diff --git a/doc/html/en/Command Line Usage.html b/doc/html/en/Command Line Usage.html index 5b380ab5..117921c5 100644 --- a/doc/html/en/Command Line Usage.html +++ b/doc/html/en/Command Line Usage.html @@ -185,7 +185,17 @@ Note that turning the password cache off will not clear it (use /w to clear the /protectMemory  -Activates a mechanism that protects VeraCrypt process memory from being accessed by other non-admin processes. +If it is followed by y or yes or if no parameter is specified: Activates a mechanism that protects VeraCrypt process memory from being accessed by other non-admin processes. +
+If it is followed by n or no (ONLY allowed for portable mode): disables the memory protection mechanism (e.g., /protectMemory n).
+ + + +/protectScreen  +If it is followed by y or yes or if no parameter is specified: Activates a mechanism that protects VeraCrypt against screenshots and screen recordings. +
+If it is followed by n or no (ONLY allowed for portable mode): disables the screen protection mechanism (e.g., /protectScreen n).
+ /signalExit  diff --git a/src/Common/Dlgcode.c b/src/Common/Dlgcode.c index 70f3c119..25b4da26 100644 --- a/src/Common/Dlgcode.c +++ b/src/Common/Dlgcode.c @@ -220,6 +220,7 @@ BOOL EMVSupportEnabled = FALSE; volatile BOOL NeedPeriodicDeviceListUpdate = FALSE; BOOL DisablePeriodicDeviceListUpdate = FALSE; BOOL EnableMemoryProtection = FALSE; +BOOL EnableScreenProtection = FALSE; BOOL MemoryProtectionActivated = FALSE; @@ -3697,11 +3698,9 @@ extern "C" { ActivateProcessMitigations(); #ifndef SETUP - // call ActivateMemoryProtection if corresponding setting has been enabled (default is enabled) - if (ReadMemoryProtectionConfig()) - { - ActivateMemoryProtection(); - } + // initiaize memory protection and screen protection settings using the registry + EnableMemoryProtection = ReadMemoryProtectionConfig(); + EnableScreenProtection = ReadScreenProtectionConfig(); #endif return wWinMainCRTStartup(); } @@ -16201,8 +16200,6 @@ cleanup: #include #include -static std::once_flag g_configOnce; // ensures one-time read -static std::atomic_bool g_screenProtectionEnabled; // readonly after init static thread_local HHOOK g_cbtHook = nullptr; // one per thread static thread_local int g_protectionRefCount = 0; @@ -16210,17 +16207,10 @@ std::map g_MenuWndProcs; std::map g_Initialized; std::mutex g_MenuMutex; -static void InitScreenProtectionFlag() -{ - // Runs exactly once thanks to std::call_once - BOOL enabled = ReadScreenProtectionConfig(); - g_screenProtectionEnabled.store(enabled, std::memory_order_release); -} - static bool IsScreenProtectionEnabled() { - std::call_once(g_configOnce, InitScreenProtectionFlag); - return g_screenProtectionEnabled.load(std::memory_order_acquire); + // EnableScreenProtection is populated at startup based on registry settings and command line options + return EnableScreenProtection? true: false; } diff --git a/src/Common/Dlgcode.h b/src/Common/Dlgcode.h index e7d78ce2..aee290f7 100644 --- a/src/Common/Dlgcode.h +++ b/src/Common/Dlgcode.h 
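Review bot: ActivateMemoryProtection() is no longer invoked from this pre-main startup wrapper; the hunk now only copies the registry values into EnableMemoryProtection and EnableScreenProtection and leaves activation to the argv pre-scan added in each wWinMain, so everything that runs between this point and wWinMain (CRT initialisation, static constructors, DllMain of loaded modules) executes with process memory unprotected, where before the protection was applied ahead of wWinMainCRTStartup(). If that window is the accepted price for letting `/protectMemory n` override the registry, record it next to the assignments, e.g. `// Activation is deferred to wWinMain so the command line can override the registry; memory is unprotected until then.`; the existing comment also misspells "initiaize". The enclosing function starts outside the hunk.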
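Review bot: IsScreenProtectionEnabled() now returns the plain BOOL global EnableScreenProtection in place of the std::atomic_bool it replaces, dropping the acquire/release pairing; the neighbouring g_cbtHook is thread_local, which suggests this is reached from hook callbacks on more than one thread, and an unsynchronised read of a global the main thread writes is a data race unless every write happens-before those threads start. If the writes really are confined to startup (the registry read in the CRT wrapper, then the command-line parsing) before any other thread exists, state that on the definition: `// Written only during single-threaded startup; read-only afterwards.`; otherwise keep an atomic. As a style point, `return EnableScreenProtection? true: false;` reads more clearly as `return EnableScreenProtection != FALSE;`.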
@@ -174,6 +174,7 @@ extern BOOL EMVSupportEnabled; extern volatile BOOL NeedPeriodicDeviceListUpdate; extern BOOL DisablePeriodicDeviceListUpdate; extern BOOL EnableMemoryProtection; +extern BOOL EnableScreenProtection; #ifndef SETUP extern BOOL bLanguageSetInSetup; diff --git a/src/ExpandVolume/WinMain.cpp b/src/ExpandVolume/WinMain.cpp index 10328d11..0eb35c87 100644 --- a/src/ExpandVolume/WinMain.cpp +++ b/src/ExpandVolume/WinMain.cpp @@ -885,16 +885,19 @@ void ExtractCommandLine (HWND hwndDlg, wchar_t *lpszCommandLine) enum { OptionEnableMemoryProtection, + OptionEnableScreenProtection, }; argument args[]= { { OptionEnableMemoryProtection, L"/protectMemory", NULL, FALSE }, + { OptionEnableScreenProtection, L"/protectScreen", NULL, FALSE }, }; argumentspec as; int x; + wchar_t szTmp[32] = {0}; if (lpszCommandLineArgs[i] == NULL) continue; @@ -908,7 +911,33 @@ void ExtractCommandLine (HWND hwndDlg, wchar_t *lpszCommandLine) { case OptionEnableMemoryProtection: - EnableMemoryProtection = TRUE; + if (HAS_ARGUMENT == GetArgumentValue (lpszCommandLineArgs, + &i, nNoCommandLineArgs, szTmp, ARRAYSIZE (szTmp))) + { + if ((!_wcsicmp (szTmp, L"no") || !_wcsicmp (szTmp, L"n")) && IsNonInstallMode()) + EnableMemoryProtection = FALSE; + else if (!_wcsicmp (szTmp, L"yes") || !_wcsicmp (szTmp, L"y")) + EnableMemoryProtection = TRUE; + else + AbortProcess ("COMMAND_LINE_ERROR"); + } + else + EnableMemoryProtection = TRUE; + break; + + case OptionEnableScreenProtection: + if (HAS_ARGUMENT == GetArgumentValue (lpszCommandLineArgs, + &i, nNoCommandLineArgs, szTmp, ARRAYSIZE (szTmp))) + { + if ((!_wcsicmp (szTmp, L"no") || !_wcsicmp (szTmp, L"n")) && IsNonInstallMode()) + EnableScreenProtection = FALSE; + else if (!_wcsicmp (szTmp, L"yes") || !_wcsicmp (szTmp, L"y")) + EnableScreenProtection = TRUE; + else + AbortProcess ("COMMAND_LINE_ERROR"); + } + else + EnableScreenProtection = TRUE; break; default: 
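Review bot: The two new cases in ExtractCommandLine are the same twelve lines with only the target flag changed, and the identical block is repeated again in the ExtractCommandLine of Tcformat.c and Mount.c, so six copies of the y/yes/n/no rule now have to be kept in step (they already differ in buffer size: szTmp[32] here, szTmp[16] in the other two files). Factoring the parse into one helper in the shared code reduces each case to `EnableMemoryProtection = ParseProtectionSwitchValue (lpszCommandLineArgs, &i, nNoCommandLineArgs);` while keeping the current semantics: a bare switch enables, y/yes enables, n/no disables only when IsNonInstallMode() holds, anything else aborts with COMMAND_LINE_ERROR. The helper's parameter types below follow the GetArgumentValue call as written here and should be aligned with its actual declaration, which is not visible in this diff. The switch statement continues outside the hunk.
```cpp
// Parses the optional y/yes/n/no value of /protectMemory and /protectScreen.
// A bare switch or y/yes enables; n/no disables only in portable mode; any other
// value aborts with COMMAND_LINE_ERROR. Intended to be shared by all front-ends.
static BOOL ParseProtectionSwitchValue (wchar_t **args, int *pIndex, int nArgs)
{
	wchar_t szTmp[16] = { 0 };

	if (HAS_ARGUMENT != GetArgumentValue (args, pIndex, nArgs, szTmp, ARRAYSIZE (szTmp)))
		return TRUE;

	if ((!_wcsicmp (szTmp, L"no") || !_wcsicmp (szTmp, L"n")) && IsNonInstallMode())
		return FALSE;

	if (!_wcsicmp (szTmp, L"yes") || !_wcsicmp (szTmp, L"y"))
		return TRUE;

	AbortProcess ("COMMAND_LINE_ERROR");
	return TRUE; /* not reached */
}

/* … unchanged: other cases of the option switch … */
case OptionEnableMemoryProtection:
	EnableMemoryProtection = ParseProtectionSwitchValue (lpszCommandLineArgs, &i, nNoCommandLineArgs);
	break;

case OptionEnableScreenProtection:
	EnableScreenProtection = ParseProtectionSwitchValue (lpszCommandLineArgs, &i, nNoCommandLineArgs);
	break;
```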
@@ -966,12 +995,6 @@ BOOL CALLBACK MainDialogProc (HWND hwndDlg, UINT uMsg, WPARAM wParam, LPARAM lPa RestoreDefaultKeyFilesParam (); } - if (EnableMemoryProtection) - { - /* Protect this process memory from being accessed by non-admin users */ - ActivateMemoryProtection (); - } - InitMainDialog (hwndDlg); // Quit @@ -1087,6 +1110,47 @@ BOOL CALLBACK MainDialogProc (HWND hwndDlg, UINT uMsg, WPARAM wParam, LPARAM lPa int WINAPI wWinMain (HINSTANCE hInstance, HINSTANCE hPrevInstance, wchar_t *lpszCommandLine, int nCmdShow) { int status; + int argc; + LPWSTR *argv = CommandLineToArgvW (GetCommandLineW(), &argc); + + for (int i = 0; argv && i < argc; i++) + { + if (_wcsicmp (argv[i], L"/protectScreen") == 0) + { + if ((i < argc - 1) && _wcsicmp (argv[i + 1], L"no") == 0) + { + // Disabling screen protection is only allowed in portable mode + if (IsNonInstallMode()) + EnableScreenProtection = FALSE; + } + else + { + EnableScreenProtection = TRUE; + } + } + if (_wcsicmp (argv[i], L"/protectMemory") == 0) + { + if ((i < argc - 1) && _wcsicmp (argv[i + 1], L"no") == 0) + { + // Disabling memory protection is only allowed in portable mode + if (IsNonInstallMode()) + EnableMemoryProtection = FALSE; + } + else + { + EnableMemoryProtection = TRUE; + } + } + } + + LocalFree (argv); // free memory allocated by CommandLineToArgvW + + if (EnableMemoryProtection) + { + /* Protect this process memory from being accessed by non-admin users */ + ActivateMemoryProtection (); + } + ScreenCaptureBlocker blocker; atexit (VeraCryptExpander::localcleanup); SetProcessShutdownParameters (0x100, 0); diff --git a/src/Format/Tcformat.c b/src/Format/Tcformat.c index 168d88e0..7dabda00 100644 --- a/src/Format/Tcformat.c +++ b/src/Format/Tcformat.c 
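Review bot: The argv pre-scan in wWinMain recognises only `no` as a disable value, so `/protectScreen n` and `/protectMemory n` (both advertised in the documentation hunk and accepted by ExtractCommandLine) fall into the else branch and enable the protection; for memory protection ActivateMemoryProtection() has then already run by the time ExtractCommandLine presumably sets EnableMemoryProtection back to FALSE, leaving the flag out of step with the process state. Compare both spellings in each branch: `if ((i < argc - 1) && (_wcsicmp (argv[i + 1], L"no") == 0 || _wcsicmp (argv[i + 1], L"n") == 0))`. The same pre-scan is duplicated verbatim in the wWinMain of Tcformat.c and Mount.c and has the same gap there; one shared helper would keep the three copies and ExtractCommandLine's rule from drifting. wWinMain's body continues outside the hunk.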
@@ -6265,12 +6265,6 @@ BOOL CALLBACK MainDialogProc (HWND hwndDlg, UINT uMsg, WPARAM wParam, LPARAM lPa ExtractCommandLine (hwndDlg, (wchar_t *) lParam); - if (EnableMemoryProtection) - { - /* Protect this process memory from being accessed by non-admin users */ - ActivateMemoryProtection (); - } - if (ComServerMode) { InitDialog (hwndDlg); @@ -9175,6 +9169,7 @@ void ExtractCommandLine (HWND hwndDlg, wchar_t *lpszCommandLine) OptionQuickFormat, OptionFastCreateFile, OptionEnableMemoryProtection, + OptionEnableScreenProtection, OptionKeyfile, OptionSecureDesktop, }; @@ -9201,6 +9196,7 @@ void ExtractCommandLine (HWND hwndDlg, wchar_t *lpszCommandLine) { OptionQuickFormat, L"/quick", NULL, FALSE }, { OptionFastCreateFile, L"/fastcreatefile", NULL, FALSE }, { OptionEnableMemoryProtection, L"/protectMemory", NULL, FALSE }, + { OptionEnableScreenProtection, L"/protectScreen", NULL, FALSE }, { OptionKeyfile, L"/keyfile", L"/k", FALSE }, { OptionSecureDesktop, L"/secureDesktop", NULL, FALSE }, 
@@ -9564,9 +9560,39 @@ void ExtractCommandLine (HWND hwndDlg, wchar_t *lpszCommandLine) break; case OptionEnableMemoryProtection: - EnableMemoryProtection = TRUE; + { + wchar_t szTmp[16] = { 0 }; + if (HAS_ARGUMENT == GetArgumentValue(lpszCommandLineArgs, + &i, nNoCommandLineArgs, szTmp, ARRAYSIZE(szTmp))) + { + if ((!_wcsicmp(szTmp, L"no") || !_wcsicmp(szTmp, L"n")) && IsNonInstallMode()) + EnableMemoryProtection = FALSE; + else if (!_wcsicmp(szTmp, L"yes") || !_wcsicmp(szTmp, L"y")) + EnableMemoryProtection = TRUE; + else + AbortProcess("COMMAND_LINE_ERROR"); + } + else + EnableMemoryProtection = TRUE; break; - + } + case OptionEnableScreenProtection: + { + wchar_t szTmp[16] = { 0 }; + if (HAS_ARGUMENT == GetArgumentValue(lpszCommandLineArgs, + &i, nNoCommandLineArgs, szTmp, ARRAYSIZE(szTmp))) + { + if ((!_wcsicmp(szTmp, L"no") || !_wcsicmp(szTmp, L"n")) && IsNonInstallMode()) + EnableScreenProtection = FALSE; + else if (!_wcsicmp(szTmp, L"yes") || !_wcsicmp(szTmp, L"y")) + EnableScreenProtection = TRUE; + else + AbortProcess("COMMAND_LINE_ERROR"); + } + else + EnableScreenProtection = TRUE; + break; + } case OptionHistory: { wchar_t szTmp[8] = {0}; 
@@ -10593,6 +10619,47 @@ static void AfterWMInitTasks (HWND hwndDlg) int WINAPI wWinMain (HINSTANCE hInstance, HINSTANCE hPrevInstance, wchar_t *lpszCommandLine, int nCmdShow) { int status; + int argc; + LPWSTR *argv = CommandLineToArgvW (GetCommandLineW(), &argc); + + for (int i = 0; argv && i < argc; i++) + { + if (_wcsicmp (argv[i], L"/protectScreen") == 0) + { + if ((i < argc - 1) && _wcsicmp (argv[i + 1], L"no") == 0) + { + // Disabling screen protection is only allowed in portable mode + if (IsNonInstallMode()) + EnableScreenProtection = FALSE; + } + else + { + EnableScreenProtection = TRUE; + } + } + if (_wcsicmp (argv[i], L"/protectMemory") == 0) + { + if ((i < argc - 1) && _wcsicmp (argv[i + 1], L"no") == 0) + { + // Disabling memory protection is only allowed in portable mode + if (IsNonInstallMode()) + EnableMemoryProtection = FALSE; + } + else + { + EnableMemoryProtection = TRUE; + } + } + } + + LocalFree (argv); // free memory allocated by CommandLineToArgvW + + if (EnableMemoryProtection) + { + /* Protect this process memory from being accessed by non-admin users */ + ActivateMemoryProtection (); + } + ScreenCaptureBlocker blocker; atexit (localcleanup); diff --git a/src/Mount/Mount.c b/src/Mount/Mount.c index 1a47dee2..f62b7e87 100644 --- a/src/Mount/Mount.c +++ b/src/Mount/Mount.c @@ -7177,12 +7177,6 @@ BOOL CALLBACK MainDialogProc (HWND hwndDlg, UINT uMsg, WPARAM wParam, LPARAM lPa AbortProcess ("COMMAND_LINE_ERROR"); } - if (EnableMemoryProtection) - { - /* Protect this process memory from being accessed by non-admin users */ - ActivateMemoryProtection (); - } - if (ComServerMode) { InitDialog (hwndDlg); @@ -9238,6 +9232,7 @@ void ExtractCommandLine (HWND hwndDlg, wchar_t *lpszCommandLine) OptionSecureDesktop, OptionDisableDeviceUpdate, OptionEnableMemoryProtection, + OptionEnableScreenProtection, OptionSignalExit, CommandUnmount, }; 
@@ -9269,6 +9264,7 @@ void ExtractCommandLine (HWND hwndDlg, wchar_t *lpszCommandLine) { OptionSecureDesktop, L"/secureDesktop", NULL, FALSE }, { OptionDisableDeviceUpdate, L"/disableDeviceUpdate", NULL, FALSE }, { OptionEnableMemoryProtection, L"/protectMemory", NULL, FALSE }, + { OptionEnableScreenProtection, L"/protectScreen", NULL, FALSE }, { OptionSignalExit, L"/signalExit", NULL, FALSE }, { CommandUnmount, L"/unmount", L"/u", FALSE }, }; @@ -9368,10 +9364,39 @@ void ExtractCommandLine (HWND hwndDlg, wchar_t *lpszCommandLine) break; case OptionEnableMemoryProtection: + { + wchar_t szTmp[16] = { 0 }; + if (HAS_ARGUMENT == GetArgumentValue(lpszCommandLineArgs, + &i, nNoCommandLineArgs, szTmp, ARRAYSIZE(szTmp))) { - EnableMemoryProtection = TRUE; + if ((!_wcsicmp(szTmp, L"no") || !_wcsicmp(szTmp, L"n")) && IsNonInstallMode()) + EnableMemoryProtection = FALSE; + else if (!_wcsicmp(szTmp, L"yes") || !_wcsicmp(szTmp, L"y")) + EnableMemoryProtection = TRUE; + else + AbortProcess("COMMAND_LINE_ERROR"); } + else + EnableMemoryProtection = TRUE; break; + } + case OptionEnableScreenProtection: + { + wchar_t szTmp[16] = { 0 }; + if (HAS_ARGUMENT == GetArgumentValue(lpszCommandLineArgs, + &i, nNoCommandLineArgs, szTmp, ARRAYSIZE(szTmp))) + { + if ((!_wcsicmp(szTmp, L"no") || !_wcsicmp(szTmp, L"n")) && IsNonInstallMode()) + EnableScreenProtection = FALSE; + else if (!_wcsicmp(szTmp, L"yes") || !_wcsicmp(szTmp, L"y")) + EnableScreenProtection = TRUE; + else + AbortProcess("COMMAND_LINE_ERROR"); + } + else + EnableScreenProtection = TRUE; + break; + } case OptionSignalExit: if (HAS_ARGUMENT == GetArgumentValue (lpszCommandLineArgs, &i, 
@@ -10172,14 +10197,18 @@ static BOOL StartSystemFavoritesService () int WINAPI wWinMain (HINSTANCE hInstance, HINSTANCE hPrevInstance, wchar_t *lpszCommandLine, int nCmdShow) { int argc; - ScreenCaptureBlocker blocker; LPWSTR *argv = CommandLineToArgvW (GetCommandLineW(), &argc); + // We don't need screen protection in the service or in the post OS upgrade process if (argv && argc == 2 && wstring (TC_SYSTEM_FAVORITES_SERVICE_CMDLINE_OPTION) == argv[1]) + { + LocalFree (argv); // free memory allocated by CommandLineToArgvW return StartSystemFavoritesService() ? 0 : 1; + } if (argv && argc == 2 && wstring (VC_WINDOWS_UPGRADE_POSTOOBE_CMDLINE_OPTION) == argv[1]) { + LocalFree (argv); // free memory allocated by CommandLineToArgvW InitOSVersionInfo(); try { @@ -10194,6 +10223,47 @@ int WINAPI wWinMain (HINSTANCE hInstance, HINSTANCE hPrevInstance, wchar_t *lpsz return 0; } + for (int i = 0; argv && i < argc; i++) + { + if (_wcsicmp (argv[i], L"/protectScreen") == 0) + { + if ((i < argc - 1) && _wcsicmp (argv[i + 1], L"no") == 0) + { + // Disabling screen protection is only allowed in portable mode + if (IsNonInstallMode()) + EnableScreenProtection = FALSE; + } + else + { + EnableScreenProtection = TRUE; + } + } + if (_wcsicmp (argv[i], L"/protectMemory") == 0) + { + if ((i < argc - 1) && _wcsicmp (argv[i + 1], L"no") == 0) + { + // Disabling memory protection is only allowed in portable mode + if (IsNonInstallMode()) + EnableMemoryProtection = FALSE; + } + else + { + EnableMemoryProtection = TRUE; + } + } + } + + LocalFree (argv); // free memory allocated by CommandLineToArgvW + + if (EnableMemoryProtection) + { + /* Protect this process memory from being accessed by non-admin users */ + ActivateMemoryProtection (); + } + + // activate screen protection if it is not disabled + ScreenCaptureBlocker blocker; + int status; atexit (localcleanup); SetProcessShutdownParameters (0x100, 0); 
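Review bot: In the post-OOBE branch the new `LocalFree (argv)` is placed before InitOSVersionInfo() and the try block rather than at the branch's exit, so argv dangles for the rest of that branch; the remainder of the branch lies outside the hunk, so I cannot see whether anything there still reads argv[1]. Moving the call to just before the branch's `return 0;` (mirroring the service branch, which frees immediately before its return) removes the question, e.g. `LocalFree (argv); return 0;`. The service branch's placement is fine as written.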
@@ -11755,7 +11825,7 @@ static BOOL CALLBACK PerformanceSettingsDlgProc (HWND hwndDlg, UINT msg, WPARAM EnableWindow (GetDlgItem (hwndDlg, IDC_ENABLE_CPU_RNG), FALSE); } - if (IsRamEncryptionSupported()) + if (!IsNonInstallMode() && IsRamEncryptionSupported()) // RAM encryption is not supported in portable mode { CheckDlgButton (hwndDlg, IDC_ENABLE_RAM_ENCRYPTION, (driverConfig & VC_DRIVER_CONFIG_ENABLE_RAM_ENCRYPTION) ? BST_CHECKED : BST_UNCHECKED); } @@ -11765,8 +11835,26 @@ static BOOL CALLBACK PerformanceSettingsDlgProc (HWND hwndDlg, UINT msg, WPARAM EnableWindow (GetDlgItem (hwndDlg, IDC_ENABLE_RAM_ENCRYPTION), FALSE); } - CheckDlgButton (hwndDlg, IDC_DISABLE_MEMORY_PROTECTION, ReadMemoryProtectionConfig() ? BST_UNCHECKED : BST_CHECKED); - CheckDlgButton (hwndDlg, IDC_DISABLE_SCREEN_PROTECTION, ReadScreenProtectionConfig() ? BST_UNCHECKED : BST_CHECKED); + if (IsNonInstallMode()) + { + CheckDlgButton (hwndDlg, IDC_DISABLE_MEMORY_PROTECTION, EnableMemoryProtection ? BST_UNCHECKED : BST_CHECKED); + EnableWindow (GetDlgItem (hwndDlg, IDC_DISABLE_MEMORY_PROTECTION), FALSE); + + } + else + { + CheckDlgButton (hwndDlg, IDC_DISABLE_MEMORY_PROTECTION, ReadMemoryProtectionConfig() ? BST_UNCHECKED : BST_CHECKED); + } + + if (IsNonInstallMode()) + { + CheckDlgButton (hwndDlg, IDC_DISABLE_SCREEN_PROTECTION, EnableScreenProtection ? BST_UNCHECKED : BST_CHECKED); + EnableWindow (GetDlgItem (hwndDlg, IDC_DISABLE_SCREEN_PROTECTION), FALSE); + } + else + { + CheckDlgButton (hwndDlg, IDC_DISABLE_SCREEN_PROTECTION, ReadScreenProtectionConfig() ? BST_UNCHECKED : BST_CHECKED); + } size_t cpuCount = GetCpuCount(NULL);