Screen Recorder: windows/post/gather/screen_spy
The Metasploit screen_spy module records the user's screen by repeatedly taking screenshots of the user's desktop.
Screenshots are taken using the following Windows API functions:
// get handles to the interactive desktop and its top-level window
OpenInputDesktop
GetThreadDesktop
SetThreadDesktop
GetDesktopWindow
// get a device context (the GDI drawing handle) for the desktop
GetDC
// create a bitmap compatible with that device context to hold the captured desktop image
CreateCompatibleBitmap
Screenshots do not appear to be written to disk; instead, they are held in a memory buffer and sent to the attack platform over the Meterpreter C2 channel.
This module closely emulates the screen-recording implementation seen in Carbanak-malware source code.
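The API sequence above is also a detection opportunity: a single process that walks through desktop acquisition, GetDC and CreateCompatibleBitmap over and over is behaving like a screen recorder rather than an application drawing its own window. The following is an added example (not code from the page, from Metasploit or from the Carbanak source) that matches that ordered sequence per process over a constructed API-trace and raises an alert only when the sequence repeats. The trace format (timestamp, pid, image, api), the 2-second window, the repeat threshold and the allowlist are all assumptions to tune for a real environment.

```python
"""
Added example (not from the page or from Metasploit): flag a process that
repeatedly issues the screen-capture API sequence the page lists for
screen_spy. Input is a constructed API trace of (timestamp_s, pid, image, api)
records, the shape a hypothetical user-mode API monitor might emit.
"""
from typing import Dict, List, Tuple

Record = Tuple[float, int, str, str]  # (timestamp_s, pid, image, api)

# Ordered call sequence the page attributes to screen_spy; order matters.
CAPTURE_SEQUENCE = [
    "OpenInputDesktop", "GetThreadDesktop", "SetThreadDesktop",
    "GetDesktopWindow", "GetDC", "CreateCompatibleBitmap",
]
WINDOW_SECONDS = 2.0              # assumption: one capture completes within 2 s
MIN_CAPTURES = 2                  # assumption: a recorder repeats; one shot is noise
ALLOWLIST = {"snippingtool.exe"}  # assumption: sanctioned capture tools, tune per site


def find_capture_sequences(trace: List[Record], window: float = WINDOW_SECONDS) -> List[dict]:
    """Return one hit per completed, in-order capture sequence, tracked per pid."""
    hits: List[dict] = []
    state: Dict[int, Tuple[int, float]] = {}  # pid -> (next expected step, start ts)
    for ts, pid, image, api in sorted(trace):
        idx, start = state.get(pid, (0, 0.0))
        if idx > 0 and ts - start > window:
            idx, start = 0, 0.0            # stale partial match: discard it
        if api == CAPTURE_SEQUENCE[0]:
            idx, start = 1, ts             # (re)start on the first step
        elif idx > 0 and api == CAPTURE_SEQUENCE[idx]:
            idx += 1
            if idx == len(CAPTURE_SEQUENCE):
                hits.append({"pid": pid, "image": image, "start": start, "end": ts})
                idx, start = 0, 0.0
        # unrelated calls between steps are ignored: real code interleaves them
        state[pid] = (idx, start)
    return hits


def summarize(hits: List[dict]) -> List[dict]:
    """Collapse hits into one row per (pid, image) with a capture count."""
    rows: Dict[Tuple[int, str], dict] = {}
    for h in hits:
        row = rows.setdefault((h["pid"], h["image"]), {
            "pid": h["pid"], "image": h["image"], "captures": 0,
            "first": h["start"], "last": h["end"]})
        row["captures"] += 1
        row["first"] = min(row["first"], h["start"])
        row["last"] = max(row["last"], h["end"])
    return list(rows.values())


def alerts(trace: List[Record], min_captures: int = MIN_CAPTURES,
           allowlist=ALLOWLIST) -> List[dict]:
    """Processes that completed the sequence repeatedly and are not sanctioned."""
    return [r for r in summarize(find_capture_sequences(trace))
            if r["captures"] >= min_captures and r["image"].lower() not in allowlist]


def _seq(t0: float, pid: int, image: str, step: float = 0.01) -> List[Record]:
    """Build one full capture sequence starting at t0 (constructed data helper)."""
    return [(t0 + i * step, pid, image, api) for i, api in enumerate(CAPTURE_SEQUENCE)]


# Constructed sample trace: process names and pids are made up for the example.
SAMPLE_TRACE: List[Record] = (
    _seq(0.00, 4120, "update.exe")                       # capture 1
    + [(0.50, 2200, "explorer.exe", "GetDC"),            # ordinary drawing,
       (0.51, 2200, "explorer.exe", "CreateCompatibleBitmap")]  # no desktop switch
    + _seq(5.00, 4120, "update.exe")                     # capture 2: same process repeats
    + _seq(9.00, 3100, "SnippingTool.exe")               # sanctioned tool, allowlisted
    + _seq(9.50, 3100, "SnippingTool.exe")
    + [(12.0 + i * 3.0, 7000, "update.exe", api)         # steps too far apart: stale
       for i, api in enumerate(CAPTURE_SEQUENCE)]
)

if __name__ == "__main__":
    for row in alerts(SAMPLE_TRACE):
        print(f"pid {row['pid']} ({row['image']}): {row['captures']} captures "
              f"between t={row['first']:.2f}s and t={row['last']:.2f}s")
```

The matcher tolerates unrelated calls between steps but requires the page's order and a complete run inside the window, so explorer.exe drawing with GetDC alone does not fire; the repeat threshold separates a recorder from a one-off screenshot, and the allowlist handles sanctioned tools.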
References
Meterpreter Keylogger
This step is intended to emulate FIN7's use of the RDFSNIFFER malware.
We inject the Meterpreter keylogger into the process memory of mstsc.exe, the RDP client.
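Injecting into mstsc.exe means a foreign process creates a thread inside the RDP client, which is exactly what Sysmon Event ID 8 (CreateRemoteThread) records. The following is an added example (not code from the page or from Metasploit) that parses constructed Event ID 8 records and flags remote threads whose target is mstsc.exe, rating them higher when the thread start address is not backed by a loaded module. The flat key=value record format is a constructed simplification of Sysmon's XML, and the source allowlist and the "-" rendering of an unbacked StartModule are assumptions.

```python
"""
Added example (not from the page or from Metasploit): flag remote thread
creation into mstsc.exe, the RDP client the emulation injects the keylogger
into, from constructed Sysmon Event ID 8 (CreateRemoteThread) records.
"""
import re
from typing import Dict, Iterable, List

# Constructed sample events in a flat key=value rendering; real Sysmon logs are
# XML, carry more fields, and paths may contain spaces (not handled here).
SAMPLE_EVENTS = r"""
EventID=8 SourceImage=C:\Users\alice\AppData\Local\Temp\update.exe SourceProcessId=4120 TargetImage=C:\Windows\System32\mstsc.exe TargetProcessId=5232 StartAddress=0x00000217A2C10000 StartModule=- StartFunction=-
EventID=8 SourceImage=C:\Windows\System32\csrss.exe SourceProcessId=612 TargetImage=C:\Windows\System32\mstsc.exe TargetProcessId=5232 StartAddress=0x00007FFB8A3A1230 StartModule=C:\Windows\System32\ntdll.dll StartFunction=RtlUserThreadStart
EventID=8 SourceImage=C:\Windows\System32\svchost.exe SourceProcessId=1200 TargetImage=C:\Windows\explorer.exe TargetProcessId=2200 StartAddress=0x00007FFB8A3A1230 StartModule=C:\Windows\System32\ntdll.dll StartFunction=RtlUserThreadStart
EventID=1 Image=C:\Windows\System32\mstsc.exe ProcessId=5232 ParentImage=C:\Windows\explorer.exe
"""

TOKEN = re.compile(r"(\w+)=(\S+)")

# assumption: sources that legitimately start threads in other processes here
SOURCE_ALLOWLIST = {"csrss.exe"}
# assumption: an unbacked start address is rendered as "-" in StartModule
UNBACKED = "-"


def parse_event(line: str) -> Dict[str, str]:
    """One key=value record -> dict (values contain no spaces in this format)."""
    return dict(TOKEN.findall(line))


def parse_events(text: str) -> List[Dict[str, str]]:
    return [parse_event(ln) for ln in text.strip().splitlines() if ln.strip()]


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path, for comparisons."""
    return path.rsplit("\\", 1)[-1].lower()


def flag_rdp_client_injection(events: Iterable[Dict[str, str]],
                              targets=("mstsc.exe",),
                              allowlist=SOURCE_ALLOWLIST) -> List[dict]:
    """Remote threads into an RDP client from a source that is not sanctioned."""
    findings = []
    for ev in events:
        if ev.get("EventID") != "8":
            continue                                   # only CreateRemoteThread
        if basename(ev.get("TargetImage", "")) not in targets:
            continue
        src = basename(ev.get("SourceImage", ""))
        if src in allowlist:
            continue
        # a start address outside any loaded module points at injected code
        unbacked = ev.get("StartModule", UNBACKED) == UNBACKED
        findings.append({
            "source": src,
            "source_pid": int(ev["SourceProcessId"]),
            "target": basename(ev["TargetImage"]),
            "target_pid": int(ev["TargetProcessId"]),
            "start_address": ev.get("StartAddress"),
            "severity": "high" if unbacked else "medium",
        })
    return findings


if __name__ == "__main__":
    for f in flag_rdp_client_injection(parse_events(SAMPLE_EVENTS)):
        print(f"[{f['severity']}] {f['source']} (pid {f['source_pid']}) created a thread "
              f"in {f['target']} (pid {f['target_pid']}) at {f['start_address']}")
```

Only the first record survives: the thread comes from a user-writable Temp path, lands in mstsc.exe and starts at an address with no backing module. The csrss.exe record is dropped by the allowlist, the svchost.exe record targets explorer.exe rather than the RDP client, and the Event ID 1 record is ignored.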