AES Finder - Utility To Find AES Keys In Running Processes

Follow me on twitter Follow @RedPacketSec and join the Telegram channel

Utility to find AES keys in running process memory. Works for 128, 192 and 256-bit keys.

Usage

Open aes-finder.sln solution in Visual Studio 2013 to compile source. Alternatively use gcc/clang:

g++ -O3 -march=native -fomit-frame-pointer aes-finder.cpp -o aes-finder

To search for keys in process with id = 123, execute following:

aes-finder.exe -123

To search for keys in any process with name chrome.exe, execute following:

aes-finder.exe chrome.exe

Now you can see what kind of AES keys are used in your favorite application!

Putty

C:>aes-finder.exe putty.exe
Searching PID 2180 ...
[0016C904] Found AES-256 encryption key: 000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f
[0016C9F4] Found AES-256 decryption key: 000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f
[00AA4540] Found AES-256 encryption key: e2855dae921dba978ffd713e89540101144de13f468fd5da8623608255387dbc
[00AA4720] Found AES-256 decryption key: e2855dae921dba978ffd713e89540101144de13f468fd5da8623608255387dbc
[00AA5458] Found AES-256 encryption key: 892372c26c5601a28e5dd20a64976faa219907c6c9a33a9d1ff3376609bd53f7
[00AA5638] Found AES-256 decryption key: 892372c26c5601a28e5dd20a64976faa219907c6c9a33a9d1ff3376609bd53f7
Done!

Dropbox

C:>aes-finder.exe dropbox.exe
Searching PID 2204 ...
[00F5DDE8] Found AES-128 encryption key: e73c856f10e56d8ded0510e964e71b33
... many identical keys
[0363A708] Found AES-128 encryption key: e73c856f10e56d8ded0510e964e71b33
[03710A24] Found AES-128 encryption key: 0e7484bb0230b137eb582bae6ea17e09
[03710C40] Found AES-128 encryption key: 0e7484bb0230b137eb582bae6ea17e09
[03716388] Found AES-128 encryption key: e73c856f10e56d8ded0510e964e71b33
... many identical keys
[03747888] Found AES-128 encryption key: e73c856f10e56d8ded0510e964e71b33
[038721A8] Found AES-256 encryption key: 90e804d380d6c279de1d0373a24010ffcbccb8a177f4fffaaa007fa2b07bbe35
[03872318] Found AES-256 decryption key: 69d292fb3bc5edb2008e2687b40321f01ce1077c0570819ef666f5079b233064
[0388480C] Found AES-128 encryption key: 0e7484bb0230b137eb582bae6ea17e09
[03884A28] Found AES-128 encryption key: 0e7484bb0230b137eb582bae6ea17e09
[03892330] Found AES-2   56 encryption key: 8843f5b83b0bc88ffefcdc4a6fb1dbec2a2216001d23ef714e3fcad2b106fa4a
[038E6F88] Found AES-256 decryption key: 845e5cd8a07200ed53df003b4524872e5a1b8faa931c285602ef4b091c80a8f6
[038FD6E0] Found AES-128 encryption key: 6108ca5991b2d070ba9109ca92895f5d
[03918310] Found AES-256 encryption key: 55a832a0756807b89d26bfeb2fd0c20affec0444ccc5f8826f1e4c0097bc4961
[0391DD68] Found AES-256 encryption key: 0495d0bc9b05b893ada8eb36c5fbbfefab3cccd4566accbf18c1a078faae970d
[0391DF00] Found AES-256 decryption key: fd4c481f479f9a66677adc42060689d1bb95529b217265fec7664e0fd0e990b2
[0393AB48] Found AES-256 decryption key: 471c720862d7d1329d0a1320a5eaea4ce7a8693ac75e9c732a0c4392aeb3d21e
[039480A0] Found AES-128 encryption key: 6108ca5991b2d070ba9109ca92895f5d
[0394B508] Found AES-128 encryption key: 6108ca5991b2d070ba9109ca92895f5d
[03950418] Found AES-256 encryption key: bbc3ede28857b90389452846e4b80ca5e262ef57ce918ce17c89b6598993faa4
[039E1A24] Foun   d AES-128 encryption key: afde7f5a3184111f877f0e8b61f85ad8
[039E1C40] Found AES-128 encryption key: afde7f5a3184111f877f0e8b61f85ad8
[039F5668] Found AES-256 encryption key: b48ac86c598e3051e1e00f17cb47256c0e6735a694ab3c1282ee9086d38d2647
[039F5870] Found AES-256 decryption key: 9e12c27da800ada221a60112171ac32b7b2c4781a7d45407fc6aaff2800b67d9
[03A0BD18] Found AES-128 encryption key: 6108ca5991b2d070ba9109ca92895f5d
[03A0EA7C] Found AES-256 encryption key: 28ad3cba4b91556825a3f301358901416eb16253b0bc7e43be0303caa53a001e
[03A0EB6C] Found AES-256 decryption key: 28ad3cba4b91556825a3f301358901416eb16253b0bc7e43be0303caa53a001e
[071868B0] Found AES-256 decryption key: 7a1d726b3b7c81a65887e12296d3102ead96a3a71a100fd4c48ccbc421f3d570
Done!

