Python script used to parse a memory dump in hexadecimal format in order to identify and extract a BitLocker VMK (Volume Master Key) still present in memory.
This type of key can be recovered while the volume is unlocked and the key has not yet been cleared from RAM. The script has been used on dumps obtained by:
- Pre-boot DMA attack with RAM dump
- Logic analyzer output parsing
The script reads a file containing a memory dump in hexadecimal format and searches for a known structure used by BitLocker to store the VMK in memory.
This structure includes:
- an identifiable BitLocker header
- followed by 32 bytes corresponding to the VMK
When this sequence is found, the 32 bytes following the header are extracted as the VMK and written to a binary file.
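The following is an added, self-contained illustration of that search, not the code of vmkfinder.py itself. It takes the plain hex format produced by `xxd -p` (any line width, whitespace ignored), decodes it to raw bytes, scans for a header signature, takes the 32 bytes after each match as a candidate VMK, and applies a cheap plausibility filter so that a header followed by zeroed or padding memory is not reported as a key. The header signature `PLACEHOLDER_HEADER` is a made-up placeholder, not BitLocker's real in-memory structure, which this README does not reproduce; replace it with the real signature before using this on an actual dump. The sample dump is constructed inline for the example.

```python
#!/usr/bin/env python3
"""Illustrative VMK search over an xxd -p style hex dump (example code, not vmkfinder.py)."""
import argparse
import re
from pathlib import Path

# HYPOTHETICAL placeholder. The real tool matches an identifiable BitLocker header
# that this README does not reproduce; this value is only here so the example runs.
PLACEHOLDER_HEADER = b"VMK-HDR!"
VMK_LEN = 32  # a VMK is a 256-bit key


def parse_hexdump(text: str) -> bytes:
    """Decode plain hex (as written by `xxd -p`, with or without line breaks) to bytes."""
    hexstr = re.sub(r"\s+", "", text)
    if len(hexstr) % 2:
        raise ValueError("odd number of hex digits: dump is truncated or not plain hex")
    return bytes.fromhex(hexstr)


def find_vmks(image: bytes, header: bytes, key_len: int = VMK_LEN):
    """Return every (offset, key) where `header` is followed by key_len full bytes.

    All occurrences are returned rather than only the first: a dump may carry the
    structure several times, and a header cut off at the end of the image is skipped.
    """
    hits = []
    start = 0
    while True:
        idx = image.find(header, start)
        if idx < 0:
            break
        key = image[idx + len(header): idx + len(header) + key_len]
        if len(key) == key_len:
            hits.append((idx, key))
        start = idx + 1  # keep scanning past this header
    return hits


def is_plausible_key(key: bytes) -> bool:
    """Reject obvious false positives: all-zero/all-0xFF blocks or blocks dominated
    by a single byte value, which is what padding or unused memory looks like."""
    if key in (bytes(len(key)), b"\xff" * len(key)):
        return False
    most_common = max(key.count(b) for b in set(key))
    return most_common <= len(key) // 2


def extract_vmks(hexdump_text: str, header: bytes = PLACEHOLDER_HEADER):
    """Parse a hex dump and return the plausible (offset, key) candidates."""
    image = parse_hexdump(hexdump_text)
    return [(off, key) for off, key in find_vmks(image, header) if is_plausible_key(key)]


# Constructed sample (not a real memory dump): filler, one header followed by a fake
# 32-byte key, one header followed by zeroes (should be filtered out), and one header
# with too few bytes after it (should be skipped as truncated).
FAKE_KEY = bytes(range(0x10, 0x30))
SAMPLE_IMAGE = (
    b"\x00" * 40 + PLACEHOLDER_HEADER + FAKE_KEY
    + b"\xcc" * 17 + PLACEHOLDER_HEADER + bytes(VMK_LEN)
    + PLACEHOLDER_HEADER + b"\x41" * 5
)
# Formatted like `xxd -p` output: 30 bytes (60 hex digits) per line.
SAMPLE_DUMP_HEX = "\n".join(
    SAMPLE_IMAGE.hex()[i:i + 60] for i in range(0, len(SAMPLE_IMAGE.hex()), 60)
) + "\n"


def main(argv=None):
    ap = argparse.ArgumentParser(description="extract VMK candidates from a hex dump")
    ap.add_argument("-f", "--file", required=True, help="hex dump produced by xxd -p")
    ap.add_argument("-o", "--outdir", default=".", help="where to write vmk_<offset>.bin")
    args = ap.parse_args(argv)

    candidates = extract_vmks(Path(args.file).read_text())
    for off, key in candidates:
        out = Path(args.outdir) / f"vmk_{off:#x}.bin"
        out.write_bytes(key)
        print(f"[+] VMK candidate at offset {off:#x}: {key.hex()} -> {out}")
    if not candidates:
        print("[-] no VMK candidate found")


if __name__ == "__main__":
    main()
```

Run it as `python3 this_example.py -f memdump.hex`. Each surviving candidate is written to its own file because the plausibility filter is deliberately loose: it is better to hand two candidates to the next step than to silently drop the real key.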
It was first used during a DMA attack PoC. The memory dump was taken during Windows pre-boot (at the UEFI ExitBootServices() call), just before winload.exe takes control.
The raw dump first needs to be converted into hex dump format:
xxd -p -c 0 memdump.bin > memdump.hex
Then run the script like this:
python3 vmkfinder.py -f memdump.hex
Output looks like this: