Obtain/Steal/Restore GPG Private Keys from gpg-agent cache/memory.
This POC demonstrates a method for obtaining GPG private keys from
gpg-agent memory under Windows.
Normally this should only be possible within a 10-minute time frame (the cache TTL).
However, the housekeeping() function (which is responsible for cache cleanup) is executed only when you are actually using GPG; there is no timer that triggers it.
This means that in a normal GPG use case, such as signing a file, closing the GUI and moving on to other tasks,
your passphrase is still in gpg-agent memory (even if the TTL has expired).
An attacker who has access to your current session can use this to steal the private key without knowing your passphrase.
On the victim computer:
powershell -ExecutionPolicy Bypass -File Gpg-Reaper.ps1 -OutputFile out.txt
Then copy out.txt to your machine and restore the private keys:
- 05-03-2018: Release