Channel: Brundle's Laboratory » python

KeePass stalking or the power of debugging


Just a PoC of an idea I had some days ago. Software like KeePass, to name one, has gone to great lengths to protect sensitive data on disk and even in memory.
But everything has a weak link…

The idea is a small “post-exploitation” program which lets you “stalk” (debug) the KeePass.exe module, attaching to it and waiting for a user action (copying a username/password to the clipboard).

I found that between calls to the Win32 Clipboard API, the cleartext of the credentials is placed at a predictable location on the stack. A small “debugger” program attached to the process can therefore pause execution at the corresponding function call and read the password from the stack :)
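The technique above needs a foreign process to open a handle on KeePass.exe with memory-read rights (and, for breakpoints, memory-write rights), which is exactly what a defender can watch for. As an added example that is not part of the original post or its PoC code, here is a small Python checker that scans Sysmon Event ID 10 (ProcessAccess) records, which log the source image, target image and GrantedAccess mask of every cross-process handle open, and flags those aimed at KeePass.exe. The Sysmon log source, the image paths and the sample records are constructed assumptions, not data from the post.

```python
"""
Flag process-access events that look like a debugger or memory reader
attaching to KeePass.exe (defender-side companion to the PoC in the post).

Assumptions (not from the original post): the log source is Sysmon Event ID 10
(ProcessAccess) exported as XML; SAMPLE_EVENTS below are constructed records.
"""
import xml.etree.ElementTree as ET

# Subset of Win32 process access rights (values as defined in the Windows SDK).
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_READ = 0x0010
PROCESS_VM_WRITE = 0x0020
PROCESS_QUERY_INFORMATION = 0x0400
PROCESS_ALL_ACCESS_MASK = 0x1F0FFF  # classic PROCESS_ALL_ACCESS value

# Reading another process's stack needs at least VM_READ; planting software
# breakpoints additionally needs VM_WRITE and VM_OPERATION.
MEMORY_READ_MASK = PROCESS_VM_READ
DEBUG_WRITE_MASK = PROCESS_VM_WRITE | PROCESS_VM_OPERATION

# Target images for which a foreign handle with read/write rights is suspicious.
PROTECTED_IMAGES = {"keepass.exe"}


def parse_event(xml_text):
    """Return the Event ID 10 fields we care about as a dict."""
    root = ET.fromstring(xml_text)
    data = {}
    for el in root.iter():
        # Sysmon XML carries a default namespace; strip it before comparing tags.
        if el.tag.rsplit("}", 1)[-1] == "Data":
            data[el.get("Name")] = el.text or ""
    return {
        "source": data.get("SourceImage", ""),
        "target": data.get("TargetImage", ""),
        "granted": int(data.get("GrantedAccess", "0"), 16),  # e.g. "0x1F0FFF"
    }


def classify(event):
    """Return a severity label, or None if the access is uninteresting."""
    target = event["target"].rsplit("\\", 1)[-1].lower()
    if target not in PROTECTED_IMAGES:
        return None
    granted = event["granted"]
    if granted & PROCESS_ALL_ACCESS_MASK == PROCESS_ALL_ACCESS_MASK:
        return "high"    # full access: what a debugger attach ends up with
    if granted & DEBUG_WRITE_MASK:
        return "high"    # can patch code or plant breakpoints
    if granted & MEMORY_READ_MASK:
        return "medium"  # can read the stack/heap even without breakpoints
    return None          # e.g. QUERY_LIMITED_INFORMATION from Explorer/Task Manager


def scan(records):
    """Return (severity, source image, target image) for every suspicious record."""
    hits = []
    for rec in records:
        ev = parse_event(rec)
        sev = classify(ev)
        if sev:
            hits.append((sev, ev["source"], ev["target"]))
    return hits


# Constructed sample records in Sysmon's Windows-event XML shape (not real logs).
_XMLNS = "http://schemas.microsoft.com/win/2004/08/events/event"
_TEMPLATE = (
    '<Event xmlns="%s"><System><EventID>10</EventID></System><EventData>'
    '<Data Name="SourceImage">%%s</Data><Data Name="TargetImage">%%s</Data>'
    '<Data Name="GrantedAccess">%%s</Data></EventData></Event>' % _XMLNS
)
SAMPLE_EVENTS = [
    # a scripted debugger (python.exe) taking full access to KeePass: high
    _TEMPLATE % (r"C:\tools\python.exe", r"C:\Program Files\KeePass\KeePass.exe", "0x1F0FFF"),
    # Explorer querying limited info about KeePass: benign
    _TEMPLATE % (r"C:\Windows\explorer.exe", r"C:\Program Files\KeePass\KeePass.exe", "0x1000"),
    # full access, but to a non-protected target: ignored by this rule
    _TEMPLATE % (r"C:\Windows\System32\taskmgr.exe", r"C:\Windows\notepad.exe", "0x1F0FFF"),
    # read-only memory access to KeePass (VM_READ | QUERY_INFORMATION): medium
    _TEMPLATE % (r"C:\tools\memdump.exe", r"C:\Program Files\KeePass\KeePass.exe", "0x0410"),
]

if __name__ == "__main__":
    for sev, src, dst in scan(SAMPLE_EVENTS):
        print("%-6s %s -> %s" % (sev, src, dst))
```

Sysmon does not record ProcessAccess events unless its configuration includes a rule for them, so a rule matching TargetImage KeePass.exe is needed before this check sees anything. Antivirus and EDR agents also open handles with broad rights on every process, so in practice the SourceImage field should be compared against an allow-list of known security tooling to keep the noise down.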

This isn’t in any way a robust solution, rather something I coded “quick and dirty” in Python using PyDbg (what else?), but it should be easy to write a small Win32 program with exactly the same functionality.
Don’t forget that after all PyDbg is kind of a wrapper around the Win32 debugging API…

And using the douchey expression “without further ado”, here is a demo video.


KeePass Live Debugging from Carlos Garcia Prado on Vimeo.

The code can be downloaded here
