wraithdu

Reading Password Input Controls

8 posts in this topic

#1 ·  Posted (edited)

So I actually had the need for something like this a while back - lost a password, only had the dialog where it was entered - but when I realized the work involved it was quicker to find another app to do it at the time. I never put the idea down though, and finally got around to writing it. The app injects a simple DLL into the remote process, passes it some information, and the DLL calls GetWindowText() which in the context of the remote app can read the passworded controls. It works for any other control where text can be read as well.

I don't have XP or Vista to test anymore, just Win7, so I'd like to confirm it works on those OS's as well (it should). This app uses RtlCreateUserThread() to create the remote threads instead of CreateRemoteThread() because on Vista+ this function can create threads in processes that are in a different session than the logged on user. Now, I've read in many places that to do this one needs to follow this procedure:

1) Use RtlCreateUserThread() to create a suspended thread at kernel32!ExitThread

2) Use NtQueueApcThread() to create a queued APC - this points to our remote code

3) Resume the thread created in (1) which will then execute our APC (our code) in (2)

However I've found I get the same success simply using RtlCreateUserThread() to create the thread at the injected code directly. This is partly why I want to confirm this works on XP and Vista. Anyone have other insight to the above?

There is another method for Vista+ that uses NtCreateThreadEx() directly. However it uses highly undocumented structures, and while it worked for me on Vista it BSOD'd my Win7 machine. I deemed it too unsafe to use. It's a shame though because on Vista it was able to create threads in more processes than even RtlCreateUserThread().

This download contains my modified version of Zedna's Resources UDF to handle the cursor resource, the DLL and FreeBasic source, and the cursor and icon files, AU3 source, necessary includes, and the compiled binary. Simple instructions:

1) Download it

2) Compile it yourself or run the compiled version (running from Scite will not work for the cursor and icon resources)

3) Drag the target to a control and release, 'ESC' to exit

Update 1: 2009/10/04

- updated injection function to work on XP: now uses CreateRemoteThread() on XP and RtlCreateUserThread() on Vista+

Update 2: 2009/10/06

- fixed extraneous dependencies my last update caused, sorry

- better error checking in UDFs

Update 3: 2009/10/06

- workaround for AutoIt < 3.3.1.0 bug

Update 4: 2009/10/13

- updated GUI using familiar drag-drop target

- reworked icon / cursor resource handling

Update 5: 2009/10/13

- added control highlighting

Update 6: 2009/11/19

- switched to GDI+

- fixed some window redraw problems

Download GetWinTextRemote

(MD5: 3d29e19964f42a80947dfbe7c0257abc)

Edited by wraithdu
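A defender's view of the remote thread creation discussed in the post above, as an added example that is not part of the original post or the posted tool: Sysmon logs cross-process thread creation as Event ID 8 (CreateRemoteThread), and the sketch below triages such records for the two start-address patterns the post describes. The sample records, file paths and the `EXPECTED_SOURCES` allowlist are constructed assumptions; only the field names are Sysmon's.

```python
# Triage of Sysmon Event ID 8 (CreateRemoteThread) records, already parsed to dicts.
# All sample values below are constructed for illustration.

# Assumed allowlist of sources expected to create threads in other processes.
EXPECTED_SOURCES = {r"c:\windows\system32\csrss.exe"}

SAMPLE_EVENTS = [
    {   # start address in memory that no loaded module backs
        "SourceImage": r"C:\Users\alice\Desktop\tool.exe",
        "TargetImage": r"C:\Program Files\App\app.exe",
        "StartAddress": "0x00000000001F0000",
        "StartModule": "-", "StartFunction": "-",
    },
    {   # thread parked at kernel32!ExitThread (step 1 of the APC procedure)
        "SourceImage": r"C:\Users\alice\Desktop\tool.exe",
        "TargetImage": r"C:\Program Files\App\app.exe",
        "StartAddress": "0x0000000076D21234",
        "StartModule": r"C:\Windows\System32\kernel32.dll",
        "StartFunction": "ExitThread",
    },
    {   # expected system activity, should not be flagged
        "SourceImage": r"C:\Windows\System32\csrss.exe",
        "TargetImage": r"C:\Windows\System32\cmd.exe",
        "StartAddress": "0x0000000076D25678",
        "StartModule": r"C:\Windows\System32\kernel32.dll",
        "StartFunction": "CtrlRoutine",
    },
]

def triage(event):
    """Return the reasons a remote-thread event deserves a closer look."""
    if event.get("SourceImage", "").lower() in EXPECTED_SOURCES:
        return []
    reasons = []
    if event.get("StartModule", "").strip() in ("", "-"):
        reasons.append("start address not backed by a loaded module")
    if event.get("StartFunction", "").strip().lower() == "exitthread":
        # The queued APC itself is not in this event; only the carrier thread is.
        reasons.append("thread starts at ExitThread (possible APC carrier)")
    return reasons

def flagged(events):
    """Return (source, target, reasons) for every event with at least one reason."""
    return [(e["SourceImage"], e["TargetImage"], r)
            for e in events if (r := triage(e))]

if __name__ == "__main__":
    for src, dst, why in flagged(SAMPLE_EVENTS):
        print(f"{src} -> {dst}: {'; '.join(why)}")
```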




#2 ·  Posted (edited)

@wraithdu

Nice work :D

Works fine on your example, I will test it on other apps !

Cheers, FireFox.

Edited by FireFox

 

OS : Win XP SP2 (32 bits) / Win 7 SP1 (64 bits) / Win 8 (64 bits) | Autoit version: latest stable / beta.
Hardware : Intel(R) Core(TM) i5-2400 CPU @ 3.10Ghz / 8 GiB RAM DDR3.

My UDFs : Skype UDF | TrayIconEx UDF | GUI Panel UDF | Excel XML UDF | Is_Pressed_UDF

My Projects : YouTube Multi-downloader | FTP Easy-UP | Lock'n | WinKill | AVICapture | Skype TM | Tap Maker | ShellNew | Scriptner | Const Replacer | FT_Pocket | Chrome theme maker

My Examples : Capture tool | IP Camera | Crosshair | Draw Captured Region | Picture Screensaver | Jscreenfix | Drivetemp | Picture viewer

My Snippets : Basic TCP | Systray_GetIconIndex | Intercept End task | Winpcap various | Advanced HotKeySet | Transparent Edit control

 


Updated, see first post.

@FireFox

What OS did you test on? I got around to testing on XP, and RtlCreateUserThread() just hangs in my XP SP3 VM.


Updated/fixed, see first post.


Updated, see first post.

@FireFox

What OS did you test on? I got around to testing on XP, and RtlCreateUserThread() just hangs in my XP SP3 VM.

It works on Windows 7 :)

Cheers, FireFox.


 


Workaround to remove the AutoIt >= 3.3.1.0 requirement.


Updated again. Thanks Lazycat for the Window Finder example.


Updated, added control highlighting. Thanks again Lazycat for the resource link inside your example :)

