📄 drivefilter.c
字号:
NTSTATUS StartBootEncryptionSetup (PDEVICE_OBJECT DeviceObject, PIRP irp, PIO_STACK_LOCATION irpSp)
{
NTSTATUS status;
if (!UserCanAccessDriveDevice())
return STATUS_ACCESS_DENIED;
if (SetupInProgress || !BootDriveFound || !BootDriveFilterExtension
|| BootDriveFilterExtension->HiddenSystem
|| irpSp->Parameters.DeviceIoControl.InputBufferLength < sizeof (BootEncryptionSetupRequest))
return STATUS_INVALID_PARAMETER;
SetupRequest = *(BootEncryptionSetupRequest *) irp->AssociatedIrp.SystemBuffer;
EncryptionSetupThreadAbortRequested = FALSE;
KeInitializeSpinLock (&SetupStatusSpinLock);
SetupStatusEncryptedAreaEnd = BootDriveFilterExtension ? BootDriveFilterExtension->Queue.EncryptedAreaEnd : -1;
SetupInProgress = TRUE;
status = TCStartThread (SetupThreadProc, DeviceObject, &EncryptionSetupThread);
if (!NT_SUCCESS (status))
SetupInProgress = FALSE;
return status;
}
void GetBootDriveVolumeProperties (PIRP irp, PIO_STACK_LOCATION irpSp)
{
if (ValidateIOBufferSize (irp, sizeof (VOLUME_PROPERTIES_STRUCT), ValidateOutput))
{
DriveFilterExtension *Extension = BootDriveFilterExtension;
VOLUME_PROPERTIES_STRUCT *prop = (VOLUME_PROPERTIES_STRUCT *) irp->AssociatedIrp.SystemBuffer;
memset (prop, 0, sizeof (*prop));
if (!BootDriveFound || !Extension)
{
irp->IoStatus.Status = STATUS_INVALID_PARAMETER;
irp->IoStatus.Information = 0;
}
else
{
prop->hiddenVolume = Extension->Queue.CryptoInfo->hiddenVolume;
prop->diskLength = Extension->ConfiguredEncryptedAreaEnd + 1 - Extension->ConfiguredEncryptedAreaStart;
prop->ea = Extension->Queue.CryptoInfo->ea;
prop->mode = Extension->Queue.CryptoInfo->mode;
prop->pkcs5 = Extension->Queue.CryptoInfo->pkcs5;
prop->pkcs5Iterations = Extension->Queue.CryptoInfo->noIterations;
#if 0
prop->volumeCreationTime = Extension->Queue.CryptoInfo->volume_creation_time;
prop->headerCreationTime = Extension->Queue.CryptoInfo->header_creation_time;
#endif
prop->volFormatVersion = Extension->Queue.CryptoInfo->LegacyVolume ? TC_VOLUME_FORMAT_VERSION_PRE_6_0 : TC_VOLUME_FORMAT_VERSION;
prop->totalBytesRead = Extension->Queue.TotalBytesRead;
prop->totalBytesWritten = Extension->Queue.TotalBytesWritten;
irp->IoStatus.Information = sizeof (VOLUME_PROPERTIES_STRUCT);
irp->IoStatus.Status = STATUS_SUCCESS;
}
}
}
void GetBootEncryptionStatus (PIRP irp, PIO_STACK_LOCATION irpSp)
{
/* IMPORTANT: Do NOT add any potentially time-consuming operations to this function. */
if (ValidateIOBufferSize (irp, sizeof (BootEncryptionStatus), ValidateOutput))
{
DriveFilterExtension *Extension = BootDriveFilterExtension;
BootEncryptionStatus *bootEncStatus = (BootEncryptionStatus *) irp->AssociatedIrp.SystemBuffer;
memset (bootEncStatus, 0, sizeof (*bootEncStatus));
if (BootArgsValid)
bootEncStatus->BootLoaderVersion = BootArgs.BootLoaderVersion;
bootEncStatus->DeviceFilterActive = DeviceFilterActive;
bootEncStatus->SetupInProgress = SetupInProgress;
bootEncStatus->SetupMode = SetupRequest.SetupMode;
bootEncStatus->TransformWaitingForIdle = TransformWaitingForIdle;
if (!BootDriveFound || !Extension)
{
bootEncStatus->DriveEncrypted = FALSE;
bootEncStatus->DriveMounted = FALSE;
bootEncStatus->VolumeHeaderPresent = FALSE;
