#---------------------------------------------------------------------
# Simple IDA script to extract RSA private keys and certificates.
# kyprizel, 2010
#
# Based on original idea and PoC by Tobias Klein
# http://www.trapkit.de/research/sslkeyfinder/
#---------------------------------------------------------------------
import os
import idaapi
from idautils import *
#OUTFOLDER = 'c:\\temp\\'
OUTFOLDER = os.path.dirname(GetInputFilePath())
patterns = (
dict(name='X.509 Public Key Infrastructure Certificates',
sig='30 82 ? ? 30 82 ? ?',
outfile='%s.crt'
),
dict(name='PKCS #8: Private-Key Information Syntax Standard',
sig='30 82 ? ? 02 01 00',
outfile='%s.key'
),)
def find_sig(next_seg, pat, dump_cb):
"""
Scan binary image for pattern and run dump callback function.
@param next_seg: Start address
@param pat: Dict with config
@param dump_cb: Certificate dump callback
"""
ea = SegStart(next_seg)
seg_end = SegEnd(next_seg)
Message('Searching for %s\n' % pat['name'])
# Message('Current Seg %s\n' % SegName(next_seg))
while next_seg != BADADDR:
ea = idaapi.find_binary(ea, seg_end, pat['sig'], 16, 1)
if ea != BADADDR:
ea = dump_cb(ea, pat)
else:
next_seg = ea = NextSeg(seg_end)
seg_end = SegEnd(next_seg)
def dump_func(ea, pat):
"""
Dumps certificate/key from target address to file.
@param ea: Target address
@param pat: Dict with config
@return: address to continue search
"""
size = (Byte(ea+2) << 8 & 0xffff) + Byte(ea+3)
outfile = os.path.join(OUTFOLDER, pat['outfile'] % str(ea))
Message('found at %s, size: %d, saved: %s\n' % (atoa(ea), size, outfile))
SaveFile(outfile, 0, ea, size+4)
return ea+size+4
for pat in patterns:
find_sig(FirstSeg(), pat, dump_func)
Message('Key scan complete.\n')
| 
发表于 2011-1-16 12:41
发表于 2011-6-9 17:00
