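#!/usr/bin/env bash
#$ apt install gdb aeskeyfind rsakeyfind
#
# CryKeX - Linux Memory Cryptographic Keys Extractor
#
# Resolves the target process (by name, by lower-cased name, by a PID typed
# in, or by launching and SIGSTOPping a binary - "wrap"), dumps its memory
# with gcore and scans the dump with rsakeyfind / aeskeyfind.
#
# Usage      : CryKeX PROCESS/BINARY
# Exit codes : 1 usage, 2 no PID/binary given, 3 wrap failed, 4 dump failed
#
# Notes for operators and auditors:
#   * gcore attaches with ptrace, so the caller needs that privilege on the
#     target (same uid under a permissive ptrace_scope, CAP_SYS_PTRACE, or
#     root). ptrace attaches can be logged by the kernel audit subsystem,
#     which is where this activity shows up on a monitored host.
#   * A core dump is the target's entire memory, key material included. It
#     is therefore written to a private mktemp directory (mode 0700) and
#     deleted on every exit path, never left as world-readable core.* files
#     in a shared /tmp.
#   * A "wrapped" target is frozen with SIGSTOP; it is resumed right after
#     the dump, and by the EXIT trap if the script dies before that point.
echo -e "\033[01;33m"
echo '
###### ######## ## ## ## ## ######## ## ##
## ## ## ## ## ## ## ## ## ## ##
## ## ## #### ## ## ## ## ##
## ######## ## ##### ###### ###
## ## ## ## ## ## ## ## ##
## ## ## ## ## ## ## ## ## ##
###### ## ## ## ## ## ######## ## ##
ad8888888888ba
dP'"'"' `"8b,
8 ,aaa, "Y888a ,aaaa, ,aaa, ,aa,
8 8'"'"' `8 "8baaaad""""baaaad""""baad""8b
8 8 8 """" """" "" 8b
8 8, ,8 ,aaaaaaaaaaaaaaaaaaaaaaaaddddd88P
8 `"""'"'"' ,d8""
Yb, ,ad8"
"Y8888888888P"
'
echo ' Linux Memory Cryptographic Keys Extractor
'
echo -e "\e[0m"

PROCESS=$1
if [[ -z "$PROCESS" ]]; then
  echo 'Usage : CryKeX PROCESS/BINARY'
  echo 'Example : CryKeX openssl'
  echo 'Example : CryKeX cipher'
  exit 1
fi

# pidof prints every matching PID on one line; a second lookup with the
# lower-cased name covers "Openssl"-style input.
PID=$(pidof "$PROCESS")
if [[ -z "$PID" ]]; then
  PROCESS=${PROCESS,,}
  PID=$(pidof "$PROCESS")
fi
if [[ -z "$PID" ]]; then
  echo '!!! PROCESS NOT FOUND !!!'
  echo 'Enter the Process ID (PID) manually or "wrap" to wrap process and inject after execution or blank to exit :'
  read -r PID   # -r: take the input literally, no backslash processing
fi
if [[ -z "$PID" ]]; then
  exit 2
fi

INJECTED=0    # 1 once we have SIGSTOPped a wrapped target ourselves
WRAP_CMD=()   # binary and its arguments in wrap mode
DELAY=0

#######################################
# Start the wrapped binary in the background and freeze it after $DELAY
# seconds so its memory can be dumped at that point of execution.
# Globals:   WRAP_CMD (read), DELAY (read)
# Returns:   the status of kill -STOP (0 when the freeze succeeded)
#######################################
launch_and_stop() {
  ("${WRAP_CMD[@]}") &
  sleep "$DELAY" && kill -STOP $! &>/dev/null
}

if [[ "$PID" == "wrap" ]]; then
  echo 'Enter the binary path/name :'
  read -r -a WRAP_CMD   # word-split on purpose: arguments may follow the binary
  if (( ${#WRAP_CMD[@]} == 0 )); then
    exit 2
  fi
  if [[ "${WRAP_CMD[0]}" != *"/"* ]]; then
    WRAP_CMD[0]=./${WRAP_CMD[0]}   # bare names are run from the current directory
  fi
  echo 'Enter the delay in seconds after execution for injection (blank for 0.0003)'
  read -r DELAY
  DELAY=${DELAY:-0.0003}
  echo 'WRAPPING PROCESS ...'
  if ! launch_and_stop; then
    # Each retry launches a fresh instance of the binary; give up after 250.
    for _ in {1..250}; do
      launch_and_stop && break
    done
  fi
  PID=$(pidof "${WRAP_CMD[0]}")
  if [[ -z "$PID" ]]; then
    echo '!!! INJECTION FAILED !!!'
    echo 'Retry or change delay'
    exit 3
  fi
  INJECTED=1
fi

# Split "123 456" into separate arguments for gcore / kill instead of relying
# on unquoted word-splitting.
read -r -a PIDS <<<"$PID"

WORKDIR=$(mktemp -d) || exit 4

#######################################
# EXIT trap: resume a target we froze and wipe the dump directory, so that
# neither a stopped process nor a memory image is left behind on any exit.
# Globals:   INJECTED, PIDS, WORKDIR (read)
#######################################
cleanup() {
  if (( INJECTED == 1 )); then
    kill -CONT "${PIDS[@]}" &>/dev/null
  fi
  rm -rf -- "${WORKDIR:?}"
}
trap cleanup EXIT
cd "$WORKDIR" || exit 4

echo 'DUMPING MEMORY ...
'
if ! gcore "${PIDS[@]}" &>/dev/null; then
  echo '!!! DUMP FAILED !!!'
  echo 'Ensure that you have enough privileges for the process or run as root'
  exit 4
fi
if (( INJECTED == 1 )); then
  kill -CONT "${PIDS[@]}" &>/dev/null
  INJECTED=0   # already resumed; the trap must not signal it again
fi

echo 'SEARCHING KEYS ...
'
shopt -s nullglob   # no core.* written: the loop body is simply skipped
for dump in core.*; do
  # Best-effort hint of the algorithm variant, taken from printable strings
  # in the dump; the key finders run either way.
  ALGO=$(strings "$dump" | grep -i -o 'rsa-...' | tail -n 1)
  if [[ -n "$ALGO" ]]; then
    echo "*** ${ALGO^^} ***"
  else
    echo '*** POTENTIAL RSA ***'
  fi
  rsakeyfind "$dump"
  ALGO=$(strings "$dump" | grep -i -o 'aes[-,_,1-5].......' | tail -n 2 | head -n 1)
  if [[ -n "$ALGO" ]]; then
    echo "*** ${ALGO^^} ***"
  else
    echo '*** POTENTIAL AES ***'
  fi
  aeskeyfind "$dump"
  rm -f -- "$dump"   # drop the image as soon as it has been scanned
done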