1; revise GetHiddenOSCreationPhase() and SetHiddenOSCreationPhase()

#endif

ReadBootSectorConfig (configFlags, sizeof(configFlags));

configFlags[0] |= newPhase;

WriteBootSectorConfig (configFlags);

}

#ifndef SETUP

void BootEncryption::StartDecoyOSWipe (WipeAlgorithmId wipeAlgorithm)

{

if (!IsHiddenOSRunning())

throw ParameterIncorrect (SRC_POS);

WipeDecoySystemRequest request;

ZeroMemory (&request, sizeof (request));

request.WipeAlgorithm = wipeAlgorithm;

if (Randinit() != ERR_SUCCESS)

{

if (CryptoAPILastError == ERROR_SUCCESS)

throw RandInitFailed (SRC_POS, GetLastError ());

else

throw CryptoApiFailed (SRC_POS, CryptoAPILastError);

}

/* force the display of the random enriching dialog */

SetRandomPoolEnrichedByUserStatus (FALSE);

DecoySystemWipeStatus BootEncryption::GetDecoyOSWipeStatus ()

{

DecoySystemWipeStatus status;

CallDriver (TC_IOCTL_GET_DECOY_SYSTEM_WIPE_STATUS, NULL, 0, &status, sizeof (status));

return status;

}

void BootEncryption::CheckDecoyOSWipeResult ()

{

CallDriver (TC_IOCTL_GET_DECOY_SYSTEM_WIPE_RESULT);

}

void BootEncryption::WipeHiddenOSCreationConfig ()

{

if (IsHiddenOSRunning())

throw ParameterIncorrect (SRC_POS);

if (Randinit() != ERR_SUCCESS)

{

if (CryptoAPILastError == ERROR_SUCCESS)

throw RandInitFailed (SRC_POS, GetLastError ());

else

throw CryptoApiFailed (SRC_POS, CryptoAPILastError);

}

Device device (GetSystemDriveConfiguration().DevicePath);

device.CheckOpened(SRC_POS);

device.SeekAt (0);

device.Read (mbr, sizeof (mbr));

finally_do_arg (BootEncryption *, this,

{

try

{

finally_arg->SetHiddenOSCreationPhase (TC_HIDDEN_OS_CREATION_PHASE_NONE);

} catch (...) { }

});

#if PRAND_DISK_WIPE_PASSES > RNG_POOL_SIZE

# error PRAND_DISK_WIPE_PASSES > RNG_POOL_SIZE

#endif

if (!RandgetBytes (ParentWindow, randData, sizeof (randData), FALSE))

throw ParameterIncorrect (SRC_POS);

for (int wipePass = 0; wipePass < PRAND_DISK_WIPE_PASSES; wipePass++)

{

for (int i = 0; i < TC_BOOT_SECTOR_OUTER_VOLUME_BAK_HEADER_CRC_SIZE; ++i)

{

mbr[TC_BOOT_SECTOR_OUTER_VOLUME_BAK_HEADER_CRC_OFFSET + i] = randData[wipePass];

}

mbr[TC_BOOT_SECTOR_CONFIG_OFFSET] |= randData[wipePass] & TC_BOOT_CFG_MASK_HIDDEN_OS_CREATION_PHASE;

if (wipePass == PRAND_DISK_WIPE_PASSES - 1)

memset (mbr + TC_BOOT_SECTOR_OUTER_VOLUME_BAK_HEADER_CRC_OFFSET, 0, TC_BOOT_SECTOR_OUTER_VOLUME_BAK_HEADER_CRC_SIZE);

device.SeekAt (0);

device.Write (mbr, sizeof (mbr));

}

for (int wipePass = 0; wipePass < PRAND_DISK_WIPE_PASSES/4 + 1; wipePass++)

{

SetHiddenOSCreationPhase (TC_HIDDEN_OS_CREATION_PHASE_NONE);

SetHiddenOSCreationPhase (TC_HIDDEN_OS_CREATION_PHASE_CLONING);

SetHiddenOSCreationPhase (TC_HIDDEN_OS_CREATION_PHASE_WIPING);

SetHiddenOSCreationPhase (TC_HIDDEN_OS_CREATION_PHASE_WIPED);

}

SetHiddenOSCreationPhase (TC_HIDDEN_OS_CREATION_PHASE_NONE);

}

#endif // !SETUP

EfiBootConf::EfiBootConf() : passwordType (0),

passwordMsg ("Password: "),

passwordPicture ("login.bmp"),

hashMsg ("(0) TEST ALL (1) SHA512 (2) WHIRLPOOL (3) SHA256 (4) BLAKE2S (5) STREEBOG\nHash: "),

hashAlgo (0),

requestHash (0),

pimMsg ("PIM (Leave empty for default): "),

pim (0),

XmlWriteHeader (configFile);

fputws (L"\n\t<configuration>", configFile);

WriteConfigInteger (configFile, configContent, "PasswordType", passwordType);

WriteConfigString (configFile, configContent, "PasswordMsg", passwordMsg.c_str());

WriteConfigString (configFile, configContent, "PasswordPicture", passwordPicture.c_str());

WriteConfigString (configFile, configContent, "HashMsg", hashMsg.c_str());

WriteConfigInteger (configFile, configContent, "Hash", hashAlgo);

WriteConfigInteger (configFile, configContent, "HashRqt", requestHash);

WriteConfigString (configFile, configContent, "PimMsg", pimMsg.c_str());

WriteConfigInteger (configFile, configContent, "Pim", pim);

WriteConfigInteger (configFile, configContent, "PimRqt", requestPim);

WriteConfigInteger (configFile, configContent, "AuthorizeVisible", authorizeVisible);

WriteConfigInteger (configFile, configContent, "AuthorizeRetry", authorizeRetry);

WriteConfigInteger (configFile, configContent, "DcsBmlLockFlags", bmlLockFlags);

WriteConfigInteger (configFile, configContent, "DcsBmlDriver", bmlDriverEnabled);

string fieldValue;

if (IsPostExecFileField(actionSuccessValue, fieldValue) && (0 == _stricmp(fieldValue.c_str(), "\\EFI\\Microsoft\\Boot\\bootmgfw.efi")))

{

// fix wrong configuration file since bootmgfw.efi is now a copy of VeraCrypt and if we don't fix the DcsProp

// file, veraCrypt bootloader will call itself

// We first check if bootmgfw.efi is original Microsoft one. If yes, we don't do anything, otherwise we set the field to bootmgfw_ms.vc

unsigned __int64 loaderSize = 0;

bool bModifiedMsBoot = true;

EfiBootInst.GetFileSize(L"\\EFI\\Microsoft\\Boot\\bootmgfw.efi", loaderSize);

if (loaderSize > 32768)

{

EfiBootInst.ReadFile(L"\\EFI\\Microsoft\\Boot\\bootmgfw.efi", &bootLoaderBuf[0], (DWORD) loaderSize);

// look for bootmgfw.efi identifiant string

const char* g_szMsBootString = "bootmgfw.pdb";

if (BufferHasPattern (bootLoaderBuf.data (), (size_t) loaderSize, g_szMsBootString, strlen (g_szMsBootString)))

{

bModifiedMsBoot = false;

}

}

if (bModifiedMsBoot)

actionSuccessValue = "postexec file(EFI\\Microsoft\\Boot\\bootmgfw_ms.vc)";

}

WriteConfigString (configFile, configContent, "ActionSuccess", actionSuccessValue.c_str());

// Write unmodified values

char* xml = configContent;

char key[128], value[2048];

while (xml && (xml = XmlFindElement (xml, "config")))

{

XmlGetAttributeText (xml, "key", key, sizeof (key));

XmlGetNodeText (xml, value, sizeof (value));

fwprintf (configFile, L"\n\t\t<config key=\"%hs\">%hs</config>", key, value);

xml++;

}

fputws (L"\n\t</configuration>", configFile);

devicePath += BootVolumePath;

Device dev(devicePath.c_str(), TRUE);

try

{

dev.CheckOpened(SRC_POS);

}

catch (...)

{

if (!bDisableException)

throw;

}

if (dev.IsOpened())

{

bDeviceInfoValid = dev.IoCtl(IOCTL_STORAGE_GET_DEVICE_NUMBER, NULL, 0, &sdn, sizeof(sdn))

&& dev.IoCtl(IOCTL_DISK_GET_PARTITION_INFO_EX, NULL, 0, &partInfo, sizeof(partInfo));

DWORD dwLastError = GetLastError ();

dev.Close();

if (!bDeviceInfoValid && !bDisableException)

{

SetLastError (dwLastError);

throw SystemException(SRC_POS);

}

}

}

bool EfiBoot::IsEfiBoot() {

DWORD BootOrderLen;

BootOrderLen = GetFirmwareEnvironmentVariable(L"BootOrder", EfiVarGuid, tempBuf, sizeof(tempBuf));

}

void EfiBoot::DeleteStartExec(uint16 statrtOrderNum, wchar_t* type) {

// Check EFI

if (!IsEfiBoot()) {

}

wchar_t varName[256];

StringCchPrintfW(varName, ARRAYSIZE (varName), L"%s%04X", type == NULL ? L"Boot" : type, statrtOrderNum);

