fl42
commented
4 months ago Hello,
It should work too. Would you mind sharing a minimal reproducible example?
Closed WhatDaniel closed 4 months ago
fl42
commented
4 months ago Hello,
It should work too. Would you mind sharing a minimal reproducible example?
WhatDaniel
commented
4 months ago Sorry, i can't share it with you directly, but you can use the file this url (https://www.virustotal.com/gui/file/d7df995dd45d5498770389d9e85064cdaa12f623ae9a22b6c61966c70eee5161/details) mentioned.
aurelf
commented
4 months ago This is a malware, and it is probably obfuscated. This means the memory diff may not contain the plain key, the key could be only in registers, masked, obfuscated, etc. This is a known limitation of the approach, that we mention in the paper. Of course it may work for some malware, and we could investigate specific cases to find some possible improvements, but those will be less generic. I propose to close the issue, but if you provide more details on how this malware is evading detection, and ways towards better support, we can reopen.
Have you ever tested with statically linked process? I tested failed, it didn't catch keys. And some processes they don't have [heap] section, would it influence the result?