0.20.0

Author: xaitax

CHANGELOG.md

@@ -1,6 +1,23 @@
 # Chrome App-Bound Encryption Decryption
 
-## 🆕 Changelog
+## Changelog
+
+### v0.20.0
+
+* **Critical Stealth Fix: Bootstrap Direct Syscalls** (thanks [@wrapdavid](https://github.com/wrapdavid) for the sharp-eyed report!): The reflective loader's bootstrap now correctly invokes direct syscalls for `NtAllocateVirtualMemory` and `NtProtectVirtualMemory` through the linked `SyscallTrampoline` assembly function.
+  * The bootstrap now calls the `SyscallTrampoline` assembly used by the injector stage, with a `SyscallEntry` struct layout matching the ASM expectations (gadget pointer at offset 0, arg count at offset 8, SSN at offset 12).
+  * All `VirtualAlloc`/`VirtualProtect` fallback code has been permanently removed. The bootstrap now operates exclusively through direct syscalls.
+
+* **Avast Secure Browser Support**: Added full App-Bound Encryption decryption support for Avast Secure Browser.
+  * Avast's `IElevatorChrome` COM interface has 12 methods (vs Chrome's 3), with `DecryptData` at vtable slot 13 (offset 104 bytes).
+  * New `IAvastElevator` COM interface definition with complete vtable layout.
+  * Browser discovery via Windows Registry with standard and WOW6432Node paths.
+  * Correctly routes Avast through the `IAvastElevator` COM path for vtable-compatible DecryptData invocation.
+  * Use `chromelevator.exe avast` or include in `all` scan.
+
+* **Architecture Detection Fix**: Replaced `IsWow64Process2`-based architecture detection with direct PE header reading.
+  * `IsWow64Process2` returns incorrect results for x64 processes running under emulation on ARM64 Windows (reports `processArch = 0`), causing the tool to misidentify the target architecture.
+  * Now reads the PE file header's `Machine` field directly from the browser executable, which is always accurate regardless of emulation layer.
 
 ### v0.19.0
 
@@ -39,7 +56,7 @@
   * Brave Browser reuses Chrome's `IElevator2Chrome` IID for compatibility.
 
 * **Chrome Beta Channel Support**: Added Chrome Beta as a separate browser target.
-  * Use `--target chrome-beta` or include in `all` scan.
+  * Use `chromelevator.exe chrome-beta` or include in `all` scan.
   * Separate CLSID/IID configuration for Chrome Beta's elevation service.
   * IElevator2 support included for Chrome Beta 144+.
 

README.md

@@ -21,9 +21,9 @@ This tool's effectiveness is rooted in a combination of modern, evasion-focused
 
 - **Direct Syscall-Based Process Hollowing:** A stealthy process creation and injection technique. Instead of injecting into a high-traffic, potentially monitored process, it creates a new, suspended host process. This significantly reduces the chances of detection, as all memory manipulations occur before the process begins normal execution.
 
-- **Fileless In-Memory Payload:** The payload DLL never touches the disk on the target machine. It is stored encrypted within the injector using **ChaCha20** with **compile-time derived keys**, decrypted in-memory, and reflectively loaded, minimizing its forensic footprint and bypassing static file-based scanners.
+- **Fileless In-Memory Payload:** The payload DLL never touches the disk on the target machine. It is embedded as a **ChaCha20-encrypted** compile-time byte array with **compile-time derived keys**, decrypted in-memory, and reflectively loaded, minimizing its forensic footprint and bypassing static file-based scanners.
 
-- **Reflective DLL Injection (RDI):** A stealthy process injection method that circumvents `LoadLibrary`, thereby evading detection mechanisms that monitor module loads. The self-contained C loader resolves all of its own dependencies from memory.
+- **Reflective DLL Injection (RDI):** A stealthy process injection method that circumvents `LoadLibrary` for the main payload, thereby evading detection mechanisms that monitor module loads. The self-contained bootstrap loader maps PE sections, performs relocations, and resolves imports from memory.
 
 - **Target-Context COM Invocation:** The lynchpin for defeating App-Bound Encryption. By executing code _within_ the trusted browser process, we inherit its identity and security context, allowing us to make legitimate-appearing calls to the ABE COM server and satisfy its path-validation security checks.
 
