Скачать или смотреть VeraCrypt Cleartext Credentials by Win32 API Hooking

The open source program VeraCrypt (successor of Truecrypt) can be used for secure encryption (e.g. AES) of own data. There is currently no real vulnerability in the software itself, but since a few days it has been possible with the POC "VeraCryptThief" to read the plaintext credentials via API hooking as soon as a user mounts the respective database via password entry.

But how is this possible, is this a vulnerability of the software VeraCrypt? In my opinion not, because the reading of the entered plaintext credentials happens via Win32 API hooking. I think that if you understand the concept of API hooking, you will also understand that this POC is not a vulnerability in the classical sense. Rather, this POC impressively demonstrates that regardless of whether you are a developer or a malicious attacker. Under Windows, the same rules of the game apply to everyone and so also in the context of the architecture of WIN32 APIs. Here's a tip, if you want to learn more about Windows internals and understand how Win32 APIs work, you should visit the courses of Windows God Pavel Yosifovich.

https://lnkd.in/dWvsRFqf

It would be interesting to find out how to mitigate API hooking. One approach could be to run the process VeraCrypt.exe as Protected Process Light and thus prevent unwanted access to the address memory of the process VeraCrypt.exe. Whether or how this can be implemented programmatically without friction in practice or what the effects on the existing source code of VeraCrypt are, I can not judge at this point.

This POC also shows us how important it is to have a good AV/EDR solution that follows a sensible strategy in the area of Windows Win32 API hooking detection.

All creds to @snovvcrash
https://lnkd.in/dU9MDU5J