A Python tool that enables user-mode decryption of cookies for Chromium-based browsers that have implemented App-Bound Encryption (ABE)
- Works on Google Chrome, Brave and Microsoft Edge
- Tested on the most recent stable version (Chromium v144)
- Extracts all cookies from all profiles for each browser without requiring administrator privileges
For each of the three supported browsers, the script:
- Checks the install path of the `browser`
- Launches the `browser` in suspended mode
- Sets up a named `pipe` using a deterministic algorithm for the name
- Decodes the `dll` and writes it to a temp directory
- Injects the `dll` into the `browser` using `LoadLibraryA`
- Reads the encrypted `ABE key` from the browser's `Local State` file
- Waits for the injected `dll` to connect to the `pipe` and sends the encrypted `ABE key` once connected
- The `dll` calls the decrypt function on the browser's internal Elevator COM interface and sends the now decrypted `ABE key` back through the same `pipe`
- Once the decrypted `key` is received, terminates the suspended process and closes the `pipe`
- Finds all `browser profiles` and their associated `cookie databases`
- Copies each `cookie database` to a temp directory, which might require killing the browser process if running
- Extracts the `cookies` and decrypts them using the decrypted `ABE key`
- Writes the decrypted `cookies` to `cookies/{BROWSER NAME}_{PROFILE NAME}_cookies.txt` in Netscape format
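Seen from the defender's side, the sequence above leaves a distinctive trace: one process writes a DLL into a temp directory, spawns a browser, and that browser then loads the DLL from the temp path. The following Python is an added example, not part of this project's code; it correlates constructed Sysmon-like events (the event shape, paths and PIDs are assumptions made for the example) to flag exactly that chain.

```python
from collections import defaultdict
from typing import Dict, List, Set

BROWSER_IMAGES = {"chrome.exe", "msedge.exe", "brave.exe"}
TEMP_MARKERS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\")

# Constructed sample telemetry in a Sysmon-like shape (not real logs):
# pid 900 writes a DLL to Temp, launches chrome.exe (pid 4100), and the
# browser then loads that DLL; kernel32.dll is a benign control load.
SAMPLE_EVENTS = [
    {"event": "process_create", "pid": 4100, "ppid": 900,
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe"},
    {"event": "file_create", "pid": 900,
     "path": r"C:\Users\alice\AppData\Local\Temp\abe_helper.dll"},
    {"event": "image_load", "pid": 4100,
     "path": r"C:\Users\alice\AppData\Local\Temp\abe_helper.dll"},
    {"event": "image_load", "pid": 4100,
     "path": r"C:\Windows\System32\kernel32.dll"},
    {"event": "process_terminate", "pid": 4100},
]


def _is_temp(path: str) -> bool:
    """True when the path sits under a user or system temp directory."""
    return any(marker in path.lower() for marker in TEMP_MARKERS)


def find_injection_chains(events: List[dict]) -> List[dict]:
    """Flag a DLL that (1) some process wrote into a temp directory and
    (2) was later loaded by a browser process that same process spawned."""
    parent_of: Dict[int, int] = {}                  # browser pid -> creator pid
    writers: Dict[str, Set[int]] = defaultdict(set)  # temp dll path -> writer pids
    hits: List[dict] = []
    for ev in events:
        kind = ev["event"]
        if kind == "process_create":
            image_name = ev["image"].lower().rsplit("\\", 1)[-1]
            if image_name in BROWSER_IMAGES:
                parent_of[ev["pid"]] = ev["ppid"]
        elif kind == "file_create" and _is_temp(ev["path"]):
            writers[ev["path"].lower()].add(ev["pid"])
        elif kind == "image_load" and ev["pid"] in parent_of and _is_temp(ev["path"]):
            creator = parent_of[ev["pid"]]
            if creator in writers.get(ev["path"].lower(), set()):
                hits.append({"browser_pid": ev["pid"],
                             "injector_pid": creator, "dll": ev["path"]})
    return hits
```

Running `find_injection_chains(SAMPLE_EVENTS)` yields one hit for pid 4100 loading the Temp DLL written by pid 900; the System32 load and a Temp DLL written by an unrelated process do not trigger.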
For a more detailed explanation of how the key decryption itself works, check out the research done by xaitax
- Python 3.12 (other recent Python 3 versions will likely work)
- MSVC x64 build environment (e.g., "x64 Native Tools Command Prompt for VS")
- Open a command prompt with a 64-bit MSVC environment enabled
- Run `python builder.py`
- The output file will be in `build/injector.py`
Install the requirements from `requirements.txt` via `pip install -r requirements.txt`
While this is not required for building the final file, it is required to run the injector
While this tool gets the job done, it is merely a POC and not meant to be used in a production environment, as it has several limitations:
- This tool only works on Windows x64; Windows ARM64 is currently not supported
- This tool doesn't implement any EDR or AV evasion techniques and will therefore likely get detected by them
- No Encryption: The `dll` is stored unencrypted as a base64 blob
- No Syscalls: The entire process uses high-level Windows API calls, making it trivial for AV solutions to block them. This includes writing the `dll` to disk directly and using `LoadLibraryA` for injection
- As Chromium browsers can be very strict with who is allowed to access the cookie database, this also kills the browser process, making it very obvious to the user what is happening
This project wouldn't have been possible without the research found in xaitax/Chrome-App-Bound-Encryption-Decryption. A good chunk of the C++ code of this project is also an adapted version of that project's chrome_decrypt.cpp. Check out THIRD_PARTY_LICENSES for information on the licensing.
This is a proof-of-concept project and is NOT meant to be used to get unauthorized access to user data or to be used in malware campaigns