diff --git a/xzre.c b/xzre.c
index c34df3f..71f6652 100644
--- a/xzre.c
+++ b/xzre.c
@@ -250,6 +250,18 @@ void main_shared(){
 			item->func_end ? PTRDIFF(item->func_end, elf_addr) : 0,
 			item->xref ? PTRDIFF(item->xref, elf_addr) : 0);
 	}
+
+
+	u64 code_size = 0, data_size = 0;
+	void *data_start = elf_get_data_segment(&einfo, &data_size, 0);
+	void *data_end = (void *)PTRADD(data_start, data_size);
+	void *code_start = elf_get_code_segment(&einfo, &code_size);
+	void *code_end = (void *)PTRADD(code_start, code_size);
+	void *ssh_host_keys = NULL;
+	if(sshd_get_host_keys_address(data_start, data_end, code_start, code_end, &strings, &ssh_host_keys)){
+		printf("sensitive_data.host_keys: %p\n", ssh_host_keys);
+	}
+
 	//xzre_backdoor_setup();
 	puts("main_shared(): OK");
 }
diff --git a/xzre.h b/xzre.h
index 2526260..32209c0 100644
--- a/xzre.h
+++ b/xzre.h
@@ -2201,6 +2201,25 @@ extern BOOL find_link_map_l_audit_any_plt_bitmask(
 	backdoor_data_handle_t *data,
 	instruction_search_ctx_t *search_ctx);
 
+/**
+ * @brief finds the address of `sensitive_data.host_keys` in sshd
+ *
+ * @param data_start start of the sshd data segment
+ * @param data_end end of the sshd data segment
+ * @param code_start start of the sshd code segment
+ * @param code_end end of the sshd code segment
+ * @param string_refs info about resolved functions
+ * @param host_keys_out pointer to receive the address of the host keys (`struct sshkey` in sshd)
+ * @return BOOL TRUE if the address was found, FALSE otherwise
+ */
+extern BOOL sshd_get_host_keys_address(
+	uint8_t *data_start,
+	uint8_t *data_end,
+	uint8_t *code_start,
+	uint8_t *code_end,
+	string_references_t *string_refs,
+	void **host_keys_out);
+
 /**
  * @brief counts the number of times the IFUNC resolver is called
  *
diff --git a/xzre.lds.in b/xzre.lds.in
index b7abbb0..e67ea04 100644
--- a/xzre.lds.in
+++ b/xzre.lds.in
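Review bot: The results of `elf_get_data_segment` and `elf_get_code_segment` are used without a check: `data_end` and `code_end` are derived with `PTRADD` from whatever was returned and all four pointers go straight into `sshd_get_host_keys_address`, so a failed segment lookup becomes a search over a meaningless range rather than a clear diagnostic. Assuming these helpers signal failure with a NULL result, a guard between the lookups and the `PTRADD` lines — `if(!data_start || !code_start){ puts("main_shared(): segment lookup failed"); return; }` — keeps the harness output trustworthy. The two consecutive empty lines added before `u64 code_size` could be collapsed to one. main_shared begins outside this hunk.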
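Review bot: The new doc comment leaves the bounds convention and the failure contract of `sshd_get_host_keys_address` unstated. The caller in xzre.c builds `data_end` and `code_end` as start plus size, so both ends are exclusive; spell that out, e.g. `@param data_end end of the sshd data segment (exclusive: data_start + segment size)` and the same for `code_end`. It would also help to state what `*host_keys_out` holds when FALSE is returned — if the implementation leaves it untouched, add `; not written when the function returns FALSE` to that `@param`. As a point of style, the prototype takes `uint8_t *` while the caller passes the `void *` values returned by `elf_get_*_segment`; that converts implicitly in C, but matching the types on one side would make the intended byte-range semantics explicit. The function's definition is outside this hunk.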
@@ -100,6 +100,7 @@ SECTIONS_BEGIN()
 	DEFSYM(find_dl_naudit, .text.lzma_filter_flags_decoda)
 	DEFSYM(find_link_map_l_audit_any_plt, .text.lzma_index_hash_inia)
 	DEFSYM(find_link_map_l_audit_any_plt_bitmask, .text.lzma_index_iter_locata)
+	DEFSYM(sshd_get_host_keys_address, .text.lzma_bufcpa)
 SECTIONS_END(.text)
 SECTIONS_BEGIN()