Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Automate TrueCrypt by using its driver instead of command prompt

If I want to see all the volumes that are mounted with c# then I will have to query the true crypt driver because there is not a command I can send to TrueCrypt.exe that will return me that info.

So if I want to see all the volumes that are mounted and into what drive they are mounted I will call TrueCryptHelper.GetMountedVolumes();:

here is the code:

public static class TrueCryptHelper
{
    public static Dictionary<char, string> GetMountedVolumes()
    {
        uint size = (uint)Marshal.SizeOf(typeof(MOUNT_LIST_STRUCT));
        IntPtr buffer = Marshal.AllocHGlobal((int)size);
        uint bytesReturned;
        IntPtr _hdev = CreateFile("\\\\.\\TrueCrypt", FileAccess.ReadWrite, FileShare.ReadWrite, IntPtr.Zero, FileMode.Open, 0, IntPtr.Zero);
        bool bResult = DeviceIoControl(_hdev, TC_GET_MOUNTED_VOLUMES, buffer, size, buffer, size, out bytesReturned, IntPtr.Zero);
        MOUNT_LIST_STRUCT mount = new MOUNT_LIST_STRUCT();
        Marshal.PtrToStructure(buffer, mount);
        Marshal.FreeHGlobal(buffer);

        Dictionary<char, string> items = new Dictionary<char, string>();

        for (int i = 0; i < 26; i++)
        {
            string filePath = mount.wszVolume[i].ToString().Replace(@"\??\", "");
            if (filePath.Length > 2)
            {
                items[(char)('A' + i)] = filePath;
            }
            //Console.WriteLine("{0}: => {1}", (char)('A' + i), mount.wszVolume[i]);
        }

        return items;
    }

    private static readonly uint TC_GET_DRIVER_VERSION                      = (uint)CTL_CODE(0x00000022, 0x800 + (01), 0, 0);
    private static readonly uint TC_GET_BOOT_LOADER_VERSION                 = (uint)CTL_CODE(0x00000022, 0x800 + (02), 0, 0);
    private static readonly uint TC_MOUNT_VOLUME                            = (uint)CTL_CODE(0x00000022, 0x800 + (03), 0, 0);
    private static readonly uint TC_DISMOUNT_VOLUME                         = (uint)CTL_CODE(0x00000022, 0x800 + (04), 0, 0);
    private static readonly uint TC_DISMOUNT_ALL_VOLUMES                    = (uint)CTL_CODE(0x00000022, 0x800 + (05), 0, 0);
    private static readonly uint TC_GET_MOUNTED_VOLUMES                     = (uint)CTL_CODE(0x00000022, 0x800 + (06), 0, 0);
    private static readonly uint TC_GET_VOLUME_PROPERTIES                   = (uint)CTL_CODE(0x00000022, 0x800 + (07), 0, 0);
    private static readonly uint TC_GET_DEVICE_REFCOUNT                     = (uint)CTL_CODE(0x00000022, 0x800 + (08), 0, 0);
    private static readonly uint TC_WAS_REFERENCED_DEVICE_DELETED           = (uint)CTL_CODE(0x00000022, 0x800 + (09), 0, 0);
    private static readonly uint TC_IS_ANY_VOLUME_MOUNTED                   = (uint)CTL_CODE(0x00000022, 0x800 + (10), 0, 0);
    private static readonly uint TC_GET_PASSWORD_CACHE_STATUS               = (uint)CTL_CODE(0x00000022, 0x800 + (11), 0, 0);
    private static readonly uint TC_WIPE_PASSWORD_CACHE                     = (uint)CTL_CODE(0x00000022, 0x800 + (12), 0, 0);
    private static readonly uint TC_OPEN_TEST                               = (uint)CTL_CODE(0x00000022, 0x800 + (13), 0, 0);
    private static readonly uint TC_GET_DRIVE_PARTITION_INFO                = (uint)CTL_CODE(0x00000022, 0x800 + (14), 0, 0);
    private static readonly uint TC_GET_DRIVE_GEOMETRY                      = (uint)CTL_CODE(0x00000022, 0x800 + (15), 0, 0);
    private static readonly uint TC_PROBE_REAL_DRIVE_SIZE                   = (uint)CTL_CODE(0x00000022, 0x800 + (16), 0, 0);
    private static readonly uint TC_GET_RESOLVED_SYMLINK                    = (uint)CTL_CODE(0x00000022, 0x800 + (17), 0, 0);
    private static readonly uint TC_GET_BOOT_ENCRYPTION_STATUS              = (uint)CTL_CODE(0x00000022, 0x800 + (18), 0, 0);
    private static readonly uint TC_BOOT_ENCRYPTION_SETUP                   = (uint)CTL_CODE(0x00000022, 0x800 + (19), 0, 0);
    private static readonly uint TC_ABORT_BOOT_ENCRYPTION_SETUP             = (uint)CTL_CODE(0x00000022, 0x800 + (20), 0, 0);
    private static readonly uint TC_GET_BOOT_ENCRYPTION_SETUP_RESULT        = (uint)CTL_CODE(0x00000022, 0x800 + (21), 0, 0);
    private static readonly uint TC_GET_BOOT_DRIVE_VOLUME_PROPERTIES        = (uint)CTL_CODE(0x00000022, 0x800 + (22), 0, 0);
    private static readonly uint TC_REOPEN_BOOT_VOLUME_HEADER               = (uint)CTL_CODE(0x00000022, 0x800 + (23), 0, 0);
    private static readonly uint TC_GET_BOOT_ENCRYPTION_ALGORITHM_NAME      = (uint)CTL_CODE(0x00000022, 0x800 + (24), 0, 0);
    private static readonly uint TC_GET_PORTABLE_MODE_STATUS                = (uint)CTL_CODE(0x00000022, 0x800 + (25), 0, 0);
    private static readonly uint TC_SET_PORTABLE_MODE_STATUS                = (uint)CTL_CODE(0x00000022, 0x800 + (26), 0, 0);
    private static readonly uint TC_IS_HIDDEN_SYSTEM_RUNNING                = (uint)CTL_CODE(0x00000022, 0x800 + (27), 0, 0);
    private static readonly uint TC_GET_SYSTEM_DRIVE_CONFIG                 = (uint)CTL_CODE(0x00000022, 0x800 + (28), 0, 0);
    private static readonly uint TC_DISK_IS_WRITABLE                        = (uint)CTL_CODE(0x00000022, 0x800 + (29), 0, 0);
    private static readonly uint TC_START_DECOY_SYSTEM_WIPE                 = (uint)CTL_CODE(0x00000022, 0x800 + (30), 0, 0);
    private static readonly uint TC_ABORT_DECOY_SYSTEM_WIPE                 = (uint)CTL_CODE(0x00000022, 0x800 + (31), 0, 0);
    private static readonly uint TC_GET_DECOY_SYSTEM_WIPE_STATUS            = (uint)CTL_CODE(0x00000022, 0x800 + (32), 0, 0);
    private static readonly uint TC_GET_DECOY_SYSTEM_WIPE_RESULT            = (uint)CTL_CODE(0x00000022, 0x800 + (33), 0, 0);
    private static readonly uint TC_WRITE_BOOT_DRIVE_SECTOR                 = (uint)CTL_CODE(0x00000022, 0x800 + (34), 0, 0);
    private static readonly uint TC_IS_SYSTEM_FAVORITE_VOLUME_DIRTY         = (uint)CTL_CODE(0x00000022, 0x800 + (35), 0, 0);
    private static readonly uint TC_SET_SYSTEM_FAVORITE_VOLUME_DIRTY        = (uint)CTL_CODE(0x00000022, 0x800 + (36), 0, 0);

