Releases: xaitax/Chrome-App-Bound-Encryption-Decryption

Release v0.20.0

05 Feb 11:54

v0.20.0

  • Critical Stealth Fix: Bootstrap Direct Syscalls (thanks @wrapdavid for the sharp-eyed report!): The reflective loader's bootstrap now correctly invokes direct syscalls for NtAllocateVirtualMemory and NtProtectVirtualMemory through the linked SyscallTrampoline assembly function.

    • The bootstrap now calls the SyscallTrampoline assembly used by the injector stage, with a SyscallEntry struct layout matching the ASM expectations (gadget pointer at offset 0, arg count at offset 8, SSN at offset 12).
    • All VirtualAlloc/VirtualProtect fallback code has been permanently removed. The bootstrap now operates exclusively through direct syscalls.
  • Avast Secure Browser Support: Added full App-Bound Encryption decryption support for Avast Secure Browser.

    • Avast's IElevatorChrome COM interface has 12 methods (vs Chrome's 3), with DecryptData at vtable slot 13 (offset 104 bytes).
    • New IAvastElevator COM interface definition with complete vtable layout.
    • Browser discovery via Windows Registry with standard and WOW6432Node paths.
    • Correctly routes Avast through the IAvastElevator COM path for vtable-compatible DecryptData invocation.
    • Invoke with chromelevator.exe avast; Avast is also included in the all scan.
  • Architecture Detection Fix: Replaced IsWow64Process2-based architecture detection with direct PE header reading.

    • IsWow64Process2 returns incorrect results for x64 processes running under emulation on ARM64 Windows (reports processArch = 0), causing the tool to misidentify the target architecture.
    • Now reads the PE file header's Machine field directly from the browser executable, which is always accurate regardless of emulation layer.
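Reading the Machine field straight from the COFF file header, as this fix does, is the same check an analyst performs when triaging a Windows binary. The Python below is an added illustration, not code from the ChromElevator project: it parses the DOS header, follows e_lfanew to the PE signature and returns the Machine value, rejecting truncated or malformed input, with a constructed stub PE buffer as sample input.

```python
import struct

# IMAGE_FILE_HEADER.Machine values from the PE/COFF specification
MACHINE_NAMES = {0x014C: "x86", 0x8664: "x64", 0x01C4: "ARMNT", 0xAA64: "ARM64"}


def pe_machine(data: bytes) -> int:
    """Return the Machine field from the COFF file header of a PE image.

    Raises ValueError if the buffer is not a well-formed PE image.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("missing DOS header / MZ signature")
    # e_lfanew (file offset of the PE signature) sits at DOS header offset 0x3C
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    # 'PE\0\0' (4 bytes) plus IMAGE_FILE_HEADER (20 bytes) must fit in the buffer
    if e_lfanew + 24 > len(data):
        raise ValueError("e_lfanew points outside the buffer")
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # Machine is the first WORD of IMAGE_FILE_HEADER, directly after the signature
    (machine,) = struct.unpack_from("<H", data, e_lfanew + 4)
    return machine


def describe_arch(data: bytes) -> str:
    """Human-readable architecture, or an 'invalid PE: ...' string for bad input."""
    try:
        machine = pe_machine(data)
    except ValueError as exc:
        return f"invalid PE: {exc}"
    return MACHINE_NAMES.get(machine, f"unknown machine 0x{machine:04X}")


def build_stub_pe(machine: int) -> bytes:
    """Constructed minimal PE-shaped buffer for testing (not a loadable image)."""
    e_lfanew = 0x80
    dos = bytearray(b"MZ" + b"\0" * (e_lfanew - 2))
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    file_header = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, 0, 0)
    return bytes(dos) + b"PE\0\0" + file_header


def arch_of_file(path: str) -> str:
    """Report the architecture of an on-disk executable, e.g. a browser binary."""
    with open(path, "rb") as fh:
        return describe_arch(fh.read())
```

Because the value comes from the file on disk rather than from a process query, the result is the same whether the browser runs natively or under x64 emulation on ARM64.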

Release v0.19.0

01 Feb 17:41

v0.19.0

  • C2 Framework Compatibility (Embedded Payload): Replaced Windows PE resource loading with compile-time embedded payload for enhanced compatibility with C2 frameworks and reflective loaders.

    • The encrypted payload DLL is now embedded as a constexpr byte array in a generated C++ header (payload_data.hpp).
    • Eliminates the dependency on the FindResource/LoadResource Win32 APIs, which require a loader-registered module handle that is unavailable in BOF (COFF), reflective-loading, and shellcode contexts.
    • Enables direct memory access to payload data without PE resource parsing.
  • Bug Fix: Profile Processing Crash: Fixed a crash that occurred during profile enumeration on certain systems.

    • Removed the non-essential folder size calculation to eliminate this crash vector entirely.

Release v0.18.1

24 Jan 15:19

v0.18.1

  • Edge Copilot/Aster Key Extraction: Added extraction and display of Edge's secondary App-Bound Encryption key (aster_app_bound_encrypted_key).

    • This key is used by Edge for encrypting imported passwords and Copilot-related data when server-side feature flags are enabled.
    • Extracted via IElevator interface and displayed as ASTER_KEY: in IPC output alongside the primary key.
  • Brave IElevator2 Support: Brave now uses Chrome's IElevator2Chrome interface for forward compatibility.

    • Brave's elevation service exposes Chrome's IElevator2Chrome IID: {1BF5208B-295F-4992-B5F4-3A9BB6494838}
    • Same vtable layout as Chrome (DecryptData at offset 40).
  • Edge IElevator2 Support: Added Microsoft Edge's IElevator2 interface for forward compatibility (Edge 144+).

    • New IID: {8F7B6792-784D-4047-845D-1782EFBEF205}
    • Edge now follows the same IElevator2 → IElevator fallback pattern as Chrome/Brave.
    • Note: Edge's interface chain differs (includes IElevatorEdgeBase), with DecryptData at offset 64 vs 40 for Chrome/Brave.

Release v0.18.0

11 Jan 20:41

v0.18.0

  • IElevator2 Interface Support: Added forward-compatible support for Chrome's new IElevator2 COM interface (chromium/chromium@4962049).

    • Chrome 144+ introduces IElevator2 as a replacement for the legacy IElevator interface used in App-Bound Encryption.
    • ChromElevator now attempts IElevator2 first (when available), with automatic fallback to IElevator for older Chrome versions.
    • This ensures continued operation across Chrome 143 (legacy), Chrome 144+ (transition period), and future versions (when IElevator is removed).
    • New Chrome IElevator2 IID: {1BF5208B-295F-4992-B5F4-3A9BB6494838}
    • Brave Browser support is prepared with a placeholder for Brave's upcoming IElevator2 adoption.
    • Edge remains unchanged (uses different interface chain).
  • Chrome Beta Channel Support: Added Chrome Beta as a separate browser target.

    • Use --target chrome-beta; Chrome Beta is also included in the all scan.
    • Separate CLSID/IID configuration for Chrome Beta's elevation service.
    • IElevator2 support included for Chrome Beta 144+.
  • Improved Browser Discovery: Enhanced syscall-based registry lookups with fallback paths.

Release v0.17.4

06 Jan 22:08

v0.17.4

  • Brave Cookie Extraction: Attempt at fixing cookie extraction returning 0 results for the Brave browser.
    • Decrypted Chrome cookie values carry a 32-byte metadata header; Brave's sometimes do not. Extraction now handles both formats.
  • Cookie JSON Output: Added is_secure and is_httponly boolean fields to cookie output.
  • Account-Synced Password Extraction: Added support for extracting passwords from Login Data For Account database.
    • These are passwords synced via browser account (separate from locally-stored passwords).
    • Outputs to passwords_account.json in each profile directory.

v0.17.3 - Santa's Little Helper Release!

04 Jan 01:07

v0.17.3

  • Locked SQLite Access via Handle Duplication: Added syscall-based handle enumeration and duplication to access browser SQLite databases without terminating processes.
    • Duplicates open database file handles into the payload process and extracts from a temporary copy.
    • Prevents failures caused by active file locks, especially on the Cookies database.
  • Extended Syscall Coverage: Added direct syscall support for handle and file operations (NtDuplicateObject, NtQuerySystemInformation, NtQueryObject, NtReadFile, NtQueryInformationFile, NtSetInformationFile).
  • Extraction Flow Change: Removed browser network-service termination logic in favor of non-intrusive live-process extraction.

v0.17.2 - Santa's Little Helper Release!

01 Jan 22:21

v0.17.2

  • Browser Process Termination: Added -k/--kill flag to terminate all running browser processes before extraction.
    • Uses direct syscalls (NtTerminateProcess, NtGetNextProcess, NtOpenProcess) for process termination.
    • Automatically terminates child processes to release file locks on SQLite databases.

v0.17.1 - Santa's Little Helper Release!

25 Dec 10:51

v0.17.1

  • Google Auth Token Extraction: Added support for extracting Google OAuth2 Refresh Tokens.
    • Extracts and decrypts tokens used for Chrome Sync and Google services.
    • Outputs to tokens.json in the browser profile directory.
  • Cookie Extraction: Added expires timestamp and path fields to the cookie extraction output, enabling identification of expired cookies.

v0.17.0 - Santa's Little Helper Release!

24 Dec 22:06

v0.17.0

  • Full Codebase Refactor: Completely rewrote the project into a modern, modular C++ architecture.
  • Compile-Time Key Derivation: Eliminated static encryption keys from the binary.
    • Keys derived at compile-time from version tag + build date via FNV-1a/MurmurHash3 cascade.
    • Each build produces unique encryption keys automatically.
  • Hash-Based Syscall Resolution: Eliminated plaintext syscall names from the binary.
    • All syscall names replaced with compile-time DJB2 hashes.
  • Reflective Loader Enhancements:
    • PE Header Destruction: After payload mapping, PE headers (MZ/PE signatures) are overwritten with pseudo-random data.
    • Syscall-Based Memory Operations: Now uses direct syscalls for NtAllocateVirtualMemory and NtProtectVirtualMemory.
  • Enhanced Fingerprint Extraction: More comprehensive browser metadata collection (-f flag).
  • Redesigned Console Output: Cleaner visual hierarchy with box-drawing tree structure.

Release v0.16.1

02 Nov 14:09

v0.16.1

  • New Feature: IBAN Extraction: Added support for extracting International Bank Account Numbers (IBANs) (thanks raphaelthief!)
    • Extracts encrypted IBAN values and associated nicknames.
    • Outputs to iban.json in the browser profile directory.