09:51 DiabloHorn
I’ve written a couple of times on the subject of boot loaders and full disk encryption, but I haven’t really explored it in more detail. With this blog post I hope to dive a bit deeper into how to actually start performing this type of analysis and why it is useful to perform. I’ll start with the usefulness first and then go into the part on how to do it, but will not be fully reversing a disk encryption boot loader. I won’t be doing a lot of hard-core reversing like finding vulnerabilities within the cryptographic operations or reversing custom filesystem implementations, but hopefully I will provide enough information to get started in the area of reversing unknown boot loaders. The approaches and techniques described in this blog post are most useful when applied to full disk encryption (FDE) solutions that are configured to not require pre-boot authentication, the reason being that you then could potentially obtain the disk decryption key. If the solution requires pre-boot authentication, the information that you can obtain might be reduced to meta-data or ‘deleted’ files. Which brings us to the question: why is this type of analysis useful? Based on the above list of items we can pretty much conclude that analysing FDE solutions is useful from an offensive as well as from a defensive point of view. It can either help us to breach a target network or obtain sensitive information, as well as collect forensic evidence or aid us in understanding the specific cryptographic implementation to enable us to decrypt the disk and analyse it. The helper tools I’ve used in this blog post can be found here.

Keep on reading if you want to know the rest of all the details and the process I usually follow. I’ll try to describe the following steps:

The other reason to use DiskCryptor is the fact that it is open source, thus enabling people that want to get started with this type of stuff to more easily understand difficult snippets of assembly. My personal approach to a lot of reversing challenges usually revolves around finding a similar open source variant first, or finding the open source components used in the proprietary solution if applicable, the reason being that it makes your life a lot easier to understand not only general concepts, but also specific code quirks. A very nice explanation on finding as much information as possible before you start reversing is given by Alex Ionescu in his OffensiveCon keynote ‘Reversing without reversing’.

The magical ‘in memory execution’ option of meterpreter is of course one of the better options that we as attackers love to use. However, if you want to store ‘random files’ in memory or need to execute more complex applications which contain dependencies on other files, there is no ‘in memory’ option for that as far as I know. To be more specific, on Linux you can do it with built-in commands; on Windows you need to install third party software (list of RAM drive software). I decided to dig into it and see if I could achieve this through a meterpreter session.

The reasons for wanting a RAM disk are multiple, if you are still wondering:

The first reason allows me to better understand the under the hood stuff, the second reason allows me to use it on Windows versions that require a signed driver. The first thing I tried was to use the bundled tools, but it seems that the command line interface has a dependency on the control panel DLL file. I tried a quick recompile, but then I thought, why not code my own version? The original version includes, amongst other things, the ability to load and save the RAM disk as an image file, and for the moment I won’t be needing that functionality, so I decided to code my own reduced functionality version of the original client. It would have been easier to just use the original client, but this was more fun and taught me a thing or two about driver communication. The original source code was very, very clear, which made it a breeze to hack together some code to talk to the driver. I still need to add way more error handling, but for now it does the job and you can use it through meterpreter. Be aware of the fact that it still leaves traces on the regular hard disk, as explained in this blog. A short overview of the traces left behind:

For me the benefits of having an easy way to execute multiple files from memory outweigh the above mentioned forensic artefacts. In addition it becomes more difficult to retrieve the original files, unless the incident response team creates a memory image or has access to a pre-installed host agent which retrieves the files from the RAM disk. Let’s get practical; here is how to use it through a meterpreter session (I won’t go into details on how to obtain the meterpreter session):

Lately I’ve had to deal with setups which had transparent full disk encryption and were pretty hardened. If you are wondering what ‘transparent full disk encryption’ means, that’s how I call solutions that encrypt your hard disk, but don’t require any interaction from the user to boot into the operating system. They usually accomplish this because they:

Partially, because most of the options were not present and those that were present only gave me a cmd.exe which was disabled with a local group policy. An interesting approach the defence side took was replacing explorer.exe with an executable which did nothing. Even if you managed to break out of their application you still had nothing: no desktop, no menu, no buttons, etc. For a few setups where the ‘startup-repair’ options seemed to work, the encryption drivers did not load, resulting in an environment with no access to the target disk. In case you were wondering about network attacks, those were a no go as well, since the firewalls were strictly configured for ingress and egress traffic based on IP/port/application, and yes, the connections themselves used TLS with client certificates and were not vulnerable to man in the middle attacks. Usually when I encounter these environments it is still possible to perform a variety of direct memory access (DMA) attacks using tools like Inception or PCILeech. In these cases however this was physically not possible, either because there were no DMA ports available or just because I didn’t have the correct hardware with me to perform the attacks. A common issue with all those setups however was the fact that the disk encryption software did not seal the encryption keys to a hardware security device like a TPM. This enables an attacker to create an image from the hard disk and boot this image on another computer. If the attacker also got hold of the enclosure (USB key, smart card, obfuscated algorithm, unencrypted partition) holding the encryption keys, it becomes possible to boot the disk image and fully control the victim disk in an untrusted environment.

There are solutions available that probably would enable you to achieve the same result, but for my personal taste I prefer to have something much more lightweight that can be easily ported between QEMU versions. Additionally you could also achieve the same result with the quick & dirty approach of booting the image in VMware, pausing the machine, editing the memory file and resuming the machine. However I prefer QEMU since it allows full control over the entire process, due to the built-in GDB server as well as customising the inner workings by editing/adding code and recompiling it. The following existing projects already wrap QEMU with cool and handy features if you want to use this type of setup to analyse malware or other applications:
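The QEMU route above works through its GDB server, which speaks the GDB remote serial protocol (RSP). As an added example, not code from DiabloHorn’s posts or tools, here is a minimal Python client that reads and writes guest memory of a qemu-system VM started with `-s -S` (stub listening on 127.0.0.1:1234, guest halted at start). It implements only the `m`/`M` memory commands; the class name, the port default and the sample addresses are my own assumptions.

```python
import socket
def rsp_checksum(payload: bytes) -> int:
    """RSP checksum: sum of the payload bytes modulo 256."""
    return sum(payload) % 256

def rsp_frame(payload: bytes) -> bytes:
    """Wrap a command as '$' + payload + '#' + two hex checksum digits."""
    return b"$" + payload + b"#" + b"%02x" % rsp_checksum(payload)

def rsp_unframe(raw: bytes) -> bytes:
    """Strip the stub's ack ('+') and framing, verifying the checksum."""
    raw = raw.lstrip(b"+-")
    if not raw.startswith(b"$") or raw[-3:-2] != b"#":
        raise ValueError("malformed RSP packet: %r" % raw)
    payload, expected = raw[1:-3], int(raw[-2:], 16)
    if rsp_checksum(payload) != expected:
        raise ValueError("RSP checksum mismatch")
    return payload

def mem_read_cmd(addr: int, length: int) -> bytes:
    return b"m%x,%x" % (addr, length)              # reply: hex-encoded bytes

def mem_write_cmd(addr: int, data: bytes) -> bytes:
    return b"M%x,%x:" % (addr, len(data)) + data.hex().encode()  # reply: OK/Exx

def parse_mem_reply(payload: bytes) -> bytes:
    """Decode an 'm' reply; 'Exx' means the stub refused (e.g. unmapped)."""
    if len(payload) == 3 and payload.startswith(b"E"):
        raise RuntimeError("gdbstub error " + payload.decode())
    return bytes.fromhex(payload.decode())

class QemuGdbStub:
    """Blocking TCP client for qemu-system-* started with '-s -S'."""
    def __init__(self, host="127.0.0.1", port=1234):   # assumed default port
        self.sock = socket.create_connection((host, port))
    def exchange(self, cmd: bytes) -> bytes:
        self.sock.sendall(rsp_frame(cmd))
        buf = b""
        while b"#" not in buf[:-2]:          # need '#' plus two checksum digits
            chunk = self.sock.recv(4096)
            if not chunk:
                raise ConnectionError("gdbstub closed the connection")
            buf += chunk
        self.sock.sendall(b"+")              # ack the reply, as gdb does
        return rsp_unframe(buf)
    def read(self, addr: int, length: int) -> bytes:
        return parse_mem_reply(self.exchange(mem_read_cmd(addr, length)))
    def write(self, addr: int, data: bytes) -> None:
        if self.exchange(mem_write_cmd(addr, data)) != b"OK":
            raise RuntimeError("guest memory write rejected")
```

With the VM halted, `QemuGdbStub().read(0x7c00, 512)` returns the boot sector as loaded by the guest, and `write()` patches guest memory in place before you continue execution from gdb or the QEMU monitor.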