Decrypting WeChat Messages Without Physical Possession of a Mobile Device
A common problem in the world of digital forensics and insider threat investigations is that employees can use a third-party application, like WeChat, to exfiltrate data from a network, or to communicate with malicious third parties. More often than not, the employee abuses BYOD policies and uses encrypted messaging applications such as WeChat to thwart traditional mobile device management tools and prevent security teams from monitoring their malicious actions. While many BYOD policies address required access to personal devices, obstacles remain. In the case of suspected insider activity, actions may be delayed due to legal and cultural hurdles. As a result, delays often allow enough time for perpetrators to remove evidence and undermine investigations.
It is important to recognize that many encrypted messaging applications have desktop versions that allow communication without a mobile device. These clients are often loaded on corporate devices and contain not only records of message activity from the desktop, but also records of message activity initiated from mobile devices. In the case of the WeChat desktop client, there are documented ways to recover encrypted messages. Those methods require access to the mobile device and attaching a debugger to the WeChat client, which in turn requires the user to approve the client login and cooperate with the search without removing evidence.
Nisos recently supported a client that needed access without the assistance of the user. The following approach allowed us to recover encrypted messages without the user’s involvement or knowledge.
3 Steps to Decrypting WeChat without Mobile Device Access
Step 1: Remotely retrieve a memory dump of the workstation using an EDR solution or background process along with the contents of the Msg folder located in %USERPROFILE%\Documents\Wechat Files\<wxid_xxxxxxxxxxxxxx>\Msg
Step 2: Locate and extract the WeChat.exe process memory using the volatility framework.
- 2a. The memory allocation that contains the key is always 1023 bytes in size with read/write (RW) permission. It can be found by listing the process's VADs with the following volatility3 command:
vol.py -f <memory dump> windows.vadinfo --pid <WeChat.exe process ID>
- 2b. Once the memory block containing the key is located, it can be extracted with the following volatility3 command, passing the start VPN of that VAD:
vol.py -f <memory dump> windows.vadinfo --pid <WeChat.exe process ID> --address <start VPN> --dump
In the case above, the start VPN is 0x86a000.
Step 3: The extracted memory block is iterated over 8 bytes at a time, starting at offset 0xF00000, in order to find the raw AES-256 key value that decrypts the WeChat database.
- In the extracted block above, the raw key 0x6f1c908985ee4bb9a20307ab37251b3c585c3c1739e3468a97b796d36e335505 was recovered at offset 0x010EC120.
- By applying each candidate key to the first page of the database (4 KB by default) and then checking the decrypted page for the SQLite header, we can quickly determine whether the candidate is the valid key.
- Using a Python script to attempt candidate key values, key extraction took less than 5 minutes in our case, but it may take up to 4 hours depending on the system used for key extraction.
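The scan-and-validate loop of Step 3, written out as an added example (this is not Nisos's script, which was Python, and not WeChat's code). It assumes a SQLCipher-style first page: a 16-byte salt in place of the "SQLite format 3\0" magic, AES-256-CBC over the rest of the 4096-byte page, and a 48-byte reserved tail whose first 16 bytes hold the IV. Because the magic is overwritten by the salt on disk, the validity check looks at the fixed header fields that follow it (page size, format versions, reserved bytes, payload fractions). The candidate 32 bytes are used directly as the AES key, matching the page's "raw key"; the deriveKey hook is where a KDF would go if the real database needs one (see the linked decrypt-db.py for the actual sqlcipher parameters). The key, salt, IV and memory block are constructed test data.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
)

// Layout assumptions (SQLCipher v3-style, constructed for this example and
// not verified against WeChat): 4096-byte pages, the first 16 bytes of page 1
// hold the salt instead of the SQLite magic, and each page ends with a
// 48-byte reserved tail whose first 16 bytes are the CBC IV.
const (
	pageSize   = 4096
	saltLen    = 16
	reserveLen = 48
	ivLen      = 16
	keyLen     = 32
	scanStride = 8 // the page scans the dumped block 8 bytes at a time
)

// deriveKey turns a 32-byte candidate pulled from memory into the AES key.
// The page treats the candidate as the raw AES-256 key, so this is the
// identity; a database that runs it through a KDF first would plug in here.
func deriveKey(candidate, salt []byte) []byte {
	return candidate
}

// looksLikeSQLiteHeader checks the fixed SQLite header fields that follow
// the 16-byte magic: page size (big-endian), file format versions (1 or 2),
// reserved bytes per page, then the constants 64, 32, 32.
func looksLikeSQLiteHeader(dec []byte) bool {
	if len(dec) < 8 || binary.BigEndian.Uint16(dec[0:2]) != pageSize {
		return false
	}
	if dec[2] < 1 || dec[2] > 2 || dec[3] < 1 || dec[3] > 2 {
		return false
	}
	return dec[4] == reserveLen && dec[5] == 64 && dec[6] == 32 && dec[7] == 32
}

// tryKey decrypts the encrypted region of page 1 with one candidate and
// reports whether the plaintext carries a plausible SQLite header.
func tryKey(candidate, firstPage []byte) bool {
	if len(firstPage) != pageSize {
		return false
	}
	block, err := aes.NewCipher(deriveKey(candidate, firstPage[:saltLen]))
	if err != nil {
		return false
	}
	body := firstPage[saltLen : pageSize-reserveLen]
	iv := firstPage[pageSize-reserveLen : pageSize-reserveLen+ivLen]
	dec := make([]byte, len(body))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(dec, body)
	return looksLikeSQLiteHeader(dec)
}

// findKey walks the dumped block in 8-byte steps, treating every 32-byte
// window as a candidate, and returns the first one that validates plus its
// offset within the block.
func findKey(block, firstPage []byte) ([]byte, int, error) {
	for off := 0; off+keyLen <= len(block); off += scanStride {
		if tryKey(block[off:off+keyLen], firstPage) {
			return block[off : off+keyLen], off, nil
		}
	}
	return nil, -1, errors.New("no candidate decrypted page 1 to a SQLite header")
}

// buildSample is constructed test data: a known key, a page 1 encrypted
// under it, and a fake memory block with the key embedded at an
// 8-byte-aligned offset among filler bytes.
func buildSample() (key, dump, page []byte, keyOffset int) {
	key = make([]byte, keyLen)
	for i := range key {
		key[i] = byte(0xA5 ^ i)
	}
	salt := bytes.Repeat([]byte{0x53}, saltLen)
	iv := bytes.Repeat([]byte{0x1F}, ivLen)
	body := make([]byte, pageSize-saltLen-reserveLen) // 4032 bytes, block aligned
	copy(body, []byte{0x10, 0x00, 1, 1, reserveLen, 64, 32, 32})
	page = make([]byte, pageSize)
	copy(page[:saltLen], salt)
	block, _ := aes.NewCipher(key)
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(page[saltLen:pageSize-reserveLen], body)
	copy(page[pageSize-reserveLen:], iv)

	keyOffset = 0x2F8 // multiple of 8, so the scan lands on it exactly
	dump = make([]byte, 0x1000)
	for i := range dump {
		dump[i] = byte(i * 7)
	}
	copy(dump[keyOffset:], key)
	return key, dump, page, keyOffset
}

func main() {
	want, dump, page, wantOff := buildSample()
	got, off, err := findKey(dump, page)
	if err != nil {
		fmt.Println(err)
		return
	}
	fmt.Printf("key %s at offset 0x%X (expected 0x%X, match=%v)\n",
		hex.EncodeToString(got), off, wantOff, bytes.Equal(got, want))
}
```

On a real dump the block fed to findKey would be the VAD dumped in Step 2b and firstPage the first 4096 bytes of the database file from the Msg folder; a false positive requires eight specific plaintext bytes to appear by chance, so the header check alone is a reliable filter at this scan size.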
This process was tested on a system running Microsoft Windows 10 with the WeChat 2.9.x client. The same process should also work on the WeChat client for Mac, since that client likewise has to keep the key in memory to encrypt and decrypt the database while it runs.
References:
https://github.com/ppwwyyxx/wechat-dump/blob/master/decrypt-db.py - Source for the sqlcipher parameters
https://www.cnblogs.com/bh4lm/p/9334891.html - Background on debugging the client in order to obtain the encryption key