Extracting Cryptographic Keys from .NET Applications

Shaun Mc Brearty (Institute of Technology, Sligo, Ireland)
William Farrelly (Letterkenny Institute of Technology, Letterkenny, Ireland)
Kevin Curran (Ulster University, Derry, United Kingdom)

Article ID: 3347


In the absence of specialized encryption hardware,cryptographic operations must be performed in main memory.As such,it is common place for cyber criminals to examine the content of main memory with a view to retrieving high-value data in plaintext form and/or the associated decryption key.In this paper,the author presents a number of simple methods for identifying and extracting cryptographic keys from memory dumps of software applications that utilize the Microsoft .NET Framework,as well as sourcecode level countermeasures to protect against same.Given the EXE file of an application and a basic knowledge of the cryptographic libraries utilized in the .NET Framework,the author shows how to create a memory dump of a running application and how to extract cryptographic keys from same using WinDBG - without any prior knowledge of the cryptographic key utilized.Whilst the proof-of-concept application utilized as part of this paper uses an implementation of the DES cipher,it should be noted that the steps shown can be utilized against all three generations of symmetric and asymmetric ciphers supported within the .NET Framework.


Cryptography;Cryptanalysis;Memory dump analysis;Memory hygiene;Key finding attack;Secure coding;.NET framework

Full Text:



[1] D. Kleiman et al., “Windows and Linux Forensics,” in The Official CHFI Study Guide (Exam 312-49),Syngress, 2007, pp. 287-349.

[2] J. M. Porup, “What is Mimikatz? And how this passwordstealing tool works,” 2019.[Online].Available:https://www.csoonline.com/article/3353416/what-is-mimikatzand-how-to-defend-against-this-password-stealing-tool.html. [Accessed: 05-Jun-2021].

[3] J. Fruhlinger, “Petya ransomware and NotPetya malware: What you need to know now,”2017.[Online].Available:https://www.csoonline.com/article/3233210/petya-ransomware-and-notpetya-malware-what-youneed-to-know-now.html. [Accessed: 09-Jun-2021].

[4] S. Ragan, “BadRabbit ransomware attacks multiple media outlets,” 2017. [Online].Available:https://www.csoonline.com/article/3234691/badrabbitransomware-attacks-multiple-media-outlets.html.[Accessed: 09-Jun-2021].

[5] G. Keizer, “Hackers spied on 300,000 Iranians using fake Google certificate,” 2011.[Online].Available:https://www.computerworld.com/article/2510951/hackers-spied-on-300-000-iranians-using-fakegoogle-certificate.html. [Accessed: 09-Jun-2021].

[6] Independent Security Evaluators (ISE), “Password Managers: Under the Hood of Secrets Management,”2019. [Online]. Available:https://www.securityevaluators.com/casestudies/password-manager-hacking/.[Accessed: 05-Jun-2021].

[7] J. Chow, B. Pfaff, T. Garfinkel, and M. Rosenblum,“Shredding Your Garbage: Reducing Data Lifetime Through Secure Deallocation,” in USENIX Security Symposium, 2005.

[8] Microsoft, “Introduction to the C# Language and the .NET Framework | Microsoft Docs.” [Online].Available:https://docs.microsoft.com/en-us/dotnet/csharp/getting-started/introduction-to-the-csharplanguage-and-the-net-framework. [Accessed: 31-May-2021].

[9] Microsoft, “System.Security.Cryptography Namespace.”[Online].Available:https://msdn.microsoft.com/en-us/library/system.security.cryptography(v=vs.110).aspx.[Accessed: 31-May-2021].

[10] Microsoft, “Getting Started with WinDbg (UserMode) | Microsoft Docs.” [Online].Available:https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/getting-started-with-windbg. [Accessed: 31-May-2021].

[11] Microsoft, “extern modifier - C# Reference,” 2015.[Online].Available:https://docs.microsoft.com/en-us/dotnet/csharp/language-reference/keywords/extern.[Accessed: 05-Jun-2021].

[12] A. Shamir and N. van Someren, “Playing ‘Hide and Seek’ with Stored Keys,” in International Conference on Financial Cryptography, 1999, pp. 118-124.

[13] T. Klein, “All your private keys are belong to us Extracting RSA private keys and certificates out of the process memory,” 2006.

