From f0a643abe55fa5779d662858c1e5e86a68bfec2c Mon Sep 17 00:00:00 2001
From: Meckazin
Date: Fri, 29 Mar 2024 03:13:09 -0700
Subject: [PATCH] Pattern update for Chrome and Webview2
---
 CookieKatz-BOF/CookieKatzBOF.cpp | 28 +++++++++++++-------------
 CookieKatz/Main.cpp | 34 ++++++++++++++++----------------
 CookieKatzMinidump/Main.cpp | 28 +++++++++++++-------------
 3 files changed, 45 insertions(+), 45 deletions(-)
diff --git a/CookieKatz-BOF/CookieKatzBOF.cpp b/CookieKatz-BOF/CookieKatzBOF.cpp
index 1248a3e..d9388fe 100644
--- a/CookieKatz-BOF/CookieKatzBOF.cpp
+++ b/CookieKatz-BOF/CookieKatzBOF.cpp
@@ -76,14 +76,14 @@ extern "C" {
 BYTE chromePattern[] = {
 0x56, 0x57, 0x48, 0x83, 0xEC, 0x28, 0x89, 0xD7, 0x48, 0x89, 0xCE, 0xE8, 0xAA, 0xAA, 0xFF, 0xFF,
- 0x85, 0xFF, 0x74, 0x08, 0x48, 0x89, 0xF1, 0xE8, 0xAA, 0xAA, 0xAA, 0xAA, 0x48, 0x89, 0xF0, 0x48,
+ 0x85, 0xFF, 0x74, 0x08, 0x48, 0x89, 0xF1, 0xE8, 0xAA, 0xAA, 0xAA, 0xFD, 0x48, 0x89, 0xF0, 0x48,
 0x83, 0xC4, 0x28, 0x5F, 0x5E, 0xC3, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC,
- 0x56, 0x57, 0x48, 0x83, 0xEC, 0x38, 0x48, 0x89, 0xCE, 0x48, 0x8B, 0x05, 0xAA, 0xAA, 0xAA, 0xAA,
- 0x48, 0x31, 0xE0, 0x48, 0x89, 0x44, 0x24, 0x30, 0x48, 0x8D, 0x79, 0x30, 0x48, 0x8B, 0x49, 0x28,
- 0xE8, 0xAA, 0xAA, 0xAA, 0xAA, 0x48, 0x8B, 0x46, 0x20, 0x48, 0x8B, 0x4E, 0x28, 0x48, 0x8B, 0x96,
- 0xAA, 0x01, 0x00, 0x00, 0x4C, 0x8D, 0x44, 0x24, 0x28, 0x49, 0x89, 0x10, 0x48, 0xC7, 0x86, 0xAA,
- 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x48, 0x89, 0xFA, 0xFF, 0x15, 0xAA, 0xAA, 0xAA, 0xAA,
- 0x48, 0x8B, 0x4C, 0x24, 0x30, 0x48, 0x31, 0xE1, 0xE8, 0xAA, 0xAA, 0xAA, 0xAA, 0x90, 0x48, 0x83
+ 0x41, 0x56, 0x56, 0x57, 0x55, 0x53, 0x48, 0x83, 0xEC, 0x20, 0x4D, 0x89, 0xCE, 0x4C, 0x89, 0xC7,
+ 0x48, 0x89, 0xD6, 0x48, 0x89, 0xCB, 0x49, 0x8B, 0x01, 0x48, 0x8B, 0x11, 0x48, 0x8B, 0x0E, 0xFF,
+ 0x15, 0xAA, 0xAA, 0xAA, 0xAA, 0x89, 0xC5, 0x49, 0x8B, 0x06, 0x48, 0x8B, 0x16, 0x48, 0x8B, 0x0F,
+ 0xFF, 0x15, 0xAA, 0xAA, 0xAA, 0xAA, 0x40, 0x84, 0xED, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA,
+ 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA,
+ 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA
 };
 BYTE edgePattern[] = {
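Review bot: The chromePattern table in this hunk is the same 144-byte literal the commit also rewrites by hand in CookieKatz/Main.cpp (@@ -119) and CookieKatzMinidump/Main.cpp (@@ -67), and the webviewPattern at @@ -100 is likewise duplicated at @@ -151 and @@ -101 in those files; three copy-pasted tables that have to be updated in lockstep is how one target silently ends up with a stale signature on the next refresh. I would move both tables into a single header that all three projects include, so a pattern change is one edit instead of six. The byte 0xAA also appears to serve as the wildcard marker (it occupies the displacement slots after the 0xE8 and 0xFF 0x15 opcodes) but nothing in the file states that; a comment above each table such as `// 0xAA = wildcard byte for the pattern matcher` would tell the next maintainer how to regenerate it, assuming that is indeed how the matcher treats it, which is outside this hunk. The enclosing `extern "C" {` block starts and ends outside the hunk.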
@@ -100,14 +100,14 @@ extern "C" {
 BYTE webviewPattern[] = {
 0x56, 0x57, 0x48, 0x83, 0xEC, 0x28, 0x89, 0xD7, 0x48, 0x89, 0xCE, 0xE8, 0xAA, 0xAA, 0xFF, 0xFF,
- 0x85, 0xFF, 0x74, 0x08, 0x48, 0x89, 0xF1, 0xE8, 0xAA, 0xAA, 0xAA, 0xAA, 0x48, 0x89, 0xF0, 0x48,
+ 0x85, 0xFF, 0x74, 0x08, 0x48, 0x89, 0xF1, 0xE8, 0xAA, 0xAA, 0xAA, 0xFB, 0x48, 0x89, 0xF0, 0x48,
 0x83, 0xC4, 0x28, 0x5F, 0x5E, 0xC3, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC,
- 0x41, 0x56, 0x56, 0x57, 0x53, 0x48, 0x83, 0xEC, 0x28, 0x48, 0x8B, 0x19, 0x4C, 0x8B, 0x33, 0x4D,
- 0x85, 0xF6, 0x74, 0x09, 0x48, 0x89, 0xCE, 0x48, 0x8B, 0x7B, 0x08, 0xEB, 0x16, 0x48, 0x83, 0xC4,
- 0x28, 0x5B, 0x5F, 0x5E, 0x41, 0x5E, 0xC3, 0x48, 0x83, 0xC7, 0xF8, 0x48, 0x89, 0xF9, 0xE8, 0x1D,
- 0x00, 0x00, 0x00, 0x4C, 0x39, 0xF7, 0x75, 0xEF, 0x4C, 0x89, 0x73, 0x08, 0x48, 0x8B, 0x06, 0x48,
- 0x8B, 0x08, 0x48, 0x83, 0xC4, 0x28, 0x5B, 0x5F, 0x5E, 0x41, 0x5E, 0xE9, 0xAA, 0xAA, 0xAA, 0xAA,
- 0x56, 0x48, 0x83, 0xEC, 0x20, 0x48, 0x85, 0xC9, 0x74, 0x2A, 0x48, 0x8B, 0x31, 0x48, 0xC7, 0x01
+ 0x56, 0x57, 0x48, 0x83, 0xEC, 0x38, 0x48, 0x89, 0xCE, 0x48, 0x8B, 0x05, 0xAA, 0xAA, 0xAA, 0x07,
+ 0x48, 0x31, 0xE0, 0x48, 0x89, 0x44, 0x24, 0x30, 0x48, 0x8D, 0x79, 0x30, 0x48, 0x8B, 0x49, 0x28,
+ 0xE8, 0xAA, 0xAA, 0xAA, 0xF8, 0x48, 0x8B, 0x46, 0x20, 0x48, 0x8B, 0x4E, 0x28, 0x48, 0x8B, 0x96,
+ 0x48, 0x01, 0x00, 0x00, 0x4C, 0x8D, 0x44, 0x24, 0x28, 0x49, 0x89, 0x10, 0x48, 0xC7, 0x86, 0x48,
+ 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x48, 0x89, 0xFA, 0xFF, 0x15, 0xAA, 0xAA, 0xAA, 0xAA,
+ 0x48, 0x8B, 0x4C, 0x24, 0x30, 0x48, 0x31, 0xE1, 0xE8, 0xAA, 0xAA, 0xAA, 0xFB, 0x90, 0x48, 0x83
 };
 LPCWSTR processName;
diff --git a/CookieKatz/Main.cpp b/CookieKatz/Main.cpp
index a345ee0..1f5a88f 100644
--- a/CookieKatz/Main.cpp
+++ b/CookieKatz/Main.cpp
@@ -119,15 +119,15 @@ int main(int argc, char* argv[]) {
 processName = L"chrome.exe";
 dllName = L"chrome.dll";
 pattern = new BYTE[144]{
- 0x56, 0x57, 0x48, 0x83, 0xEC, 0x28, 0x89, 0xD7, 0x48, 0x89, 0xCE, 0xE8, 0xAA, 0xAA, 0xFF, 0xFF,
- 0x85, 0xFF, 0x74, 0x08, 0x48, 0x89, 0xF1, 0xE8, 0xAA, 0xAA, 0xAA, 0xAA, 0x48, 0x89, 0xF0, 0x48,
- 0x83, 0xC4, 0x28, 0x5F, 0x5E, 0xC3, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC,
- 0x56, 0x57, 0x48, 0x83, 0xEC, 0x38, 0x48, 0x89, 0xCE, 0x48, 0x8B, 0x05, 0xAA, 0xAA, 0xAA, 0xAA,
- 0x48, 0x31, 0xE0, 0x48, 0x89, 0x44, 0x24, 0x30, 0x48, 0x8D, 0x79, 0x30, 0x48, 0x8B, 0x49, 0x28,
- 0xE8, 0xAA, 0xAA, 0xAA, 0xAA, 0x48, 0x8B, 0x46, 0x20, 0x48, 0x8B, 0x4E, 0x28, 0x48, 0x8B, 0x96,
- 0xAA, 0x01, 0x00, 0x00, 0x4C, 0x8D, 0x44, 0x24, 0x28, 0x49, 0x89, 0x10, 0x48, 0xC7, 0x86, 0xAA,
- 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x48, 0x89, 0xFA, 0xFF, 0x15, 0xAA, 0xAA, 0xAA, 0xAA,
- 0x48, 0x8B, 0x4C, 0x24, 0x30, 0x48, 0x31, 0xE1, 0xE8, 0xAA, 0xAA, 0xAA, 0xAA, 0x90, 0x48, 0x83
+ 0x56, 0x57, 0x48, 0x83, 0xEC, 0x28, 0x89, 0xD7, 0x48, 0x89, 0xCE, 0xE8, 0xAA, 0xAA, 0xFF, 0xFF,
+ 0x85, 0xFF, 0x74, 0x08, 0x48, 0x89, 0xF1, 0xE8, 0xAA, 0xAA, 0xAA, 0xFD, 0x48, 0x89, 0xF0, 0x48,
+ 0x83, 0xC4, 0x28, 0x5F, 0x5E, 0xC3, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC,
+ 0x41, 0x56, 0x56, 0x57, 0x55, 0x53, 0x48, 0x83, 0xEC, 0x20, 0x4D, 0x89, 0xCE, 0x4C, 0x89, 0xC7,
+ 0x48, 0x89, 0xD6, 0x48, 0x89, 0xCB, 0x49, 0x8B, 0x01, 0x48, 0x8B, 0x11, 0x48, 0x8B, 0x0E, 0xFF,
+ 0x15, 0xAA, 0xAA, 0xAA, 0xAA, 0x89, 0xC5, 0x49, 0x8B, 0x06, 0x48, 0x8B, 0x16, 0x48, 0x8B, 0x0F,
+ 0xFF, 0x15, 0xAA, 0xAA, 0xAA, 0xAA, 0x40, 0x84, 0xED, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA,
+ 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA,
+ 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA
 };
 break;
 case Msedge:
@@ -151,15 +151,15 @@ int main(int argc, char* argv[]) {
 processName = L"msedgewebview2.exe";
 dllName = L"msedge.dll";
 pattern = new BYTE[144]{
- 0x56, 0x57, 0x48, 0x83, 0xEC, 0x28, 0x89, 0xD7, 0x48, 0x89, 0xCE, 0xE8, 0xAA, 0xAA, 0xFF, 0xFF,
- 0x85, 0xFF, 0x74, 0x08, 0x48, 0x89, 0xF1, 0xE8, 0xAA, 0xAA, 0xAA, 0xAA, 0x48, 0x89, 0xF0, 0x48,
+ 0x56, 0x57, 0x48, 0x83, 0xEC, 0x28, 0x89, 0xD7, 0x48, 0x89, 0xCE, 0xE8, 0xAA, 0xAA, 0xFF, 0xFF,
+ 0x85, 0xFF, 0x74, 0x08, 0x48, 0x89, 0xF1, 0xE8, 0xAA, 0xAA, 0xAA, 0xFB, 0x48, 0x89, 0xF0, 0x48,
 0x83, 0xC4, 0x28, 0x5F, 0x5E, 0xC3, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC,
- 0x41, 0x56, 0x56, 0x57, 0x53, 0x48, 0x83, 0xEC, 0x28, 0x48, 0x8B, 0x19, 0x4C, 0x8B, 0x33, 0x4D,
- 0x85, 0xF6, 0x74, 0x09, 0x48, 0x89, 0xCE, 0x48, 0x8B, 0x7B, 0x08, 0xEB, 0x16, 0x48, 0x83, 0xC4,
- 0x28, 0x5B, 0x5F, 0x5E, 0x41, 0x5E, 0xC3, 0x48, 0x83, 0xC7, 0xF8, 0x48, 0x89, 0xF9, 0xE8, 0x1D,
- 0x00, 0x00, 0x00, 0x4C, 0x39, 0xF7, 0x75, 0xEF, 0x4C, 0x89, 0x73, 0x08, 0x48, 0x8B, 0x06, 0x48,
- 0x8B, 0x08, 0x48, 0x83, 0xC4, 0x28, 0x5B, 0x5F, 0x5E, 0x41, 0x5E, 0xE9, 0xAA, 0xAA, 0xAA, 0xAA,
- 0x56, 0x48, 0x83, 0xEC, 0x20, 0x48, 0x85, 0xC9, 0x74, 0x2A, 0x48, 0x8B, 0x31, 0x48, 0xC7, 0x01
+ 0x56, 0x57, 0x48, 0x83, 0xEC, 0x38, 0x48, 0x89, 0xCE, 0x48, 0x8B, 0x05, 0xAA, 0xAA, 0xAA, 0x07,
+ 0x48, 0x31, 0xE0, 0x48, 0x89, 0x44, 0x24, 0x30, 0x48, 0x8D, 0x79, 0x30, 0x48, 0x8B, 0x49, 0x28,
+ 0xE8, 0xAA, 0xAA, 0xAA, 0xF8, 0x48, 0x8B, 0x46, 0x20, 0x48, 0x8B, 0x4E, 0x28, 0x48, 0x8B, 0x96,
+ 0x48, 0x01, 0x00, 0x00, 0x4C, 0x8D, 0x44, 0x24, 0x28, 0x49, 0x89, 0x10, 0x48, 0xC7, 0x86, 0x48,
+ 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x48, 0x89, 0xFA, 0xFF, 0x15, 0xAA, 0xAA, 0xAA, 0xAA,
+ 0x48, 0x8B, 0x4C, 0x24, 0x30, 0x48, 0x31, 0xE1, 0xE8, 0xAA, 0xAA, 0xAA, 0xFB, 0x90, 0x48, 0x83
 };
 break;
 default:
diff --git a/CookieKatzMinidump/Main.cpp b/CookieKatzMinidump/Main.cpp
index d4fdaa6..1ff64e4 100644
--- a/CookieKatzMinidump/Main.cpp
+++ b/CookieKatzMinidump/Main.cpp
@@ -67,14 +67,14 @@ int main(int argc, char* argv[]) {
 dllName = "chrome.dll";
 pattern = new BYTE[144]{
 0x56, 0x57, 0x48, 0x83, 0xEC, 0x28, 0x89, 0xD7, 0x48, 0x89, 0xCE, 0xE8, 0xAA, 0xAA, 0xFF, 0xFF,
- 0x85, 0xFF, 0x74, 0x08, 0x48, 0x89, 0xF1, 0xE8, 0xAA, 0xAA, 0xAA, 0xAA, 0x48, 0x89, 0xF0, 0x48,
+ 0x85, 0xFF, 0x74, 0x08, 0x48, 0x89, 0xF1, 0xE8, 0xAA, 0xAA, 0xAA, 0xFD, 0x48, 0x89, 0xF0, 0x48,
 0x83, 0xC4, 0x28, 0x5F, 0x5E, 0xC3, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC,
- 0x56, 0x57, 0x48, 0x83, 0xEC, 0x38, 0x48, 0x89, 0xCE, 0x48, 0x8B, 0x05, 0xAA, 0xAA, 0xAA, 0xAA,
- 0x48, 0x31, 0xE0, 0x48, 0x89, 0x44, 0x24, 0x30, 0x48, 0x8D, 0x79, 0x30, 0x48, 0x8B, 0x49, 0x28,
- 0xE8, 0xAA, 0xAA, 0xAA, 0xAA, 0x48, 0x8B, 0x46, 0x20, 0x48, 0x8B, 0x4E, 0x28, 0x48, 0x8B, 0x96,
- 0xAA, 0x01, 0x00, 0x00, 0x4C, 0x8D, 0x44, 0x24, 0x28, 0x49, 0x89, 0x10, 0x48, 0xC7, 0x86, 0xAA,
- 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x48, 0x89, 0xFA, 0xFF, 0x15, 0xAA, 0xAA, 0xAA, 0xAA,
- 0x48, 0x8B, 0x4C, 0x24, 0x30, 0x48, 0x31, 0xE1, 0xE8, 0xAA, 0xAA, 0xAA, 0xAA, 0x90, 0x48, 0x83
+ 0x41, 0x56, 0x56, 0x57, 0x55, 0x53, 0x48, 0x83, 0xEC, 0x20, 0x4D, 0x89, 0xCE, 0x4C, 0x89, 0xC7,
+ 0x48, 0x89, 0xD6, 0x48, 0x89, 0xCB, 0x49, 0x8B, 0x01, 0x48, 0x8B, 0x11, 0x48, 0x8B, 0x0E, 0xFF,
+ 0x15, 0xAA, 0xAA, 0xAA, 0xAA, 0x89, 0xC5, 0x49, 0x8B, 0x06, 0x48, 0x8B, 0x16, 0x48, 0x8B, 0x0F,
+ 0xFF, 0x15, 0xAA, 0xAA, 0xAA, 0xAA, 0x40, 0x84, 0xED, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA,
+ 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA,
+ 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA
 };
 found = true;
 break;
@@ -101,14 +101,14 @@ int main(int argc, char* argv[]) {
 dllName = "msedge.dll";
 pattern = new BYTE[144]{
 0x56, 0x57, 0x48, 0x83, 0xEC, 0x28, 0x89, 0xD7, 0x48, 0x89, 0xCE, 0xE8, 0xAA, 0xAA, 0xFF, 0xFF,
- 0x85, 0xFF, 0x74, 0x08, 0x48, 0x89, 0xF1, 0xE8, 0xAA, 0xAA, 0xAA, 0xAA, 0x48, 0x89, 0xF0, 0x48,
+ 0x85, 0xFF, 0x74, 0x08, 0x48, 0x89, 0xF1, 0xE8, 0xAA, 0xAA, 0xAA, 0xFB, 0x48, 0x89, 0xF0, 0x48,
 0x83, 0xC4, 0x28, 0x5F, 0x5E, 0xC3, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC,
- 0x41, 0x56, 0x56, 0x57, 0x53, 0x48, 0x83, 0xEC, 0x28, 0x48, 0x8B, 0x19, 0x4C, 0x8B, 0x33, 0x4D,
- 0x85, 0xF6, 0x74, 0x09, 0x48, 0x89, 0xCE, 0x48, 0x8B, 0x7B, 0x08, 0xEB, 0x16, 0x48, 0x83, 0xC4,
- 0x28, 0x5B, 0x5F, 0x5E, 0x41, 0x5E, 0xC3, 0x48, 0x83, 0xC7, 0xF8, 0x48, 0x89, 0xF9, 0xE8, 0x1D,
- 0x00, 0x00, 0x00, 0x4C, 0x39, 0xF7, 0x75, 0xEF, 0x4C, 0x89, 0x73, 0x08, 0x48, 0x8B, 0x06, 0x48,
- 0x8B, 0x08, 0x48, 0x83, 0xC4, 0x28, 0x5B, 0x5F, 0x5E, 0x41, 0x5E, 0xE9, 0xAA, 0xAA, 0xAA, 0xAA,
- 0x56, 0x48, 0x83, 0xEC, 0x20, 0x48, 0x85, 0xC9, 0x74, 0x2A, 0x48, 0x8B, 0x31, 0x48, 0xC7, 0x01
+ 0x56, 0x57, 0x48, 0x83, 0xEC, 0x38, 0x48, 0x89, 0xCE, 0x48, 0x8B, 0x05, 0xAA, 0xAA, 0xAA, 0x07,
+ 0x48, 0x31, 0xE0, 0x48, 0x89, 0x44, 0x24, 0x30, 0x48, 0x8D, 0x79, 0x30, 0x48, 0x8B, 0x49, 0x28,
+ 0xE8, 0xAA, 0xAA, 0xAA, 0xF8, 0x48, 0x8B, 0x46, 0x20, 0x48, 0x8B, 0x4E, 0x28, 0x48, 0x8B, 0x96,
+ 0x48, 0x01, 0x00, 0x00, 0x4C, 0x8D, 0x44, 0x24, 0x28, 0x49, 0x89, 0x10, 0x48, 0xC7, 0x86, 0x48,
+ 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x48, 0x89, 0xFA, 0xFF, 0x15, 0xAA, 0xAA, 0xAA, 0xAA,
+ 0x48, 0x8B, 0x4C, 0x24, 0x30, 0x48, 0x31, 0xE1, 0xE8, 0xAA, 0xAA, 0xAA, 0xFB, 0x90, 0x48, 0x83
 };
 found = true;
 break;