This should also work on older Windows machines (win 7 with a recent service pack). You'll have to copy the KeeFarceDLL.dll files and files into the folder before executing, as these are architecture independent. The results will be spat out into dist/$architecture. Open up the KeeFarce.sln with Visual Studio (note: dev was done on Visual Studio 2015) and hit 'build'. In order to execute on the target host, the following files need to be in the same folder:Ĭopy these files across to the target and execute KeeFarce.exe Building Archives and their shasums can be found under the 'prebuilt' directory. Prebuilt PackagesĪn appropriate build of KeeFarce needs to be used depending on the KeePass target's architecture (32 bit or 64 bit). The KeeFarceDLL uses CLRMD to find the necessary object in the KeePass processes heap, locates the pointers to some required sub-objects (using offsets), and uses reflection to call an export method. This spawns an instance of the dot net runtime within the appropriate app domain, subsequently executing KeeFarceDLL.dll (the main C# payload). C# code execution is achieved by first injecting an architecture-appropriate bootstrap DLL. KeeFarce uses DLL injection to execute code within the context of a running KeePass process. The cleartext information, including usernames, passwords, notes and url's are dumped into a CSV file in %AppData% General Design
KeeFarce allows for the extraction of KeePass 2.x password database information from memory.