ChromElevator (Chrome App-Bound Encryption Decryption)
🚀 Overview

A post-exploitation tool demonstrating a complete, in-memory bypass of Chromium's App-Bound Encryption (ABE). This project utilizes Direct Syscall-based Reflective Process Hollowing to launch a legitimate browser process in a suspended state, stealthily injecting a payload to hijack its identity and security context. This Living-off-the-Land (LOTL) technique subverts the browser's own security model. The fileless approach allows the tool to operate entirely from memory, bypassing user-land API hooks to decrypt and exfiltrate sensitive user data (cookies, passwords, payments) from modern Chromium browsers.
If you find this research valuable, I'd appreciate a coffee:

🛡️ Core Technical Pillars
This tool's effectiveness is rooted in a combination of modern, evasion-focused techniques:
- Direct Syscalls for Evasion: Bypasses EDR/AV user-land hooks on standard WinAPI functions by invoking kernel functions directly. The engine dynamically resolves syscall numbers at runtime using the Hell's Gate technique with hash-based function matching (no plaintext syscall names in the binary).
- Direct Syscall-Based Process Hollowing: A stealthy process creation and injection technique. Instead of injecting into a high-traffic, potentially monitored process, it creates a new, suspended host process. This significantly reduces the chances of detection, as all memory manipulations occur before the process begins normal execution.
- Fileless In-Memory Payload: The payload DLL never touches the disk on the target machine. It is embedded as a ChaCha20-encrypted compile-time byte array with compile-time derived keys, decrypted in memory, and reflectively loaded, minimizing its forensic footprint and bypassing static file-based scanners.
- Reflective DLL Injection (RDI): A stealthy process injection method that circumvents LoadLibrary for the main payload, thereby evading detection mechanisms that monitor module loads. The self-contained bootstrap loader maps PE sections, performs relocations, and resolves imports from memory.
- Target-Context COM Invocation: The linchpin for defeating App-Bound Encryption. By executing code within the trusted browser process, we inherit its identity and security context, allowing us to make legitimate-appearing calls to the ABE COM server and satisfy its path-validation security checks.
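A detection-side counterpart to the reflective loading and module-load evasion described above, added here as an example and not part of ChromElevator: it applies the classic memory-scan heuristic (executable memory with no backing image, and a PE header sitting in private memory) to region records. The records are constructed sample data standing in for what VirtualQueryEx and ReadProcessMemory would return for a browser process.

```python
"""Heuristic memory-map scan for reflectively loaded PEs (added example)."""
from dataclasses import dataclass

# Protection and region-type constants as defined in winnt.h
PAGE_EXECUTE, PAGE_EXECUTE_READ = 0x10, 0x20
PAGE_EXECUTE_READWRITE, PAGE_EXECUTE_WRITECOPY = 0x40, 0x80
PAGE_READONLY, PAGE_READWRITE = 0x02, 0x04
EXECUTABLE = {PAGE_EXECUTE, PAGE_EXECUTE_READ, PAGE_EXECUTE_READWRITE, PAGE_EXECUTE_WRITECOPY}
MEM_PRIVATE, MEM_IMAGE = 0x20000, 0x1000000


@dataclass
class Region:
    base: int
    size: int
    protect: int       # MEMORY_BASIC_INFORMATION.Protect
    region_type: int   # MEM_PRIVATE / MEM_MAPPED / MEM_IMAGE
    mapped_path: str   # backing file for MEM_IMAGE regions, "" otherwise
    head: bytes        # first bytes of the region, as read from the process


def suspicious_reasons(region: Region) -> list[str]:
    """Return why a region looks like a reflectively loaded module (empty if clean)."""
    reasons = []
    # Low byte holds the protection; upper bits are modifiers such as PAGE_GUARD.
    if (region.protect & 0xFF) in EXECUTABLE and region.region_type != MEM_IMAGE:
        # Weak signal on its own: a browser's JIT also allocates private executable memory.
        reasons.append("executable memory not backed by an image file")
    if region.region_type == MEM_PRIVATE and region.head[:2] == b"MZ":
        # Strong signal: a DOS/PE header in private memory was never mapped by the loader.
        reasons.append("PE header ('MZ') in private memory")
    return reasons


def scan(regions: list[Region]) -> dict[str, list[str]]:
    """Map each flagged region (base address as hex) to its reasons."""
    return {hex(r.base): rs for r in regions if (rs := suspicious_reasons(r))}


# Constructed sample map: a legitimate image, a heap, a JIT code page and an injected PE.
SAMPLE_REGIONS = [
    Region(0x7FF600000000, 0x1000, PAGE_READONLY, MEM_IMAGE, r"C:\Program Files\Google\Chrome\Application\chrome.exe", b"MZ\x90\x00"),
    Region(0x1A2B0000, 0x10000, PAGE_READWRITE, MEM_PRIVATE, "", b"\x00\x00\x00\x00"),
    Region(0x2C3D0000, 0x20000, PAGE_EXECUTE_READWRITE, MEM_PRIVATE, "", b"\x48\x89\x5c\x24"),
    Region(0x3E4F0000, 0x40000, PAGE_EXECUTE_READWRITE, MEM_PRIVATE, "", b"MZ\x90\x00"),
]

if __name__ == "__main__":
    for base, reasons in scan(SAMPLE_REGIONS).items():
        print(base, "->", "; ".join(reasons))
```

Because Chromium's JIT legitimately produces private executable regions, the first rule alone is noisy; treating the PE-header hit (or a region whose bytes parse as a full PE) as the high-confidence indicator keeps false positives manageable.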
⚙️ Features