Hi Fengwei,

I wouldn't want to do the work in your place myself, but it's pretty straightforward. It's relatively easy to open the openssh .h files that describe the data structures and scan for matching patterns in the memory. For instance, a pointer would point to either some mapped memory or 0, when it would be unlikely for an integer to be a valid pointer. Also, all cryptographic primitives (like AES) leave very distinct traces in the memory. "All" you have to do is to find pointers referencing them and scan the memory bottom-up.

I also think many data structures are allocated on the bss. In that case it's not even needed to brute-force the memory to find what you need.

Regards,
Aris

On 7/05/14 00:01, Fengwei Zhang wrote:
> Hello Cal,
>
> Thanks for sharing these great links. These articles use a characteristic of the RSA/DSA structure, and search for the structure in process memory to extract the private key. It verifies the structure by using the RSA/DSA algorithm.
>
> However, my goal is to find the session key (in the struct session_state), and the techniques from the articles won't work because we cannot validate the session_state (or the related) structures (i.e., no validating algorithm).
>
> So I am wondering if there is any SSH data structure with a fixed offset from somewhere (e.g., 0xdead from text_base). Or if there is any data structure with a characteristic that I can search for?
>
> Thanks,
> Fengwei
>
> On May 4, 2014, at 4:49 PM, Cal Leeming [Simplicity Media Ltd] <cal.leeming@xxxxxxxxxxxxxxxxxxxxxxxx> wrote:
>
>> Although I cannot speak with any authority on the data structures of SSH, I can at least point you in the right direction on tools already available.
>>
>> Looks like someone also wrote a tool already to do SSH key extraction from memory;
>> https://github.com/kholia/passe-partout
>>
>> Have a look at the volatility framework;
>> https://code.google.com/p/volatility/wiki/VolatilityIntroduction?tm=6
>> http://www.forensicswiki.org/wiki/Volatility_Framework
>> http://www.forensicswiki.org/wiki/List_of_Volatility_Plugins
>>
>> Also these;
>> http://sneakygcr.tumblr.com/post/52514790216/how-to-extract-the-private-key-from-a-running-ssh
>> http://c0decstuff.blogspot.co.uk/2011/01/in-memory-extraction-of-ssl-private.html
>> http://www.vnsecurity.net/2009/10/how-to-recover-rsa-private-key-in-a-coredump-of-ssh-agent-sapheads-hackjam-2009-challenge-6/
>>
>> Hope this helps
>>
>> Cal
>>
>> On Sun, May 4, 2014 at 9:37 PM, Fengwei Zhang <namedylan@xxxxxxxxx> wrote:
>> Hello List,
>>
>> One of my projects needs memory forensics of OpenSSH. Here is a brief description of the problem:
>>
>> I have a raw memory dump, and all of the kernel data structures (e.g., task_struct, mm_struct) have been figured out. Now, I want to retrieve the data structures (e.g., struct session_state) of an SSH process instance. Finding a session key (active_state->newkeys) could be an example. In order to find this information, I think I need a starting point (i.e., memory address) of the OpenSSH data structures.
>>
>> Does anyone know how to tackle this problem? Any comments and suggestions are much appreciated.
>>
>> Thanks,
>> Fengwei
>> _______________________________________________
>> openssh-unix-dev mailing list
>> openssh-unix-dev@xxxxxxxxxxx
>> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
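Aris's remark that cryptographic primitives such as AES "leave very distinct traces in the memory" is the one concrete handle in this thread for a forensic analyst who has a raw dump but no validating algorithm for session_state. The example below, added here and not code from the thread, from OpenSSH or from Volatility, shows what that trace is: OpenSSH keeps the expanded round keys of the session cipher in process memory, and FIPS-197 key expansion makes each 16-byte AES-128 round key a deterministic function of the previous one, so a 176-byte region either is a self-consistent schedule or is not. The memory image, the offset and the planted key (the FIPS-197 Appendix A.1 test key) are constructed for the demonstration; on a real dump you would feed it the process's mapped regions.

```python
"""Scan a raw memory image for expanded AES-128 key schedules.

Added example for the openssh-unix-dev thread above; not OpenSSH or
Volatility code. A 176-byte AES-128 key schedule is self-validating:
round key r+1 is derived from round key r by the FIPS-197 expansion,
so a candidate 16-byte key is confirmed by expanding it and comparing
against the bytes that follow it in the image.
"""

# AES S-box (FIPS-197, Figure 7), row by row.
SBOX = bytes.fromhex(
    "637c777bf26b6fc53001672bfed7ab76"
    "ca82c97dfa5947f0add4a2af9ca472c0"
    "b7fd9326363ff7cc34a5e5f171d83115"
    "04c723c31896059a071280e2eb27b275"
    "09832c1a1b6e5aa0523bd6b329e32f84"
    "53d100ed20fcb15b6acbbe394a4c58cf"
    "d0efaafb434d338545f9027f503c9fa8"
    "51a3408f929d38f5bcb6da2110fff3d2"
    "cd0c13ec5f974417c4a77e3d645d1973"
    "60814fdc222a908846eeb814de5e0bdb"
    "e0323a0a4906245cc2d3ac629195e479"
    "e7c8376d8dd54ea96c56f4ea657aae08"
    "ba78252e1ca6b4c6e8dd741f4bbd8b8a"
    "703eb5664803f60e613557b986c11d9e"
    "e1f8981169d98e949b1e87e9ce5528df"
    "8ca1890dbfe6426841992d0fb054bb16"
)

# Round constants for AES-128 (rounds 1..10).
RCON = [0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1B, 0x36]


def iter_round_keys(key):
    """Yield the 11 round keys of AES-128 for a 16-byte key, one at a time.

    Yielding lazily lets the scanner stop at the first mismatching round
    instead of expanding the whole schedule at every offset.
    """
    words = [key[i:i + 4] for i in range(0, 16, 4)]
    yield key
    for i in range(4, 44):
        t = words[i - 1]
        if i % 4 == 0:
            t = bytes(SBOX[b] for b in t[1:] + t[:1])     # RotWord + SubWord
            t = bytes([t[0] ^ RCON[i // 4 - 1]]) + t[1:]  # XOR Rcon
        words.append(bytes(a ^ b for a, b in zip(words[i - 4], t)))
        if i % 4 == 3:
            yield b"".join(words[i - 3:i + 1])


def expand_key_128(key):
    """Return the full 176-byte AES-128 key schedule."""
    return b"".join(iter_round_keys(key))


def find_aes128_schedules(image):
    """Return [(offset, key)] for every offset whose 176 bytes form a valid schedule."""
    hits = []
    for off in range(len(image) - 176 + 1):
        for r, rk in enumerate(iter_round_keys(image[off:off + 16])):
            if image[off + 16 * r:off + 16 * (r + 1)] != rk:
                break
        else:
            hits.append((off, image[off:off + 16]))
    return hits


# Constructed sample image: deterministic filler standing in for a slice of
# an sshd heap, with one schedule planted at offset 300. The key is the
# FIPS-197 Appendix A.1 test key, not a real session key.
SAMPLE_KEY = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")
SAMPLE_OFFSET = 300
_filler = bytes((i * 37 + 11) & 0xFF for i in range(1024))
SAMPLE_IMAGE = (_filler[:SAMPLE_OFFSET] + expand_key_128(SAMPLE_KEY)
                + _filler[SAMPLE_OFFSET + 176:])

if __name__ == "__main__":
    for off, key in find_aes128_schedules(SAMPLE_IMAGE):
        print(f"AES-128 schedule at offset 0x{off:x}, key {key.hex()}")
```

Because round key 0 is the key itself, the check is a byte-for-byte comparison of the following 160 bytes against the expansion, with no false positives from uniform or low-entropy filler (an all-zero region, for example, expands to a non-zero round 1). Run against a real process image, such a hit gives the analyst the starting address that the thread is asking for: the schedule lives inside the cipher context that session_state's newkeys points to, so the surrounding pointers can then be checked against the process's mapped ranges, as Aris suggests.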