PSBits/PasswordStealing/NPPSpy at master · gtworek/PSBits
By gtworek
Archived: 2026-04-06 03:32:49 UTC
Simple (but fully working) code for NPLogonNotify() . The function obtains logon data, including cleartext
password.
The DLL is detected by AV engines as a "potentially unwanted software" for obvious reason.
You have been warned. And if you want to run it anyway, you can re-compile it (instructions below) after
introducing some changes in the source code, or just add an AV exclusion.
Installation:
1. Copy NPPSpy.dll to the System32 folder
2. Add "NPPSpy" at the end of the "ProviderOrder" in
HKLM\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order
3. Create HKLM\SYSTEM\CurrentControlSet\Services\NPPSpy\NetworkProvider and set following values:
"Class" = [REG_DWORD]2
"ProviderPath" = [REG_EXPAND_SZ]"%SystemRoot%\System32\NPPSPY.dll"
"Name" = [REG_SZ]"NPPSpy"
OR
Use the ConfigureRegistrySettings.ps1 script (by @LadhaAleem)
Re-logon is required, reboot is not required.
Build it at home
1. From the Start Menu run Visual Studio 2019 -> x64 Native Tools Command Prompt for VS 2019
2. Browse to the folder with your NPPSpy.c
3. Run cl.exe /LD NPPSpy.c
Documentation:
The idea is somewhat documented at https://docs.microsoft.com/en-us/windows/win32/api/npapi/nf-npapi-nplogonnotify
Video
I did my best to explain the flow on a short video: https://youtu.be/ggY3srD9dYs
https://github.com/gtworek/PSBits/tree/master/PasswordStealing/NPPSpy
Page 1 of 2

Source: https://github.com/gtworek/PSBits/tree/master/PasswordStealing/NPPSpy
https://github.com/gtworek/PSBits/tree/master/PasswordStealing/NPPSpy
Page 2 of 2