advdebug / nomorecookies Goto Github PK

Browser Protector against various stealers, written in C# & C/C++.

License: MIT License

C# 62.04% C++ 37.28% C 0.68%

antivirus blue-team browser hooking protection rat stealer anti-stealer backdoor hook

nomorecookies's Introduction

NoMoreCookies

Browser Protector against various stealers, written in C# & C/C++. (Just a small note, please don't use this protection in a SecureBoot-Enabled environment yet as this protection doesn't fully support SecureBoot yet and may cause problems, also this protection is in UM which means it can be bypassed but it's still a pretty good solution to protect your browser)

Works by hooking NtCreateFile & NtOpenFile and prevent accessing browser files, in addition to prevent some types of unhooking. compatible with various games and software. (contributions are very welcomed)

Stealers/RATs Tested

AsyncRAT
Quasar RAT
StormKitty
HackBrowserData
FireFox-Thief
DcRat
Umbral Stealer
Blank Grabber
Venom RAT
XWorm RAT
Raccoon Stealer
EdgeGuard
Vidar
RedLine

and it should work against other popular stealers. and please note that this protection doesn't only work with these listed above, it will work with future stealers as well as this protection is universal and not targeted against a specific kind/family of stealers.

Supported Browsers:

Installation

you can find the release here, after you extract the files execute NoMoreCookiesInstaller.exe which will give you the option to both install and uninstall NoMoreCookies.

in the installer you can see all options and what each one does so you can choose whatever suits you, and after installation/uninstallation it's recommended to restart your system so that the protection are fully activated/gone.

Showcase

if any Stealer/RAT tried to access your browser files you would get a notification, preventing the Stealer/RAT from accessing it and warning you about it.

Contribution

if you are a C#/C++ developer and want to contribute, make a fork and make a pull request with the mentioning of the changes you have made and why do you think this change is a good idea.

you can find here all the contributors that contributed to this project.

Disclaimer

This Project is for educational purposes only. me, the developer, are not responsible for any kind of misuse.

License

The Program, Libraries, etc. are licensed under MIT License.

nomorecookies's People

Contributors

Stargazers

Watchers

nomorecookies's Issues

Protect more

Protect against stealer advanced who have admin and kill process of your protect cookies

Version Outdated Bug

Your version 2,3 is outdated. update to the version 23 from NoMoreCookies Repo.

Compile

Hello i want to compile src but idk how to found the dll like xnomorecookies or mininomorecookied and when I compile cookie installer folder with sln its do a error can you told how you compile it with picture ? Win+maj+s for screen easy

Thank you for this!

We hate scammers aswell so we've been working on a software to identify stubs online that match known stubs that we can dump to delete webhooks and other stuff.

Ungoogled Chromium version?

Code Repeat and Disk Path can be getted from config

if (Config == "XMode: Mini")
                {
                    if (Environment.Is64BitProcess)
                    {
                        DllPath = @"C:\MiniNoMoreCookies_x64.dll";
                    }
                    else
                    {
                        DllPath = @"C:\MiniNoMoreCookies.dll";
                    }
                }
                else if (Config == "XMode: Disabled")
                {
                    if (Environment.Is64BitProcess)
                    {
                        DllPath = @"C:\NoMoreCookies_x64.dll";
                    }
                    else
                    {
                        DllPath = @"C:\NoMoreCookies.dll";
                    }
                }
                else if (Config == "XMode: Enabled")
                {
                    if (Environment.Is64BitProcess)
                    {
                        DllPath = @"C:\XNoMoreCookies.dll";
                    }
                    else
                    {
                        DllPath = @"C:\XNoMoreCookies_x64.dll";
                    }
                }

std::wstring UserPath(L"C:\\Users\\");
std::wstring EdgePath;
std::wstring BravePath;
std::wstring ChromePath;
std::wstring FirefoxPath;
std::wstring YandexPath;
std::wstring OperaPath;
std::wstring WaterfoxPath;
std::wstring VivaldiPath;
BOOL Startup()
{
    wchar_t Username[50];
    DWORD UsernameLen = 50 - 1;
    if (GetUserNameW(Username, &UsernameLen))
    {
        UserPath = L"\\??\\C:\\Users\\";
        UserPath.append(Username);
        UserPath.append(L"\\");
        EdgePath = UserPath.c_str();
        EdgePath.append(L"AppData\\Local\\Microsoft\\Edge\\User Data");
        BravePath = UserPath.c_str();
        BravePath.append(L"AppData\\Local\\BraveSoftware\\Brave-Browser\\User Data");
        ChromePath = UserPath.c_str();
        ChromePath.append(L"AppData\\Local\\Google\\Chrome\\User Data");
        FirefoxPath = UserPath.c_str();
        FirefoxPath.append(L"AppData\\Roaming\\Mozilla\\Firefox\\Profiles");
        YandexPath = UserPath.c_str();
        YandexPath.append(L"AppData\\Local\\Yandex\\YandexBrowser\\User Data");
        OperaPath = UserPath.c_str();
        OperaPath.append(L"AppData\\Roaming\\Opera Software\\Opera Stable");
        WaterfoxPath = UserPath.c_str();
        WaterfoxPath.append(L"AppData\\Roaming\\Waterfox\\Profiles");
        VivaldiPath = UserPath.c_str();
        VivaldiPath.append(L"AppData\\Local\\Vivaldi\\User Data");
        return true;
    }
    else
    {
        return false;
    }
}

This codes using hard coded disk label, C:\ can be getted from config. Users maybe not using C: disk label or it's can be secured etc if any of them, your app will not work.

const char* Browsers[] = { "msedge.exe", "firefox.exe", "vivaldi.exe", "chrome.exe", "brave.exe", "browser.exe", "opera.exe", "waterfox.exe" };

const wchar_t* Browsers[] = { L"msedge.exe", L"firefox.exe", L"vivaldi.exe", L"chrome.exe", L"brave.exe", L"browser.exe", L"opera.exe", L"waterfox.exe" };

const wchar_t* Browsers[] this list is duplicated (created with same name on two place)

const wchar_t* Publishers[] = { L"mozilla", L"microsoft", L"brave", L"waterfox", L"yandex", L"opera", L"vivaldi" };

This lists can be getted from embedded source or a another header file like a consts.h.

