KeeFarce allows for the extraction of KeePass 2.x password database information from memory. The cleartext information, including usernames, passwords, notes and URL's are dumped into a CSV file in %AppData%.

This tool uses DLL injection to execute code within the context of a running KeePass process. C# code execution is achieved by first injecting an architecture-appropriate bootstrap DLL. This spawns an instance of the dot net runtime within the appropriate app domain, subsequently executing KeeFarceDLL.dll (the main C# payload).





It uses CLRMD to find the necessary object in the KeePass processes heap, locates the pointers to some required sub-objects (using offsets), and uses reflection to call an export method.





In order to execute on the target host, the following files need to be in the same folder:

BootstrapDLL.dll

KeeFarce.exe

KeeFarceDLL.dll

Microsoft.Diagnostic.Runtime.dll

Copy these files across to the target and execute KeeFarce.exe





KeeFarce has been tested on:

KeePass 2.28, 2.29 and 2.30 - running on Windows 8.1 - both 32 and 64 bit.