FormThief: Spoofing desktop login applications with WinForms and WPF

FormThief

FormThief is a project designed for spoofing Windows desktop login applications using WinForms and WPF.

Windows Forms (WinForms) and Windows Presentation Foundation (WPF) are two powerful UI frameworks provided by Microsoft for building desktop applications on the Windows platform. While they are primarily used for developing software, they also offer a unique opportunity for spoofing login functions for legitimate Windows desktop applications.

The idea behind this was to identify desktop applications used by the target organization, tailor a malicious forms application to the specific victim, and then load the spoofed login application via beacon to capture user credentials.

Prereqs

Information on application process executables, prereqs for creating convincing dialogs, and example attack vectors:

| Application | Executables | Prereqs | Example Attack Vector |
| --- | --- | --- | --- |
| Cisco AnyConnect | vpnui.exe/vpnagent.exe | procsearch ui process for “Connected”, should show ‘Connected to xyz…’. An XML file located in C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\Profile\ should also contain available hostnames/gateways for the host | Identify the current connection gateway -> kill process -> pop new auth dialog with identified gateway |
| KeePass | KeePass.exe | Identify any .kdbx files on the host (trying to dump the active .kdbx db with procsearch fails) | Kill process -> pop new auth dialog with .kdbx file path |
| LastPass | lpwinmetro.exe | procsearch LastPass process for “email” to identify an active email address | Kill process -> pop new auth dialog with identified email |
| OpenVPN | openvpn.exe | procsearch OpenVPN process for “.ovpn” to identify an active profile | Kill process -> pop new auth dialog with target VPN profile |
| Windows Security (Outlook) | OUTLOOK.exe/olk.exe | procsearch Outlook process for “email” to identify an active email address | Kill process -> pop new auth dialog with extracted email |
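From the monitoring side, most rows of the table share one shape: a process searches a watched application, terminates it, and a new dialog appears. The following added example (not part of FormThief) correlates the first two steps over Sysmon Event ID 10 (ProcessAccess) records; it assumes that telemetry is collected, and the allowlist, the 10-minute window and the sample records are constructed for illustration.

```python
from datetime import datetime, timedelta
from ntpath import basename

PROCESS_TERMINATE = 0x0001  # Win32 access right needed to kill a process
PROCESS_VM_READ = 0x0010    # Win32 access right needed to read its memory
# Executables named in the table above, lower-cased for comparison.
WATCHED = {"vpnui.exe", "vpnagent.exe", "keepass.exe", "lpwinmetro.exe",
           "openvpn.exe", "outlook.exe", "olk.exe"}
# Assumption: images expected to open these processes in this environment.
ALLOWED_SOURCES = {r"c:\program files\windows defender\msmpeng.exe"}
WINDOW = timedelta(minutes=10)  # assumed correlation window
FMT = "%Y-%m-%d %H:%M:%S.%f"    # fixed-width UtcTime layout, sorts as text

def find_read_then_kill(events):
    """Return (source, target, read_time, kill_time) for read-then-terminate pairs."""
    reads = {}  # (source, target) -> time of the latest VM_READ open
    hits = []
    for ev in sorted(events, key=lambda e: e["UtcTime"]):
        src = ev["SourceImage"].lower()
        tgt = basename(ev["TargetImage"]).lower()
        if tgt not in WATCHED or src in ALLOWED_SOURCES:
            continue
        when = datetime.strptime(ev["UtcTime"], FMT)
        access = int(ev["GrantedAccess"], 16)
        key = (src, tgt)
        if access & PROCESS_TERMINATE and when - reads.get(key, datetime.min) <= WINDOW:
            hits.append((src, tgt, reads.pop(key), when))
        elif access & PROCESS_VM_READ:
            reads[key] = when
    return hits

def ev_record(time, source, target, access):
    return {"UtcTime": time, "SourceImage": source,
            "TargetImage": target, "GrantedAccess": access}

# Constructed sample records (paths and times are made up for the example).
SAMPLE = [
    ev_record("2024-05-01 09:00:00.000", r"C:\Program Files\Windows Defender\MsMpEng.exe",
              r"C:\Apps\KeePass.exe", "0x1410"),
    ev_record("2024-05-01 09:14:02.120", r"C:\Users\alice\AppData\Local\Temp\helper.exe",
              r"C:\Apps\vpnui.exe", "0x0410"),
    ev_record("2024-05-01 09:15:40.500", r"C:\Users\alice\AppData\Local\Temp\helper.exe",
              r"C:\Apps\vpnui.exe", "0x0001"),
    ev_record("2024-05-01 09:30:00.000", r"C:\Windows\System32\Taskmgr.exe",
              r"C:\Apps\OUTLOOK.exe", "0x0001"),
]

if __name__ == "__main__":
    print(find_read_then_kill(SAMPLE))
```

A terminate with no earlier memory read from the same source, such as the Task Manager record, is deliberately not reported, which keeps ordinary user-initiated closes out of the results.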

Functionality within the included applications is fairly modular so it can be easily copied/pasted when creating new forms. Several items in proctools, which were created whilst working on this project, may also come in handy.

Install & Use