eurecom-s3 / x-ray-tls

Generic and transparent TLS inspection for local programs
https://dl.acm.org/doi/10.1145/3634737.3637654

statically linked process test #2

Closed WhatDaniel closed 4 months ago

WhatDaniel commented 5 months ago

Have you ever tested with a statically linked process? I tested one and it failed; it didn't catch the keys. Also, some processes don't have a [heap] section; would that influence the result?

fl42 commented 4 months ago

Hello,

It should work too. Would you mind sharing a minimal reproducible example?

WhatDaniel commented 4 months ago

Sorry, I can't share it with you directly, but you can use the file this URL (https://www.virustotal.com/gui/file/d7df995dd45d5498770389d9e85064cdaa12f623ae9a22b6c61966c70eee5161/details) refers to.

aurelf commented 4 months ago

This is malware, and it is probably obfuscated. This means the memory diff may not contain the plain key; the key could be held only in registers, masked, obfuscated, etc. This is a known limitation of the approach, which we mention in the paper. Of course it may work for some malware, and we could investigate specific cases to find possible improvements, but those will be less generic. I propose to close the issue, but if you provide more details on how this malware is evading detection, and ways towards better support, we can reopen.
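An added illustration of the memory-diff idea the maintainers refer to above, and of the masking failure mode that makes it miss. This is example code written for this page, not X-Ray-TLS code: process memory is two constructed byte strings (a snapshot before and after the "handshake"), and an HMAC-SHA256 tag over a constructed record stands in for checking a candidate key against captured TLS records, which the real tool would do with the negotiated cipher suite. The key-XOR-adjacent-mask storage scheme, the `simulate_process` helper and all offsets are assumptions chosen for the demonstration.

```python
"""Toy model of memory-diff session-key recovery and its masking limitation.

Added example for this issue thread, not X-Ray-TLS code. Memory snapshots,
the captured 'record' and the masking scheme are all constructed here.
"""
import hashlib
import hmac
from itertools import combinations

KEY_LEN = 32
MEM_SIZE = 4096


def candidate_keys(before: bytes, after: bytes, key_len: int = KEY_LEN,
                   min_changed: int = 24) -> set:
    """Every key_len-byte window of `after` in which at least `min_changed`
    bytes differ from `before`. A threshold rather than a strict run of
    changed bytes tolerates the odd byte that coincidentally matches."""
    assert len(before) == len(after)
    changed = [b != a for b, a in zip(before, after)]
    prefix = [0]                      # prefix sums: O(1) changed count per window
    for c in changed:
        prefix.append(prefix[-1] + c)
    out = set()
    for i in range(len(after) - key_len + 1):
        if prefix[i + key_len] - prefix[i] >= min_changed:
            out.add(after[i:i + key_len])
    return out


def verify_key(key: bytes, record: bytes, tag: bytes) -> bool:
    """Stand-in for authenticating/decrypting a captured record with the
    candidate; real TLS would use the negotiated AEAD instead of HMAC."""
    return hmac.compare_digest(hmac.new(key, record, hashlib.sha256).digest(), tag)


def find_session_key(before: bytes, after: bytes, record: bytes, tag: bytes,
                     try_xor_pairs: bool = False):
    """Return the first candidate from the memory diff that validates against
    the captured record, or None. With try_xor_pairs, also try the XOR of every
    pair of candidates: a scheme-specific unmasking step (assumed scheme: key
    stored XOR a mask that also lives in memory), i.e. the 'less generic'
    kind of fix the maintainers mention."""
    cands = candidate_keys(before, after)
    if try_xor_pairs:
        cands |= {bytes(x ^ y for x, y in zip(a, b))
                  for a, b in combinations(sorted(cands), 2)}
    for c in cands:
        if verify_key(c, record, tag):
            return c
    return None


def simulate_process(mask_key: bool):
    """Constructed snapshots. 'before' is a fixed pattern; 'after' adds an
    unrelated counter, an unrelated I/O buffer, and the session key stored
    either plainly or XOR-masked with the mask right next to it."""
    before = bytes(range(256)) * (MEM_SIZE // 256)
    mem = bytearray(before)
    key = hashlib.sha256(b"constructed session key").digest()
    mem[0x40:0x44] = (7).to_bytes(4, "little")             # too short to be a key
    noise = hashlib.sha256(b"unrelated io buffer").digest()
    mem[0x800:0x840] = noise + noise[::-1]                  # changed, but not the key
    if mask_key:
        mask = hashlib.sha256(b"per-process mask").digest()
        mem[0x400:0x420] = bytes(k ^ m for k, m in zip(key, mask))
        mem[0x420:0x440] = mask
    else:
        mem[0x400:0x420] = key
    record = b"constructed application-data record"
    tag = hmac.new(key, record, hashlib.sha256).digest()    # what the 'capture' lets us check
    return before, bytes(mem), key, record, tag


if __name__ == "__main__":
    for masked in (False, True):
        before, after, key, record, tag = simulate_process(masked)
        generic = find_session_key(before, after, record, tag)
        unmasked = find_session_key(before, after, record, tag, try_xor_pairs=True)
        print(f"masked={masked}: generic diff {'found' if generic == key else 'missed'} "
              f"the key; scheme-specific unmasking {'found' if unmasked == key else 'missed'} it")
```

In the plain case the key sits in the diff and validates; in the masked case the diff contains only the masked key and the mask, so no window validates and the generic search returns None, which is exactly the limitation described above. The XOR-pair step recovers it, but only because the storage scheme is known in advance.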