The problem is always the same: every data that is stored into volatile memory can be extracted with the correct tools/techniques.

I've already written a lot of posts about volatility and mimikatz, today i want to write something about KeeFarce.

KeeFarce is a windows command line tool, developed by Denis Andzakovic, that allows the extraction of KeePass 2.x usernames, passwords, notes and urls from the memory, and dumps it into a CSV file.

KeeFarce has been tested on KeePass 2.28, 2.29 and 2.30 - running on Windows 8.1 - both 32 and 64 bit.

KeeFarce uses DLL injection to execute code within the context of a running KeePass process, injecting an architecture-appropriate bootstrap DLL that spawns an instance of the dot net runtime within the app domain and execute the main payload (KeeFarceDLL.dll).

The KeeFarceDLL uses CLRMD to find the necessary object in the KeePass processes heap, locates the pointers to some required sub-objects (using offsets), and uses reflection to call an export method.

What is ClrMD?

Microsoft.Diagnostics.Runtime.dll (nicknamed "CLR MD") is a process and crash dump introspection library useful to write tools and debugger plugins.

It offers the power and flexibility of SOS and PSSCOR debugger extensions in a simple C# API.

Features
  • Memory Diagnostics
  • Walking the GC Heap.
  • Walking roots in the process.
  • Walking all heaps that CLR owns, such as JIT code heaps, AppDomain heaps, etc.
  • Walk threads in the process to get managed callstacks.
  • Walk AppDomains in the process.
  • Walk COM wrappers in your process (v4.5+ only).

How to use KeeFarce?

Simply copy in the same folder this files:

  • BootstrapDLL.dll
  • KeeFarce.exe
  • KeeFarceDLL.dll
  • Microsoft.Diagnostic.Runtime.dll

...and execute KeeFarce.exe

You can also build KeeFarce from the sources, opening the KeeFarce.sln with Visual Studio and hitting 'build': the keefarge.exe will be builded into dist/$architecture.
You'll have to copy the KeeFarceDLL.dll files and Microsoft.Diagnostic.Runtime.dll files into the folder before executing, as these are architecture independent.

More information and downloads

References