VeraCrypt
aboutsummaryrefslogtreecommitdiff
path: root/src/Driver
diff options
context:
space:
mode:
Diffstat (limited to 'src/Driver')
-rw-r--r--src/Driver/DriveFilter.c5
-rw-r--r--src/Driver/Ntdriver.c111
-rw-r--r--src/Driver/Ntdriver.h2
-rw-r--r--src/Driver/Ntvol.c3
4 files changed, 90 insertions, 31 deletions
diff --git a/src/Driver/DriveFilter.c b/src/Driver/DriveFilter.c
index eba7c40c..a8752a5f 100644
--- a/src/Driver/DriveFilter.c
+++ b/src/Driver/DriveFilter.c
@@ -241,6 +241,7 @@ static void ComputeBootLoaderFingerprint(PDEVICE_OBJECT LowerDeviceObject, byte*
// compute Whirlpool+SHA512 fingerprint of bootloader including MBR
// we skip user configuration fields:
+ // TC_BOOT_SECTOR_PIM_VALUE_OFFSET = 400
// TC_BOOT_SECTOR_OUTER_VOLUME_BAK_HEADER_CRC_OFFSET = 402
// => TC_BOOT_SECTOR_OUTER_VOLUME_BAK_HEADER_CRC_SIZE = 4
// TC_BOOT_SECTOR_USER_MESSAGE_OFFSET = 406
@@ -257,11 +258,11 @@ static void ComputeBootLoaderFingerprint(PDEVICE_OBJECT LowerDeviceObject, byte*
status = TCReadDevice (LowerDeviceObject, ioBuffer, offset, TC_SECTOR_SIZE_BIOS);
if (NT_SUCCESS (status))
{
- WHIRLPOOL_add (ioBuffer, TC_BOOT_SECTOR_OUTER_VOLUME_BAK_HEADER_CRC_OFFSET * 8, &whirlpool);
+ WHIRLPOOL_add (ioBuffer, TC_BOOT_SECTOR_PIM_VALUE_OFFSET * 8, &whirlpool);
WHIRLPOOL_add (ioBuffer + TC_BOOT_SECTOR_USER_MESSAGE_OFFSET + TC_BOOT_SECTOR_USER_MESSAGE_MAX_LENGTH, (TC_BOOT_SECTOR_USER_CONFIG_OFFSET - (TC_BOOT_SECTOR_USER_MESSAGE_OFFSET + TC_BOOT_SECTOR_USER_MESSAGE_MAX_LENGTH)) * 8, &whirlpool);
WHIRLPOOL_add (ioBuffer + TC_BOOT_SECTOR_USER_CONFIG_OFFSET + 1, (TC_MAX_MBR_BOOT_CODE_SIZE - (TC_BOOT_SECTOR_USER_CONFIG_OFFSET + 1)) * 8, &whirlpool);
- sha512_hash (ioBuffer, TC_BOOT_SECTOR_OUTER_VOLUME_BAK_HEADER_CRC_OFFSET, &sha2);
+ sha512_hash (ioBuffer, TC_BOOT_SECTOR_PIM_VALUE_OFFSET, &sha2);
sha512_hash (ioBuffer + TC_BOOT_SECTOR_USER_MESSAGE_OFFSET + TC_BOOT_SECTOR_USER_MESSAGE_MAX_LENGTH, (TC_BOOT_SECTOR_USER_CONFIG_OFFSET - (TC_BOOT_SECTOR_USER_MESSAGE_OFFSET + TC_BOOT_SECTOR_USER_MESSAGE_MAX_LENGTH)), &sha2);
sha512_hash (ioBuffer + TC_BOOT_SECTOR_USER_CONFIG_OFFSET + 1, (TC_MAX_MBR_BOOT_CODE_SIZE - (TC_BOOT_SECTOR_USER_CONFIG_OFFSET + 1)), &sha2);
diff --git a/src/Driver/Ntdriver.c b/src/Driver/Ntdriver.c
index 5153c67b..eeea7815 100644
--- a/src/Driver/Ntdriver.c
+++ b/src/Driver/Ntdriver.c
@@ -975,7 +975,7 @@ NTSTATUS ProcessMainDeviceControlIrp (PDEVICE_OBJECT DeviceObject, PEXTENSION Ex
InitializeObjectAttributes (&ObjectAttributes, &FullFileName, OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE, NULL, NULL);
- if (opentest->bDetectTCBootLoader || opentest->DetectFilesystem)
+ if (opentest->bDetectTCBootLoader || opentest->DetectFilesystem || opentest->bMatchVolumeID)
access |= FILE_READ_DATA;
ntStatus = ZwCreateFile (&NtFileHandle,
