KeeFarce - Extracts passwords from a KeePass 2.x database, directly from memory

[Trevor]

KeeFarce allows for the extraction of KeePass 2.x password database information from memory. The cleartext information, including usernames, passwords, notes and url's are dumped into a CSV file in %AppData%

General Design

KeeFarce uses DLL injection to execute code within the context of a running KeePass process. C# code execution is achieved by first injecting an architecture-appropriate bootstrap DLL. This spawns an instance of the dot net runtime within the appropriate app domain, subsequently executing KeeFarceDLL.dll (the main C# payload).


The KeeFarceDLL uses CLRMD to find the necessary object in the KeePass processes heap, locates the pointers to some required sub-objects (using offsets), and uses reflection to call an export method.

Github Repo -> https://github.com/denandz/KeeFarce

[wopr]

Dang it, that's not cool. I like my keepass.

Gonna have to read this im sure it's for x86 systems, thanx for giving me work todo 

[Kulverstukas]

Thank god for the infinity of ports of Keepass available. <3 keepass4j2me and keepassdroid