Bitdefender vulnerability researcher Radu Caragea presented today at the Hack In The Box Amsterdam conference a novel way to extract TLS keys from virtual machines, using an out-of-guest approach. The new technique works to detect the creation of TLS session keys in memory as the virtual machine is running.



The presentation covers a novel technique that not only works for virtualized machines but is also OS-agnostic and crypto-library-agnostic. With a minimal overhead both in terms of speed and in terms of setup, this new technique offers insight into dynamic malware analysis of infected machines.