KeeFarce

KeeFarce allows for the extraction of KeePass 2.x password database information from memory. The cleartext information, including usernames, passwords, notes and url’s are dumped into a CSV file in %AppData%

KeeFarce uses DLL injection to execute code within the context of a running KeePass process. C# code execution is achieved by first injecting an architecture-appropriate bootstrap DLL. This spawns an instance of the dot net runtime within the appropriate app domain, subsequently executing KeeFarceDLL.dll (the main C# payload).

The KeeFarceDLL uses CLRMD to find the necessary object in the KeePass processes heap, locates the pointers to some required sub-objects (using offsets), and uses reflection to call an export method.

Installation

Download the needed files below.

  • KeeFarce.zip (1193 kb)
  • Usage

    .\KeeFarce.exe
    

    Examples

    $ .\KeeFarce.exe
    [.] Injecting BootstrapDLL into 9128
    CallExport: returning.
    [.] Done! Check %APPDATA%/keepass_export.csv
    

    URL list