TrueCrypt Windows - PE data section not DWORD-aligned!
Offset Length Password
Traceback (most recent call last):
File "C:\Users\srv\Downloads\volatility3-develop\volatility3-develop\vol.py", line 10, in
Hello.
I ported the TrueCrypt cached passphrase finder from Volatility2 to Volatility3.
This error message occurs when the number of bytes in the data section isn't a multiple of DWORD_SIZE_BYTES (which is 4).
Volatility2's cached passphrase finder, running Python 2.6 ≤ x < 3, doesn't check for this alignment and instead iterates over the available DWORD_SIZE_BYTES-sized chunks, as evidenced by the relevant section of code in Volatility2's tcaudit.py
# Looking for the Length member, DWORD-aligned
ints = obj.Object("Array", targetType = "int",
                  offset = base, count = size / 4,
                  vm = addr_space)
which uses the integer quotient of size over 4.
I was unsure if this was intentional behaviour so I opted to raise an error when the situation arose.
If anybody else has further insight into the matter and can explain why the error message shouldn't be raised then I'm happy to propose a pull request with the necessary changes.
Otherwise, if you'd like to mimic Volatility2's behaviour, you can modify the following lines in volatility3\framework\plugins\windows\truecrypt.py
count, not_aligned = divmod(size, DWORD_SIZE_BYTES)
if not_aligned:
    raise ValueError("PE data section not DWORD-aligned!")
to
count = size // DWORD_SIZE_BYTES
You could check if the excess bytes are always 00, which would suggest it's padding? If there's a total length field being used, that might also make sense?
Sorry, my comment was aimed at @iyassou
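The alignment choice and the padding check discussed above, as an added example that is not part of the thread or of Volatility's code. The function names, the 1 to 64 length bounds, the printable-ASCII test and the sample buffer are assumptions made for illustration.

```python
import struct

DWORD_SIZE_BYTES = 4
MIN_LEN, MAX_LEN = 1, 64  # assumed bounds for a plausible Length value


def split_section(data: bytes, strict: bool = False):
    """Return (count, tail): whole DWORDs available and the leftover bytes."""
    count, not_aligned = divmod(len(data), DWORD_SIZE_BYTES)
    if not_aligned and strict:
        # Behaviour of the check quoted from the Volatility3 plugin.
        raise ValueError("PE data section not DWORD-aligned!")
    # Non-strict mode mirrors `count = size // DWORD_SIZE_BYTES`.
    return count, data[count * DWORD_SIZE_BYTES:]


def tail_is_padding(tail: bytes) -> bool:
    """True when every leftover byte is 0x00 (or there are none)."""
    return not any(tail)


def scan_lengths(data: bytes):
    """Yield (offset, length, text) for DWORD-aligned Length candidates."""
    count, _ = split_section(data)
    for i in range(count):
        offset = i * DWORD_SIZE_BYTES
        (length,) = struct.unpack_from("<I", data, offset)
        if not MIN_LEN <= length <= MAX_LEN:
            continue
        text = data[offset + 4: offset + 4 + length]
        # Candidate must be fully inside the section and printable ASCII.
        if len(text) == length and all(0x20 <= b <= 0x7E for b in text):
            yield offset, length, text.decode("ascii")


# Constructed sample: 26 bytes, so 6 whole DWORDs plus 2 trailing bytes.
SAMPLE = (b"\x00" * 8 + struct.pack("<I", 8) + b"samplepw" + b"\x00" * 6)

if __name__ == "__main__":
    count, tail = split_section(SAMPLE)
    print(f"dwords={count} tail={tail.hex()} padding={tail_is_padding(tail)}")
    print("Offset Length Password")
    for off, length, text in scan_lengths(SAMPLE):
        print(f"{off:#x} {length} {text}")
```

If `tail_is_padding` returns False on a real section, the leftover bytes are worth inspecting before deciding that floor division loses nothing.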
Hello @iyassou, it's a dumped file of Win11, so Vol2 is no use for me. I'm playing a CTF challenge. If you want the dump I can provide it. Do you know any manual method to extract the key?
Could you help me with the exact proper code?
I tried with 0, 1, 2 as the DWORD size bytes; that time it showed me a blank result without error.
When I tried with 3, 4 and above, it showed this DWORD error.
Thanks
I tried what you suggested... it's showing blank output. The error has stopped.
Be aware that TrueCrypt doesn't always cache a password; it may only be the master keys held in memory. (Although the fact the plugin tried might mean that there is a password.)
Do you have any idea to solve or retrieve it manually?
This blog post is a good place to start: https://volatility-labs.blogspot.com/2014/01/truecrypt-master-key-extraction-and.html
This issue is stale because it has been open for 200 days with no activity.
This issue was closed because it has been inactive for 60 days since being marked as stale.