Chrome 95.X版本 解密Cookies文件

今天遇到了一个需求，需要读取chrome的cookies，以获取其他页面的登录认证信息，网上找了许多都是Chrome 80点几的解决方案，还好变动不算太大改吧了改吧，完美解决。

Dome如下

dome.py

# -*- coding=utf-8 -*-
import os
import sqlite3
import decrypt

cookie_file = os.path.expanduser(os.path.join(os.environ['LOCALAPPDATA'], r'Google\Chrome\User Data\Default\Cookies'))


def chrome_decrypt(encrypted_txt):
    if encrypted_txt[:4] == b'x01x00x00x00':
        decrypted_txt = decrypt.dpapi_decrypt(encrypted_txt)
        return decrypted_txt.decode()
    elif encrypted_txt[:3] == b'v10':
        decrypted_txt = decrypt.aes_decrypt(encrypted_txt)
        return decrypted_txt[:-16].decode()


def query_cookie(host):
    with sqlite3.connect(cookie_file) as conn:
        result = conn.execute(
            "select host_key, name, encrypted_value from cookies where host_key = ?", (host,)).fetchall()

    return result


if __name__ == '__main__':
    cookies = query_cookie('www.xxxx.com')
    for i in cookies:
        cok = i[0], i[1], chrome_decrypt(i[2])
        print(cok)

decrypt.py

# _*_ coding: utf-8 _*_
"""
Time:     2021/11/5 16:57
Author:   Jyun
Version:  V 0.1
File:     decrypt.py
Blog:     https://ctrlcv.blog.csdn.net
"""

import os
import json, base64
from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes


class AES_GCM:
    @staticmethod
    def encrypt(cipher, plaintext, nonce):
        cipher.mode = modes.GCM(nonce)
        encryptor = cipher.encryptor()
        ciphertext = encryptor.update(plaintext)
        return cipher, ciphertext, nonce

    @staticmethod
    def decrypt(cipher, ciphertext, nonce):
        cipher.mode = modes.GCM(nonce)
        decryptor = cipher.decryptor()
        return decryptor.update(ciphertext)

    @staticmethod
    def get_cipher(key):
        cipher = Cipher(algorithms.AES(key), None, backend=default_backend())
        return cipher


def dpapi_decrypt(encrypted):
    import ctypes.wintypes

    class DATA_BLOB(ctypes.Structure):
        _fields_ = [('cbData', ctypes.wintypes.DWORD),
                    ('pbData', ctypes.POINTER(ctypes.c_char))]

    p = ctypes.create_string_buffer(encrypted, len(encrypted))
    blobin = DATA_BLOB(ctypes.sizeof(p), p)
    blobout = DATA_BLOB()
    retval = ctypes.windll.crypt32.CryptUnprotectData(
        ctypes.byref(blobin), None, None, None, None, 0, ctypes.byref(blobout))
    if not retval:
        raise ctypes.WinError()
    result = ctypes.string_at(blobout.pbData, blobout.cbData)
    ctypes.windll.kernel32.LocalFree(blobout.pbData)
    return result


def get_key_from_local_state():
    local_state_path = os.path.join(os.environ['LOCALAPPDATA'], r"Google\Chrome\User Data\Local State")
    with open(local_state_path, encoding='utf-8', mode="r") as f:
        jsn = json.loads(str(f.readline()))
    return jsn["os_crypt"]["encrypted_key"]


def aes_decrypt(encrypted_txt):
    encoded_key = get_key_from_local_state()
    encrypted_key = base64.b64decode(encoded_key.encode())
    encrypted_key = encrypted_key[5:]
    key = dpapi_decrypt(encrypted_key)
    nonce = encrypted_txt[3:15]
    cipher = AES_GCM.get_cipher(key)
    return AES_GCM.decrypt(cipher, encrypted_txt[15:], nonce)

参考：Chrome 80.X版本如何解密Cookies文件