Note
This project was written a few years ago. The source code will be updated soon. It was developed as a plugin for my implant and C2 framework.
A POC version of the project in action is available here!
Let's say you are an attacker who pwned a victim's Windows box and you have a special interest in scanned documents. After taking some screenshots and watching your target's actions, you found out he is using none other than WFS.EXE to scan his documents. So, what do you do? Use WFS Stealer.
WFS Stealer is a DLL that, when injected into the Windows Fax & Scan process, hooks certain functions, enabling it to steal images of scanned documents and store them in another location, all without the user noticing anything.
As part of my learning journey into hooking, I decided to take a deeper look into WFS, a program I used to work with a lot at the time.
After some reversing fun with Ghidra, the Sysinternals Suite and ApiMon, I found which functions should be hooked. The hooks themselves were implemented with the Detours library.
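The technique described above (a third-party DLL loaded into the Windows Fax & Scan process and hooking its functions) leaves a visible footprint: a module inside WFS.EXE that Microsoft did not ship. The following PowerShell snippet is an added example written from the defender's side; it is not part of the WFS Stealer project or its source. It assumes an elevated 64-bit PowerShell session on the host being checked and takes the process name WFS from the description above.

```powershell
# Added example (not from the WFS Stealer project): list DLLs loaded into the
# Windows Fax and Scan process (WFS.EXE) whose Authenticode signature is
# missing, invalid, or not issued to Microsoft.
# Assumptions: elevated 64-bit PowerShell on the same host; process name "WFS"
# is taken from the README.
param(
    [string]$ProcessName = 'WFS'
)

$procs = Get-Process -Name $ProcessName -ErrorAction SilentlyContinue
if (-not $procs) {
    Write-Host "No running process named $ProcessName.exe"
    return
}

foreach ($proc in $procs) {
    Write-Host ("Inspecting {0} (PID {1})" -f $proc.ProcessName, $proc.Id)

    # Process.Modules enumerates every image mapped into the process,
    # including anything injected after start-up.
    foreach ($mod in $proc.Modules) {
        $sig = Get-AuthenticodeSignature -FilePath $mod.FileName
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }

        # Flag modules that are not validly signed by Microsoft. Legitimate
        # scanner-vendor components can also trip this check, so treat hits
        # as triage leads rather than verdicts.
        $suspicious = ($sig.Status -ne 'Valid') -or ($signer -notmatch 'O=Microsoft Corporation')
        if ($suspicious) {
            [pscustomobject]@{
                Process   = $proc.ProcessName
                PID       = $proc.Id
                Module    = $mod.ModuleName
                Path      = $mod.FileName
                SigStatus = $sig.Status
                Signer    = $signer
            }
        }
    }
}
```

Run it while Windows Fax and Scan is open. An unsigned DLL sitting in a user-writable directory is the pattern an injected hooking library would typically show; a vendor-signed imaging or TWAIN component is the usual benign explanation for a hit, so check the path and signer before acting.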
TL;DR - A faxing and scanning utility available from Vista to Windows 11.
Wikipedia: Windows Fax and Scan is an integrated faxing and scanning application introduced in Windows Vista and included in the Business, Enterprise, and Ultimate Windows Vista editions as the replacement for the Fax Console of Windows XP; it is available in all versions of Windows 7, Windows 8, Windows 10 (x86/x64) and Windows 11 (x64), but not on ARM64 versions of Windows 10 and Windows 11.
Windows Fax and Scan supports sending and receiving faxes, faxing or emailing scanned documents, and forwarding faxes as email attachments.
This repository is for research and educational purposes only, use of this code/information is your responsibility. I take no responsibility and/or liability for how you choose to use the code/information available here. By using, copying, or distributing any part of this repository or information provided in it, you understand and agree to use it at your own risk and you hold full responsibility for your actions. This repository does not promote any hacking-related activity.