SetFirmwareEnvironmentVariable(varName, EfiVarGuid, NULL, 0);

wstring order = L"Order";

order.insert(0, type == NULL ? L"Boot" : type);

uint32 startOrderLen = GetFirmwareEnvironmentVariable(order.c_str(), EfiVarGuid, tempBuf, sizeof(tempBuf));

uint32 startOrderNumPos = UINT_MAX;

bool startOrderUpdate = false;

uint16* startOrder = (uint16*)tempBuf;

for (uint32 i = 0; i < startOrderLen / 2; i++) {

if (startOrder[i] == statrtOrderNum) {

startOrderNumPos = i;

break;

}

}

// delete entry if present

if (startOrderNumPos != UINT_MAX) {

for (uint32 i = startOrderNumPos; i < ((startOrderLen / 2) - 1); ++i) {

startOrder[i] = startOrder[i + 1];

}

startOrderLen -= 2;

startOrderUpdate = true;

}

if (startOrderUpdate) {

SetFirmwareEnvironmentVariable(order.c_str(), EfiVarGuid, startOrder, startOrderLen);

// remove ourselves from BootNext value

uint16 bootNextValue = 0;

wstring next = L"Next";

next.insert(0, type == NULL ? L"Boot" : type);

if ( (GetFirmwareEnvironmentVariable(next.c_str(), EfiVarGuid, &bootNextValue, 2) == 2)

&& (bootNextValue == statrtOrderNum)

)

{

SetFirmwareEnvironmentVariable(next.c_str(), EfiVarGuid, startOrder, 0);

}

}

}

void EfiBoot::SetStartExec(wstring description, wstring execPath, bool setBootEntry, bool forceFirstBootEntry, bool setBootNext, uint16 statrtOrderNum , wchar_t* type, uint32 attr) {

// Check EFI

if (!IsEfiBoot()) {

}

if (bDeviceInfoValid)

{

uint32 varSize = 56;

varSize += ((uint32) description.length()) * 2 + 2;

varSize += ((uint32) execPath.length()) * 2 + 2;

// Attributes (1b Active, 1000b - Hidden)

*(uint32 *)pVar = attr;

pVar += sizeof(uint32);

// Size Of device path + file path

*(uint16 *)pVar = (uint16)(50 + execPath.length() * 2 + 2);

pVar += sizeof(uint16);

// description

for (uint32 i = 0; i < description.length(); i++) {

*(uint16 *)pVar = description[i];

pVar += sizeof(uint16);

}

*(uint16 *)pVar = 0;

pVar += sizeof(uint16);

/* EFI_DEVICE_PATH_PROTOCOL (HARDDRIVE_DEVICE_PATH \ FILE_PATH \ END) */

// Type

// SubType

// HDD dev path length

*(uint16 *)pVar = 0x2A; // 42

pVar += sizeof(uint16);

// PartitionNumber

*(uint32 *)pVar = (uint32)partInfo.PartitionNumber;

pVar += sizeof(uint32);

// PartitionStart

*(uint64 *)pVar = partInfo.StartingOffset.QuadPart >> 9;

pVar += sizeof(uint64);

// PartitiontSize

*(uint64 *)pVar = partInfo.PartitionLength.QuadPart >> 9;

pVar += sizeof(uint64);

// GptGuid

memcpy(pVar, &partInfo.Gpt.PartitionId, 16);

pVar += 16;

// MbrType

// SigType

// Type and sub type 04 04 (file path)

*(uint16 *)pVar = 0x0404;

pVar += sizeof(uint16);

// SizeOfFilePath ((CHAR16)FullPath.length + sizeof(EndOfrecord marker) )

*(uint16 *)pVar = (uint16)(execPath.length() * 2 + 2 + sizeof(uint32));

pVar += sizeof(uint16);

// FilePath

for (uint32 i = 0; i < execPath.length(); i++) {

*(uint16 *)pVar = execPath[i];

pVar += sizeof(uint16);

}

*(uint16 *)pVar = 0;

pVar += sizeof(uint16);

// EndOfrecord

*(uint32 *)pVar = 0x04ff7f;

pVar += sizeof(uint32);

// Set variable

wchar_t varName[256];

StringCchPrintfW(varName, ARRAYSIZE (varName), L"%s%04X", type == NULL ? L"Boot" : type, statrtOrderNum);

// only set value if it doesn't already exist

DWORD existingVarLen = GetFirmwareEnvironmentVariableW (varName, EfiVarGuid, existingVar, varSize);

if ((existingVarLen != varSize) || (0 != memcmp (existingVar, startVar, varSize)))

SetFirmwareEnvironmentVariable(varName, EfiVarGuid, startVar, varSize);

delete [] startVar;

delete [] existingVar;

}

// Update order

wstring order = L"Order";

order.insert(0, type == NULL ? L"Boot" : type);

uint32 startOrderLen = GetFirmwareEnvironmentVariable(order.c_str(), EfiVarGuid, tempBuf, sizeof(tempBuf));

uint32 startOrderNumPos = UINT_MAX;

bool startOrderUpdate = false;

uint16* startOrder = (uint16*)tempBuf;

for (uint32 i = 0; i < startOrderLen / 2; i++) {

if (startOrder[i] == statrtOrderNum) {

startOrderNumPos = i;

break;

}

}

if (setBootEntry)

{

// check if first entry in BootOrder is Windows one

bool bFirstEntryIsWindows = false;

if (startOrderNumPos != 0)

{

wchar_t varName[256];

StringCchPrintfW(varName, ARRAYSIZE (varName), L"%s%04X", type == NULL ? L"Boot" : type, startOrder[0]);

DWORD existingVarLen = GetFirmwareEnvironmentVariableW (varName, EfiVarGuid, existingVar, 512);

if (existingVarLen > 0)

{

if (BufferContainsWideString (existingVar, existingVarLen, L"EFI\\Microsoft\\Boot\\bootmgfw.efi"))

bFirstEntryIsWindows = true;

}

delete [] existingVar;

}

// Create new entry if absent

if (startOrderNumPos == UINT_MAX) {

if (bDeviceInfoValid)

{

if (forceFirstBootEntry && bFirstEntryIsWindows)

{

for (uint32 i = startOrderLen / 2; i > 0; --i) {

startOrder[i] = startOrder[i - 1];

}

startOrder[0] = statrtOrderNum;

}

else

{

startOrder[startOrderLen/2] = statrtOrderNum;

}

startOrderLen += 2;

startOrderUpdate = true;

}

} else if ((startOrderNumPos > 0) && forceFirstBootEntry && bFirstEntryIsWindows) {

for (uint32 i = startOrderNumPos; i > 0; --i) {

startOrder[i] = startOrder[i - 1];

}

startOrder[0] = statrtOrderNum;

startOrderUpdate = true;

}

if (startOrderUpdate) {

SetFirmwareEnvironmentVariable(order.c_str(), EfiVarGuid, startOrder, startOrderLen);

}

}

if (setBootNext)

{

// set BootNext value

wstring next = L"Next";

next.insert(0, type == NULL ? L"Boot" : type);

SetFirmwareEnvironmentVariable(next.c_str(), EfiVarGuid, &statrtOrderNum, 2);

}

}

bool EfiBoot::CompareFiles (const wchar_t* fileName1, const wchar_t* fileName2)

{

bool bRet = false;

File f1 (fileName1, true);

File f2 (fileName2, true);

if (f1.IsOpened() && f2.IsOpened())

{

try

{

DWORD size1, size2;

f1.GetFileSize (size1);

f2.GetFileSize (size2);

if (size1 == size2)

{

// same size, so now we compare content

DWORD remainingBytes = size1, dataToRead;

while (remainingBytes)

{

dataToRead = VC_MIN (remainingBytes, (DWORD) file1Buf.size());

DWORD f1Bytes = f1.Read (file1Buf.data(), dataToRead);

DWORD f2Bytes = f2.Read (file2Buf.data(), dataToRead);

if ((f1Bytes != f2Bytes) || memcmp (file1Buf.data(), file2Buf.data(), (size_t) f1Bytes))

{

break;

}

else

{

remainingBytes -= f1Bytes;

}

}

if (0 == remainingBytes)

{

// content is the same

bRet = true;

}

}

}

catch (...) {}

}

f1.Close();

f2.Close();

return bRet;

}

{

bool bRet = false;

File f(fileName, true);

if (f.IsOpened ())

{

try

{

// check if the file has the same content

// if yes, don't perform any write operation to avoid changing its timestamp

DWORD existingSize = 0;

f.GetFileSize(existingSize);

if (existingSize == size)

{

DWORD remainingBytes = size, dataOffset = 0, dataToRead;

while (remainingBytes)

{

dataToRead = VC_MIN (remainingBytes, (DWORD) fileBuf.size());

dataToRead = f.Read (fileBuf.data(), dataToRead);

if (memcmp (data + dataOffset, fileBuf.data(), (size_t) dataToRead))

{

break;

}

else

{

dataOffset += dataToRead;

remainingBytes -= dataToRead;

}

}

if (0 == remainingBytes)

{

// content is the same

bRet = true;

}

}

}

catch (...){}

}

f.Close();

return bRet;

}

wstring path = EfiBootPartPath;

path += name;

if (!CompareFileData (path.c_str(), data, size))

{

File f(path, false, true);

f.Write(data, size);

f.Close();

}

}

bool EfiBoot::FileExists(const wchar_t* name) {

wstring path = EfiBootPartPath;

path += name;

File f(path, true);

bool bRet = f.IsOpened ();

f.Close();

return bRet;

}

void EfiBoot::GetFileSize(const wchar_t* name, unsigned __int64& size) {

wstring path = EfiBootPartPath;

path += name;

