Awesome
SharpRDPThief
SharpRDPThief is a C# implementation of RDPThief. It uses EasyHook to inject a DLL into mstsc.exe, which will then hook the CryptProtectMemory api call. The hook will grab the password from the address passed to CryptProtectMemory and then send it to the main process through EasyHook's IPC server.
Currently this is only a proof of concept implementation and requires RDPHook.dll to be in the same directory as SharpRDPThief.exe. The immediate plan is to allow for completely in memory execution, for use with tools like Cobalt Strike's execute-assembly.
You can read more about the original research from @0x09AL here: https://www.mdsec.co.uk/2019/11/rdpthief-extracting-clear-text-credentials-from-remote-desktop-clients/
TODO
Completely in-memory execution
Better parsing of memory for username/password
[Done] Search for mstsc.exe processes and inject into them automatically.
References
RDPThief: https://github.com/0x09AL/RdpThief
EasyHook FileMonitor: https://github.com/EasyHook/EasyHook-Tutorials/tree/master/Managed/RemoteFileMonitor
EasyHook remote process hook tutorial: https://easyhook.github.io/tutorials/remotefilemonitor.html