Reading Password Input Controls


wraithdu

So I actually had the need for something like this a while back - lost a password, only had the dialog where it was entered - but when I realized the work involved it was quicker to find another app to do it at the time. I never put the idea down though, and finally got around to writing it. The app injects a simple DLL into the remote process, passes it some information, and the DLL calls GetWindowText() which in the context of the remote app can read the passworded controls. It works for any other control where text can be read as well.

I don't have XP or Vista to test anymore, just Win7, so I'd like to confirm it works on those OSes as well (it should). This app uses RtlCreateUserThread() to create the remote threads instead of CreateRemoteThread() because on Vista+ this function can create threads in processes that are in a different session than the logged-on user. Now, I've read in many places that to do this one needs to follow this procedure:

1) Use RtlCreateUserThread() to create a suspended thread at kernel32!ExitThread

2) Use NtQueueApcThread() to create a queued APC - this points to our remote code

3) Resume the thread created in (1) which will then execute our APC (our code) in (2)

However, I've found I get the same success simply by using RtlCreateUserThread() to create the thread at the injected code directly. This is partly why I want to confirm this works on XP and Vista. Anyone have other insight on the above?

There is another method for Vista+ that uses NtCreateThreadEx() directly. However it uses highly undocumented structures, and while it worked for me on Vista it BSOD'd my Win7 machine. I deemed it too unsafe to use. It's a shame though because on Vista it was able to create threads in more processes than even RtlCreateUserThread().

This download contains my modified version of Zedna's Resources UDF to handle the cursor resource, the DLL and FreeBasic source, and the cursor and icon files, AU3 source, necessary includes, and the compiled binary. Simple instructions:

1) Download it

2) Compile it yourself or run the compiled version (running from SciTE will not work for the cursor and icon resources)

3) Drag the target to a control and release, 'ESC' to exit

Update 1: 2009/10/04

- updated injection function to work on XP: now uses CreateRemoteThread() on XP and RtlCreateUserThread() on Vista+

Update 2: 2009/10/06

- fixed extraneous dependencies my last update caused, sorry

- better error checking in UDFs

Update 3: 2009/10/06

- workaround for AutoIt < 3.3.1.0 bug

Update 4: 2009/10/13

- updated GUI using familiar drag-drop target

- reworked icon / cursor resource handling

Update 5: 2009/10/13

- added control highlighting

Update 6: 2009/11/19

- switched to GDI+

- fixed some window redraw problems

Download GetWinTextRemote

(MD5: 3d29e19964f42a80947dfbe7c0257abc)

Edited by wraithdu