From a21b2270e8db93d231fa0a3d60776043c9a0f9bc Mon Sep 17 00:00:00 2001 From: Mounir IDRASSI Date: Sat, 4 Dec 2021 23:55:41 +0100 Subject: Windows: Implement TESTSIGNING build configuration that allows running under Windows Vista,7, 8 and 8.1. --- src/Common/BootEncryption.cpp | 6 ++--- src/Common/BootEncryption.h | 10 -------- src/Common/Dlgcode.c | 54 +++++++++++++++++++++++++++++++++++++++++-- src/Common/Dlgcode.h | 24 +++++++++++++++++++ src/Common/Tcdefs.h | 2 ++ 5 files changed, 80 insertions(+), 16 deletions(-) (limited to 'src/Common') diff --git a/src/Common/BootEncryption.cpp b/src/Common/BootEncryption.cpp index c8fc90bf..c3ce07ab 100644 --- a/src/Common/BootEncryption.cpp +++ b/src/Common/BootEncryption.cpp @@ -2218,7 +2218,6 @@ namespace VeraCrypt #endif // !SETUP - NtQuerySystemInformationFn NtQuerySystemInformationPtr = NULL; EfiBootConf::EfiBootConf() : passwordType (0), passwordMsg ("Password: "), @@ -2510,14 +2509,13 @@ namespace VeraCrypt ULONG len; NTSTATUS res; WCHAR tempBuf[1024]; + NtQuerySystemInformationFn NtQuerySystemInformationPtr = (NtQuerySystemInformationFn) GetProcAddress (GetModuleHandle (L"ntdll.dll"), "NtQuerySystemInformation"); memset(tempBuf, 0, sizeof(tempBuf)); // Load NtQuerySystemInformation function point if (!NtQuerySystemInformationPtr) { - NtQuerySystemInformationPtr = (NtQuerySystemInformationFn) GetProcAddress (GetModuleHandle (L"ntdll.dll"), "NtQuerySystemInformation"); - if (!NtQuerySystemInformationPtr) - throw SystemException (SRC_POS); + throw SystemException (SRC_POS); } res = NtQuerySystemInformationPtr((SYSTEM_INFORMATION_CLASS)SYSPARTITIONINFORMATION, tempBuf, sizeof(tempBuf), &len); diff --git a/src/Common/BootEncryption.h b/src/Common/BootEncryption.h index decacb8b..7f5c3b16 100644 --- a/src/Common/BootEncryption.h +++ b/src/Common/BootEncryption.h 
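Review bot: The comment `// Load NtQuerySystemInformation function point` is now stale: after this change the GetProcAddress lookup happens in the new declaration line above it, and the `if (!NtQuerySystemInformationPtr)` it introduces is only the failure check, so it should read something like `// NtQuerySystemInformation could not be resolved from ntdll.dll`. Resolving the pointer on every call instead of caching it in the removed global is probably harmless here, but the same GetProcAddress line is now repeated verbatim in IsTestSigningModeEnabled in Dlgcode.c; a small shared helper returning the NtQuerySystemInformationFn (NULL on failure) would keep the lookup and its cast in one place. The enclosing function starts and ends outside the hunk.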
@@ -18,16 +18,6 @@ #include "Exception.h" #include "Platform/PlatformBase.h" #include "Volumes.h" -#include - -#define SYSPARTITIONINFORMATION 0x62 - -typedef NTSTATUS (WINAPI *NtQuerySystemInformationFn)( - SYSTEM_INFORMATION_CLASS SystemInformationClass, - PVOID SystemInformation, - ULONG SystemInformationLength, - PULONG ReturnLength -); typedef ULONG (WINAPI *RtlNtStatusToDosErrorFn)( NTSTATUS Status diff --git a/src/Common/Dlgcode.c b/src/Common/Dlgcode.c index 6462e319..049dc288 100644 --- a/src/Common/Dlgcode.c +++ b/src/Common/Dlgcode.c @@ -166,6 +166,8 @@ BOOL bHistory = FALSE; #ifndef SETUP BOOL bLanguageSetInSetup = FALSE; +#else +extern BOOL bMakePackage; #endif // Status of detection of hidden sectors (whole-system-drive encryption). 
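Review bot: `extern BOOL bMakePackage;` is declared ad hoc in Dlgcode.c rather than taken from the header that accompanies its definition (presumably in the Setup sources, which are not part of this diff), so the compiler cannot catch a mismatch if either the declaration or the definition later changes type. Prefer including that header under the `#else` branch, or at least name the defining file, e.g. `extern BOOL bMakePackage; /* defined in the Setup sources */`, so a reader knows where to look.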
@@ -3259,12 +3261,36 @@ void InitApp (HINSTANCE hInstance, wchar_t *lpszCommandLine) RemoteSession = GetSystemMetrics (SM_REMOTESESSION) != 0; +#ifndef VC_SKIP_OS_DRIVER_REQ_CHECK // OS version check: from version 1.25, only Windows XP, Windows 10 and Windows 11 are supported because of new driver signing requirements if (!(IsOSVersionAtLeast(WIN_10, 0) || (nCurrentOS == WIN_XP) || (nCurrentOS == WIN_XP64))) { MessageBoxW (NULL, GetString ("UNSUPPORTED_OS"), lpszTitle, MB_ICONSTOP); exit (1); } +#else + // in TESTSIGNING mode, we support only Windows Vista, Windows 7, Windows 8/8.1 + if ( !IsOSVersionAtLeast(WIN_VISTA, 0) +#ifndef SETUP + || IsOSVersionAtLeast(WIN_10, 0) +#else + || (IsOSVersionAtLeast(WIN_10, 0) && !bMakePackage) +#endif + ) + { + MessageBoxW (NULL, L"TESTSIGNING version of VeraCrypt targets only Windows Vista, Windows 7 and Windows 8/8.1.\n\nPlease use the standard version of VeraCrypt instead.", lpszTitle, MB_ICONSTOP); + exit (1); + } + else if ( !IsTestSigningModeEnabled() +#ifdef SETUP + && !bMakePackage +#endif + ) + { + MessageBoxW (NULL, L"Test-Signing Mode, which is required to run VeraCrypt TESTSIGNING binaries, is not enabled in Windows.\n\nExecution aborted!", lpszTitle, MB_ICONSTOP); + exit (1); + } +#endif else { // Service pack check & warnings about critical MS issues @@ -14035,7 +14061,7 @@ INT_PTR SecureDesktopDialogBoxParam( #endif -#ifdef NDEBUG +#if !defined(NDEBUG) && !defined(VC_SKIP_OS_DRIVER_REQ_CHECK) static BOOL InitializeWintrust() { if (!hWinTrustLib) @@ -14086,7 +14112,7 @@ static void FinalizeWintrust() BOOL VerifyModuleSignature (const wchar_t* path) { -#ifdef NDEBUG +#if !defined(NDEBUG) && !defined (VC_SKIP_OS_DRIVER_REQ_CHECK) BOOL bResult = FALSE; HRESULT hResult; GUID gActionID = WINTRUST_ACTION_GENERIC_VERIFY_V2; 
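Review bot: The `else` that follows the closing `#endif` attaches to a different `if` chain depending on which preprocessor branch is compiled (the single OS check in the normal build, the `else if ( !IsTestSigningModeEnabled()` chain in the TESTSIGNING build), which is easy to break when either branch is edited on its own; a comment such as `// both configurations fall through to the service-pack check below` above `#ifndef VC_SKIP_OS_DRIVER_REQ_CHECK` would make the shared tail explicit. The two new MessageBoxW calls use hard-coded English literals while the adjacent branch uses `GetString ("UNSUPPORTED_OS")`; if that is deliberate for the TESTSIGNING build, a short comment saying so would stop a later localization pass from changing it. InitApp begins and ends outside the hunk.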
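Review bot: `VC_SKIP_OS_DRIVER_REQ_CHECK` now also compiles out the WinTrust Authenticode verification in InitializeWintrust and, in the next hunk, in VerifyModuleSignature, so a TESTSIGNING release build runs without verifying module signatures, and nothing in the macro's name or at either `#if` says so. The reason is presumably that test-signed binaries would not pass the production WinTrust policy, but that should be stated where the check is disabled, e.g. `// TESTSIGNING builds are not production-signed, so module signature verification is compiled out as in debug builds`, and ideally expressed through a separately named macro derived from VC_SKIP_OS_DRIVER_REQ_CHECK in Tcdefs.h so that the OS-requirement bypass and the signature-check bypass are greppable independently. The `#else` path of VerifyModuleSignature lies outside the hunk, so what the function returns in this configuration is not visible here. The two `#if` lines also differ in spacing (`!defined(` vs `!defined (`).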
@@ -15233,3 +15259,27 @@ BOOL GetHibernateStatus (BOOL& bHibernateEnabled, BOOL& bHiberbootEnabled) return bResult; } +/* return TRUE if Windows is in Test Signing mode */ +/* ref: https://social.msdn.microsoft.com/Forums/Windowsapps/en-US/e6c1be93-7003-4594-b8e4-18ab4a75d273/detecting-testsigning-onoff-via-api */ +BOOL IsTestSigningModeEnabled () +{ + BOOL bEnabled = FALSE; + NtQuerySystemInformationFn NtQuerySystemInformationPtr = (NtQuerySystemInformationFn) GetProcAddress (GetModuleHandle (L"ntdll.dll"), "NtQuerySystemInformation"); + if(NtQuerySystemInformationPtr) + { + SYSTEM_CODEINTEGRITY_INFORMATION info = {0}; + ULONG cbReturnedData = 0; + info.Length = sizeof(info); + if ( (NtQuerySystemInformationPtr((SYSTEM_INFORMATION_CLASS) SYSTEMCODEINTEGRITYINFORMATION, &info, sizeof(info), &cbReturnedData) >= 0) + && (cbReturnedData == sizeof(info)) + ) + { + if ((info.CodeIntegrityOptions & (CODEINTEGRITY_OPTION_TESTSIGN | CODEINTEGRITY_OPTION_ENABLED)) == (CODEINTEGRITY_OPTION_TESTSIGN | CODEINTEGRITY_OPTION_ENABLED)) + { + bEnabled = TRUE; + } + } + } + + return bEnabled; +} diff --git a/src/Common/Dlgcode.h b/src/Common/Dlgcode.h index 6370c2a7..3d521a21 100644 --- a/src/Common/Dlgcode.h +++ b/src/Common/Dlgcode.h @@ -18,6 +18,7 @@ #include "Apidrvr.h" #include "Keyfiles.h" #include "Wipe.h" +#include #ifdef __cplusplus extern "C" { 
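Review bot: IsTestSigningModeEnabled returns FALSE both when Test-Signing mode is off and when the state cannot be queried at all (GetProcAddress fails, NtQuerySystemInformation returns a failure status, or cbReturnedData differs from sizeof(info)), and InitApp then tells the user that Test-Signing Mode "is not enabled", which is misleading in the failure case. At minimum the header comment should say so, e.g. `/* return TRUE if Windows is in Test Signing mode; FALSE also when the state cannot be determined */`; if the caller should distinguish the two cases, a tri-state result or an out-parameter for the error would be needed. The `>= 0` test on the returned NTSTATUS is the NT_SUCCESS condition spelled out by hand; `NT_SUCCESS(...)`, if the newly included header provides it, reads more clearly.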
@@ -250,6 +251,28 @@ typedef enum BitLockerEncryptionStatus BL_Status_Protected } BitLockerEncryptionStatus; +#ifndef CODEINTEGRITY_OPTION_ENABLED + +#define CODEINTEGRITY_OPTION_ENABLED 0x01 +#define CODEINTEGRITY_OPTION_TESTSIGN 0x02 + +typedef struct _SYSTEM_CODEINTEGRITY_INFORMATION { + ULONG Length; + ULONG CodeIntegrityOptions; +} SYSTEM_CODEINTEGRITY_INFORMATION, *PSYSTEM_CODEINTEGRITY_INFORMATION; + +#endif + +#define SYSPARTITIONINFORMATION 0x62 +#define SYSTEMCODEINTEGRITYINFORMATION 0x67 + +typedef NTSTATUS (WINAPI *NtQuerySystemInformationFn)( + SYSTEM_INFORMATION_CLASS SystemInformationClass, + PVOID SystemInformation, + ULONG SystemInformationLength, + PULONG ReturnLength +); + #define DEFAULT_VOL_CREATION_WIZARD_MODE WIZARD_MODE_FILE_CONTAINER @@ -560,6 +583,7 @@ BOOL BufferHasPattern (const unsigned char* buffer, size_t bufferLen, const void BOOL EnableProcessProtection(); void SafeOpenURL (LPCWSTR szUrl); BitLockerEncryptionStatus GetBitLockerEncryptionStatus(WCHAR driveLetter); +BOOL IsTestSigningModeEnabled (); #ifdef _WIN64 void GetAppRandomSeed (unsigned char* pbRandSeed, size_t cbRandSeed); #endif diff --git a/src/Common/Tcdefs.h b/src/Common/Tcdefs.h index d7dc73d2..d25bf7d5 100644 --- a/src/Common/Tcdefs.h +++ b/src/Common/Tcdefs.h @@ -59,6 +59,8 @@ extern unsigned short _rotl16(unsigned short value, unsigned char shift); #ifdef VC_EFI_CUSTOM_MODE #define VERSION_STRING_SUFFIX "-CustomEFI" +#elif defined(VC_SKIP_OS_DRIVER_REQ_CHECK) +#define VERSION_STRING_SUFFIX "-TESTSIGNING" #else #define VERSION_STRING_SUFFIX "" #endif -- cgit v1.2.3
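Review bot: `SYSPARTITIONINFORMATION 0x62` and `SYSTEMCODEINTEGRITYINFORMATION 0x67` are bare SYSTEM_INFORMATION_CLASS values with no indication of what they name; a comment giving the enumerator each stands for, `/* SystemPartitionInformation */` and `/* SystemCodeIntegrityInformation */`, would let a reader cross-check them against the NtQuerySystemInformation documentation, which describes SystemCodeIntegrityInformation and the SYSTEM_CODEINTEGRITY_INFORMATION layout reproduced here. The `#ifndef CODEINTEGRITY_OPTION_ENABLED` guard covers only the two flag macros and the struct, while the project-named class macros and the `NtQuerySystemInformationFn` typedef sit outside it; that is correct, but a one-line comment noting that the guard is keyed on whether the SDK already defines CODEINTEGRITY_OPTION_ENABLED would explain why only part of the block is conditional.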