Extracts browser-stored data such as refresh tokens, cookies, saved credentials, credit cards, autofill entries, browsing history, and bookmarks from modern Chromium-based and Gecko-based browsers (Chrome, Microsoft Edge, Firefox, Opera, Opera GX, and Vivaldi).
Malware Development Course Syllabus
Offensive Phishing Operations Course Syllabus
Ransomware Internals, Simulation and Detection Course Syllabus
This project is an improved version of DumpChromeSecrets, and similarly consists of two components:
- Executable (
DumpBrowserSecrets.exe)
Creates a headless Chromium process, injects the DLL via Early Bird APC injection, and receives extracted decryption keys. These keys are either App-Bound (extracted from Chrome, Brave, and Microsoft Edge) or DPAPI keys (used by Opera, Opera GX, and Vivaldi). Once the required keys have been recovered, this executable parses the browser's SQLite databases and JSON files on disk and decrypts the stored data, including credentials, cookies, tokens, and other browsing data.
Additionally, when targeting non-Chromium-based browsers (e.g., Firefox), DumpBrowserSecrets.exe handles all the required steps for data extraction and decryption (without DLL-Injection).
- DLL (
DllExtractChromiumSecrets.dll)
Runs inside Chromium browsers to decrypt the App-Bound encryption key using the IElevator COM interface. It leverages the IElevator COM interface to decrypt the App-Bound encryption key and retrieves the decrypted values of app_bound_encrypted_key and encrypted_key from the targeted browser's Local State file. These values are then returned to the executable, which performs all extraction operations.
Note
Unlike the DumpChromeSecrets project, this implementation performs all browser data extraction in the DumpBrowserSecrets.exe executable, while the DLL is limited to retrieving encryption keys from Chromium-based browsers.
Below are some of the most notable features provided:
- Compile-time string obfuscation and API hashing to evade static analysis.
- PPID & argument spoofing via
NtCreateUserProcesswith manual CSRSS registration. - Custom SQLite3 file format parser (
SQLoot), replacing sqlite-amalgamation in > v1.1.1. - Handle duplication to bypass file locks held by running browsers.
- Encrypted output packs for offline decryption using a user-defined signature.
Usage: DumpBrowserSecrets.exe [options]
Extraction Options:
/b:<browser> Target Browser: Chrome, Edge, Brave, Opera, Operagx, Vivaldi, Firefox, All
Can Be Specified Multiple Times
/enc:<sig> Encrypt JSON Output With Signature (1-8 Bytes)
/spoof Enable Argument and PPID Spoofing When Retrieving ABE Keys
/e:<count> Max Extracted Entries Per Category (Default: 16, 'all' For No Limit)
Decryption Options:
/dec:<sig> Decrypt Mode With The Same Signature Used When Encrypting(1-8 Bytes)
/i <file> Input Encrypted Pack File (Required For Decryption)
/? Show This Help Message
Examples:
DumpBrowserSecrets.exe Extract 16 Entries From The Default Browser
DumpBrowserSecrets.exe /b:chrome /b:edge /spoof /e:100 Extract 100 Entries From Chrome And Edge With PPID Spoofing
DumpBrowserSecrets.exe /b:firefox /e:all /enc:SIG213 Extract All Entries From FireFox To Encrypted Pack
DumpBrowserSecrets.exe /b:all /e:all /enc:0xCAFEBABE Extract All Entries From All Browsers To Encrypted Pack
DumpBrowserSecrets.exe /dec:0xCAFEBABE /i EncPack-XXXXX.bin Decrypt Pack File To JSON Files
The tables below showcase the exact data locations, formats, and encryption models used by each supported browser.
| Data Type | Database Path | Format | Encryption |
|---|---|---|---|
| Cookies | %LOCALAPPDATA%\Google\Chrome\User Data\Default\Network\Cookies |
SQLite | V20 |
| Logins | %LOCALAPPDATA%\Google\Chrome\User Data\Default\Login Data |
SQLite | V20 |
| Credit Cards | %LOCALAPPDATA%\Google\Chrome\User Data\Default\Web Data |
SQLite | V20 |
| Tokens | %LOCALAPPDATA%\Google\Chrome\User Data\Default\Web Data |
SQLite | V20 |
| Autofill | %LOCALAPPDATA%\Google\Chrome\User Data\Default\Web Data |
SQLite | Unencrypted |
| History | %LOCALAPPDATA%\Google\Chrome\User Data\Default\History |
SQLite | Unencrypted |
| Bookmarks | %LOCALAPPDATA%\Google\Chrome\User Data\Default\Bookmarks |
JSON | Unencrypted |
| Data Type | Database Path | Format | Encryption |
|---|---|---|---|
| Cookies | %LOCALAPPDATA%\Microsoft\Edge\User Data\Default\Network\Cookies |
SQLite | V20 |
