Public/VeraCrypt
1
0
Fork 0
mirror of https://github.com/veracrypt/VeraCrypt.git synced 2025-11-11 02:58:02 -06:00
Code Activity

Windows: Add extra checks for bootloader tampering.

Browse Source
This commit is contained in:
Mounir IDRASSI
2015-08-05 12:06:00 +02:00
parent a06c41c5c9
commit c2d0d5e344
2 changed files with 35 additions and 7 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
src/Common/BootEncryption.cpp
View File

@@ -1565,6 +1565,11 @@ namespace VeraCrypt
bRet = true; bRet = true;
} }
} }
catch (SystemException &e)
{
if (!bSilent && (GetLastError () != ERROR_INVALID_IMAGE_HASH))
e.Show (ParentWindow);
}
catch (Exception& e) catch (Exception& e)
{ {
if (!bSilent) if (!bSilent)

37
src/Driver/DriveFilter.c
View File

@@ -1764,17 +1764,40 @@ void GetBootLoaderFingerprint (PIRP irp, PIO_STACK_LOCATION irpSp)
{ {
if (ValidateIOBufferSize (irp, sizeof (BootLoaderFingerprintRequest), ValidateOutput)) if (ValidateIOBufferSize (irp, sizeof (BootLoaderFingerprintRequest), ValidateOutput))
{ {
if (BootArgsValid) irp->IoStatus.Information = 0;
if (BootArgsValid && BootDriveFound && BootDriveFilterExtension && BootDriveFilterExtension->DriveMounted && BootDriveFilterExtension->HeaderCryptoInfo)
{ {
BootLoaderFingerprintRequest *bootLoaderFingerprint = (BootLoaderFingerprintRequest *) irp->AssociatedIrp.SystemBuffer; BootLoaderFingerprintRequest *bootLoaderFingerprint = (BootLoaderFingerprintRequest *) irp->AssociatedIrp.SystemBuffer;
memcpy (bootLoaderFingerprint->Fingerprint, BootLoaderFingerprint, sizeof (BootLoaderFingerprint));
irp->IoStatus.Information = sizeof (BootLoaderFingerprintRequest); /* compute the fingerprint again and check if it is the same as the one retrieved during boot */
irp->IoStatus.Status = STATUS_SUCCESS; char *header = TCalloc (TC_BOOT_ENCRYPTION_VOLUME_HEADER_SIZE);
if (!header)
{
irp->IoStatus.Status = STATUS_INSUFFICIENT_RESOURCES;
}
else
{
memcpy (bootLoaderFingerprint->Fingerprint, BootLoaderFingerprint, sizeof (BootLoaderFingerprint));
ComputeBootLoaderFingerprint (BootDriveFilterExtension->LowerDeviceObject, header);
burn (header, TC_BOOT_ENCRYPTION_VOLUME_HEADER_SIZE);
TCfree (header);
if (0 == memcmp (bootLoaderFingerprint->Fingerprint, BootLoaderFingerprint, sizeof (BootLoaderFingerprint)))
{
irp->IoStatus.Information = sizeof (BootLoaderFingerprintRequest);
irp->IoStatus.Status = STATUS_SUCCESS;
}
else
{
/* fingerprint mismatch.*/
irp->IoStatus.Status = STATUS_INVALID_IMAGE_HASH;
}
}
} }
else else
{ {
irp->IoStatus.Status = STATUS_INVALID_PARAMETER; irp->IoStatus.Status = STATUS_INVALID_PARAMETER;
irp->IoStatus.Information = 0;
} }
} }
} }