@@ -38,20 +38,20 @@ This tool's effectiveness is rooted in a combination of modern, evasion-focused
 
 ### Stealth & Evasion
 
-- 🛡️ **Fileless Payload Delivery:** In-memory decryption and injection of an encrypted resource.
+- 🛡️ **Fileless Payload Delivery:** In-memory decryption and injection of an encrypted embedded payload.
 - 🛡️ **Direct Syscall Engine:** Bypasses common endpoint defenses by avoiding hooked user-land APIs for all process operations.
 - 🛡️ **Hash-Based Syscall Resolution:** No plaintext `Nt*`/`Zw*` function names in binary—uses compile-time DJB2 hashes.
 - 🛡️ **Compile-Time Key Derivation:** Encryption keys derived from build metadata, unique per build.
 - 🛡️ **PE Header Destruction:** Post-injection PE headers obliterated with pseudo-random data to evade memory scanners.
 - 🛡️ **IPC Mimicry:** Browser-specific named pipe patterns that blend with legitimate browser IPC traffic.
 - 🤫 **Process Hollowing:** Creates a benign, suspended host process for the payload, avoiding injection into potentially monitored processes.
 - 👻 **Reflective DLL Injection:** Stealthily loads the payload without suspicious `LoadLibrary` calls.
-- 🔒 **Proactive File-Lock Mitigation:** Automatically terminates browser utility processes that hold locks on target database files.
+- 🔒 **Non-Intrusive File-Lock Bypass:** Uses syscall-based handle duplication to access locked SQLite databases without terminating browser processes. Optional `--kill` flag available for full process termination.
 - 💼 **No Admin Privileges Required:** Operates entirely within the user's security context.
 
 ### Compatibility & Usability
 
-- 🌐 Works on **Google Chrome**, **Brave**, & **Edge**.
+- 🌐 Works on **Google Chrome**, **Brave**, **Edge**, & **Avast Secure Browser**.
 - 💻 Natively supports **x64** and **ARM64** architectures.
 - 🚀 **Standalone Operation:** Automatically creates a new browser process to host the payload, requiring no pre-existing running instances.
 - 📁 Customizable output directory for extracted data.
@@ -61,35 +61,36 @@ This tool's effectiveness is rooted in a combination of modern, evasion-focused
 
 ## 📦 Supported & Tested Versions
 
-| Browser                 | Tested Version (x64 & ARM64) |
-| ----------------------- | ---------------------------- |
-| **Google Chrome**       | 144.0.7559.97                |
-| **Google Chrome Beta**  | 145.0.7632.18                |
-| **Brave**               | 1.86.142 (144.0.7559.97)     |
-| **Microsoft Edge**      | 144.0.3719.92                |
+| Browser                    | Tested Version (x64 & ARM64) |
+| -------------------------- | ---------------------------- |
+| **Google Chrome**          | 144.0.7559.133               |
+| **Google Chrome Beta**     | 145.0.7632.18                |
+| **Brave**                  | 1.86.148 (144.1.86.148)      |
+| **Microsoft Edge**         | 145.0.3800.36                |
+| **Avast Secure Browser**   | 143.0.33371.147              |
 
-> **Note:** Chrome/Brave/Edge 144+ use the new `IElevator2` COM interface. This tool automatically uses `IElevator2` when available and falls back to `IElevator` for older versions.
+> **Note:** Chrome/Brave/Edge 144+ use the new `IElevator2` COM interface. This tool automatically uses `IElevator2` when available and falls back to `IElevator` for older versions. Avast Secure Browser uses a custom `IElevatorChrome` interface with an extended vtable (12 methods, DecryptData at offset 104).
 
 ## 🔍 Feature Support Matrix
 
 This matrix outlines the extraction capabilities for each supported browser.
 
