BAD BASS is a proof-of-concept for a browser-in-the-browser phishing technique involving WebView injection. Essentially, a new window is injected over the browser's child window that handles the rendered web-content. This webview can then be loaded with phishing pages to collect user information.
- Visual Studio 2022
- Go >= 1.18.3
- Donut
- Compile WEBPHISH to DLL using the build.bat script
- Compile WEBPHISH DLL to shellcode using Donut
- Place shellcode binary file into LIVEBAIT/payload/loader.bin
- Compile LIVEBAIT with Visual Studio
- Package a web-inject archive with PHISHROD (see -h)
- Embed the web-inject archive from (5) using PHISHROD into the LIVEBAIT executable (see PHISHROD -h for assistance)
Huge credits to jchv for the go-webview2 project that wraps the WebView interfaces. Virtually all of the browser code was pulled from that project. Small modifications were made that required some of the files be pulled into the WEBPHISH sources.