Jump to content











Photo
- - - - -

TrueCrypt Patched for supporting arbitrary offsets

steganography truecrypt

  • Please log in to reply
15 replies to this topic

#1 joakim

joakim

    Silver Member

  • Team Reboot
  • 909 posts
  • Location:Bergen
  •  
    Norway

Posted 06 April 2014 - 05:50 PM

Posted Image

File Name: TrueCrypt Patched for supporting arbitrary offsets
File Submitter: joakim
File Submitted: 06 Apr 2014
File Updated: 27 Apr 2014
File Category: Security

Intro
This patched TrueCrypt version (experimental) can mount containers from arbitrary offsets in file or at disk. The container can consist of a range of bytes, instead of the whole file or the rest of the file. That means TrueCrypt volumes can now be stuffed inside other file formats Or it can be placed at arbitrary offsets on \\.\PhysicalDriveX, for instance in unallocated on disk. And thus reduce chances of detection. The patch is based on the latest version, 7.1a.

The orignal version is hardcoded to decrypt normal/outer header from offset 0 and hidden/inner header at offset 65536.

What we have achieved with this patch, is to add a layer of steganography to the TrueCrypt puzzle. For the extremely paranoid people, this may seem appealing, especially when combined with hidden volumes (outer/inner).

Since version 3 of patch, the broken partition patch of tateu has been merged. It was orginally made for version 4.2a: http://forums.truecr...opic.php?t=3820

How to use
First you must create a container and put it into another file (preferrably with a hex editor). See "Creating container".
The patched functionality can only be accessed by commandline mode, and is not available in the GUI.

The /i or /offset switch is for specifying the offset.
The /j or /sectors switch is only for broken partition usage.
The /n or /voltype switch is only for broken partition usage.

That means you can access directly a truecrypt disk hidden somewhere within another file. The original file format may be preserved as valid in certain scenarios, as the example below will show.

All other functionality is described in the official TrueCrypt documentation, and not here.

Example command line for container hidden in file:
truecrypt.exe /v "%CD%\sample-container\truecrypt-x64-original.sys" /lx /a /p joakim /i 231424
Example command line for container hidden in unallocated on PhysicalDrive2:
truecrypt.exe /v "\Device\Harddisk2\DR2" /lx /a /p joakim /offset 10733990400
http://i1100.photobu...zps140011bb.png

So how do you find the correct device for PhysicalDriveX?
Since \\.\PhysicalDrive2 not necessarily becomes \Device\Harddisk\DR2, it will help to download WinObj from Windows Sysinternals; http://technet.micro...s/bb896657.aspx and take a look in the GLOBAL?? page. Pay attention to casing as the TrueCrypts string parsing in that particular area is case sensitive.

The above command uses the original truecrypt driver for 64-bit as hostfile for container, and holds an encrypted volume within the Authenticode signature. The password is joakim, the mountpoint is X:, and the offset of container is 231424. By mounting it with the above command, you will get at the patched source files. After the source files are retrieved and volume dismounted, verify that the digital signature is still valid. It just uses a cool trick..

Another nice file format to play with is mp3. Here's an example I made based on one of the default sample music files installed by Windows;
http://www.mediafire.com/listen/ad0j2zurk00biyb/Kalimba.mp3
The injected container has 2 volumes, one standard and one hidden. The standard volume has password "mikaoj" without quotes. Mount the hidden volume with this command:
truecrypt.exe /v "%CD%\Kalimba.mp3" /lx /a /p joakim /i 4307968
Note
  • On 64-bit systems you must enable testsigning mode to use it. On 32-bit it is fine though. This is because my recompiled drivers are signed with a selfsigned certificate.
  • On first mount operation, the volume must be formatted. On subsequent mounts, the volume is mounted just fine.
  • The container offset must be at a multiple of sector size.
  • It has not been extensively tested, so there might be bugs. Encryption of system volumes has not at all been tested. Don't use it on that!
Tested on Windows 7 SP1 32-bit and 64-bit.

