Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
BitLocker detect
#define BITLOCKER_SIGNATURE "-FVE-FS-"
#define BITLOCKER_SIGNATURE_SIZE sizeof(BITLOCKER_SIGNATURE)
#pragma pack(push,1)
typedef struct _FVEFS_BOOT_RECORD {
BYTE JumpCode[3]; //+0x0
BYTE Signature[8]; //+0x3
WORD SectorSize; //+0xB
BYTE SectorsPerCluster; //+0xD
WORD ReservedClusters; //+0xE
BYTE FatCount; //+0x10
WORD RootEntries; //+0x11
WORD Reserved1; //+0x13
BYTE MediaDescriptor; //+0x15
WORD SectorsPerFat; //+0x16
WORD SectorsPerTrack; //+0x18
WORD NumberOfHeads; //+0x1A
DWORD HiddenSectors; //+0x1C
DWORD Reserved2; //+0x20
BYTE Reserved3[4]; //+0x24
UINT64 Reserved4; //+0x28
UINT64 MFTStartCluster; //+0x30
union { //+0x38
UINT64 MetaDataLcn;
UINT64 MftMirror;
};
//incomplete
} FVEFS_BOOT_RECORD, *PFVEFS_BOOT_RECORD;
#pragma pack(pop)
/*
* supIsBitLockerVolume
*
* Purpose:
*
* Detect if the given volume is BitLocker encrypted.
*
* Remarks:
*
* Elevation required.
*
*/
BOOL supIsBitLockerVolume(
_In_ LPWSTR lpVolume
)
{
BOOL bResult = FALSE, bIoCtl = FALSE, bCond = FALSE;
HANDLE hVolume = NULL, hDisk = NULL;
DWORD BytesNeeded = 0;
NTSTATUS Status;
OBJECT_ATTRIBUTES Obja;
IO_STATUS_BLOCK IoSB;
UNICODE_STRING uStr;
PFVEFS_BOOT_RECORD BootRecord;
PVOLUME_DISK_EXTENTS VDExt;
BYTE DataBuffer[512];
WCHAR szPhysicalDrive[100];
PBYTE DiskData = NULL;
DWORD DiskDataSize = 0, c = 0, LastError = 0;
LARGE_INTEGER ByteOffset;
do {
//
// Open volume.
//
uStr.Buffer = NULL;
RtlInitUnicodeString(&uStr, lpVolume);
InitializeObjectAttributes(&Obja, &uStr, OBJ_CASE_INSENSITIVE, NULL, NULL);
Status = NtCreateFile(&hVolume,
GENERIC_READ | SYNCHRONIZE,
&Obja,
&IoSB,
NULL,
0,
FILE_SHARE_READ | FILE_SHARE_WRITE,
FILE_OPEN,
FILE_SYNCHRONOUS_IO_NONALERT | FILE_NON_DIRECTORY_FILE,
NULL,
0);
if (!NT_SUCCESS(Status))
break;
//
// Query volume offset.
//
DiskDataSize = 4096;
do {
DiskData = RtlAllocateHeap(NtCurrentPeb()->ProcessHeap,
HEAP_ZERO_MEMORY, DiskDataSize);
if (DiskData == NULL)
break;
DeviceIoControl(hVolume, IOCTL_VOLUME_GET_VOLUME_DISK_EXTENTS,
NULL,
0,
DiskData,
DiskDataSize,
&BytesNeeded,
NULL);
LastError = GetLastError();
if (LastError == ERROR_MORE_DATA) {
RtlFreeHeap(NtCurrentPeb()->ProcessHeap,
0,
DiskData);
DiskData = NULL;
DiskDataSize *= 2;
c++;
if (c > 5)
break;
}
} while (LastError == ERROR_MORE_DATA);
NtClose(hVolume);
hVolume = NULL;
if (DiskData == NULL)
break;
//
// Open disk as physical device.
//
VDExt = (PVOLUME_DISK_EXTENTS)DiskData;
_strcpy(szPhysicalDrive, L"\\??\\PhysicalDrive");
ultostr(VDExt->Extents[0].DiskNumber, _strend(szPhysicalDrive));
ByteOffset = VDExt->Extents[0].StartingOffset;
uStr.Buffer = NULL;
RtlInitUnicodeString(&uStr, szPhysicalDrive);
InitializeObjectAttributes(&Obja, &uStr, OBJ_CASE_INSENSITIVE, NULL, NULL);
Status = NtCreateFile(&hDisk,
GENERIC_READ | SYNCHRONIZE,
&Obja,
&IoSB,
NULL,
0,
FILE_SHARE_READ | FILE_SHARE_WRITE,
FILE_OPEN,
FILE_SYNCHRONOUS_IO_NONALERT | FILE_NON_DIRECTORY_FILE,
NULL,
0);
if (!NT_SUCCESS(Status))
break;
//
// Read Volume boot record.
//
Status = NtReadFile(hDisk,
NULL,
NULL,
NULL,
&IoSB,
DataBuffer,
sizeof(DataBuffer),
&ByteOffset,
NULL);
NtClose(hDisk);
hDisk = NULL;
if (!NT_SUCCESS(Status))
break;
BootRecord = (PFVEFS_BOOT_RECORD)DataBuffer;
//
// Is BitLocker volume?
//
bResult = (_strncmpi_a(BootRecord->Signature,
BITLOCKER_SIGNATURE,
BITLOCKER_SIGNATURE_SIZE) == 0);
} while (bCond);
if (hVolume != NULL) NtClose(hVolume);
if (hDisk != NULL) NtClose(hDisk);
if (DiskData != NULL)
RtlFreeHeap(NtCurrentPeb()->ProcessHeap, 0, DiskData);
return bResult;
}
void main()
{
LPWSTR lpSystemRoot, lpVolume;
WCHAR szVolume[MAX_PATH * 2];
RtlSecureZeroMemory(szVolume, sizeof(szVolume));
lpSystemRoot = (LPWSTR)&USER_SHARED_DATA->NtSystemRoot;
_strcpy(szVolume, L"\\??\\");
lpVolume = _strend(szVolume);
while (*lpSystemRoot != 0) {
if (*lpSystemRoot == L'\\')
break;
*lpVolume = *lpSystemRoot;
lpVolume++;
lpSystemRoot++;
}
if (supIsBitLockerVolume(szVolume))
MessageBox(GetDesktopWindow(), TEXT("Volume is Bitlocker encrypted"), szVolume, MB_OK);
ExitProcess(0);
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment