CookieKatz is a project that allows operators to dump cookies from Chrome, Edge or Msedgewebview2 directly from the process memory. Chromium based browsers load all their cookies from the on-disk cookie database on startup.
The benefits of this approach are:
- Support dumping cookies from Chrome's Incogntio and Edge's In-Private processes
- Access cookies of other user's browsers when running elevated
- Dump cookies from webview processes
- No need to touch on-disk database file
- DPAPI keys not needed to decrypt the cookies
- Parse cookies offline from a minidump file
On the negative side, even as the method of finding the correct offsets in the memory are currently stable and work on multiple different versions, it will definitely break at some point in the future. 32bit browser installations are not supported and 32bit builds of CookieKatz are not supported either.
Currently only regular cookies are dumped. Chromium stores Partitioned Cookies in a different place and they are currently not included in the dump.
This solution consists of three projects, CookieKatz that is a PE executable, CookieKatz-BOF that is a Beacon Object File version and CookieKatzMinidump which is the minidump parser.
Build and Install
Download the latest release build of the CookieKatz-BOF here. The zip file includes compiled BOFs and the CNA script to run them.
Build your own
You may build both projects on Visual Studio with Release or Debug configuration and x64 platform.
BOF version has been developed with Cobalt Strike's Visual Studio template bof-vs. This means that Debug configuration for the CookieKatz-BOF will generate an exe instead of the COFF file. You can read more about the use of the Visual Studio template here.
You can compile your own BOF with nmake in x64 Native Tools Command Prompt for VS 2022:
Usage
NOTE! When choosing using PID to target, use commands /list or cookie-katz-find respectively to choose the right subprocess!
CookieKatz
Examples:
.\CookieKatz.exe
By default targets first available Chrome process
.\CookieKatz.exe /edge
Targets first available Edge process
.\CookieKatz.exe /pid:<pid>
Attempts to target given pid, expecting it to be Chrome
.\CookieKatz.exe /webview /pid:<pid>
Targets the given msedgewebview2 process
.\CookieKatz.exe /list /webview
Lists available webview processes
Flags:
/edge Target current user Edge process
/webview Target current user Msedgewebview2 process
/pid Attempt to dump given pid, for example, someone else's if running elevated
/list List targettable processes, use with /edge or /webview to target other browsers
/help This what you just did! -h works as well
CookieKatz-BOF
beacon> help cookie-katz
Dump cookies from Chrome or Edge
Use: cookie-katz [chrome|edge|webview] [pid]
beacon> help cookie-katz-find
Find processes for Cookie-Katz
Use: cookie-katz-find [chrome|edge|webview]
CookieKatzMinidump
Usage:
CookieKatzMinidump.exe <Path_to_minidump_file>
Example:
.\CookieKatzMinidump.exe .\msedge.DMP
To target correct process for creating the minidump, you can use the following PowerShell command:
Get-WmiObject Win32_Process | where {$_.CommandLine -match 'network.mojom.NetworkService'} | select -Property Name,ProcessId