File f(path, true);

f.GetFileSize(size);

f.Close();

}

wstring path = EfiBootPartPath;

path += name;

File f(path, true);

f.Read(data, size);

f.Close();

}

void EfiBoot::CopyFile(const wchar_t* name, const wchar_t* targetName) {

wstring path = EfiBootPartPath;

path += name;

wstring targetPath;

if (targetName[0] == L'\\')

{

targetPath = EfiBootPartPath;

targetPath += targetName;

}

else

targetPath = targetName;

// if both files are the same, we don't perform copy operation

if (!CompareFiles (path.c_str(), targetPath.c_str()))

throw_sys_if (!::CopyFileW (path.c_str(), targetPath.c_str(), FALSE));

}

BOOL EfiBoot::RenameFile(const wchar_t* name, const wchar_t* nameNew, BOOL bForce) {

wstring path = EfiBootPartPath;

path += name;

wstring pathNew = EfiBootPartPath;

pathNew += nameNew;

}

}

}

void BootEncryption::InstallBootLoader (bool preserveUserConfig, bool hiddenOSCreation, int pim, int hashAlg)

{

Device device (GetSystemDriveConfiguration().DevicePath);

device.CheckOpened (SRC_POS);

InstallBootLoader (device, preserveUserConfig, hiddenOSCreation, pim, hashAlg);

}

void BootEncryption::InstallBootLoader (Device& device, bool preserveUserConfig, bool hiddenOSCreation, int pim, int hashAlg)

{

SystemDriveConfiguration config = GetSystemDriveConfiguration();

if (config.SystemPartition.IsGPT) {

if (!IsAdmin()) {

if (IsUacSupported())

{

Elevator::InstallEfiBootLoader (preserveUserConfig, hiddenOSCreation, pim, hashAlg);

return;

}

else

{

Warning ("ADMIN_PRIVILEGES_WARN_DEVICES", ParentWindow);

}

}

DWORD sizeDcsBoot;

#ifdef _WIN64

#else

#endif

if (!dcsBootImg)

throw ErrorException(L"Out of resource DcsBoot", SRC_POS);

DWORD sizeDcsInt;

#ifdef _WIN64

#else

#endif

if (!dcsIntImg)

throw ErrorException(L"Out of resource DcsInt", SRC_POS);

DWORD sizeDcsCfg;

#ifdef _WIN64

#else

#endif

if (!dcsCfgImg)

throw ErrorException(L"Out of resource DcsCfg", SRC_POS);

DWORD sizeLegacySpeaker;

#ifdef _WIN64

#else

#endif

if (!LegacySpeakerImg)

throw ErrorException(L"Out of resource LegacySpeaker", SRC_POS);

#ifdef VC_EFI_CUSTOM_MODE

DWORD sizeBootMenuLocker;

#ifdef _WIN64

#else

#endif

if (!BootMenuLockerImg)

throw ErrorException(L"Out of resource DcsBml", SRC_POS);

#endif

DWORD sizeDcsInfo;

#ifdef _WIN64

#else

#endif

if (!DcsInfoImg)

throw ErrorException(L"Out of resource DcsInfo", SRC_POS);

EfiBootInst.PrepareBootPartition(PostOOBEMode);

try

{

// Save modules

bool bAlreadyExist;

const char* g_szMsBootString = "bootmgfw.pdb";

unsigned __int64 loaderSize = 0;

const wchar_t * szStdEfiBootloader = Is64BitOs()? L"\\EFI\\Boot\\bootx64.efi": L"\\EFI\\Boot\\bootia32.efi";

const wchar_t * szBackupEfiBootloader = Is64BitOs()? L"\\EFI\\Boot\\original_bootx64.vc_backup": L"\\EFI\\Boot\\original_bootia32.vc_backup";

if (preserveUserConfig)

{

bool bModifiedMsBoot = true, bMissingMsBoot = false;;

if (EfiBootInst.FileExists (L"\\EFI\\Microsoft\\Boot\\bootmgfw.efi"))

EfiBootInst.GetFileSize(L"\\EFI\\Microsoft\\Boot\\bootmgfw.efi", loaderSize);

else

bMissingMsBoot = true;

// restore boot menu entry in case of PostOOBE

if (PostOOBEMode)

EfiBootInst.SetStartExec(L"VeraCrypt BootLoader (DcsBoot)", L"\\EFI\\VeraCrypt\\DcsBoot.efi", SetBootEntry, ForceFirstBootEntry, SetBootNext);

if (EfiBootInst.FileExists (L"\\EFI\\Microsoft\\Boot\\bootmgfw_ms.vc"))

{

if (loaderSize > 32768)

{

EfiBootInst.ReadFile(L"\\EFI\\Microsoft\\Boot\\bootmgfw.efi", &bootLoaderBuf[0], (DWORD) loaderSize);

// look for bootmgfw.efi identifiant string

if (BufferHasPattern (bootLoaderBuf.data (), (size_t) loaderSize, g_szMsBootString, strlen (g_szMsBootString)))

{

bModifiedMsBoot = false;

// replace the backup with this version

EfiBootInst.RenameFile (L"\\EFI\\Microsoft\\Boot\\bootmgfw.efi", L"\\EFI\\Microsoft\\Boot\\bootmgfw_ms.vc", TRUE);

}

}

}

else

{

// DcsBoot.efi is always smaller than 32KB

if (loaderSize > 32768)

{

EfiBootInst.ReadFile(L"\\EFI\\Microsoft\\Boot\\bootmgfw.efi", &bootLoaderBuf[0], (DWORD) loaderSize);

// look for bootmgfw.efi identifiant string

if (BufferHasPattern (bootLoaderBuf.data (), (size_t) loaderSize, g_szMsBootString, strlen (g_szMsBootString)))

bModifiedMsBoot = false;

}

if (!bModifiedMsBoot)

{

EfiBootInst.RenameFile (L"\\EFI\\Microsoft\\Boot\\bootmgfw.efi", L"\\EFI\\Microsoft\\Boot\\bootmgfw_ms.vc", TRUE);

}

else

{

bool bFound = false;

EfiBootConf conf;

if (EfiBootInst.ReadConfig (L"\\EFI\\VeraCrypt\\DcsProp", conf) && strlen (conf.actionSuccessValue.c_str()))

{

wstring loaderPath;

if (EfiBootConf::IsPostExecFileField (conf.actionSuccessValue, loaderPath))

{

// check that it is not bootmgfw.efi

if ( (0 != _wcsicmp (loaderPath.c_str(), L"\\EFI\\Microsoft\\Boot\\bootmgfw.efi"))

&& (EfiBootInst.FileExists (loaderPath.c_str()))

)

{

// look for bootmgfw.efi identifiant string

EfiBootInst.GetFileSize(loaderPath.c_str(), loaderSize);

EfiBootInst.ReadFile(loaderPath.c_str(), &bootLoaderBuf[0], (DWORD) loaderSize);

// look for bootmgfw.efi identifiant string

if (BufferHasPattern (bootLoaderBuf.data (), (size_t) loaderSize, g_szMsBootString, strlen (g_szMsBootString)))

{

bFound = true;

EfiBootInst.RenameFile(loaderPath.c_str(), L"\\EFI\\Microsoft\\Boot\\bootmgfw_ms.vc", TRUE);

}

}

}

}

if (!bFound && !PostOOBEMode)

throw ErrorException ("WINDOWS_EFI_BOOT_LOADER_MISSING", SRC_POS);

}

}

if (PostOOBEMode && EfiBootInst.FileExists (L"\\EFI\\VeraCrypt\\DcsBoot.efi"))

{

// check if bootmgfw.efi has been set again to Microsoft version

// if yes, replace it with our bootloader after it was copied to bootmgfw_ms.vc

if (!bModifiedMsBoot || bMissingMsBoot)

EfiBootInst.CopyFile (L"\\EFI\\VeraCrypt\\DcsBoot.efi", L"\\EFI\\Microsoft\\Boot\\bootmgfw.efi");

if (EfiBootInst.FileExists (szStdEfiBootloader))

{

// check if standard bootloader under EFI\Boot has been set to Microsoft version

// if yes, replace it with our bootloader

EfiBootInst.GetFileSize(szStdEfiBootloader, loaderSize);

if (loaderSize > 32768)

{

EfiBootInst.ReadFile(szStdEfiBootloader, &bootLoaderBuf[0], (DWORD) loaderSize);

// look for bootmgfw.efi identifiant string

if (BufferHasPattern (bootLoaderBuf.data (), (size_t) loaderSize, g_szMsBootString, strlen (g_szMsBootString)))

{

EfiBootInst.RenameFile (szStdEfiBootloader, szBackupEfiBootloader, TRUE);

EfiBootInst.CopyFile (L"\\EFI\\VeraCrypt\\DcsBoot.efi", szStdEfiBootloader);

}

}

}

return;

}

}

EfiBootInst.MkDir(L"\\EFI\\VeraCrypt", bAlreadyExist);

EfiBootInst.SaveFile(L"\\EFI\\VeraCrypt\\DcsBoot.efi", dcsBootImg, sizeDcsBoot);

EfiBootInst.SaveFile(L"\\EFI\\VeraCrypt\\DcsInt.dcs", dcsIntImg, sizeDcsInt);

EfiBootInst.SaveFile(L"\\EFI\\VeraCrypt\\DcsCfg.dcs", dcsCfgImg, sizeDcsCfg);

