dissect.target.plugins.os.windows.dpapi.dpapi

Module Contents

Classes

DPAPIPlugin

Windows Data Protection API (DPAPI) plugin.

class dissect.target.plugins.os.windows.dpapi.dpapi.DPAPIPlugin(target: dissect.target.target.Target)

Bases: dissect.target.plugin.InternalPlugin

Windows Data Protection API (DPAPI) plugin.

References

__namespace__ = 'dpapi'

Defines the plugin namespace.

RE_MASTER_KEY
SYSTEM_SID = 'S-1-5-18'
keychain
check_compatible() → None

Perform a compatibility check with the target.

This function should return None if the plugin is compatible with the current target (self.target). For example, check if a certain file exists. Otherwise it should raise an UnsupportedPluginError.

Raises:

UnsupportedPluginError – If the plugin could not be loaded.

property master_keys: dict[str, dict[str, dissect.target.plugins.os.windows.dpapi.master_key.MasterKeyFile]]

Returns dict of found DPAPI master keys on the Windows target for SYSTEM and regular users.

decrypt_system_blob(data: bytes, **kwargs) → bytes

Decrypt the given bytes using the SYSTEM master key.

Parameters:
  • data – Bytes of DPAPI system blob to decrypt.

  • **kwargs – Arbitrary named arguments to pass to DPAPIBlob.decrypt function.

Raises:

ValueError – When conditions to decrypt are not met or if decrypting failed.

Returns:

Decrypted bytes.

decrypt_user_blob(data: bytes, username: str | None = None, sid: str | None = None, **kwargs) → bytes

Decrypt the given bytes using the master key of the given SID or username.

Parameters:
  • data – Bytes of DPAPI blob to decrypt.

  • username – Username of the owner of the DPAPI blob.

  • sid – SID of the owner of the DPAPI blob.

  • **kwargs – Arbitrary named arguments to pass to DPAPIBlob.decrypt function.

Raises:

ValueError – When conditions to decrypt are not met or if decrypting failed.

Returns:

Decrypted bytes.

decrypt_blob(data: bytes, **kwargs) → bytes

Attempt to decrypt the given bytes using any of the available master keys.

Parameters:
  • data – Bytes of DPAPI blob to decrypt.

  • **kwargs – Arbitrary named arguments to pass to DPAPIBlob.decrypt function.

Raises:

ValueError – When conditions to decrypt are not met or if decrypting failed.

Returns:

Decrypted bytes.
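
Added example (not part of dissect.target): one way to combine the three decrypt methods during triage, recording which master key scope decrypted a blob and keeping the ValueError messages from the scopes that failed. The names decrypt_with_fallback, DecryptResult and FakeDPAPI are hypothetical; FakeDPAPI is a constructed stand-in for the plugin so the block runs offline, and on a real target the plugin object is assumed to be reachable as target.dpapi through the 'dpapi' namespace.

```python
from __future__ import annotations

from dataclasses import dataclass, field

@dataclass
class DecryptResult:
    plaintext: bytes | None = None
    scope: str | None = None  # "user", "system" or "any"
    errors: dict[str, str] = field(default_factory=dict)

def decrypt_with_fallback(dpapi, blob: bytes, sid=None, username=None, **kwargs) -> DecryptResult:
    """Try the narrowest master key scope first and widen only on ValueError.
    `dpapi` is assumed to expose the three decrypt_* methods documented above."""
    attempts = []
    if sid or username:
        attempts.append(("user", lambda: dpapi.decrypt_user_blob(blob, username=username, sid=sid, **kwargs)))
    attempts.append(("system", lambda: dpapi.decrypt_system_blob(blob, **kwargs)))
    attempts.append(("any", lambda: dpapi.decrypt_blob(blob, **kwargs)))

    result = DecryptResult()
    for scope, attempt in attempts:
        try:
            result.plaintext, result.scope = attempt(), scope
            return result
        except ValueError as exc:  # documented failure mode of all three methods
            result.errors[scope] = str(exc)
    return result

class FakeDPAPI:
    """Constructed stand-in so the example runs offline; not dissect code."""
    def __init__(self, system: dict, users: dict):
        self.system, self.users = system, users  # users: {sid: {blob: plaintext}}

    def decrypt_system_blob(self, data, **kwargs):
        if data not in self.system:
            raise ValueError("no SYSTEM master key decrypts this blob")
        return self.system[data]

    def decrypt_user_blob(self, data, username=None, sid=None, **kwargs):
        if data not in self.users.get(sid, {}):
            raise ValueError(f"no master key for {sid or username} decrypts this blob")
        return self.users[sid][data]

    def decrypt_blob(self, data, **kwargs):
        for store in (self.system, *self.users.values()):
            if data in store:
                return store[data]
        raise ValueError("no available master key decrypts this blob")
```

A result with scope "any" and entries for "user" and "system" in errors means the blob was decrypted by a key outside the hinted account and SYSTEM, which is worth noting when attributing the blob to an owner.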