5/18/2023 Veracrypt delete volume

If (NT_SUCCESS (ZwOpenSymbolicLinkObject (

The bug which allows you to bypass this is due to the use of the NT_SUCCESS macro. This means that any error opening the symbolic link will cause the drive letter to be assumed to not exist. If we can cause the open to fail in any way then we can bypass this check and mount the volume over an existing drive letter.

This is possible because with terminal services support the \DosDevices path points to a special fake path \?? which first maps to a per-user writable location (under \Sessions\0\DosDevices) before falling back to \GLOBAL??. When the kernel creates a new object under \?? it creates it in the per-user location instead, so there's no conflict with a drive symbolic link in \GLOBAL??.

So how to bypass the check? The simplest trick is to just create any other type of object with that name, such as an object directory. This will cause ZwOpenSymbolicLinkObject to fail with STATUS_OBJECT_TYPE_MISMATCH, passing the check.

This in itself would only cause problems for the current user if it wasn't for the fact that there exists a way of replacing the current process's device map directory using the NtSetInformationProcess system call. You can set any object directory to this which allows you DIRECTORY_TRAVERSE privilege, which is pretty much anything. In particular we can set the \GLOBAL?? directory itself.

So to exploit this and remap the C: drive to the truecrypt volume we do the following:
1) Set the current process's device map to a new object directory. Create a new object called C: inside the device map directory.
2) Mount a volume (not using the mount manager) and request the C: drive mapping.
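The root cause above is a fail-open check: a single success test on the open means every error path, including a type mismatch on a same-named object, is read as "drive letter free". The following C is an added illustration, not TrueCrypt or VeraCrypt code. It models that check next to a fail-closed variant in which only STATUS_OBJECT_NAME_NOT_FOUND counts as "free" and any other failure is treated as "in use". The device map and the `sim_open_symbolic_link` lookup are a constructed stand-in for the kernel's object manager; the NTSTATUS values and the NT_SUCCESS definition are the real ones.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* NTSTATUS is a 32-bit signed value; NT_SUCCESS is true for any non-negative status. */
typedef int32_t NTSTATUS;
#define NT_SUCCESS(s) (((NTSTATUS)(s)) >= 0)

/* Real values from ntstatus.h */
#define STATUS_SUCCESS               ((NTSTATUS)0x00000000)
#define STATUS_OBJECT_TYPE_MISMATCH  ((NTSTATUS)0xC0000024)
#define STATUS_OBJECT_NAME_NOT_FOUND ((NTSTATUS)0xC0000034)

enum obj_type { OBJ_SYMLINK, OBJ_DIRECTORY };

/* Constructed stand-in for a per-process device map: named objects with a type. */
struct device_map_entry { const char *name; enum obj_type type; };

/* Simulated ZwOpenSymbolicLinkObject (hypothetical helper): the open succeeds only
 * when the name resolves to a symbolic link; a same-named object of another type
 * yields STATUS_OBJECT_TYPE_MISMATCH, and an absent name STATUS_OBJECT_NAME_NOT_FOUND. */
NTSTATUS sim_open_symbolic_link(const struct device_map_entry *map, size_t n,
                                const char *name) {
    for (size_t i = 0; i < n; i++) {
        if (strcmp(map[i].name, name) == 0)
            return map[i].type == OBJ_SYMLINK ? STATUS_SUCCESS
                                              : STATUS_OBJECT_TYPE_MISMATCH;
    }
    return STATUS_OBJECT_NAME_NOT_FOUND;
}

/* Fail-open shape (the bug described above): if the open did not succeed, for
 * whatever reason, the letter is assumed free. Returns 1 for "available". */
int drive_letter_available_fail_open(NTSTATUS open_status) {
    if (NT_SUCCESS(open_status))
        return 0;                 /* link exists: letter in use */
    return 1;                     /* any error at all: assumed free */
}

/* Fail-closed shape: only the status that positively means "no object of that
 * name" is accepted as free; a type mismatch or any other error is "in use". */
int drive_letter_available_fail_closed(NTSTATUS open_status) {
    if (NT_SUCCESS(open_status))
        return 0;
    if (open_status == STATUS_OBJECT_NAME_NOT_FOUND)
        return 1;
    return 0;                     /* unexpected status: refuse, do not assume free */
}

int main(void) {
    /* Scenario A: C: is a real symbolic link, as on a normal system. */
    struct device_map_entry normal[] = { { "C:", OBJ_SYMLINK } };
    /* Scenario B: C: is an object directory with the same name (constructed). */
    struct device_map_entry mismatch[] = { { "C:", OBJ_DIRECTORY } };
    /* Scenario C: no C: object at all. */
    struct device_map_entry empty[1];

    NTSTATUS a = sim_open_symbolic_link(normal, 1, "C:");
    NTSTATUS b = sim_open_symbolic_link(mismatch, 1, "C:");
    NTSTATUS c = sim_open_symbolic_link(empty, 0, "C:");

    printf("symlink present : fail-open=%d fail-closed=%d\n",
           drive_letter_available_fail_open(a), drive_letter_available_fail_closed(a));
    printf("type mismatch   : fail-open=%d fail-closed=%d\n",
           drive_letter_available_fail_open(b), drive_letter_available_fail_closed(b));
    printf("name not found  : fail-open=%d fail-closed=%d\n",
           drive_letter_available_fail_open(c), drive_letter_available_fail_closed(c));
    return 0;
}
```

The middle row is the whole story: the fail-open check reports the letter as available on a type mismatch, while the fail-closed check does not. The general rule for any "does X already exist" guard is to whitelist the one status that proves absence rather than treating every failure as absence.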