Windows: Implement TESTSIGNING build configuration that allows running under Windows Vista,7, 8 and 8.1.

2026-01-03 12:18:11 -06:00 · 2021-12-04 23:55:41 +01:00
parent 0bc3e36f76
commit a21b2270e8
13 changed files with 735 additions and 41 deletions
--- a/src/Common/BootEncryption.cpp
+++ b/src/Common/BootEncryption.cpp
@@ -2218,7 +2218,6 @@ namespace VeraCrypt

 #endif // !SETUP

-	NtQuerySystemInformationFn NtQuerySystemInformationPtr = NULL;

 	EfiBootConf::EfiBootConf() : passwordType (0),
 		passwordMsg ("Password: "),
@@ -2510,14 +2509,13 @@ namespace VeraCrypt
 			ULONG    len;
 			NTSTATUS res;
 			WCHAR tempBuf[1024];
+			NtQuerySystemInformationFn NtQuerySystemInformationPtr = (NtQuerySystemInformationFn) GetProcAddress (GetModuleHandle (L"ntdll.dll"), "NtQuerySystemInformation");
 			memset(tempBuf, 0, sizeof(tempBuf));

 			// Load NtQuerySystemInformation function point
 			if (!NtQuerySystemInformationPtr)
 			{
-				NtQuerySystemInformationPtr = (NtQuerySystemInformationFn) GetProcAddress (GetModuleHandle (L"ntdll.dll"), "NtQuerySystemInformation");
-				if (!NtQuerySystemInformationPtr)
-					throw SystemException (SRC_POS);
+				throw SystemException (SRC_POS);
 			}

 			res = NtQuerySystemInformationPtr((SYSTEM_INFORMATION_CLASS)SYSPARTITIONINFORMATION, tempBuf, sizeof(tempBuf), &len);
--- a/src/Common/BootEncryption.h
+++ b/src/Common/BootEncryption.h
@@ -18,16 +18,6 @@
 #include "Exception.h"
 #include "Platform/PlatformBase.h"
 #include "Volumes.h"
-#include <Winternl.h>
-
-#define SYSPARTITIONINFORMATION 0x62
-
-typedef NTSTATUS (WINAPI *NtQuerySystemInformationFn)(
-		SYSTEM_INFORMATION_CLASS SystemInformationClass,
-		PVOID                    SystemInformation,
-      ULONG                    SystemInformationLength,
-		PULONG                   ReturnLength
-);

 typedef ULONG (WINAPI *RtlNtStatusToDosErrorFn)(
  NTSTATUS Status
--- a/src/Common/Dlgcode.c
+++ b/src/Common/Dlgcode.c
@@ -166,6 +166,8 @@ BOOL bHistory = FALSE;

 #ifndef SETUP
 BOOL bLanguageSetInSetup = FALSE;
+#else
+extern BOOL bMakePackage;
 #endif

 // Status of detection of hidden sectors (whole-system-drive encryption). 
@@ -3259,12 +3261,36 @@ void InitApp (HINSTANCE hInstance, wchar_t *lpszCommandLine)

 	RemoteSession = GetSystemMetrics (SM_REMOTESESSION) != 0;

+#ifndef VC_SKIP_OS_DRIVER_REQ_CHECK
 	// OS version check: from version 1.25, only Windows XP, Windows 10 and Windows 11 are supported because of new driver signing requirements
 	if (!(IsOSVersionAtLeast(WIN_10, 0) || (nCurrentOS == WIN_XP) || (nCurrentOS == WIN_XP64)))
 	{
 		MessageBoxW (NULL, GetString ("UNSUPPORTED_OS"), lpszTitle, MB_ICONSTOP);
 		exit (1);
 	}
+#else
+	// in TESTSIGNING mode, we support only Windows Vista, Windows 7, Windows 8/8.1
+	if (	!IsOSVersionAtLeast(WIN_VISTA, 0) 
+#ifndef SETUP
+		||	IsOSVersionAtLeast(WIN_10, 0)
+#else
+		||	(IsOSVersionAtLeast(WIN_10, 0) && !bMakePackage)
+#endif
+		)
+	{
+		MessageBoxW (NULL, L"TESTSIGNING version of VeraCrypt targets only Windows Vista, Windows 7 and Windows 8/8.1.\n\nPlease use the standard version of VeraCrypt instead.", lpszTitle, MB_ICONSTOP);
+		exit (1);
+	}
+	else if (  !IsTestSigningModeEnabled()
+#ifdef SETUP
+			&& !bMakePackage
+#endif
+		)
+	{
+		MessageBoxW (NULL, L"Test-Signing Mode, which is required to run VeraCrypt TESTSIGNING binaries, is not enabled in Windows.\n\nExecution aborted!", lpszTitle, MB_ICONSTOP);
+		exit (1);
+	}
+#endif
 	else
 	{
 		// Service pack check & warnings about critical MS issues
@@ -14035,7 +14061,7 @@ INT_PTR SecureDesktopDialogBoxParam(

 #endif

-#ifdef NDEBUG
+#if !defined(NDEBUG) && !defined(VC_SKIP_OS_DRIVER_REQ_CHECK)
 static BOOL InitializeWintrust()
 {
 	if (!hWinTrustLib)
@@ -14086,7 +14112,7 @@ static void FinalizeWintrust()

 BOOL VerifyModuleSignature (const wchar_t* path)
 {
-#ifdef NDEBUG
+#if !defined(NDEBUG) && !defined (VC_SKIP_OS_DRIVER_REQ_CHECK)
 	BOOL bResult = FALSE;
 	HRESULT hResult;
 	GUID gActionID = WINTRUST_ACTION_GENERIC_VERIFY_V2;
@@ -15233,3 +15259,27 @@ BOOL GetHibernateStatus (BOOL& bHibernateEnabled, BOOL& bHiberbootEnabled)
 	return bResult;
 }

+/* return TRUE if Windows is in Test Signing mode */
+/* ref: https://social.msdn.microsoft.com/Forums/Windowsapps/en-US/e6c1be93-7003-4594-b8e4-18ab4a75d273/detecting-testsigning-onoff-via-api */
+BOOL IsTestSigningModeEnabled ()
+{
+	BOOL bEnabled = FALSE;
+	NtQuerySystemInformationFn NtQuerySystemInformationPtr = (NtQuerySystemInformationFn) GetProcAddress (GetModuleHandle (L"ntdll.dll"), "NtQuerySystemInformation");
+	if(NtQuerySystemInformationPtr)
+	{
+		SYSTEM_CODEINTEGRITY_INFORMATION info = {0};
+		ULONG cbReturnedData = 0;
+		info.Length = sizeof(info);
+		if (	(NtQuerySystemInformationPtr((SYSTEM_INFORMATION_CLASS) SYSTEMCODEINTEGRITYINFORMATION, &info, sizeof(info), &cbReturnedData) >= 0) 
+			&&	(cbReturnedData == sizeof(info))
+			)
+		{
+			if ((info.CodeIntegrityOptions & (CODEINTEGRITY_OPTION_TESTSIGN | CODEINTEGRITY_OPTION_ENABLED)) == (CODEINTEGRITY_OPTION_TESTSIGN | CODEINTEGRITY_OPTION_ENABLED))
+			{
+				bEnabled = TRUE;
+			}
+		}
+	}
+
+	return bEnabled;
+}
--- a/src/Common/Dlgcode.h
+++ b/src/Common/Dlgcode.h
@@ -18,6 +18,7 @@
 #include "Apidrvr.h"
 #include "Keyfiles.h"
 #include "Wipe.h"
+#include <Winternl.h>

 #ifdef __cplusplus
 extern "C" {
@@ -250,6 +251,28 @@ typedef enum BitLockerEncryptionStatus
    BL_Status_Protected
 } BitLockerEncryptionStatus;

+#ifndef CODEINTEGRITY_OPTION_ENABLED
+
+#define CODEINTEGRITY_OPTION_ENABLED                        0x01
+#define CODEINTEGRITY_OPTION_TESTSIGN                       0x02
+
+typedef struct _SYSTEM_CODEINTEGRITY_INFORMATION {
+    ULONG   Length;
+    ULONG   CodeIntegrityOptions;
+} SYSTEM_CODEINTEGRITY_INFORMATION, *PSYSTEM_CODEINTEGRITY_INFORMATION;
+
+#endif
+
+#define SYSPARTITIONINFORMATION 0x62
+#define SYSTEMCODEINTEGRITYINFORMATION	0x67
+
+typedef NTSTATUS (WINAPI *NtQuerySystemInformationFn)(
+		SYSTEM_INFORMATION_CLASS SystemInformationClass,
+		PVOID                    SystemInformation,
+		ULONG                    SystemInformationLength,
+		PULONG                   ReturnLength
+);
+

 #define DEFAULT_VOL_CREATION_WIZARD_MODE	WIZARD_MODE_FILE_CONTAINER

@@ -560,6 +583,7 @@ BOOL BufferHasPattern (const unsigned char* buffer, size_t bufferLen, const void
 BOOL EnableProcessProtection();
 void SafeOpenURL (LPCWSTR szUrl);
 BitLockerEncryptionStatus GetBitLockerEncryptionStatus(WCHAR driveLetter);
+BOOL IsTestSigningModeEnabled ();
 #ifdef _WIN64
 void GetAppRandomSeed (unsigned char* pbRandSeed, size_t cbRandSeed);
 #endif
--- a/src/Common/Tcdefs.h
+++ b/src/Common/Tcdefs.h
@@ -59,6 +59,8 @@ extern unsigned short _rotl16(unsigned short value, unsigned char shift);

 #ifdef VC_EFI_CUSTOM_MODE
 #define VERSION_STRING_SUFFIX			"-CustomEFI"
+#elif defined(VC_SKIP_OS_DRIVER_REQ_CHECK)
+#define VERSION_STRING_SUFFIX			"-TESTSIGNING"
 #else
 #define VERSION_STRING_SUFFIX			""
 #endif