-1

My question: Is it possible to copy the contents of RAM to the file-system? (Windows)

Additionally, is it possible to copy the RAM contents for a specific process?

Reason:

This largely revolves around CryptoLocker (as well as similar malware) and making it possible to recover data quickly without having to pay for the private key that it uses.

While CryptoLocker doesn't store the private key anywhere on the file-system, it does need to keep it in memory to continuously encrypt files. So given that you can capture an active CryptoLocker process, know the length of the private key, and you know what encryption was used, you theoretically could loop through each bit attempting to decrypt a specific (small) file.

Nicholas Summers
  • 1
    It is indeed possible to dump all data in memory on a Windows installation. Of course it wouldn't be very helpful, since you would need to know the exact starting and ending address and you won't be able to determine that. Of course the key itself would appear to be random, so the likelihood of you actually finding it is so low it cannot even be expressed in words. There are better ways to avoid CryptoLocker, ways that actually stand a chance of preventing the infection instead of allowing the infection to actually happen – Ramhound May 18 '16 at 15:40
  • 4
    Possible duplicate of [How can I dump the memory of a process in Windows 7?](http://superuser.com/questions/133938/how-can-i-dump-the-memory-of-a-process-in-windows-7), also see [How do I create a memory dump of my computer freeze or crash?](http://superuser.com/questions/224496/how-do-i-create-a-memory-dump-of-my-computer-freeze-or-crash) – Ƭᴇcʜιᴇ007 May 18 '16 at 15:42
  • It is possible, as that is what Hibernation does. – Keltari May 18 '16 at 15:43
  • 4
    Why this idea is unrealistic: all it would take is a shift operation within CryptoLocker to make the memory dump useless. In other words it would be trivial to protect the private key from such a basic action. There's also the whole fact that what would be in memory would be the public key, not the private key..... *The private key is safely stored on the criminal's server, only downloaded when you pay them.* In case you forgot how async encryption works -> Private = Decrypt; Public = Encrypt. – Ramhound May 18 '16 at 15:46
  • @Ramhound, your assumptions on how public and private keys work are wrong; public keys are identifiers, they are not actually used for encryption. Two-way encryption requires one key to both encrypt and decrypt information. Public keys only identify you. – Nicholas Summers May 18 '16 at 16:00
  • Sorry @NickJ, but just because it is convention to use a public key to encrypt a session key for key exchange and then use *that* session key to do the encryption does not mean it is difficult or even impractical to just use the public key in the first place for encryption. It is perfectly reasonable to do a one time public/private key generation, send off the private key (destroying all evidence of it) and then encrypt all the files using the public key. Public/private keys rely on asymmetric encryption where only the public key can decrypt the content of a private message and vice versa. – Mokubai May 18 '16 at 16:23
  • Basically the public key *cannot* decrypt something that was encrypted using the public key, nor can the private key decrypt something encrypted with the private key, you need both parts of the key to perform decryption and this is something cryptolocker will work to prevent without you paying. http://searchsecurity.techtarget.com/definition/asymmetric-cryptography https://en.wikipedia.org/wiki/Public-key_cryptography – Mokubai May 18 '16 at 16:27
  • @Mokubai that is true, however if the developer stores the resulting key for encryption within a variable then that variable will be stored as plain text in memory – Nicholas Summers May 18 '16 at 16:30
  • But you only have one half of the key, the one you need for *encryption*. You do not have the part of the key required for decryption. The software doesn't need to care about keeping hold of the secret key so the only place it will be stored will be on a remote server for use once you've paid up. It doesn't *need* the second half of the key *at all* for the encryption process. Read the link I gave on public key cryptography. – Mokubai May 18 '16 at 16:35

1 Answer

2

Dumping the contents of memory will not help you here if the software is even vaguely smart about the proper use of public key cryptography. If you need to forcibly dump your memory though, there's a handy answer on this question: How do I create a memory dump of my computer freeze or crash?

Public key cryptography makes use of asymmetric encryption, where one half of the key is used to encrypt a message and you must use the other half of the key to decrypt it. You cannot use the same half of the key to decrypt a message (or file) that was encrypted using that half of the key.

You can use a public key to decrypt a message made using the private key, or use the private key to decrypt a message created using the public key, but not private-private or public-public.

From the Cryptolocker Wikipedia page:

When first run, the payload installs itself in the user profile folder, and adds a key to the registry that causes it to run on startup. It then attempts to contact one of several designated command and control servers; once connected, the server generates a 2048-bit RSA key pair, and sends the public key back to the infected computer...

The payload then encrypts files across local hard drives and mapped network drives with the public key.

Because you only have one half of the key all that you can do is encrypt messages (files). You need the other part of the key to do the needful and recover your files.

In this case dumping the contents of memory will not be useful to you, because all it contains is the way to continue making things worse.

Your computer never holds both parts of the key, except after you have been given it.


To further elaborate...

One problem with public key cryptography is that due to the larger key sizes using it is computationally expensive compared to symmetric key (reversible) encryption. For this reason many systems use public key cryptography to securely exchange a symmetric key which is then used for further communication with lower overheads.

In this case though the use of the simpler symmetric key is unnecessary and would work against the malware author. If they used a symmetric key then you could, as you surmise, simply force all the memory to disk and start rubbing blocks of memory at your encrypted files until they open up. This is still going to take a long time though and I suspect would be infeasible given the amount of memory to check for keys. By eschewing a symmetric key stage they increase their impact at the cost of higher computational requirements.

Once the malware has started then you've already lost at least some files, and by being selective about the file types and file sizes they target they can do maximum damage with resources available. Even lower power modern CPUs could probably get a good amount encrypted before you'd notice, even with the more expensive asymmetric encryption.

By using public key cryptography they are ensuring that you need them to give you the unlocking key. Without them giving it to you there is nothing you can do.

Mokubai
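The key-location argument in the answer above, as an added worked example that is not part of the original post and models no real malware: an RSA key pair is generated on the "server" side, only the public half is handed to the encrypting process, and a constructed stand-in for that process's memory image is searched for usable key material. The `memory_image`, `dump_contains` and other function names, the noise-padded dump layout and the sample message are all assumptions made for this demo; textbook RSA without padding is used only to show which half of the key decrypts and is not a secure construction.

```python
"""Which half of an RSA key a memory dump can contain, and what that half
can and cannot do. Added example; constructed values throughout."""
import secrets


def is_probable_prime(n: int, rounds: int = 40) -> bool:
    """Miller-Rabin primality test with random bases."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = 2 + secrets.randbelow(n - 3)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def generate_prime(bits: int) -> int:
    """Random odd candidate of exactly `bits` bits until one passes the test."""
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand


def generate_keypair(modulus_bits: int = 1024):
    """Server-side key generation. Returns ((n, e), d).
    The page's CryptoLocker used 2048 bits; smaller sizes only keep the demo fast."""
    e = 65537
    while True:
        p = generate_prime(modulus_bits // 2)
        q = generate_prime(modulus_bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:
            return (p * q, e), pow(e, -1, phi)


def int_bytes(v: int) -> bytes:
    """Big-endian encoding of a non-negative integer, as it might sit in memory."""
    return v.to_bytes((v.bit_length() + 7) // 8, "big")


def encrypt_with_public(msg: bytes, pub) -> int:
    """What the infected host can do: it holds only (n, e)."""
    n, e = pub
    m = int.from_bytes(msg, "big")
    assert m < n, "textbook RSA: message must be smaller than the modulus"
    return pow(m, e, n)


def decrypt_with_private(c: int, d: int, n: int, length: int) -> bytes:
    """What only the holder of d can do."""
    return pow(c, d, n).to_bytes(length, "big")


def recover_with_public_only(c: int, pub) -> int:
    """Applying the public exponent again (public-public) does not undo encryption."""
    n, e = pub
    return pow(c, e, n)


def memory_image(pub) -> bytes:
    """Constructed stand-in for a process memory dump: heap noise around the
    only key material the asymmetric design keeps resident, the public half."""
    n, e = pub
    return secrets.token_bytes(4096) + int_bytes(n) + int_bytes(e) + secrets.token_bytes(4096)


def dump_contains(dump: bytes, value: bytes) -> bool:
    """Forensic check: does the serialized value occur anywhere in the dump?"""
    return value in dump


if __name__ == "__main__":
    pub, d = generate_keypair(1024)
    n, e = pub
    msg = b"constructed file header"          # stands in for a small victim file
    c = encrypt_with_public(msg, pub)
    dump = memory_image(pub)                   # d never reached this machine
    print("private key d in dump:", dump_contains(dump, int_bytes(d)))
    print("public modulus n in dump:", dump_contains(dump, int_bytes(n)))
    print("public half recovers plaintext:", recover_with_public_only(c, pub) == int.from_bytes(msg, "big"))
    print("private half recovers plaintext:", decrypt_with_private(c, d, n, len(msg)) == msg)
```

Running the block shows the three facts the answer relies on: the dump does contain the public modulus, it does not contain the private exponent because that value was never on the host, and re-applying the public half to the ciphertext yields garbage rather than the file. A memory dump is only worth searching when the design keeps a symmetric or private key resident, which is exactly the case the answer says a careful author avoids.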