{"id":840,"date":"2025-07-07T07:21:24","date_gmt":"2025-07-07T07:21:24","guid":{"rendered":"https:\/\/reversea.me\/?p=840"},"modified":"2025-07-07T07:21:24","modified_gmt":"2025-07-07T07:21:24","slug":"extracting-cryptographic-keys-from-windows-live-processes-with-keyreaper","status":"publish","type":"post","link":"https:\/\/reversea.me\/index.php\/extracting-cryptographic-keys-from-windows-live-processes-with-keyreaper\/","title":{"rendered":"Extracting Cryptographic Keys from Windows Live Processes with KeyReaper"},"content":{"rendered":"<span class=\"span-reading-time rt-reading-time\" style=\"display: block;\"><span class=\"rt-label rt-prefix\">Reading Time: <\/span> <span class=\"rt-time\"> 4<\/span> <span class=\"rt-label rt-postfix\">minutes<\/span><\/span>\n<p><strong>TL;DR<\/strong>: Ransomware encrypts victims&#8217; files with keys that must exist in memory at runtime. If defenders can access those keys while the malware is still running, they could decrypt files without paying a ransom. We introduce <a href=\"https:\/\/github.com\/reverseame\/KeyReaper\" data-type=\"link\" data-id=\"https:\/\/github.com\/reverseame\/KeyReaper\"><code>KeyReaper<\/code><\/a>: a live memory analysis tool designed to extract cryptographic keys from running Windows processes in real time. By targeting heap memory and using key-specific heuristics, <code>KeyReaper<\/code> enables fast and reliable key recovery, even in real-world ransomware cases like WannaCry or Avaddon. 
If you&#8217;re curious to learn more, <a href=\"https:\/\/www.dimva.org\/dimva2025\/\" data-type=\"link\" data-id=\"https:\/\/www.dimva.org\/dimva2025\/\">visit our poster session at DIMVA 2025<\/a> this week or <a href=\"https:\/\/dx.doi.org\/10.1007\/978-3-031-97620-9_12\" data-type=\"link\" data-id=\"https:\/\/dx.doi.org\/10.1007\/978-3-031-97620-9_12\">read the full paper here<\/a> (or <a href=\"https:\/\/webdiis.unizar.es\/~ricardo\/files\/papers\/AbascalR-DIMVA-25.pdf\" data-type=\"link\" data-id=\"https:\/\/webdiis.unizar.es\/~ricardo\/files\/papers\/AbascalR-DIMVA-25.pdf\">here<\/a>) or <a href=\"https:\/\/webdiis.unizar.es\/~ricardo\/files\/posters\/AbascalR-DIMVA-25-poster.pdf\" data-type=\"link\" data-id=\"https:\/\/webdiis.unizar.es\/~ricardo\/files\/posters\/PelayoBenedetRG-DIMVA-25.pdf\">our poster here<\/a>.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Ransomware&#8217;s Achilles&#8217; Heel: Runtime Keys in Memory<\/h2>\n\n\n\n<p>Ransomware continues to dominate the cyberthreat landscape, attacking availability by encrypting files and holding them hostage. While attackers often employ strong cryptographic algorithms, those keys must be generated and stored in memory during execution. This brief moment offers a unique opportunity for defenders.<\/p>\n\n\n\n<p>Traditionally, forensic analysts have relied on static, often post-mortem, memory dumps, which limits their effectiveness. But what if we could pause ransomware during execution, inspect its memory in real time, and extract the encryption keys directly? That&#8217;s the core idea of <code>\u200b\u200b<a href=\"https:\/\/github.com\/reverseame\/KeyReaper\">KeyReaper<\/a><\/code>.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Meet KeyReaper<\/h2>\n\n\n\n<p><code>KeyReaper<\/code> is an open-source tool specifically designed to locate cryptographic keys in active Windows processes using live memory analysis. 
