stacksmashing / pico-tpmsniffer

A simple, very experimental TPM sniffer for LPC bus

Variable vmk header #3

Open LuemmelSec opened 7 months ago

LuemmelSec commented 7 months ago

ChatGPT version of trying to take variable VMK headers into consideration. The header can actually look like this: 2c000[0-6]000[1-9]000[0-1]000[0-5]200000

I am not a programmer; it would be cool if you could evaluate if this is okay or not. Or if there is maybe even a more sexy way to do it.

segfault-bilibili commented 6 months ago

The header can actually look like this: 2c000[0-6]000[1-9]000[0-1]000[0-5]200000

Do you have explanation for that?

LuemmelSec commented 6 months ago

The header can actually look like this: 2c000[0-6]000[1-9]000[0-1]000[0-5]200000

Do you have explanation for that?

Sure: https://luemmelsec.github.io/Go-away-BitLocker-you-are-drunk/ https://github.com/WithSecureLabs/bitlocker-spi-toolkit/pull/3 https://labs.withsecure.com/publications/sniff-there-leaks-my-bitlocker-key

zaphoxx commented 6 months ago

That might be very crude but you could check something like

#include <stdint.h>
#include <string.h>

// Generic VMK looks like
// 2C00|0X00|0X00|0000|0X20|0000
// Compare the candidate at message_buffer + popped against vmk_header,
// skipping the X bytes at offsets 2, 4 and 8.
static int vmk_header_matches(const uint8_t *message_buffer, size_t popped, const uint8_t *vmk_header)
{
    return memcmp(message_buffer + popped, vmk_header, 2) == 0 &&
           memcmp(message_buffer + popped + 3, vmk_header + 3, 1) == 0 &&
           memcmp(message_buffer + popped + 5, vmk_header + 5, 3) == 0 &&
           memcmp(message_buffer + popped + 9, vmk_header + 9, 3) == 0;
}

I tested that in my setup and it seems to work fine. So basically the comparison simply skips the variable bytes, which is just 3 of 12 bytes, which should still be good enough to find the correct match.
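As an added example, not code from this thread or from pico-tpmsniffer: the same idea written as a mask-based compare over the 12-byte pattern given above (2c000[0-6]000[1-9]000[0-1]000[0-5]200000). Instead of skipping the variable bytes, it fixes the high nibble of each of the four variable bytes (offsets 2, 4, 6 and 8) and range-checks the low nibble, so a candidate that falls outside the documented ranges is rejected rather than accepted. The function names (match_vmk_header, find_vmk_header), the table names (vmk_expected, vmk_mask) and the sample capture bytes are assumptions constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define VMK_HEADER_LEN 12

// Expected bytes of the header 2c00 0X00 0X00 0X00 0X20 0000 (X = variable nibble).
static const uint8_t vmk_expected[VMK_HEADER_LEN] = {
    0x2c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x20, 0x00, 0x00 };

// 0xff = whole byte must match; 0xf0 = only the high nibble is fixed (0x0?).
static const uint8_t vmk_mask[VMK_HEADER_LEN] = {
    0xff, 0xff, 0xf0, 0xff, 0xf0, 0xff, 0xf0, 0xff, 0xf0, 0xff, 0xff, 0xff };

// Range check for the low nibble of each variable byte, taken from the
// pattern in the thread: 0[0-6], 0[1-9], 0[0-1], 0[0-5].
static int nibble_in_range(size_t offset, uint8_t value) {
    uint8_t lo = value & 0x0f;
    switch (offset) {
        case 2: return lo <= 6;
        case 4: return lo >= 1 && lo <= 9;
        case 6: return lo <= 1;
        case 8: return lo <= 5;
        default: return 1;
    }
}

// Returns 1 if buf[0..11] matches the variable VMK header pattern, else 0.
int match_vmk_header(const uint8_t *buf, size_t len) {
    if (len < VMK_HEADER_LEN) return 0;
    for (size_t i = 0; i < VMK_HEADER_LEN; i++) {
        if ((buf[i] & vmk_mask[i]) != (vmk_expected[i] & vmk_mask[i])) return 0;
        if (vmk_mask[i] != 0xff && !nibble_in_range(i, buf[i])) return 0;
    }
    return 1;
}

// Scans a captured byte stream and returns the offset of the first header, or -1.
long find_vmk_header(const uint8_t *buf, size_t len) {
    for (size_t off = 0; off + VMK_HEADER_LEN <= len; off++)
        if (match_vmk_header(buf + off, len - off)) return (long)off;
    return -1;
}

// Constructed sample capture: three bytes of noise, then the header variant
// 2c00 0300 0200 0100 0520 0000, then one trailing byte.
static const uint8_t sample_capture[] = {
    0x80, 0x00, 0x01,
    0x2c, 0x00, 0x03, 0x00, 0x02, 0x00, 0x01, 0x00, 0x05, 0x20, 0x00, 0x00,
    0xaa };

int main(void) {
    long off = find_vmk_header(sample_capture, sizeof sample_capture);
    printf("header at offset %ld\n", off);
    return off == 3 ? 0 : 1;
}
```

The mask table makes the fixed and variable positions explicit in one place, so a new header variant only needs a change to vmk_mask and nibble_in_range rather than a new chain of memcmp offsets.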