EfiBootInst.SaveFile(L"\\EFI\\VeraCrypt\\LegacySpeaker.dcs", LegacySpeakerImg, sizeLegacySpeaker);

#ifdef VC_EFI_CUSTOM_MODE

EfiBootInst.SaveFile(L"\\EFI\\VeraCrypt\\DcsBml.dcs", BootMenuLockerImg, sizeBootMenuLocker);

#endif

EfiBootInst.SaveFile(L"\\EFI\\VeraCrypt\\DcsInfo.dcs", DcsInfoImg, sizeDcsInfo);

if (!preserveUserConfig)

EfiBootInst.DelFile(L"\\EFI\\VeraCrypt\\PlatformInfo");

EfiBootInst.SetStartExec(L"VeraCrypt BootLoader (DcsBoot)", L"\\EFI\\VeraCrypt\\DcsBoot.efi", SetBootEntry, ForceFirstBootEntry, SetBootNext);

if (EfiBootInst.FileExists (szStdEfiBootloader))

{

// check if standard bootloader under EFI\Boot is Microsoft one or if it is ours

// if both cases, replace it with our bootloader otherwise do nothing

EfiBootInst.GetFileSize(szStdEfiBootloader, loaderSize);

EfiBootInst.ReadFile(szStdEfiBootloader, &bootLoaderBuf[0], (DWORD) loaderSize);

// look for bootmgfw.efi or VeraCrypt identifiant strings

if ( ((loaderSize > 32768) && BufferHasPattern (bootLoaderBuf.data (), (size_t) loaderSize, g_szMsBootString, strlen (g_szMsBootString)))

)

{

EfiBootInst.RenameFile (szStdEfiBootloader, szBackupEfiBootloader, TRUE);

EfiBootInst.SaveFile(szStdEfiBootloader, dcsBootImg, sizeDcsBoot);

}

if ( ((loaderSize <= 32768) && BufferHasPattern (bootLoaderBuf.data (), (size_t) loaderSize, _T(TC_APP_NAME), strlen (TC_APP_NAME) * 2))

)

{

EfiBootInst.SaveFile(szStdEfiBootloader, dcsBootImg, sizeDcsBoot);

}

}

EfiBootInst.SaveFile(L"\\EFI\\Microsoft\\Boot\\bootmgfw.efi", dcsBootImg, sizeDcsBoot);

// move configuration file from old location (if it exists) to new location

// we don't force the move operation if the new location already exists

EfiBootInst.RenameFile (L"\\DcsProp", L"\\EFI\\VeraCrypt\\DcsProp", FALSE);

EfiBootInst.RenameFile (L"\\DcsBoot", L"\\EFI\\VeraCrypt\\DcsBoot", FALSE);

// move the original bootloader backup from old location (if it exists) to new location

// we don't force the move operation if the new location already exists

if (Is64BitOs())

EfiBootInst.RenameFile (L"\\EFI\\Boot\\original_bootx64_vc_backup.efi", L"\\EFI\\Boot\\original_bootx64.vc_backup", FALSE);

else

EfiBootInst.RenameFile (L"\\EFI\\Boot\\original_bootia32_vc_backup.efi", L"\\EFI\\Boot\\original_bootia32.vc_backup", FALSE);

// Clean beta9

EfiBootInst.DelFile(L"\\DcsBoot.efi");

EfiBootInst.DelFile(L"\\DcsInt.efi");

EfiBootInst.DelFile(L"\\DcsCfg.efi");

EfiBootInst.DelFile(L"\\LegacySpeaker.efi");

EfiBootInst.DelFile(L"\\DcsBoot");

EfiBootInst.DelFile(L"\\DcsProp");

#ifndef VC_EFI_CUSTOM_MODE

// remove DcsBml if it exists since we don't use it in non-custom SecureBoot mode

EfiBootInst.DelFile(L"\\EFI\\VeraCrypt\\DcsBml.dcs");

#endif

}

catch (...)

{

throw;

}

EfiBootInst.WriteConfig (L"\\EFI\\VeraCrypt\\DcsProp", preserveUserConfig, pim, hashAlg, NULL, ParentWindow);

}

else

{

try

{

CreateBootLoaderInMemory (bootLoaderBuf, sizeof (bootLoaderBuf), false, hiddenOSCreation);

// Write MBR

device.SeekAt (0);

device.Read (mbr, sizeof (mbr));

if (preserveUserConfig && BufferContainsString (mbr, sizeof (mbr), TC_APP_NAME))

{

uint16 version = BE16 (*(uint16 *) (mbr + TC_BOOT_SECTOR_VERSION_OFFSET));

if (version != 0)

{

bootLoaderBuf[TC_BOOT_SECTOR_USER_CONFIG_OFFSET] = mbr[TC_BOOT_SECTOR_USER_CONFIG_OFFSET];

memcpy (bootLoaderBuf + TC_BOOT_SECTOR_USER_MESSAGE_OFFSET, mbr + TC_BOOT_SECTOR_USER_MESSAGE_OFFSET, TC_BOOT_SECTOR_USER_MESSAGE_MAX_LENGTH);

if (bootLoaderBuf[TC_BOOT_SECTOR_USER_CONFIG_OFFSET] & TC_BOOT_USER_CFG_FLAG_DISABLE_PIM)

{

if (pim >= 0)

{

memcpy (bootLoaderBuf + TC_BOOT_SECTOR_PIM_VALUE_OFFSET, &pim, TC_BOOT_SECTOR_PIM_VALUE_SIZE);

}

else

memcpy (bootLoaderBuf + TC_BOOT_SECTOR_PIM_VALUE_OFFSET, mbr + TC_BOOT_SECTOR_PIM_VALUE_OFFSET, TC_BOOT_SECTOR_PIM_VALUE_SIZE);

}

}

}

// perform actual write only if content is different and either we are not in PostOOBE mode or the MBR contains VeraCrypt/Windows signature.

// this last check is done to avoid interfering with multi-boot configuration where MBR belongs to a boot manager like Grub

if (memcmp (mbr, bootLoaderBuf, TC_MAX_MBR_BOOT_CODE_SIZE)

&& (!PostOOBEMode || BufferContainsString (mbr, sizeof (mbr), TC_APP_NAME) || IsWindowsMBR (mbr, sizeof (mbr))))

{

memcpy (mbr, bootLoaderBuf, TC_MAX_MBR_BOOT_CODE_SIZE);

device.SeekAt (0);

device.Write (mbr, sizeof (mbr));

device.SeekAt (0);

device.Read (mbrVerificationBuf, sizeof (mbr));

if (memcmp (mbr, mbrVerificationBuf, sizeof (mbr)) != 0)

throw ErrorException ("ERROR_MBR_PROTECTED", SRC_POS);

}

if (!PostOOBEMode)

{

// Write boot loader

device.SeekAt (TC_SECTOR_SIZE_BIOS);

device.Write (bootLoaderBuf + TC_SECTOR_SIZE_BIOS, sizeof (bootLoaderBuf) - TC_SECTOR_SIZE_BIOS);

}

}

catch (...)

{

if (!PostOOBEMode)

throw;

}

}

if (!IsAdmin() && IsUacSupported())

{

Elevator::UpdateSetupConfigFile (true);

}

else

{

UpdateSetupConfigFile (true);

}

}

#ifndef SETUP

bool BootEncryption::CheckBootloaderFingerprint (bool bSilent)

{

SystemDriveConfiguration config = GetSystemDriveConfiguration();

// return true for now when EFI system encryption is used until we implement

// a dedicated EFI fingerprinting mechanism in VeraCrypt driver

if (config.SystemPartition.IsGPT)

return true;

bool bRet = false;

try

{

// read bootloader fingerprint

GetInstalledBootLoaderFingerprint (fingerprint);

// compute expected fingerprint

CreateBootLoaderInMemory (bootLoaderBuf, sizeof (bootLoaderBuf), false, false);

::ComputeBootloaderFingerprint (bootLoaderBuf, sizeof (bootLoaderBuf), expectedFingerprint);

// compare values

if (0 == memcmp (fingerprint, expectedFingerprint, sizeof (expectedFingerprint)))

{

bRet = true;

}

}

catch (SystemException &e)

{

if (!bSilent && (GetLastError () != ERROR_INVALID_IMAGE_HASH))

e.Show (ParentWindow);

}

catch (Exception& e)

{

if (!bSilent)

e.Show (ParentWindow);

}

return bRet;

}

return path + L'\\' + TC_SYS_BOOT_LOADER_BACKUP_NAME;

}

void BootEncryption::RenameDeprecatedSystemLoaderBackup ()

{

WCHAR pathBuf[MAX_PATH];

if (SUCCEEDED (SHGetFolderPath (NULL, CSIDL_COMMON_APPDATA, NULL, 0, pathBuf)))

{

wstring path = wstring (pathBuf) + L"\\" _T(TC_APP_NAME) + L'\\' + TC_SYS_BOOT_LOADER_BACKUP_NAME_LEGACY;

if (FileExists (path.c_str()) && !FileExists (GetSystemLoaderBackupPath().c_str()))

throw_sys_if (_wrename (path.c_str(), GetSystemLoaderBackupPath().c_str()) != 0);

}

}

#ifndef SETUP

void BootEncryption::CreateRescueIsoImage (bool initialSetup, const wstring &isoImagePath)

{

BootEncryptionStatus encStatus = GetStatus();

if (encStatus.SetupInProgress)

throw ParameterIncorrect (SRC_POS);

BOOL bIsGPT = GetSystemDriveConfiguration().SystemPartition.IsGPT;

if (bIsGPT)

