Analyzing network traffic is a task that comes up often in malware analysis, both before infection (malware delivery from sites) and after infection (communication with the C&C servers). Having this information is vital when doing dynamic analysis. However, the current solutions to this problem all involve either adding a root CA (certificate authority) to the machine, splitting the traffic and re-signing certificates on the fly, modifying crypto libraries to log extra information (a solution usually deemed non-portable), or using mechanisms already present that log such information (such as the SSLKEYLOGFILE environment variable). All these methods rely, in the end, on modifications in the guest; modifications that are visible and can be detected by the malware itself.
An ingenious solution to this problem is to exfiltrate the data using an out-of-guest approach such as the one presented in “Tappan Zee (North) Bridge: Mining Memory Accesses for Introspection”. Although elegant, that approach has several drawbacks, both in terms of speed (the machine is emulated, not virtualized) and in terms of setup.
In this presentation, we first do away with the performance overhead of the previous approach by replicating the process using memory introspection techniques similar to the ones employed in DRAKVUF, and then present a novel technique that not only works for virtualized machines with minimal overhead but is also OS-agnostic and crypto-library-agnostic: no assumptions about either are required to obtain the TLS keys. We also address the fact that a TLS context has multiple parameters (encryption keys, IVs/nonces, MAC keys), which would imply that searching for them in the “micro memory dump” takes quadratic or even cubic time. However, we have developed techniques for each cipher that require only linear time.
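To make the quadratic-versus-linear point concrete, the following Go program is an added example that is not part of the abstract and does not reproduce the presenters' techniques. It uses the classic cold-boot-style observation that AES keys can be located in memory by their expanded key schedule, which common C libraries such as OpenSSL keep next to the key (an assumption about the guest's library, not something the abstract states). For a TLS 1.2 AES-128-GCM record the naive search would pair every candidate 16-byte key with every candidate 4-byte implicit IV (quadratic); here the key is found in one nonce-independent pass over the dump, and the implicit IV in a second pass that is only possible once the key is known. The memory dump, key, IV and record are all constructed in `BuildDump` with a fixed seed; the offsets 3000 and 6100 are arbitrary.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"math/rand"
)

// aesSBox is generated with the standard GF(2^8) walk (p *= 3, q /= 3, affine map).
var aesSBox = func() [256]byte {
	var s [256]byte
	p, q := byte(1), byte(1)
	for {
		var carry byte
		if p&0x80 != 0 { carry = 0x1B }
		p = p ^ (p << 1) ^ carry
		q ^= q << 1; q ^= q << 2; q ^= q << 4
		if q&0x80 != 0 { q ^= 0x09 }
		x := q ^ (q<<1 | q>>7) ^ (q<<2 | q>>6) ^ (q<<3 | q>>5) ^ (q<<4 | q>>4)
		s[p] = x ^ 0x63
		if p == 1 { break }
	}
	s[0] = 0x63
	return s
}()

// ExpandKey128 returns the 176-byte AES-128 key schedule (FIPS-197, section 5.2),
// the expanded form crypto libraries keep in memory and the thing we hunt for.
func ExpandKey128(key []byte) []byte {
	w, rcon := make([]byte, 176), byte(1)
	copy(w, key)
	for i := 16; i < 176; i += 4 {
		t := [4]byte{w[i-4], w[i-3], w[i-2], w[i-1]}
		if i%16 == 0 { // RotWord, SubWord and Rcon once per round
			t = [4]byte{aesSBox[t[1]] ^ rcon, aesSBox[t[2]], aesSBox[t[3]], aesSBox[t[0]]}
			if rcon&0x80 != 0 { rcon = rcon<<1 ^ 0x1B } else { rcon <<= 1 }
		}
		for j := 0; j < 4; j++ { w[i+j] = w[i-16+j] ^ t[j] }
	}
	return w
}

// FindAESKeySchedules scans the dump once and reports every offset whose 16 bytes are
// followed by their own key expansion: a 160-byte match cannot occur by chance, so no
// record, IV or nonce is needed at this stage, and the cost is linear in len(dump).
func FindAESKeySchedules(dump []byte) []int {
	var hits []int
	for off := 0; off+176 <= len(dump); off++ {
		if bytes.Equal(ExpandKey128(dump[off:off+16]), dump[off:off+176]) {
			hits = append(hits, off)
		}
	}
	return hits
}

// Record is a constructed TLS 1.2 AES-GCM application-data record as seen on the wire.
type Record struct {
	AAD      []byte // seq_num(8) || content_type(1) || version(2) || plaintext length(2)
	Explicit []byte // 8-byte explicit nonce, sent in the clear
	Sealed   []byte // ciphertext || 16-byte GCM tag
}

// FindGCMSalt takes a recovered key and scans the dump once more for the 4-byte implicit
// nonce part, one authenticated decryption per window; the GCM tag rejects every wrong
// salt. Two linear passes replace one quadratic key-by-salt search.
func FindGCMSalt(dump, key []byte, rec Record) (salt, plaintext []byte, ok bool) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, nil, false }
	gcm, _ := cipher.NewGCM(block) // cannot fail for a valid AES block
	nonce := make([]byte, 12); copy(nonce[4:], rec.Explicit)
	for off := 0; off+4 <= len(dump); off++ {
		copy(nonce[:4], dump[off:off+4])
		if pt, err := gcm.Open(nil, nonce, rec.Sealed, rec.AAD); err == nil {
			return append([]byte(nil), nonce[:4]...), pt, true
		}
	}
	return nil, nil, false
}

// BuildDump constructs a synthetic, seeded "micro memory dump": random filler with the
// expanded key schedule at one offset, the implicit IV at another, and one record sealed
// with them. Key and salt are returned only so the search result can be checked.
func BuildDump() (dump, key, salt []byte, rec Record) {
	rng := rand.New(rand.NewSource(42))
	dump, key, salt, rec.Explicit = make([]byte, 8192), make([]byte, 16), make([]byte, 4), make([]byte, 8)
	rng.Read(dump); rng.Read(key); rng.Read(salt); rng.Read(rec.Explicit)
	copy(dump[3000:], ExpandKey128(key)) // where the library kept the schedule
	copy(dump[6100:], salt)              // where it kept the implicit IV
	plaintext := []byte("GET /status HTTP/1.1\r\nHost: example.invalid\r\n\r\n")
	rec.AAD = make([]byte, 13)
	binary.BigEndian.PutUint64(rec.AAD, 1)       // sequence number 1
	copy(rec.AAD[8:], []byte{0x17, 0x03, 0x03}) // application_data, TLS 1.2
	binary.BigEndian.PutUint16(rec.AAD[11:], uint16(len(plaintext)))
	block, _ := aes.NewCipher(key); gcm, _ := cipher.NewGCM(block)
	rec.Sealed = gcm.Seal(nil, append(append([]byte{}, salt...), rec.Explicit...), plaintext, rec.AAD)
	return
}
```

Calling `FindAESKeySchedules` on the dump returned by `BuildDump` yields the single offset 3000, and `FindGCMSalt` with the 16 bytes found there recovers the implicit IV and the HTTP plaintext; a wrong key never authenticates. The same decomposition does not carry over unchanged to every cipher (a cipher whose key schedule is not kept in memory offers no such nonce-free check), which is why the abstract speaks of a separate linear-time technique per cipher.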