diff --git a/CookieKatz-BOF/ChromeKatz/Process.cpp b/CookieKatz-BOF/ChromeKatz/Process.cpp
index 0411681..29dfed3 100644
--- a/CookieKatz-BOF/ChromeKatz/Process.cpp
+++ b/CookieKatz-BOF/ChromeKatz/Process.cpp
@@ -365,4 +365,19 @@ extern "C" {
 }
 return TRUE;
 }
+
+ BOOL IsWow64(HANDLE hProcess) {
+ BOOL isBrowserWow64 = FALSE;
+ if (!IsWow64Process(hProcess, &isBrowserWow64)) {
+ BeaconPrintf(CALLBACK_ERROR, "IsWow64Process failed for browser process, Error: %i\n", GetLastError());
+ CloseHandle(hProcess);
+ return TRUE;
+ }
+ if (isBrowserWow64) {
+ CloseHandle(hProcess);
+ return TRUE;
+ }
+
+ return FALSE;
+ }
 }
\ No newline at end of file
diff --git a/CookieKatz-BOF/CookieKatzBOF.cpp b/CookieKatz-BOF/CookieKatzBOF.cpp
index f695891..1083e42 100644
--- a/CookieKatz-BOF/CookieKatzBOF.cpp
+++ b/CookieKatz-BOF/CookieKatzBOF.cpp
@@ -57,6 +57,11 @@ extern "C" {
 banner();
 BeaconPrintf(CALLBACK_OUTPUT, "Kittens love cookies too! >:3\n");
+#ifndef _WIN64
+ BeaconPrintf(CALLBACK_OUTPUT, "32bit version is not currently supported.\n");
+ return 1;
+#endif // !_WIN64
+
 DWORD chromePid = 0;
 LPCSTR targetConfig = NULL;
 datap parser;
@@ -127,6 +132,12 @@ extern "C" {
 BeaconPrintf(CALLBACK_OUTPUT, "Targeting PID: %d\n", chromePid);
 }
+ if (IsWow64(hChrome))
+ {
+ BeaconPrintf(CALLBACK_ERROR, "Target process is 32bit. Only 64bit browsers are supported!\n");
+ return;
+ }
+
 uintptr_t baseAddress = 0;
 DWORD moduleSize = 0;
 if (!GetRemoteModuleBaseAddress(hChrome, dllName, baseAddress, &moduleSize)) {
diff --git a/CookieKatz-BOF/DFR.h b/CookieKatz-BOF/DFR.h
index a361200..b307a67 100644
--- a/CookieKatz-BOF/DFR.h
+++ b/CookieKatz-BOF/DFR.h
@@ -35,6 +35,9 @@ DFR(KERNEL32, K32GetModuleBaseNameW)
 DFR(KERNEL32, K32GetModuleInformation)
 #define K32GetModuleInformation KERNEL32$K32GetModuleInformation
+DFR(KERNEL32, IsWow64Process)
+#define IsWow64Process KERNEL32$IsWow64Process
+
 DFR(MSVCRT, memcpy)
 #define memcpy MSVCRT$memcpy
 DFR(MSVCRT, malloc)
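Review bot: In CookieKatz-BOF/ChromeKatz/Process.cpp, `IsWow64` calls `CloseHandle(hProcess);` on both paths that return TRUE, so a function that reads like a pure predicate silently takes ownership of the caller's handle. The visible call sites return immediately after a TRUE result, but any cleanup path that later closes the same handle would close it twice, and a stale handle value may by then refer to a different object; I would remove both `CloseHandle(hProcess);` lines and let the code that opened the handle close it, or at minimum state the ownership transfer in a comment on the function and its declaration. A failed `IsWow64Process` call is also returned as TRUE, which the callers then report as "Target process is 32bit", hiding the real error. `GetLastError()` returns a `DWORD`, so the format specifier should be `%lu` rather than `%i`. The same body is added in CookieKatz/Process.cpp and has the same handle-ownership and failure-reporting issues.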
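Review bot: In CookieKatz-BOF/CookieKatzBOF.cpp the `#ifndef _WIN64` guard at -57 exits with `return 1;`, while the hunk at -127 in the same file exits with a bare `return;`. The enclosing function's signature is outside both hunks, but if they sit in the same entry point and the 64-bit build compiles with `return;`, the guarded `return 1;` would fail to compile on exactly the 32-bit builds it is meant to handle; it should match the function's return type, e.g. `return;` for a void entry point. The identical guard added to CookieKatz-BOF/FindChromeProcess.cpp needs the same check. Placing the remainder of the body under `#else` would also avoid unreachable-code warnings on 32-bit builds.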
diff --git a/CookieKatz-BOF/FindChromeProcess.cpp b/CookieKatz-BOF/FindChromeProcess.cpp
index b0de545..e902423 100644
--- a/CookieKatz-BOF/FindChromeProcess.cpp
+++ b/CookieKatz-BOF/FindChromeProcess.cpp
@@ -43,6 +43,11 @@ extern "C" {
 banner();
 BeaconPrintf(CALLBACK_OUTPUT, "Kittens love cookies too! >:3\n\n");
+#ifndef _WIN64
+ BeaconPrintf(CALLBACK_OUTPUT, "32bit version is not currently supported.\n");
+ return 1;
+#endif // !_WIN64
+
 datap parser;
 BeaconDataParse(&parser, args, len);
 if (parser.original == 0)
diff --git a/CookieKatz/Main.cpp b/CookieKatz/Main.cpp
index 0e71129..ed1d1d2 100644
--- a/CookieKatz/Main.cpp
+++ b/CookieKatz/Main.cpp
@@ -50,6 +50,11 @@ int main(int argc, char* argv[]) {
 banner();
 printf("Kittens love cookies too!\n\n");
+#ifndef _WIN64
+ printf("[-] 32bit version is not currently supported.\n");
+ return 1;
+#endif // !_WIN64
+
 BOOL chrome = TRUE;
 BOOL ProcessList = FALSE;
 DWORD pid = 0;
@@ -97,6 +102,12 @@ int main(int argc, char* argv[]) {
 printf("[-] Failed to get process handle to PID: %lu\n", pid);
 return 1;
 }
+
+ if (IsWow64(hChrome))
+ {
+ printf("[-] Target process is 32bit. Only 64bit browsers are supported!\n");
+ return 1;
+ }
 }
 LPCWSTR processName;
@@ -151,6 +162,12 @@ int main(int argc, char* argv[]) {
 printf("[-] Failed to find right process\n");
 return 1;
 }
+
+ if (IsWow64(hChrome))
+ {
+ printf("[-] Target process is 32bit. Only 64bit browsers are supported!\n");
+ return 1;
+ }
 }
 #ifdef _DEBUG
 wprintf(TEXT("[*] Targeting process PID: %d\n"), pid);
diff --git a/CookieKatz/Process.cpp b/CookieKatz/Process.cpp
index 74a3a3e..c516103 100644
--- a/CookieKatz/Process.cpp
+++ b/CookieKatz/Process.cpp
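Review bot: In CookieKatz/Main.cpp the same `if (IsWow64(hChrome))` block is added twice, at -97 and at -151, and neither copy says that `hChrome` has already been closed by `IsWow64` when it returns TRUE. The surrounding branches of `main` are outside the hunks, but if both paths leave a valid `hChrome` behind, a single check placed after them would remove the duplication. If the two copies stay, each should carry a comment such as `// IsWow64 closes hChrome when it returns TRUE`, so nobody adds another `CloseHandle(hChrome)` on these exits. The message printed here also duplicates the `DebugPrint` text inside `IsWow64` in CookieKatz/Process.cpp, so builds where `DebugPrint` is active will likely report it twice.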
@@ -318,4 +318,20 @@ BOOL GetProcessHandle(DWORD pid, HANDLE* hProcess) {
 }
 *hProcess = hHandle;
 return TRUE;
+}
+
+BOOL IsWow64(HANDLE hProcess) {
+ BOOL isBrowserWow64 = FALSE;
+ if (!IsWow64Process(hProcess, &isBrowserWow64)) {
+ DebugPrintErrorWithMessage(TEXT("IsWow64Process failed for browser process"));
+ CloseHandle(hProcess);
+ return TRUE;
+ }
+ if (isBrowserWow64) {
+ DebugPrint(TEXT("[-] Target process is 32bit. Only 64bit browsers are supported!"));
+ CloseHandle(hProcess);
+ return TRUE;
+ }
+
+ return FALSE;
 }
\ No newline at end of file
diff --git a/CookieKatz/Process.h b/CookieKatz/Process.h
index d0af0de..25d24f5 100644
--- a/CookieKatz/Process.h
+++ b/CookieKatz/Process.h
@@ -6,4 +6,5 @@ BOOL FindCorrectProcessPID(LPCWSTR processName, DWORD* pid, HANDLE* hProcess);
 BOOL GetRemoteModuleBaseAddress(HANDLE hProcess, const wchar_t* moduleName, uintptr_t& baseAddress, DWORD* moduleSize);
 BOOL GetProcessHandle(DWORD pid, HANDLE* hProcess);
-BOOL GetProcessName(HANDLE hProcess, BOOL& chrome);
\ No newline at end of file
+BOOL GetProcessName(HANDLE hProcess, BOOL& chrome);
+BOOL IsWow64(HANDLE hProcess);
\ No newline at end of file