CookieKatz: Dump cookies directly from Chrome process memory

Cookie dumper for Chrome and Edge

CookieKatz is a project that allows operators to dump cookies from Chrome, Edge, or Msedgewebview2 directly from the process memory. Chromium-based browsers load all their cookies from the on-disk cookie database on startup.

The benefits of this approach are:

  1. Support dumping cookies from Chrome’s Incogntio and Edge’s In-Private processes
  2. Access cookies of other user’s browsers when running elevated
  3. Dump cookies from webview processes
  4. No need to touch on-disk database file
  5. DPAPI keys not needed to decrypt the cookies
  6. Parse cookies offline from a minidump file

On the negative side, even though the method of finding the correct offsets in the memory is currently stable and works on multiple different versions, it will break at some point in the future. 32bit browser installations are not supported and 32bit builds of CookieKatz are not supported either.

Currently, only regular cookies are dumped. Chromium stores Partitioned Cookies in a different place and they are currently not included in the dump.

This solution consists of three projects, CookieKatz that is a PE executable, CookieKatz-BOF that is a Beacon Object File version and CookieKatzMinidump which is the minidump parser.


NOTE! When choosing to use PID to target, use commands /list or cookie-katz-find respectively to choose the right subprocess!



beacon> help cookie-katz
Dump cookies from Chrome or Edge
Use: cookie-katz [chrome|edge|webview] [pid]

beacon> help cookie-katz-find
Find processes for Cookie-Katz
Use: cookie-katz-find [chrome|edge|webview]


Copyright (c) 2024, Aleksi Vepsäläinen. All rights reserved.