-| Feature              | Google Chrome          | Microsoft Edge                  | Brave                          |
-|----------------------|------------------------|------------------------|-----------------------------------------|
-| **Cookies**         | ✅ ABE                | ✅ ABE                | ✅ ABE                                 |
-| **Passwords**       | ✅ ABE                | ✅ ABE                | ✅ ABE                                 |
-| **Payment Methods** | ✅ ABE                | ✅ ABE                | ✅ ABE                                 |
-| **IBANs**           | ✅ ABE                | ❌ N/A                | ✅ ABE                                 |
-| **Auth Tokens**     | ✅ Google             | ❌ N/A                | ❌ N/A                                 |
+| Feature              | Google Chrome          | Microsoft Edge         | Brave                  | Avast Secure Browser   |
+|----------------------|------------------------|------------------------|------------------------|------------------------|
+| **Cookies**         | ✅ ABE                | ✅ ABE                | ✅ ABE                | ✅ ABE                |
+| **Passwords**       | ✅ ABE                | ✅ ABE                | ✅ ABE                | ✅ ABE                |
+| **Payment Methods** | ✅ ABE                | ✅ ABE                | ✅ ABE                | ✅ ABE                |
+| **IBANs**           | ✅ ABE                | ❌ N/A                | ✅ ABE                | ✅ ABE                |
+| **Auth Tokens**     | ✅ Google             | ❌ N/A                | ❌ N/A                | ❌ N/A                |
 
 ## 🔬 Technical Workflow
 
 The tool's execution is focused on stealth and efficiency, built around a **Direct Syscall-based Reflective Hollowing** process. This approach ensures that few high-level API calls are made and that the payload operates from within a legitimate, newly created browser process.
 
 ### **Stage 1: The Injector (`chromelevator.exe`)**
 
-1.  **Pre-Flight & Initialization:** The injector begins by initializing its **direct syscall engine**, dynamically parsing `ntdll.dll` to resolve syscall numbers (SSNs) using hash-based matching and locate kernel transition gadgets (`syscall/ret` or `svc/ret`). It then performs a critical pre-flight check, using `NtGetNextProcess` and other syscalls to find and terminate any browser "network service" child processes. This preemptively releases file locks on the target SQLite databases.
-2.  **Payload Preparation:** The core payload DLL, which is stored as a **ChaCha20-encrypted resource** with compile-time derived keys, is loaded and decrypted entirely in-memory.
+1.  **Pre-Flight & Initialization:** The injector begins by initializing its **direct syscall engine**, dynamically parsing `ntdll.dll` to resolve syscall numbers (SSNs) using hash-based matching and locate kernel transition gadgets (`syscall/ret` or `svc/ret`). If the `--kill` flag is specified, it uses `NtGetNextProcess` and `NtTerminateProcess` syscalls to terminate all running instances of the target browser, releasing file locks on SQLite databases.
+2.  **Payload Preparation:** The core payload DLL, which is embedded as a **ChaCha20-encrypted** compile-time byte array with compile-time derived keys, is decrypted entirely in-memory.
 3.  **Process Hollowing:** Instead of targeting an existing process, the injector creates a new instance of the target browser in a **`CREATE_SUSPENDED`** state (`CreateProcessW`). This pristine, suspended process serves as the host for our payload.
 4.  **Reflective Injection via Syscalls:** Using the direct syscall engine, the injector performs a series of stealthy actions on the suspended process:
     - It allocates memory using `NtAllocateVirtualMemory` (direct syscall).
@@ -108,14 +109,14 @@ The tool's execution is focused on stealth and efficiency, built around a **Dire
     - **Destroys PE headers** by overwriting DOS/NT headers with pseudo-random data, eliminating MZ signature from memory.
     - Finally, invokes the payload's `DllMain`.
 2.  **Connection & Setup:** The `DllMain` spawns a new thread that immediately connects to the named pipe handle passed by the injector. It reads the configuration, including the output path, sent by the injector. All subsequent logs and status updates are relayed back through this pipe.
-3.  **Target-Context COM Hijack:** Now running natively within the browser process, the payload instantiates the browser's internal COM server (`IElevator2` for Chrome 144+, `IElevator` for earlier versions, or `IEdgeElevatorFinal` for Edge). As the call originates from a trusted process path, all of the server's security checks are passed.
+3.  **Target-Context COM Hijack:** Now running natively within the browser process, the payload instantiates the browser's internal COM server (`IElevator2` for Chrome/Brave 144+, `IElevator` for earlier versions, `IEdgeElevatorFinal` for Edge, or `IAvastElevator` for Avast Secure Browser). As the call originates from a trusted process path, all of the server's security checks are passed.
 4.  **Master Key Decryption:** The payload calls the `DecryptData` method on the COM interface, providing the `app_bound_encrypted_key` it reads from the `Local State` file. The COM server dutifully decrypts the key and returns the plaintext AES-256 master key to the payload.
 5.  **Data Exfiltration:** Armed with the AES key, the payload enumerates all user profiles (`Default`, `Profile 1`, etc.). For each profile, it queries the relevant SQLite databases (`Cookies`, `Login Data`, `Web Data`), decrypts the data blobs using AES-256-GCM, and formats the secrets as JSON. The results are written directly to the output directory specified by the injector.
 6.  **Shutdown:** After processing all profiles, the payload sends a completion signal to the injector over the pipe and calls `FreeLibraryAndExitThread` to clean up. The injector, upon receiving the signal, terminates the parent host process with `NtTerminateProcess`.
 