Creating container
The procedure for creating containers suited for this patched version, goes something like this:
  • Create a base container as you normally would, and specify size, encryption, password etc.
  • Find a new host file, appropriate for hiding the base container.
  • Modify the new host file and with a hex editor or other suitable tool, inject at appropriate offset the base container. This step would of course require a bit of knowledge about the file format specs of the new host file.
  • Take a note of the offset where the base container is written.
  • Take a note of the size of the base container.
  • Now you are ready to mount the super hidden container.
  • Since Windows will not detect the filesystem on the very first mount of this hidden container, you must let Windows format the volume. Now all hard work is done.
  • Verify that it works by writing files to the volume. Dismount the volume, and remount it. Check that the file is still there.
  • Check that the original file format of the new host file is still valid.
Step 3 might be the most difficult part here. For the example I had to modify the output of my DigitalSignatureTweaker tool, since it does not write its payload at sector size alignment within the executable. An easy approach would in most cases be to just put the container at end of file, but that would easy to detect though.

The steps for handling hidden volumes are similar, except for both the outer and inner volume, they both need to be re-formatted on the first mount. However, the concept with hidden volumes still work.

Other nice trick not described in official documentation
This trick works on the original unpatched version.
Idea taken from here: http://keyj.emphy.de...with-truecrypt/
Basically, since TrueCrypt will attempt loading the hidden volume inside container, and if decryption of the normal volume header (outer in this particular case), fails. It will move on and attempt decrypting the header of a possible hidden volume. The header of the outer volume is located in bytes 0 - 65535, and the header from bytes 65536.

Now to get this to work on unallocated on lets say \\.\PhysicalDrive2 we need to have some unallocated chunk with enough bytes to host our container, and it needs to be located on disk before the first partition. That means the first 512 bytes, which is the MBR, will be (from TrueCrypts perspective) a failed decryption of header for an outer volume, which means it move on to offset 0x10000 and try decrypting the inner volume. This way the disk will not appear like a standard Truecrypt disk/volume. It will look all fine from within Windows (actually this trick is independent of host OS). And it will work on the officially signed binaries. And don't forget to provide the password for the inner/hidden volume, and not the outer volume (they must be different!!). And just as important, remember to copy bytes from offset 0x10000 in container (and not from offset 0x0), and paste those bytes at offset 0x10000. Load it with a command like this one:
TrueCrypt.exe /v \Device\Harddisk2\DR2 /lx /a /p hiddenpassword 
The same concept, works on many different file formats too, as descrbed in the first link where an mp4 is modified. BMP is very easy.. EXE a bit tougher.

Tools to aid in tweaked container construction
Available in download section for several file formats:
  • MakeContainer-Authenticode
  • MakeContainer-Bmp
  • MakeContainer-Eof
  • MakeContainer-PEResource
  • MakeContainer-PESection
  • MakeContainer-Zip
The MakeContainer-Bmp tool utilizes the same trick as reference earlier about mp4, where certain hybrid formats can be supported by the legacy TrueCrypt version. It is thus possible to choose what kind of supported bmp to generate. The restrictions put in the original version limits what kind of file formats can be used for this, while the patched version obviously extends the opportunities of file formats to use/abuse.

The other tools only works with the patched version.

Regarding tateu's broken partition patch
Can be used to scan for a lost encrypted volume, due to overwritten partition table. It is slow, and performs about 3 sectors per second. It generates and output file to C:\TC_Offsets_Found.txt. Sample command to scan 10000 sectors for a hidden volume starting from offset 0x600000 (6291456 in decimal);
truecrypt.exe /v \Device\Harddisk4\Partition0 /lx /a /p password /i 6291456 /j 10000 /n 2
Summary:
  • The original TrueCrypt will by default attempt decryption of header (for normal/outer) volume at offset 0x0 of file or disk/volume. If that fails, it will move on to offset 0x10000 and attempt decryption of header for hidden/inner volume.
  • The original TrueCrypt can in certain cases load hidden volumes if constructed as hybrid formats. It very much depends on the host format. Not all formats will allow this kind of tweaking. The hidden volume must always start at offset 0x10000 (both for file and physical disk). The first 65535 bytes can be something else, like MBR for physical disk or another file format header for file based containers.
  • The patched version can load both normal and hidden volumes at arbitrary offsets for both file and physical disk. Remember to comply with the rules as described earlier in this post (alignment of offset, formatting of volume on first mount).
Building
This package was built with VS2010. Building the solution required quite a bit of work. I believe I got the setup instructions from;
http://stackoverflow...rypt-on-windows
However, I ran into a number of issues.
  • The driver build script, BuildDriver.cmd, needs modification to specify your own certificate to sign with.
  • A .NET framework update messed things up, requiring a rename of all found cvtres.exe within the Visual Studio install path.
  • Getting the 3rd party dependencies correct was not easy either.
  • I think there was more, but because 1 year has gone since the actual patch was made, most is forgotten.

