Closed WhatDaniel closed 4 months ago
Hello,
It should work too. Would you mind sharing a minimal reproducible example?
Sorry, I can't share it with you directly, but you can use the file that this URL (https://www.virustotal.com/gui/file/d7df995dd45d5498770389d9e85064cdaa12f623ae9a22b6c61966c70eee5161/details) mentions.
This is malware, and it is probably obfuscated. This means the memory diff may not contain the plain key; the key could be only in registers, masked, obfuscated, etc. This is a known limitation of the approach, which we mention in the paper. Of course it may work for some malware, and we could investigate specific cases to find some possible improvements, but those will be less generic. I propose to close the issue, but if you provide more details on how this malware is evading detection, and ways towards better support, we can reopen.
Have you ever tested with a statically linked process? My test failed; it didn't catch the keys. Also, some processes don't have a [heap] section; would that influence the result?
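The "[heap]" label in the question refers to the Linux `/proc/<pid>/maps` view of a process; a process that allocates through mmap-based allocators, or a statically linked binary with an unusual layout, may hold its working data in anonymous writable mappings that carry no `[heap]` label at all. The script below is an added example (not the project's own code, and not from the thread's participants) that parses maps-format lines and reports which writable regions a memory-diff pass would need to cover if it only looked at `[heap]`. The maps lines embedded in it are constructed sample input; the `/tmp/sample` path and the addresses are invented for illustration.

```python
"""Parse Linux /proc/<pid>/maps lines and report writable regions.

Added example: shows why checking only for a "[heap]" mapping can miss
process memory, because heap-like data may live in unlabeled anonymous
rw-p mappings. Uses the documented maps line format:
  start-end perms offset dev inode [path]
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample: a process with no [heap] label but several rw-p regions.
SAMPLE_MAPS_NO_HEAP = """\
00400000-00401000 r--p 00000000 08:01 1234 /tmp/sample
00401000-00480000 r-xp 00001000 08:01 1234 /tmp/sample
004c8000-004cb000 rw-p 000c7000 08:01 1234 /tmp/sample
004cb000-004ce000 rw-p 00000000 00:00 0
7f0000000000-7f0000021000 rw-p 00000000 00:00 0
7ffd1a2b3000-7ffd1a2d4000 rw-p 00000000 00:00 0 [stack]
7ffd1a2f5000-7ffd1a2f7000 r-xp 00000000 00:00 0 [vdso]
"""

# Constructed sample: the common case where brk-based allocation is labeled.
SAMPLE_MAPS_WITH_HEAP = """\
00400000-00401000 r--p 00000000 08:01 1234 /tmp/sample
00401000-00480000 r-xp 00001000 08:01 1234 /tmp/sample
01e00000-01e21000 rw-p 00000000 00:00 0 [heap]
7ffd1a2b3000-7ffd1a2d4000 rw-p 00000000 00:00 0 [stack]
"""

MAPS_RE = re.compile(
    r"^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+)\s+(?P<perms>[rwxsp-]{4})\s+"
    r"(?P<offset>[0-9a-f]+)\s+(?P<dev>[0-9a-f]+:[0-9a-f]+)\s+(?P<inode>\d+)\s*(?P<path>.*)$"
)


@dataclass
class Region:
    start: int
    end: int
    perms: str
    path: str  # "" for unlabeled anonymous mappings

    @property
    def size(self) -> int:
        return self.end - self.start

    @property
    def writable(self) -> bool:
        return "w" in self.perms

    @property
    def anonymous(self) -> bool:
        # No backing file: empty path or a kernel pseudo-label like [heap]/[stack].
        return self.path == "" or self.path.startswith("[")


def parse_maps(text: str) -> List[Region]:
    """Parse maps-format text; lines that do not match the format are skipped."""
    regions = []
    for line in text.splitlines():
        m = MAPS_RE.match(line.strip())
        if not m:
            continue
        regions.append(Region(int(m["start"], 16), int(m["end"], 16),
                              m["perms"], m["path"].strip()))
    return regions


def has_heap_label(regions: List[Region]) -> bool:
    return any(r.path == "[heap]" for r in regions)


def writable_regions(regions: List[Region]) -> List[Region]:
    """All writable mappings: what a memory diff must cover to see mutable data."""
    return [r for r in regions if r.writable]


def summarize(text: str) -> Dict[str, object]:
    """Return counts a tool author would check before trusting a [heap]-only scan."""
    regions = parse_maps(text)
    writable = writable_regions(regions)
    return {
        "regions": len(regions),
        "has_heap_label": has_heap_label(regions),
        "writable_count": len(writable),
        "writable_bytes": sum(r.size for r in writable),
        "unlabeled_anon_writable": sum(
            1 for r in writable if r.anonymous and r.path == ""),
    }


if __name__ == "__main__":
    for name, text in (("no_heap", SAMPLE_MAPS_NO_HEAP), ("with_heap", SAMPLE_MAPS_WITH_HEAP)):
        print(name, summarize(text))
```

On the first sample, `has_heap_label` is false while four writable regions (0x48000 bytes) still exist, two of them unlabeled anonymous mappings; a diff restricted to `[heap]` would read nothing there, which is one concrete reason a key-recovery pass can come back empty on such a process.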