@@ -986,8 +986,9 @@ NTSTATUS ProcessMainDeviceControlIrp (PDEVICE_OBJECT DeviceObject, PEXTENSION Ex
{
opentest->TCBootLoaderDetected = FALSE;
opentest->FilesystemDetected = FALSE;
+ opentest->VolumeIDMatched = FALSE;
- if (opentest->bDetectTCBootLoader || opentest->DetectFilesystem)
+ if (opentest->bDetectTCBootLoader || opentest->DetectFilesystem || opentest->bMatchVolumeID)
{
byte *readBuffer = TCalloc (TC_MAX_VOLUME_SECTOR_SIZE);
if (!readBuffer)
@@ -996,49 +997,99 @@ NTSTATUS ProcessMainDeviceControlIrp (PDEVICE_OBJECT DeviceObject, PEXTENSION Ex
}
else
{
- // Determine if the first sector contains a portion of the VeraCrypt Boot Loader
-
- offset.QuadPart = 0;
+ if (opentest->bDetectTCBootLoader || opentest->DetectFilesystem)
+ {
+ // Determine if the first sector contains a portion of the VeraCrypt Boot Loader
- ntStatus = ZwReadFile (NtFileHandle,
- NULL,
- NULL,
- NULL,
- &IoStatus,
- readBuffer,
- TC_MAX_VOLUME_SECTOR_SIZE,
- &offset,
- NULL);
+ offset.QuadPart = 0;
- if (NT_SUCCESS (ntStatus))
- {
- size_t i;
+ ntStatus = ZwReadFile (NtFileHandle,
+ NULL,
+ NULL,
+ NULL,
+ &IoStatus,
+ readBuffer,
+ TC_MAX_VOLUME_SECTOR_SIZE,
+ &offset,
+ NULL);
- if (opentest->bDetectTCBootLoader && IoStatus.Information >= TC_SECTOR_SIZE_BIOS)
+ if (NT_SUCCESS (ntStatus))
{
- // Search for the string "VeraCrypt"
- for (i = 0; i < TC_SECTOR_SIZE_BIOS - strlen (TC_APP_NAME); ++i)
+ size_t i;
+
+ if (opentest->bDetectTCBootLoader && IoStatus.Information >= TC_SECTOR_SIZE_BIOS)
{
- if (memcmp (readBuffer + i, TC_APP_NAME, strlen (TC_APP_NAME)) == 0)
+ // Search for the string "VeraCrypt"
+ for (i = 0; i < TC_SECTOR_SIZE_BIOS - strlen (TC_APP_NAME); ++i)
{
- opentest->TCBootLoaderDetected = TRUE;
+ if (memcmp (readBuffer + i, TC_APP_NAME, strlen (TC_APP_NAME)) == 0)
+ {
+ opentest->TCBootLoaderDetected = TRUE;
+ break;
+ }
+ }
+ }
+
+ if (opentest->DetectFilesystem && IoStatus.Information >= sizeof (int64))
+ {
+ switch (BE64 (*(uint64 *) readBuffer))
+ {
+ case 0xEB52904E54465320: // NTFS
+ case 0xEB3C904D53444F53: // FAT16
+ case 0xEB58904D53444F53: // FAT32
+ case 0xEB76904558464154: // exFAT
+
+ opentest->FilesystemDetected = TRUE;
break;
}
}
}
+ }
- if (opentest->DetectFilesystem && IoStatus.Information >= sizeof (int64))
+ if (opentest->bMatchVolumeID)
+ {
+ int volumeType;
+ BYTE volumeID[VOLUME_ID_SIZE];
+
+ // Go through all volume types (e.g., normal, hidden)
+ for (volumeType = TC_VOLUME_TYPE_NORMAL;
+ volumeType < TC_VOLUME_TYPE_COUNT;
+ volumeType++)
{
- switch (BE64 (*(uint64 *) readBuffer))
+ /* Read the volume header */
+ switch (volumeType)
{
- case 0xEB52904E54465320: // NTFS
- case 0xEB3C904D53444F53: // FAT16
- case 0xEB58904D53444F53: // FAT32
- case 0xEB76904558464154: // exFAT
+ case TC_VOLUME_TYPE_NORMAL:
