An x64dbg plugin that hooks the Local Security Authority Subsystem Service (LSASS) process to extract every TLS key the operating system handles (captured on handshake, import, export or generate). It uses SeDebugPrivilege to attach to LSASS, so that malware analysis of TLS-protected traffic becomes faster and easier.
Before using it, read the article linked below. It explains everything, from how the plugin works to how to use it step by step, and applies it to a real malware sample. It also states the exact operating system version and everything else you need to reproduce the setup on your own VM.
The article is available in two languages. English:
Click here to read and understand the project.
Portuguese: if you speak Portuguese you do not need to read English to use the plugin; you can read the article in your native language:
Click here to read and understand the project (Portuguese)
A video will be recorded soon (you can help by recording one in your native language).
Build from a Visual Studio developer command prompt (Visual Studio 2022 is recommended) with CMake installed through the Visual Studio Installer.
With everything ready, open the developer command prompt in the project root directory and run:
cmake -B build64 -A x64
cmake --build build64 --config Release
The second command already compiles the Release configuration from the command line; alternatively, open the generated Visual Studio solution in build64 and build it from the IDE.
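The same build, as an added PowerShell example (not a script shipped with the plugin), run from a Visual Studio Developer PowerShell. Beyond the two cmake commands it locates the produced plugin binary, checks that the current token carries SeDebugPrivilege (required to attach to LSASS; it exists only in an elevated token), and copies the plugin into x64dbg. Assumptions, not facts from the page: the Release build drops a `.dp64` file (the x64dbg 64-bit plugin extension) somewhere under `build64`, and the x64dbg plugin directory path is a placeholder you must adjust.

```powershell
# Added example (not part of the project): build, verify and install the plugin.
# Run from a Visual Studio Developer PowerShell in the project root, as Administrator.
param(
    # Assumed x64dbg install path; change it to your own.
    [string]$X64dbgPluginDir = "C:\x64dbg\release\x64\plugins"
)

$ErrorActionPreference = "Stop"

# 1. Configure and build (same two commands as the README; --build already compiles).
cmake -B build64 -A x64
if ($LASTEXITCODE -ne 0) { throw "cmake configure failed" }
cmake --build build64 --config Release
if ($LASTEXITCODE -ne 0) { throw "cmake build failed" }

# 2. Locate the plugin binary (assumption: the project emits a *.dp64 under build64).
$plugin = Get-ChildItem -Path build64 -Recurse -Filter *.dp64 | Select-Object -First 1
if (-not $plugin) { throw "no .dp64 found under build64; check the build output" }
Write-Host "Built plugin: $($plugin.FullName)"

# 3. Hooking LSASS needs SeDebugPrivilege. A non-elevated token does not list it at
#    all (whoami /priv shows it as Disabled in an elevated token; the debugger enables it).
$priv = whoami /priv | Select-String -SimpleMatch "SeDebugPrivilege"
if (-not $priv) {
    Write-Warning "SeDebugPrivilege is not in this token; run x64dbg as Administrator."
} else {
    Write-Host $priv.Line.Trim()
}

# 4. Install the plugin; x64dbg loads plugins from its plugins directory on startup.
New-Item -ItemType Directory -Force -Path $X64dbgPluginDir | Out-Null
Copy-Item -Path $plugin.FullName -Destination $X64dbgPluginDir -Force
Write-Host "Copied to $X64dbgPluginDir; restart x64dbg to load it."
```

If step 3 warns, the plugin will fail to attach to LSASS regardless of how the build went, so fix the elevation before testing anything else.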
I need to expand the project. You can help by attaching your "ncrypt.dll" and your operating system version to an issue. You could also collaborate with code: open an issue first so we can discuss it and grant you permission on a branch.
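To make the requested issue data consistent across contributors, here is an added PowerShell example (not part of the project) that gathers a copy of the 64-bit ncrypt.dll, its file version and SHA-256, and the OS version and build into one folder ready to attach. The output folder name and the JSON layout are my own choices, not a format the project defines.

```powershell
# Added example (not part of the project): collect ncrypt.dll plus OS version details
# into %TEMP%\ncrypt-issue so they can be attached to an issue in one go.
$ErrorActionPreference = "Stop"

$out = Join-Path $env:TEMP "ncrypt-issue"   # output folder name is an assumption
New-Item -ItemType Directory -Force -Path $out | Out-Null

# A 64-bit x64dbg plugin hooks the 64-bit LSASS, so the System32 copy is the relevant one
# (SysWOW64 holds the 32-bit build of the same DLL).
$dll = Join-Path $env:SystemRoot "System32\ncrypt.dll"
Copy-Item -Path $dll -Destination $out -Force

$ci = Get-ComputerInfo -Property OsName, OsVersion, OsBuildNumber, OsArchitecture
$info = [ordered]@{
    OsName            = $ci.OsName
    OsVersion         = $ci.OsVersion
    OsBuildNumber     = $ci.OsBuildNumber
    OsArchitecture    = $ci.OsArchitecture
    NcryptPath        = $dll
    NcryptFileVersion = (Get-Item $dll).VersionInfo.FileVersion
    NcryptSHA256      = (Get-FileHash -Path $dll -Algorithm SHA256).Hash
}

$json = Join-Path $out "system-info.json"
$info | ConvertTo-Json | Set-Content -Path $json -Encoding UTF8

Get-Content -Path $json
Write-Host "Attach the contents of $out to the issue."
```

The file hash matters because the same OS build can carry different ncrypt.dll versions after updates; it lets the maintainer tell exactly which binary the hook offsets were checked against.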