KeeFarce: Extract Passwords From KeePass 2.x Database Directly From Memory

Posted: 31/10/2015 in Downloads, education, free stuff, Geek Stuff, Hacking
Tags: , , ,

tv crime2KeeFarce allows for the extraction of KeePass 2.x password database information from memory. The cleartext information, including usernames, passwords, notes and url’s are dumped into a CSV file in %AppData%.

General Design

KeeFarce uses DLL injection to execute code within the context of a running KeePass process. C# code execution is achieved by first injecting an architecture-appropriate bootstrap DLL. This spawns an instance of the dot net runtime within the appropriate app domain, subsequently executing KeeFarceDLL.dll (the main C# payload).

The KeeFarceDLL uses CLRMD to find the necessary object in the KeePass processes heap, locates the pointers to some required sub-objects (using offsets), and uses reflection to call an export method.

Prebuilt Packages

An appropriate build of KeeFarce needs to be used depending on the KeePass target’s architecture (32 bit or 64 bit). Archives and their shasums can be found under the ‘prebuilt’ directory.


In order to execute on the target host, the following files need to be in the same folder:

  • BootstrapDLL.dll
  • KeeFarce.exe
  • KeeFarceDLL.dll
  • Microsoft.Diagnostic.Runtime.dll

Copy these files across to the target and execute KeeFarce.exe


Open up the KeeFarce.sln with Visual Studio (note: dev was done on Visual Studio 2015) and hit ‘build’. The results will be spat out into dist/$architecture. You’ll have to copy the KeeFarceDLL.dll files and Microsoft.Diagnostic.Runtime.dll files into the folder before executing, as these are architecture independent.


KeeFarce has been tested on:
KeePass 2.28, 2.29 and 2.30 – running on Windows 8.1 – both 32 and 64 bit.
This should also work on older Windows machines (win 7 with a recent service pack). If you’re targeting something other than the above, then testing in a lab environment before hand is recommended.


  1. noname says:

    hi, tried it with win 7 64
    x32 executable and it looks like it injects cause it shows the process,
    however %appdata%/keepass/….xml is….empty:

    any idea? ty

    • Alan Cain says:

      So the application needs to be running to inject into it (KeePass.exe) and it will create a file called keepass_export.csv in C:\Users\YOURNAME\AppData\Roaming.
      If you are still having issues I will create a video for you.

      • Geezer says:

        Interesting that you say the application has to be running. You can run the app but if there is no file open does it still work? If it requires a file to be open then that assumes you know the master password. If you know the master password then why would you want to hack the app? Am I missing something?

      • Alan Cain says:

        Hi Geezer,
        If another user is running the application in their session you can pull the information from memory.So for instance if you have a shell session on another user’s machine or if you are sharing a terminal server ect you can use this to create a dump of the keepass database without knowing the password.
        Hope that explains it.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.