metasploit-gs/api/Rex/Parser/BITLOCKER.html
jenkins-metasploit c3f5bd3de2 Reboot gh-pages
2026-05-08 17:08:43 +00:00


<!DOCTYPE html>
<html>
<head>
  <meta charset="utf-8">
  <meta name="viewport" content="width=device-width, initial-scale=1.0">
  <title>Class: Rex::Parser::BITLOCKER — Documentation by YARD 0.9.37</title>
  <!-- Theme stylesheets, addressed relative to this page -->
  <link rel="stylesheet" href="../../css/style.css">
  <link rel="stylesheet" href="../../css/common.css">
  <!-- Page-level globals; presumably read by the scripts loaded below (confirm in app.js) -->
  <script>
    pathId = "Rex::Parser::BITLOCKER";
    relpath = "../../";
  </script>
  <script charset="utf-8" src="../../js/jquery.js"></script>
  <script charset="utf-8" src="../../js/app.js"></script>
</head>
<body>
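<div class="nav_wrap">
  <!-- Side panel: the class list is loaded through a relative URL; the title gives the frame an accessible name -->
  <iframe id="nav" src="../../class_list.html?1" title="Class list"></iframe>
  <div id="resizer"></div>
</div>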
<div id="main" tabindex="-1">
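<div id="header">
  <!-- Breadcrumb trail: index, Rex, Rex::Parser, then the current class -->
  <div id="menu">
    <a href="../../_index.html">Index (B)</a> &raquo;
    <span class='title'><span class='object_link'><a href="../../Rex.html" title="Rex (module)">Rex</a></span></span> &raquo; <span class='title'><span class='object_link'><a href="../Parser.html" title="Rex::Parser (module)">Parser</a></span></span>
    &raquo;
    <span class="title">BITLOCKER</span>
  </div>
  <div id="search">
    <!-- Icon-only link: aria-label supplies the name, the drawing itself is hidden from assistive technology -->
    <a class="full_list_link" id="class_list_link" href="../../class_list.html" aria-label="Class list">
      <svg width="24" height="24" aria-hidden="true">
        <rect x="0" y="4" width="24" height="4" rx="1" ry="1"></rect>
        <rect x="0" y="12" width="24" height="4" rx="1" ry="1"></rect>
        <rect x="0" y="20" width="24" height="4" rx="1" ry="1"></rect>
      </svg>
    </a>
  </div>
  <div class="clear"></div>
</div>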
<div id="content"><h1>Class: Rex::Parser::BITLOCKER
</h1>
<div class="box_info">
<dl>
<dt>Inherits:</dt>
<dd>
<span class="inheritName">Object</span>
<ul class="fullTree">
<li>Object</li>
<li class="next">Rex::Parser::BITLOCKER</li>
</ul>
<a href="#" class="inheritanceTree">show all</a>
</dd>
</dl>
<dl>
<dt>Defined in:</dt>
<dd>lib/rex/parser/fs/bitlocker.rb</dd>
</dl>
</div>
<h2>Overview</h2><div class="docstring">
<div class="discussion">
<p>This class parses the content of a BitLocker partition file. Author: Danil Bazin &lt;danil.bazin[at]hsc.fr&gt; @danilbaz</p>
</div>
</div>
<div class="tags">
</div>
<h2>
Constant Summary
<small><a href="#" class="constants_summary_toggle">collapse</a></small>
</h2>
<dl class="constants">
  <!-- Sizes in bytes; #initialize uses them as offsets into the FVE metadata block -->
  <dt id="BLOCK_HEADER_SIZE-constant">BLOCK_HEADER_SIZE =</dt>
  <dd><pre class="code"><span class="int">64</span></pre></dd>
  <dt id="METADATA_HEADER_SIZE-constant">METADATA_HEADER_SIZE =</dt>
  <dd><pre class="code"><span class="int">48</span></pre></dd>

  <!-- Entry types: first-level keys of the hash built by #fve_entries -->
  <dt id="ENTRY_TYPE_NONE-constant">ENTRY_TYPE_NONE =</dt>
  <dd><pre class="code"><span class="int">0x0000</span></pre></dd>
  <dt id="ENTRY_TYPE_VMK-constant">ENTRY_TYPE_VMK =</dt>
  <dd><pre class="code"><span class="int">0x0002</span></pre></dd>
  <dt id="ENTRY_TYPE_FVEK-constant">ENTRY_TYPE_FVEK =</dt>
  <dd><pre class="code"><span class="int">0x0003</span></pre></dd>
  <dt id="ENTRY_TYPE_STARTUP_KEY-constant">ENTRY_TYPE_STARTUP_KEY =</dt>
  <dd><pre class="code"><span class="int">0x0006</span></pre></dd>
  <dt id="ENTRY_TYPE_DESC-constant">ENTRY_TYPE_DESC =</dt>
  <dd><pre class="code"><span class="int">0x0007</span></pre></dd>
  <dt id="ENTRY_TYPE_HEADER-constant">ENTRY_TYPE_HEADER =</dt>
  <dd><pre class="code"><span class="int">0x000f</span></pre></dd>

  <!-- Value types: second-level keys of the hash built by #fve_entries -->
  <dt id="VALUE_TYPE_ERASED-constant">VALUE_TYPE_ERASED =</dt>
  <dd><pre class="code"><span class="int">0x0000</span></pre></dd>
  <dt id="VALUE_TYPE_KEY-constant">VALUE_TYPE_KEY =</dt>
  <dd><pre class="code"><span class="int">0x0001</span></pre></dd>
  <dt id="VALUE_TYPE_STRING-constant">VALUE_TYPE_STRING =</dt>
  <dd><pre class="code"><span class="int">0x0002</span></pre></dd>
  <dt id="VALUE_TYPE_STRETCH_KEY-constant">VALUE_TYPE_STRETCH_KEY =</dt>
  <dd><pre class="code"><span class="int">0x0003</span></pre></dd>
  <dt id="VALUE_TYPE_ENCRYPTED_KEY-constant">VALUE_TYPE_ENCRYPTED_KEY =</dt>
  <dd><pre class="code"><span class="int">0x0005</span></pre></dd>
  <dt id="VALUE_TYPE_TPM-constant">VALUE_TYPE_TPM =</dt>
  <dd><pre class="code"><span class="int">0x0006</span></pre></dd>
  <dt id="VALUE_TYPE_VALIDATION-constant">VALUE_TYPE_VALIDATION =</dt>
  <dd><pre class="code"><span class="int">0x0007</span></pre></dd>
  <dt id="VALUE_TYPE_VMK-constant">VALUE_TYPE_VMK =</dt>
  <dd><pre class="code"><span class="int">0x0008</span></pre></dd>
  <dt id="VALUE_TYPE_EXTERNAL_KEY-constant">VALUE_TYPE_EXTERNAL_KEY =</dt>
  <dd><pre class="code"><span class="int">0x0009</span></pre></dd>
  <dt id="VALUE_TYPE_UPDATE-constant">VALUE_TYPE_UPDATE =</dt>
  <dd><pre class="code"><span class="int">0x000a</span></pre></dd>
  <dt id="VALUE_TYPE_ERROR-constant">VALUE_TYPE_ERROR =</dt>
  <dd><pre class="code"><span class="int">0x000b</span></pre></dd>

  <!-- Protection types: keys of the hash produced by #vmk_entries -->
  <dt id="PROTECTION_TPM-constant">PROTECTION_TPM =</dt>
  <dd><pre class="code"><span class="int">0x0100</span></pre></dd>
  <dt id="PROTECTION_CLEAR_KEY-constant">PROTECTION_CLEAR_KEY =</dt>
  <dd><pre class="code"><span class="int">0x0000</span></pre></dd>
  <dt id="PROTECTION_STARTUP_KEY-constant">PROTECTION_STARTUP_KEY =</dt>
  <dd><pre class="code"><span class="int">0x0200</span></pre></dd>
  <dt id="PROTECTION_RECOVERY_PASSWORD-constant">PROTECTION_RECOVERY_PASSWORD =</dt>
  <dd><pre class="code"><span class="int">0x0800</span></pre></dd>
  <dt id="PROTECTION_PASSWORD-constant">PROTECTION_PASSWORD =</dt>
  <dd><pre class="code"><span class="int">0x2000</span></pre></dd>
</dl>
<h2>
Instance Method Summary
<small><a href="#" class="summary_toggle">collapse</a></small>
</h2>
<ul class="summary">
<li class="public ">
<span class="summary_signature">
<a href="#decrypt_aes_ccm_key-instance_method" title="#decrypt_aes_ccm_key (instance method)">#<strong>decrypt_aes_ccm_key</strong>(fve_entry, key) &#x21d2; Object </a>
</span>
<span class="summary_desc"><div class='inline'></div></span>
</li>
<li class="public ">
<span class="summary_signature">
<a href="#fve_entries-instance_method" title="#fve_entries (instance method)">#<strong>fve_entries</strong>(metadata_entries) &#x21d2; Object </a>
</span>
<span class="summary_desc"><div class='inline'>
<p>Parse the metadata_entries and return a hashmap using the following format: metadata_entry_type =&gt; metadata_value_type =&gt; [fve_entry,…].</p>
</div></span>
</li>
<li class="public ">
<span class="summary_signature">
<a href="#fvek_entries-instance_method" title="#fvek_entries (instance method)">#<strong>fvek_entries</strong> &#x21d2; Object </a>
</span>
<span class="summary_desc"><div class='inline'>
<p>Return FVEK entry, encrypted with the VMK.</p>
</div></span>
</li>
<li class="public ">
<span class="summary_signature">
<a href="#fvek_from_recovery_password-instance_method" title="#fvek_from_recovery_password (instance method)">#<strong>fvek_from_recovery_password</strong>(recoverykey) &#x21d2; Object </a>
</span>
<span class="summary_desc"><div class='inline'>
<p>Extract FVEK using the provided recovery key.</p>
</div></span>
</li>
<li class="public ">
<span class="summary_signature">
<a href="#fvek_from_recovery_password_dislocker-instance_method" title="#fvek_from_recovery_password_dislocker (instance method)">#<strong>fvek_from_recovery_password_dislocker</strong>(recoverykey) &#x21d2; Object </a>
</span>
<span class="summary_desc"><div class='inline'>
<p>Extract FVEK and prefix it with the encryption methods integer on 2 bytes.</p>
</div></span>
</li>
<li class="public ">
<span class="summary_signature">
<a href="#initialize-instance_method" title="#initialize (instance method)">#<strong>initialize</strong>(file_handler) &#x21d2; BITLOCKER </a>
</span>
<span class="note title constructor">constructor</span>
<span class="summary_desc"><div class='inline'>
<p>A new instance of BITLOCKER.</p>
</div></span>
</li>
<li class="public ">
<span class="summary_signature">
<a href="#recovery_key_transformation-instance_method" title="#recovery_key_transformation (instance method)">#<strong>recovery_key_transformation</strong>(recoverykey) &#x21d2; Object </a>
</span>
<span class="summary_desc"><div class='inline'>
<p>Stretches the whole recovery key and returns it.</p>
</div></span>
</li>
<li class="public ">
<span class="summary_signature">
<a href="#strcpy-instance_method" title="#strcpy (instance method)">#<strong>strcpy</strong>(str_src, str_dst) &#x21d2; Object </a>
</span>
<span class="summary_desc"><div class='inline'>
<p>Dummy strcpy to use with metasm and string assignment.</p>
</div></span>
</li>
<li class="public ">
<span class="summary_signature">
<a href="#vmk_entries-instance_method" title="#vmk_entries (instance method)">#<strong>vmk_entries</strong> &#x21d2; Object </a>
</span>
<span class="summary_desc"><div class='inline'>
<p>Produce a hash map using the following format: PROTECTION_TYPE =&gt; [fve_entry, fve_entry…].</p>
</div></span>
</li>
<li class="public ">
<span class="summary_signature">
<a href="#vmk_from_recovery_password-instance_method" title="#vmk_from_recovery_password (instance method)">#<strong>vmk_from_recovery_password</strong>(recoverykey) &#x21d2; Object </a>
</span>
<span class="summary_desc"><div class='inline'>
<p>Stretches the recovery key with every stretch key and tries to decrypt every VMK encrypted with a recovery key.</p>
</div></span>
</li>
</ul>
<div id="constructor_details" class="method_details_list">
<h2>Constructor Details</h2>
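<div class="method_details first">
<h3 class="signature first" id="initialize-instance_method">
#<strong>initialize</strong>(file_handler) &#x21d2; <tt><span class='object_link'><a href="" title="Rex::Parser::BITLOCKER (class)">BITLOCKER</a></span></tt>
</h3><div class="docstring">
<div class="discussion">
<p>Returns a new instance of BITLOCKER.</p>
<p>Reads the first 512 bytes from <tt>file_handler</tt> as the volume header and raises <tt>ArgumentError</tt> unless the 8 bytes at offset 3 are <tt>-FVE-FS-</tt>. It then seeks to the FVE metadata offset stored at byte 176 of the header, reads 4096 bytes from there, and indexes the metadata entries with <tt>fve_entries</tt> and <tt>vmk_entries</tt>. Multi-byte header fields are decoded as little-endian.</p>
<p>Only the signature is checked; the metadata offset and size are used as read from the volume. Treat the image as untrusted input: a truncated or corrupted volume that still carries the signature can fail with an error other than <tt>ArgumentError</tt>.</p>
</div>
</div>
<div class="tags">
</div><table class="source_code">
<tr>
<td>
<pre class="lines">
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68</pre>
</td>
<td>
<pre class="code"><span class="info file"># File 'lib/rex/parser/fs/bitlocker.rb', line 48</span>
<span class='kw'>def</span> <span class='id identifier rubyid_initialize'>initialize</span><span class='lparen'>(</span><span class='id identifier rubyid_file_handler'>file_handler</span><span class='rparen'>)</span>
  <span class='ivar'>@file_handler</span> <span class='op'>=</span> <span class='id identifier rubyid_file_handler'>file_handler</span>
  <span class='id identifier rubyid_volume_header'>volume_header</span> <span class='op'>=</span> <span class='ivar'>@file_handler</span><span class='period'>.</span><span class='id identifier rubyid_read'>read</span><span class='lparen'>(</span><span class='int'>512</span><span class='rparen'>)</span>
  <span class='ivar'>@fs_sign</span> <span class='op'>=</span> <span class='id identifier rubyid_volume_header'>volume_header</span><span class='period'>.</span><span class='id identifier rubyid_to_s'>to_s</span><span class='lbracket'>[</span><span class='int'>3</span><span class='comma'>,</span> <span class='int'>8</span><span class='rbracket'>]</span>
  <span class='kw'>unless</span> <span class='ivar'>@fs_sign</span> <span class='op'>==</span> <span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>-FVE-FS-</span><span class='tstring_end'>&#39;</span></span>
    <span class='comment'># inspect escapes the raw signature bytes before they reach the message</span>
    <span class='id identifier rubyid_fail'>fail</span> <span class='const'>ArgumentError</span><span class='comma'>,</span> <span class='tstring'><span class='tstring_beg'>&quot;</span><span class='tstring_content'>File system signature does not match Bitlocker : </span><span class='embexpr_beg'>#{</span><span class='ivar'>@fs_sign</span><span class='period'>.</span><span class='id identifier rubyid_inspect'>inspect</span><span class='embexpr_end'>}</span><span class='tstring_content'>, bitlocker not used</span><span class='tstring_end'>&quot;</span></span><span class='comma'>,</span> <span class='id identifier rubyid_caller'>caller</span>
  <span class='kw'>end</span>
  <span class='ivar'>@fve_offset</span> <span class='op'>=</span> <span class='id identifier rubyid_volume_header'>volume_header</span><span class='lbracket'>[</span><span class='int'>176</span><span class='comma'>,</span> <span class='int'>8</span><span class='rbracket'>]</span><span class='period'>.</span><span class='id identifier rubyid_unpack'>unpack</span><span class='lparen'>(</span><span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>Q&lt;</span><span class='tstring_end'>&#39;</span></span><span class='rparen'>)</span><span class='lbracket'>[</span><span class='int'>0</span><span class='rbracket'>]</span>
  <span class='ivar'>@file_handler</span><span class='period'>.</span><span class='id identifier rubyid_seek'>seek</span><span class='lparen'>(</span><span class='ivar'>@fve_offset</span><span class='rparen'>)</span>
  <span class='ivar'>@fve_raw</span> <span class='op'>=</span> <span class='ivar'>@file_handler</span><span class='period'>.</span><span class='id identifier rubyid_read'>read</span><span class='lparen'>(</span><span class='int'>4096</span><span class='rparen'>)</span>
  <span class='ivar'>@encryption_methods</span> <span class='op'>=</span> <span class='ivar'>@fve_raw</span><span class='lbracket'>[</span><span class='const'><span class='object_link'><a href="#BLOCK_HEADER_SIZE-constant" title="Rex::Parser::BITLOCKER::BLOCK_HEADER_SIZE (constant)">BLOCK_HEADER_SIZE</a></span></span> <span class='op'>+</span> <span class='int'>36</span><span class='comma'>,</span> <span class='int'>4</span><span class='rbracket'>]</span><span class='period'>.</span><span class='id identifier rubyid_unpack'>unpack</span><span class='lparen'>(</span><span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>V</span><span class='tstring_end'>&#39;</span></span><span class='rparen'>)</span><span class='lbracket'>[</span><span class='int'>0</span><span class='rbracket'>]</span>
  <span class='id identifier rubyid_size'>size</span> <span class='op'>=</span> <span class='ivar'>@fve_raw</span><span class='lbracket'>[</span><span class='const'><span class='object_link'><a href="#BLOCK_HEADER_SIZE-constant" title="Rex::Parser::BITLOCKER::BLOCK_HEADER_SIZE (constant)">BLOCK_HEADER_SIZE</a></span></span><span class='comma'>,</span> <span class='int'>4</span><span class='rbracket'>]</span><span class='period'>.</span><span class='id identifier rubyid_unpack'>unpack</span><span class='lparen'>(</span><span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>V</span><span class='tstring_end'>&#39;</span></span><span class='rparen'>)</span><span class='lbracket'>[</span><span class='int'>0</span><span class='rbracket'>]</span> <span class='op'>-</span>
    <span class='const'><span class='object_link'><a href="#METADATA_HEADER_SIZE-constant" title="Rex::Parser::BITLOCKER::METADATA_HEADER_SIZE (constant)">METADATA_HEADER_SIZE</a></span></span>
  <span class='ivar'>@metadata_entries</span> <span class='op'>=</span> <span class='ivar'>@fve_raw</span><span class='lbracket'>[</span><span class='const'><span class='object_link'><a href="#BLOCK_HEADER_SIZE-constant" title="Rex::Parser::BITLOCKER::BLOCK_HEADER_SIZE (constant)">BLOCK_HEADER_SIZE</a></span></span> <span class='op'>+</span> <span class='const'><span class='object_link'><a href="#METADATA_HEADER_SIZE-constant" title="Rex::Parser::BITLOCKER::METADATA_HEADER_SIZE (constant)">METADATA_HEADER_SIZE</a></span></span><span class='comma'>,</span>
    <span class='id identifier rubyid_size'>size</span><span class='rbracket'>]</span>
  <span class='ivar'>@version</span> <span class='op'>=</span> <span class='ivar'>@fve_raw</span><span class='lbracket'>[</span><span class='const'><span class='object_link'><a href="#BLOCK_HEADER_SIZE-constant" title="Rex::Parser::BITLOCKER::BLOCK_HEADER_SIZE (constant)">BLOCK_HEADER_SIZE</a></span></span> <span class='op'>+</span> <span class='int'>4</span><span class='rbracket'>]</span>
  <span class='ivar'>@fve_metadata_entries</span> <span class='op'>=</span> <span class='id identifier rubyid_fve_entries'>fve_entries</span><span class='lparen'>(</span><span class='ivar'>@metadata_entries</span><span class='rparen'>)</span>
  <span class='ivar'>@vmk_entries_hash</span> <span class='op'>=</span> <span class='id identifier rubyid_vmk_entries'>vmk_entries</span>
<span class='kw'>end</span></pre>
</td>
</tr>
</table>
</div>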
</div>
<div id="instance_method_details" class="method_details_list">
<h2>Instance Method Details</h2>
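<div class="method_details first">
<h3 class="signature first" id="decrypt_aes_ccm_key-instance_method">
#<strong>decrypt_aes_ccm_key</strong>(fve_entry, key) &#x21d2; <tt>Object</tt>
</h3><div class="docstring">
<div class="discussion">
<p>Decrypt an AES-CCM protected FVE entry with <tt>key</tt>. The entry is split into a 12-byte nonce (offset 0), a 16-byte MAC (offset 12) and the ciphertext (offset 28 onwards); the ciphertext followed by the MAC is passed to <tt>OpenSSL::CCM#decrypt</tt>, and the plaintext is returned without its first 12 bytes.</p>
<p>The entry length is not checked and the result of <tt>decrypt</tt> is used as returned. Before relying on the returned key, callers should confirm how <tt>OpenSSL::CCM</tt> reports a MAC mismatch and should handle an entry shorter than 28 bytes.</p>
</div>
</div>
<div class="tags">
</div><table class="source_code">
<tr>
<td>
<pre class="lines">
107
108
109
110
111
112
113
114</pre>
</td>
<td>
<pre class="code"><span class="info file"># File 'lib/rex/parser/fs/bitlocker.rb', line 107</span>
<span class='kw'>def</span> <span class='id identifier rubyid_decrypt_aes_ccm_key'>decrypt_aes_ccm_key</span><span class='lparen'>(</span><span class='id identifier rubyid_fve_entry'>fve_entry</span><span class='comma'>,</span> <span class='id identifier rubyid_key'>key</span><span class='rparen'>)</span>
  <span class='id identifier rubyid_nonce'>nonce</span> <span class='op'>=</span> <span class='id identifier rubyid_fve_entry'>fve_entry</span><span class='lbracket'>[</span><span class='int'>0</span><span class='comma'>,</span> <span class='int'>12</span><span class='rbracket'>]</span>
  <span class='id identifier rubyid_mac'>mac</span> <span class='op'>=</span> <span class='id identifier rubyid_fve_entry'>fve_entry</span><span class='lbracket'>[</span><span class='int'>12</span><span class='comma'>,</span> <span class='int'>16</span><span class='rbracket'>]</span>
  <span class='id identifier rubyid_encrypted_data'>encrypted_data</span> <span class='op'>=</span> <span class='id identifier rubyid_fve_entry'>fve_entry</span><span class='lbracket'>[</span><span class='int'>28</span><span class='op'>..</span><span class='op'>-</span><span class='int'>1</span><span class='rbracket'>]</span>
  <span class='id identifier rubyid_ccm'>ccm</span> <span class='op'>=</span> <span class='const'>OpenSSL</span><span class='op'>::</span><span class='const'>CCM</span><span class='period'>.</span><span class='id identifier rubyid_new'>new</span><span class='lparen'>(</span><span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>AES</span><span class='tstring_end'>&#39;</span></span><span class='comma'>,</span> <span class='id identifier rubyid_key'>key</span><span class='comma'>,</span> <span class='int'>16</span><span class='rparen'>)</span>
  <span class='id identifier rubyid_decrypted_data'>decrypted_data</span> <span class='op'>=</span> <span class='id identifier rubyid_ccm'>ccm</span><span class='period'>.</span><span class='id identifier rubyid_decrypt'>decrypt</span><span class='lparen'>(</span><span class='id identifier rubyid_encrypted_data'>encrypted_data</span> <span class='op'>+</span> <span class='id identifier rubyid_mac'>mac</span><span class='comma'>,</span> <span class='id identifier rubyid_nonce'>nonce</span><span class='rparen'>)</span>
  <span class='id identifier rubyid_decrypted_data'>decrypted_data</span><span class='lbracket'>[</span><span class='int'>12</span><span class='op'>..</span><span class='op'>-</span><span class='int'>1</span><span class='rbracket'>]</span>
<span class='kw'>end</span></pre>
</td>
</tr>
</table>
</div>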
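<div class="method_details ">
<h3 class="signature " id="fve_entries-instance_method">
#<strong>fve_entries</strong>(metadata_entries) &#x21d2; <tt>Object</tt>
</h3><div class="docstring">
<div class="discussion">
<p>Parse the metadata_entries and return a hashmap using the following format: metadata_entry_type =&gt; metadata_value_type =&gt; [fve_entry,…]</p>
<p>Each entry starts with an 8-byte header: a 16-bit little-endian entry size at offset 0, the entry type at offset 2 and the value type at offset 4. The entry size is read from the volume, so parsing stops at a zero size or at the first entry whose size is below 8 bytes or runs past the end of <tt>metadata_entries</tt>; entries parsed before that point are returned.</p>
</div>
</div>
<div class="tags">
</div><table class="source_code">
<tr>
<td>
<pre class="lines">
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149</pre>
</td>
<td>
<pre class="code"><span class="info file"># File 'lib/rex/parser/fs/bitlocker.rb', line 119</span>
<span class='kw'>def</span> <span class='id identifier rubyid_fve_entries'>fve_entries</span><span class='lparen'>(</span><span class='id identifier rubyid_metadata_entries'>metadata_entries</span><span class='rparen'>)</span>
  <span class='id identifier rubyid_offset_entry'>offset_entry</span> <span class='op'>=</span> <span class='int'>0</span>
  <span class='id identifier rubyid_entry_size'>entry_size</span> <span class='op'>=</span> <span class='id identifier rubyid_metadata_entries'>metadata_entries</span><span class='period'>.</span><span class='id identifier rubyid_to_s'>to_s</span><span class='lbracket'>[</span><span class='int'>0</span><span class='comma'>,</span> <span class='int'>2</span><span class='rbracket'>]</span><span class='period'>.</span><span class='id identifier rubyid_unpack'>unpack</span><span class='lparen'>(</span><span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>v</span><span class='tstring_end'>&#39;</span></span><span class='rparen'>)</span><span class='lbracket'>[</span><span class='int'>0</span><span class='rbracket'>]</span>
  <span class='id identifier rubyid_result'>result</span> <span class='op'>=</span> <span class='const'>Hash</span><span class='period'>.</span><span class='id identifier rubyid_new'>new</span><span class='lparen'>(</span><span class='lbrace'>{</span><span class='rbrace'>}</span><span class='rparen'>)</span>
  <span class='comment'># entry_size is read from the volume: stop at an undersized or truncated entry</span>
  <span class='kw'>while</span> <span class='id identifier rubyid_entry_size'>entry_size</span> <span class='op'>&amp;&amp;</span> <span class='id identifier rubyid_entry_size'>entry_size</span> <span class='op'>&gt;=</span> <span class='int'>8</span> <span class='op'>&amp;&amp;</span>
        <span class='id identifier rubyid_offset_entry'>offset_entry</span> <span class='op'>+</span> <span class='id identifier rubyid_entry_size'>entry_size</span> <span class='op'>&lt;=</span> <span class='id identifier rubyid_metadata_entries'>metadata_entries</span><span class='period'>.</span><span class='id identifier rubyid_length'>length</span>
    <span class='id identifier rubyid_metadata_entry_type'>metadata_entry_type</span> <span class='op'>=</span> <span class='id identifier rubyid_metadata_entries'>metadata_entries</span><span class='lbracket'>[</span>
      <span class='id identifier rubyid_offset_entry'>offset_entry</span> <span class='op'>+</span> <span class='int'>2</span><span class='comma'>,</span> <span class='int'>2</span><span class='rbracket'>]</span><span class='period'>.</span><span class='id identifier rubyid_unpack'>unpack</span><span class='lparen'>(</span><span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>v</span><span class='tstring_end'>&#39;</span></span><span class='rparen'>)</span><span class='lbracket'>[</span><span class='int'>0</span><span class='rbracket'>]</span>
    <span class='id identifier rubyid_metadata_value_type'>metadata_value_type</span> <span class='op'>=</span> <span class='id identifier rubyid_metadata_entries'>metadata_entries</span><span class='lbracket'>[</span>
      <span class='id identifier rubyid_offset_entry'>offset_entry</span> <span class='op'>+</span> <span class='int'>4</span><span class='comma'>,</span> <span class='int'>2</span><span class='rbracket'>]</span><span class='period'>.</span><span class='id identifier rubyid_unpack'>unpack</span><span class='lparen'>(</span><span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>v</span><span class='tstring_end'>&#39;</span></span><span class='rparen'>)</span><span class='lbracket'>[</span><span class='int'>0</span><span class='rbracket'>]</span>
    <span class='id identifier rubyid_metadata_entry'>metadata_entry</span> <span class='op'>=</span> <span class='id identifier rubyid_metadata_entries'>metadata_entries</span><span class='lbracket'>[</span><span class='id identifier rubyid_offset_entry'>offset_entry</span> <span class='op'>+</span> <span class='int'>8</span><span class='comma'>,</span> <span class='id identifier rubyid_entry_size'>entry_size</span> <span class='op'>-</span> <span class='int'>8</span><span class='rbracket'>]</span>
    <span class='kw'>if</span> <span class='id identifier rubyid_result'>result</span><span class='lbracket'>[</span><span class='id identifier rubyid_metadata_entry_type'>metadata_entry_type</span><span class='rbracket'>]</span> <span class='op'>==</span> <span class='lbrace'>{</span><span class='rbrace'>}</span>
      <span class='id identifier rubyid_result'>result</span><span class='lbracket'>[</span><span class='id identifier rubyid_metadata_entry_type'>metadata_entry_type</span><span class='rbracket'>]</span> <span class='op'>=</span> <span class='lbrace'>{</span> <span class='id identifier rubyid_metadata_value_type'>metadata_value_type</span> <span class='op'>=&gt;</span> <span class='lbracket'>[</span>
        <span class='id identifier rubyid_metadata_entry'>metadata_entry</span><span class='rbracket'>]</span> <span class='rbrace'>}</span>
    <span class='kw'>elsif</span> <span class='id identifier rubyid_result'>result</span><span class='lbracket'>[</span><span class='id identifier rubyid_metadata_entry_type'>metadata_entry_type</span><span class='rbracket'>]</span><span class='lbracket'>[</span><span class='id identifier rubyid_metadata_value_type'>metadata_value_type</span><span class='rbracket'>]</span><span class='period'>.</span><span class='id identifier rubyid_nil?'>nil?</span>
      <span class='id identifier rubyid_result'>result</span><span class='lbracket'>[</span><span class='id identifier rubyid_metadata_entry_type'>metadata_entry_type</span><span class='rbracket'>]</span><span class='lbracket'>[</span><span class='id identifier rubyid_metadata_value_type'>metadata_value_type</span><span class='rbracket'>]</span> <span class='op'>=</span> <span class='lbracket'>[</span>
        <span class='id identifier rubyid_metadata_entry'>metadata_entry</span><span class='rbracket'>]</span>
    <span class='kw'>else</span>
      <span class='id identifier rubyid_result'>result</span><span class='lbracket'>[</span><span class='id identifier rubyid_metadata_entry_type'>metadata_entry_type</span><span class='rbracket'>]</span><span class='lbracket'>[</span><span class='id identifier rubyid_metadata_value_type'>metadata_value_type</span><span class='rbracket'>]</span> <span class='op'>+=</span> <span class='lbracket'>[</span>
        <span class='id identifier rubyid_metadata_entry'>metadata_entry</span><span class='rbracket'>]</span>
    <span class='kw'>end</span>
    <span class='id identifier rubyid_offset_entry'>offset_entry</span> <span class='op'>+=</span> <span class='id identifier rubyid_entry_size'>entry_size</span>
    <span class='kw'>if</span> <span class='id identifier rubyid_metadata_entries'>metadata_entries</span><span class='lbracket'>[</span><span class='id identifier rubyid_offset_entry'>offset_entry</span><span class='comma'>,</span> <span class='int'>2</span><span class='rbracket'>]</span> <span class='op'>!=</span> <span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_end'>&#39;</span></span>
      <span class='id identifier rubyid_entry_size'>entry_size</span> <span class='op'>=</span> <span class='id identifier rubyid_metadata_entries'>metadata_entries</span><span class='lbracket'>[</span><span class='id identifier rubyid_offset_entry'>offset_entry</span><span class='comma'>,</span> <span class='int'>2</span><span class='rbracket'>]</span><span class='period'>.</span><span class='id identifier rubyid_unpack'>unpack</span><span class='lparen'>(</span><span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>v</span><span class='tstring_end'>&#39;</span></span><span class='rparen'>)</span><span class='lbracket'>[</span><span class='int'>0</span><span class='rbracket'>]</span>
    <span class='kw'>else</span>
      <span class='id identifier rubyid_entry_size'>entry_size</span> <span class='op'>=</span> <span class='int'>0</span>
    <span class='kw'>end</span>
  <span class='kw'>end</span>
  <span class='id identifier rubyid_result'>result</span>
<span class='kw'>end</span></pre>
</td>
</tr>
</table>
</div>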
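<div class="method_details ">
<h3 class="signature " id="fvek_entries-instance_method">
#<strong>fvek_entries</strong> &#x21d2; <tt>Object</tt>
</h3><div class="docstring">
<div class="discussion">
<p>Return the first FVEK entry, still encrypted with the VMK. Fails with <tt>NoMethodError</tt> when the parsed metadata holds no FVEK entry of value type <tt>VALUE_TYPE_ENCRYPTED_KEY</tt>.</p>
</div>
</div>
<div class="tags">
</div><table class="source_code">
<tr>
<td>
<pre class="lines">
214
215
216
217</pre>
</td>
<td>
<pre class="code"><span class="info file"># File 'lib/rex/parser/fs/bitlocker.rb', line 214</span>
<span class='kw'>def</span> <span class='id identifier rubyid_fvek_entries'>fvek_entries</span>
  <span class='ivar'>@fve_metadata_entries</span><span class='lbracket'>[</span><span class='const'><span class='object_link'><a href="#ENTRY_TYPE_FVEK-constant" title="Rex::Parser::BITLOCKER::ENTRY_TYPE_FVEK (constant)">ENTRY_TYPE_FVEK</a></span></span><span class='rbracket'>]</span><span class='lbracket'>[</span>
    <span class='const'><span class='object_link'><a href="#VALUE_TYPE_ENCRYPTED_KEY-constant" title="Rex::Parser::BITLOCKER::VALUE_TYPE_ENCRYPTED_KEY (constant)">VALUE_TYPE_ENCRYPTED_KEY</a></span></span><span class='rbracket'>]</span><span class='lbracket'>[</span><span class='int'>0</span><span class='rbracket'>]</span>
<span class='kw'>end</span></pre>
</td>
</tr>
</table>
</div>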
<div class="method_details ">
<h3 class="signature " id="fvek_from_recovery_password-instance_method">
#<strong>fvek_from_recovery_password</strong>(recoverykey) &#x21d2; <tt>Object</tt>
</h3><div class="docstring">
<div class="discussion">
<p>Extract FVEK using the provided recovery key</p>
</div>
</div>
<div class="tags">
</div><table class="source_code">
<tr>
<td>
<pre class="lines">
100
101
102
103
104
105</pre>
</td>
<td>
<pre class="code"><span class="info file"># File 'lib/rex/parser/fs/bitlocker.rb', line 100</span>
<span class='kw'>def</span> <span class='id identifier rubyid_fvek_from_recovery_password'>fvek_from_recovery_password</span><span class='lparen'>(</span><span class='id identifier rubyid_recoverykey'>recoverykey</span><span class='rparen'>)</span>
  <span class='id identifier rubyid_vmk'>vmk</span> <span class='op'>=</span> <span class='id identifier rubyid_vmk_from_recovery_password'>vmk_from_recovery_password</span><span class='lparen'>(</span><span class='id identifier rubyid_recoverykey'>recoverykey</span><span class='rparen'>)</span>
  <span class='id identifier rubyid_encrypted_fvek'>encrypted_fvek</span> <span class='op'>=</span> <span class='id identifier rubyid_fvek_entries'>fvek_entries</span>
  <span class='comment'># Decrypt the FVEK entry with the VMK obtained from the recovery key</span>
  <span class='id identifier rubyid_decrypt_aes_ccm_key'>decrypt_aes_ccm_key</span><span class='lparen'>(</span><span class='id identifier rubyid_encrypted_fvek'>encrypted_fvek</span><span class='comma'>,</span> <span class='id identifier rubyid_vmk'>vmk</span><span class='rparen'>)</span>
<span class='kw'>end</span></pre>
</td>
</tr>
</table>
</div>
<div class="method_details ">
<h3 class="signature " id="fvek_from_recovery_password_dislocker-instance_method">
#<strong>fvek_from_recovery_password_dislocker</strong>(recoverykey) &#x21d2; <tt>Object</tt>
</h3><div class="docstring">
<div class="discussion">
<p>Extract FVEK and prefix it with the encryption methods integer on 2 bytes</p>
</div>
</div>
<div class="tags">
</div><table class="source_code">
<tr>
<td>
<pre class="lines">
72
73
74
75</pre>
</td>
<td>
<pre class="code"><span class="info file"># File 'lib/rex/parser/fs/bitlocker.rb', line 72</span>
<span class='kw'>def</span> <span class='id identifier rubyid_fvek_from_recovery_password_dislocker'>fvek_from_recovery_password_dislocker</span><span class='lparen'>(</span><span class='id identifier rubyid_recoverykey'>recoverykey</span><span class='rparen'>)</span>
  <span class='id identifier rubyid_method_prefix'>method_prefix</span> <span class='op'>=</span> <span class='lbracket'>[</span><span class='ivar'>@encryption_methods</span><span class='rbracket'>]</span><span class='period'>.</span><span class='id identifier rubyid_pack'>pack</span><span class='lparen'>(</span><span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>v</span><span class='tstring_end'>&#39;</span></span><span class='rparen'>)</span>
  <span class='id identifier rubyid_method_prefix'>method_prefix</span> <span class='op'>+</span> <span class='id identifier rubyid_fvek_from_recovery_password'>fvek_from_recovery_password</span><span class='lparen'>(</span><span class='id identifier rubyid_recoverykey'>recoverykey</span><span class='rparen'>)</span>
<span class='kw'>end</span></pre>
</td>
</tr>
</table>
</div>
<div class="method_details ">
<h3 class="signature " id="recovery_key_transformation-instance_method">
#<strong>recovery_key_transformation</strong>(recoverykey) &#x21d2; <tt>Object</tt>
</h3><div class="docstring">
<div class="discussion">
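<p>Stretches the recovery key once for each VMK entry protected by a recovery password, using that entry's stretch-key salt, and returns the list of stretched keys. Raises ArgumentError if a block of the recovery key is not a multiple of 11 or if no recovery-password protector is present on disk.</p>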
</div>
</div>
<div class="tags">
</div><table class="source_code">
<tr>
<td>
<pre class="lines">
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211</pre>
</td>
<td>
<pre class="code"><span class="info file"># File 'lib/rex/parser/fs/bitlocker.rb', line 159</span>
<span class='kw'>def</span> <span class='id identifier rubyid_recovery_key_transformation'>recovery_key_transformation</span><span class='lparen'>(</span><span class='id identifier rubyid_recoverykey'>recoverykey</span><span class='rparen'>)</span>
<span class='comment'># recovery key stretching phase 1
</span> <span class='id identifier rubyid_recovery_intermediate'>recovery_intermediate</span> <span class='op'>=</span> <span class='id identifier rubyid_recoverykey'>recoverykey</span><span class='period'>.</span><span class='id identifier rubyid_split'>split</span><span class='lparen'>(</span><span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>-</span><span class='tstring_end'>&#39;</span></span><span class='rparen'>)</span><span class='period'>.</span><span class='id identifier rubyid_map'>map</span><span class='lparen'>(</span><span class='op'>&amp;</span><span class='symbol'>:to_i</span><span class='rparen'>)</span>
<span class='id identifier rubyid_recovery_intermediate'>recovery_intermediate</span><span class='period'>.</span><span class='id identifier rubyid_each'>each</span> <span class='kw'>do</span> <span class='op'>|</span><span class='id identifier rubyid_n'>n</span><span class='op'>|</span>
<span class='id identifier rubyid_n'>n</span> <span class='op'>%</span> <span class='int'>11</span> <span class='op'>!=</span> <span class='int'>0</span> <span class='op'>&amp;&amp;</span> <span class='lparen'>(</span><span class='id identifier rubyid_fail'>fail</span> <span class='const'>ArgumentError</span><span class='comma'>,</span> <span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>Invalid recovery key</span><span class='tstring_end'>&#39;</span></span><span class='rparen'>)</span>
<span class='kw'>end</span>
<span class='id identifier rubyid_recovery_intermediate'>recovery_intermediate</span> <span class='op'>=</span>
<span class='id identifier rubyid_recovery_intermediate'>recovery_intermediate</span><span class='period'>.</span><span class='id identifier rubyid_map'>map</span> <span class='lbrace'>{</span> <span class='op'>|</span><span class='id identifier rubyid_a'>a</span><span class='op'>|</span> <span class='lparen'>(</span><span class='id identifier rubyid_a'>a</span> <span class='op'>/</span> <span class='int'>11</span><span class='rparen'>)</span> <span class='rbrace'>}</span><span class='period'>.</span><span class='id identifier rubyid_pack'>pack</span><span class='lparen'>(</span><span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>v*</span><span class='tstring_end'>&#39;</span></span><span class='rparen'>)</span>
<span class='comment'># recovery key stretching phase 2
</span> <span class='id identifier rubyid_recovery_keys'>recovery_keys</span> <span class='op'>=</span> <span class='lbracket'>[</span><span class='rbracket'>]</span>
<span class='id identifier rubyid_cpu'>cpu</span> <span class='op'>=</span> <span class='const'>Metasm</span><span class='period'>.</span><span class='id identifier rubyid_const_get'>const_get</span><span class='lparen'>(</span><span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>Ia32</span><span class='tstring_end'>&#39;</span></span><span class='rparen'>)</span><span class='period'>.</span><span class='id identifier rubyid_new'>new</span>
<span class='id identifier rubyid_exe'>exe</span> <span class='op'>=</span> <span class='const'>Metasm</span><span class='period'>.</span><span class='id identifier rubyid_const_get'>const_get</span><span class='lparen'>(</span><span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>Shellcode</span><span class='tstring_end'>&#39;</span></span><span class='rparen'>)</span><span class='period'>.</span><span class='id identifier rubyid_new'>new</span><span class='lparen'>(</span><span class='id identifier rubyid_cpu'>cpu</span><span class='rparen'>)</span>
<span class='id identifier rubyid_cp'>cp</span> <span class='op'>=</span> <span class='const'>Metasm</span><span class='op'>::</span><span class='const'>C</span><span class='op'>::</span><span class='const'>Parser</span><span class='period'>.</span><span class='id identifier rubyid_new'>new</span><span class='lparen'>(</span><span class='id identifier rubyid_exe'>exe</span><span class='rparen'>)</span>
<span class='id identifier rubyid_bitlocker_struct_src'>bitlocker_struct_src</span> <span class='op'>=</span> <span class='heredoc_beg'>&lt;&lt;-EOS</span>
<span class='tstring_content'> typedef struct {
unsigned char updated_hash[32];
unsigned char password_hash[32];
unsigned char salt[16];
unsigned long long int hash_count;
} bitlocker_chain_hash_t;
</span><span class='heredoc_end'> EOS
</span> <span class='id identifier rubyid_cp'>cp</span><span class='period'>.</span><span class='id identifier rubyid_parse'>parse</span> <span class='id identifier rubyid_bitlocker_struct_src'>bitlocker_struct_src</span>
<span class='id identifier rubyid_btl_struct'>btl_struct</span> <span class='op'>=</span> <span class='const'>Metasm</span><span class='op'>::</span><span class='const'>C</span><span class='op'>::</span><span class='const'>AllocCStruct</span><span class='period'>.</span><span class='id identifier rubyid_new'>new</span><span class='lparen'>(</span><span class='id identifier rubyid_cp'>cp</span><span class='comma'>,</span> <span class='id identifier rubyid_cp'>cp</span><span class='period'>.</span><span class='id identifier rubyid_find_c_struct'>find_c_struct</span><span class='lparen'>(</span>
<span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>bitlocker_chain_hash_t</span><span class='tstring_end'>&#39;</span></span><span class='rparen'>)</span><span class='rparen'>)</span>
<span class='id identifier rubyid_vmk_protected_by_recovery_key'>vmk_protected_by_recovery_key</span> <span class='op'>=</span> <span class='ivar'>@vmk_entries_hash</span><span class='lbracket'>[</span>
<span class='const'><span class='object_link'><a href="#PROTECTION_RECOVERY_PASSWORD-constant" title="Rex::Parser::BITLOCKER::PROTECTION_RECOVERY_PASSWORD (constant)">PROTECTION_RECOVERY_PASSWORD</a></span></span><span class='rbracket'>]</span>
<span class='kw'>if</span> <span class='id identifier rubyid_vmk_protected_by_recovery_key'>vmk_protected_by_recovery_key</span><span class='period'>.</span><span class='id identifier rubyid_nil?'>nil?</span>
<span class='id identifier rubyid_fail'>fail</span> <span class='const'>ArgumentError</span><span class='comma'>,</span> <span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>No recovery key on disk</span><span class='tstring_end'>&#39;</span></span>
<span class='kw'>end</span>
<span class='id identifier rubyid_vmk_protected_by_recovery_key'>vmk_protected_by_recovery_key</span><span class='period'>.</span><span class='id identifier rubyid_each'>each</span> <span class='kw'>do</span> <span class='op'>|</span><span class='id identifier rubyid_vmk_encrypted'>vmk_encrypted</span><span class='op'>|</span>
<span class='id identifier rubyid_vmk_encrypted_raw'>vmk_encrypted_raw</span> <span class='op'>=</span> <span class='id identifier rubyid_vmk_encrypted'>vmk_encrypted</span><span class='lbracket'>[</span><span class='const'><span class='object_link'><a href="#ENTRY_TYPE_NONE-constant" title="Rex::Parser::BITLOCKER::ENTRY_TYPE_NONE (constant)">ENTRY_TYPE_NONE</a></span></span><span class='rbracket'>]</span><span class='lbracket'>[</span>
<span class='const'><span class='object_link'><a href="#VALUE_TYPE_STRETCH_KEY-constant" title="Rex::Parser::BITLOCKER::VALUE_TYPE_STRETCH_KEY (constant)">VALUE_TYPE_STRETCH_KEY</a></span></span><span class='rbracket'>]</span><span class='lbracket'>[</span><span class='int'>0</span><span class='rbracket'>]</span>
<span class='id identifier rubyid_stretch_key_salt'>stretch_key_salt</span> <span class='op'>=</span> <span class='id identifier rubyid_vmk_encrypted_raw'>vmk_encrypted_raw</span><span class='lbracket'>[</span><span class='int'>4</span><span class='comma'>,</span> <span class='int'>16</span><span class='rbracket'>]</span>
<span class='id identifier rubyid_strcpy'>strcpy</span><span class='lparen'>(</span><span class='const'>Digest</span><span class='op'>::</span><span class='const'>SHA256</span><span class='period'>.</span><span class='id identifier rubyid_digest'>digest</span><span class='lparen'>(</span><span class='id identifier rubyid_recovery_intermediate'>recovery_intermediate</span><span class='rparen'>)</span><span class='comma'>,</span>
<span class='id identifier rubyid_btl_struct'>btl_struct</span><span class='period'>.</span><span class='id identifier rubyid_password_hash'>password_hash</span><span class='rparen'>)</span>
<span class='id identifier rubyid_strcpy'>strcpy</span><span class='lparen'>(</span><span class='id identifier rubyid_stretch_key_salt'>stretch_key_salt</span><span class='comma'>,</span> <span class='id identifier rubyid_btl_struct'>btl_struct</span><span class='period'>.</span><span class='id identifier rubyid_salt'>salt</span><span class='rparen'>)</span>
<span class='id identifier rubyid_btl_struct'>btl_struct</span><span class='period'>.</span><span class='id identifier rubyid_hash_count'>hash_count</span> <span class='op'>=</span> <span class='int'>0</span>
<span class='id identifier rubyid_sha256'>sha256</span> <span class='op'>=</span> <span class='const'>Digest</span><span class='op'>::</span><span class='const'>SHA256</span><span class='period'>.</span><span class='id identifier rubyid_new'>new</span>
<span class='id identifier rubyid_btl_struct_raw'>btl_struct_raw</span> <span class='op'>=</span> <span class='id identifier rubyid_btl_struct'>btl_struct</span><span class='period'>.</span><span class='id identifier rubyid_str'>str</span>
<span class='id identifier rubyid_btl_struct_hash_count_offset'>btl_struct_hash_count_offset</span> <span class='op'>=</span> <span class='id identifier rubyid_btl_struct'>btl_struct</span><span class='period'>.</span><span class='id identifier rubyid_struct'>struct</span><span class='period'>.</span><span class='id identifier rubyid_fldoffset'>fldoffset</span><span class='lbracket'>[</span>
<span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>hash_count</span><span class='tstring_end'>&#39;</span></span><span class='rbracket'>]</span>
<span class='lparen'>(</span><span class='int'>1</span><span class='op'>..</span><span class='int'>0x100000</span><span class='rparen'>)</span><span class='period'>.</span><span class='id identifier rubyid_each'>each</span> <span class='kw'>do</span> <span class='op'>|</span><span class='id identifier rubyid_c'>c</span><span class='op'>|</span>
<span class='id identifier rubyid_updated_hash'>updated_hash</span> <span class='op'>=</span> <span class='id identifier rubyid_sha256'>sha256</span><span class='period'>.</span><span class='id identifier rubyid_digest'>digest</span><span class='lparen'>(</span><span class='id identifier rubyid_btl_struct_raw'>btl_struct_raw</span><span class='rparen'>)</span>
<span class='id identifier rubyid_btl_struct_raw'>btl_struct_raw</span> <span class='op'>=</span> <span class='id identifier rubyid_updated_hash'>updated_hash</span> <span class='op'>+</span> <span class='id identifier rubyid_btl_struct_raw'>btl_struct_raw</span><span class='lbracket'>[</span><span class='id identifier rubyid_btl_struct'>btl_struct</span><span class='period'>.</span><span class='id identifier rubyid_updated_hash'>updated_hash</span><span class='period'>.</span><span class='id identifier rubyid_sizeof'>sizeof</span><span class='op'>..</span><span class='lparen'>(</span>
<span class='id identifier rubyid_btl_struct_hash_count_offset'>btl_struct_hash_count_offset</span> <span class='op'>-</span> <span class='int'>1</span><span class='rparen'>)</span><span class='rbracket'>]</span> <span class='op'>+</span> <span class='lbracket'>[</span><span class='id identifier rubyid_c'>c</span><span class='rbracket'>]</span><span class='period'>.</span><span class='id identifier rubyid_pack'>pack</span><span class='lparen'>(</span><span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>Q</span><span class='tstring_end'>&#39;</span></span><span class='rparen'>)</span>
<span class='id identifier rubyid_sha256'>sha256</span><span class='period'>.</span><span class='id identifier rubyid_reset'>reset</span>
<span class='kw'>end</span>
<span class='id identifier rubyid_recovery_keys'>recovery_keys</span> <span class='op'>+=</span> <span class='lbracket'>[</span><span class='id identifier rubyid_btl_struct_raw'>btl_struct_raw</span><span class='lbracket'>[</span><span class='id identifier rubyid_btl_struct'>btl_struct</span><span class='period'>.</span><span class='id identifier rubyid_updated_hash'>updated_hash</span><span class='period'>.</span><span class='id identifier rubyid_stroff'>stroff</span><span class='comma'>,</span>
<span class='id identifier rubyid_btl_struct'>btl_struct</span><span class='period'>.</span><span class='id identifier rubyid_updated_hash'>updated_hash</span><span class='period'>.</span><span class='id identifier rubyid_sizeof'>sizeof</span><span class='rbracket'>]</span><span class='rbracket'>]</span>
<span class='kw'>end</span>
<span class='id identifier rubyid_recovery_keys'>recovery_keys</span>
<span class='kw'>end</span></pre>
</td>
</tr>
</table>
</div>
<div class="method_details ">
<h3 class="signature " id="strcpy-instance_method">
#<strong>strcpy</strong>(str_src, str_dst) &#x21d2; <tt>Object</tt>
</h3><div class="docstring">
<div class="discussion">
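<p>Dummy strcpy to use with Metasm for string assignment: copies each character of str_src into str_dst as its ordinal value. The method itself does not compare the source length with the size of str_dst, so callers must pass a source that fits the destination field.</p>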
</div>
</div>
<div class="tags">
</div><table class="source_code">
<tr>
<td>
<pre class="lines">
152
153
154
155
156</pre>
</td>
<td>
<pre class="code"><span class="info file"># File 'lib/rex/parser/fs/bitlocker.rb', line 152</span>
<span class='kw'>def</span> <span class='id identifier rubyid_strcpy'>strcpy</span><span class='lparen'>(</span><span class='id identifier rubyid_str_src'>str_src</span><span class='comma'>,</span> <span class='id identifier rubyid_str_dst'>str_dst</span><span class='rparen'>)</span>
<span class='lparen'>(</span><span class='int'>0</span><span class='op'>..</span><span class='lparen'>(</span><span class='id identifier rubyid_str_src'>str_src</span><span class='period'>.</span><span class='id identifier rubyid_length'>length</span> <span class='op'>-</span> <span class='int'>1</span><span class='rparen'>)</span><span class='rparen'>)</span><span class='period'>.</span><span class='id identifier rubyid_each'>each</span> <span class='kw'>do</span> <span class='op'>|</span><span class='id identifier rubyid_cpt'>cpt</span><span class='op'>|</span>
<span class='id identifier rubyid_str_dst'>str_dst</span><span class='lbracket'>[</span><span class='id identifier rubyid_cpt'>cpt</span><span class='rbracket'>]</span> <span class='op'>=</span> <span class='id identifier rubyid_str_src'>str_src</span><span class='lbracket'>[</span><span class='id identifier rubyid_cpt'>cpt</span><span class='rbracket'>]</span><span class='period'>.</span><span class='id identifier rubyid_ord'>ord</span>
<span class='kw'>end</span>
<span class='kw'>end</span></pre>
</td>
</tr>
</table>
</div>
<div class="method_details ">
<h3 class="signature " id="vmk_entries-instance_method">
#<strong>vmk_entries</strong> &#x21d2; <tt>Object</tt>
</h3><div class="docstring">
<div class="discussion">
<p>Produce a hash map using the following format: PROTECTION_TYPE =&gt; [fve_entry, fve_entry…]</p>
</div>
</div>
<div class="tags">
</div><table class="source_code">
<tr>
<td>
<pre class="lines">
221
222
223
224
225
226
227
228
229
230
231
232</pre>
</td>
<td>
<pre class="code"><span class="info file"># File 'lib/rex/parser/fs/bitlocker.rb', line 221</span>
<span class='kw'>def</span> <span class='id identifier rubyid_vmk_entries'>vmk_entries</span>
<span class='id identifier rubyid_res'>res</span> <span class='op'>=</span> <span class='lbrace'>{</span><span class='rbrace'>}</span>
<span class='lparen'>(</span><span class='ivar'>@fve_metadata_entries</span><span class='lbracket'>[</span><span class='const'><span class='object_link'><a href="#ENTRY_TYPE_VMK-constant" title="Rex::Parser::BITLOCKER::ENTRY_TYPE_VMK (constant)">ENTRY_TYPE_VMK</a></span></span><span class='rbracket'>]</span><span class='lbracket'>[</span><span class='const'><span class='object_link'><a href="#VALUE_TYPE_VMK-constant" title="Rex::Parser::BITLOCKER::VALUE_TYPE_VMK (constant)">VALUE_TYPE_VMK</a></span></span><span class='rbracket'>]</span><span class='rparen'>)</span><span class='period'>.</span><span class='id identifier rubyid_each'>each</span> <span class='kw'>do</span> <span class='op'>|</span><span class='id identifier rubyid_vmk'>vmk</span><span class='op'>|</span>
<span class='id identifier rubyid_protection_type'>protection_type</span> <span class='op'>=</span> <span class='id identifier rubyid_vmk'>vmk</span><span class='lbracket'>[</span><span class='int'>26</span><span class='comma'>,</span> <span class='int'>2</span><span class='rbracket'>]</span><span class='period'>.</span><span class='id identifier rubyid_unpack'>unpack</span><span class='lparen'>(</span><span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>v</span><span class='tstring_end'>&#39;</span></span><span class='rparen'>)</span><span class='lbracket'>[</span><span class='int'>0</span><span class='rbracket'>]</span>
<span class='kw'>if</span> <span class='id identifier rubyid_res'>res</span><span class='lbracket'>[</span><span class='id identifier rubyid_protection_type'>protection_type</span><span class='rbracket'>]</span><span class='period'>.</span><span class='id identifier rubyid_nil?'>nil?</span>
<span class='id identifier rubyid_res'>res</span><span class='lbracket'>[</span><span class='id identifier rubyid_protection_type'>protection_type</span><span class='rbracket'>]</span> <span class='op'>=</span> <span class='lbracket'>[</span><span class='id identifier rubyid_fve_entries'>fve_entries</span><span class='lparen'>(</span><span class='id identifier rubyid_vmk'>vmk</span><span class='lbracket'>[</span><span class='int'>28</span><span class='op'>..</span><span class='op'>-</span><span class='int'>1</span><span class='rbracket'>]</span><span class='rparen'>)</span><span class='rbracket'>]</span>
<span class='kw'>else</span>
<span class='id identifier rubyid_res'>res</span><span class='lbracket'>[</span><span class='id identifier rubyid_protection_type'>protection_type</span><span class='rbracket'>]</span> <span class='op'>+=</span> <span class='lbracket'>[</span><span class='id identifier rubyid_fve_entries'>fve_entries</span><span class='lparen'>(</span><span class='id identifier rubyid_vmk'>vmk</span><span class='lbracket'>[</span><span class='int'>28</span><span class='op'>..</span><span class='op'>-</span><span class='int'>1</span><span class='rbracket'>]</span><span class='rparen'>)</span><span class='rbracket'>]</span>
<span class='kw'>end</span>
<span class='kw'>end</span>
<span class='id identifier rubyid_res'>res</span>
<span class='kw'>end</span></pre>
</td>
</tr>
</table>
</div>
<div class="method_details ">
<h3 class="signature " id="vmk_from_recovery_password-instance_method">
#<strong>vmk_from_recovery_password</strong>(recoverykey) &#x21d2; <tt>Object</tt>
</h3><div class="docstring">
<div class="discussion">
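<p>Stretches the recovery key with every stretch-key salt, then tries each stretched key against every VMK encrypted with a recovery password. Returns the first VMK that decrypts, and raises ArgumentError if none does.</p>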
</div>
</div>
<div class="tags">
</div><table class="source_code">
<tr>
<td>
<pre class="lines">
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97</pre>
</td>
<td>
<pre class="code"><span class="info file"># File 'lib/rex/parser/fs/bitlocker.rb', line 79</span>
<span class='kw'>def</span> <span class='id identifier rubyid_vmk_from_recovery_password'>vmk_from_recovery_password</span><span class='lparen'>(</span><span class='id identifier rubyid_recoverykey'>recoverykey</span><span class='rparen'>)</span>
<span class='id identifier rubyid_recovery_keys_stretched'>recovery_keys_stretched</span> <span class='op'>=</span> <span class='id identifier rubyid_recovery_key_transformation'>recovery_key_transformation</span><span class='lparen'>(</span><span class='id identifier rubyid_recoverykey'>recoverykey</span><span class='rparen'>)</span>
<span class='id identifier rubyid_vmk_encrypted_in_recovery_password_list'>vmk_encrypted_in_recovery_password_list</span> <span class='op'>=</span> <span class='ivar'>@vmk_entries_hash</span><span class='lbracket'>[</span>
<span class='const'><span class='object_link'><a href="#PROTECTION_RECOVERY_PASSWORD-constant" title="Rex::Parser::BITLOCKER::PROTECTION_RECOVERY_PASSWORD (constant)">PROTECTION_RECOVERY_PASSWORD</a></span></span><span class='rbracket'>]</span>
<span class='id identifier rubyid_vmk_recovery_password'>vmk_recovery_password</span> <span class='op'>=</span> <span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_end'>&#39;</span></span>
<span class='id identifier rubyid_vmk_encrypted_in_recovery_password_list'>vmk_encrypted_in_recovery_password_list</span><span class='period'>.</span><span class='id identifier rubyid_each'>each</span> <span class='kw'>do</span> <span class='op'>|</span><span class='id identifier rubyid_vmk'>vmk</span><span class='op'>|</span>
<span class='id identifier rubyid_vmk_encrypted'>vmk_encrypted</span> <span class='op'>=</span> <span class='id identifier rubyid_vmk'>vmk</span><span class='lbracket'>[</span><span class='const'><span class='object_link'><a href="#ENTRY_TYPE_NONE-constant" title="Rex::Parser::BITLOCKER::ENTRY_TYPE_NONE (constant)">ENTRY_TYPE_NONE</a></span></span><span class='rbracket'>]</span><span class='lbracket'>[</span><span class='const'><span class='object_link'><a href="#VALUE_TYPE_ENCRYPTED_KEY-constant" title="Rex::Parser::BITLOCKER::VALUE_TYPE_ENCRYPTED_KEY (constant)">VALUE_TYPE_ENCRYPTED_KEY</a></span></span><span class='rbracket'>]</span><span class='lbracket'>[</span><span class='int'>0</span><span class='rbracket'>]</span>
<span class='id identifier rubyid_recovery_keys_stretched'>recovery_keys_stretched</span><span class='period'>.</span><span class='id identifier rubyid_each'>each</span> <span class='kw'>do</span> <span class='op'>|</span><span class='id identifier rubyid_recovery_key'>recovery_key</span><span class='op'>|</span>
<span class='id identifier rubyid_vmk_recovery_password'>vmk_recovery_password</span> <span class='op'>=</span> <span class='id identifier rubyid_decrypt_aes_ccm_key'>decrypt_aes_ccm_key</span><span class='lparen'>(</span>
<span class='id identifier rubyid_vmk_encrypted'>vmk_encrypted</span><span class='comma'>,</span> <span class='id identifier rubyid_recovery_key'>recovery_key</span><span class='rparen'>)</span>
<span class='kw'>break</span> <span class='kw'>if</span> <span class='id identifier rubyid_vmk_recovery_password'>vmk_recovery_password</span> <span class='op'>!=</span> <span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_end'>&#39;</span></span>
<span class='kw'>end</span>
<span class='kw'>break</span> <span class='kw'>if</span> <span class='id identifier rubyid_vmk_recovery_password'>vmk_recovery_password</span> <span class='op'>!=</span> <span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_end'>&#39;</span></span>
<span class='kw'>end</span>
<span class='kw'>if</span> <span class='id identifier rubyid_vmk_recovery_password'>vmk_recovery_password</span> <span class='op'>==</span> <span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_end'>&#39;</span></span>
<span class='id identifier rubyid_fail'>fail</span> <span class='const'>ArgumentError</span><span class='comma'>,</span> <span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>Wrong decryption, bad recovery key?</span><span class='tstring_end'>&#39;</span></span>
<span class='kw'>end</span>
<span class='id identifier rubyid_vmk_recovery_password'>vmk_recovery_password</span>
<span class='kw'>end</span></pre>
</td>
</tr>
</table>
</div>
</div>
</div>
<div id="footer">
Generated on Fri May 8 17:04:14 2026 by
<a href="https://yardoc.org" title="Yay! A Ruby Documentation Tool" target="_parent">yard</a>
0.9.37 (ruby-3.1.5).
</div>
</div>
</body>
</html>