Capturing Windows 7 Credentials at Logon Using Custom Credential Provider

By | March 22, 2012

Source: Tyler Wrightson’s Security Blog

If you are interested in how to write a key logger for Windows authentication: code is available.

In this article: “I started testing my rootkit on a Windows 7 box and luckily most of it worked. The only thing that wasn’t working was the ability to log credentials typed in when a user first logs in to Windows. I’ve had a custom GINA stub DLL that I wrote years ago and that has worked great for a while; it works with Windows 2000, XP and 2003. GINA is the Graphical Identification and Authentication component of Windows and handles the logon screen that we’re all familiar with. In the past you could choose to write your own GINA DLL from scratch, or you could simply ‘extend’ the functionality of other GINA modules by creating a GINA stub DLL.

Microsoft in their infinite wisdom decided to completely change the API and move away from GINA and the GINA model. Now, to customize the logon experience you have to implement a Credential Provider; this is true for Windows Vista and newer (7 and 2008). Microsoft claims the reasoning behind this is to make it easier for developers to meet the demands of next-generation authentication technologies (like biometrics, two-factor and single sign-on). Frankly, in a way Credential Providers are a lot easier to work with, but in another (probably more accurate) way they’re a huge pain in the ass when it comes to creating our nefarious DLL. From what I remember, creating a GINA stub DLL to log Windows credentials took me probably 3 hours. To get a credential provider to do exactly what I want took probably a good 40 hours. At this point I should probably thank my girlfriend for putting up with my obsessive programming and constant cursing.”
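The flip side of what the post describes is the defender's question: which Credential Providers does this machine actually load at logon, and do they all belong there? Because LogonUI hands the typed credentials to every registered provider, a rogue provider DLL is exactly the kind of thing worth inventorying. The script below is an added example written for this page, not code from the original post or from Tyler Wrightson. It walks the registry key where providers are registered, resolves each CLSID to its DLL through the COM `InprocServer32` entry, and flags anything that is unsigned, not signed by Microsoft, or loaded from outside `System32`. The function and variable names, and the "needing review" heuristic, are this example's own choices.

```powershell
# Added example (not from the original post): inventory the Credential Providers
# registered on the local machine and flag ones that deserve a closer look.
# Assumption: standard registration locations (provider list and COM CLSID map).
$cpKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers'

function Get-RegisteredCredentialProviders {
    # Each subkey is a provider CLSID; its default value is the friendly name.
    Get-ChildItem -Path $cpKey | ForEach-Object {
        $clsid = $_.PSChildName
        $name  = (Get-ItemProperty -Path $_.PSPath).'(default)'

        # Resolve the CLSID to the DLL that LogonUI will load in-process.
        $inproc = "HKLM:\SOFTWARE\Classes\CLSID\$clsid\InprocServer32"
        $dll = $null
        if (Test-Path $inproc) {
            $raw = (Get-ItemProperty -Path $inproc).'(default)'
            if ($raw) { $dll = [Environment]::ExpandEnvironmentVariables($raw) }
        }

        # Check the Authenticode signature of the resolved file, if it exists.
        $sig = $null
        if ($dll -and (Test-Path $dll)) {
            $sig = Get-AuthenticodeSignature -FilePath $dll
        }

        [pscustomobject]@{
            CLSID      = $clsid
            Name       = $name
            Dll        = $dll
            Signer     = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(none)' }
            SigStatus  = if ($sig) { $sig.Status.ToString() } else { 'FileMissing' }
            InSystem32 = if ($dll) { $dll -like "$env:SystemRoot\System32\*" } else { $false }
        }
    }
}

function Get-SuspectCredentialProviders {
    param([Parameter(Mandatory)] $Providers)
    # Heuristic (this example's own): anything not validly signed by Microsoft,
    # or not living in System32, gets surfaced for a human to review.
    $Providers | Where-Object {
        $_.SigStatus -ne 'Valid' -or -not $_.InSystem32 -or $_.Signer -notmatch 'Microsoft'
    }
}

$providers = Get-RegisteredCredentialProviders
$providers | Format-Table CLSID, Name, Dll, SigStatus, InSystem32 -AutoSize

$suspect = Get-SuspectCredentialProviders -Providers $providers
if ($suspect) {
    Write-Warning 'Credential providers needing review:'
    $suspect | Format-Table CLSID, Name, Dll, Signer, SigStatus -AutoSize
}
```

Treat the output as a triage list rather than a verdict: legitimate third-party providers (VPN clients, smart-card or fingerprint vendors) will show up here and are expected, and some in-box Windows DLLs are catalog-signed rather than carrying an embedded signature, so a `NotSigned` status on a `System32` file should be confirmed with a catalog-aware tool such as Sigcheck before drawing conclusions. The useful signal is a provider you cannot account for, especially one outside `System32` with no signer.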
