FormThief: Spoofing desktop login applications with WinForms and WPF
FormThief
FormThief is a project designed for spoofing Windows desktop login applications using WinForms and WPF.
Windows Forms (WinForms) and Windows Presentation Foundation (WPF) are two UI frameworks provided by Microsoft for building desktop applications on Windows. While they are primarily used for developing software, they also make it straightforward to reproduce the login dialogs of legitimate Windows desktop applications.
The idea behind this was to identify desktop applications used by the target organization, tailor a forms application to the specific victim, and then load the spoofed login application via beacon to capture user credentials.
Prereqs
Information on application process executables, prereqs for creating convincing dialogs, and example attack vectors:

Application | Executables | Prereqs | Example Attack Vector |
---|---|---|---|
Cisco AnyConnect | vpnui.exe / vpnagent.exe | procsearch the UI process for “Connected”; it should show ‘Connected to xyz…’. An XML file located in | Identify the current connection gateway -> kill process -> pop new auth dialog with identified gateway |
KeePass | KeePass.exe | Identify any .kdbx files on the host (trying to dump the active .kdbx db with procsearch fails) | Kill process -> pop new auth dialog with .kdbx file path |
LastPass | lpwinmetro.exe | procsearch the LastPass process for “email” to identify an active email address | Kill process -> pop new auth dialog with identified email |
OpenVPN | openvpn.exe | procsearch the OpenVPN process for “.ovpn” to identify an active profile | Kill process -> pop new auth dialog with target VPN profile |
Windows Security (Outlook) | OUTLOOK.exe / olk.exe | procsearch the Outlook process for “email” to identify an active email address | Kill process -> pop new auth dialog with extracted email |
Functionality within the included applications is fairly modular, so it can easily be copied and pasted when creating new forms. Several items in proctools, which were written while working on this project, may also come in handy.
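Every vector in the table above follows the same sequence on the endpoint: the real login process is killed and a lookalike dialog is started a few seconds later. That sequence is also what a defender can correlate. The following is an added detection example, not part of FormThief or proctools: it replays constructed Sysmon-style process-terminate (Event ID 5) and process-create (Event ID 1) records and flags a create that lands within a short window after one of the table's executables was terminated, when the new process comes from a user-writable path or its OriginalFileName does not match its on-disk name. The event field names mirror Sysmon's, but the records, paths and timestamps are constructed for this example.

```python
"""Correlate 'login app terminated' with 'suspicious process created'.

Assumptions (not from the FormThief page): events arrive as dicts with the
Sysmon-style keys EventID, UtcTime, Image and optional OriginalFileName, and
UtcTime is formatted "%Y-%m-%d %H:%M:%S" (Sysmon itself appends milliseconds;
strip them before calling correlate()).
"""
from datetime import datetime, timedelta

# Executables named in the FormThief prereq table, lower-cased for matching.
WATCHED_LOGIN_PROCESSES = {
    "vpnui.exe", "vpnagent.exe", "keepass.exe", "lpwinmetro.exe",
    "openvpn.exe", "outlook.exe", "olk.exe",
}

# Locations a legitimate vendor login binary would not normally run from.
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\public\\")

DEFAULT_WINDOW = timedelta(seconds=30)


def _basename(image: str) -> str:
    """Return the lower-cased file name of a Windows image path."""
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _parse_time(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S")


def correlate(events, window: timedelta = DEFAULT_WINDOW):
    """Return a list of alert dicts for create events that follow a watched
    termination within `window` and look like a lookalike dialog."""
    ordered = sorted(events, key=lambda e: _parse_time(e["UtcTime"]))
    recent_terminations = []  # (timestamp, process name)
    alerts = []

    for ev in ordered:
        ts = _parse_time(ev["UtcTime"])
        name = _basename(ev["Image"])

        if ev["EventID"] == 5:
            if name in WATCHED_LOGIN_PROCESSES:
                recent_terminations.append((ts, name))
            continue
        if ev["EventID"] != 1:
            continue

        # Age out terminations that fall outside the correlation window.
        recent_terminations = [(t, n) for t, n in recent_terminations
                               if ts - t <= window]
        if not recent_terminations:
            continue

        reasons = []
        lowered = ev["Image"].lower()
        if any(marker in lowered for marker in USER_WRITABLE_MARKERS):
            reasons.append("spawned from a user-writable path")
        original = ev.get("OriginalFileName")
        if original and original.lower() != name:
            reasons.append(f"OriginalFileName {original!r} does not match image name {name!r}")

        # A vendor binary restarting from its install directory produces no
        # reasons and therefore no alert.
        if reasons:
            alerts.append({
                "time": ev["UtcTime"],
                "image": ev["Image"],
                "terminated": [n for _, n in recent_terminations],
                "reasons": reasons,
            })
    return alerts


# Constructed sample telemetry (not real logs). Records 1-2 model the
# kill-then-spawn pattern; records 3-4 model a benign KeePass restart;
# record 5 is a Temp-path launch with no preceding termination.
SAMPLE_EVENTS = [
    {"EventID": 5, "UtcTime": "2024-05-01 10:00:00",
     "Image": r"C:\Program Files\ExampleVPN\vpnui.exe"},
    {"EventID": 1, "UtcTime": "2024-05-01 10:00:04",
     "Image": r"C:\Users\alice\AppData\Local\Temp\vpnui.exe",
     "OriginalFileName": "login.exe"},
    {"EventID": 5, "UtcTime": "2024-05-01 10:05:00",
     "Image": r"C:\Program Files\ExampleKeePass\KeePass.exe"},
    {"EventID": 1, "UtcTime": "2024-05-01 10:05:03",
     "Image": r"C:\Program Files\ExampleKeePass\KeePass.exe",
     "OriginalFileName": "KeePass.exe"},
    {"EventID": 1, "UtcTime": "2024-05-01 11:00:00",
     "Image": r"C:\Users\alice\AppData\Local\Temp\helper.exe"},
]


def sample_alerts():
    """Run the correlation over the constructed sample events."""
    return correlate(SAMPLE_EVENTS)


if __name__ == "__main__":
    for alert in sample_alerts():
        print(alert["time"], alert["image"], "; ".join(alert["reasons"]))
```

Only the second record produces an alert: it follows a vpnui.exe termination within the window, runs from the user's Temp directory, and carries an OriginalFileName that disagrees with its file name. The KeePass restart from its install directory and the unrelated Temp-path launch an hour later are both ignored, which keeps the rule from firing on ordinary reconnects and updates. Tightening or widening the 30-second window is the main tuning knob in practice.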