{

// create EFI disk structure

DWORD sizeDcsBoot;

#ifdef _WIN64

#else

#endif

if (!dcsBootImg)

throw ParameterIncorrect (SRC_POS);

DWORD sizeDcsInt;

#ifdef _WIN64

#else

#endif

if (!dcsIntImg)

throw ParameterIncorrect (SRC_POS);

DWORD sizeDcsCfg;

#ifdef _WIN64

#else

#endif

if (!dcsCfgImg)

throw ParameterIncorrect (SRC_POS);

DWORD sizeLegacySpeaker;

#ifdef _WIN64

#else

#endif

if (!LegacySpeakerImg)

throw ParameterIncorrect (SRC_POS);

#ifdef VC_EFI_CUSTOM_MODE

DWORD sizeBootMenuLocker;

#ifdef _WIN64

#else

#endif

if (!BootMenuLockerImg)

throw ParameterIncorrect (SRC_POS);

#endif

DWORD sizeDcsRescue;

#ifdef _WIN64

#else

#endif

if (!DcsRescueImg)

throw ParameterIncorrect (SRC_POS);

DWORD sizeDcsInfo;

#ifdef _WIN64

#else

#endif

if (!DcsInfoImg)

throw ParameterIncorrect (SRC_POS);

WCHAR szTmpPath[MAX_PATH + 1], szTmpFilePath[MAX_PATH + 1];

if (!GetTempPathW (MAX_PATH, szTmpPath))

throw SystemException (SRC_POS);

if (!GetTempFileNameW (szTmpPath, L"_vrd", 0, szTmpFilePath))

throw SystemException (SRC_POS);

finally_do_arg (WCHAR*, szTmpFilePath, { DeleteFileW (finally_arg);});

int ierr;

// convert szTmpFilePath to UTF-8 since this is what zip_open expected

char szUtf8Path[2*MAX_PATH + 1];

int utf8Len = WideCharToMultiByte (CP_UTF8, 0, szTmpFilePath, -1, szUtf8Path, sizeof (szUtf8Path), NULL, NULL);

if (utf8Len <= 0)

throw SystemException (SRC_POS);

zip_t* z = zip_open (szUtf8Path, ZIP_CREATE | ZIP_TRUNCATE | ZIP_CHECKCONS, &ierr);

if (!z)

throw ParameterIncorrect (SRC_POS);

finally_do_arg (zip_t**, &z, { if (*finally_arg) zip_discard (*finally_arg);});

if (!ZipAdd (z, Is64BitOs()? "EFI/Boot/bootx64.efi": "EFI/Boot/bootia32.efi", DcsRescueImg, sizeDcsRescue))

throw ParameterIncorrect (SRC_POS);

#ifdef VC_EFI_CUSTOM_MODE

if (!ZipAdd (z, "EFI/VeraCrypt/DcsBml.dcs", BootMenuLockerImg, sizeBootMenuLocker))

finally_do_arg (wstring, dcsPropFileName, { DeleteFileW (finally_arg.c_str()); });

if (conf.Save(dcsPropFileName.c_str(), ParentWindow))

{

DWORD fileSize = 0;

File propFile (dcsPropFileName, true, false);

propFile.CheckOpened (SRC_POS);

propFile.GetFileSize(fileSize);

propBuf.Resize (fileSize);

DWORD sizeDcsProp = propFile.Read (propBuf.Ptr (), fileSize);

if (!ZipAdd (z, "EFI/VeraCrypt/DcsProp", propBuf.Ptr (), sizeDcsProp))

throw ParameterIncorrect (SRC_POS);

}

else

throw ParameterIncorrect (SRC_POS);

// flush the zip content to the temporary file

if (zip_close (z) < 0)

throw ParameterIncorrect (SRC_POS);

z = NULL;

// read the zip data from the temporary file

FILE* ftmpFile = _wfopen (szTmpFilePath, L"rb");

if (!ftmpFile)

throw ParameterIncorrect (SRC_POS);

finally_do_arg (FILE*, ftmpFile, { fclose (finally_arg); });

unsigned long ulZipSize = (unsigned long) _filelength (_fileno (ftmpFile));

if (!RescueZipData)

throw bad_alloc();

if (ulZipSize != fread (RescueZipData, 1, ulZipSize, ftmpFile))

{

delete [] RescueZipData;

RescueZipData = NULL;

throw ParameterIncorrect (SRC_POS);

}

RescueZipSize = ulZipSize;

if (!isoImagePath.empty())

{

File isoFile (isoImagePath, false, true);

isoFile.Write (RescueZipData, RescueZipSize);

}

}

else

{

Buffer imageBuf (RescueIsoImageSize);

memset (image, 0, RescueIsoImageSize);

// Primary volume descriptor

const char* szPrimVolDesc = "\001CD001\001";

const char* szPrimVolLabel = "VeraCrypt Rescue Disk ";

memcpy (image + 0x8000, szPrimVolDesc, strlen(szPrimVolDesc) + 1);

memcpy (image + 0x7fff + 41, szPrimVolLabel, strlen(szPrimVolLabel) + 1);

*(uint32 *) (image + 0x7fff + 81) = RescueIsoImageSize / 2048;

*(uint32 *) (image + 0x7fff + 85) = BE32 (RescueIsoImageSize / 2048);

image[0x7fff + 121] = 1;

image[0x7fff + 124] = 1;

image[0x7fff + 125] = 1;

image[0x7fff + 128] = 1;

image[0x7fff + 130] = 8;

image[0x7fff + 131] = 8;

image[0x7fff + 133] = 10;

image[0x7fff + 140] = 10;

image[0x7fff + 141] = 0x14;

image[0x7fff + 157] = 0x22;

image[0x7fff + 159] = 0x18;

// Boot record volume descriptor

const char* szBootRecDesc = "CD001\001EL TORITO SPECIFICATION";

memcpy (image + 0x8801, szBootRecDesc, strlen(szBootRecDesc) + 1);

image[0x8800 + 0x47] = 0x19;

// Volume descriptor set terminator

const char* szVolDescTerm = "\377CD001\001";

memcpy (image + 0x9000, szVolDescTerm, strlen(szVolDescTerm) + 1);

throw ParameterIncorrect (SRC_POS);

memcpy (image + TC_CD_BOOTSECTOR_OFFSET + TC_BOOT_VOLUME_HEADER_SECTOR_OFFSET, RescueVolumeHeader, TC_BOOT_ENCRYPTION_VOLUME_HEADER_SIZE);

}

else

{

Device bootDevice (GetSystemDriveConfiguration().DevicePath, true);

bootDevice.CheckOpened (SRC_POS);

bootDevice.SeekAt (TC_BOOT_VOLUME_HEADER_SECTOR_OFFSET);

bootDevice.Read (image + TC_CD_BOOTSECTOR_OFFSET + TC_BOOT_VOLUME_HEADER_SECTOR_OFFSET, TC_BOOT_ENCRYPTION_VOLUME_HEADER_SIZE);

}

// Original system loader

try

{

File sysBakFile (GetSystemLoaderBackupPath(), true);

sysBakFile.CheckOpened (SRC_POS);

sysBakFile.Read (image + TC_CD_BOOTSECTOR_OFFSET + TC_ORIG_BOOT_LOADER_BACKUP_SECTOR_OFFSET, TC_BOOT_LOADER_AREA_SIZE);

image[TC_CD_BOOTSECTOR_OFFSET + TC_BOOT_SECTOR_CONFIG_OFFSET] |= TC_BOOT_CFG_FLAG_RESCUE_DISK_ORIG_SYS_LOADER;

}

catch (Exception &e)

{

e.Show (ParentWindow);

Warning ("SYS_LOADER_UNAVAILABLE_FOR_RESCUE_DISK", ParentWindow);

}

// Boot loader backup

CreateBootLoaderInMemory (image + TC_CD_BOOTSECTOR_OFFSET + TC_BOOT_LOADER_BACKUP_RESCUE_DISK_SECTOR_OFFSET, TC_BOOT_LOADER_AREA_SIZE, false);

if (!RescueIsoImage)

throw bad_alloc();

memcpy (RescueIsoImage, image, RescueIsoImageSize);

if (!isoImagePath.empty())

{

File isoFile (isoImagePath, false, true);

isoFile.Write (image, RescueIsoImageSize);

}

}

}

#endif

bool BootEncryption::IsCDRecorderPresent ()

{

ICDBurn* pICDBurn;

BOOL bHasRecorder = FALSE;

if (SUCCEEDED( CoCreateInstance (CLSID_CDBurn, NULL,CLSCTX_INPROC_SERVER,IID_ICDBurn,(LPVOID*)&pICDBurn)))

{

if (pICDBurn->HasRecordableDrive (&bHasRecorder) != S_OK)

{

bHasRecorder = FALSE;

}

pICDBurn->Release();

}

return bHasRecorder? true : false;

}

}

return false;

}

#ifndef SETUP

void BootEncryption::CreateVolumeHeader (uint64 volumeSize, uint64 encryptedAreaStart, Password *password, int ea, int mode, int pkcs5, int pim)

