Gnome Keyring Daemon Extraction Details (beta 2.0) deprecated
This research has been deprecated in favor of the original "needle" technique which supports a wider range of targets.
The gnome-keyring-daemon is passed the user's password through stdin during login using the gnome gui. The password is stored inside of a "secure-memory" region where it is never properly removed/overwritten until the user logs out.
The password retrieval is done inside of read_login_password(). Here a "secure-memory" region is allocated using egg_secure_alloc() which is a wrapper for egg_secure_alloc_full(). The user password is then read into this memory region.
Next, a new memory region is allocated using egg_secure_realloc() which is a wrapper for egg_secure_realloc_full(). Strncat is used to copy the user password from the first memory buffer into the second. A pointer to this final memory buffer is returned and stored inside of the global variable login_password inside of main(). It is not until the process terminates (atexit()) that the memory buffer holding the user's password is cleared and overwritten with 0xaa's.
By using the known offset/address of login_password inside of the .bss section of popular gnome-keyring-daemon release builds, we can reliably and quickly PTRACE into the gnome-keyring-daemon for each logged in user and extract their cleartext password.
The above method still works for release builds compiled as PIE - however instead of using the exact address of login_password we must calculate it's offset from the image base and determine this at compile time. Mimipenguin beta-2.0 currently supports this. See the target definition for version has the PIE flag enabled and uses an offset instead of an address 3.28.0.2 target