KeyReaper v1.7
Changelog for v1.7
- Improved heap detection.
Context
With bigger heaps, the memory regions that contain the keys start to split up: they may no longer be contained within the default heap, nor lie in the same regions as the process heaps listed in the PEB.
Solution
We noticed that the keys were being generated in regions that other tools, such as VMMap, classified as heap. This made us wonder what criteria were used to classify a region as heap. While researching the Windows heap, we came across the following resources:
- Chris Valasek - Understanding the Low Fragmentation Heap
- MS Learn - MEMORY_BASIC_INFORMATION
- Terminus Project - PEB
- Terminus Project - HEAP SEGMENT
Thanks to them, we noticed that each heap region begins with either a _HEAP_SEGMENT or a _HEAP structure. Their BaseAddress and Heap fields let us determine whether a heap segment starts on a page: BaseAddress holds the base of the segment, so it must equal the address of the page itself. Fortunately, both structures start the same way (a _HEAP embeds a _HEAP_SEGMENT as its first member), and the difference we could notice was in the Heap field: in a _HEAP it points to the structure itself, while in a _HEAP_SEGMENT it points to the _HEAP that owns the segment.
We acknowledge that some of the structures used may not be the same across Windows versions; the heuristic has only been tested on Windows 10. According to the Terminus Project, it won't work on Windows XP.
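The following C program is an added example of the heuristic described above; it is not KeyReaper's own code, whose implementation is not shown on this page. It classifies the bytes at the start of a memory region as a _HEAP, a _HEAP_SEGMENT, or neither, using the BaseAddress and Heap fields. The field offsets (Heap at +0x28, BaseAddress at +0x30, SegmentSignature at +0x10) are an assumption taken from the public ntdll symbols for Windows 10 x64 and change between Windows versions; the sample pages and addresses are constructed so the program runs offline. In a live scanner the region base would come from the BaseAddress member of MEMORY_BASIC_INFORMATION returned by VirtualQueryEx, and the bytes from ReadProcessMemory; both are omitted here.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Field offsets inside _HEAP_SEGMENT on Windows 10 x64, taken from the
 * public ntdll symbols. They are an assumption of this example and are
 * known to change between Windows versions (the heuristic is untested
 * outside Windows 10). _HEAP embeds a _HEAP_SEGMENT as its first member,
 * so a _HEAP and a standalone _HEAP_SEGMENT share these offsets. */
#define OFF_SEGMENT_SIGNATURE 0x10   /* 0xffeeffee; not used by the heuristic */
#define OFF_HEAP              0x28   /* _HEAP *Heap: the owning heap */
#define OFF_BASE_ADDRESS      0x30   /* void *BaseAddress: segment base */
#define MIN_HEADER_LEN        (OFF_BASE_ADDRESS + 8)

enum region_kind {
    REGION_OTHER = 0,        /* not a heap segment header */
    REGION_HEAP = 1,         /* _HEAP: segment header points at itself */
    REGION_HEAP_SEGMENT = 2  /* _HEAP_SEGMENT owned by some other _HEAP */
};

static uint64_t read_u64(const uint8_t *p)
{
    uint64_t v;
    memcpy(&v, p, sizeof v);  /* little-endian target, as on x64 Windows */
    return v;
}

/* Classify a region from the bytes at its start. region_base is the
 * address those bytes were read from in the target process (the
 * BaseAddress reported by VirtualQueryEx in MEMORY_BASIC_INFORMATION). */
enum region_kind classify_region(const uint8_t *page, size_t len,
                                 uint64_t region_base)
{
    if (len < MIN_HEADER_LEN)
        return REGION_OTHER;

    uint64_t heap = read_u64(page + OFF_HEAP);
    uint64_t base = read_u64(page + OFF_BASE_ADDRESS);

    /* Both structures sit at the base of their own segment, so
     * BaseAddress must point back at the page we are looking at. */
    if (base != region_base || heap == 0)
        return REGION_OTHER;

    /* The Heap field tells the two apart: a _HEAP's embedded segment
     * header points at the _HEAP itself, while a plain _HEAP_SEGMENT
     * points at the heap that owns it. */
    return heap == region_base ? REGION_HEAP : REGION_HEAP_SEGMENT;
}

/* Build a constructed page that mimics the start of a heap segment;
 * only the fields the heuristic reads (plus the signature) are filled. */
static void make_segment_header(uint8_t *page, size_t len,
                                uint64_t heap_field, uint64_t base_field)
{
    uint32_t sig = 0xffeeffeeu;
    memset(page, 0, len);
    memcpy(page + OFF_SEGMENT_SIGNATURE, &sig, sizeof sig);
    memcpy(page + OFF_HEAP, &heap_field, sizeof heap_field);
    memcpy(page + OFF_BASE_ADDRESS, &base_field, sizeof base_field);
}

/* Convenience wrapper: classify a constructed header whose Heap and
 * BaseAddress fields hold the given values, as if read at region_base. */
enum region_kind classify_sample(uint64_t heap_field, uint64_t base_field,
                                 uint64_t region_base)
{
    uint8_t page[4096];
    make_segment_header(page, sizeof page, heap_field, base_field);
    return classify_region(page, sizeof page, region_base);
}

int main(void)
{
    /* Constructed addresses: a _HEAP at 0x1e0000 and one of its
     * additional segments at 0x2c0000. */
    static const char *names[] = { "other", "_HEAP", "_HEAP_SEGMENT" };
    struct { uint64_t heap, base, region; } cases[] = {
        { 0x1e0000, 0x1e0000, 0x1e0000 },  /* heap header at region base */
        { 0x1e0000, 0x2c0000, 0x2c0000 },  /* segment owned by that heap */
        { 0x1e0000, 0x2c0000, 0x2d0000 },  /* page inside a segment, not its base */
        { 0,        0,        0x3f0000 },  /* zeroed page: not a heap */
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("region %#llx -> %s\n", (unsigned long long)cases[i].region,
               names[classify_sample(cases[i].heap, cases[i].base,
                                     cases[i].region)]);
    return 0;
}
```

The program only implements the BaseAddress/Heap check the changelog describes. A practitioner extending it would typically also require SegmentSignature at +0x10 to equal 0xffeeffee and only visit regions whose MEMORY_BASIC_INFORMATION reports MEM_COMMIT, which cuts down false positives from unrelated pages that happen to contain a self-referencing pointer; neither check is part of the page's heuristic.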
How to use it
To enable this option, pass the -x flag to the scan subcommand.