{

PCRYPTO_INFO cryptoInfo = NULL;

if (!IsRandomNumberGeneratorStarted())

throw ParameterIncorrect (SRC_POS);

throw_sys_if (CreateVolumeHeaderInMemory (ParentWindow, TRUE, (char *) VolumeHeader, ea, mode, password, pkcs5, pim, NULL, &cryptoInfo,

volumeSize, 0, encryptedAreaStart, 0, TC_SYSENC_KEYSCOPE_MIN_REQ_PROG_VERSION, TC_HEADER_FLAG_ENCRYPTED_SYSTEM, TC_SECTOR_SIZE_BIOS, FALSE) != 0);

finally_do_arg (PCRYPTO_INFO*, &cryptoInfo, { crypto_close (*finally_arg); });

// Initial rescue disk assumes encryption of the drive has been completed (EncryptedAreaLength == volumeSize)

memcpy (RescueVolumeHeader, VolumeHeader, sizeof (RescueVolumeHeader));

if (0 != ReadVolumeHeader (TRUE, (char *) RescueVolumeHeader, password, pkcs5, pim, NULL, cryptoInfo))

throw ParameterIncorrect (SRC_POS);

DecryptBuffer (RescueVolumeHeader + HEADER_ENCRYPTED_DATA_OFFSET, HEADER_ENCRYPTED_DATA_SIZE, cryptoInfo);

if (GetHeaderField32 (RescueVolumeHeader, TC_HEADER_OFFSET_MAGIC) != 0x56455241)

throw ParameterIncorrect (SRC_POS);

mputInt64 (fieldPos, volumeSize);

// CRC of the header fields

uint32 crc = GetCrc32 (RescueVolumeHeader + TC_HEADER_OFFSET_MAGIC, TC_HEADER_OFFSET_HEADER_CRC - TC_HEADER_OFFSET_MAGIC);

fieldPos = RescueVolumeHeader + TC_HEADER_OFFSET_HEADER_CRC;

mputLong (fieldPos, crc);

EncryptBuffer (RescueVolumeHeader + HEADER_ENCRYPTED_DATA_OFFSET, HEADER_ENCRYPTED_DATA_SIZE, cryptoInfo);

VolumeHeaderValid = true;

RescueVolumeHeaderValid = true;

}

void BootEncryption::InstallVolumeHeader ()

{

if (!VolumeHeaderValid)

throw ParameterIncorrect (SRC_POS);

Device device (GetSystemDriveConfiguration().DevicePath);

device.CheckOpened (SRC_POS);

device.SeekAt (TC_BOOT_VOLUME_HEADER_SECTOR_OFFSET);

}

// For synchronous operations use AbortSetupWait()

void BootEncryption::AbortSetup ()

{

CallDriver (TC_IOCTL_ABORT_BOOT_ENCRYPTION_SETUP);

}

// For asynchronous operations use AbortSetup()

void BootEncryption::AbortSetupWait ()

{

CallDriver (TC_IOCTL_ABORT_BOOT_ENCRYPTION_SETUP);

BootEncryptionStatus encStatus = GetStatus();

while (encStatus.SetupInProgress)

{

Sleep (TC_ABORT_TRANSFORM_WAIT_INTERVAL);

encStatus = GetStatus();

}

}

void BootEncryption::BackupSystemLoader ()

{

if (GetSystemDriveConfiguration().SystemPartition.IsGPT)

{

if (!IsAdmin()) {

if (IsUacSupported())

{

Elevator::BackupEfiSystemLoader ();

return;

}

else

{

Warning ("ADMIN_PRIVILEGES_WARN_DEVICES", ParentWindow);

}

}

unsigned __int64 loaderSize = 0;

const wchar_t * szStdMsBootloader = L"\\EFI\\Microsoft\\Boot\\bootmgfw.efi";

const wchar_t * szBackupMsBootloader = L"\\EFI\\Microsoft\\Boot\\bootmgfw_ms.vc";

const char* g_szMsBootString = "bootmgfw.pdb";

bool bModifiedMsBoot = true;

EfiBootInst.PrepareBootPartition();

EfiBootInst.GetFileSize(szStdMsBootloader, loaderSize);

bootLoaderBuf.resize ((size_t) loaderSize);

EfiBootInst.ReadFile(szStdMsBootloader, &bootLoaderBuf[0], (DWORD) loaderSize);

// DcsBoot.efi is always smaller than 32KB

if (loaderSize > 32768)

{

// look for bootmgfw.efi identifiant string

if (BufferHasPattern (bootLoaderBuf.data (), (size_t) loaderSize, g_szMsBootString, strlen (g_szMsBootString)))

bModifiedMsBoot = false;

}

else

{

if (BufferHasPattern (bootLoaderBuf.data (), (size_t) loaderSize, _T(TC_APP_NAME), wcslen (_T(TC_APP_NAME)) * 2))

{

if (AskWarnNoYes ("TC_BOOT_LOADER_ALREADY_INSTALLED", ParentWindow) == IDNO)

throw UserAbort (SRC_POS);

// check if backup exists already and if it has bootmgfw signature

if (EfiBootInst.FileExists (szBackupMsBootloader))

{

EfiBootInst.GetFileSize(szBackupMsBootloader, loaderSize);

bootLoaderBuf.resize ((size_t) loaderSize);

EfiBootInst.ReadFile(szBackupMsBootloader, &bootLoaderBuf[0], (DWORD) loaderSize);

if (BufferHasPattern (bootLoaderBuf.data (), (size_t) loaderSize, g_szMsBootString, strlen (g_szMsBootString)))

{

// copy it to original location

EfiBootInst.CopyFile (szBackupMsBootloader, szStdMsBootloader);

bModifiedMsBoot = false;

}

}

if (bModifiedMsBoot)

return;

}

}

if (bModifiedMsBoot)

{

Error ("WINDOWS_EFI_BOOT_LOADER_MISSING", ParentWindow);

throw UserAbort (SRC_POS);

}

EfiBootInst.CopyFile (szStdMsBootloader, szBackupMsBootloader);

EfiBootInst.CopyFile (szStdMsBootloader, GetSystemLoaderBackupPath().c_str());

}

else

{

Device device (GetSystemDriveConfiguration().DevicePath, true);

device.CheckOpened (SRC_POS);

device.SeekAt (0);

device.Read (bootLoaderBuf, sizeof (bootLoaderBuf));

// Prevent TrueCrypt loader from being backed up

for (size_t i = 0; i < sizeof (bootLoaderBuf) - strlen (TC_APP_NAME); ++i)

{

if (memcmp (bootLoaderBuf + i, TC_APP_NAME, strlen (TC_APP_NAME)) == 0)

{

if (AskWarnNoYes ("TC_BOOT_LOADER_ALREADY_INSTALLED", ParentWindow) == IDNO)

throw UserAbort (SRC_POS);

return;

}

}

File backupFile (GetSystemLoaderBackupPath(), false, true);

backupFile.Write (bootLoaderBuf, sizeof (bootLoaderBuf));

}

}

void BootEncryption::RestoreSystemLoader ()

{

SystemDriveConfiguration config = GetSystemDriveConfiguration();

if (config.SystemPartition.IsGPT) {

if (!IsAdmin()) {

if (IsUacSupported())

{

Elevator::RestoreEfiSystemLoader ();

return;

{

Warning ("ADMIN_PRIVILEGES_WARN_DEVICES", ParentWindow);

}

}

EfiBootInst.PrepareBootPartition();

EfiBootInst.DeleteStartExec();

EfiBootInst.DeleteStartExec(0xDC5B, L"Driver"); // remove DcsBml boot driver it was installed

if (Is64BitOs())

EfiBootInst.RenameFile(L"\\EFI\\Boot\\original_bootx64.vc_backup", L"\\EFI\\Boot\\bootx64.efi", TRUE);

else

EfiBootInst.RenameFile(L"\\EFI\\Boot\\original_bootia32.vc_backup", L"\\EFI\\Boot\\bootia32.efi", TRUE);

if (!EfiBootInst.RenameFile(L"\\EFI\\Microsoft\\Boot\\bootmgfw_ms.vc", L"\\EFI\\Microsoft\\Boot\\bootmgfw.efi", TRUE))

{

EfiBootConf conf;

if (EfiBootInst.ReadConfig (L"\\EFI\\VeraCrypt\\DcsProp", conf) && strlen (conf.actionSuccessValue.c_str()))

{

wstring loaderPath;

if (EfiBootConf::IsPostExecFileField (conf.actionSuccessValue, loaderPath))

{

// check that it is not bootmgfw_ms.vc or bootmgfw.efi

if ( (0 != _wcsicmp (loaderPath.c_str(), L"\\EFI\\Microsoft\\Boot\\bootmgfw_ms.vc"))

&& (0 != _wcsicmp (loaderPath.c_str(), L"\\EFI\\Microsoft\\Boot\\bootmgfw.efi"))

)

{

const char* g_szMsBootString = "bootmgfw.pdb";

unsigned __int64 loaderSize = 0;

EfiBootInst.GetFileSize(loaderPath.c_str(), loaderSize);

EfiBootInst.ReadFile(loaderPath.c_str(), &bootLoaderBuf[0], (DWORD) loaderSize);

// look for bootmgfw.efi identifiant string

if (BufferHasPattern (bootLoaderBuf.data (), (size_t) loaderSize, g_szMsBootString, strlen (g_szMsBootString)))

{

EfiBootInst.RenameFile(loaderPath.c_str(), L"\\EFI\\Microsoft\\Boot\\bootmgfw.efi", TRUE);

}

}

}

}

}

EfiBootInst.DelFile(L"\\DcsBoot.efi");

EfiBootInst.DelFile(L"\\DcsInt.efi");

EfiBootInst.DelFile(L"\\DcsCfg.efi");

