
TrueCrypt Patched



File Name: TrueCrypt Patched
File Submitter: joakim
File Submitted: 06 Apr 2014
File Category: Security

Intro
This patched TrueCrypt version (experimental) can mount containers from arbitrary file offsets. The container can consist of a range of bytes, instead of the whole file or the rest of the file. That means TrueCrypt volumes can now be stuffed inside other file formats, reducing the chances of detection. The patch is based on the latest version, 7.1a.

The original version can only mount from offset 0, and uses the whole file as the container.

What we have achieved with this patch is to add a layer of steganography to the TrueCrypt puzzle. For the extremely paranoid, this may seem appealing, especially when combined with hidden volumes (outer/inner).

How to use
First you must create a container and put it into another file (preferably with a hex editor). See "Creating container" below.
The patched functionality can only be accessed in command-line mode, and is not available in the GUI.

The /i switch specifies the offset.
The /j switch specifies the length in bytes.

That means you can directly access a TrueCrypt disk hidden somewhere within another file. The original file format may be preserved as valid in certain scenarios, as the example below shows.

All other functionality is described in the official TrueCrypt documentation, and not here.

Example command line
truecrypt.exe /v "%CD%\sample-container\truecrypt-x64.sys" /lx /a /p joakim /i 231936 /j 299008
The above command uses the original 64-bit TrueCrypt driver as the container; the encrypted volume is held within its Authenticode signature. The password is joakim, the mount point is X:, the offset is 231936 and the size of the container is 299008 bytes. Mounting it with the above command gives you the patched source files. After the source files are retrieved and the volume dismounted, verify that the digital signature is still valid. It just uses a cool trick.
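As an added illustration of what the Authenticode trick relies on, and of how a defender can check a binary for it (this is example code written for this page, not code from the original post or from the patch): the Authenticode hash covers the executable but excludes the Attribute Certificate Table, so bytes placed after the PKCS#7 blob inside a WIN_CERTIFICATE entry do not invalidate the signature. The Python below locates the certificate table from the PE headers, measures how much data follows the DER-encoded signature blob, reports that data's entropy, and checks whether it starts on a sector boundary, the alignment the patch requires. The minimal PE32+ image, the 512-byte sector size and the SHA-256-derived stand-in for an encrypted container are all constructed for this example; nothing in it is a real signature.

```python
import hashlib
import math
import struct
from collections import Counter

SECTOR_SIZE = 512  # assumed sector size for the alignment check; the patch needs sector-aligned offsets

def der_total_length(blob):
    """Bytes occupied by the outermost DER element in blob (tag + length field + content)."""
    if len(blob) < 2 or blob[0] != 0x30:
        raise ValueError("certificate blob does not start with a DER SEQUENCE")
    first = blob[1]
    if first < 0x80:                  # short-form length
        return 2 + first
    n = first & 0x7F                  # long form: the next n bytes hold the length
    if n == 0 or n > 4 or len(blob) < 2 + n:
        raise ValueError("unsupported DER length encoding")
    return 2 + n + int.from_bytes(blob[2:2 + n], "big")

def shannon_entropy(data):
    """Entropy in bits per byte; encrypted or compressed data sits close to 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def security_directory(pe):
    """(file offset, size) of the Attribute Certificate Table, read from the PE headers."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = e_lfanew + 24               # 4-byte signature + 20-byte COFF file header
    magic = struct.unpack_from("<H", pe, opt)[0]
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic")
    dirs = opt + (96 if magic == 0x10B else 112)   # data directories start here for PE32 / PE32+
    # Directory 4 is the security directory; unlike the others its first field is a file offset, not an RVA.
    return struct.unpack_from("<II", pe, dirs + 4 * 8)

def audit_certificate_table(pe):
    """One finding per WIN_CERTIFICATE entry describing the bytes that follow its PKCS#7 blob."""
    off, size = security_directory(pe)
    end = off + size
    findings = []
    while off + 8 <= end:
        dw_length, _revision, _cert_type = struct.unpack_from("<IHH", pe, off)
        if dw_length < 8 or off + dw_length > end:
            raise ValueError("WIN_CERTIFICATE length out of bounds")
        body = pe[off + 8:off + dw_length]
        der_len = der_total_length(body)
        slack = body[der_len:]
        payload_offset = off + 8 + der_len
        findings.append({
            "der_length": der_len,
            "slack_bytes": len(slack),
            "slack_entropy": round(shannon_entropy(slack), 2),
            "payload_offset": payload_offset,
            "sector_aligned": payload_offset % SECTOR_SIZE == 0,
            "suspicious": len(slack) > 7,   # at most 7 bytes are ever needed for 8-byte alignment padding
        })
        off += (dw_length + 7) & ~7   # entries are 8-byte aligned
    return findings

def constructed_payload(n_blocks=128):
    """SHA-256 digests of the block index, standing in for an encrypted container (constructed test data)."""
    return b"".join(hashlib.sha256(bytes([i])).digest() for i in range(n_blocks))

def build_sample_pe(payload):
    """Constructed test data: a minimal PE32+ header set (not runnable code) whose certificate table
    holds a tiny fake DER SEQUENCE followed by payload. Nothing here is a real signature."""
    fake_der = b"\x30\x06\x04\x04\xAB\xCD\xEF\x01"   # SEQUENCE { OCTET STRING AB CD EF 01 }
    e_lfanew = 0x80
    opt_size = 112 + 16 * 8                          # PE32+ fixed fields + 16 data directories
    cert_off = 2 * SECTOR_SIZE - 8 - len(fake_der)   # chosen so the payload lands on a sector boundary
    dw_length = 8 + len(fake_der) + len(payload)
    dir_size = (dw_length + 7) & ~7
    pe = bytearray(cert_off + dir_size)
    pe[0:2] = b"MZ"
    struct.pack_into("<I", pe, 0x3C, e_lfanew)
    pe[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", pe, e_lfanew + 4, 0x8664, 0, 0, 0, 0, opt_size, 0x22)   # COFF header
    opt = e_lfanew + 24
    struct.pack_into("<H", pe, opt, 0x20B)            # PE32+ magic
    struct.pack_into("<I", pe, opt + 108, 16)         # NumberOfRvaAndSizes
    struct.pack_into("<II", pe, opt + 112 + 4 * 8, cert_off, dir_size)   # security directory entry
    struct.pack_into("<IHH", pe, cert_off, dw_length, 0x0200, 0x0002)   # WIN_CERTIFICATE header
    body_off = cert_off + 8
    pe[body_off:body_off + len(fake_der)] = fake_der
    pe[body_off + len(fake_der):body_off + len(fake_der) + len(payload)] = payload
    return bytes(pe)

if __name__ == "__main__":
    for label, payload in (("clean", b""), ("stuffed", constructed_payload())):
        for finding in audit_certificate_table(build_sample_pe(payload)):
            print(label, finding)
```

Against a real signed binary, read the file into bytes and call audit_certificate_table on it: a legitimate signature leaves at most a few bytes of alignment padding after the DER blob, while a stuffed one shows a large run with entropy close to 8.0. Checking the signature with the operating system alone cannot reveal this, because the region is outside what the signature hashes; a format-aware scanner has to measure it directly.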

Another nice file format to play with is MP3. Here's an example I made based on one of the default sample music files installed by Windows:
http://www.mediafire.com/listen/ad0j2zurk00biyb/Kalimba.mp3
The injected container has 2 volumes, one standard and one hidden. The standard volume has the password "mikaoj" (without quotes). Mount the hidden volume with this command:
truecrypt.exe /v "%CD%\Kalimba.mp3" /lx /a /p joakim /i 4307968 /j 2097152
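The corresponding check for the MP3 case, added here as an example and not part of the original post: a reader that walks MPEG audio frames, skips a leading ID3v2 tag and a trailing ID3v1 tag, and reports every byte run that is neither a tag nor a frame. Decoders resynchronise past such a run, which is why the host file still plays, but a frame walker sees it immediately. The bitrate tables cover MPEG-1 only (an assumption made to keep the example short; MPEG-2/2.5 headers are treated as non-frame data), and since Kalimba.mp3 is not available here the walker runs on a constructed file of silent frames with a run of foreign bytes between them.

```python
# MPEG-1 bitrates in kbit/s, keyed by the header's layer bits (3 = Layer I, 2 = Layer II, 1 = Layer III).
BITRATES_MPEG1 = {
    3: [0, 32, 64, 96, 128, 160, 192, 224, 256, 288, 320, 352, 384, 416, 448],
    2: [0, 32, 48, 56, 64, 80, 96, 112, 128, 160, 192, 224, 256, 320, 384],
    1: [0, 32, 40, 48, 56, 64, 80, 96, 112, 128, 160, 192, 224, 256, 320],
}
SAMPLE_RATES_MPEG1 = [44100, 48000, 32000]

def frame_length(hdr):
    """Byte length of the MPEG-1 audio frame whose 4-byte header is hdr, or None if hdr is not a valid header.
    MPEG-2 and MPEG-2.5 headers are treated as invalid (an assumption that keeps the tables short)."""
    if len(hdr) < 4 or hdr[0] != 0xFF or (hdr[1] & 0xE0) != 0xE0:   # 11-bit frame sync
        return None
    version = (hdr[1] >> 3) & 3        # 3 = MPEG-1
    layer = (hdr[1] >> 1) & 3          # 0 = reserved
    br_idx = hdr[2] >> 4               # 0 = free format, 15 = reserved
    sr_idx = (hdr[2] >> 2) & 3         # 3 = reserved
    padding = (hdr[2] >> 1) & 1
    if version != 3 or layer == 0 or br_idx in (0, 15) or sr_idx == 3:
        return None
    bitrate = BITRATES_MPEG1[layer][br_idx] * 1000
    rate = SAMPLE_RATES_MPEG1[sr_idx]
    if layer == 3:                     # Layer I: 384 samples per frame, 4-byte slots
        return (12 * bitrate // rate + padding) * 4
    return 144 * bitrate // rate + padding   # Layers II and III: 1152 samples per frame

def frame_at(data, pos, end, in_sync):
    """Length of an acceptable frame at pos, else None. While in sync a valid header is enough; when resyncing
    after foreign bytes the following header must also be valid, so a chance sync pattern inside
    ciphertext-like data is not mistaken for a frame."""
    n = frame_length(data[pos:pos + 4])
    if n is None or pos + n > end:
        return None
    if in_sync or pos + n == end or frame_length(data[pos + n:pos + n + 4]) is not None:
        return n
    return None

def find_non_frame_gaps(data):
    """Walk the file frame by frame, skipping a leading ID3v2 tag and a trailing ID3v1 tag, and return
    [(offset, length)] for every byte run that is neither a tag nor an accepted frame."""
    pos = 0
    if data[:3] == b"ID3" and len(data) >= 10:
        size = 0
        for b in data[6:10]:           # syncsafe integer: 7 payload bits per byte
            size = (size << 7) | (b & 0x7F)
        pos = 10 + size
    end = len(data)
    if end - pos >= 128 and data[end - 128:end - 125] == b"TAG":
        end -= 128
    gaps, gap_start, in_sync = [], None, False
    while pos < end:
        n = frame_at(data, pos, end, in_sync)
        if n is None:
            if gap_start is None:
                gap_start = pos
            pos += 1
            in_sync = False
            continue
        if gap_start is not None:
            gaps.append((gap_start, pos - gap_start))
            gap_start = None
        pos += n
        in_sync = True
    if gap_start is not None:
        gaps.append((gap_start, end - gap_start))
    return gaps

def constructed_mp3(frames_before, foreign, frames_after):
    """Constructed sample: silent MPEG-1 Layer III frames (128 kbit/s, 44.1 kHz, 417 bytes each) with a run
    of foreign bytes between them and an empty ID3v1 tag at the end."""
    frame = b"\xFF\xFB\x90\x00" + b"\x00" * 413
    return frame * frames_before + foreign + frame * frames_after + b"TAG" + b"\x00" * 125

if __name__ == "__main__":
    # 4080 constructed bytes that contain no 0xFF, so they cannot accidentally form a frame sync
    sample = constructed_mp3(20, bytes(range(255)) * 16, 5)
    for offset, length in find_non_frame_gaps(sample):
        print(f"non-frame data at offset {offset}, {length} bytes")
```

Each reported gap is a candidate (offset, length) pair for the entropy check described with the PE example; a gap of several megabytes of near-8.0-entropy data in the middle of an otherwise well-formed MP3 is exactly the footprint the injected container leaves, and a gap that starts on a sector boundary is consistent with the patch's alignment limitation.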
Note
On 64-bit systems you must enable testsigning mode to use it. On 32-bit it is fine though.
On the first mount operation, the volume must be formatted. On subsequent mounts, the volume mounts just fine.
It has not been extensively tested, so expect there to be bugs.

Limitation
The file offset must be a multiple of the sector size.
Does not (yet) support accessing arbitrary offsets on partitions/volumes.

Tested on Windows 7 SP1 32-bit and 64-bit.

Thanks to tateu for letting me look at the patch to ntvol.c that he made back in 2006. That helped.

Creating container
The procedure for creating containers suited to this patched version goes something like this:
  • Create a base container as you normally would, and specify size, encryption, password etc.
  • Find a new host file, appropriate for hiding the base container.
  • Modify the new host file with a hex editor or other suitable tool, injecting the base container at an appropriate offset. This step of course requires some knowledge of the file format specification of the new host file.
  • Take note of the offset at which the base container is written.
  • Take note of the size of the base container.
  • Now you are ready to mount the super hidden container.
  • Since Windows will not detect the filesystem on the very first mount of this hidden container, you must let Windows format the volume. Now all the hard work is done.
  • Verify that it works by writing files to the volume. Dismount the volume and remount it. Check that the files are still there.
  • Check that the original file format of the new host file is still valid.
Step 3 might be the most difficult part here. For the example I had to modify the output of my DigitalSignatureTweaker tool, since it does not write its payload at sector-size alignment within the executable. An easy approach would in most cases be to just put the container at the end of the file, but that would be easy to detect.

The steps for handling hidden volumes are similar, except that both the outer and the inner volume need to be re-formatted on the first mount. However, the concept of hidden volumes still works.

Building
This package was built with VS2010. Building the solution required quite a bit of work. I believe I got the setup instructions from:
http://stackoverflow.com/questions/13379644/how-do-i-build-truecrypt-on-windows
However, I ran into a number of issues.
  • The driver build script, BuildDriver.cmd, needs modification to specify your own certificate to sign with.
  • A .NET framework update messed things up, requiring a rename of all found cvtres.exe within the Visual Studio install path.
  • Getting the 3rd party dependencies correct was not easy either.
  • I think there was more, but because a year has passed since the actual patch was made, most of it is forgotten.

