n4sm/rsakeyfinder_ida.py

## rsakeyfinder_ida.py
#---------------------------------------------------------------------
#    Simple IDA script to extract RSA private keys and certificates.
#    kyprizel, 2010
#
#    Based on original idea and PoC by Tobias Klein
#    http://www.trapkit.de/research/sslkeyfinder/
#---------------------------------------------------------------------
import os
import idaapi
from idautils import *

#OUTFOLDER = 'c:\\temp\\'
OUTFOLDER = os.path.dirname(get_input_file_path())

patterns = (
    dict(name='X.509 Public Key Infrastructure Certificates',
        sig='30 82 ? ? 30 82 ? ?',
        outfile='%s.crt'
    ),
    dict(name='PKCS #8: Private-Key Information Syntax Standard',
        sig='30 82 ? ? 02 01 00',
        outfile='%s.key'
    ),)

def find_sig(next_seg, pat, dump_cb):
    """
    Scan binary image for pattern and run dump callback function.

    @param next_seg:   Start address
    @param pat:        Dict with config
    @param dump_cb:    Certificate dump callback
    """
    ea = get_segm_start(next_seg)
    seg_end = get_segm_end(next_seg)
    msg('Searching for %s\n' % pat['name'])
#    Message('Current Seg %s\n' % SegName(next_seg))
    while next_seg != BADADDR:
        ea = idaapi.find_binary(ea, seg_end, pat['sig'], 16, 1)
        if ea != BADADDR:
            ea = dump_cb(ea, pat)
        else:
            next_seg = ea = get_next_seg(seg_end)
            seg_end = get_segm_end(next_seg)


def dump_func(ea, pat):
    """
    Dumps certificate/key from target address to file.

    @param ea:   Target address
    @param pat:  Dict with config

    @return: address to continue search
    """
    size = (Byte(ea+2) << 8 & 0xffff) + Byte(ea+3)
    outfile = os.path.join(OUTFOLDER, pat['outfile'] % str(ea))
    msg('found at %s, size: %d, saved: %s\n' % (atoa(ea), size, outfile))
    SaveFile(outfile, 0, ea, size+4)
    return ea+size+4

for pat in patterns:
    find_sig(get_first_seg(), pat, dump_func)

msg('Key scan complete.\n')
	#---------------------------------------------------------------------
	# Simple IDA script to extract RSA private keys and certificates.
	# kyprizel, 2010
	#
	# Based on original idea and PoC by Tobias Klein
	# http://www.trapkit.de/research/sslkeyfinder/
	#---------------------------------------------------------------------
	import os
	import idaapi
	from idautils import *

	#OUTFOLDER = 'c:\\temp\\'
	OUTFOLDER = os.path.dirname(get_input_file_path())

	patterns = (
	dict(name='X.509 Public Key Infrastructure Certificates',
	sig='30 82 ? ? 30 82 ? ?',
	outfile='%s.crt'
	),
	dict(name='PKCS #8: Private-Key Information Syntax Standard',
	sig='30 82 ? ? 02 01 00',
	outfile='%s.key'
	),)

	def find_sig(next_seg, pat, dump_cb):
	"""
	Scan binary image for pattern and run dump callback function.

	@param next_seg: Start address
	@param pat: Dict with config
	@param dump_cb: Certificate dump callback
	"""
	ea = get_segm_start(next_seg)
	seg_end = get_segm_end(next_seg)
	msg('Searching for %s\n' % pat['name'])
	# Message('Current Seg %s\n' % SegName(next_seg))
	while next_seg != BADADDR:
	ea = idaapi.find_binary(ea, seg_end, pat['sig'], 16, 1)
	if ea != BADADDR:
	ea = dump_cb(ea, pat)
	else:
	next_seg = ea = get_next_seg(seg_end)
	seg_end = get_segm_end(next_seg)


	def dump_func(ea, pat):
	"""
	Dumps certificate/key from target address to file.

	@param ea: Target address
	@param pat: Dict with config

	@return: address to continue search
	"""
	size = (Byte(ea+2) << 8 & 0xffff) + Byte(ea+3)
	outfile = os.path.join(OUTFOLDER, pat['outfile'] % str(ea))
	msg('found at %s, size: %d, saved: %s\n' % (atoa(ea), size, outfile))
	SaveFile(outfile, 0, ea, size+4)
	return ea+size+4

	for pat in patterns:
	find_sig(get_first_seg(), pat, dump_func)

	msg('Key scan complete.\n')