+ offset.QuadPart = TC_VOLUME_HEADER_OFFSET;
+ break;
- opentest->FilesystemDetected = TRUE;
+ case TC_VOLUME_TYPE_HIDDEN:
+
+ offset.QuadPart = TC_HIDDEN_VOLUME_HEADER_OFFSET;
break;
}
+
+ ntStatus = ZwReadFile (NtFileHandle,
+ NULL,
+ NULL,
+ NULL,
+ &IoStatus,
+ readBuffer,
+ TC_MAX_VOLUME_SECTOR_SIZE,
+ &offset,
+ NULL);
+
+ if (NT_SUCCESS (ntStatus))
+ {
+ /* compute the ID of this volume: SHA-256 of the effective header */
+ sha256 (volumeID, readBuffer, TC_VOLUME_HEADER_EFFECTIVE_SIZE);
+
+ if (0 == memcmp (volumeID, opentest->volumeID, VOLUME_ID_SIZE))
+ {
+ opentest->VolumeIDMatched = TRUE;
+ break;
+ }
+ }
}
}
@@ -1214,6 +1265,7 @@ NTSTATUS ProcessMainDeviceControlIrp (PDEVICE_OBJECT DeviceObject, PEXTENSION Ex
list->ulMountedDrives |= (1 << ListExtension->nDosDriveNo);
RtlStringCbCopyW (list->wszVolume[ListExtension->nDosDriveNo], sizeof(list->wszVolume[ListExtension->nDosDriveNo]),ListExtension->wszVolume);
RtlStringCbCopyW (list->wszLabel[ListExtension->nDosDriveNo], sizeof(list->wszLabel[ListExtension->nDosDriveNo]),ListExtension->wszLabel);
+ memcpy (list->volumeID[ListExtension->nDosDriveNo], ListExtension->volumeID, VOLUME_ID_SIZE);
list->diskLength[ListExtension->nDosDriveNo] = ListExtension->DiskLength;
list->ea[ListExtension->nDosDriveNo] = ListExtension->cryptoInfo->ea;
if (ListExtension->cryptoInfo->hiddenVolume)
@@ -1265,6 +1317,7 @@ NTSTATUS ProcessMainDeviceControlIrp (PDEVICE_OBJECT DeviceObject, PEXTENSION Ex
prop->uniqueId = ListExtension->UniqueVolumeId;
RtlStringCbCopyW (prop->wszVolume, sizeof(prop->wszVolume),ListExtension->wszVolume);
RtlStringCbCopyW (prop->wszLabel, sizeof(prop->wszLabel),ListExtension->wszLabel);
+ memcpy (prop->volumeID, ListExtension->volumeID, VOLUME_ID_SIZE);
prop->bDriverSetLabel = ListExtension->bDriverSetLabel;
prop->diskLength = ListExtension->DiskLength;
prop->ea = ListExtension->cryptoInfo->ea;
diff --git a/src/Driver/Ntdriver.h b/src/Driver/Ntdriver.h
index 21051e44..59634760 100644
--- a/src/Driver/Ntdriver.h
+++ b/src/Driver/Ntdriver.h
@@ -81,6 +81,8 @@ typedef struct EXTENSION
BOOL bIsNTFS;
BOOL bDriverSetLabel;
+ unsigned char volumeID[VOLUME_ID_SIZE];
+
LARGE_INTEGER fileCreationTime;
LARGE_INTEGER fileLastAccessTime;
LARGE_INTEGER fileLastWriteTime;
diff --git a/src/Driver/Ntvol.c b/src/Driver/Ntvol.c
index 46dd46fd..4f35323b 100644
--- a/src/Driver/Ntvol.c
+++ b/src/Driver/Ntvol.c
@@ -517,6 +517,9 @@ NTSTATUS TCOpenVolume (PDEVICE_OBJECT DeviceObject,
Extension->cryptoInfo->bPartitionInInactiveSysEncScope = mount->bPartitionInInactiveSysEncScope;
+ /* compute the ID of this volume: SHA-512 of the effective header */
+ sha256 (Extension->volumeID, readBuffer, TC_VOLUME_HEADER_EFFECTIVE_SIZE);
+
if (volumeType == TC_VOLUME_TYPE_NORMAL)
{
if (mount->bPartitionInInactiveSysEncScope)