
TrueCrypt protects you against malware !

truecrypt ramdisk ramdisk.sys malware virus virtual pc

4 replies to this topic

#1 gid

gid
  • Members
  • 9 posts
  • France

Posted 02 December 2014 - 12:43 PM

TrueCrypt can protect your bootable ramdisk image against malware infection.

1 - Install Windows XP in Microsoft Virtual PC 2007 and encrypt the system drive with TrueCrypt.
2 - Make a small bootable XP image (<500 MB) and install XP's ramdisk.sys driver. DON'T install TrueCrypt in this Windows installation.
3 - Copy the XP image file to the root of the encrypted Virtual PC drive and add an entry in boot.ini that points to the XP image file. Reboot the virtual machine, enter your TrueCrypt Pre Boot Authentication and boot the XP image to check that everything works fine.
4 - Copy the encrypted VHD file and the TrueCrypt Rescue Disk ISO file to the boot drive of your computer.
5 - Make a Grub4DOS menu entry that maps the VHD file and that boots from the Rescue Disk ISO file.
6 - Restart your computer and boot your XP ramdisk. When you get to the desktop, go to Disk Management and watch the magic.

Disk Management does not show the C drive. It is still there in RAM and it is accessible in Explorer, but the mapping of the encrypted VHD file that contains the ramdisk image got lost somewhere during the boot process. Malware cannot find the bootable image and mount it to infect it!
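As an added illustration of step 5 (this is not part of gid's post and not taken from TrueCrypt or Grub4DOS documentation), here is a Grub4DOS menu.lst entry of the kind the post describes. The file names xp_tc.vhd and tc_rescue.iso are assumed, as is their location in the root of the boot partition; the VHD must be a fixed-size image (raw sectors plus the VHD footer), and both files must be stored contiguously for a plain map, otherwise `map --mem` is required.

```text
# Added example, not from the original post: Grub4DOS menu.lst entry for step 5.
# Assumed file names: /xp_tc.vhd (fixed-size VHD, system-encrypted with TrueCrypt,
# containing the XP ramdisk image and the boot.ini entry from step 3) and
# /tc_rescue.iso (the TrueCrypt Rescue Disk), both in the root of the boot drive.
title XP ramdisk inside TrueCrypt VHD (boot via TrueCrypt Rescue Disk)
# locate the partition holding the VHD and make it the root device
find --set-root --ignore-floppies /xp_tc.vhd
# keep the real first disk reachable as (hd1), then present the VHD as (hd0)
# so the TrueCrypt boot loader sees the encrypted system drive it expects
map (hd0) (hd1)
map /xp_tc.vhd (hd0)
# map the Rescue Disk ISO as a CD-ROM device; add --mem if the file is fragmented
map /tc_rescue.iso (0xff)
# install the INT 13h hook so BIOS disk calls see the mapped devices
map --hook
# start the TrueCrypt loader from the ISO; after pre-boot authentication
# it decrypts (hd0) on the fly and hands over to NTLDR inside the VHD
root (0xff)
chainloader (0xff)
boot
```

The behaviour gid observes in step 6 is consistent with how this chain works: NTLDR loads the ramdisk image through BIOS disk calls, which at that point still pass through the Grub4DOS hook and the TrueCrypt loader, so the image is fully in memory before the NT kernel takes over with its own disk drivers. Once that happens the hook is gone, and neither the VHD nor its decrypted contents are visible as a disk to the running system.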

#2 gid

gid
  • Members
  • 9 posts
  • France

Posted 02 December 2014 - 01:57 PM

Sorry about the big blob of text I just posted.

I'm encountering problems with the forum using Firefox.

The parser of the forum doesn't seem to process my line feeds correctly, and other things like editing posts don't work.

Posting this message with Opera.

I hope that resolves the problems...

Edit: problems solved.

Firefox must have some strange problem that causes it to misbehave.

@ Admins: Feel free to edit my first post adding some line feeds and stuff...  :)


Edited by gid, 02 December 2014 - 02:00 PM.


#3 dog

dog

    Frequent Member

  • Expert
  • 236 posts

Posted 04 December 2014 - 05:02 PM

If you skipped TrueCrypt and just mapped any PE image to RAM, you'd get much the same effect: a writeable PE in RAM, and the backing image on the disk not mounted.



#4 gid

gid
  • Members
  • 9 posts
  • France

Posted 05 December 2014 - 12:10 PM

Sure... :)

That will work for a PE iso image.

But how to proceed with a real XP?

A virus could mount the boot drive, mount the img files it contains and infect them!

I've got a pile of brand new XP compatible motherboards and I will keep using XP as my main OS for the next 20+ years.

No more security updates from Microsoft, so I need to find ways to protect myself from malware.


So, I discovered this TrueCrypt "hack" and I think it is cool and extremely effective.

You can mount the encrypted drive with TrueCrypt in traveler mode; after entering the password TrueCrypt will mount the VHD file and you will be able to update the source image of the running OS with IMG_XP_Update.exe.


Edited by gid, 05 December 2014 - 12:19 PM.


#5 gid

gid
  • Members
  • 9 posts
  • France

Posted 05 December 2014 - 12:34 PM

The TrueCrypt hack is also the only method that I'm aware of that allows Pre Boot Authentication to work with a ramdisk image.
It works only with Microsoft's ramdisk.sys driver.
I tried using WinVBlock and Firadisk, but it doesn't boot with those drivers.


Edited by gid, 05 December 2014 - 12:41 PM.