 ## 🔧 Build Instructions
 
-This project uses a simple, robust build script that handles all compilation and resource embedding automatically.
+This project uses a simple, robust build script that handles all compilation and payload embedding automatically.
 
 1. **Clone** this repository.
 
@@ -152,9 +153,9 @@ _________ .__                         ___________.__                       __
  \______  /___|  /__|   \____/|__|_|  /_______  /|____/\___  >\_/  (____  /__|  \____/|__|
         \/     \/                   \/        \/           \/           \/
  Direct Syscall-Based Reflective Hollowing
- x64 & ARM64 | v0.18.1 by @xaitax
+ x64 & ARM64 | v0.20.0 by @xaitax
 
-  Usage: chromelevator.exe [options] <chrome|chrome-beta|edge|brave|all>
+  Usage: chromelevator.exe [options] <chrome|chrome-beta|edge|brave|avast|all>
 
   Options:
     -v, --verbose      Show detailed output
@@ -195,7 +196,7 @@ _________ .__                         ___________.__                       __
  \______  /___|  /__|   \____/|__|_|  /_______  /|____/\___  >\_/  (____  /__|  \____/|__|
         \/     \/                   \/        \/           \/           \/
  Direct Syscall-Based Reflective Hollowing
- x64 & ARM64 | v0.18.1 by @xaitax
+ x64 & ARM64 | v0.20.0 by @xaitax
 
   ┌──── Brave (143.1.85.120) ──────────────────────
   │
@@ -270,7 +271,7 @@ _________ .__                         ___________.__                       __
  \______  /___|  /__|   \____/|__|_|  /_______  /|____/\___  >\_/  (____  /__|  \____/|__|
         \/     \/                   \/        \/           \/           \/
  Direct Syscall-Based Reflective Hollowing
- x64 & ARM64 | v0.18.1 by @xaitax
+ x64 & ARM64 | v0.20.0 by @xaitax
 
   ┌──── Chrome (143.0.7499.193) ───────────────────
   │ Creating suspended process: C:\Program Files\Google\Chrome\Application\chrome.exe

src/com/elevator.cpp

@@ -27,7 +27,8 @@ namespace Com
         const CLSID &clsid,
         const IID &iid,
         const std::optional<IID> &iid_v2,
-        bool isEdge)
+        bool isEdge,
+        bool isAvast)
     {
         BSTR bstrEnc = SysAllocStringByteLen(reinterpret_cast<const char *>(encryptedKey.data()), (UINT)encryptedKey.size());
         if (!bstrEnc)
@@ -70,6 +71,19 @@ namespace Com
                 }
             }
         }
+        else if (isAvast)
+        {
+            // Avast uses same IID as Chrome base IElevator but has 12 methods instead of 3
+            // DecryptData is at vtable slot 13 (offset 104) instead of slot 5 (offset 40)
+            Microsoft::WRL::ComPtr<IAvastElevator> elevator;
+            hr = CoCreateInstance(clsid, nullptr, CLSCTX_LOCAL_SERVER, iid, &elevator);
+            if (SUCCEEDED(hr))
+            {
+                CoSetProxyBlanket(elevator.Get(), RPC_C_AUTHN_DEFAULT, RPC_C_AUTHZ_DEFAULT, COLE_DEFAULT_PRINCIPAL,
+                                  RPC_C_AUTHN_LEVEL_PKT_PRIVACY, RPC_C_IMP_LEVEL_IMPERSONATE, nullptr, EOAC_DYNAMIC_CLOAKING);
+                hr = elevator->DecryptData(bstrEnc, &bstrPlain, &comErr);
+            }
+        }
         else
         {
             Microsoft::WRL::ComPtr<IOriginalBaseElevator> elevator;

