Extracting clear-text passwords from VeraCrypt.exe using API Hooking

Overview

VeraCryptThief

VeraCryptThief by itself is a standalone DLL that when injected in the VeraCrypt.exe process, will perform API hooking via Detours, extract the clear-text credentials and save them to a file.

An injector program makes use of sRDI technique to generate a reflective DLL shellcode and inject it into the target process with the help of DInvoke API.

DISCLAIMER. All information contained in this repository is provided for educational and research purposes only. The author is not responsible for any illegal use of this tool.

Demo

demo

Credits

  • SEKTOR7 Institute (@SEKTOR7net) for the RED TEAM Operator: Malware Development Intermediate Course.
  • @0x09AL for his RdpThief.
  • @monoxgas for his sRDI.
  • @TheWover and @FuzzySecurity for their DInvoke.
You might also like...
Typewriter Effect with Rich Text + *Correct* Text Wrapping
Typewriter Effect with Rich Text + *Correct* Text Wrapping

Typewriter Effect with Rich Text + Correct Text Wrapping I've spent way too long getting this right. This is meant as a base class for a UMG dialogue

Text - A spicy text library for C++ that has the explicit goal of enabling the entire ecosystem to share in proper forward progress towards a bright Unicode future.

ztd.text Because if text works well in two of the most popular systems programming languages, the entire world over can start to benefit properly. Thi

Inject dll to explorer.exe and hide file from process.

Hide-FS Inject dll to explorer.exe and hide file from process. Requierments: Microsoft Detours Library - https://github.com/microsoft/Detours Compile:

Assembly HellGate implementation that directly calls Windows System Calls and displays the PPID of the explorer.exe process
Assembly HellGate implementation that directly calls Windows System Calls and displays the PPID of the explorer.exe process

Custom HellsGate Implementation Assembly HellGate implementation that directly calls Windows System Calls and displays the PPID of the explorer.exe pr

A port of the FNF Sonic.EXE mod to PS1. (Sunky and Multiplayer Update)

PSXFunkin VS Sonic.EXE on the PS1 ooga booga hes gonna getcha Compilation Refer to COMPILE.md here Disclaimer This project is not endorsed by the orig

Protect files under a specific folder from deleting or moving by explorer.exe.
Protect files under a specific folder from deleting or moving by explorer.exe.

Explorer-Delete-Protection Protect files under a specific folder from deleting or moving by explorer.exe. Requierments: Microsoft Detours Library - ht

Inject dll to cmd.exe to prevent file execution.

Console-Process-Execution Inject dll to cmd.exe to prevent file execution. Requierments: Microsoft Detours Library - https://github.com/microsoft/Deto

idf.py.exe, wrapper tool to invoke idf.py on Windows

IDF wrapper tool (idf.py.exe) This tools helps invoke idf.py in Windows CMD shell. In Windows CMD shell, python scripts can be executed directly (by t

A rewrite of the old legacy software
A rewrite of the old legacy software "depends.exe" in C# for Windows devs to troubleshoot dll load dependencies issues.

Dependencies - An open-source modern Dependency Walker Download here (If you're running an AV, use this download instead) NB : due to limitations on /

Owner
snovvcrash
[C]RTO|OS{C,E}P|CEH(P)|CWAPT :: Pentester / Red Teamer :: HTB player
snovvcrash
A Windows API hooking library

Mhook - a Windows API hooking library Introduction How to use License Version history Acknowledgements Introduction This library was created as a free

Apriorit Inc. 166 Oct 31, 2022
A bright opening, a clear sight, a clean slate.

Skylight A bright opening, a clean window. Etymology According to dictionary.com, a "skylight" is: an opening in a roof or ceiling, fitted with glass,

null 51 Nov 21, 2022
Create a working USB CDC class starting from the clear template provided by ST

STM32F3 USB Classes from template The goal of this project is to provide a decent collection of guidelines for creating working USB classes to be used

Michele Perrone 0 Jul 16, 2022
EarlyBird: a poc of using the tech with syscalls on powershell.exe

EarlyBird: a poc of using the tech with syscalls on powershell.exe injecting cobalt strike shellcode to powershell.exe using EarlyBird Tech USAGE: fir

null 47 Jan 22, 2022
Stuff I've made/found for reversing/modding/extracting NieR:Replicant v1.224...

NieR:Replicant ver.1.22474487139 Tools Archive (.arc) Files Hex Signature: 28 B5 2F FD Can contain one or multiple compressed files. Files are compres

Woeful_Wolf 8 Jul 30, 2022
Generate representative samples from Pwned Passwords (HIBP)

Generate representative samples from Pwned Passwords (HIBP) This program generates representative samples from Pwned Passwords (HIBP), taking the coun

Solar Designer 11 Nov 24, 2022
A BOF to parse the imports of a provided PE-file, optionally extracting symbols on a per-dll basis.

PE Import Enumerator BOF What is this? This is a BOF to enumerate DLL files to-be-loaded by a given PE file. Depending on the number of arguments, thi

null 77 Nov 9, 2022
Generate Arista Type 7 Passwords in C

arista_type_7 Generate Arista Type 7 Passwords in C and Python A friend had the need to provision Arista Type 7 Passwords on switches. According to Ry

Kristian Koehntopp 4 Jun 9, 2022
Program that can be used for rating user passwords.

Rate_My_Password Program that can be used for rating user passwords. The criteria for rating passwords are: • Has a length of at least 8 characters •

Sabri 1 Dec 28, 2021
Ramp is a HID attack program that steals all connected WiFi passwords within 13 seconds.

Ramp Ramp is a HID attack program that steals all connected WiFi passwords within 13 seconds. Tested Windows 10 Warning Ramp has been created for the

Md. Ridwanul Islam Muntakim 21 Oct 21, 2022