One Day Sec

What is RdpThief and how does it extract plaintext credentials from Remote Desktop Client?

RdpThief is a tool that extracts plaintext credentials entered into the Remote Desktop Connection client (mstsc.exe) by reading the process's memory rather than using a keylogger. It uses the Detours library to hook system APIs, and API Monitor to locate where mstsc.exe stores the username and password. Once injected into the mstsc.exe process, it captures the credentials and writes them to a file (e.g., %temp%\data.bin). The tool is especially useful in penetration testing after discovering remote desktop connection history.
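
The behaviour described above (code injected into mstsc.exe, output written under %temp%) leaves process telemetry a defender can check. The following is an added example, not part of the original answer or of RdpThief: it assumes Sysmon events (IDs 7, 8 and 11) already flattened to dicts, and the sample events, user name and file names in it are constructed.

```python
import ntpath

# Constructed sample events shaped like flattened Sysmon records.
# EventID 7 = ImageLoad, 8 = CreateRemoteThread, 11 = FileCreate.
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": r"C:\Windows\System32\mstsc.exe",
     "ImageLoaded": r"C:\Windows\System32\credui.dll", "Signed": "true"},
    {"EventID": 8, "SourceImage": r"C:\Users\alice\Downloads\loader.exe",
     "TargetImage": r"C:\Windows\System32\mstsc.exe"},
    {"EventID": 7, "Image": r"C:\Windows\System32\mstsc.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\helper.dll", "Signed": "false"},
    {"EventID": 11, "Image": r"C:\Windows\System32\mstsc.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\data.bin"},
    {"EventID": 11, "Image": r"C:\Windows\System32\notepad.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\notes.txt"},
]

def _is_mstsc(path):
    # Compare on the file name only so the rule survives path variations.
    return ntpath.basename(path or "").lower() == "mstsc.exe"

def _in_temp(path):
    # Per-user Temp directory, which is what %temp% normally expands to.
    return "\\appdata\\local\\temp\\" in (path or "").lower()

def classify(event):
    """Return a finding string for one event, or None if it is not of interest."""
    eid = event.get("EventID")
    if eid == 8 and _is_mstsc(event.get("TargetImage")):
        return "remote thread created in mstsc.exe by " + event.get("SourceImage", "?")
    if eid == 7 and _is_mstsc(event.get("Image")):
        if str(event.get("Signed", "")).lower() != "true":
            return "unsigned module loaded into mstsc.exe: " + event.get("ImageLoaded", "?")
    if eid == 11 and _is_mstsc(event.get("Image")) and _in_temp(event.get("TargetFilename")):
        return "mstsc.exe wrote a file under Temp: " + event.get("TargetFilename", "?")
    return None

def scan(events):
    """Classify every event and keep only the findings, in input order."""
    return [finding for finding in map(classify, events) if finding]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

These are heuristics: baseline what mstsc.exe normally loads and writes in your environment before alerting on them.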
