GitHub

#Form Grabber

Form grabber is a method of capturing web form data. This project is the result of a school research project and a proof of concept.

It should not be used for malicious purposes !

Happy learning.

Blog

Install and open the latest stable Firefox web browser.
Install and run Fiddler 2: http://www.fiddler2.com/fiddler2/
[OPTIONAL] download and run an echo server: http://bansky.net/echotool/. Run: echotool.exe localhost /p tcp /s 80
Create a new Visual Studio 2010 Project from source src/main.c.
Build and run the executable in RELEASE mode.
In Firefox, go to gmail.com. Verify you are in HTTPS mode.
Fill the login form (mail and password).
Click on the Log in button.
In Fiddler, textView mode, you should now see at least two requests. One encrypted to accounts.google.com. The other one unencrypted to localhost/postDemo.php. Inside the the POST data you'll find your email and password Email=myGmailMail@gmail.com&Passwd=guessMe&
[OPTIONAL] the echotool will print the content of the unencrypted POST.

The form grabber is hidden on a corrupted and malicious PDF file.
The user opens the PDF file on a windows machine.
His machine gets infected : Hidden code on the PDF file is exectued..
The malicious code injects some code on the firefox process by using the well known CreateRemoteThread & WriteProcessMemory technique. See [this page] (http://www.codeproject.com/Articles/4610/Three-Ways-to-Inject-Your-Code-into-Another-Proces#section_3) for more info about this technique

a. It injects a "POST parser" on the firefox's PR_Write method. This parser detects when a HTTP POST command is sent and grabs login and passwords.

b. It sends the information to a remote server

This proof of concept offers some similar functionnalities to those offered by the zeus trojan : http://www.secureworks.com/research/threats/zeus/

Name		Name	Last commit message	Last commit date
Latest commit History 18 Commits
src		src
README.md		README.md