package main
import (
"database/sql"
"fmt"
"os"
"io/ioutil"
"encoding/json"
"encoding/base64"
"syscall"
"unsafe"
"crypto/aes"
"crypto/cipher"
_ "github.com/mattn/go-sqlite3"
)
type DATA_BLOB struct {
cbData uint32
pbData *byte
}
func NewBlob(d []byte) *DATA_BLOB {
if len(d)==0 {
return &DATA_BLOB{}
}
b:=&DATA_BLOB{
pbData:&d[0],
cbData:uint32(len(d)),
}
return b
}
func (b *DATA_BLOB) ToByteArray() []byte {
d:=make([]byte, b.cbData)
copy(d, (*[1 << 30]byte)(unsafe.Pointer(b.pbData))[:])
return d
}
func dpapi_decrypt(encrypted []byte)([]byte, error){
dllcrypt32:=syscall.NewLazyDLL("Crypt32.dll")
dllkernel32:=syscall.NewLazyDLL("Kernel32.dll")
procDecryptData:=dllcrypt32.NewProc("CryptUnprotectData")
procLocalFree:=dllkernel32.NewProc("LocalFree")
var outblob DATA_BLOB
r,_,err:=procDecryptData.Call(uintptr(unsafe.Pointer(NewBlob(encrypted))), 0, 0, 0, 0,0x1, uintptr(unsafe.Pointer(&outblob)))
if r==0 {
return nil, err
}
defer procLocalFree.Call(uintptr(unsafe.Pointer(outblob.pbData)))
return outblob.ToByteArray(), err
}
func aesGCMDecrypt(data []byte, key []byte, iv []byte) []byte {
block,_:=aes.NewCipher(key)
aesGcm,_:=cipher.NewGCM(block)
plaintext,_:=aesGcm.Open(nil,iv,data, nil)
return plaintext
}
func aes_decrypt(encrypted_txt string)([]byte,){
key_file,_:=os.OpenFile(os.Getenv("LOCALAPPDATA")+ "\\Microsoft\\Edge\\User Data\\Local State",os.O_RDONLY,os.ModePerm)
defer key_file.Close()
key_data,_:=ioutil.ReadAll(key_file)
dynamic:=make(map[string]interface{})
json.Unmarshal([]byte(string(key_data)),&dynamic)
encrypted_key,_:=base64.StdEncoding.DecodeString(dynamic["os_crypt"].(map[string]interface{})["encrypted_key"].(string))
encrypted_key=encrypted_key[5:]//去掉DPAPI后的加密key
key,_:=dpapi_decrypt(encrypted_key)//解密后的key
nonce:=encrypted_txt[3:15]//AES随机12位vi
decryptor:=aesGCMDecrypt([]byte(encrypted_txt[15:]),key,[]byte(nonce))
return decryptor
}
/*前缀处理*/
func chrome_decrypt (encrypted_txt string)[]byte{
var decrypted_txt []byte
if encrypted_txt[:3]=="v10"{
decrypted_txt=aes_decrypt(encrypted_txt)
}
if encrypted_txt[:4]=="DPAP"{
decrypted_txt,_=dpapi_decrypt([]byte(encrypted_txt))
}
return decrypted_txt
}
func get_cookies_from_chrome(domain string)([]map[string]string){
query:=`SELECT name, encrypted_value as value,host_key as domain, path FROM cookies where host_key like `+`"%`+domain+`%"`
fmt.Println(query)
var file string
if _,err:=os.Stat(os.Getenv("LOCALAPPDATA")+"\\Microsoft\\Edge\\User Data\\Default\\Network\\Cookies");err==nil{
file=os.Getenv("LOCALAPPDATA")+"\\Microsoft\\Edge\\User Data\\Default\\Network\\Cookies"
}else if _,err:=os.Stat(os.Getenv("LOCALAPPDATA")+"\\Microsoft\\Edge\\User Data\\Profile 3\\Network\\Cookies");err==nil{
file=os.Getenv("LOCALAPPDATA")+"\\Microsoft\\Edge\\User Data\\Profile 3\\Network\\Cookies"
}
fmt.Println(file)
db,_:= sql.Open("sqlite3", file)
defer db.Close()
rows,_:= db.Query(query)
defer rows.Close()
var cookies []map[string]string
for rows.Next() {
var name,value,domain,path string
rows.Scan(&name, &value, &domain, &path)
if name != "" && value != ""{
cc_data_tmp:=make(map[string]string)
cc_data_tmp["name"]=name
cc_data_tmp["vlaue"]=string(chrome_decrypt(value))
cc_data_tmp["doamin"]=domain
cc_data_tmp["path"]=path
cookies=append(cookies,cc_data_tmp)
}
}
return cookies
}
func main() {
//fmt.Println(get_cookies_from_chrome(".hao123.com")[0]["vlaue"])
for _,v:=range get_cookies_from_chrome(".hao123.com"){
fmt.Println(v)
}
}
( 粤ICP备18085999号-1 | 粤公网安备 44051102000585号)
狗仔卡
发表于 2022-12-20 22:56:50
置顶卡
千斤顶
显身卡
一看就是个高手