| Logins | %LOCALAPPDATA%\Microsoft\Edge\User Data\Default\Login Data |
SQLite | V20 |
| Credit Cards | %LOCALAPPDATA%\Microsoft\Edge\User Data\Default\Web Data |
SQLite | V20 |
| Tokens | %LOCALAPPDATA%\Microsoft\Edge\User Data\Default\Web Data |
SQLite | X |
| Autofill | %LOCALAPPDATA%\Microsoft\Edge\User Data\Default\Web Data |
SQLite | Unencrypted |
| History | %LOCALAPPDATA%\Microsoft\Edge\User Data\Default\History |
SQLite | Unencrypted |
| Bookmarks | %LOCALAPPDATA%\Microsoft\Edge\User Data\Default\Bookmarks |
JSON | Unencrypted |
| Data Type | Database Path | Format | Encryption |
|---|---|---|---|
| Cookies | %LOCALAPPDATA%\BraveSoftware\Brave-Browser\User Data\Default\Network\Cookies |
SQLite | V20 |
| Logins | %LOCALAPPDATA%\BraveSoftware\Brave-Browser\User Data\Default\Login Data |
SQLite | V20 |
| Credit Cards | %LOCALAPPDATA%\BraveSoftware\Brave-Browser\User Data\Default\Web Data |
SQLite | V20 |
| Tokens | %LOCALAPPDATA%\BraveSoftware\Brave-Browser\User Data\Default\Web Data |
SQLite | X |
| Autofill | %LOCALAPPDATA%\BraveSoftware\Brave-Browser\User Data\Default\Web Data |
SQLite | Unencrypted |
| History | %LOCALAPPDATA%\BraveSoftware\Brave-Browser\User Data\Default\History |
SQLite | Unencrypted |
| Bookmarks | %LOCALAPPDATA%\BraveSoftware\Brave-Browser\User Data\Default\Bookmarks |
JSON | Unencrypted |
| Data Type | Database Path | Format | Encryption |
|---|---|---|---|
| Cookies | %APPDATA%\Opera Software\Opera Stable\Default\Network\Cookies |
SQLite | V10 |
| Logins | %APPDATA%\Opera Software\Opera Stable\Default\Login Data |
SQLite | V10 |
| Credit Cards | %APPDATA%\Opera Software\Opera Stable\Default\Web Data |
SQLite | V10 |
| Tokens | %APPDATA%\Opera Software\Opera Stable\Default\Web Data |
SQLite | V10 + Base64 |
| Autofill | %APPDATA%\Opera Software\Opera Stable\Default\Web Data |
SQLite | Unencrypted |
| History | %APPDATA%\Opera Software\Opera Stable\Default\History |
SQLite | Unencrypted |
| Bookmarks | %APPDATA%\Opera Software\Opera Stable\Default\Bookmarks |
JSON | Unencrypted |
| Data Type | Database Path | Format | Encryption |
|---|---|---|---|
| Cookies | %APPDATA%\Opera Software\Opera GX Stable\Default\Network\Cookies |
SQLite | V10 |
| Logins | %APPDATA%\Opera Software\Opera GX Stable\Default\Login Data |
SQLite | V10 |
| Credit Cards | %APPDATA%\Opera Software\Opera GX Stable\Default\Web Data |
SQLite | V10 |
| Tokens | %APPDATA%\Opera Software\Opera GX Stable\Default\Web Data |
SQLite | V10 + Base64 |
| Autofill | %APPDATA%\Opera Software\Opera GX Stable\Default\Web Data |
SQLite | Unencrypted |
| History | %APPDATA%\Opera Software\Opera GX Stable\Default\History |
SQLite | Unencrypted |
| Bookmarks | %APPDATA%\Opera Software\Opera GX Stable\Default\Bookmarks |
JSON | Unencrypted |
| Data Type | Database Path | Format | Encryption |
|---|---|---|---|
| Cookies | %LOCALAPPDATA%\Vivaldi\User Data\Default\Network\Cookies |
SQLite | V10 |
| Logins | %LOCALAPPDATA%\Vivaldi\User Data\Default\Login Data |
SQLite | V10 |
| Credit Cards | %LOCALAPPDATA%\Vivaldi\User Data\Default\Web Data |
SQLite | V10 |
| Tokens | %LOCALAPPDATA%\Vivaldi\User Data\Default\Web Data |
SQLite | X |
| Autofill | %LOCALAPPDATA%\Vivaldi\User Data\Default\Web Data |
SQLite | Unencrypted |
| History | %LOCALAPPDATA%\Vivaldi\User Data\Default\History |
SQLite | Unencrypted |
| Bookmarks | %LOCALAPPDATA%\Vivaldi\User Data\Default\Bookmarks |
JSON | Unencrypted |
| Data Type | File / Database Path | Format | Encryption |
|---|---|---|---|
| Cookies | %APPDATA%\Mozilla\Firefox\Profiles\<profile>\cookies.sqlite |
SQLite | Unencrypted |
| Logins | %APPDATA%\Mozilla\Firefox\Profiles\<profile>\logins.json |
JSON | AES‑256‑CBC or 3DES‑CBC |
| Tokens | %APPDATA%\Mozilla\Firefox\Profiles\<profile>\signedInUser.json |
JSON | Unencrypted |
| Autofill | %APPDATA%\Mozilla\Firefox\Profiles\<profile>\formhistory.sqlite |
SQLite | Unencrypted |
| History | %APPDATA%\Mozilla\Firefox\Profiles\<profile>\places.sqlite |
SQLite | Unencrypted |
| Bookmarks | %APPDATA%\Mozilla\Firefox\Profiles\<profile>\places.sqlite |
SQLite | Unencrypted |
- Manual CSRSS process registration implementation from NtCreateUserProcess-Post
- Chromme IElevator COM interface research from snovvcrash's gist
- Edge & Brave IElevator COM interface research from Chrome-App-Bound-Encryption-Decryption
- luci4 for technical guidance
- SQLite amalgamation from sqlite.org In <= v1.1.1
