{
	"id": "806a475a-a52a-4eab-9c8f-cf2cfbecef27",
	"created_at": "2026-04-06T00:16:00.293542Z",
	"updated_at": "2026-04-10T13:11:42.846016Z",
	"deleted_at": null,
	"sha1_hash": "d62395b4636c90ec3cb61224419a8b40651da807",
	"title": "GitHub - GhostPack/KeeThief: Methods for attacking KeePass 2.X databases, including extracting of encryption key material from memory.",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 41042,
	"plain_text": "GitHub - GhostPack/KeeThief: Methods for attacking KeePass 2.X\r\ndatabases, including extracting of encryption key material from\r\nmemory.\r\nBy HarmJ0y\r\nArchived: 2026-04-05 13:57:41 UTC\r\nAllows for the extraction of KeePass 2.X key material from memory, as well as the backdooring and enumeration\r\nof the KeePass trigger system.\r\nAuthor: Lee Christensen (@tifkin_), Will Schroeder (@harmj0y)\r\nLicense: BSD 3-Clause\r\nRequired Dependencies: None\r\nOptional Dependencies: None\r\nThis project includes a number of components:\r\nDecryptionShellcode\r\nA modified version of Matt Graeber (@mattifestation)'s PIC_Bindshell position-independent shellcode project,\r\nlicensed under the 3-clause BSD license.\r\nModifications were made to build shellcode to inject into a KeePass.exe process that decrypts DPAPI blobs using\r\nRtlDecryptMemory.\r\nKeePass-2.34-Source-Patched\r\nPatched source code of the KeePass project (version 2.34), licensed under the GNU GENERAL PUBLIC\r\nLICENSE with the specific KeePass license located here. Modifications were made to allow the manual\r\nspecification of key data (in the form of base64 strings) when decrypting a database. Changes are to\r\nKeePromptForm.cs, KeePromptForm.Designer.cs, KcpKeyFile.cs, and KcpUserAccount.cs.\r\nKeeTheft\r\nThe main KeeThief code, \"where the magic happens\".\r\nKeeThief's GetKeePassMasterKeys() will attach to the target KeePass process using CLR MD and enumerate all\r\nCLR heap objects, searching for a KeePassLib.PwDatabase object. If one is found, the path is extracted from the\r\nm_strUrl field, and all referenced objects are enumerated, searching for a KeePassLib.Keys.CompositeKey.\r\nhttps://github.com/HarmJ0y/KeeThief\r\nPage 1 of 2\n\nIf a composite master key is found, information for each key type (KcpPassword, KcpKeyFile, KcpUserAccount)\r\nis extracted, including the RtlEncryptMemory() encrypted data blobs of key data. For any encrypted blobs found,\r\nshellcode is injected into the KeePass process that calls MyRtlDecryptMemory() to decrypt the memory blobs,\r\nreturning the plaintext/unprotected key data.\r\nThis is a different approach than denandz' excellent KeeFarce project, which injects code to load a bootstrap DLL\r\ninto the KeePass process, which then loads a C# assembly along with CLR MD, and executes the 'Export'\r\nmethod on a KeePass.DataExchange.Formats.KeePassCsv1x object in order to export all existing passwords to\r\ndisk. KeeTheft walks the heap for composite key information and injects shellcode to decrypt each encryption\r\nmaterial component as appropriate.\r\nIncluded in the project is a .NET 2.0 backport of the CLR MD project (necessary for PowerShell v2\r\ncompatibility). The CLR MD project is licensed by Microsoft under the MIT license.\r\nOn building the project, a merged .\\KeeTheft\\bin\\ReleaseKeeTheft.exe binary containing KeeTheft and the CLR\r\nMD will be produced.\r\nPowerShell\r\nThe KeeThief.ps1 PowerShell file contains Get-KeePassDatabaseKey, which loads/executes the KeeTheft\r\nassembly in memory to extract KeePass material from a KeePass.exe process with an open database.\r\nThe KeePassConfig.ps1 file contains methods to enumerate KeePass config files on a system (Find-KeePassconfig), retrieve the set triggers for a KeePass.config.xml file (Get-KeePassConfigTrigger), add\r\nmalicious KeePass triggers (Add-KeePassConfigTrigger), and remove KeePass triggers (Remove-KeePassConfigTrigger).\r\nKeeThief License\r\nThe KeeThief project and all individual scripts are under the BSD 3-Clause license unless explicitly noted\r\notherwise.\r\nSource: https://github.com/HarmJ0y/KeeThief",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://github.com/HarmJ0y/KeeThief"
	],
	"report_names": [
		"KeeThief"
	],
	"threat_actors": [],
	"ts_created_at": 1775434560,
	"ts_updated_at": 1775826702,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d62395b4636c90ec3cb61224419a8b40651da807.pdf",
		"text": "https://archive.orkl.eu/d62395b4636c90ec3cb61224419a8b40651da807.txt",
		"img": "https://archive.orkl.eu/d62395b4636c90ec3cb61224419a8b40651da807.jpg"
	}
}