This feature can reveal the passwords stored behind the asterisks in standard password text-boxes.

How it works

This feature uses the same methodology as Todd Sabin's PWDUMP2 program to dump the passwords hidden behind asterisks in password text-boxes. It uses the "DLL injection" technique to run a thread in the same security context as the Local Security Authority Subsystem (LSASS) process. The thread's executable code must first be copied into the address space of the LSASS process, which requires an account with the SeDebugPrivilege user right. By default only Administrators have this right.

Once injected and executed, the thread runs with the same access privileges as the Local Security Authority Subsystem. It loads the function "DumpBox" from Abel.dll, which enumerates every password text-box present on the screen and dumps its text (the password) into a temporary file named boxes.txt. Finally, the content of this file is shown on the screen and the temporary file is deleted.
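
A defender's view of the sequence described above, as an added example that is not part of the original documentation: it flags the three artifacts the text names (a remote thread created in LSASS, Abel.dll loaded by LSASS, boxes.txt written by LSASS) in Sysmon-style events. The event dictionaries, host names and file paths are constructed sample data, and the function names are hypothetical.

```python
# Added example. Event IDs and field names follow Sysmon:
# 7 = ImageLoad, 8 = CreateRemoteThread, 11 = FileCreate.
from collections import defaultdict

LSASS = "\\lsass.exe"

def _ends(ev, field, suffix):
    """Case-insensitive suffix match on a path-valued event field."""
    return ev.get(field, "").lower().endswith(suffix)

def classify(ev):
    """Return an indicator name for one event, or None if it does not match."""
    eid = ev.get("EventID")
    if eid == 8 and _ends(ev, "TargetImage", LSASS):
        return "remote_thread_in_lsass"
    if eid == 7 and _ends(ev, "Image", LSASS) and _ends(ev, "ImageLoaded", "\\abel.dll"):
        return "abel_dll_loaded_by_lsass"
    if eid == 11 and _ends(ev, "Image", LSASS) and _ends(ev, "TargetFilename", "\\boxes.txt"):
        return "boxes_txt_written_by_lsass"
    return None

def findings_by_host(events):
    """Group matched indicators per host so related events are reviewed together."""
    hits = defaultdict(set)
    for ev in events:
        name = classify(ev)
        if name:
            hits[ev["Computer"]].add(name)
    return {host: sorted(names) for host, names in hits.items()}

# Constructed sample events (paths and host names are illustrative only).
SAMPLE_EVENTS = [
    {"Computer": "WS01", "EventID": 8,
     "SourceImage": "C:\\Users\\admin\\Desktop\\tool.exe",
     "TargetImage": "C:\\Windows\\System32\\lsass.exe"},
    {"Computer": "WS01", "EventID": 7,
     "Image": "C:\\Windows\\System32\\lsass.exe",
     "ImageLoaded": "C:\\Users\\admin\\Desktop\\Abel.dll"},
    {"Computer": "WS01", "EventID": 11,
     "Image": "C:\\Windows\\System32\\lsass.exe",
     "TargetFilename": "C:\\Windows\\Temp\\boxes.txt"},
    # Benign look-alikes: same file name or event type, but LSASS is not involved.
    {"Computer": "WS02", "EventID": 11,
     "Image": "C:\\Windows\\System32\\notepad.exe",
     "TargetFilename": "C:\\Users\\bob\\Documents\\boxes.txt"},
    {"Computer": "WS02", "EventID": 8,
     "SourceImage": "C:\\Windows\\System32\\csrss.exe",
     "TargetImage": "C:\\Windows\\explorer.exe"},
]

if __name__ == "__main__":
    print(findings_by_host(SAMPLE_EVENTS))
```

A remote thread created in LSASS is worth investigating on its own; the DLL load and the file write only add confidence that this particular feature was used.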

The "Box Revealer" supports most standard password text-boxes; however, some applications don't store passwords behind the asterisks for security reasons. In such cases this feature will not be able to show the passwords.

Usage

To dump passwords hidden behind asterisks, press the "Insert" button on the keyboard or click the icon with the blue + on the toolbar.

Requirements

This feature requires an account with the SeDebugPrivilege user right. By default only Administrators have this right.

Abel.dll is also required by the remote thread injected into the LSASS process.