Cyber security

FormThief – A Deceptive Approach To Spoofing Windows Desktop Logins

FormThief is a project designed for spoofing Windows desktop login applications using WinForms and WPF. Below is an example run for KeePass 

Windows Forms (WinForms) and Windows Presentation Foundation (WPF) are two powerful UI frameworks provided by Microsoft for building desktop applications on the Windows platform.

While they are primarily used for developing software, they also offer a unique opportunity for spoofing login functions for legitimate Windows desktop applications.

The idea behind this was to identify desktop applications used by the target organisation, tailor a malicious forms application to the specific victim, then load the spoofed login application via beacon to capture user credentials.

I’m working on several others and will keep adding to this repo. Bitwarden is nearly finished; however, I encountered limitations with WinForms when replicating Bitwarden and LastPass. I will be porting both to WPF as soon as possible.

Improvements could be made to incorporate greater application functionality, I’ve only attempted to replicate the processes necessary to capture user credentials.

If users are persistant in trying to access other areas of the application I’ve added click counters which will trigger an exit or ‘crash’ the app so the victim doesn’t become too suspicious when things aren’t working as they normally would.

Prereqs

Information on application process executables, prereqs for creating convincing dialogs, and example attack vectors:

ApplicationExecutablesPrereqsExample Attack Vector
Cisco AnyConnectvpnui.exe/vpnagent.exeprocsearch ui process for “Connected”, should show ‘Connected to xyz…’ .

An XML file located in C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\Profile\ should also contain available hostnames/gateways for the host
Identify the current connection gateway -> kill process -> pop new auth dialog with identified gateway
KeePassKeePass.exeIdentify any .kdbx files on the host (trying to dump the active .kdbx db with procsearch fails)Kill process -> pop new auth dialog with .kdbx file path
LastPasslpwinmetro.exeprocsearch LastPass process for “email” to identify active email addressKill process -> pop new auth dialog with identified email
OpenVPNopenvpn.exeprocsearch OpenVPN process for “.ovpn” to identify active profileKill process -> pop new auth dialog with target VPN profile
Windows Security (Outlook)OUTLOOK.exe/olk.exeprocsearch Outlook process for “email” to identify active email addressKill process -> pop new auth dialog with extracted email

Functionality within the included applications is fairly modular so it can be easily copy/pasted when creating new forms. Several items in proctools, which was created whilst working on this project, may also come in handy.

Usage

Clone the repo. Load the target application solution. Allow unsafe code and untick Prefer 32-bit. Build.

All applications except Windows Security (Outlook) work via inlineExecute-Assembly and bofnet_executeassembly.

I’ve inlcuded a simple C# script (wpfRunner.cs) for downloading the WPF Outlook.exe to the victim’s %TEMP% and executing directly from the host, not ideal but it works fine. Will update with a workaround.

NOTE: Only tested on Windows 10, NOT tested on Windows 11

All code confirmed working locally and via beacon at time of release. Please don’t hesitate to reach out with any issues or contributions.

Varshini

Varshini is a Cyber Security expert in Threat Analysis, Vulnerability Assessment, and Research. Passionate about staying ahead of emerging Threats and Technologies.

Recent Posts

Understanding the Model Context Protocol (MCP) and How It Works

Introduction to the Model Context Protocol (MCP) The Model Context Protocol (MCP) is an open…

1 day ago

The file Command – Quickly Identify File Contents in Linux

While file extensions in Linux are optional and often misleading, the file command helps decode what a…

1 day ago

How to Use the touch Command in Linux

The touch command is one of the quickest ways to create new empty files or update timestamps…

1 day ago

How to Search Files and Folders in Linux Using the find Command

Handling large numbers of files is routine for Linux users, and that’s where the find command shines.…

1 day ago

How to Move and Rename Files in Linux with the mv Command

Managing files and directories is foundational for Linux workflows, and the mv (“move”) command makes it easy…

1 day ago

How to Create Directories in Linux with the mkdir Command

Creating directories is one of the earliest skills you'll use on a Linux system. The mkdir (make…

1 day ago