When searching for information on your computer, remember that it lives not only in permanent storage (solid state drives, hard drives, removable media, etc.) but also in RAM, in the memory of the processes that handle it.
The information on the hard disk and the information in RAM are not always the same:
- it can be encrypted on the hard drive but not in RAM (example: a VeraCrypt encrypted drive stores a text file with passwords, and that file is opened in a text editor – in this case the passwords from the file will sit in RAM in plain text)
- information can be created during computation or received from the network (in this case the original information is not in permanent storage at all)
Analysis of the contents (a dump) of a running process is often used in reverse engineering when the file on disk is encrypted or packed: to execute, the file must still be decrypted in RAM, so analyzing the running process makes reverse engineering easier.
You can also think of other ways of analyzing and searching through RAM:
- detecting applications that monitor the clipboard
- assessing the quality of programs designed to store passwords – if such a program holds passwords in RAM as plain text while running, it is strongly recommended not to use it
- search for an app that contains certain strings or connects to a certain host
mXtract is an open source tool for Linux that analyzes and dumps the contents of processes in RAM. It is designed as an offensive penetration testing tool; its main purpose is to scan RAM for private keys, IP addresses and passwords using regular expressions. Remember, your results are only as good as your regular expressions.
-v Enable Verbose Output
-s Suppress Banner
-h Help
-c suppress colored output
-r= Regex DB
-a Scan all memory ranges not just heap/stack
-w Write raw memory to file Default directory is pid/
-o Write regex output to file
-d= Custom Ouput Directory
-p= Specify single pid to scan
Either -r= or -w needed
Examples of launching mXtract:
Scan with verbose output (-v) the process with PID 4 (-p=4), searching with a simple regular expression that detects IP addresses (-r=example_regexes.db), scanning every data segment (-a), displaying information about the process (-i) and scanning the environment files (-e):
mxtract -p=4 -r=example_regexes.db -v -a -e -i
The same scan without the environment files (-e):
mxtract -p=4 -r=example_regexes.db -v -a -i
Non-verbose scan of the process with PID 4 (-p=4), searching with a simple regular expression that detects IP addresses (-r=example_regexes.db), displaying information about the process (-i) and scanning the environment files (-e):
mxtract -p=4 -r=example_regexes.db -e -i
Installation in Kali Linux:
git clone https://github.com/rek7/mXtract
cd mXtract && sh compile.sh
sudo mv bin/mxtract /usr/bin/
sudo mkdir -p /usr/share/doc/mxtract/
mv example_regexes.db /usr/share/doc/mxtract/
Installation in BlackArch:
The program is pre-installed in BlackArch.
sudo pacman -S mxtract
When you start scanning processes, mXtract sometimes hangs and does not work normally again until the next reboot. When regular expressions use wildcards (dot and asterisk), a segmentation fault may occur.
Evaluation of password storage programs
Programs can store passwords as their primary function (the various password managers) or store passwords for user convenience (FTP clients, web browsers, etc.). You can also test different ways of storing passwords (e.g. in a plain text file on an encrypted disk).
Instead of regular expressions, you can specify literal search strings, and you can list several passwords as such strings. Each string or regular expression must be on its own line. For example, you can create a file passwords.db and write there:
By the way, letters of national alphabets (anything other than English letters) are most likely handled by the computer in one encoding or another, so a literal match of the line is unlikely – first you need to write the string as a sequence of bytes in the desired encoding.
After that you can run a search on the content of processes in RAM:
For example, passwords in an open text file, even one on an encrypted partition, are found without difficulty this way.
Search for programs that have access to the clipboard
First, you need to remember that data copied to the clipboard is often available as plain text (although this depends on the programs). Secondly, in this way you can find a program that watches the clipboard without your knowledge.
Let’s create a clipboard.db file and write any unique line into it, for example:
Let’s copy it to the clipboard and start scanning processes:
You will be able to detect programs that contain this line (the screenshot shows a legitimate program – I took it just as an example):
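The two checks above (does a password manager keep passwords in plain text while running, and which processes hold a marker string that was copied to the clipboard) are both the same operation: read a process's memory ranges and search them for a list of literal strings or regexes. The scanner below is an added example written for this page, not mXtract's own code. It assumes the Linux /proc layout (/proc/<pid>/maps and /proc/<pid>/mem), needs ptrace access to the target (your own processes, or root), and tries each literal in a constructed set of encodings (utf-8, utf-16-le, cp1251) to cover the national-alphabet caveat; the maps text, the db lines and the memory buffer used in the self-check are constructed sample data.

```python
"""Scan a Linux process's memory for literal strings or regexes, the way the
page uses mXtract.  Added example, not mXtract's own code.  Assumes the Linux
/proc layout; parse_maps/load_patterns/scan_buffer work on plain buffers."""
import os
import re
import sys
from typing import List, NamedTuple, Tuple

# Assumption: encodings worth trying for a non-ASCII literal.  Text typed in an
# editor is usually UTF-8; Qt/Windows-style programs may hold it as UTF-16LE;
# older Russian software may use cp1251.
ENCODINGS = ("utf-8", "utf-16-le", "cp1251")


class Region(NamedTuple):
    start: int
    end: int
    perms: str
    name: str


class Hit(NamedTuple):
    offset: int     # absolute address inside the scanned process
    label: str      # the db line that matched
    encoding: str   # encoding of the literal, or "regex"
    match: bytes    # matched bytes with a little context on each side


def parse_maps(maps_text: str) -> List[Region]:
    """Parse the text of /proc/<pid>/maps into address ranges."""
    regions = []
    for line in maps_text.splitlines():
        parts = line.split(None, 5)
        if len(parts) < 5:
            continue
        lo, hi = (int(x, 16) for x in parts[0].split("-"))
        name = parts[5].strip() if len(parts) == 6 else ""
        regions.append(Region(lo, hi, parts[1], name))
    return regions


def readable_regions(regions: List[Region], all_ranges: bool = False) -> List[Region]:
    """Default is heap and stack only; all_ranges mirrors mXtract's -a and takes
    every readable mapping (anonymous mmap arenas, shared libraries, ...)."""
    return [r for r in regions
            if "r" in r.perms and (all_ranges or r.name in ("[heap]", "[stack]"))]


def load_patterns(db_text: str, literal: bool = True,
                  encodings=ENCODINGS) -> List[Tuple[str, str, re.Pattern]]:
    """One pattern per line, '#' lines ignored.  Literals are escaped and encoded
    in each candidate encoding; regex lines are compiled as-is over UTF-8 bytes
    (encoding a regex as UTF-16 would put NUL bytes inside its metacharacters)."""
    patterns, seen = [], set()
    for line in db_text.splitlines():
        text = line.strip()
        if not text or text.startswith("#"):
            continue
        if not literal:
            patterns.append((text, "regex", re.compile(text.encode("utf-8"))))
            continue
        for enc in encodings:
            try:
                raw = text.encode(enc)
            except UnicodeEncodeError:
                continue                     # literal not representable in enc
            if raw not in seen:              # ASCII is identical in utf-8 and cp1251
                seen.add(raw)
                patterns.append((text, enc, re.compile(re.escape(raw))))
    return patterns


def scan_buffer(buf: bytes, base: int, patterns, context: int = 8) -> List[Hit]:
    """Run every pattern over one region; offsets are reported as process addresses."""
    hits = []
    for label, enc, rx in patterns:
        for m in rx.finditer(buf):
            lo, hi = max(0, m.start() - context), min(len(buf), m.end() + context)
            hits.append(Hit(base + m.start(), label, enc, buf[lo:hi]))
    return sorted(hits)


def scan_pid(pid: int, patterns, all_ranges: bool = False) -> List[Hit]:
    """Read each selected mapping through /proc/<pid>/mem and scan it."""
    with open(f"/proc/{pid}/maps") as f:
        regions = readable_regions(parse_maps(f.read()), all_ranges)
    hits = []
    with open(f"/proc/{pid}/mem", "rb", 0) as mem:
        for r in regions:
            try:
                mem.seek(r.start)
                buf = mem.read(r.end - r.start)
            except (OSError, OverflowError):
                continue                     # [vvar]/[vsyscall] refuse reads
            hits.extend(scan_buffer(buf, r.start, patterns))
    return hits


if __name__ == "__main__":
    # Self-check: hold a constructed secret in this process and look for it.
    # all_ranges=True is needed because CPython keeps small objects in mmap'd
    # arenas rather than in [heap]; the db's own pattern bytes also show up.
    secret = "hunter2-" + "пароль"
    if sys.platform.startswith("linux"):
        for h in scan_pid(os.getpid(), load_patterns(secret), all_ranges=True):
            print(f"{h.offset:#x} {h.encoding:10s} {h.match!r}")
```

To repeat the page's two procedures with this script, put the passwords (or the unique clipboard marker) one per line in a db file, call load_patterns on its text, and run scan_pid over each PID listed in /proc that you are allowed to read; a hit in a password manager's process after the vault is locked, or in a process that has no business holding the clipboard marker, is the finding the page describes. Note that the encoding guess matters: a Cyrillic password that the program holds as UTF-16 will never match the UTF-8 bytes of the same text, which is why the literal is compiled once per encoding.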