- Joined
- May 15, 2017
- Messages
- 981
- Likes
- 760
- Points
- 1,045
First, let's get the file where user accounts and passwords are stored. In Windows, it lies at the following address:
C: \ Users \% username% \ AppData \ Local \ Google \ Chrome \ UserData \ Default \ Login Data
To perform any manipulations with this file, you must either kill all the browser processes, which will catch the eye, or copy the base file somewhere and after that start working with it.
Let's write a function that gets the path to the Chrome password database. As an argument, it will be passed an array of characters with the result of its work (that is, the array will contain the path to the Chrome password file).
Function call:
Let's briefly explain what is happening here. We immediately write this function, implying a future expansion. One of its arguments is the browser_family field, it will signal a family of browsers whose database we get (that is, browsers based on Chrome or Firefox).
If the condition browser_family = 0 is met, then we get the browser database of passwords based on Chrome, if browser_family = 1 - Firefox. The CHROME_DB_PATH identifier points to the Chrome password database. After that we get the path to the database using the SHGetFolderPath function, passing to it the CSIDL_LOCAL_APPDATA value as the CSIDL argument, which means:
1
The SHGetFolderPath function is already obsolete, and Microsoft recommends using SHGetKnownFolderPath instead. The problem lies in the fact that support for this feature starts with Windows Vista, so I used its older equivalent to maintain backward compatibility. Here is its prototype:
After that, the lstrcat function combines the result of the SHGetFolderPath with the identifier CHROME_DB_PATH.
The password database is received, now we start to work with it. As I said before, this is a SQLite database, it is convenient to work with it through the SQLite API, which are connected with the sqlite3.h header file. Let's copy the database file, so as not to occupy it and not interfere with the browser.
Now we connect to the database with the sqlite3_open_v2 command. Its prototype is:
The first argument is our database; the connection information is returned to the second argument, the opening flags go next, and the fourth argument specifies the operating system interface that should use this connection to the database, in our case it is not needed. If this function runs correctly, the value of SQLITE_OK is returned, otherwise an error code is returned.
Please note: in case of incorrect function development, we still need to close the connection to the database on our own and delete its copy.
Now we begin to directly process the data in the database. To do this, we use the function sqlite3_exec ().
This function has the following prototype:
The first argument is our password database, the second is the SQL command that pulls out the file's URL, login, password and username, the third argument is the callback function that will decrypt the passwords, the fourth is passed to our callback function, but The fifth argument reports an error.
Let's take a closer look at the callback function that decrypts passwords. It will be used for each row from a sample of our SELECT query. Its prototype is int (* callback) (void *, int, char **, char **), but we will not need all the arguments, although they must be declared. The function itself is called crack_chrome_db, we begin to write and declare the necessary variables:
In this loop, we form BLOBs (that is, a large array of binary data). Next, select the memory, read the blob and initialize the DATA_BLOB fields:
Now let's proceed directly to decrypting passwords. Chrome database is encrypted with the Data Protection Application Programming Interface (DPAPI) engine. The essence of this mechanism is that data can be decrypted only under the account under which they were encrypted. In other words, you can not pull out the password database, and then decrypt it already on your computer. To decrypt data, we need the CryptUnprotectData function.
After that, select the memory and fill in the passwds array with the decrypted data.
C: \ Users \% username% \ AppData \ Local \ Google \ Chrome \ UserData \ Default \ Login Data
To perform any manipulations with this file, you must either kill all the browser processes, which will catch the eye, or copy the base file somewhere and after that start working with it.
Let's write a function that gets the path to the Chrome password database. As an argument, it will be passed an array of characters with the result of its work (that is, the array will contain the path to the Chrome password file).
Function call:
Let's briefly explain what is happening here. We immediately write this function, implying a future expansion. One of its arguments is the browser_family field, it will signal a family of browsers whose database we get (that is, browsers based on Chrome or Firefox).
If the condition browser_family = 0 is met, then we get the browser database of passwords based on Chrome, if browser_family = 1 - Firefox. The CHROME_DB_PATH identifier points to the Chrome password database. After that we get the path to the database using the SHGetFolderPath function, passing to it the CSIDL_LOCAL_APPDATA value as the CSIDL argument, which means:
1
The SHGetFolderPath function is already obsolete, and Microsoft recommends using SHGetKnownFolderPath instead. The problem lies in the fact that support for this feature starts with Windows Vista, so I used its older equivalent to maintain backward compatibility. Here is its prototype:
After that, the lstrcat function combines the result of the SHGetFolderPath with the identifier CHROME_DB_PATH.
The password database is received, now we start to work with it. As I said before, this is a SQLite database, it is convenient to work with it through the SQLite API, which are connected with the sqlite3.h header file. Let's copy the database file, so as not to occupy it and not interfere with the browser.
Now we connect to the database with the sqlite3_open_v2 command. Its prototype is:
The first argument is our database; the connection information is returned to the second argument, the opening flags go next, and the fourth argument specifies the operating system interface that should use this connection to the database, in our case it is not needed. If this function runs correctly, the value of SQLITE_OK is returned, otherwise an error code is returned.
Please note: in case of incorrect function development, we still need to close the connection to the database on our own and delete its copy.
Now we begin to directly process the data in the database. To do this, we use the function sqlite3_exec ().
This function has the following prototype:
The first argument is our password database, the second is the SQL command that pulls out the file's URL, login, password and username, the third argument is the callback function that will decrypt the passwords, the fourth is passed to our callback function, but The fifth argument reports an error.
Let's take a closer look at the callback function that decrypts passwords. It will be used for each row from a sample of our SELECT query. Its prototype is int (* callback) (void *, int, char **, char **), but we will not need all the arguments, although they must be declared. The function itself is called crack_chrome_db, we begin to write and declare the necessary variables:
In this loop, we form BLOBs (that is, a large array of binary data). Next, select the memory, read the blob and initialize the DATA_BLOB fields:
Now let's proceed directly to decrypting passwords. Chrome database is encrypted with the Data Protection Application Programming Interface (DPAPI) engine. The essence of this mechanism is that data can be decrypted only under the account under which they were encrypted. In other words, you can not pull out the password database, and then decrypt it already on your computer. To decrypt data, we need the CryptUnprotectData function.
After that, select the memory and fill in the passwds array with the decrypted data.
Actually, that's all! After that, passwds will contain user accounts and URLs. You can display this information or save it to a file and send it somewhere.