It does not detect ransomware, but is designed to be deployed after an antivirus or EDR solution detects a process.<\/p>\n\n\n\n<p>The tool focuses on heap memory, where dynamic key material is typically stored during encryption operations. By limiting the scope, <code>KeyReaper<\/code> improves performance and accuracy while minimizing false positives.<\/p>\n\n\n\n<p><code>KeyReaper<\/code> is structured around three main modules, as depicted in Figure 1:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Process Capture<\/strong>: Pauses the ransomware process to stabilize memory.<\/li>\n\n\n\n<li><strong>Heap Extraction<\/strong>: Isolates and copies heap segments from the paused process.<\/li>\n\n\n\n<li><strong>Key Scanning<\/strong>: Applies pluggable detection algorithms to locate key structures in memory.<\/li>\n<\/ul>\n\n\n\n<p>These modules are orchestrated using a command-line interface ideal for integration into automated incident response workflows.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"236\" src=\"https:\/\/reversea.me\/wp-content\/uploads\/2025\/06\/Screenshot-2025-06-30-at-10.34.06-1024x236.png\" alt=\"\" class=\"wp-image-845\" srcset=\"https:\/\/reversea.me\/wp-content\/uploads\/2025\/06\/Screenshot-2025-06-30-at-10.34.06-1024x236.png 1024w, https:\/\/reversea.me\/wp-content\/uploads\/2025\/06\/Screenshot-2025-06-30-at-10.34.06-300x69.png 300w, https:\/\/reversea.me\/wp-content\/uploads\/2025\/06\/Screenshot-2025-06-30-at-10.34.06-768x177.png 768w, https:\/\/reversea.me\/wp-content\/uploads\/2025\/06\/Screenshot-2025-06-30-at-10.34.06-1536x354.png 1536w, https:\/\/reversea.me\/wp-content\/uploads\/2025\/06\/Screenshot-2025-06-30-at-10.34.06-1440x332.png 1440w, https:\/\/reversea.me\/wp-content\/uploads\/2025\/06\/Screenshot-2025-06-30-at-10.34.06.png 1968w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption 
class=\"wp-element-caption\"><em>Figure 1: System architecture and workflow of <code>KeyReaper<\/code>.<\/em><\/figcaption><\/figure><\/div>\n\n\n<h2 class=\"wp-block-heading\">How It Works<\/h2>\n\n\n\n<p>The key scanning phase leverages multiple analysis modules:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>AES Round Key Reconstruction<\/strong>: Reconstructs AES keys using derived round key patterns, even if the original key is not stored directly.<\/li>\n\n\n\n<li><strong>CryptoAPI Key Scanner<\/strong>: Detects keys managed using Microsoft&#8217;s CryptoAPI, commonly used by malware such as Avaddon and WannaCry.<\/li>\n<\/ul>\n\n\n\n<p>These modules rely on techniques such as DLL injection, pattern matching, and heap structure analysis, using APIs such as <code>NtSuspendProcess<\/code> and <code>ReadProcessMemory<\/code>. The heavy lifting is handled in C++, ensuring low overhead and fast execution.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Evaluation Highlights<\/h2>\n\n\n\n<p>We rigorously tested <code>KeyReaper<\/code> in four dimensions:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Reaction Time<\/strong>: Efficient heap copying and scanning, with the CryptoAPI scanner significantly outperforming the generic AES module.<\/li>\n\n\n\n<li><strong>False Positives<\/strong>: Zero false detections on noisy synthetic heaps and innocuous software such as Audacity or Notepad++.<\/li>\n\n\n\n<li><strong>Key Accuracy<\/strong>: Keys extracted by <code>KeyReaper<\/code> exactly matched those exported using legitimate CryptoAPI functions in over 1,000 test runs.<\/li>\n\n\n\n<li><strong>Real Ransomware<\/strong>: <code>KeyReaper<\/code> successfully extracted usable keys from Avaddon and WannaCry, enabling decryption of test files, verified by comparing their SHA256 hashes after decryption.<\/li>\n<\/ul>\n\n\n\n<p>Figure 2 shows the time-to-memory ratio of each scanning module and confirms the tool&#8217;s reliability in real-world situations.<\/p>\n\n\n<div 