Chrome

C:>aes-finder.exe chrome.exe
Searching PID 1792 ...
[08D8302C] Found AES-256 decryption key: c73159441a23df68b292a666a082418048a844813dfe8636126e875204813291
[08D8326C] Found AES-256 encryption key: a85f43b1515c848bcb99a94f8b3ff815bcab2ff37b67954d21231c9744651f80
[08D834AC] Found AES-256 decryption key: 22715913a08a86472a85c711fe7674180c07cc19cc0683e95dd9f0c7526387c6
[08D8446C] Found AES-256 decryption key: 2c7d5043ae8d2800cef6b5fe82776eaaa13a1911f97f15d34172aaf4e0cf1d74
... lot of random keys
[0907326C] Found AES-256 decryption key: 28e941c0801544a85c1832510e935d44a3ae096397bbdeb5eb8608d2b1fcc18f
[090734AC] Found AES-256 encryption key: 4ffc20368848fdc739bb3420cbd5d8333ab6f478ba601309e2bab7db0427047b
[0907392C] Found AES-256 encryption key: f857325597da770d3a4589b5a585671d33221c108aab002c30a181b79c3c99ed
[09073B6C] Found AES-128 decryption key: d5f782a86d7f1e3c403cbe349c2844c1
[09073DAC] Found AES-128 encryption key: cdfb40a   1b13d7cfd0f7fd2687848d3de
[09073FEC] Found AES-128 decryption key: ce3be55b440620be4aa73e33c325456f
[0907422C] Found AES-128 encryption key: 1954a522cf12287a245d66786d78bba5
[0907446C] Found AES-128 decryption key: 7972ca8c29805c44bacc6a70691a606d
[090746AC] Found AES-128 encryption key: 266ffef00c92cd372d8dce1436a124d7
[090748EC] Found AES-128 decryption key: 1afa9ef367fe19278cdd7d060b397813
[09074B2C] Found AES-128 encryption key: b7fcd6a9915be8d562f376f8e30b34a3
[09074D6C] Found AES-128 decryption key: 4e150e928eb9f4366c93d7d664b53587
[090F702C] Found AES-128 encryption key: 6f3701e7a085102e9b69ffa1c5a7d52d
[090F726C] Found AES-128 decryption key: 71a46909719d714ebe29e1fb13ba3bc1
[090F74AC] Found AES-128 encryption key: 526d886eaa03c0a7e36918eb741ba4a9
Searching PID 2744 ...
Searching PID 3592 ...
Done!

Python + PyCrypto

C:>start python -c "from Crypto.Cipher import AES; a=AES.new('x42'*24, AES.MODE_ECB); input()"

C:>aes-finder.exe python.exe
Searching PID 264 ...
[00B84074] Found AES-192 encryption key: 424242424242424242424242424242424242424242424242
[00B84164] Found AES-192 decryption key: 424242424242424242424242424242424242424242424242
Done!

sshd on Linux

$ sudo ./aes-finder sshd
Searching PID 3307 ...
Searching PID 10428 ...
Searching PID 10430 ...
[0x7fc39b3132d0] Found AES-128 encryption key: df435cfcd8830df858203c0ad2db51ca
[0x7fc39b313450] Found AES-128 encryption key: 0ad922797aba3078841bc298104bb39a
Done!

iTunes on Mac OS X

$ sudo ./aes-finder iTunes
Searching PID 40912 ...
[0x7fe073e7dd3c] Found AES-128 encryption key: 743554fb48b78d29ad73fbd231373982
[0x7fe073e7de00] Found AES-128 encryption key: 743554fb48b78d29ad73fbd231373982
[0x7fe0758aaa88] Found AES-128 encryption key: dc4b5af0c373c4b3cf1158fe0a42022f
[0x7fe0758aab78] Found AES-128 decryption key: dc4b5af0c373c4b3cf1158fe0a42022f
[0x7fe0758aac6c] Found AES-128 encryption key: 000102030405060708090a0b0c0d0e0f
[0x7fe0758aad5c] Found AES-128 decryption key: 000102030405060708090a0b0c0d0e0f
Done!

Notes

does not work on whitebox AES keys
32-bit binary can search only in 32-bit processes, 64-bit binary can search in both – 32 and 64-bit ones
“encryption key” means that this key can be used for encryption or decryption
“decryption key” means that this key most likely is used only for decryption
on Linux requires at least v3.2 kernel (process_vm_readv syscall)

Download Aes-Finder

If you like the site, please consider joining the telegram channel or supporting us on Patreon using the button below.

Want to Support the Site, Become a Patron!

AES Finder – Utility To Find AES Keys In Running Processes

Original Source