}
else
{
bootEncStatus->DriveMounted = Extension->DriveMounted;
bootEncStatus->VolumeHeaderPresent = Extension->VolumeHeaderPresent;
bootEncStatus->DriveEncrypted = Extension->Queue.EncryptedAreaStart != -1;
bootEncStatus->BootDriveLength = BootDriveLength;
bootEncStatus->ConfiguredEncryptedAreaStart = Extension->ConfiguredEncryptedAreaStart;
bootEncStatus->ConfiguredEncryptedAreaEnd = Extension->ConfiguredEncryptedAreaEnd;
bootEncStatus->EncryptedAreaStart = Extension->Queue.EncryptedAreaStart;
if (SetupInProgress)
{
KIRQL irql;
KeAcquireSpinLock (&SetupStatusSpinLock, &irql);
bootEncStatus->EncryptedAreaEnd = SetupStatusEncryptedAreaEnd;
KeReleaseSpinLock (&SetupStatusSpinLock, irql);
}
else
bootEncStatus->EncryptedAreaEnd = Extension->Queue.EncryptedAreaEnd;
bootEncStatus->VolumeHeaderSaltCrc32 = Extension->VolumeHeaderSaltCrc32;
bootEncStatus->HibernationPreventionCount = HibernationPreventionCount;
bootEncStatus->HiddenSysLeakProtectionCount = HiddenSysLeakProtectionCount;
bootEncStatus->HiddenSystem = Extension->HiddenSystem;
if (Extension->HiddenSystem)
bootEncStatus->HiddenSystemPartitionStart = BootArgs.HiddenSystemPartitionStart;
}
irp->IoStatus.Information = sizeof (BootEncryptionStatus);
irp->IoStatus.Status = STATUS_SUCCESS;
}
}
void GetBootLoaderVersion (PIRP irp, PIO_STACK_LOCATION irpSp)
{
if (ValidateIOBufferSize (irp, sizeof (uint16), ValidateOutput))
{
if (BootArgsValid)
{
*(uint16 *) irp->AssociatedIrp.SystemBuffer = BootArgs.BootLoaderVersion;
irp->IoStatus.Information = sizeof (uint16);
irp->IoStatus.Status = STATUS_SUCCESS;
}
else
{
irp->IoStatus.Status = STATUS_INVALID_PARAMETER;
irp->IoStatus.Information = 0;
}
}
}
void GetBootEncryptionAlgorithmName (PIRP irp, PIO_STACK_LOCATION irpSp)
{
if (ValidateIOBufferSize (irp, sizeof (GetBootEncryptionAlgorithmNameRequest), ValidateOutput))
{
if (BootDriveFilterExtension && BootDriveFilterExtension->DriveMounted)
{
GetBootEncryptionAlgorithmNameRequest *request = (GetBootEncryptionAlgorithmNameRequest *) irp->AssociatedIrp.SystemBuffer;
EAGetName (request->BootEncryptionAlgorithmName, BootDriveFilterExtension->Queue.CryptoInfo->ea);
irp->IoStatus.Information = sizeof (GetBootEncryptionAlgorithmNameRequest);
irp->IoStatus.Status = STATUS_SUCCESS;
}
else
{
irp->IoStatus.Status = STATUS_INVALID_PARAMETER;
irp->IoStatus.Information = 0;
}
}
}
NTSTATUS GetSetupResult()
{
return SetupResult;
}
BOOL IsBootDriveMounted ()
{
return BootDriveFilterExtension && BootDriveFilterExtension->DriveMounted;
}
BOOL IsBootEncryptionSetupInProgress ()
{
return SetupInProgress;
}
BOOL IsHiddenSystemRunning ()
{
return BootDriveFilterExtension && BootDriveFilterExtension->HiddenSystem;
}
CRYPTO_INFO *GetSystemDriveCryptoInfo ()
{
return BootDriveFilterExtension->Queue.CryptoInfo;
}
NTSTATUS AbortBootEncryptionSetup ()
{
if (!IoIsSystemThread (PsGetCurrentThread()) && !UserCanAccessDriveDevice())
return STATUS_ACCESS_DENIED;
if (!SetupInProgress)
return STATUS_SUCCESS;
EncryptionSetupThreadAbortRequested = TRUE;
TCStopThread (EncryptionSetupThread, NULL);
return STATUS_SUCCESS;
}
static VOID DecoySystemWipeThreadProc (PVOID threadArg)
{