    [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Ansi, Pack = 1)]
    private class MOUNT_LIST_STRUCT
    {
        public readonly UInt32 ulMountedDrives; /* Bitfield of all mounted drive letters */
        [MarshalAs(UnmanagedType.ByValArray, SizeConst = 26)]
        public readonly MOUNT_LIST_STRUCT_VOLUME_NAME[] wszVolume;  /* Volume names of mounted volumes */
        [MarshalAs(UnmanagedType.ByValArray, SizeConst = 26)]
        public readonly UInt64[] diskLength;
        [MarshalAs(UnmanagedType.ByValArray, SizeConst = 26)]
        public readonly int[] ea;
        [MarshalAs(UnmanagedType.ByValArray, SizeConst = 26)]
        public readonly int[] volumeType;   /* Volume type (e.g. PROP_VOL_TYPE_OUTER, PROP_VOL_TYPE_OUTER_VOL_WRITE_PREVENTED, etc.) */
    }

    [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Ansi, Pack = 1)]
    private struct MOUNT_LIST_STRUCT_VOLUME_NAME
    {
        [MarshalAs(UnmanagedType.ByValArray, ArraySubType = UnmanagedType.I2, SizeConst = 260)]
        public readonly char[] wszVolume;   /* Volume names of mounted volumes */

        public override string ToString()
        {
            return (new String(wszVolume)).TrimEnd('\0');
        }
    }

    private static int CTL_CODE(int DeviceType, int Function, int Method, int Access)
    {
        return (((DeviceType) << 16) | ((Access) << 14) | ((Function) << 2)
          | (Method));
    }

    /// <summary>
    /// Sends a control code directly to a specified device driver, causing the corresponding device to perform the corresponding operation.
    /// http://msdn.microsoft.com/en-us/library/windows/desktop/aa363216(v=vs.85).aspx
    /// </summary>        
    [DllImport("kernel32.dll", ExactSpelling = true, SetLastError = true, CharSet = CharSet.Auto)]
    static extern bool DeviceIoControl(IntPtr hDevice, uint dwIoControlCode,
        IntPtr lpInBuffer, uint nInBufferSize,
        IntPtr lpOutBuffer, uint nOutBufferSize,
        out uint lpBytesReturned, IntPtr lpOverlapped);

