Chrome-App-Bound-Encryption-Decryption

ChromElevator _{^{(Chrome App-Bound Encryption Decryption)}}

🚀 Overview

A post-exploitation tool demonstrating a complete, in-memory bypass of Chromium's App-Bound Encryption (ABE). This project utilizes Direct Syscall-based Reflective Process Hollowing to launch a legitimate browser process in a suspended state, stealthily injecting a payload to hijack its identity and security context. This Living-off-the-Land (LOTL) technique subverts the browser's own security model. The fileless approach allows the tool to operate entirely from memory, bypassing user-land API hooks to decrypt and exfiltrate sensitive user data (cookies, passwords, payments) from modern Chromium browsers.

If you find this research valuable, I'd appreciate a coffee:

🛡️ Core Technical Pillars

This tool's effectiveness is rooted in a combination of modern, evasion-focused techniques:

• Direct Syscalls for Evasion: Bypasses EDR/AV user-land hooks on standard WinAPI functions by invoking kernel functions directly. The engine dynamically resolves syscall numbers at runtime using Hell's Gate technique with hash-based function matching (no plaintext syscall names in the binary).

• Direct Syscall-Based Process Hollowing: A stealthy process creation and injection technique. Instead of injecting into a high-traffic, potentially monitored process, it creates a new, suspended host process. This significantly reduces the chances of detection, as all memory manipulations occur before the process begins normal execution.

• Fileless In-Memory Payload: The payload DLL never touches the disk on the target machine. It is embedded as a ChaCha20-encrypted compile-time byte array with compile-time derived keys, decrypted in-memory, and reflectively loaded, minimizing its forensic footprint and bypassing static file-based scanners.

• Reflective DLL Injection (RDI): A stealthy process injection method that circumvents LoadLibrary for the main payload, thereby evading detection mechanisms that monitor module loads. The self-contained bootstrap loader maps PE sections, performs relocations, and resolves imports from memory.

• Target-Context COM Invocation: The lynchpin for defeating App-Bound Encryption. By executing code within the trusted browser process, we inherit its identity and security context, allowing us to make legitimate-appearing calls to the ABE COM server and satisfy its path-validation security checks.

⚙️ Features