Click here to download this file

#2 joakim

joakim

    Silver Member

  • Team Reboot
  • 909 posts
  • Location:Bergen
  •  
    Norway

Posted 06 April 2014 - 08:59 PM

Another nice file format to use for this is zip. For example, prepend the container at the beginning of a zip file. Then copy a chunk, lets say 512 bytes of the original zip header bytes and prepend those bytes before the container bytes. Then mount from offset 512 or whatever you chose. Drawback is that on Windows the built-in zip handler, like when opening zip files in explorer, will complain about corruption. Other software like 7-zip unpacks without complaints.

 

In addition to Authenticode signatures, executables on Windows like Portable Executable (normally just an exe) also can be used in other ways. For instance a resource (type RCData), would be a good place to hide a container. I made another example for this particular scenario;

http://www.mediafire...ResourceMod.zip

 

Inside the download is 2 batches for mounting the inner and outer volume from the container placed as a special resource in the resource section. When creating such a modded exe, remember to place the resource (or more specifically, the start of the container) at sector size boundary.



#3 joakim

joakim

    Silver Member

  • Team Reboot
  • 909 posts
  • Location:Bergen
  •  
    Norway

Posted 06 April 2014 - 09:40 PM

And while at it, a simple jpg example; http://www.mediafire...Jpg-EOF-Mod.zip

 

This is probably the easiest type of mod as the container is simply just appended to the jpg at EOF, but with some bytes injected to make up for the alignment.

 

Or you could run this method on a bmp and inject it into an exe as a resource as described in previous post. So you can actually go ahead and start hiding in multiple layers like this, and use your creativity until bored.

 

If you have other good techniques, please share it.



#4 joakim

joakim

    Silver Member

  • Team Reboot
  • 909 posts
  • Location:Bergen
  •  
    Norway

Posted 06 April 2014 - 10:30 PM

And before bored, a bmp header mod example; http://www.mediafire...-Header-Mod.zip

 

Basically, the OffsetPixelArray in header lets us decide at what offset the real bmp pixel bytes begins. Thus letting us inject the container in between the bmp header and the bmp pixel array.



#5 joakim

joakim

    Silver Member

  • Team Reboot
  • 909 posts
  • Location:Bergen
  •  
    Norway

Posted 08 April 2014 - 10:46 PM

Had a little fun an made 4 programs to automate and prepare special containers for this patched version by using different methods of hiding data. All 4 available in this same download section.

 

  1. MakeContainer-Authenticode. Tool that hide container in the digital signature (Authenticode signature) of an executable.
  2. MakeContainer-Bmp. Tool that hide container inside BMP.
  3. MakeContainer-Eof. Tool that hide container at end of file (any file format).
  4. MakeContainer-PESection. Tool that hide container inside a Portable Executable (exe, dll, sys etc) by tweaking the section headers.


#6 joakim

joakim

    Silver Member

  • Team Reboot
  • 909 posts
  • Location:Bergen
  •  
    Norway

Posted 11 April 2014 - 07:27 PM

Added 2 more container hiding utilities:

 

  1. MakeContainer-Zip. Hiding inside zip.
  2. MakeContainer-PEResource. Container added to Portable Executable as resource in resource section.


#7 joakim

joakim

    Silver Member

  • Team Reboot
  • 909 posts
  • Location:Bergen
  •  
    Norway

Posted 12 April 2014 - 08:30 PM

The updated patched drivers now also works on direct disk access to PhysicalDrive. That means a truecrypt container can be placed in unallocated on the same disk as regular mounted volumes exist, and still be mountable. See first post for updated example commands. Also all 9 patched source files are included now.



#8 joakim

joakim

    Silver Member

  • Team Reboot
  • 909 posts
  • Location:Bergen
  •  
    Norway

Posted 15 April 2014 - 09:17 PM

Instruction for how to generate hybrid file formats that may work on legacy TrueCrypt version, as described here; http://keyj.emphy.de...with-truecrypt/  added.

