I wrote this DLL years ago and spoke about it at Rochester BSides last year. I’ve been meaning to post this since then, but time tends to get away from me. Because Windows 2K and XP might not be around that much longer I’m going to keep this post short and sweet. You can download my GINA Stub DLL and deployment program here http://leetsys.com/programs/gina/gina.zip.
Microsoft GINA technology which stands for Graphical Identification ‘N Authentication is responsible for graphically handling logon requests when events such as CTRL-ALT-DEL are received. This is only one piece of what GINA can do, but arguably the most important for our needs.
Long story short a GINA Stub simply extends the functionality of another GINA DLL. The default provided by Microsoft and which handles logon events is MsGina.dll. You can choose to write your own GINA module from scratch and replace the MsGina.dll, but that’s obviously a huge pain in the butt. Why bother having to reinvent the wheel when all we want to do is grab the credentials?
My GINA dll logs credentials to c:\windows\sys.dll (plaintext file), it currently logs the domain, username and password. I Also included a simple program I called ginastubber which copies gs.dll from current directory to system32 and configures the necessary registry entry to use the gina stub dll. The registry entry is
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GinaDLL, which needs to be a REG_SZ value pointing to the gs.dll
I had grabbed the gina stub example from MSDN and simply tweaked the WlxLoggedOutSAS() function to log the credentials. Just a reminder that this will not work for Vista and later Operating Systems, as they have switched to the Credential Provider model. To accomplish the same thing in those Operating Systems you can check out my custom credential provider at https://twrightson.wordpress.com/2012/01/02/capturing-windows-7-credentials-at-logon-using-custom-credential-provider/.
If you want to know more about GINA this is a great url to start with:
http://msdn.microsoft.com/en-us/library/windows/desktop/aa375198(v=vs.85).aspx
Tyler Wrightson's Security Blog 
[…] use this modified GINA stub. More information about how GINA works can be found in his excellent blog post. For Vista/7 you can use this custom credential provider More information can be found in his blog […]