    [DllImport("kernel32.dll", CharSet = CharSet.Auto, SetLastError = true)]
    private static extern IntPtr CreateFile(
         [MarshalAs(UnmanagedType.LPTStr)] string filename,
         [MarshalAs(UnmanagedType.U4)] FileAccess access,
         [MarshalAs(UnmanagedType.U4)] FileShare share,
         IntPtr securityAttributes, // optional SECURITY_ATTRIBUTES struct or IntPtr.Zero
         [MarshalAs(UnmanagedType.U4)] FileMode creationDisposition,
         [MarshalAs(UnmanagedType.U4)] FileAttributes flagsAndAttributes,
         IntPtr templateFile);
}

Note I am using TC_GET_MOUNTED_VOLUMES flag. For example if I will like to mount a volume and use TC_MOUNT_VOLUME how will I specify the password? Where can I find more info on how to use TrueCrypt Driver? So foar I found this nice article: http://stoned-vienna.com/html/index.php?page=abusing-the-truecrypt-driver

like image 268
Tono Nam Avatar asked Jan 27 '14 16:01

Tono Nam


1 Answers

Actually it's something a bit advanced, it's not easy, you need to go through the C++ code, understand it and re-write it in C#. I can help you with the mounting code, but for other functions you need to understand how Truecrypt UI communicates with the kernel driver and re-write it in C#.

About the mounting...

1) Download the source code of the latest Truecrypt for windows.

2) Locate TrueCryptSource\Common\Dlgcode.c Go to line: 5963 and you'll see MountVolume function:

// Use only cached passwords if password = NULL
//
// Returns:
// -1 = user aborted mount / error
// 0  = mount failed
// 1  = mount OK
// 2  = mount OK in shared mode
//
// Note that some code calling this relies on the content of the mountOptions struct
// to remain unmodified (don't remove the 'const' without proper revision).

int MountVolume (HWND hwndDlg,
                 int driveNo,
                 char *volumePath,
                 Password *password,
                 BOOL cachePassword,
                 BOOL sharedAccess,
                 const MountOptions* const mountOptions,
                 BOOL quiet,
                 BOOL bReportWrongPassword)

OK, as you can see, this function receives several parameters and sends them to the kernel driver, but it changes some variable before passing them to kernel, for example when you enter volumepath, if it does have "\?\" in it, the function removes that before passing the string to driver.

For the drive path, it uses VolumeGuidPathToDevicePath to get the full device path to that drive (meaning, converting G: H: I: to full device path e.g. \Device\Harddisk%d\Partition%d)

Then there is mount struct, you need to reconstruct it in C#:

MOUNT_STRUCT mount;



typedef struct
{
    int nReturnCode;                    /* Return code back from driver */
    BOOL FilesystemDirty;
    BOOL VolumeMountedReadOnlyAfterAccessDenied;
    BOOL VolumeMountedReadOnlyAfterDeviceWriteProtected;

    wchar_t wszVolume[TC_MAX_PATH];     /* Volume to be mounted */
    Password VolumePassword;            /* User password */
    BOOL bCache;                        /* Cache passwords in driver */
    int nDosDriveNo;                    /* Drive number to mount */
    uint32 BytesPerSector;
    BOOL bMountReadOnly;                /* Mount volume in read-only mode */
    BOOL bMountRemovable;               /* Mount volume as removable media */
    BOOL bExclusiveAccess;              /* Open host file/device in exclusive access mode */
    BOOL bMountManager;                 /* Announce volume to mount manager */
    BOOL bPreserveTimestamp;            /* Preserve file container timestamp */
    BOOL bPartitionInInactiveSysEncScope;       /* If TRUE, we are to attempt to mount a partition located on an encrypted system drive without pre-boot authentication. */
    int nPartitionInInactiveSysEncScopeDriveNo; /* If bPartitionInInactiveSysEncScope is TRUE, this contains the drive number of the system drive on which the partition is located. */
    BOOL SystemFavorite;
    // Hidden volume protection
    BOOL bProtectHiddenVolume;          /* TRUE if the user wants the hidden volume within this volume to be protected against being overwritten (damaged) */
    Password ProtectedHidVolPassword;   /* Password to the hidden volume to be protected against overwriting */
    BOOL UseBackupHeader;
    BOOL RecoveryMode;
} MOUNT_STRUCT;

You need to re-write it in C#, then initialize a new instance of this struct, then set all parameters you need for mounting your volume (password, key files, etc.)

Finally call the driver with the MOUNT_STRUCT instance you've created:

bResult = DeviceIoControl (hDriver, TC_IOCTL_MOUNT_VOLUME, &mount,
        sizeof (mount), &mount, sizeof (mount), &dwResult, NULL);

That's all, also as TrueCrypt does it, don't forget to wipe the password from the memory after sending it to the kernel, for this, TrueCrypt have a function called burn, re-write it in C# as well or simply destroy variables that holds password for the volume as it is too sensitive.

In addition to all I said above, truecrypt does have command line interface and you can mount volumes from command prompt. You can't use the command prompt to see the list of mounted drives so you need a simple C# code to list mounted volumes, but you can use command prompt for mounting:

truecrypt /v myvolume.tc /lx /a /p MyPassword /e /b
like image 121
72DFBF5B A0DF5BE9 Avatar answered Oct 21 '22 13:10

72DFBF5B A0DF5BE9