Decrypting WeChat Messages Without Physical Possession of a Mobile Device

Mar 17, 2021 | Adversary Research, Blog

A common problem in the world of digital forensics and insider threat investigations is that employees can use a third-party application, like WeChat, to exfiltrate data from a network, or to communicate with malicious third parties. More often than not, the employee abuses BYOD policies and uses encrypted messaging applications such as WeChat to thwart traditional mobile device management tools and prevent security teams from monitoring their malicious actions. While many BYOD policies address required access to personal devices, obstacles remain. In the case of suspected insider activity, actions may be delayed due to legal and cultural hurdles. As a result, delays often allow enough time for perpetrators to remove evidence and undermine investigations.

It is important to recognize that many encrypted messaging applications have desktop versions that allow communication without a mobile device. These clients are often installed on corporate devices and contain not only records of message activity from the desktop, but also records of message activity initiated from mobile devices. In the case of the WeChat desktop client, there are documented ways to recover encrypted messages. Those methods require access to the mobile device and debugging of the WeChat client, which in turn requires the user to approve the client login and to cooperate with the search without removing evidence.

Nisos recently supported a client that needed access without the assistance of the user. The following approach allowed us to recover encrypted messages without the user’s involvement or knowledge.


3 Steps to Decrypting WeChat without Mobile Device Access


Step 1: Remotely retrieve a memory dump of the workstation using an EDR solution or background process along with the contents of the Msg folder located in %USERPROFILE%\Documents\Wechat Files\<wxid_xxxxxxxxxxxxxx>\Msg


Step 2: Locate and extract the WeChat.exe process memory using the Volatility framework.

  • 2a. The allocated memory region that contains the key is always 1023 bytes in size with RW permission. It can be found with the following Volatility 3 command (vol.py is the Volatility 3 entry point): vol.py -f <memory dump> windows.vadinfo --pid <WeChat.exe process ID>
  • 2b. Once the memory block containing the key is located, it can be extracted with: vol.py -f <memory dump> windows.vadinfo --pid <WeChat.exe process ID> --address <Start VPN> --dump
    In the case above, the start VPN is 0x86a000.


Step 3: The extracted memory block is iterated over 8 bytes at a time, starting at offset 0xF00000, in order to find the raw AES-256 key used to decrypt the WeChat database.

  • In the extracted block above, the raw key 0x6f1c908985ee4bb9a20307ab37251b3c585c3c1739e3468a97b796d36e335505 was recovered from offset 0x010EC120.
  • By applying a candidate key to the first page of the database (4KB by default) and then checking for the SQLite header, we can quickly determine whether the key is valid.
  • Using a Python script to try candidate key values, key extraction took less than 5 minutes, but may take up to 4 hours depending on the system used for key extraction.
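The candidate-key scan from Step 3, as an added example that is not Nisos's script: it slides a 32-byte window over the dumped block in 8-byte steps and tests each candidate against page 1 of the database. Rather than decrypting the page and looking for the SQLite header, it checks the SQLCipher 3 per-page HMAC-SHA1 tag (IV and tag in the 48-byte page reserve, HMAC key derived from the raw key by PBKDF2 over the file salt XOR 0x3A), which needs only the standard library; that the database uses these default SQLCipher 3 settings is an assumption, and the memory block and page below are constructed test data, not real WeChat artefacts.

```python
import hashlib
import hmac
import struct

PAGE_SIZE = 4096  # default SQLite/SQLCipher page size, as stated in Step 3
RESERVE = 48      # SQLCipher 3 page reserve: 16-byte IV + 20-byte HMAC-SHA1, padded (assumption)
KEY_SIZE = 32     # raw AES-256 key
STRIDE = 8        # candidates are taken every 8 bytes, as in Step 3


def hmac_key(raw_key: bytes, salt: bytes) -> bytes:
    """SQLCipher 3 derives the page-HMAC key from the raw key with PBKDF2-HMAC-SHA1,
    2 iterations, over the 16-byte file salt with every byte XOR 0x3A (assumed defaults)."""
    return hashlib.pbkdf2_hmac("sha1", raw_key, bytes(b ^ 0x3A for b in salt), 2, KEY_SIZE)


def page1_hmac(raw_key: bytes, page: bytes) -> bytes:
    """HMAC-SHA1 over page 1's ciphertext plus IV (file bytes 16 .. 4064, the plaintext
    salt is skipped), followed by the page number as a 32-bit little-endian integer."""
    body = page[16:PAGE_SIZE - RESERVE + 16]
    return hmac.new(hmac_key(raw_key, page[:16]), body + struct.pack("<I", 1), hashlib.sha1).digest()


def key_is_valid(raw_key: bytes, page: bytes) -> bool:
    """A candidate is accepted only if it reproduces the 20-byte tag stored after the IV."""
    tag_at = PAGE_SIZE - RESERVE + 16
    return hmac.compare_digest(page1_hmac(raw_key, page), page[tag_at:tag_at + 20])


def scan_for_key(block: bytes, page: bytes, start: int = 0):
    """Return (offset, key) for the first 32-byte window, stepping 8 bytes at a time
    from `start`, that validates against page 1; None if no candidate matches."""
    for off in range(start, len(block) - KEY_SIZE + 1, STRIDE):
        cand = block[off:off + KEY_SIZE]
        if key_is_valid(cand, page):
            return off, cand
    return None


def constructed_sample():
    """Constructed data: a block with a known key at 8-byte-aligned offset 0x48, and a
    page 1 whose reserve carries the matching HMAC tag (content bytes are arbitrary)."""
    key = bytes(range(0x40, 0x60))
    block = bytes(0x48) + key + bytes(0x100)
    page = bytearray(i * 31 & 0xFF for i in range(PAGE_SIZE))
    tag_at = PAGE_SIZE - RESERVE + 16
    page[tag_at:tag_at + 20] = page1_hmac(key, bytes(page))  # tag region is outside the HMAC input
    return key, block, bytes(page)


if __name__ == "__main__":
    key, block, page = constructed_sample()
    print(scan_for_key(block, page))
```

On a real dump, `block` is the file written by the `--dump` step and `page` is the first 4096 bytes of the database in the Msg folder; `start` corresponds to the 0xF00000 offset in Step 3.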

This process was tested on a system running Microsoft Windows 10 with the WeChat 2.9.x client. However, the same process should work on the WeChat client for Mac, since it has the same need to keep the key in memory to encrypt and decrypt the database during execution.

Acknowledgements:
  • Source for SQLCipher parameters
  • Background on debugging the client in order to obtain the encryption key
