aes-finder
[ADD NEW FEATURE] Find AES keys in memory dump files
Add this function; I tested it and it works. It loads a dump file (up to 256 MB) into memory and runs the same key-schedule detectors the process scanner uses over it:
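/*
 * Scan a memory-dump file for expanded AES key schedules and print the
 * recovered keys.
 *
 * The whole file is loaded into one buffer and walked in 4-byte steps. At
 * each position aes_detect_enc() / aes_detect_dec() (defined elsewhere in
 * this file) are asked whether an expanded encryption / decryption schedule
 * starts there; a hit prints the file offset and the key bytes and the scan
 * skips past the matched schedule (28 + keylen, as the process scanner does).
 * Files larger than 256 MB are rejected instead of being loaded.
 *
 * filename: path of the dump file, opened read-only in binary mode.
 * Returns nothing; every failure is reported on stdout and ends the scan.
 */
static void find_keys_file(const char *filename) {
    /* The largest schedule (AES-256) spans 60 32-bit words, so the detectors
     * need at least that many bytes available at every probed offset. */
    const uint64_t min_window = 60 * sizeof(uint32_t);
    const uint64_t max_file_size = 256ULL * 1024 * 1024;

    FILE *fp = fopen(filename, "rb");
    if (fp == NULL) {
        printf("Failed to open file %s\n", filename);
        return;
    }

    clock_t t0 = clock();

    /* Size the file via seek/tell. ftell() returns -1 on failure (pipe,
     * directory, unseekable stream); that must not be treated as a length. */
    if (fseek(fp, 0, SEEK_END) != 0) {
        printf("Unable to seek in file %s\n", filename);
        fclose(fp);
        return;
    }
    long file_len = ftell(fp);
    if (file_len < 0) {
        printf("Unable to determine size of file %s\n", filename);
        fclose(fp);
        return;
    }
    uint64_t size = (uint64_t)file_len;

    if (size > max_file_size) {
        printf("Unable to process %s: maximum file size is 256MB\n", filename);
        fclose(fp);
        return;
    }
    if (size == 0) {
        /* Nothing to scan; also avoids malloc(0), which may return NULL. */
        printf("File %s is empty\n", filename);
        fclose(fp);
        return;
    }

    if (fseek(fp, 0, SEEK_SET) != 0) {
        printf("Unable to seek in file %s\n", filename);
        fclose(fp);
        return;
    }

    uint8_t *buffer = (uint8_t *)malloc((size_t)size);
    if (buffer == NULL) {
        printf("Out of memory, unable to allocate %llu bytes memory\n",
               (unsigned long long)size);
        fclose(fp);
        return;
    }

    /* Read until the buffer is full or the stream ends. Each request asks
     * only for the bytes still missing, so a short read followed by another
     * iteration can never write past the end of the buffer. */
    uint64_t total = 0;
    while (total < size) {
        size_t got = fread(buffer + total, 1, (size_t)(size - total), fp);
        if (got == 0) {
            break;
        }
        total += got;
    }
    if (ferror(fp)) {
        /* Scan whatever was read; a partial dump can still hold keys. */
        printf("Warning: read error on %s after %llu bytes, scanning partial data\n",
               filename, (unsigned long long)total);
    }

    /* offset is both the buffer index and the address reported to the user;
     * for a file they are the same thing. */
    uint64_t offset = 0;
    if (total >= min_window) {
        const uint64_t last_probe = total - min_window;
        while (offset <= last_probe) {
            uint8_t key[32];
            const char *kind = "encryption";
            /* Detectors return the key length in bytes, 0 when nothing
             * matches (assumed to be at most 32, the size of key[]). */
            int len = aes_detect_enc((const uint32_t *)&buffer[offset], key);
            if (len == 0) {
                kind = "decryption";
                len = aes_detect_dec((const uint32_t *)&buffer[offset], key);
            }
            if (len > 0) {
                if (len > (int)sizeof(key)) {
                    len = (int)sizeof(key);
                }
                printf("[0x%llx] Found AES-%d %s key: 0x",
                       (unsigned long long)offset, len * 8, kind);
                for (int i = 0; i < len; i++) {
                    printf("%02X", key[i]);
                }
                printf("\n");
                /* Skip the matched schedule so its tail is not re-reported. */
                offset += 28 + (uint64_t)len;
            } else {
                offset += 4;
            }
        }
    }

    clock_t t1 = clock();
    double secs = (double)(t1 - t0) / CLOCKS_PER_SEC;
    const double MB = 1024.0 * 1024.0;
    /* Guard the rate against a zero clock delta on very small files. */
    double rate = secs > 0.0 ? (total / MB) / secs : 0.0;
    printf("Processed %.2f MB, speed = %.2f MB/s\n", total / MB, rate);

    free(buffer);
    buffer = NULL;
    fclose(fp);
}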
Add the extra `-f dump-file` option to the argument parsing in `main` (this replaces the existing `argc`/`argv` handling; `argc` and `argv` are `main`'s parameters):
if (argc != 3) {
printf("Usage: aes-finder -p pid | -n process-name | -f dump-file\n");
return 0;
}
os_startup();
if (strcmp(argv[1], "-p") == 0) {
uint32_t pid = atoi(argv[2]);
find_keys(pid);
} else if (strcmp(argv[1], "-n") == 0) {
if (os_enum_start()) {
while (uint32_t pid = os_enum_next(argv[2])) {
find_keys(pid);
}
os_enum_end();
}
} else if (strcmp(argv[1], "-f") == 0) {
find_keys_file(argv[2]);
} else {
printf("Invalid option: %s\n", argv[1]);
return 1;
}
Example output:

$ $HOME/aes-finder -f dump-3488.bin
Searching keys in the dump file...
[0x1650c0] Found AES-256 encryption key: 0x27DFBADBB537388ACDE27A7C5F3EBC3721AF0AE0A7602D2D7F8A16548F37D394
[0x165280] Found AES-256 decryption key: 0x27DFBADBB537388ACDE27A7C5F3EBC3721AF0AE0A7602D2D7F8A16548F37D394
Processed 15.62 MB, speed = 1.03 MB/s
Done!
You can also check out the memory dump tool and the modified aes-finder: https://github.com/halloweeks/memory-dump https://github.com/halloweeks/aes-finder