GitHub公開「Wannakey」找出WannaCry的加密鍵
本帖最後由 salesman 於 2017-5-22 14:58 編輯
Introduction
This software allows to recover the prime numbers of the RSA private key that are used by Wanacry.
It does so by searching for them in the wcry.exe process. This is the process that generates the RSA private key. The main issue is that the CryptDestroyKey and CryptReleaseContext does not erase the prime numbers from memory before freeing the associated memory.
This is not really a mistake from the ransomware authors, as they properly use the Windows Crypto API. Indeed, for what I've tested, under Windows 10, CryptReleaseContext does cleanup the memory (and so this recovery technique won't work). It can work under Windows XP because, in this version, CryptReleaseContext does not do the cleanup. Moreover, MSDN states this, for this function : "After this function is called, the released CSP handle is no longer valid. This function does not destroy key containers or key pairs.". So, it seems that there are no clean and cross-platform ways under Windows to clean this memory.
If you are lucky (that is the associated memory hasn't been reallocated and erased), these prime numbers might still be in memory.
That's what this software tries to achieve.
https://github.com/aguinet/wannakey
WARNING
This software has only been tested and known to work under Windows XP, 7 x86, 2003, Vista and Windows Server 2008 (tests by @msuiche).
Please also note that you need some luck for this to work (see below), and so it might not work in every case! |
|
|