Sec-Fork/DumpChromeSecrets
DumpChromeSecrets

Extract data from modern Chrome versions, including refresh tokens, cookies, saved credentials, autofill data, browsing history, and bookmarks.


Quick Links

Maldev Academy Home

Maldev Database

Malware Development Course Syllabus

Offensive Phishing Operations Course Syllabus

Ransomware Internals, Simulation and Detection Course Syllabus


How Does It Work

This project consists of two components:

  1. Executable (DumpChromeSecrets.exe) - Creates a headless Chrome process, injects the DLL via Early Bird APC injection, and receives extracted data through a named pipe.

  2. DLL (DllExtractChromeSecrets.dll) - Runs inside Chrome's process context to decrypt the App-Bound encryption key using Chrome's IElevator COM interface, then extracts and decrypts data from SQLite databases.
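The two-component design above leaves a telemetry footprint: a headless chrome.exe whose parent is not Chrome, and that chrome.exe then connecting to a named pipe opened by that parent. The following detection heuristic is an added example (not code from this repository) that keys on exactly that pair, using Sysmon Event ID 1 (Process Create), 17 (Pipe Created) and 18 (Pipe Connected) field names; the sample events, the injector path and the pipe name are constructed placeholders.

```python
"""Added example: heuristic for the headless-Chrome + named-pipe pattern over Sysmon-style events."""
import ntpath

CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
INJECTOR = r"C:\Temp\injector.exe"   # placeholder for an unexpected parent process
# Chrome's own IPC pipes use these prefixes (assumption: tune for your environment).
BENIGN_PIPE_PREFIXES = ("\\mojo.", "\\chrome.")

def detect(events):
    """Flag (a) headless chrome.exe whose parent is not chrome.exe and (b) chrome.exe
    connecting to a pipe created by a non-Chrome process. Early Bird APC yields no
    Sysmon ProcessAccess event (the injector owns the handle from CreateProcess)."""
    alerts, pipe_creator = [], {}          # pipe_creator: PipeName -> creating image
    for ev in sorted(events, key=lambda e: e["UtcTime"]):
        image = ntpath.basename(ev["Image"]).lower()
        if ev["EventID"] == 1:             # Process Create
            parent = ntpath.basename(ev["ParentImage"]).lower()
            if (image == "chrome.exe" and "--headless" in ev["CommandLine"].lower()
                    and parent != "chrome.exe"):
                alerts.append(f"headless chrome.exe pid {ev['ProcessId']} spawned by {parent}")
        elif ev["EventID"] == 17:          # Pipe Created (server side)
            pipe_creator[ev["PipeName"].lower()] = image
        elif ev["EventID"] == 18:          # Pipe Connected (client side)
            name = ev["PipeName"].lower()
            creator = pipe_creator.get(name)
            if (image == "chrome.exe" and creator not in (None, "chrome.exe")
                    and not name.startswith(BENIGN_PIPE_PREFIXES)):
                alerts.append(f"chrome.exe pid {ev['ProcessId']} connected to pipe "
                              f"{name} created by {creator}")
    return alerts

# Constructed sample: one ordinary Chrome session, then the injector pattern.
SAMPLE_EVENTS = [
    {"EventID": 1, "UtcTime": "10:00:00", "ProcessId": 4100, "Image": CHROME,
     "CommandLine": "chrome.exe --type=renderer", "ParentImage": CHROME},
    {"EventID": 17, "UtcTime": "10:00:01", "ProcessId": 4000, "Image": CHROME,
     "PipeName": r"\mojo.4000.1.1234"},
    {"EventID": 18, "UtcTime": "10:00:01", "ProcessId": 4100, "Image": CHROME,
     "PipeName": r"\mojo.4000.1.1234"},
    {"EventID": 17, "UtcTime": "10:05:00", "ProcessId": 5200, "Image": INJECTOR,
     "PipeName": r"\PLACEHOLDER_EXFIL_PIPE"},
    {"EventID": 1, "UtcTime": "10:05:01", "ProcessId": 5300, "Image": CHROME,
     "CommandLine": "chrome.exe --headless --disable-gpu", "ParentImage": INJECTOR},
    {"EventID": 18, "UtcTime": "10:05:02", "ProcessId": 5300, "Image": CHROME,
     "PipeName": r"\PLACEHOLDER_EXFIL_PIPE"},
]

if __name__ == "__main__":
    for line in detect(SAMPLE_EVENTS):
        print("ALERT:", line)
```

Sysmon only emits Event 17/18 when the configuration includes PipeEvent rules, so check that before relying on the second signal; legitimate automation (test runners, PDF renderers) also launches headless Chrome, so the parent-image check alone needs an allow-list.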


Chrome's App-Bound Encryption (v127+)

Starting with Chrome 127, Google introduced App-Bound Encryption, which ties cookie encryption keys to the Chrome application identity. The encryption key (named "app_bound_encrypted_key") is stored in the "Local State" file, and can be decrypted by Chrome's elevation service via the IElevator COM interface.

This project bypasses this protection by injecting code into Chrome's process, allowing it to call IElevator::DecryptData with the proper application context. Another method was implemented by luci4 in the Dumping Browser Cookies: Chrome and Dumping Saved Logins: Chrome modules.

(Image taken from: Improving the security of Chrome cookies on Windows)



Data Extraction

Once the DLL is injected, it extracts the following data from Chrome:

| Data Type | Database Path | Format | Encryption |
|---|---|---|---|
| App-Bound Key | User Data\Local State | JSON | DPAPI + IElevator |
| Cookies | User Data\Default\Network\Cookies | SQLite | AES-256-GCM (v20) |
| Logins | User Data\Default\Login Data | SQLite | AES-256-GCM (v20) |
| Tokens | User Data\Default\Web Data | SQLite | AES-256-GCM (v20) |
| Autofill | User Data\Default\Web Data | SQLite | None |
| History | User Data\Default\History | SQLite | None |
| Bookmarks | User Data\Default\Bookmarks | JSON | None |

Usage

Usage: DumpChromeSecrets.exe [options]

Options:
  /o <file>    Output JSON File (default: ChromeData.json)
  /all         Export All Entries (default: max 16 per category)
  /?           Show This Help Message

Examples:
  DumpChromeSecrets.exe                        Extract 16 Entry To ChromeData.json
  DumpChromeSecrets.exe /all                   Export All Entries
  DumpChromeSecrets.exe /o Output.json /all    Extract All To Output.json

Credits


Demo

(Demo image)
