Contenido principal

KeePassLogger - KeePass Two-Channel Auto-Type Obfuscation Bypass

Febrero 3, 2016

Two-Channel Auto-Type obfuscation is a security mechanism from KeePass to protect auto-typed passwords from being captured by "standard" keyloggers. It uses clipboard and keyboard emulation as primary channels to transfer passwords to their final input:

KeePass TCATO Two-Channel Auto-Type Obfuscation

This scheme is secure while none or just one channel is compromised. We are going to focus on clipboard protection, the following section from KeePass TCATO FAQ was removed after the bug was reported and rejected:

KeePass Clipboard Event Blocker

The old way

Clipboard protection is heavily based on the old clipboard viewer chain from Windows, the diagram shows the windows message flow in the viewer chain, the flow must be followed by all the applications that want to listen to clipboard changes. The operating system sends a message to the first window, then each window is required to pass the message to the next one until there is no window left:

Windows Clipboard Viewer Chain

Here comes into play the Clipboard Event Blocker from KeePass, it first calls SetClipboardViewer to add himself as the first window in the viewer chain, and then when the WM_DRAWCLIPBOARD message is received it blocks this message from being passed to the next window:

Windows Clipboard Viewer Chain KeePass

There are two ways to bypass this protection:

:arrow: Add a window to the viewer chain after KeePass protection is executed
:arrow: Use newer API functions to listen to clipboard changes

The new way

A clipboard listener was introduced in Windows Vista as a new way to listen to clipboard changes, developers are encouraged to use the system-mantained clipboard format listener instead of the old one. The operating system is now responsible for sending the message to each window, preventing the flow to be blocked by applications:

Windows Clipboard Viewer Chain KeePass


Using the new clipboard listener and a standard keylogger we can retrieve the content of both channels and reassemble the secret. The next video shows a proof of concept for the "specialized" keylogger:

Source code

KeePassLogger source code:
:arrow: KeePassLogger github repository

Archivado en: Seguridad |

Deja un comentario