
We write a stealer. How to get your hands on Chrome and Firefox passwords.


Jul 12, 2021
The content of the article
  • 1. What will the antivirus say?
  • 2. Chrome
  • 3. Firefox
  • 4. Network Security Services (NSS)
  • 5. Conclusion

Browsers based on Chrome or Firefox store usernames and passwords encrypted in a SQLite database. This DBMS is compact and is distributed free of charge under a free license. The same goes for the browsers we are considering: all their code is open and well documented, which will undoubtedly help us.
The example stealer module that I will provide in the article actively uses the CRT and other third-party libraries and dependencies, such as sqlite.h. If you want compact code without dependencies, you will have to rework it a little, get rid of some functions and tune the compiler properly.

What will the antivirus say?
When advertising their products, virus writers often draw the attention of potential buyers to the fact that at the moment their stealer is not detected by antivirus software.
Here you need to understand that all modern and more or less serious viruses and Trojans have a modular structure in which each module is responsible for something different: one module collects passwords, the second prevents debugging and emulation, the third determines whether it is running in a virtual machine, the fourth obfuscates WinAPI calls, the fifth deals with the firewall built into the OS.
So whether a certain method is detected by an antivirus can only be judged for a complete "combat" application, not for a separate module.

Let's start with Chrome. First, let's get the file that stores user accounts and passwords. On Windows, it is located at this path:

C:\Users\%username%\AppData\Local\Google\Chrome\User Data\Default\Login Data

To work with this file, you need to either kill all browser processes, which the user will notice, or copy the database file somewhere else and work with the copy.

Let's write a...

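A defender-side check for the access pattern described in the Chrome section (a process other than the browser reading or copying `Login Data`, possibly right after killing the browser), added here as an example and not part of the original post. The normalised event format, the browser install path and the 30-second correlation window are assumptions.

```python
import re
from ntpath import basename  # Windows path parsing that works on any host OS

# Assumption: file-access and process telemetry is already normalised to dicts
# with these hypothetical keys: ts (seconds), op, actor (image path), target.
# The pattern accepts any profile directory and both spellings of "User Data".
LOGIN_DATA = re.compile(
    r"\\AppData\\Local\\Google\\Chrome\\User ?Data\\[^\\]+\\Login Data$", re.I)
# Assumption: where the browser is installed on the monitored hosts.
BROWSER_IMAGES = {r"c:\program files\google\chrome\application\chrome.exe"}
KILL_WINDOW = 30  # seconds between a browser kill and the store access

def triage(events):
    """Return alerts for non-browser access to the Chrome credential store."""
    alerts, kills = [], {}  # kills: actor image -> time it last ended chrome.exe
    for ev in sorted(events, key=lambda e: e["ts"]):
        actor = ev["actor"].lower()
        if ev["op"] == "terminate" and basename(ev["target"]).lower() == "chrome.exe":
            if actor not in BROWSER_IMAGES:
                kills[actor] = ev["ts"]
        elif ev["op"] in ("read", "copy") and LOGIN_DATA.search(ev["target"]):
            if actor in BROWSER_IMAGES:
                continue  # the browser reading its own store is expected
            # Same actor killed the browser shortly before: raise severity.
            killed = ev["ts"] - kills.get(actor, float("-inf")) <= KILL_WINDOW
            alerts.append({"ts": ev["ts"], "actor": ev["actor"], "op": ev["op"],
                           "severity": "high" if killed else "medium"})
    return alerts

# Constructed sample events (not taken from any real host).
STORE = r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"
CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
SAMPLE = [
    {"ts": 100, "op": "read", "actor": CHROME, "target": STORE},
    {"ts": 205, "op": "copy", "actor": r"C:\Users\alice\Downloads\tool.exe", "target": STORE},
    {"ts": 300, "op": "terminate", "actor": r"C:\Temp\x.exe", "target": CHROME},
    {"ts": 310, "op": "read", "actor": r"C:\Temp\x.exe", "target": STORE},
    {"ts": 400, "op": "read", "actor": r"C:\Temp\x.exe",
     "target": r"C:\Users\alice\Documents\Login Data"},
]

if __name__ == "__main__":
    for alert in triage(SAMPLE):
        print(alert)
```

Matching on the full image path rather than the file name alone keeps a renamed binary called `chrome.exe` in another directory from passing as the browser.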