BOOL IsBlacklistedApp(wchar_t* FileNamez)
{
    if (Signed2)
    {
        BOOL IsBlacklistedPublisher = FALSE;
        std::wstring Publisher(GetPublisherName(FileNamez));
        if (Publisher.c_str() != NULL)
        {
            const wchar_t* PublisherName = Publisher.c_str();
            const wchar_t* Publishers[] = { L"python", L"oracle" };
            int Size3 = sizeof(Publishers) / sizeof(Publishers[0]);
            wchar_t LowercasePublisher[100];
            wcscpy_s(LowercasePublisher, 256, PublisherName);
            for (int i = 0; LowercasePublisher[i] != L'\0'; i++)
                LowercasePublisher[i] = towlower(LowercasePublisher[i]);
            for (int i = 0; i < Size3; i++)
            {
                if (wcsstr(LowercasePublisher, Publishers[i]) != NULL)
                {
                    IsBlacklistedPublisher = TRUE;
                    break;
                }
            }
        }
        return IsBlacklistedPublisher && Signed2;
    }
    return false;
}

i don't understand that can you explain this to me?

switch (arg)
                    {
                        case "--ignore-updates":
                            Settings.CheckUpdates = false;
                            break;
                        case "--ignore-warnings":
                            Settings.ShowWarnings = false;
                            break;
                        //this setting is turned off by default for security reasons, you can enable it by editing the code
                        /*
                        case "--direct-uninstall":
                            if (!Settings.DirectInstall)
                                Settings.DirectUninstall = true;
                            break;
                        */
                        case "--show-browsers":
                            Settings.ShowBrowsers = true;
                            break;
                        case "--no-output":
                            Settings.ShowOutput = false;
                            break;
                    }

You can use library for that. C# has a lot of library for parsing args.

Environment.CurrentDirectory + "\\Components\\MiniNoMoreCookies_x64.dll";

You can use Path.Combine on there

            string MiniNoMoreCookiesx64 = Environment.CurrentDirectory + "\\Components\\MiniNoMoreCookies_x64.dll";
            string MiniNoMoreCookiesx86 = Environment.CurrentDirectory + "\\Components\\MiniNoMoreCookies.dll";
            string NoMoreCookiesx64 = Environment.CurrentDirectory + "\\Components\\NoMoreCookies_x64.dll";
            string NoMoreCookiesx86 = Environment.CurrentDirectory + "\\Components\\NoMoreCookies.dll";
            string XNoMoreCookiesx64 = Environment.CurrentDirectory + "\\Components\\XNoMoreCookies_x64.dll";
            string XNoMoreCookiesx86 = Environment.CurrentDirectory + "\\Components\\XNoMoreCookies.dll";

And you can use function to fix code repeating.

This variables is duplicated too is defined in 2 places (public static void Install(string Option, bool SecureBoot) and public static bool IsComponentsAvailable(string Option)). You can use class for getting this variables.

You can use ILogger (Microsoft.Extensions.Logging) interface for logging. You can use Serilog it's very easy logger with ILogger interface support.

static double Version = 2.3;

You can get Version info from AssemblyInfo.

Add custom blacklisted apps

Hi, your file signed verification its failing and i cannot start Sandboxie cuz is injecting the dll to the Sandboxie Service (its signed), can u add custom blacklists?

Thanks! Great project btw

Failed to Create NoMoreCookies Services, Error Code: 1073

defect

If the stealer name == browser.exe , then the service will accept it as a real browser

Tor and Mullvad browser stopped working

After I installed NoMoreCookies, apparently Tor and Mullvad browser has stopped working, they only just show a blank grey page, that's it.
So I decided to uninstall NoMoreCookies and it works perfectly.
Not sure why NoMoreCookies blocks Mullvad and Tor browser.

did crash my system

after installation (option1) on windows 10 x64 first i wasn't able to restart anymore. clicking restart was not doing anything and opening task manager was also funky. i just saw little popup windows with the title "checksum" and a checksum within. it was quite randomly happening but the system was definitely behaving quite weird. after a hard reset of the pc, windows wasn't able to boot anymore and i get a blue screen everytime. luckily the system repair was able to fix it and afterwards i was able to boot up the system again.

Can't reopen the installer after mini installation

Hi, wonderful work, this is a revolutionary program! However, there is a bug where you can not reopen the installer after installation. I tried installing all the versions, and the bug happened to me after installing the mini version. I also tried with enabling secure boot and trying to rerun the installer in case the AppinitDLL being loaded was causing a problem, without success. Translation of the top text: "Attempt to read or write in protected memory. Often, this indicates that there is other damaged memory." Also, I don't know about its support on Windows 7, but this is Windows 10 (LTSC 2019 aka 1809) modified to look like Windows 7.

NoMoreCookies causes Mullvad VPN to crash on startup

I've been using NoMoreCookies because I see that it works really well.
However, while it's installed, Mullvad won't start, which surprises me, since it's a VPN and not related to a browsers (apart from the fact that it runs in a chromium sandbox).

I get the following error message:
Can't access file: file:///C:\Program Files\Mullvad VPN\resources\app.asar\build\src\index.html

I see the possibility of other programs sharing the same fate, so I think that it's an issue worth looking into.