TokenLook ‐ TokenExtract
vrikodar edited this page Jun 21, 2026 · 10 revisions
- The method of extracting JWT tokens from Outlook app memory has already been highlighted before: https://mrd0x.com/stealing-tokens-from-office-applications/
- For our purpose, we created a simple `C#` program that uses the legitimate Process Dump binary from Microsoft in combination with custom parsing to extract tokens from the Outlook process memory
- The Process Dump binary can be downloaded from https://learn.microsoft.com/en-us/sysinternals/downloads/procdump
- This version of the program is a simple extractor that works in the following steps:
  - The program first looks for `ProcessDump.exe` in the current directory
  - Once the Process Dump binary is found, the program looks for the PID of the running Outlook app
  - During testing it was found that the Outlook app on Windows can run as either `OUTLOOK.exe` or `otlk.exe`
  - Hence the program falls back to `otlk.exe` if `OUTLOOK.exe` is not found
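The steps above leave a recognisable trace in process-creation telemetry: a Process Dump launch whose target resolves to one of the two Outlook process names. The following detection sketch is an added example, not code from this page or the TokenLook project. The event field names are modeled on Sysmon process-creation events, and the `procdump` OriginalFileName value, the helper names and all sample events are assumptions constructed for illustration.

```python
import ntpath
import shlex

OUTLOOK_NAMES = {"outlook.exe", "otlk.exe"}  # the two names given on this page
# ProcessDump.exe is the name the page's tool looks for; the others are ProcDump's shipped names.
DUMPER_NAMES = {"processdump.exe", "procdump.exe", "procdump64.exe"}

def is_dumper(ev):
    """Match ProcDump by image name or, if renamed, by PE OriginalFileName (assumed 'procdump')."""
    image = ntpath.basename(ev["Image"]).lower()
    return image in DUMPER_NAMES or ev.get("OriginalFileName", "").lower().startswith("procdump")

def find_outlook_dumps(events):
    """Return ProcDump launches whose target (name or PID) is an Outlook process."""
    pid_to_image, hits = {}, []
    for ev in events:
        # Remember every process seen so that a PID argument can be resolved later.
        pid_to_image[ev["ProcessId"]] = ntpath.basename(ev["Image"]).lower()
        if not is_dumper(ev):
            continue
        for arg in shlex.split(ev["CommandLine"], posix=False)[1:]:
            arg = arg.strip('"').lower()
            # A numeric argument is treated as a PID and resolved to its image name.
            target = pid_to_image.get(int(arg), "") if arg.isdecimal() else ntpath.basename(arg)
            if target in OUTLOOK_NAMES or target + ".exe" in OUTLOOK_NAMES:
                hits.append(ev)
                break
    return hits

def _ev(pid, image, cmd, orig=""):
    return {"ProcessId": pid, "Image": image, "CommandLine": cmd, "OriginalFileName": orig}

# Constructed sample events (not real telemetry), in chronological order.
SAMPLE_EVENTS = [
    _ev(4312, r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE", "OUTLOOK.EXE"),
    _ev(5100, r"C:\Windows\System32\notepad.exe", "notepad.exe"),
    _ev(6000, r"C:\Users\Public\ProcessDump.exe", "ProcessDump.exe -ma 4312 out.dmp", "procdump"),
    _ev(6001, r"C:\Tools\procdump64.exe", "procdump64.exe -ma 5100 out.dmp", "procdump"),
    _ev(6002, r"C:\Temp\svc.exe", r'"C:\Temp\svc.exe" -ma otlk out.dmp', "procdump"),
]

if __name__ == "__main__":
    for hit in find_outlook_dumps(SAMPLE_EVENTS):
        print("ALERT pid=%d cmd=%s" % (hit["ProcessId"], hit["CommandLine"]))
```

Because the tool targets Outlook by PID, a rule that only searches the command line for the string `OUTLOOK` misses it; resolving the PID against earlier process-creation events closes that gap.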