Bitdefender vulnerability researcher Radu Caragea presented today at the Hack In The Box Amsterdam conference a novel way to extract TLS keys from virtual machines, using an out-of-guest approach. The new technique works to detect the creation of TLS session keys in memory as the virtual machine is running.
The presentation covers a novel technique that not only works for virtualized machines but is also OS-agnostic and crypto-library-agnostic. With a minimal overhead both in terms of speed and in terms of setup, this new technique offers insight into dynamic malware analysis of infected machines.
For further details, the presentation will be available [here].