
feat: Implement VeraCrypt Self-Destruct Trigger for Windows (#60)#107

Open
Ashutosh0x wants to merge 1 commit into
BusKill:masterfrom
Ashutosh0x:feat/veracrypt-self-destruct-windows

Conversation

@Ashutosh0x Ashutosh0x commented May 23, 2026

Summary

This PR implements the VeraCrypt self-destruct trigger for Windows, as described in issue #60. When the BusKill kill cord is disconnected with this trigger enabled, it permanently destroys all VeraCrypt volume headers, rendering encrypted data irrecoverable — then initiates an immediate hard shutdown.

Deliverables (as specified in #60)

1. spawn_root_child() for Windows

  • Implemented in __init__.py within the existing spawn_root_child() method
  • Spawns root_child_win.py as a child process using subprocess.Popen() with stdin=PIPE, stdout=PIPE, stderr=PIPE for IPC
  • Performs sanity checks: file existence, symlink rejection
  • Follows the same architecture pattern as the macOS implementation

2. root_child_win.py — Elevated child process

  • Mirrors the exact architecture of root_child_mac.py: loops reading commands from stdin, executes them, writes results to stdout
  • Handles veracrypt-self-destruct command -> calls trigger_veracrypt_selfdestruct()
  • Handles soft-shutdown command -> calls trigger_hard_shutdown()
  • Paranoid input validation (regex-based command validation, path sanitization)
  • Logs everything to the same log file as the parent process

3. trigger_veracrypt_selfdestruct() — The self-destruct sequence

Executes a 4-step self-destruct sequence:

  1. Discover — Uses VeraCrypt.exe /list to enumerate all currently mounted VeraCrypt volumes (both file containers and partitions)
  2. Dismount — Force-dismounts all volumes via VeraCrypt.exe /dismount /force /quit /silent
  3. Wipe Headers — For each discovered volume, overwrites:
    • Primary header (first 128 KB at offset 0) with 3 passes of cryptographically secure random data (secrets.token_bytes())
    • Backup header (last 128 KB at end of volume) with 3 passes of cryptographically secure random data
    • Uses os.fsync() for file containers and FlushFileBuffers() for raw devices to ensure data hits disk
  4. Hard Shutdown — Executes shutdown /s /f /t 0 (with /p /f fallback)

Supports both:

  • File containers (.hc / .tc files) — uses standard Python file I/O
  • Raw device/partition volumes (\\?\Volume{GUID}) — uses Win32 CreateFileW / WriteFile / DeviceIoControl via ctypes

4. Forensic verification

A forensic analysis can be performed by:

  • Creating a test VeraCrypt file container
  • Hex-dumping the first and last 128 KB before the trigger
  • Running the trigger
  • Hex-dumping again to confirm the headers are now random data
  • Attempting to mount the container (should fail)

Technical Details

VeraCrypt Header Layout

Region                 Offset          Size                      Purpose
Primary Header         0               128 KB (131,072 bytes)    Salt + encrypted master keys
Hidden Volume Header   65,536          -                         Hidden volume keys (if any)
Data Area              131,072         Variable                  Encrypted user data
Backup Header          End - 128 KB    128 KB                    Backup of primary header

Overwriting both the primary and backup headers with random data makes the volume permanently unrecoverable, even with the correct password — the master encryption keys are destroyed.

Security Considerations

  • All random data is generated using secrets.token_bytes() (CSPRNG)
  • 3 overwrite passes per header for defense-in-depth
  • Symlink checks prevent path redirection attacks
  • Input validation prevents command injection
  • Writes are flushed to disk (os.fsync / FlushFileBuffers) to prevent caching

Files Changed

  • [NEW] src/packages/buskill/root_child_win.py — Elevated child process for Windows
  • [MODIFIED] src/packages/buskill/__init__.py — Windows spawn_root_child(), trigger dispatch, set_trigger() handler
  • [MODIFIED] src/packages/buskill/settings_buskill.json — Added veracrypt-self-destruct trigger option with warning

Testing

  • Tested on Windows 10/11
  • Verified VeraCrypt volume discovery via VeraCrypt.exe /list
  • Verified header wipe on test file containers
  • Verified hard shutdown sequence

References

Implements the VeraCrypt self-destruct trigger for Windows as described
in issue BusKill#60. This adds the ability for BusKill to permanently destroy
VeraCrypt volume headers when the kill cord is disconnected, rendering
encrypted data permanently inaccessible.

Deliverables implemented:
1. spawn_root_child() for Windows - spawns root_child_win.py as a
   child process with admin privileges via subprocess.Popen with
   stdin/stdout pipes for IPC
2. root_child_win.py - a paranoid, minimal script that runs with
   admin privileges and listens for commands on stdin. Handles
   'veracrypt-self-destruct' and 'soft-shutdown' commands
3. trigger_veracrypt_selfdestruct() - discovers mounted VeraCrypt
   volumes via 'VeraCrypt.exe /list', force-dismounts all volumes,
   wipes both primary (offset 0) and backup (end of volume) 128KB
   headers with 3 passes of cryptographically secure random data
   using secrets.token_bytes(), then initiates hard shutdown
4. Supports both file containers (standard file I/O) and raw
   device/partition volumes (Win32 CreateFileW/WriteFile API)

Also updates settings_buskill.json with the new trigger option and
appropriate IRREVERSIBLE data loss warning dialog.

Closes BusKill#60
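The header-wipe step described in the PR, written out as an added example that is not BusKill project code and not the code under review. It assumes the layout the PR states (primary header group in the first 128 KiB, backup header group in the last 128 KiB), handles only file containers (the raw-device path via CreateFileW/WriteFile is out of scope), refuses symlinks, and does flush + fsync after every pass. The stand-in container it builds is a constructed 0x41-filled file sized like a small volume, not a real VeraCrypt container, so the "attempt to mount" check is replaced by a byte-entropy check on the regions before and after. Two caveats a reviewer would raise for the real trigger: the volume must be dismounted before the header is touched (the master keys stay in the driver's memory until then), and an in-place overwrite does not guarantee the old header is gone from SSDs with wear levelling, copy-on-write filesystems, snapshots, or any external header backup the user exported from VeraCrypt.

```python
"""Constructed example: wipe the header regions of a VeraCrypt-style file container.

Not BusKill project code.  Assumes the PR's layout: primary header group in the
first 128 KiB, backup header group in the last 128 KiB.  File containers only.
"""
import math
import os
import secrets
import tempfile
from collections import Counter

HEADER_REGION = 128 * 1024   # 131,072 bytes: outer + hidden header (or their backups)
PASSES = 3


def wipe_volume_headers(path, region=HEADER_REGION, passes=PASSES):
    """Overwrite the first and last `region` bytes of `path` with CSPRNG data.

    Returns the volume size in bytes.  Refuses symlinks (path redirection) and
    files too small to hold two header groups (almost certainly not a volume).
    """
    if os.path.islink(path):
        raise ValueError(f"refusing to follow symlink: {path!r}")
    with open(path, "r+b") as f:
        size = os.fstat(f.fileno()).st_size
        if size < 2 * region:
            raise ValueError(f"{path!r} is {size} bytes; too small for two header groups")
        for offset in (0, size - region):          # primary group, then backup group
            for _ in range(passes):
                f.seek(offset)
                f.write(secrets.token_bytes(region))
                f.flush()                           # push Python's buffer to the OS
                os.fsync(f.fileno())                # ask the OS to commit it to the device
    return size


def read_region(path, offset, length):
    with open(path, "rb") as f:
        f.seek(offset)
        return f.read(length)


def byte_entropy(data):
    """Shannon entropy in bits per byte: ~8.0 for CSPRNG output, 0.0 for one repeated byte."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def demo(container_size=1024 * 1024):
    """Build a constructed stand-in container, wipe it, and report what changed.

    The stand-in is a plain file of 0x41 bytes sized like a small volume; it is
    not a real VeraCrypt container, so a mount attempt is not part of the check.
    """
    fd, path = tempfile.mkstemp(suffix=".hc")
    os.close(fd)
    try:
        with open(path, "wb") as f:
            f.write(b"A" * container_size)
        tail_off = container_size - HEADER_REGION
        data_len = tail_off - HEADER_REGION
        before = {
            "head": read_region(path, 0, HEADER_REGION),
            "tail": read_region(path, tail_off, HEADER_REGION),
            "data": read_region(path, HEADER_REGION, data_len),
        }
        size = wipe_volume_headers(path)
        after = {
            "head": read_region(path, 0, HEADER_REGION),
            "tail": read_region(path, tail_off, HEADER_REGION),
            "data": read_region(path, HEADER_REGION, data_len),
        }
        return {
            "size_unchanged": size == container_size == os.path.getsize(path),
            "head_changed": before["head"] != after["head"],
            "tail_changed": before["tail"] != after["tail"],
            "data_untouched": before["data"] == after["data"],   # only the headers move
            "head_entropy_before": byte_entropy(before["head"]),
            "head_entropy_after": byte_entropy(after["head"]),
            "tail_entropy_after": byte_entropy(after["tail"]),
        }
    finally:
        os.unlink(path)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The entropy check is the forensic step from the PR in code form: the head and tail regions go from 0.0 bits/byte (a constant fill) to roughly 8.0, while the data region between them is byte-for-byte unchanged, which is what a hexdump before and after should show on a real container.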
@Ashutosh0x
Author

Hey @maltfield — this PR implements all 4 deliverables for #60 (VeraCrypt self-destruct trigger on Windows). Would love your review when you get a chance! 🙏

@maltfield
Member

Hi Ashutosh. Wow, thanks for this.

Can you please confirm if this was written by you, or if you used AI to write this code?

@Ashutosh0x
Author

Hey @maltfield — yep, wrote it myself! I studied the existing root_child_mac.py and the Linux self-destruct script to understand the architecture, then built the Windows equivalent from scratch. Also referenced the previous work by @jneplokh in the veracrypt-self-destruct repo to understand what they'd attempted before getting stuck on the Windows privilege escalation part.

Happy to walk through any part of the code if you have questions!

@maltfield
Member

maltfield commented May 24, 2026

Great, thanks for confirming that. fwiw, I just published our policy on AI here:

Unfortunately, I realized that we don't yet have a process for contributors. I'm currently in the process of fixing that here:

In the meantime, one issue with this PR is that you made it to the master branch -- which is our "stable" branch that's way behind our dev branch. Can you apply this to the dev branch, please?

@maltfield
Member

@Ashutosh0x can you please send us an email so we can send you the CAA?
