EvilZone

Other => Found it on the Webs => : Trevor October 31, 2015, 08:26:23 AM

: KeeFarce - Extracts passwords from a KeePass 2.x database, directly from memory
: Trevor October 31, 2015, 08:26:23 AM

KeeFarce allows for the extraction of KeePass 2.x password database information from memory. The cleartext information, including usernames, passwords, notes and url's are dumped into a CSV file in %AppData%

General Design

KeeFarce uses DLL injection to execute code within the context of a running KeePass process. C# code execution is achieved by first injecting an architecture-appropriate bootstrap DLL. This spawns an instance of the dot net runtime within the appropriate app domain, subsequently executing KeeFarceDLL.dll (the main C# payload).


The KeeFarceDLL uses CLRMD to find the necessary object in the KeePass processes heap, locates the pointers to some required sub-objects (using offsets), and uses reflection to call an export method.

Github Repo -> https://github.com/denandz/KeeFarce

: Re: KeeFarce - Extracts passwords from a KeePass 2.x database, directly from memory
: wopr October 31, 2015, 06:00:06 PM

Dang it, that's not cool. I like my keepass.

Gonna have to read this im sure it's for x86 systems, thanx for giving me work todo  :P

: Re: KeeFarce - Extracts passwords from a KeePass 2.x database, directly from memory
: Kulverstukas October 31, 2015, 07:48:49 PM

Thank god for the infinity of ports of Keepass available. <3 keepass4j2me and keepassdroid