DriveFilterExtension *Extension = BootDriveFilterExtension;
LARGE_INTEGER offset;
UINT64_STRUCT dataUnit;
ULONG wipeBlockSize = TC_ENCRYPTION_SETUP_IO_BLOCK_SIZE;
CRYPTO_INFO *wipeCryptoInfo = NULL;
byte *wipeBuffer = NULL;
byte *wipeRandBuffer = NULL;
byte wipeRandChars[TC_WIPE_RAND_CHAR_COUNT];
size_t wipePass;
int ea = Extension->Queue.CryptoInfo->ea;
KIRQL irql;
NTSTATUS status;
DecoySystemWipeResult = STATUS_UNSUCCESSFUL;
wipeBuffer = TCalloc (TC_ENCRYPTION_SETUP_IO_BLOCK_SIZE);
if (!wipeBuffer)
{
DecoySystemWipeResult = STATUS_INSUFFICIENT_RESOURCES;
goto ret;
}
wipeRandBuffer = TCalloc (TC_ENCRYPTION_SETUP_IO_BLOCK_SIZE);
if (!wipeRandBuffer)
{
DecoySystemWipeResult = STATUS_INSUFFICIENT_RESOURCES;
goto ret;
}
wipeCryptoInfo = crypto_open();
if (!wipeCryptoInfo)
{
DecoySystemWipeResult = STATUS_INSUFFICIENT_RESOURCES;
goto ret;
}
wipeCryptoInfo->ea = ea;
wipeCryptoInfo->mode = Extension->Queue.CryptoInfo->mode;
if (EAInit (ea, WipeDecoyRequest.WipeKey, wipeCryptoInfo->ks) != ERR_SUCCESS)
{
DecoySystemWipeResult = STATUS_INVALID_PARAMETER;
goto ret;
}
memcpy (wipeCryptoInfo->k2, WipeDecoyRequest.WipeKey + EAGetKeySize (ea), EAGetKeySize (ea));
if (!EAInitMode (wipeCryptoInfo))
{
DecoySystemWipeResult = STATUS_INVALID_PARAMETER;
goto err;
}
EncryptDataUnits (wipeRandBuffer, &dataUnit, wipeBlockSize / ENCRYPTION_DATA_UNIT_SIZE, wipeCryptoInfo);
memcpy (wipeRandChars, wipeRandBuffer, sizeof (wipeRandChars));
burn (WipeDecoyRequest.WipeKey, sizeof (WipeDecoyRequest.WipeKey));
offset.QuadPart = Extension->ConfiguredEncryptedAreaStart;
Dump ("Wiping decoy system: start offset = %I64d\n", offset.QuadPart);
while (!DecoySystemWipeThreadAbortRequested)
{
if (offset.QuadPart + wipeBlockSize > Extension->ConfiguredEncryptedAreaEnd + 1)
wipeBlockSize = (ULONG) (Extension->ConfiguredEncryptedAreaEnd + 1 - offset.QuadPart);
if (offset.QuadPart > Extension->ConfiguredEncryptedAreaEnd)
break;
for (wipePass = 1; wipePass <= GetWipePassCount (WipeDecoyRequest.WipeAlgorithm); ++wipePass)
{
if (!WipeBuffer (WipeDecoyRequest.WipeAlgorithm, wipeRandChars, wipePass, wipeBuffer, wipeBlockSize))
{
dataUnit.Value = offset.QuadPart / ENCRYPTION_DATA_UNIT_SIZE;
EncryptDataUnits (wipeRandBuffer, &dataUnit, wipeBlockSize / ENCRYPTION_DATA_UNIT_SIZE, wipeCryptoInfo);
memcpy (wipeBuffer, wipeRandBuffer, wipeBlockSize);
}
while (!NT_SUCCESS (EncryptedIoQueueHoldWhenIdle (&Extension->Queue, 500)))
{
if (DecoySystemWipeThreadAbortRequested)
goto abort;
}
status = TCWriteDevice (BootDriveFilterExtension->LowerDeviceObject, wipeBuffer, offset, wipeBlockSize);
if (!NT_SUCCESS (status))
{
DecoySystemWipeResult = status;
goto err;
}
EncryptedIoQueueResumeFromHold (&Extension->Queue);
}
offset.QuadPart += wipeBlockSize;
KeAcquireSpinLock (&DecoySystemWipeStatusSpinLock, &irql);
DecoySystemWipedAreaEnd = offset.QuadPart - 1;
KeReleaseSpinLock (&DecoySystemWipeStatusSpinLock, irql);
}
abort:
DecoySystemWipeResult = STATUS_SUCCESS;
err:
if (EncryptedIoQueueIsSuspended (&Extension->Queue))
EncryptedIoQueueResumeFromHold (&Extension->Queue);
Dump ("Wipe end: DecoySystemWipedAreaEnd=%I64d (%I64d)\n", DecoySystemWipedAreaEnd, DecoySystemWipedAreaEnd / 1024 / 1024);
