KeePass 2.53/cmdline files and store the pid of ones with the keyword KeePass in their command-line argument. It'll then acquire the addresses of memory maps in /proc/<pid>/maps that aren't directly associated with a library, meaning they have an empty file path. It'll then store the memory of all those maps into a buffer by taking advantage of /proc/<pid>/mem. This would be a primitive behaviour to dump the memory of any process on Linux. It'll parse the memory to try and find leftover strings from when the user typed his master password, strings that look like so

You can find some other functionality by looking at the code. Run gcc dump_pwd.c -o dump and you're ready to go.

In short, KeePass' custom text box, SecureTextBoxEx, creates leftover strings in memory. This seems to be because of the temporary strings created while processing user input and updating the TextBox display. Perhaps because of the conversion of the StringBuilder to a string, or maybe setting this.Text and modifying the text content. Although the garbage collector will eventually clean up these residual strings, they persist temporarily in memory. The creator seems to have fixed it on Windows by using different WinAPI functions for getting/setting the TextBox directly, but he reports they still persist for some lengths, so this might be a Windows/Mono issue; we'll have to see with the next release. More interesting than the PoC itself would be to fully understand why this happens. This is just a PoC done in a couple of hours, so not exactly the definition of stable.
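The selection rule described above (memory maps in /proc/<pid>/maps with an empty file path) can be seen on a sample listing. This is an added example, not code from the PoC or from KeePass; the function name, struct and sample maps text are constructed for illustration, and it only parses text without reading any process memory.

```c
#include <stdio.h>
#include <string.h>

/* One mapping from maps-format text whose pathname field is empty. */
struct region { unsigned long long start, end; char perms[5]; };

/* Constructed sample in /proc/<pid>/maps layout (not from a real process). */
static const char SAMPLE_MAPS[] =
    "55d0a1c00000-55d0a1c21000 r-xp 00000000 08:01 131090 /usr/bin/mono\n"
    "55d0a2e4f000-55d0a3a10000 rw-p 00000000 00:00 0 [heap]\n"
    "7f3a10000000-7f3a10400000 rw-p 00000000 00:00 0 \n"
    "7f3a1c2d1000-7f3a1c4b8000 r-xp 00000000 08:01 393231 /usr/lib/libc.so.6\n"
    "7f3a1c6f0000-7f3a1c6f4000 rw-p 00000000 00:00 0\n";

/* Collect mappings with an empty pathname; returns how many were stored.
 * Line fields: start-end perms offset dev inode [pathname] */
static size_t anon_regions(const char *maps, struct region *out, size_t max)
{
    size_t n = 0;
    while (*maps && n < max) {
        size_t len = strcspn(maps, "\n");
        char line[512], perms[5], dev[16];
        unsigned long long start, end, off, inode;
        int used = 0;
        if (len < sizeof line) {
            memcpy(line, maps, len);
            line[len] = '\0';
            if (sscanf(line, "%llx-%llx %4s %llx %15s %llu%n",
                       &start, &end, perms, &off, dev, &inode, &used) == 6) {
                const char *path = line + used + strspn(line + used, " \t");
                if (*path == '\0') {   /* nothing after inode: no file path */
                    out[n].start = start; out[n].end = end;
                    strcpy(out[n].perms, perms);
                    n++;
                }
            }
        }
        maps += len + (maps[len] == '\n');
    }
    return n;
}

int main(void)
{
    struct region r[8];
    size_t n = anon_regions(SAMPLE_MAPS, r, 8);
    for (size_t i = 0; i < n; i++)
        printf("%llx-%llx %s (%llu bytes)\n", r[i].start, r[i].end, r[i].perms, r[i].end - r[i].start);
    return 0;
}
```

Entries labelled [heap] or backed by a file have a non-empty pathname field, so only the two unnamed mappings in the sample match the empty-path rule.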