src/com/elevator.hpp

@@ -19,6 +19,7 @@ namespace Com {
     };
 
     // Interface definitions
+    // Chrome/Brave IElevator interface (3 methods)
     MIDL_INTERFACE("A949CB4E-C4F9-44C4-B213-6BF8AA9AC69C")
     IOriginalBaseElevator : public IUnknown {
     public:
@@ -27,6 +28,25 @@ namespace Com {
         virtual HRESULT STDMETHODCALLTYPE DecryptData(const BSTR, BSTR*, DWORD*) = 0;
     };
 
+    // Avast's IElevatorChrome interface (12 methods - same vtable as base IElevator but properly registered)
+    // Avast added 9 methods between RunRecoveryCRXElevated and EncryptData
+    MIDL_INTERFACE("7737BB9F-BAC1-4C71-A696-7C82D7994B6F")
+    IAvastElevator : public IUnknown {
+    public:
+        virtual HRESULT STDMETHODCALLTYPE RunRecoveryCRXElevated(const WCHAR*, const WCHAR*, const WCHAR*, const WCHAR*, DWORD, ULONG_PTR*) = 0;
+        virtual HRESULT STDMETHODCALLTYPE UpdateSearchProviderElevated(const WCHAR*) = 0;
+        virtual HRESULT STDMETHODCALLTYPE CleanupMigrateStateElevated(void) = 0;
+        virtual HRESULT STDMETHODCALLTYPE UpdateInstallerLangElevated(const WCHAR*) = 0;
+        virtual HRESULT STDMETHODCALLTYPE UpdateBrandValueElevated(const WCHAR*) = 0;
+        virtual HRESULT STDMETHODCALLTYPE MigrateUninstallKeyElevated(const WCHAR*) = 0;
+        virtual HRESULT STDMETHODCALLTYPE UpdateEndpointIdElevated(const char*) = 0;
+        virtual HRESULT STDMETHODCALLTYPE UpdateFingerprintIdElevated(const char*) = 0;
+        virtual HRESULT STDMETHODCALLTYPE RunMicroMVDifferentialUpdate(void) = 0;
+        virtual HRESULT STDMETHODCALLTYPE EncryptData(ProtectionLevel, const BSTR, BSTR*, DWORD*) = 0;
+        virtual HRESULT STDMETHODCALLTYPE DecryptData(const BSTR, BSTR*, DWORD*) = 0;
+        virtual HRESULT STDMETHODCALLTYPE DecryptData2(const BSTR, BSTR*, DWORD*) = 0;
+    };
+
     MIDL_INTERFACE("E12B779C-CDB8-4F19-95A0-9CA19B31A8F6")
     IEdgeElevatorBase_Placeholder : public IUnknown {
     public:
@@ -67,7 +87,8 @@ namespace Com {
             const CLSID& clsid,
             const IID& iid,
             const std::optional<IID>& iid_v2,
-            bool isEdge);
+            bool isEdge,
+            bool isAvast = false);
 
         // Decrypt using specific Edge IID (for testing Copilot vs Edge)
         std::vector<uint8_t> DecryptKeyEdgeIID(

src/core/version.hpp

@@ -6,9 +6,9 @@
 namespace Core {
 
     // Main version string - shown in banner
-    constexpr const char* VERSION = "0.19.0";
+    constexpr const char* VERSION = "0.20.0";
 
     // Full version for build identification (update for releases)
-    constexpr const char* BUILD_TAG = "v0.19.0";
+    constexpr const char* BUILD_TAG = "v0.20.0";
 
 }