{
	"id": "d118c70a-6d3b-4b6e-b2ae-9fe863bb5634",
	"created_at": "2026-04-06T01:30:58.981111Z",
	"updated_at": "2026-04-10T03:21:53.752912Z",
	"deleted_at": null,
	"sha1_hash": "8e0c992c318bb45b2f4c3db1704a0438c86364b4",
	"title": "Intercepting Password Changes With Function Hooking",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 78098,
	"plain_text": "Intercepting Password Changes With Function Hooking\r\nPublished: 2013-09-15 · Archived: 2026-04-06 01:21:14 UTC\r\nLast week, Mubix published a malicious Windows password filter DLL (http://carnal0wnage.attackresearch.com/2013/09/stealing-passwords-every-time-they.html). The idea is simple: by installing this password filter, he can intercept the clear text credential whenever a user changes their password.\r\nThere are two caveats with installing this password filter:\r\n1. You must restart the computer for it to take effect\r\n2. It will show up as an autorun and a loaded DLL in lsass.exe, which may be noticed\r\nI’ve been playing around with function hooks lately and thought this would be a great demonstration of their usefulness. The idea is that you hook the PasswordChangeNotify function in the default Windows password filter (rassfm.dll). Any time PasswordChangeNotify is called, it will be rerouted to my malicious PasswordChangeNotify function, which will write the password to disk and return execution back to the original PasswordChangeNotify function.\r\nTo do this, I will write the function hooking code in a DLL and reflectively inject the DLL into lsass.exe using Invoke-ReflectivePEInjection. The benefit to this approach is that no binaries are written to disk, no suspicious DLLs are loaded in lsass, no registry changes are made, and no reboot is required.\r\nSince I know not everybody is familiar with writing a function hook, I’ll explain the code (which can be found here: https://github.com/clymb3r/Misc-Windows-Hacking/tree/master/HookPasswordChange):\r\nInvoke-ReflectivePEInjection is used to inject the malicious hooking DLL into lsass.\r\n.\\Invoke-ReflectivePEInjection -PEPath .\\HookPasswordChange.dll -ProcName lsass\r\nInvoke-ReflectivePEInjection calls the function VoidFunc in the reflectively loaded DLL, which installs the function hook. The function hook overwrites the first 12 bytes of PasswordChangeNotify with instructions to jump to another location.\r\nThe hook also allocates some RWX memory that holds byte code that returns execution flow to rassfm!PasswordChangeNotify (more on this later).\r\nRassfm!PasswordChangeNotify is called; it immediately executes the following assembly, which diverts execution to my malicious PasswordChangeNotifyHook function.\r\nDisassembly of PasswordChangeNotify after being hooked. The instructions after jmp rax disassemble incorrectly after hooking, but all the code after the hook is intact.\r\nPasswordChangeNotifyHook is a function written in C++, and it takes the same parameters as the rassfm!PasswordChangeNotify function. This function takes the username and password and writes them to disk (or does something else that you program, such as sending the output to a web site).\r\nNow it is time to return execution flow back to the real PasswordChangeNotify.\r\nPasswordChangeNotifyHook casts the memory address of the RWX memory allocated earlier to a function pointer with the same signature as rassfm!PasswordChangeNotify and calls this function pointer.\r\nThe RWX memory contains the first 3 instructions (15 bytes worth of byte code) that we overwrote in rassfm!PasswordChangeNotify. Now that those instructions have been executed, load the memory address of PasswordChangeNotify+0xf into EAX and jump to it. Execution flow has now been successfully returned to rassfm!PasswordChangeNotify.\r\nDisassembly of the RWX memory I allocate, which ends up returning execution to PasswordChangeNotify.\r\nOriginally I wanted to write inline asm in the PasswordChangeNotifyHook function to return control flow to rassfm!PasswordChangeNotify, but unfortunately Visual Studio doesn’t support inline asm for x64 or Itanium, only x86. This is why I had to allocate RWX memory to put the byte code in and trigger it by calling a function pointer.\r\nNote that this is a proof of concept. I have tested it on Windows Server 2012 but it should work on 2008R2 as well. The code can be found at: https://github.com/clymb3r/Misc-Windows-Hacking/tree/master/HookPasswordChange.\r\nThe Invoke-ReflectivePEInjection script which is used to load the hook DLL can be found at: https://github.com/clymb3r/PowerShell/tree/master/Invoke-ReflectivePEInjection.\r\nSource: https://clymb3r.wordpress.com/2013/09/15/intercepting-password-changes-with-function-hooking/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://clymb3r.wordpress.com/2013/09/15/intercepting-password-changes-with-function-hooking/"
	],
	"report_names": [
		"intercepting-password-changes-with-function-hooking"
	],
	"threat_actors": [],
	"ts_created_at": 1775439058,
	"ts_updated_at": 1775791313,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/8e0c992c318bb45b2f4c3db1704a0438c86364b4.pdf",
		"text": "https://archive.orkl.eu/8e0c992c318bb45b2f4c3db1704a0438c86364b4.txt",
		"img": "https://archive.orkl.eu/8e0c992c318bb45b2f4c3db1704a0438c86364b4.jpg"
	}
}