ret:
if (wipeCryptoInfo)
crypto_close (wipeCryptoInfo);
if (wipeRandBuffer)
TCfree (wipeRandBuffer);
if (wipeBuffer)
TCfree (wipeBuffer);
DecoySystemWipeInProgress = FALSE;
PsTerminateSystemThread (DecoySystemWipeResult);
}
NTSTATUS StartDecoySystemWipe (PDEVICE_OBJECT DeviceObject, PIRP irp, PIO_STACK_LOCATION irpSp)
{
NTSTATUS status;
WipeDecoySystemRequest *request;
if (!UserCanAccessDriveDevice())
return STATUS_ACCESS_DENIED;
if (!IsHiddenSystemRunning()
|| irpSp->Parameters.DeviceIoControl.InputBufferLength < sizeof (WipeDecoySystemRequest))
return STATUS_INVALID_PARAMETER;
if (DecoySystemWipeInProgress)
return STATUS_SUCCESS;
request = (WipeDecoySystemRequest *) irp->AssociatedIrp.SystemBuffer;
WipeDecoyRequest = *request;
burn (request->WipeKey, sizeof (request->WipeKey));
DecoySystemWipeThreadAbortRequested = FALSE;
KeInitializeSpinLock (&DecoySystemWipeStatusSpinLock);
DecoySystemWipedAreaEnd = BootDriveFilterExtension->ConfiguredEncryptedAreaStart;
DecoySystemWipeInProgress = TRUE;
status = TCStartThread (DecoySystemWipeThreadProc, DeviceObject, &DecoySystemWipeThread);
if (!NT_SUCCESS (status))
DecoySystemWipeInProgress = FALSE;
return status;
}
BOOL IsDecoySystemWipeInProgress()
{
return DecoySystemWipeInProgress;
}
void GetDecoySystemWipeStatus (PIRP irp, PIO_STACK_LOCATION irpSp)
{
if (ValidateIOBufferSize (irp, sizeof (DecoySystemWipeStatus), ValidateOutput))
{
DecoySystemWipeStatus *wipeStatus = (DecoySystemWipeStatus *) irp->AssociatedIrp.SystemBuffer;
if (!IsHiddenSystemRunning())
{
irp->IoStatus.Status = STATUS_INVALID_PARAMETER;
irp->IoStatus.Information = 0;
}
else
{
wipeStatus->WipeInProgress = DecoySystemWipeInProgress;
wipeStatus->WipeAlgorithm = WipeDecoyRequest.WipeAlgorithm;
if (DecoySystemWipeInProgress)
{
KIRQL irql;
KeAcquireSpinLock (&DecoySystemWipeStatusSpinLock, &irql);
wipeStatus->WipedAreaEnd = DecoySystemWipedAreaEnd;
KeReleaseSpinLock (&DecoySystemWipeStatusSpinLock, irql);
}
else
wipeStatus->WipedAreaEnd = DecoySystemWipedAreaEnd;
irp->IoStatus.Information = sizeof (DecoySystemWipeStatus);
irp->IoStatus.Status = STATUS_SUCCESS;
}
}
}
NTSTATUS GetDecoySystemWipeResult()
{
return DecoySystemWipeResult;
}
NTSTATUS AbortDecoySystemWipe ()
{
if (!IoIsSystemThread (PsGetCurrentThread()) && !UserCanAccessDriveDevice())
return STATUS_ACCESS_DENIED;
if (DecoySystemWipeInProgress)
{
DecoySystemWipeThreadAbortRequested = TRUE;
TCStopThread (DecoySystemWipeThread, NULL);
}
return STATUS_SUCCESS;
}
uint64 GetBootDriveLength ()
{
return BootDriveLength.QuadPart;
}
NTSTATUS WriteBootDriveSector (PIRP irp, PIO_STACK_LOCATION irpSp)
{
WriteBootDriveSectorRequest *request;
if (!UserCanAccessDriveDevice())
return STATUS_ACCESS_DENIED;
if (!BootDriveFilterExtension
|| irpSp->Parameters.DeviceIoControl.InputBufferLength < sizeof (WriteBootDriveSectorRequest))
return STATUS_INVALID_PARAMETER;
request = (WriteBootDriveSectorRequest *) irp->AssociatedIrp.SystemBuffer;
return TCWriteDevice (BootDriveFilterExtension->LowerDeviceObject, request->Data, request->Offset, sizeof (request->Data));
}
⌨️ 快捷键说明
复制代码
Ctrl + C
搜索代码
Ctrl + F
全屏模式
F11
切换主题
Ctrl + Shift + D
显示快捷键
?
增大字号
Ctrl + =
减小字号
Ctrl + -