partitionhider

Dangerous and risky bash scripts to conceal and recover partitions using literal writes to MBR
git clone git://git.defalsify.org/partitionhider.git

commit f56067a848c74054de136fc5c63c98e0f4b19846
parent cbe241c3962e257190993667494e239c132065ea
Author: nolash <dev@holbrook.no>
Date:   Fri, 20 Apr 2018 13:50:28 +0200

README for initial shell script

Diffstat:
A sh-decrypt-and-hide/README.md | 84 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
R r.sh -> sh-decrypt-and-hide/r.sh | 0
A sh-decrypt-and-hide/w.sh | 144 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
D w.sh | 137 -------------------------------------------------------------------------------
4 files changed, 228 insertions(+), 137 deletions(-)

diff --git a/sh-decrypt-and-hide/README.md b/sh-decrypt-and-hide/README.md 
@@ -0,0 +1,84 @@ +# sh-decrypt-and-hide + +***WARNING WARNING WARNING*** + +**This program messes around with raw partitions and the MBR. They can REALLY EASILY destroy data. This code is to be treated as sample code, not a working application. There is weak error handling, and may make a lot of dangerous assumptions. Author assumes NO liability for their usage** + +The imagined use case for this code is to temporarily conceal the existence of data on a block device. It encrypts the partition data into nonsensical random bytes, but also hides the fact that there was a partition there in the first place. The data and scripts required to restore the data partition are embedded in the encrypted blob itself. + +# hide + +First, manually make a note of the partition start sector and sector size. If this numbers are lost, the data cannot be recovered: + +``` +fdisk -l <device> + +eg. + +]$ sudo fdisk -l /dev/sda +Disk /dev/sda: 111.8 GiB, 120034123776 bytes, 234441648 sectors +Units: sectors of 1 * 512 = 512 bytes <==================================== sector size is here +Sector size (logical/physical): 512 bytes / 512 bytes +I/O size (minimum/optimal): 512 bytes / 512 bytes +Disklabel type: dos +Disk identifier: 0x6ca35cb5 + +Device Boot Start End Sectors Size Id Type +/dev/sda1 2048 41945087 41943040 20G 83 Linux +/dev/sda2 * 41945088 41947135 2048 1M 4 FAT16 <32M +/dev/sda3 41947136 50335743 8388608 4G 82 Linux swap / Solaris +/dev/sda4 50335744 234441647 184105904 87.8G 83 Linux + + ^========================= start sector is here +``` + +Then invoke the script: + + +``` +w.sh <device> <partition number> + +eg. + +w.sh /dev/sda 4 +``` + +The procedure will: + +* dump and encrypt a partition +* dump the partition table entry for that partition +* create an ext4 fs with the two scripts, plus device/partition information, the data offset, encryption password and size of data, and encrypt it + - this fs will be 1000 times the sector size. 
+* write this data to the start sector pos of the partition, immediately following each other: + - the encrypted script/data fs + - the partition table entry + - the encrypted partition data itself +* shred and remove data and password from disk, and optionally scripts aswell. + +# reveal + +``` +dd if=<device> bs=1 count=$(((<sector size>*1000)+32)) | ccrypt -d -c > <fsfile> +mount <fsfile> <mntpnt> +cd <mntpnt> +sh r.sh +``` + +The procedure will: + +* Read the device, partition number, the absolute data offset and the encryption password from the stored data file. +* calculates the data size from the LBA size field in the stored partition entry +* writes the partition entry to the partition table +* decrypts and dumps the data to a temporary file +* writes the data back to the original sector offset on the partition +* shreds and deletes the data file, and optionally copies the script files (back) to a desired location + +# requirements + +This code has been successfully run using: + +- linux 4.15.13 (ARCH) +- bash 4.4.19 +- coreutils 8.29 (dd, shred ...) +- utils-linux 2.31.1 (fdisk, blockdev, hexdump) +- ccrypt 1.10 diff --git a/r.sh b/sh-decrypt-and-hide/r.sh diff --git a/sh-decrypt-and-hide/w.sh b/sh-decrypt-and-hide/w.sh 
@@ -0,0 +1,144 @@ +#!/bin/bash + +if [ -z $2 ]; then + echo "usage: $0 <device> <partition-number>" + echo + echo eg. device /dev/sda5 is specified /dev/sda 5 + exit 1 +fi + +which ccrypt 2> /dev/null || exit 2 +which blockdev 2> /dev/null || exit 2 +which hexdump 2> /dev/null || exit 2 + +DEV=$1 +PART=$2 + +tmpdir=`mktemp -d` +if [ $? != 0 ]; then + exit 3 +fi + +mbroffset=$((446+(($PART-1)*16))) + +sizehex=`hexdump -e '1/4 "%08x"' -s$((mbroffset+8)) -n4 $DEV` +echo $sizehex +OFFSET=`printf "%d" 0x$sizehex` +OFFSET_DATA=$(($OFFSET+1000)) + +insize=`blockdev --getsize64 $DEV$PART` +if [ $? != 0 ]; then + exit 4 +fi +secsize=`blockdev --getss $DEV` +if [ $? != 0 ]; then + exit 4 +fi + +outbytesoffset=$(($secsize*$OFFSET)) + +echo "mbroffset $mbroffset" +# ccrypt prepends a magic number of 32 bytes at start of file +insize=$((insize+32)) + +cat <<EOF +*** WARNING WARNING WARNING *** + +This will write $(($insize+(4*$secsize))) bytes on $DEV at sector offset $OFFSET (byte $outbytesoffset) +Any existing data will be destroyed! + +It will also overwrite the partition entry for $DEV$PART + +EOF + +read -p "proceed? (type uppercase YES): " confirm +if [ -z "$confirm" ] || [ $confirm != "YES" ]; then + echo "aborted" + exit 1 +fi +read -sp "encryption password: " pass +echo +echo $pass > ${tmpdir}/.pass + +echo using tmpdir ${tmpdir} +echo "dumping data..." +dd if=$DEV$PART of=${tmpdir}/foo +if [ $? != 0 ]; then + exit 5 +fi + +echo "encrypting data..." +ccrypt ${tmpdir}/foo -k ${tmpdir}/.pass +if [ $? != 0 ]; then + exit 6 +fi + +# TODO: check if its on a boundary + +echo "writing data..." +dd if=$DEV of=$DEV skip=$mbroffset seek=$((($secsize*$OFFSET_DATA)+32)) bs=1 count=16 +dd if=${tmpdir}/foo.cpt of=$DEV seek=$((($secsize*$OFFSET_DATA)+16+32)) oflag=seek_bytes +if [ $? 
!= 0 ]; then + exit 7 +fi + +shred ${tmpdir}/foo.cpt + +# create a file fs to write the encrypted scripts to +mkdir ${tmpdir}/mnt +dd if=/dev/zero of=${tmpdir}/scripts_blocks bs=$secsize count=1000 +if [ $? != 0 ]; then + exit 8 +fi + +mkfs.ext4 ${tmpdir}/scripts_blocks +if [ $? != 0 ]; then + exit 9 +fi + +mount ${tmpdir}/scripts_blocks ${tmpdir}/mnt +if [ $? != 0 ]; then + exit 10 +fi + +# create a tar of the scripts +cp w.sh r.sh ${tmpdir}/mnt +if [ $? != 0 ]; then + exit 11 +fi +cat <<eof > ${tmpdir}/mnt/data +$DEV $PART $secsize $((($secsize*$OFFSET_DATA)+32)) $insize $pass +eof + +umount ${tmpdir}/mnt +if [ $? != 0 ]; then + exit 12 +fi + +# encrypt the scripts +ccrypt ${tmpdir}/scripts_blocks -k ${tmpdir}/.pass +if [ $? != 0 ]; then + exit 13 +fi +dd if=${tmpdir}/scripts_blocks.cpt of=$DEV seek=$OFFSET +if [ $? != 0 ]; then + exit 14 +fi + +shred ${tmpdir}/.pass +shred ${tmpdir}/scripts_blocks.cpt +rm ${tmpdir} -rf + +echo "removing partition entry" +dd if=/dev/zero of=$DEV seek=$mbroffset bs=1 count=16 +if [ $? != 0 ]; then + exit 15 +fi + +read -p "Remove script files? (type uppercase YES):" y +if [ $y == "YES" ]; then + shred w.sh + shred r.sh + rm -v w.sh + rm -v r.sh +fi diff --git a/w.sh b/w.sh 
@@ -1,137 +0,0 @@ -#!/bin/bash - -which ccrypt 2> /dev/null || exit 2 -which blockdev 2> /dev/null || exit 2 -which hexdump 2> /dev/null || exit 2 - -DEV=$1 -PART=$2 - -tmpdir=`mktemp -d` -if [ $? != 0 ]; then - exit 3 -fi - -mbroffset=$((446+(($PART-1)*16))) - -sizehex=`hexdump -e '1/4 "%08x"' -s$((mbroffset+8)) -n4 $DEV` -echo $sizehex -OFFSET=`printf "%d" 0x$sizehex` -OFFSET_DATA=$(($OFFSET+1000)) - -insize=`blockdev --getsize64 $DEV$PART` -if [ $? != 0 ]; then - exit 4 -fi -secsize=`blockdev --getss $DEV` -if [ $? != 0 ]; then - exit 4 -fi - -outbytesoffset=$(($secsize*$OFFSET)) - -echo "mbroffset $mbroffset" -# ccrypt prepends a magic number of 32 bytes at start of file -insize=$((insize+32)) - -cat <<EOF -*** WARNING WARNING WARNING *** - -This will write $(($insize+(4*$secsize))) bytes on $DEV at sector offset $OFFSET (byte $outbytesoffset) -Any existing data will be destroyed! - -It will also overwrite the partition entry for $DEV$PART - -EOF - -read -p "proceed? (type uppercase YES): " confirm -if [ -z "$confirm" ] || [ $confirm != "YES" ]; then - echo "aborted" - exit 1 -fi -read -sp "encryption password: " pass -echo -echo $pass > ${tmpdir}/.pass - -echo using tmpdir ${tmpdir} -echo "dumping data..." -dd if=$DEV$PART of=${tmpdir}/foo -if [ $? != 0 ]; then - exit 5 -fi - -echo "encrypting data..." -ccrypt ${tmpdir}/foo -k ${tmpdir}/.pass -if [ $? != 0 ]; then - exit 6 -fi - -# TODO: check if its on a boundary - -echo "writing data..." -dd if=$DEV of=$DEV skip=$mbroffset seek=$((($secsize*$OFFSET_DATA)+32)) bs=1 count=16 -dd if=${tmpdir}/foo.cpt of=$DEV seek=$((($secsize*$OFFSET_DATA)+16+32)) oflag=seek_bytes -if [ $? != 0 ]; then - exit 7 -fi - -shred ${tmpdir}/foo.cpt - -# create a file fs to write the encrypted scripts to -mkdir ${tmpdir}/mnt -dd if=/dev/zero of=${tmpdir}/scripts_blocks bs=$secsize count=1000 -if [ $? != 0 ]; then - exit 8 -fi - -mkfs.ext4 ${tmpdir}/scripts_blocks -if [ $? 
!= 0 ]; then - exit 9 -fi - -mount ${tmpdir}/scripts_blocks ${tmpdir}/mnt -if [ $? != 0 ]; then - exit 10 -fi - -# create a tar of the scripts -cp w.sh r.sh ${tmpdir}/mnt -if [ $? != 0 ]; then - exit 11 -fi -cat <<eof > ${tmpdir}/mnt/data -$DEV $PART $secsize $((($secsize*$OFFSET_DATA)+32)) $insize $pass -eof - -umount ${tmpdir}/mnt -if [ $? != 0 ]; then - exit 12 -fi - -# encrypt the scripts -ccrypt ${tmpdir}/scripts_blocks -k ${tmpdir}/.pass -if [ $? != 0 ]; then - exit 13 -fi -dd if=${tmpdir}/scripts_blocks.cpt of=$DEV seek=$OFFSET -if [ $? != 0 ]; then - exit 14 -fi - -shred ${tmpdir}/.pass -shred ${tmpdir}/scripts_blocks.cpt -rm ${tmpdir} -rf - -echo "removing partition entry" -dd if=/dev/zero of=$DEV seek=$mbroffset bs=1 count=16 -if [ $? != 0 ]; then - exit 15 -fi - -read -p "Remove script files? (type uppercase YES):" y -if [ $y == "YES" ]; then - shred w.sh - shred r.sh - rm -v w.sh - rm -v r.sh -fi
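Review bot: the reveal command in the README reads from the wrong place: `dd if=<device> bs=1 count=$(((<sector size>*1000)+32))` has no `skip=`, so it pipes the first bytes of the device (the MBR itself) into ccrypt instead of the encrypted scripts fs that w.sh placed at the partition's start sector. Add `skip=$((<start sector>*<sector size>))` so the start sector the hide section tells the user to write down is actually used, and say in the reveal section that this is where it is needed. Smaller documentation points in the same hunk: "If this numbers are lost" should read "If these numbers are lost", "aswell" is "as well", and the hide list says the encryption password is stored inside the scripts fs; since that fs is itself encrypted with the same password, the reader must already have it to run `ccrypt -d`, so the copy inside the blob adds nothing but a plaintext copy of the key.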
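Review bot: `dd if=${tmpdir}/scripts_blocks.cpt of=$DEV seek=$OFFSET` seeks in dd's default 512-byte blocks while every other offset in the script is derived from `$secsize` (`blockdev --getss`), so on a device whose logical sector size is not 512 the scripts fs lands at the wrong byte offset and the partition entry and data written at `$secsize*$OFFSET_DATA` no longer follow it; use `bs=$secsize seek=$OFFSET` or `seek=$outbytesoffset oflag=seek_bytes`, the form already used two lines above for the data write. Further points in this hunk: the banner the user confirms claims `$(($insize+(4*$secsize)))` bytes will be written, but the script writes 1000 sectors of scripts fs plus the 32-byte ccrypt header, the 16-byte entry and `$insize`, so the figure understates what is destroyed; the plaintext dump `${tmpdir}/foo` is never shredded (only `foo.cpt` and `.pass` are) and `$pass` is echoed into `.pass` and into `mnt/data`; the partition-entry copy `dd if=$DEV of=$DEV ... count=16` has no exit check, unlike every other dd; the kernel is never told to re-read the table after the entry is zeroed (`blockdev --rereadpt $DEV` would do, blockdev is already a dependency); `[ $y == "YES" ]` is a syntax error when the answer is empty, unlike the guarded `confirm` test above it, so quote it as `[ "$y" == "YES" ]`; and `sizehex` holds the entry's starting LBA (field at offset 8), not a size, so a name like `starthex` would match what `OFFSET` is built from.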
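Review bot: this hunk deletes the old top-level w.sh whose body is the new sh-decrypt-and-hide/w.sh minus the added usage check, yet git recorded it as a delete plus add (the diffstat marks r.sh as a rename and w.sh as D/A) because the added lines pushed similarity below the rename threshold. Moving the file with `git mv` in one commit and adding the usage check in the next would keep `git log --follow` history for w.sh and reduce the review to the seven added lines instead of 144 added and 137 removed.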