Add clipboard module for DLL clipboard capture
Description
NetExec clipboard logger module
Usage
nxc smb <ip> -u <user> -p <password> -M clipboard -o BINARY=<binary> DLL=<dll> TIME=<seconds>
Example
nxc smb x -u x -p x -M clipboard -o BINARY=resources/dfuse.exe DLL=resources/dllwin1.dll TIME=30
[!NOTE] Will delete all notepad processes.
Type of change
Insert an "x" inside the brackets for relevant items (do not delete options)
- [ ] Bug fix (non-breaking change which fixes an issue)
- [x] New feature (non-breaking change which adds functionality)
- [ ] Breaking change (fix or feature that would cause existing functionality to not work as expected)
- [ ] Deprecation of feature or functionality
- [ ] This change requires a documentation update
- [ ] This requires a third party update (such as Impacket, Dploot, lsassy, etc)
Setup guide for the review
- Need to have the required files: dfuse.exe, which is an injector, and dllwin2.dll, which is the injected DLL.
- The tool closes all existing notepad processes on the target. Attention!
Screenshots (if appropriate):
Checklist:
Insert an "x" inside the brackets for completed and relevant items (do not delete options)
- [ ] I have run Ruff against my changes (via poetry: `poetry run python -m ruff check . --preview`, use `--fix` to automatically fix what it can)
- [ ] I have added or updated the `tests/e2e_commands.txt` file if necessary (new modules or features are required to be added to the e2e tests)
- [ ] New and existing e2e tests pass locally with my changes
- [ ] If reliant on changes of third party dependencies, such as Impacket, dploot, lsassy, etc, I have linked the relevant PRs in those projects
- [x] I have performed a self-review of my own code
- [x] I have commented my code, particularly in hard-to-understand areas
- [ ] I have made corresponding changes to the documentation (PR here: https://github.com/Pennyw0rth/NetExec-Wiki)
Thanks for the PR!
A few questions:
- So we upload a binary and a dll right? Why both and not just only a binary?
- Why do we need to kill notepad?
- I guess this binary/dll is pretty standard most of the time? If so we should probably just provide a default one
> Thanks for the PR!
> A few questions:
> - So we upload a binary and a dll right? Why both and not just only a binary?
> - Why do we need to kill notepad?
> - I guess this binary/dll is pretty standard most of the time? If so we should probably just provide a default one

- We upload a DLL and a binary because this bypasses Defender and ESET, and I need an interactive session; that's why it's injected into notepad.
- The executable launches a notepad instance to inject into. We need to kill this launched notepad process, but as I don't know how to determine the PID, I need to kill all of them.
- Yes, it's the same each time. I can provide a default, but this will take huge space in NetExec if we create a resources folder.
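A detection sketch for the behaviour described in this reply, added here as an example and not part of the PR or of NetExec: it correlates a notepad.exe spawned by an unusual parent, a remote thread created in that same process, and the notepad terminations that follow. The events are constructed Sysmon-style records (IDs 1, 8 and 5), and it is an assumption that the injection surfaces as a CreateRemoteThread event, since the thread does not say which technique the injector uses; the injector path, hosts and PIDs are placeholders.

```python
from datetime import datetime, timedelta

NOTEPAD = r"c:\windows\system32\notepad.exe"
USUAL_PARENTS = {r"c:\windows\explorer.exe"}  # assumption: tune per environment
INJ = r"C:\Windows\Temp\injector-placeholder.exe"  # constructed placeholder path

# Constructed events: (host, Sysmon event id, time, fields).
# 1 = process create, 8 = CreateRemoteThread, 5 = process terminated.
SAMPLE = [
    ("WS01", 1, "10:00:00", {"image": NOTEPAD, "pid": 4100, "parent": r"C:\Windows\explorer.exe"}),
    ("WS01", 1, "10:05:00", {"image": NOTEPAD, "pid": 5200, "parent": INJ}),
    ("WS01", 8, "10:05:01", {"source": INJ, "target_pid": 5200}),
    ("WS01", 5, "10:05:32", {"image": NOTEPAD, "pid": 4100}),
    ("WS01", 5, "10:05:32", {"image": NOTEPAD, "pid": 5200}),
    ("WS02", 1, "10:07:00", {"image": NOTEPAD, "pid": 700, "parent": r"C:\Windows\explorer.exe"}),
    ("WS02", 5, "10:09:00", {"image": NOTEPAD, "pid": 700}),
]

def _t(s):
    return datetime.strptime(s, "%H:%M:%S")

def find_chains(events, window=timedelta(minutes=5)):
    """One finding per notepad spawned by an unusual parent that then received
    a remote thread; 'collateral' lists other notepads killed in the window."""
    findings = []
    for host, eid, when, f in events:
        if eid != 1 or f["image"].lower() != NOTEPAD or f["parent"].lower() in USUAL_PARENTS:
            continue
        start, end = _t(when), _t(when) + window
        later = [(e, g) for h, e, w, g in events if h == host and start <= _t(w) <= end]
        injectors = {g["source"] for e, g in later if e == 8 and g["target_pid"] == f["pid"]}
        killed = {g["pid"] for e, g in later if e == 5 and g["image"].lower() == NOTEPAD}
        if injectors:
            findings.append({"host": host, "pid": f["pid"], "injectors": sorted(injectors),
                             "collateral": sorted(killed - {f["pid"]})})
    return findings

if __name__ == "__main__":
    for finding in find_chains(SAMPLE):
        print(finding)
```

A non-empty `collateral` list means unrelated notepad instances died together with the injected one, which matches the kill-all behaviour the reply describes and raises confidence in the finding.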
How much MB are we talking about? I think just provide the binary/dll so I can get a better idea how this works. Could you also provide the source code somewhere so I can check it?
> How much MB are we talking about? I think just provide the binary/dll so I can get a better idea how this works. Could you also provide the source code somewhere so I can check it?

dfuse.exe -> 136KB, dllwin2.dll -> 148KB
Yes, I can provide you both. Where could I share the files and source code with you?
This was all only tested on Windows 10. On Windows 11 there seems to be a protection that prevents stealing the token and impersonating Administrator. This prevents malicious code like this one from running. But it works great on Windows 10.
If you like this version, I have the same thing doing keylogging.
> > How much MB are we talking about? I think just provide the binary/dll so I can get a better idea how this works. Could you also provide the source code somewhere so I can check it?
>
> dfuse.exe -> 136KB, dllwin2.dll -> 148KB

Ah easy! Just that modules folder alone is 6.6MB.

> Yes, I can provide you both. Where could I share the files and source code with you?

Just upload the binaries to nxc/data/<module_name>/* and integrate that into the module itself, so you can just execute it. It would probably be best to put the source code there as well, so people can check for themselves if they would like to.

> This was all only tested on Windows 10. On Windows 11 there seems to be a protection that prevents stealing the token and impersonating Administrator. This prevents malicious code like this one from running. But it works great on Windows 10.
> If you like this version, I have the same thing doing keylogging.

That would probably be another module, so let's keep it at the clipboard one for now.
I uploaded the binaries under data and also added, under data, the .c source code for everything used, as well as some custom functions like writetofile.c. I use the get_script_ps1() function to fetch them.