class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"448\" src=\"https:\/\/reversea.me\/wp-content\/uploads\/2025\/06\/Screenshot-2025-06-30-at-10.34.17-1024x448.png\" alt=\"\" class=\"wp-image-846\" srcset=\"https:\/\/reversea.me\/wp-content\/uploads\/2025\/06\/Screenshot-2025-06-30-at-10.34.17-1024x448.png 1024w, https:\/\/reversea.me\/wp-content\/uploads\/2025\/06\/Screenshot-2025-06-30-at-10.34.17-300x131.png 300w, https:\/\/reversea.me\/wp-content\/uploads\/2025\/06\/Screenshot-2025-06-30-at-10.34.17-768x336.png 768w, https:\/\/reversea.me\/wp-content\/uploads\/2025\/06\/Screenshot-2025-06-30-at-10.34.17-1536x672.png 1536w, https:\/\/reversea.me\/wp-content\/uploads\/2025\/06\/Screenshot-2025-06-30-at-10.34.17-2048x895.png 2048w, https:\/\/reversea.me\/wp-content\/uploads\/2025\/06\/Screenshot-2025-06-30-at-10.34.17-1440x630.png 1440w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Figure 2: Comparison of performance for the two key scanning modules.<\/em><\/figcaption><\/figure><\/div>\n\n\n<h2 class=\"wp-block-heading\">Why does this matter?<\/h2>\n\n\n\n<p><code>KeyReaper<\/code> offers defenders a practical, real-time method to recover encryption keys before irreversible damage is done. 
It improves ransomware mitigation by enabling:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Live key recovery for decryption, avoiding ransom demands.<\/li>\n\n\n\n<li>Malware reverse engineering by separating malicious logic from built-in cryptographic operations.<\/li>\n\n\n\n<li>Compliance testing by validating how the software handles key material in memory.<\/li>\n<\/ul>\n\n\n\n<p>It bridges the gap between detection and remediation, helping SOCs and analysts respond more quickly and effectively.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">What&#8217;s next?<\/h2>\n\n\n\n<p>We are actively developing new features, including:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Support for additional cryptographic libraries such as OpenSSL and Crypto++.<\/li>\n\n\n\n<li>Detection of more algorithms, such as Salsa20.<\/li>\n\n\n\n<li>Case dump analysis for offline forensics.<\/li>\n\n\n\n<li>Support for new heap types, such as the Windows segmented heap.<\/li>\n\n\n\n<li>Integration with audit and compliance workflows using legitimate encryption tools.<\/li>\n<\/ul>\n\n\n\n<p>We are also planning to explore heap evasion and obfuscation techniques used by ransomware authors to stay ahead as defenders.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Funding Acknowledgments<\/h2>\n\n\n\n<p>This research was supported in part by grant PID2023-151467OA-I00 (CRAPER), funded by MICIU\/AEI\/10.13039\/501100011033 and by ERDF\/EU, by grant TED2021-131115A-I00 (MIMFA), funded by MICIU\/AEI\/10.13039\/501100011033 and by the European Union NextGenerationEU\/PRTR, and the University of Zaragoza, by grant <em>Proyecto Estrat\u00e9gico Ciberseguridad EINA UNIZAR<\/em>, funded by the Spanish National Cybersecurity Institute (INCIBE) and the European Union NextGenerationEU\/PRTR, and by grant <em>Programa de Proyectos Estrat\u00e9gicos de Grupos de Investigaci\u00f3n<\/em> (T21-23R), funded by the University, Industry and Innovation Department of the Aragonese 
