Skip to content

Foxtrot

Jump to bottom
hkx3upper edited this page Jun 18, 2022 · 2 revisions

Description:

Foxtrot is a double-cachemap transparent encryption and decryption filter driver using the minifilter driver, which automatically encrypts files when the process has a tendency to write files with specific file extensions (such as txt, docx).
When the authorized process wants to read the ciphertext file, it will be automatically decrypted, and the unauthorized process will not decrypt it, display the ciphertext, and do not allow the ciphertext to be modified.
The PocUserPanel.exe can send privileged encryption and privileged decryption commands to encrypt or decrypt files individually; or configure process permissions, confidential folders, and file types to be encrypted.

1. This project uses double cachemap, and the authorized process and the unauthorized process use 
   plaintext cachemap and ciphertext cachemap respectively;   
2. Use StreamContext to store the file information when the driver is running, 
   and use the 4KB tailer at the end of the file to store the information required for decryption;   
3. Use AES-128 ECB mode, within 16 bytes, 
   expand the file size to 16 bytes in SetInfo->EOF and WriteCachedIo respectively, 
   if it is greater than 16 bytes, use the method of ciphertext stealing to pad plaintext.  
4. Write and Read use SwapBuffers for transparent encryption and decryption;   
5. Use Reentry for privileged encryption and privileged decryption 
   to enable the driver to encrypt and decrypt files;   
6. Encrypt files in FileRenameInformationEx and FileRenameInformation When renaming operations, 
   it can automatically encrypt and decrypt docx, doc, pptx, ppt, xlsx, xls and other files 
   that are read and written using the .tmp file renaming method;   
7. Register process notify routines, and use linked lists to control processes; 
   Register process and thread object callback, protect process EPROCESS, ETHREAD objects; 
   perform integrity check on the .text segment of authorized process.   
8. Set a confidential folder, the file will be transparently encrypted under this folder, 
   and you can configure the confidential folder and the file extension to be controlled 
   from the PocUserPanel.exe @wangzhankun   
9. PostOperation uses the function FltDoCompletionProcessingWhenSafed (except PostRead), 
   when InstanceSetup Use Dpc+WorkItem callback (encapsulated as PocDoCompletionProcessingWhenSafe) 
   to avoid bsod such as IRQL_NOT_LESS_OR_EQUAL when DISPATCH_LEVEL;   
10. Create a thread for PostClose, wait for all authorized processes to operate the file to end, 
   and then reentry to encrypt or write the tail into files, 
   which solves the deadlock problem of writing docx files;   
11. Change ULONG to LONGLONG, in principle, it can support files over 4GB 
   (currently privileged encryption and privileged decryption do not support files over 4GB, 
   and in the case of limited memory, Privileged decryption may fail due to the lack of NonPagedPool. 
   Here, you can read and write large files in a loop.)   
12. WPF is used to write the user interface, you can configure the authorization process, 
   the type of files to be controlled, and confidential files folder, 
   and privileged encrypted and decrypted files.  
13. Add process permissions: Backup permission processes, such as VMTools and explorer.exe, 
   can copy the complete ciphertext file from the virtual machine, or from the confidential file.    
14. After Write encryption, ObDereferenceObject, a previously built FileObject, 
   triggers the creation of PostCloseOperaton Thread prepares to write tail or reentrant encryption.

Build & Installation:

  1. It is recommended to run in Windows 10 x64, NTFS filesystem
Tested system and software version:
Windows 10 x64 1809(17763.2928) LTSC Enterprise [WPS 11.1.0.11365]
Windows 10 x64 1903(18362.30) Education [Microsoft Office Professional Plus 2021 x64]
                                    [WPS 11.1.0.11744] [360 Security Guard 15.0.0.1061]
Windows 10 x64 1909(18363.592) Education [WPS 11.1.0.11744]
Windows Server 2019 DataCenter 1809(17763.379)
  1. The system turns on the test mode, cmd is run as an administrator, enter bcdedit /set testsigning on and restart the computer
  2. Drive log output (optional)
Find the registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\
Create a new one Debug Print Filter, create a new dword value "default" under this key, the hexadecimal is 0xF, and then restart the computer
DebugView as administrator, set `Capture->Capture Kernel` to display driver log
  1. Download the installation packageDownload
    If ​​you download the installation package, you don't need to compile the project manually, you can skip to step 10 directly
  2. Install and import the CNG library
https://www.microsoft.com/en-us/download/details.aspx?id=30688
You need to download the Cryptographic Provider Development Kit from Microsoft's official website,
Project->Properties include directory of VC++ directory, library directory to set the corresponding location
Linker->General->Additional Libraries Directory C:\Windows Kits\10\Cryptographic Provider Development Kit\Lib\x64
Enter->Additional Dependencies ksecdd.lib
  1. Set the target file extension, secret folder, and authorization process in Config.c
  2. Use Visual Studio 2019 to compile the Debug x64 Poc driver, UserDll (optional) and UserPanel (optional)
  3. Add privilege encryption and privilege decryption functions to the right mouse button menu (optional)
This function can directly select a file with the right mouse button, and then click privileged encryption or privileged decryption, no cmd command line is required.
Create a new registry key: HKEY_CLASSES_ROOT\*\shell\Encrypt, change the "default" data of this key to "privileged encryption"
New registry key: HKEY_CLASSES_ROOT\*\shell\Encrypt\command,
Change the data for the "default" value of this key to "path\PocUserPanel.exe" 8 "%1"

Create a new registry key: HKEY_CLASSES_ROOT\*\shell\Decrypt, change the "default" data of this key to "privileged decryption"
New registry key: HKEY_CLASSES_ROOT\*\shell\Decrypt\command,
Change the data for the "default" value of this key to "path\PocUserPanel.exe" 4 "%1"
  1. If you use a loader such as OsrLoader to load the driver, please select Minifilter for Type, or you can use cmd to load, as follows
::install
rundll32.exe setupapi.dll,InstallHinfSection DefaultInstall 132 Path\Poc.inf
net start Poc
pause
::uninstall
net stop Poc
rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 Path\Poc.inf
  1. After the driver is loaded, test whether it works normally (see TestManual.md for details)
Write some data to the txt file with notepad.exe (configured as an authorized process by default),
Then use wordpad.exe (the default configuration is an unauthorized process) to open it, and only see the messy data, 
indicating that the encryption is successful.
P.S. After the file is encrypted, even if the driver is closed (without restarting the computer), 
Notepad will still see the plaintext (because there is a cache map);
The encryption tail can only be seen when the driver is turned off and restarted without opening the driver.

bandicam-2022-06-07-14-17-43-706

  1. Use the PocUserPanel in the compiled or installed package to configure various path

Clone this wiki locally