pico-tpmsniffer
Variable vmk header
ChatGPT version of trying to take variable VMK headers into consideration. The header can actually look like this: 2c000[0-6]000[1-9]000[0-1]000[0-5]200000
I am not a programmer, would be cool if you could evaluate if this is okay or not. Or if there is maybe even a more sexy way to do it.
The header can actually look like this: 2c000[0-6]000[1-9]000[0-1]000[0-5]200000
Do you have explanation for that?
Sure:
https://luemmelsec.github.io/Go-away-BitLocker-you-are-drunk/
https://github.com/WithSecureLabs/bitlocker-spi-toolkit/pull/3
https://labs.withsecure.com/publications/sniff-there-leaks-my-bitlocker-key
That might be very crude but you could check something like
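// Generic VMK looks like
// 2C00|0X00|0X00|0000|0X20|0000
// Compare only the fixed bytes of the 12-byte header:
// offsets 0-1, 3, 5-7 and 9-11. Offsets 2, 4 and 8 are skipped.
if ((memcmp(message_buffer + popped,     vmk_header,     2) == 0) &&
    (memcmp(message_buffer + popped + 3, vmk_header + 3, 1) == 0) &&
    (memcmp(message_buffer + popped + 5, vmk_header + 5, 3) == 0) &&
    (memcmp(message_buffer + popped + 9, vmk_header + 9, 3) == 0))
{
    // header matched at message_buffer + popped
}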
I tested that in my setup and it seems to work fine. So basically the comparison simply skips the variable bytes, which are just 3 of 12 bytes, which should still be good enough to find the correct match.
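An added example, not part of this thread or of the pico-tpmsniffer source: instead of skipping the variable bytes, each of the 12 header bytes can be checked against the range given in the pattern quoted above, which also bounds the bytes the memcmp version ignores. The function names and the sample buffers are assumptions made for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define VMK_HEADER_LEN 12

/* Inclusive per-byte bounds from the pattern quoted in this thread:
 * 2c 00 0[0-6] 00 0[1-9] 00 0[0-1] 00 0[0-5] 20 00 00 */
static const uint8_t vmk_lo[VMK_HEADER_LEN] = {
    0x2c, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x20, 0x00, 0x00 };
static const uint8_t vmk_hi[VMK_HEADER_LEN] = {
    0x2c, 0x00, 0x06, 0x00, 0x09, 0x00, 0x01, 0x00, 0x05, 0x20, 0x00, 0x00 };

/* Return 1 if the 12 bytes at p all lie within their bounds, else 0. */
int vmk_header_matches(const uint8_t *p)
{
    for (size_t i = 0; i < VMK_HEADER_LEN; i++)
        if (p[i] < vmk_lo[i] || p[i] > vmk_hi[i])
            return 0;
    return 1;
}

/* Offset of the first header match in buf[0..len), or -1 if there is none.
 * The loop bound keeps every read inside the buffer. */
long find_vmk_header(const uint8_t *buf, size_t len)
{
    if (buf == NULL || len < VMK_HEADER_LEN)
        return -1;
    for (size_t off = 0; off + VMK_HEADER_LEN <= len; off++)
        if (vmk_header_matches(buf + off))
            return (long)off;
    return -1;
}

/* Constructed sample buffers, not captured bus traffic. */
static const uint8_t sample_match[] = {          /* header starts at offset 2 */
    0xff, 0xff, 0x2c, 0x00, 0x05, 0x00, 0x01, 0x00,
    0x01, 0x00, 0x03, 0x20, 0x00, 0x00, 0xaa };
static const uint8_t sample_out_of_range[] = {   /* byte 2 is 0x07, above 0x06 */
    0x2c, 0x00, 0x07, 0x00, 0x01, 0x00, 0x00, 0x00, 0x03, 0x20, 0x00, 0x00 };

int main(void)
{
    printf("match at %ld\n", find_vmk_header(sample_match, sizeof sample_match));
    printf("out of range: %ld\n",
           find_vmk_header(sample_out_of_range, sizeof sample_out_of_range));
    return 0;
}
```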