Open srvlocalr00t opened 5 months ago
Hello.
I ported the TrueCrypt cached passphrase finder from Volatility2 to Volatility3.
This error message occurs when the number of bytes in the data section isn't a multiple of DWORD_SIZE_BYTES (which is 4).
Volatility2's cached passphrase finder, running Python 2.6 ≤ x < 3, doesn't check for this alignment and instead iterates over the available DWORD_SIZE_BYTES-sized chunks, as evidenced by the relevant section of code in Volatility2's tcaudit.py

    # Looking for the Length member, DWORD-aligned
    ints = obj.Object("Array", targetType = "int",
                      offset = base, count = size / 4,
                      vm = addr_space)

which uses the integer quotient of size over 4.
I was unsure if this was intentional behaviour so I opted to raise an error when the situation arose.
If anybody else has further insight into the matter and can explain why the error message shouldn't be raised then I'm happy to propose a pull request with the necessary changes.
Otherwise, if you'd like to mimic Volatility2's behaviour, you can modify the following lines in volatility3\framework\plugins\windows\truecrypt.py

    count, not_aligned = divmod(size, DWORD_SIZE_BYTES)
    if not_aligned:
        raise ValueError("PE data section not DWORD-aligned!")

to

    count = size // DWORD_SIZE_BYTES

You could check if the excess bytes are always 00 and therefore suggest it's padding? If there's a total length field being used, that might also make sense?
Sorry, my comment was aimed at @iyassou
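
The three ways of handling a data section whose size is not a multiple of DWORD_SIZE_BYTES that come up in this thread (raise, truncate as the integer quotient does, or accept the leftover only when it is 00 padding), as an added example that is not code from the Volatility plugin or from any commenter. The function names, the policy strings, the 1 to 64 length bounds and the printable-ASCII test are assumptions made for illustration, and the sample bytes are constructed.

```python
import struct

DWORD_SIZE_BYTES = 4  # constant name taken from the thread

def split_dwords(data: bytes, policy: str = "strict"):
    """Split a data section into little-endian DWORDs plus leftover tail bytes.

    strict   - raise on a misaligned size (the check quoted in the thread)
    truncate - drop the tail (the integer-quotient behaviour)
    padding  - drop the tail only when every leftover byte is 0x00
    """
    if policy not in ("strict", "truncate", "padding"):
        raise ValueError(f"unknown policy: {policy}")
    count, not_aligned = divmod(len(data), DWORD_SIZE_BYTES)
    tail = data[count * DWORD_SIZE_BYTES:]
    if not_aligned and policy == "strict":
        raise ValueError("PE data section not DWORD-aligned!")
    if policy == "padding" and tail.strip(b"\x00"):
        raise ValueError(f"non-zero trailing bytes: {tail.hex()}")
    return list(struct.unpack_from(f"<{count}I", data)), tail

def length_candidates(data: bytes, policy: str = "padding",
                      min_len: int = 1, max_len: int = 64):
    """Return (text_offset, length, text) for each plausible DWORD-aligned Length.

    Assumed heuristic: a length within [min_len, max_len] directly followed
    by that many printable ASCII bytes. The text is read from the raw
    bytes, so it may extend into the unaligned tail.
    """
    dwords, _tail = split_dwords(data, policy)
    hits = []
    for index, length in enumerate(dwords):
        if not min_len <= length <= max_len:
            continue
        start = (index + 1) * DWORD_SIZE_BYTES
        text = data[start:start + length]
        if len(text) == length and all(0x20 <= b <= 0x7E for b in text):
            hits.append((start, length, text.decode("ascii")))
    return hits

# Constructed sample: filler, Length=8, 8 text bytes, zeros, then a 2-byte tail.
SAMPLE = (struct.pack("<III", 0xDEADBEEF, 0, 8) + b"Passw0rd"
          + b"\x00" * 4 + b"\x00\x00")

if __name__ == "__main__":
    for policy in ("truncate", "padding"):
        print(policy, length_candidates(SAMPLE, policy))
```

Because the leftover is at most 3 bytes it can never hold a complete DWORD, so truncating cannot skip a Length candidate; the padding policy only reports whether those bytes look like filler.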
Hello @iyassou, it's a dumped file of Win11, that's why Vol2 is no use for me. I'm playing a CTF challenge. If you want the dump I can provide it. Do you know any manual method to extract the key?
Could you help me with the exact proper code?
I tried with 0, 1, 2 as the DWORD size in bytes; that time it showed me a blank result without error.
When I tried with 3, 4++++ it showed this DWORD error.
Thanks
I tried what you suggested... it's showing blank output. The error has stopped.
Be aware that TrueCrypt doesn't always cache a password; it may only be the master keys held in memory. (Although the fact the plugin tried might mean that there is a password.)
Do you have any idea to solve or retrieve it manually?
This blog post is a good place to start: https://volatility-labs.blogspot.com/2014/01/truecrypt-master-key-extraction-and.html
Offset Length Password
Traceback (most recent call last):
  File "C:\Users\srv\Downloads\volatility3-develop\volatility3-develop\vol.py", line 10, in <module>
    volatility3.cli.main()
  File "C:\Users\srv\Downloads\volatility3-develop\volatility3-develop\volatility3\cli\__init__.py", line 871, in main
    CommandLine().run()
  File "C:\Users\srv\Downloads\volatility3-develop\volatility3-develop\volatility3\cli\__init__.py", line 469, in run
    renderer.render(grid)
  File "C:\Users\srv\Downloads\volatility3-develop\volatility3-develop\volatility3\cli\text_renderer.py", line 198, in render
    grid.populate(visitor, outfd)
  File "C:\Users\srv\Downloads\volatility3-develop\volatility3-develop\volatility3\framework\renderers\__init__.py", line 245, in populate
    for level, item in self._generator:
  File "C:\Users\srv\Downloads\volatility3-develop\volatility3-develop\volatility3\framework\plugins\windows\truecrypt.py", line 131, in _generator
    for offset, password in self.scan_module(
  File "C:\Users\srv\Downloads\volatility3-develop\volatility3-develop\volatility3\framework\plugins\windows\truecrypt.py", line 83, in scan_module
    raise ValueError("PE data section not DWORD-aligned!")
ValueError: PE data section not DWORD-aligned!