libyal / libbde

Library and tools to access the BitLocker Drive Encryption (BDE) encrypted volumes
GNU Lesser General Public License v3.0

How to have pybde read from raw image with a volume offset? #57

Closed roboknight closed 2 years ago

roboknight commented 2 years ago

Wish I could label this a question instead of an issue. What I have is a full disk image. While I can pull out the BitLocker partition, I'd prefer to just hand libbde the offset. I'm actually not even trying to mount the thing in general, but just use libbde to pull out parts of BitLocker's data that I need. Every time I try to give libbde the full disk image, it appears to fail, thinking that it isn't the correct type. Maybe you can suggest another way? Seeking to the offset of the BitLocker partition in a file object doesn't seem to work either. I'm working on a standalone machine, so it's difficult to provide much data, but I get the following error, if it helps:

OSError: pybde_volume_open_file_object: unable to open volume. libbde_volume_header_read_data: unsupported volume boot entry point. libbde_volume_header_read_file_io_handle: unable to read volume header data. libbde_internal_volume_open_read: unable to read volume header. libbde_volume_open_file_io_handle: unable to read from file IO handle.

According to that, it would seem that I can't actually read the file, but as I own the file, I'm unsure what is going on.

roboknight commented 2 years ago

I was able to use losetup to get around the issue, but it doesn't matter because I can't actually get the data I need from libbde. I was hoping I could dump the protector data "out-of-the-box". But that doesn't seem to be an option.

joachimmetz commented 2 years ago

Wish I could label this a question instead of an issue.

By default GitHub allows limited access, but I added the question label.

You cannot pass the offset to the Python binding / library; you need to do this via a wrapper file object.

If you need an example of that, have a look at the DataRangeFileObject defined in https://gist.github.com/joachimmetz/58962c679370518d54065f0f4dad685a#file-vshadow-store-read-py-L33

I was hoping I could dump the protector data "out-of-the-box".

What do you mean by "dump the protector data"? bdeinfo shows you some information about the protectors, but if your purpose is to get the protector data for purposes of bruteforcing, then no. That is out of scope of this project.
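A wrapper file object along the lines of the DataRangeFileObject mentioned above, written as an added example for this thread rather than taken from the gist or from libbde itself. It assumes pybde's open_file_object() accepts any object exposing read/seek/tell/get_size (the libyal file-object convention), and the disk image, partition offset and partition size are constructed sample values:

```python
import io
import os

# Constructed sample only: a 128 KiB "disk image" whose BitLocker partition at 64 KiB
# starts with the jump (EB 58 90) and "-FVE-FS-" OEM name libbde checks, then zero filler.
PARTITION_OFFSET = PARTITION_SIZE = 64 * 1024

def make_sample_image():
    header = b"\xeb\x58\x90-FVE-FS-" + b"\x00" * (512 - 11)
    return io.BytesIO(b"\x00" * PARTITION_OFFSET + header + b"\x00" * (PARTITION_SIZE - 512))

class DataRangeFileObject:
    """Exposes one byte range of a larger file-like object as a stand-alone file
    (hypothetical wrapper modelled on the linked gist, with the methods pybde calls)."""

    def __init__(self, file_object, range_offset, range_size):
        self._file_object, self._range_offset = file_object, range_offset
        self._range_size, self._current_offset = range_size, 0

    def read(self, size=None):
        remaining = self._range_size - self._current_offset
        if remaining <= 0:
            return b""  # never read past the range into the next partition
        if size is None or size < 0 or size > remaining:
            size = remaining
        self._file_object.seek(self._range_offset + self._current_offset)
        data = self._file_object.read(size)
        self._current_offset += len(data)
        return data

    def seek(self, offset, whence=os.SEEK_SET):
        if whence == os.SEEK_CUR:
            offset += self._current_offset
        elif whence == os.SEEK_END:
            offset += self._range_size
        if offset < 0 or whence not in (os.SEEK_SET, os.SEEK_CUR, os.SEEK_END):
            raise IOError("invalid seek")
        self._current_offset = offset

    def tell(self):
        return self._current_offset
    get_offset = tell  # libyal bindings may ask for get_offset instead of tell

    def get_size(self):
        return self._range_size

def open_bde_volume_at_offset(path, partition_offset, partition_size):
    import pybde  # lazy import: the wrapper can be exercised without libbde
    bde_volume = pybde.volume()  # hand pybde only the partition range of the image
    bde_volume.open_file_object(DataRangeFileObject(open(path, "rb"), partition_offset, partition_size))
    return bde_volume
```

Because every read is clamped to the range, a seek or read past the end of the partition returns empty data instead of silently spilling into the next partition of the image.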

roboknight commented 2 years ago

I probably don’t have enough characters to indicate how hard I laughed at the ‘brute force’ comment. I wanted to dump the TPM encoded block because I happen to have the decryption key. So I was looking for a better path than running dislocker-metadata… And I was looking for python bindings. But, I just punted and used the dislocker output.

joachimmetz commented 2 years ago

I probably don’t have enough characters to indicate how hard I laughed at the ‘brute force’ comment.

Unclear why you would laugh; folks with similar requests in the past have proposed this.

I wanted to dump the TPM encoded block because I happen to have the decryption key.

(1) always useful to provide context when filing an issue (2) will that research be shared publicly?

roboknight commented 2 years ago

I laughed because that’s an actual key and I would be long dead before I could guess it. Unless I’m the luckiest person alive.

As far as context, it didn’t seem important. It just seemed like a natural ability for a library like this because it had the data.

As for the info, it’s not that useful, and the exploit I used is already public.