• Stars: 231
• Rank: 173,434 (Top 4 %)
• Language: C++
• Created over 1 year ago
• Updated over 1 year ago


Repository Details

RDPCredentialStealer is a malware proof-of-concept that steals the credentials users enter in the RDP client, using API hooking with Detours in C++.

RDPCredentialStealer


Proof-of-Concept Tool for Credential Theft

Let's try it:

First, I copy the DLL from the GitHub repository to the C:\Users\Public\Music path:

[screenshot]

Now I open the Windows RDP connection application:

[screenshot]

Then I run the EXE from the GitHub repository:

[screenshot]

When I try to connect to an RDP server:

[screenshot]

I enter the user s12User and the password passwdtest.

Now I check the file C:\Users\Public\Music\RDPCreds.txt:

[screenshot]

Code

RDPCredStealerDLL:

This code is an implementation of a hooking technique in C++ using the Detours library. It targets the CredUnPackAuthenticationBufferW function exported by credui.dll, which unpacks an authentication buffer into its plain-text username and password. Let's break the code down step by step:

The necessary header files are included, such as windows.h, wincred.h, detours.h, and others.

A function pointer type CredUnPackAuthenticationBufferW_t is defined, matching the signature of the original CredUnPackAuthenticationBufferW function, and a pointer pCredUnPackAuthenticationBufferW of that type is declared to hold the address of the original function.

The MyCredUnPackAuthenticationBufferW function is the hook (the detour) that runs in place of the original whenever the hooked function is invoked. It first calls the original function through the stored pointer pCredUnPackAuthenticationBufferW, then converts the returned username and password from wide strings (LPWSTR) to UTF-8 encoded std::string values.

Finally, it opens a file in append mode and writes the username and password to it.

The DllMain function is the entry point of the hooking DLL; it is called when the DLL is loaded or unloaded. When ul_reason_for_call is DLL_PROCESS_ATTACH (the DLL is being loaded), it loads credui.dll with LoadLibraryA.

Then it resolves the address of the original CredUnPackAuthenticationBufferW with GetProcAddress. If that succeeds, it installs the hook by calling DetourTransactionBegin, DetourUpdateThread, and DetourAttach. When ul_reason_for_call is DLL_PROCESS_DETACH (the DLL is being unloaded), it removes the hook by calling DetourTransactionBegin, DetourUpdateThread, and DetourDetach.

The purpose of this code is to hook the CredUnPackAuthenticationBufferW function and intercept the credentials passed to it, allowing the hooking code to extract and log the username and password to a file. This technique can be used maliciously to capture sensitive information such as RDP credentials, which is a significant security concern.
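As an added defender-side example (not part of this repository), the following portable C++ checks whether an exported function's entry bytes have been rewritten with the unconditional jump that a Detours-style inline hook leaves behind. The module range, function address and prologue bytes are constructed sample values; on a live system they would be read from the process under inspection.

```cpp
#include <cstdint>
#include <cstring>
#include <iostream>
#include <string>

// Constructed view of a loaded module (think credui.dll): image base and size.
struct ModuleRange {
    uint64_t base, size;
    bool contains(uint64_t a) const { return a >= base && a < base + size; }
};

struct HookVerdict { bool hooked; uint64_t target; std::string reason; };

// Heuristic inline-hook check on the first bytes of a function's prologue.
// Detours-style hooks overwrite the entry with an unconditional jump to the
// detour; an unmodified export normally starts with ordinary prologue code.
HookVerdict inspectPrologue(const ModuleRange& mod, uint64_t funcAddr,
                            const uint8_t* b, size_t len) {
    HookVerdict v{false, 0, "no unconditional jump at entry"};
    if (len >= 5 && b[0] == 0xE9) {                          // jmp rel32
        int32_t rel; std::memcpy(&rel, b + 1, sizeof rel);
        v.target = funcAddr + 5 + static_cast<int64_t>(rel);  // rel is signed, may go backwards
        v.hooked = !mod.contains(v.target);                  // an in-module jmp may be a tail call
        v.reason = v.hooked ? "jmp rel32 leaves the module" : "jmp rel32 stays inside the module";
    } else if (len >= 6 && b[0] == 0xFF && b[1] == 0x25) {   // jmp [rip+disp32]
        v.hooked = true;                                     // target sits in memory not read here
        v.reason = "indirect jmp at entry";
    }
    return v;
}

// Writes the 5-byte jmp rel32 patch a hook leaves behind (for the constructed samples).
void makeJmpRel32(uint8_t out[5], int32_t rel) {
    out[0] = 0xE9;
    std::memcpy(out + 1, &rel, sizeof rel);
}

int main() {
    ModuleRange credui{0x7FF800000000ULL, 0x40000};      // constructed module range
    uint64_t fn = 0x7FF800001000ULL;                     // constructed export address
    uint8_t clean[] = {0x48, 0x89, 0x5C, 0x24, 0x08};    // mov [rsp+8], rbx: ordinary prologue
    uint8_t patched[5]; makeJmpRel32(patched, -268439557); // resolves to 0x7FF7F0000000, outside credui
    HookVerdict a = inspectPrologue(credui, fn, clean, sizeof clean);
    HookVerdict b = inspectPrologue(credui, fn, patched, sizeof patched);
    std::cout << "clean:   " << a.reason << "\npatched: " << b.reason
              << " (target 0x" << std::hex << b.target << ")\n";
}
```

On a real host the prologue bytes come from reading the target process's memory; comparing them against the same bytes in the on-disk credui.dll image is the more robust check, and this heuristic only covers the common jump shapes.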

Inject.h

This code provides functions for injecting a DLL (Dynamic Link Library) into a target process on the Windows operating system. Let's break down the code and understand its functionality:

The necessary header files are included, such as windows.h, stdio.h, and tlhelp32.h. These headers provide the required functions and data types for interacting with the Windows API.

The getPIDbyProcName function takes a process name as input and returns the corresponding process ID (PID). It uses the CreateToolhelp32Snapshot function to create a snapshot of the current processes, and then iterates through the snapshot using Process32FirstW and Process32NextW functions to find the process with a matching name. If found, it returns the process ID; otherwise, it returns 0.

The DLLinjector function takes a process ID (pid) and a DLL path as input and injects the specified DLL into the target process. Here's how it works:

a. It opens the target process using OpenProcess with the PROCESS_ALL_ACCESS flag.
b. It retrieves the handle of the Kernel32 module using GetModuleHandleW.
c. It obtains the address of the LoadLibraryW function within Kernel32 using GetProcAddress.
d. It allocates memory in the target process using VirtualAllocEx.
e. It writes the DLL path into that allocated memory using WriteProcessMemory.
f. It creates a remote thread in the target process using CreateRemoteThread, passing the address of LoadLibraryW as the thread routine and the allocated memory as its parameter.
g. If the thread creation succeeds, it returns true to indicate that the DLL injection was successful.

The main function is not included in this snippet. You can use these functions within your own application to inject a DLL into a target process by providing the process name and DLL path as input.

Please note that DLL injection is a technique with various applications, including both legitimate use cases (such as debugging and extending functionality) and malicious purposes (such as injecting malware or modifying the behavior of a process without authorization). Exercise caution and ensure you have the appropriate permissions and legal rights before using such techniques.
