A few clarification points for the "KeeThief – A Case Study in Attacking KeePass Part 2" post:
- KeeThief doesn't require local administrator rights, only rights to access the KeePass.exe process space you're targeting.
- KeeThief.ps1 is fully self-contained (no dependencies and no files dropped to disk) and PowerShell Version 2 compliant (so it will work on Windows 7+).
- Secure desktop doesn't come into play, as a keylogger isn't used or needed.
- This approach is different from KeeFarce: KeeThief recovers the plaintext master password and other key material from memory instead of calling internal methods to export the database contents.