Releases · reverseame/KeyReaper

16 May 02:13

leonav-unizar

v1.8

e6be1c0

KeyReaper v1.8 Latest

Latest

What's Changed

Improved CryptoAPI scanning to extarct DSSENH keys BRANCH
Fixed path detection on DLL injections
Fixed bug when checking if a process is alive
CRYPT_ARCHIVABLE also set when forcing an RSAENH key to export
Some code cleanup

Assets 4

02 Apr 01:28

leonav-unizar

v1.7

29332a9

KeyReaper v1.7

Changelog for v1.7

Improved heap detection.

Context

With bigger heaps, the memory regions that contain the keys start to split up, and may not only be contained within the default heap, or be in the same region as the process heaps.

Solution

We noticed that the keys were being generated in regions that were classified by other tools such as VMMap as heap. This made us wonder what criteria was used to classify the region as heap. Following different researches about Windows heap, we stumbled upon different resources:

Thanks to them, we noticed that, in the beginning of each heap region, either the _HEAP_SEGMENT or the _HEAP structure appeared. Thanks to its fields BaseAddress and Heap, we could determine the presence of a heap segmete on the page. Fortunately, both structures start the same, and a difference we could notice was having the Heap field different.
We acknowledge that some of the structures used are may not be the same across different versions of Windows, and it has only been tested in W10. According to Terminus Project, this heuristic won't work on WinXP.