July 2000

Ginastub.dll - 1.0 - by txGreg
"A WinLogon password grabber"

Some Stats:
Size  :  3,584 Bytes
MD5   :  07F5ED4A418790A773F76DCBBA2FDDE3
CRC-32:  18985C78
SHA-1 :  AAE4D45A8A97508BBCD51D897D374E075780D620


////////////////////////////////////////////////////////////////////////////////
///////// STANDARD WARNING /////////////////////////////////////////////////////
////////////////////////////////////////////////////////////////////////////////
THE TOOL IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND, WHETHER EXPRESS OR
IMPLIED, WITHOUT LIMITATION. YOU ASSUME ALL RISK IN USING THIS TOOL.
IN NO EVENT WILL I BE LIABLE FOR INDIRECT, INCIDENTAL OR CONSEQUENTIAL DAMAGES,
INCLUDING, WITHOUT LIMITATION, LOSS OF INCOME, LOSS OF USE, OR
LOSS OF INFORMATION. IN NO EVENT WILL I BE LIABLE FOR ANY DAMAGES.
////////////////////////////////////////////////////////////////////////////////
///////// SINCERE ADVICE  //////////////////////////////////////////////////////
////////////////////////////////////////////////////////////////////////////////
DON'T BE AN IDIOT.
////////////////////////////////////////////////////////////////////////////////



///////  Table of Contents /////////////////////////////////////////////////////
1)  Abstract
2)  Usage
3)  Notes
4)  Contact me
////////////////////////////////////////////////////////////////////////////////


//////// Abstract   ////////////////////////////////////////////////////////////

If you've been searching for a keystroke logger for WinNT, you've probably found
some really feature-rich tools out there, but most will mention that they can't
"capture the password entered at the logon screen".  Like me, you may have become
frustrated.

The issue has to do with WinLogon.  There are apparently 3 components of WinLogon:

1)  WinLogon.Exe - handles interface functions that are independent of authentication policy.
2)  Graphical Identification and Authentication (GINA) - handles authentication
3)  Network Providers - available to perform secondary authentication

The bad news is:  this doesn't make WinLogon keystroke capture any easier.

The good news is:  GINA receives critical information in clear-text for network 
providers!

My answer was to create a "GINA stub", which piggy-backs the NT GINA, and traps 
EVERY user's password when they log in.  This may sound similar to those 
password-grabbing trojans for FPNWCLNT.DLL, but they only grab a password when 
it's changed.  (Some admins choose for the password to never "expire"... who knows why.)

//////// Usage      ////////////////////////////////////////////////////////////

(1)
The file, ginastub.dll, should be placed in the %systemroot%\system32 directory.

(2)
The following registry entry is needed:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

Value Name: GinaDLL
Data Type : REG_SZ
Value     : ginastub.dll

(3)
Reboot.

(4)
Information is stored in C:\WIN386.SW~

I know, not very creative.

Stored As:

User:Password:Domain
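
Checking a host for the GinaDLL change described in step (2), as an added example that is not part of the original tool or README: the Python sketch below reads a registry export, flags any GINA other than the stock msgina.dll, and compares a file's bytes with the MD5 and SHA-1 listed under "Some Stats". The function names are hypothetical and the sample export is constructed.

```python
import hashlib
import re

# Values taken from the README above.
WINLOGON_KEY = r"hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon"
README_MD5 = "07f5ed4a418790a773f76dcbba2fdde3"
README_SHA1 = "aae4d45a8a97508bbcd51d897d374e075780d620"
DEFAULT_GINA = "msgina.dll"  # stock Microsoft GINA, loaded when GinaDLL is unset

def gina_from_reg_export(text):
    """Return the GinaDLL data under the Winlogon key, or None if the value is absent."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
        elif key == WINLOGON_KEY:
            m = re.match(r'"([^"]+)"="(.*)"$', line)
            if m and m.group(1).lower() == "ginadll":
                return m.group(2).replace("\\\\", "\\")  # .reg files double backslashes
    return None

def assess_gina(value):
    """Classify a GinaDLL value: 'default' or 'review' (any replacement GINA)."""
    if value is None or value.strip().lower() == DEFAULT_GINA:
        return "default"
    # Third-party GINAs were legitimate too, so this is a lead, not a verdict.
    return "review"

def matches_hashes(data, md5=README_MD5, sha1=README_SHA1):
    """True if the file bytes match both hashes (defaults: the README's values)."""
    return (hashlib.md5(data).hexdigest() == md5.lower()
            and hashlib.sha1(data).hexdigest() == sha1.lower())

# Constructed sample export, not taken from a real host.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe"
"GinaDLL"="ginastub.dll"
'''

if __name__ == "__main__":
    value = gina_from_reg_export(SAMPLE_EXPORT)
    print("GinaDLL =", value, "->", assess_gina(value))
```

A "review" result means the DLL named in GinaDLL should be pulled from %systemroot%\system32 and hashed; the presence of C:\WIN386.SW~ is a second indicator taken from step (4).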


//////// Notes      ////////////////////////////////////////////////////////////

--I've tested this only on my machine, running Win 2000.  However, I've made sure
to use code that is supposedly compatible with NT 4.0.

--I've only tested logging in as the administrator.  (which I've renamed)

--The DLL was compressed for ultra-portability.

--Yes, I want to improve this.  I'm thinking of encryption, or storing the
passwords in a public part of the registry, or other output variations.

--Yes, I will release the source code.  But I'm not comfortable with it right now.
I need to get in touch with myself, and consult the oracle...  ;)  


//////// Contact Me ////////////////////////////////////////////////////////////

I want you to contact me.  I want suggestions for improving the concept.
You can e-mail me to say anything else, like a "that's cool" or a "you suck", 
just MAKE SURE YOU HAVE A SUGGESTION IN THE INTEREST OF IMPROVING THE TOOL!

mailto://txgreg@techie.com

Peace out to the best circus.

-  TXGREG