EfiBootInst.DelFile(L"\\LegacySpeaker.efi");

EfiBootInst.DelFile(L"\\DcsBoot");

EfiBootInst.DelFile(L"\\DcsProp");

EfiBootInst.DelFile(L"\\EFI\\VeraCrypt\\DcsBoot.efi");

EfiBootInst.DelFile(L"\\EFI\\VeraCrypt\\DcsInt.dcs");

EfiBootInst.DelFile(L"\\EFI\\VeraCrypt\\DcsCfg.dcs");

EfiBootInst.DelFile(L"\\EFI\\VeraCrypt\\LegacySpeaker.dcs");

EfiBootInst.DelFile(L"\\EFI\\VeraCrypt\\DcsBml.dcs");

EfiBootInst.DelFile(L"\\EFI\\VeraCrypt\\DcsBoot");

EfiBootInst.DelFile(L"\\EFI\\VeraCrypt\\DcsInfo.dcs");

EfiBootInst.DelFile(L"\\EFI\\VeraCrypt\\PlatformInfo");

EfiBootInst.DelFile(L"\\EFI\\VeraCrypt\\DcsProp");

EfiBootInst.DelDir (L"\\EFI\\VeraCrypt");

}

else

{

File backupFile (GetSystemLoaderBackupPath(), true);

backupFile.CheckOpened(SRC_POS);

if (backupFile.Read (bootLoaderBuf, sizeof (bootLoaderBuf)) != sizeof (bootLoaderBuf))

throw ParameterIncorrect (SRC_POS);

Device device (GetSystemDriveConfiguration().DevicePath);

device.CheckOpened (SRC_POS);

// Preserve current partition table

device.SeekAt (0);

device.Read (mbr, sizeof (mbr));

memcpy (bootLoaderBuf + TC_MAX_MBR_BOOT_CODE_SIZE, mbr + TC_MAX_MBR_BOOT_CODE_SIZE, sizeof (mbr) - TC_MAX_MBR_BOOT_CODE_SIZE);

device.SeekAt (0);

device.Write (bootLoaderBuf, sizeof (bootLoaderBuf));

}

if (!IsAdmin() && IsUacSupported())

{

Elevator::UpdateSetupConfigFile (false);

}

else

{

UpdateSetupConfigFile (false);

}

}

#endif // SETUP

static bool CompareMultiString (const char* str1, const char* str2)

{

size_t l1, l2;

if (!str1 || !str2)

return false;

while (true)

{

l1 = strlen (str1);

l2 = strlen (str2);

if (l1 == l2)

bRet = true;

break;

}

offset = (DWORD) strlen (mszDest) + 1;

mszDest += offset;

remainingSize -= offset;

}

}

return bRet;

}

void BootEncryption::RegisterFilter (bool registerFilter, FilterType filterType, const GUID *deviceClassGuid)

{

string filter;

string filterReg;

HKEY regKey;

switch (filterType)

{

case DriveFilter:

case VolumeFilter:

filter = "veracrypt";

filterReg = "UpperFilters";

regKey = OpenDeviceClassRegKey (deviceClassGuid);

throw_sys_if (regKey == INVALID_HANDLE_VALUE);

break;

case DumpFilter:

filter = "veracrypt.sys";

filterReg = "DumpFilters";

SetLastError (RegOpenKeyEx (HKEY_LOCAL_MACHINE, L"SYSTEM\\CurrentControlSet\\Control\\CrashControl", 0, KEY_READ | KEY_WRITE, &regKey));

throw_sys_if (GetLastError() != ERROR_SUCCESS);

break;

default:

throw ParameterIncorrect (SRC_POS);

}

finally_do_arg (HKEY, regKey, { RegCloseKey (finally_arg); });

if (registerFilter)

{

if (filterType != DumpFilter)

{

// Register class filter below all other filters in the stack

size_t strSize = filter.size() + 1;

DWORD size = (DWORD) (sizeof (regKeyBuf) - strSize);

// SetupInstallFromInfSection() does not support prepending of values so we have to modify the registry directly

StringCchCopyA ((char *) regKeyBuf, ARRAYSIZE(regKeyBuf), filter.c_str());

if (RegQueryValueExA (regKey, filterReg.c_str(), NULL, NULL, regKeyBuf + strSize, &size) != ERROR_SUCCESS)

size = 1;

SetLastError (RegSetValueExA (regKey, filterReg.c_str(), 0, REG_MULTI_SZ, regKeyBuf, (DWORD) strSize + size));

throw_sys_if (GetLastError() != ERROR_SUCCESS);

}

else

{

// workaround rare SetupInstallFromInfSection which overwrite value instead of appending new value

// read initial value

DWORD strSize = (DWORD) filter.size() + 1, expectedSize;

Buffer expectedRegKeyBuf(65536), outputRegKeyBuf(65536);

DWORD initialSize = (DWORD) (expectedRegKeyBuf.Size() - strSize - 2);

if (RegQueryValueExA (regKey, filterReg.c_str(), NULL, NULL, pbExpectedRegKeyBuf, &initialSize) != ERROR_SUCCESS)

{

StringCchCopyA ((char *) pbExpectedRegKeyBuf, expectedRegKeyBuf.Size(), filter.c_str());

pbExpectedRegKeyBuf [strSize] = 0;

expectedSize = strSize + 1;

}

else

{

expectedSize = initialSize;

AppendToMultiString ((char *) pbExpectedRegKeyBuf, (DWORD) expectedRegKeyBuf.Size(), expectedSize, filter.c_str());

}

RegisterDriverInf (registerFilter, filter, filterReg, ParentWindow, regKey);

// check if operation successful

initialSize = (DWORD) outputRegKeyBuf.Size() - 2;

if (RegQueryValueExA (regKey, filterReg.c_str(), NULL, NULL, pbOutputRegKeyBuf, &initialSize) != ERROR_SUCCESS)

{

pbOutputRegKeyBuf [0] = 0;

pbOutputRegKeyBuf [1] = 0;

}

else

{

// append two \0 at the end if they are missing

if (pbOutputRegKeyBuf [initialSize - 1] != 0)

{

pbOutputRegKeyBuf [initialSize] = 0;

pbOutputRegKeyBuf [initialSize + 1] = 0;

}

else if (pbOutputRegKeyBuf [initialSize - 2] != 0)

{

pbOutputRegKeyBuf [initialSize] = 0;

}

}

if (!CompareMultiString ((char *) pbExpectedRegKeyBuf, (char *) pbOutputRegKeyBuf))

{

// Set value manually

SetLastError (RegSetValueExA (regKey, filterReg.c_str(), 0, REG_MULTI_SZ, pbExpectedRegKeyBuf, expectedSize));

throw_sys_if (GetLastError() != ERROR_SUCCESS);

}

}

}

else

{

RegisterDriverInf (registerFilter, filter, filterReg, ParentWindow, regKey);

// remove value in case it was not done properly

Buffer regKeyBuf(65536);

DWORD initialSize = (DWORD) regKeyBuf.Size() - 2;

if ( (RegQueryValueExA (regKey, filterReg.c_str(), NULL, NULL, pbRegKeyBuf, &initialSize) == ERROR_SUCCESS)

&& (initialSize >= ((DWORD) filter.size()))

)

{

// append two \0 at the end if they are missing

if (pbRegKeyBuf [initialSize - 1] != 0)

{

pbRegKeyBuf [initialSize] = 0;

pbRegKeyBuf [initialSize + 1] = 0;

initialSize += 2;

}

else if (pbRegKeyBuf [initialSize - 2] != 0)

{

pbRegKeyBuf [initialSize] = 0;

initialSize ++;

}

if (RemoveFromMultiString ((char*) pbRegKeyBuf, initialSize, filter.c_str()))

{

// Set value manually

SetLastError (RegSetValueExA (regKey, filterReg.c_str(), 0, REG_MULTI_SZ, pbRegKeyBuf, initialSize));

throw_sys_if (GetLastError() != ERROR_SUCCESS);

}

}

}

}

NULL,

NULL,

NULL,

NULL,

_T(TC_APP_NAME) L" System Favorites"));

}

else

{

RegisterSystemFavoritesService (TRUE, TRUE);

}

}

void BootEncryption::SetDriverConfigurationFlag (uint32 flag, bool state)

{

DWORD configMap = ReadDriverConfigurationFlags();

if (state)

configMap |= flag;

else

configMap &= ~flag;

#ifdef SETUP

WriteLocalMachineRegistryDword (L"SYSTEM\\CurrentControlSet\\Services\\veracrypt", TC_DRIVER_CONFIG_REG_VALUE_NAME, configMap);

#else

WriteLocalMachineRegistryDwordValue (L"SYSTEM\\CurrentControlSet\\Services\\veracrypt", TC_DRIVER_CONFIG_REG_VALUE_NAME, configMap);

#endif

}

void BootEncryption::SetServiceConfigurationFlag (uint32 flag, bool state)

{

if (state)

configMap |= flag;

else

configMap &= ~flag;

#ifdef SETUP

WriteLocalMachineRegistryDword (L"SYSTEM\\CurrentControlSet\\Services\\" TC_SYSTEM_FAVORITES_SERVICE_NAME, TC_SYSTEM_FAVORITES_SERVICE_NAME L"Config", configMap);

#else

WriteLocalMachineRegistryDwordValue (L"SYSTEM\\CurrentControlSet\\Services\\" TC_SYSTEM_FAVORITES_SERVICE_NAME, TC_SYSTEM_FAVORITES_SERVICE_NAME L"Config", configMap);

#endif

}

#ifndef SETUP

void BootEncryption::RegisterSystemFavoritesService (BOOL registerService)

{

if (!IsAdmin() && IsUacSupported())

{

Elevator::RegisterSystemFavoritesService (registerService);

return;

}

RegisterSystemFavoritesService (registerService, FALSE);

}

void BootEncryption::GetEfiBootDeviceNumber (PSTORAGE_DEVICE_NUMBER pSdn)

{

SystemDriveConfiguration config = GetSystemDriveConfiguration ();

if (config.SystemPartition.IsGPT && pSdn)

{

throw ErrorException (wstring (GetString ("USER_PROFILE_NOT_ON_SYS_PARTITION"))

+ GetString ("LEAKS_OUTSIDE_SYSPART_UNIVERSAL_EXPLANATION"), SRC_POS);

}

// Temporary files

if (towupper (GetTempPathString()[0]) != windowsDrive)

{

throw ErrorException (wstring (GetString ("TEMP_NOT_ON_SYS_PARTITION"))

+ GetString ("LEAKS_OUTSIDE_SYSPART_UNIVERSAL_EXPLANATION"), SRC_POS);

}

}

// This operation may take a long time when an antivirus is installed and its real-time protection enabled.