[14] B. Taubmann, O. Alabduljaleel, and H. P. Reiser,“DroidKex: Fast extraction of ephemeral TLS keys from the memory of Android apps,” Digit. Investig.,vol. 26, pp. S67-S76, Jul. 2018.

[15] J. A. Halderman et al., “Lest We Remember: Cold Boot Attacks on Encryption Keys,” Commun.ACM,vol. 52, no. 5, p. 91, May 2009.

[16] S. F. Yitbarek, M. T. Aga, R. Das, and T. Austin, “Cold Boot Attacks are Still Hot: Security Analysis of Memory Scramblers in Modern Processors,” in 2017 IEEE International Symposium on High Performance Computer Architecture (HPCA), 2017, pp. 313-324.

[17] R. Zahno, “Key Recovery from Decayed Memory Images and Obfuscation of Cryptographic Algorithms,”Concordia University, 2012.

[18] Microsoft, .“NET Framework Cryptography Model,”2017. [Online]. Available:https://docs.microsoft.com/en-us/dotnet/standard/security/cryptographymodel. [Accessed:05-Jun-2021].

[19] Microsoft, “GCHandle Structure (System.Runtime.InteropServices),” 2018. [Online]. Available:https://docs.microsoft.com/en-us/dotnet/api/system.runtime.interopservices.gchandle?redirectedfrom=MSDN&view=netframework-4.7.2. [Accessed: 31-May-2021].

[20] Microsoft, “RtlZeroMemory macro (wdm.h),” 2018.[Online]. Available:https://docs.microsoft.com/enus/windows-hardware/drivers/ddi/content/wdm/nfwdm-RtlZeroMemory. [Accessed: 05-Jun-2021].

[21] Microsoft, “Fundamentals of Garbage Collection| Microsoft Docs.” [Online]. Available: https://docs.microsoft.com/en-us/dotnet/standard/garbagecollection/fundamentals. [Accessed:31-May-2021].

[22] Microsoft, “SOS.dll (SOS Debugging Extension),”2017. [Online].Available:https://docs.microsoft.com/en-us/dotnet/framework/tools/sos-dll-sosdebugging-extension.[Accessed: 31-May-2021].

[23] Microsoft, “How to create a user-mode process dump file in Windows,” 2017. [Online]. Available:https://support.microsoft.com/en-us/help/931673/how-tocreate-a-user-mode-process-dump-file-in-windows.[Accessed: 31-May-2021].https://doi.org/10.30564/ssid.v3i2.3347

[24] OWASP, “Insecure Cryptographic Storage,” 2010.[Online].Available:https://www.owasp.org/index.php/Top_10_2010-A7-Insecure_Cryptographic_Storage.[Accessed: 05-Jun-2021].

[25] Microsoft, .“NET.” [Online]. Available: https://www.microsoft.com/net.[Accessed:31-May-2021].

[26] Ponemon Institute LLC, “HSM Global Market Study,” 2014.

[27] Microsoft, “How to encrypt and decrypt a file using Visual C#,” 2005. [Online]. Available: https://www.dropbox.com/s/gg2dpvkl9e00qyx/03 Application Source Code Explained.pdf?dl=0.[Accessed: 31-May-2021].

[28] Microsoft, “How to encrypt and decrypt a file using Visual C#,” 2012. [Online]. Available:https://web.archive.org/web/20170113084447/https://support.microsoft.com/en-us/kb/307010. [Accessed: 31-May-2021].

[29] R. Parks, “Dear Microsoft, This is How You Encrypt a File,” 2017. [Online].Available:https://hackernoon.com/dear-microsoft-this-is-how-you-encrypt-a-file-779cc0a19bfc.[Accessed: 31-May-2021].

[30] R. Parks, “How Not to Encrypt a File — Courtesy of Microsoft,” 2017. [Online].Available:https://medium.com/@bob_parks1/how-not-to-encrypt-afile-courtesy-of-microsoft-bfadf2b0273d. [Accessed:31-May-2021].

[31] Microsoft, “Debugging Managed Code Using the Windows Debugger,” 2017. [Online]. Available:https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/debugging-managed-code.[Accessed: 31-May-2021].

DOI: https://doi.org/10.30564/ssid.v3i2.3347


  • There are currently no refbacks.
Copyright © 2021 Shaun Mc Brearty

Creative Commons License
This work is licensed under a Creative Commons Attribution-NonCommercial 4.0 International License.