Extracting clear-text passwords from VeraCrypt.exe using API Hooking

Overview

VeraCryptThief

VeraCryptThief by itself is a standalone DLL that, when injected into the VeraCrypt.exe process, performs API hooking via Detours, extracts the clear-text credentials and saves them to a file.

An injector program uses the sRDI technique to turn the DLL into reflective shellcode and injects it into the target process with the help of the DInvoke API.

DISCLAIMER. All information contained in this repository is provided for educational and research purposes only. The author is not responsible for any illegal use of this tool.

Demo

demo

Credits

  • SEKTOR7 Institute (@SEKTOR7net) for the RED TEAM Operator: Malware Development Intermediate Course.
  • @0x09AL for his RdpThief.
  • @monoxgas for his sRDI.
  • @TheWover and @FuzzySecurity for their DInvoke.
Owner
snovvcrash
[C]RTO|OS{C,E}P|CEH(P)|CWAPT :: Pentester / Red Teamer :: HTB player