// Therefore, if calling it without the wizard displayed, it should be called with displayWaitDialog set to true.

void BootEncryption::Deinstall (bool displayWaitDialog)

{

BootEncryptionStatus encStatus = GetStatus();

if (encStatus.DriveEncrypted || encStatus.DriveMounted)

throw ParameterIncorrect (SRC_POS);

SystemDriveConfiguration config = GetSystemDriveConfiguration ();

if (!config.SystemPartition.IsGPT) {

if (encStatus.VolumeHeaderPresent)

{

// Verify CRC of header salt

Device device(config.DevicePath, true);

device.CheckOpened(SRC_POS);

device.SeekAt(TC_BOOT_VOLUME_HEADER_SECTOR_OFFSET);

device.Read(header, sizeof(header));

throw ParameterIncorrect(SRC_POS);

}

}

try

{

RegisterFilterDriver (false, DriveFilter);

RegisterFilterDriver (false, VolumeFilter);

RegisterFilterDriver (false, DumpFilter);

SetDriverServiceStartType (SERVICE_SYSTEM_START);

}

catch (...)

{

try

{

RegisterBootDriver (IsHiddenSystemRunning());

}

catch (...) { }

throw;

}

SetHiddenOSCreationPhase (TC_HIDDEN_OS_CREATION_PHASE_NONE); // In case RestoreSystemLoader() fails

try

{

RegisterSystemFavoritesService (FALSE);

}

catch (...) { }

char header[TC_BOOT_ENCRYPTION_VOLUME_HEADER_SIZE];

Device device (config.DevicePath);

device.CheckOpened (SRC_POS);

// Only one algorithm is currently supported

if (pkcs5 != 0)

throw ParameterIncorrect (SRC_POS);

int64 headerOffset = TC_BOOT_VOLUME_HEADER_SECTOR_OFFSET;

int64 backupHeaderOffset = -1;

if (encStatus.HiddenSystem)

{

headerOffset = encStatus.HiddenSystemPartitionStart + TC_HIDDEN_VOLUME_HEADER_OFFSET;

// Find hidden system partition

foreach (const Partition &partition, config.Partitions)

{

if (partition.Info.StartingOffset.QuadPart == encStatus.HiddenSystemPartitionStart)

{

backupHeaderOffset = partition.Info.StartingOffset.QuadPart + partition.Info.PartitionLength.QuadPart - TC_VOLUME_HEADER_SIZE;

break;

}

}

if (backupHeaderOffset == -1)

throw ParameterIncorrect (SRC_POS);

}

device.SeekAt (headerOffset);

PCRYPTO_INFO cryptoInfo = NULL;

int status = ReadVolumeHeader (!encStatus.HiddenSystem, header, oldPassword, old_pkcs5, old_pim, &cryptoInfo, NULL);

finally_do_arg (PCRYPTO_INFO, cryptoInfo, { if (finally_arg) crypto_close (finally_arg); });

if (status != 0)

{

handleError (hwndDlg, status, SRC_POS);

return status;

}

// Change the PKCS-5 PRF if requested by user

if (pkcs5 != 0)

{

cryptoInfo->pkcs5 = pkcs5;

RandSetHashFunction (pkcs5);

}

if (Randinit() != 0)

{

if (CryptoAPILastError == ERROR_SUCCESS)

throw RandInitFailed (SRC_POS, GetLastError ());

else

throw CryptoApiFailed (SRC_POS, CryptoAPILastError);

}

finally_do ({ RandStop (FALSE); });

/* force the display of the random enriching dialog */

SetRandomPoolEnrichedByUserStatus (FALSE);

NormalCursor();

UserEnrichRandomPool (hwndDlg);

WaitCursor();

/* The header will be re-encrypted wipePassCount times to prevent adversaries from using

PCRYPTO_INFO tmpCryptoInfo = NULL;

status = CreateVolumeHeaderInMemory (hwndDlg, !encStatus.HiddenSystem,

header,

cryptoInfo->ea,

cryptoInfo->mode,

newPassword,

cryptoInfo->pkcs5,

pim,

(char *) cryptoInfo->master_keydata,

&tmpCryptoInfo,

cryptoInfo->VolumeSize.Value,

cryptoInfo->hiddenVolumeSize,

cryptoInfo->EncryptedAreaStart.Value,

cryptoInfo->EncryptedAreaLength.Value,

cryptoInfo->RequiredProgramVersion,

cryptoInfo->HeaderFlags | TC_HEADER_FLAG_ENCRYPTED_SYSTEM,

cryptoInfo->SectorSize,

wipePass < wipePassCount - 1);

if (tmpCryptoInfo)

crypto_close (tmpCryptoInfo);

if (status != 0)

{

handleError (hwndDlg, status, SRC_POS);

return status;

}

device.SeekAt (headerOffset);

headerUpdated = true;

}

if (!encStatus.HiddenSystem || backupHeader)

break;

backupHeader = TRUE;

headerOffset = backupHeaderOffset;

}

}

catch (Exception &e)

{

e.Show (hwndDlg);

result = ERR_OS_ERROR;

}

if (headerUpdated)

{

bool storedPimUpdateNeeded = false;

ReopenBootVolumeHeaderRequest reopenRequest;

reopenRequest.VolumePassword = *newPassword;

reopenRequest.pkcs5_prf = cryptoInfo->pkcs5;

reopenRequest.pim = pim;

finally_do_arg (ReopenBootVolumeHeaderRequest*, &reopenRequest, { burn (finally_arg, sizeof (*finally_arg)); });

if (old_pim != pim)

{

try

{

// check if PIM is stored in MBR

if ( ReadBootSectorConfig (nullptr, 0, &userConfig)

&& (userConfig & TC_BOOT_USER_CFG_FLAG_DISABLE_PIM)

)

{

storedPimUpdateNeeded = true;

}

}

catch (...)

{

}

}

try

{

// force update of bootloader if fingerprint doesn't match or if the stored PIM changed

if (storedPimUpdateNeeded || !CheckBootloaderFingerprint (true))

InstallBootLoader (device, true, false, pim, cryptoInfo->pkcs5);

}

catch (...)

{}

CallDriver (TC_IOCTL_REOPEN_BOOT_VOLUME_HEADER, &reopenRequest, sizeof (reopenRequest));

}

return result;

}

void BootEncryption::CheckEncryptionSetupResult ()

{

void BootEncryption::DeleteFileAdmin (const wstring &file)

{

if (!IsAdmin() && IsUacSupported())

Elevator::DeleteFile (file);

else

throw_sys_if (!::DeleteFile (file.c_str()));

}

#endif // !SETUP

uint32 BootEncryption::ReadDriverConfigurationFlags ()

{

DWORD configMap;

if (!ReadLocalMachineRegistryDword (L"SYSTEM\\CurrentControlSet\\Services\\veracrypt", TC_DRIVER_CONFIG_REG_VALUE_NAME, &configMap))

configMap = 0;

return configMap;

}

uint32 BootEncryption::ReadServiceConfigurationFlags ()

{

DWORD configMap;

if (!ReadLocalMachineRegistryDword (L"SYSTEM\\CurrentControlSet\\Services\\" TC_SYSTEM_FAVORITES_SERVICE_NAME, TC_SYSTEM_FAVORITES_SERVICE_NAME L"Config", &configMap))

configMap = 0;

return configMap;

}

{

WriteBootDriveSectorRequest request;

request.Offset.QuadPart = offset;

memcpy (request.Data, data, sizeof (request.Data));

CallDriver (TC_IOCTL_WRITE_BOOT_DRIVE_SECTOR, &request, sizeof (request), NULL, 0);

}

void BootEncryption::RegisterBootDriver (bool hiddenSystem)

{

SetDriverServiceStartType (SERVICE_BOOT_START);

try

{

RegisterFilterDriver (false, DriveFilter);

RegisterFilterDriver (false, VolumeFilter);

RegisterFilterDriver (false, DumpFilter);

}

catch (...) { }

try

{

RegisterFilterDriver (true, DriveFilter);

if (hiddenSystem)

RegisterFilterDriver (true, VolumeFilter);

RegisterFilterDriver (true, DumpFilter);

}

catch (...)