1Password is a password manager developed by AgileBits Inc. that gives users a place to store passwords, software licenses, and other sensitive information in virtual vaults secured by a master password stretched with PBKDF2. After downloading a copy of the software and using it for a while, I noticed that so long as 1Password remained unlocked, the passwords within it remained decrypted and readable in the UI. This was my initial motivation to dig into what’s happening under the hood.
One project that has always intrigued me is KeeThief, by Will and Lee Christensen. KeeThief leveraged the ClrMD debugging suite by Microsoft to walk the heap for .NET objects of interest and, since the 1Password client application is written in .NET, it felt like the perfect opportunity to get firsthand experience using it. Plus, who doesn’t like reading passwords?
A final note before proceeding — this post covers my methodology and thought process while attacking this problem. If you simply want to know what “worked,” I’d recommend skipping to the bottom and reading from “Attempt #4” onward.