 

Which also got me testing on physical disk in unallocated, as well, for which it works (under certain conditions). See first post.

 

And, an updated MakeContainer-Bmp is added that supports generation of hybrid bmp's that works in either Legacy or patched, or both versions.



#9 joakim

joakim

    Silver Member

  • Team Reboot
  • 909 posts
  • Location:Bergen
  •  
    Norway

Posted 26 April 2014 - 06:05 PM

New version uploaded with bugfix for inner/outer volumes that did not work properly. Also merged tateu's patch (originally for version 4.2a!) for broken partitions, meaning this version can be used to scan from an arbitrary offset and attempt decryption. Original link: http://forums.truecr...opic.php?t=3820 The parameters has consequently changed slightly:

/i or /offset
/j or /sectors
/n or /voltype
  • For regular arbitrary offset usage, now only requires /i or /offset. Offset must be given in decimal.
  • For scanning broken partition, also use last 2 parameters. Sectos is number of sectors to scan. Voltype is either 0 for normal or 2 for hidden. This feature is dead slow, like it was in the original patch, and performs roughly 3 sectors per sec. Generates an output file with results on c:\TC_Offsets_Found.txt.

 

All the MakeContainer tools are updated to support the syntax of patch version 3.



#10 joakim

joakim

    Silver Member

  • Team Reboot
  • 909 posts
  • Location:Bergen
  •  
    Norway

Posted 27 April 2014 - 06:22 PM

Another bug fixed that caused offsets beyond int (int64) to not be interpreted correctly. Offsets within dword was not affected by the bug.



#11 Scooby

Scooby

    Member

  • Members
  • 62 posts
  •  
    Sweden

Posted 24 May 2014 - 06:42 PM

Do you thik it is possible to apply your patches to truecrypt( or tcplay) on linux and be able to build it?

 

 

And if so would the sources of your MakeContainer-XXX programs be made availible for porting

to linux?

 

Then again when I think about it file formats is different in linux right so for MakeContainer-PESection

at least it probably would be different?


Edited by Scooby, 24 May 2014 - 06:43 PM.


#12 joakim

joakim

    Silver Member

  • Team Reboot
  • 909 posts
  • Location:Bergen
  •  
    Norway

Posted 25 May 2014 - 06:23 PM

I guess the truecrypt patch for linux would be somewhat easy to implement. However, I never looked at it, and if preparing a build environment is as tricky as on Windows, that might be the biggest challenge. Maybe I can take a look at it..

Those makecontainer apps are written in autoit, so can't be recompiled for linux. Porting would be required and is beyond me. Sure the exe related container tools produces an output that will not execute on linux. But the data would still be hidden. It's like an elf binary with hidden data on a Windows system.

#13 joakim

joakim

    Silver Member

  • Team Reboot
  • 909 posts
  • Location:Bergen
  •  
    Norway

Posted 29 May 2014 - 08:27 PM

Seems like TrueCrypt's life ended last night. In a very strange way.. But I belive it still is secure enough. After all the recent security audit of it, did not reveil anything big.



#14 v77

v77

    Silver Member

  • Team Reboot
  • 521 posts
  •  
    France

Posted 29 May 2014 - 09:47 PM

A very bad news indeed...
I now understand the recent rise of the number of download of ProxyCrypt... Even at a public holiday, this was unusual.
I wonder what software will be chosen as successor. Not mine of course, but... There is so many users, it's a bit frightening.



#15 homes32

homes32

    Gold Member

  • .script developer
  • 1021 posts
  • Location:Minnesota
  •  
    United States

Posted 30 May 2014 - 10:31 PM

very surprising indeed and more than a little suspect.

 

Diskcrypter is a good alternative and still works fine though :)



#16 gid

gid
  • Members
  • 9 posts
  •  
    France

Posted 10 June 2014 - 04:29 PM

Nice work!

 

I would like to find a way to patch the standard truecrypt bootloader so it supports image files mounted with Grub4DOS like the bootloader of the TC rescue CD does.

 

Any suggestions or ideas ?


Edited by gid, 10 June 2014 - 04:31 PM.






Also tagged with one or more of these keywords: steganography, truecrypt

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users