Government.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"89\" src=\"https:\/\/reversea.me\/wp-content\/uploads\/2025\/06\/BandaINCIBEcolor-1-1024x89.png\" alt=\"\" class=\"wp-image-844\" srcset=\"https:\/\/reversea.me\/wp-content\/uploads\/2025\/06\/BandaINCIBEcolor-1-1024x89.png 1024w, https:\/\/reversea.me\/wp-content\/uploads\/2025\/06\/BandaINCIBEcolor-1-300x26.png 300w, https:\/\/reversea.me\/wp-content\/uploads\/2025\/06\/BandaINCIBEcolor-1-768x67.png 768w, https:\/\/reversea.me\/wp-content\/uploads\/2025\/06\/BandaINCIBEcolor-1-1536x134.png 1536w, https:\/\/reversea.me\/wp-content\/uploads\/2025\/06\/BandaINCIBEcolor-1-2048x179.png 2048w, https:\/\/reversea.me\/wp-content\/uploads\/2025\/06\/BandaINCIBEcolor-1-1440x126.png 1440w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<p><em>And that&#8217;s all, folks! In this post, we introduce <code><a href=\"https:\/\/github.com\/reverseame\/KeyReaper\">KeyReaper<\/a><\/code>, our tool for live cryptographic key extraction from active Windows processes: a practical advancement in ransomware mitigation and digital forensics investigation. If you&#8217;re attending <a href=\"https:\/\/www.dimva.org\/dimva2025\/\" data-type=\"link\" data-id=\"https:\/\/www.dimva.org\/dimva2025\/\">DIMVA 2025<\/a>, please visit our poster session and let&#8217;s chat! We&#8217;d love to hear your thoughts, answer your questions, and explore collaboration ideas. In the meantime, feel free to dig deeper into our paper, contact us, or contribute to the project as we continue to improve our static and dynamic malware analysis tools. 
Thanks for reading, and stay secure!<\/em><\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h4 class=\"wp-block-heading\">Declaration of Generative AI Technologies in the Writing Process<\/h4>\n\n\n\n<p>During the preparation of this post, the author used ChatGPT (GPT4-o model) to improve readability and language. After using this tool, the author reviewed and edited the content as necessary and takes full responsibility for the content of this publication.<\/p>\n","protected":false},"excerpt":{"rendered":"<p><span class=\"span-reading-time rt-reading-time\" style=\"display: block;\"><span class=\"rt-label rt-prefix\">Reading Time: <\/span> <span class=\"rt-time\"> 4<\/span> <span class=\"rt-label rt-postfix\">minutes<\/span><\/span>TL;DR: Ransomware encrypts victims&#8217; files with keys that must exist in memory at runtime. If defenders can access those keys while the malware is still running, they could decrypt files without paying a ransom. We introduce KeyReaper: a live memory analysis tool designed to extract cryptographic keys from running Windows processes in real time. 
By [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[16,17,27,15],"tags":[55,54,28,14],"class_list":["post-840","post","type-post","status-publish","format-standard","hentry","category-forensics","category-malware","category-reverse-engineering","category-tools","tag-cryptography","tag-incident-response","tag-malware","tag-windows","no-featured-image"],"_links":{"self":[{"href":"https:\/\/reversea.me\/index.php\/wp-json\/wp\/v2\/posts\/840","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/reversea.me\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/reversea.me\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/reversea.me\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/reversea.me\/index.php\/wp-json\/wp\/v2\/comments?post=840"}],"version-history":[{"count":3,"href":"https:\/\/reversea.me\/index.php\/wp-json\/wp\/v2\/posts\/840\/revisions"}],"predecessor-version":[{"id":854,"href":"https:\/\/reversea.me\/index.php\/wp-json\/wp\/v2\/posts\/840\/revisions\/854"}],"wp:attachment":[{"href":"https:\/\/reversea.me\/index.php\/wp-json\/wp\/v2\/media?parent=840"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/reversea.me\/index.php\/wp-json\/wp\/v2\/categories?post=840"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/reversea.me\/index.php\/wp-json\/wp\/v2\/tags?post=840"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}