
KeeFarce
#Access Control#IAM
Command-line password manager with GnuPG encryption and colorful interface.
KeeFarce allows users to extract KeePass 2 password database information directly from memory.
The cleartext information, which includes usernames, passwords, notes, and URLs, is exported into a CSV file located in %AppData%. KeeFarce utilizes DLL injection to run code within the context of an active KeePass process. The execution of C# code is accomplished by first injecting a bootstrap DLL that is appropriate for the system architecture.
This initiates an instance of the .NET runtime within the designated app domain, and then executes KeeFarceDLL.dll, which is the primary C# payload.
The KeeFarceDLL utilizes CLRMD to locate the necessary object within the heap of the KeePass processes. It identifies pointers to essential sub-objects using specific offsets and employs reflection to invoke an export method. It is important to use the correct build of KeeFarce based on the architecture of the KeePass target, either 32-bit or 64-bit. You can find the archives and their corresponding SHA sums in the 'prebuilt' directory. To run on the target host, ensure that the following files are present in the same folder: BootstrapDLL.dll, KeeFarce.exe, KeeFarceDLL.dll, and Microsoft.Diagnostic.Runtime.dll. Transfer these files to the target and execute Kee.
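The behaviour described above leaves three observable traces on the host: a remote thread created in the KeePass process, the listed DLLs loading into it, and a CSV written under %AppData%. The following detection sketch is an added example, not part of KeeFarce or of the original page. It assumes Sysmon-style events (IDs 7, 8 and 11 with Sysmon's field names) already parsed into dictionaries; the sample events, user paths and CSV file name are constructed placeholders.

```python
import ntpath

TARGET = "keepass.exe"
# DLL names the page lists beside KeeFarce.exe. ClrMD normally ships as
# Microsoft.Diagnostics.Runtime.dll, so that spelling is matched as well.
INJECTED_DLLS = {"bootstrapdll.dll", "keefarcedll.dll",
                 "microsoft.diagnostic.runtime.dll",
                 "microsoft.diagnostics.runtime.dll"}

def base(path):
    """Lower-cased file name of a Windows path (empty string if missing)."""
    return ntpath.basename(path or "").lower()

def check_event(ev):
    """Return a finding string for one Sysmon-style event, or None."""
    eid = ev.get("EventID")
    # ID 8 = CreateRemoteThread: another process starts a thread in KeePass.
    if eid == 8 and base(ev.get("TargetImage")) == TARGET:
        return "remote thread in KeePass from " + str(ev.get("SourceImage"))
    # ID 7 = ImageLoad: KeePass maps one of the DLLs named on the page.
    if eid == 7 and base(ev.get("Image")) == TARGET \
            and base(ev.get("ImageLoaded")) in INJECTED_DLLS:
        return "KeePass loaded " + str(ev.get("ImageLoaded"))
    # ID 11 = FileCreate: KeePass itself writes a CSV under AppData.
    if eid == 11 and base(ev.get("Image")) == TARGET:
        name = (ev.get("TargetFilename") or "").lower()
        if name.endswith(".csv") and "\\appdata\\" in name:
            return "KeePass wrote CSV " + str(ev.get("TargetFilename"))
    return None

def scan(events):
    """Return (index, finding) pairs for every event that matches."""
    return [(i, f) for i, ev in enumerate(events) if (f := check_event(ev))]

KP = r"C:\Program Files\KeePass Password Safe 2\KeePass.exe"
# Constructed sample events; none of these paths come from the page.
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": KP, "ImageLoaded": r"C:\Windows\System32\bcrypt.dll"},
    {"EventID": 8, "SourceImage": r"C:\Users\alice\Desktop\kf\KeeFarce.exe", "TargetImage": KP},
    {"EventID": 7, "Image": KP, "ImageLoaded": r"C:\Users\alice\Desktop\kf\BootstrapDLL.dll"},
    {"EventID": 11, "Image": KP, "TargetFilename": r"C:\Users\alice\AppData\Roaming\KeePass\KeePass.config.xml"},
    {"EventID": 11, "Image": KP, "TargetFilename": r"C:\Users\alice\AppData\Roaming\placeholder_export.csv"},
    {"EventID": 8, "SourceImage": KP, "TargetImage": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for index, finding in scan(SAMPLE_EVENTS):
        print(index, finding)
```

Matching on file names alone is easy to evade by renaming, so the remote-thread and CSV-write checks are the more durable signals.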