This is a collection of research materials and offensive tools for the Windows DPAPI architecture.
The goal is to deepen my own understanding and share whatever I can along the way.
Data Protection Application Programming Interface is a set of APIs used to protect and unprotect secrets on a Windows system.
This functionality allows developers to obfuscate secure application data without implementing cryptography algorithms.
- Windows DPAPI Fundamentals
- DPAPI Blob Hunting: Be vewy, vewy quiet, I’m hunting secrets
- Reading DPAPI Protected Blobs: Making opaque blobs less opaque
- Extracting DPAPI MasterKey Data: An analysis of the DPAPI MasterKey binary structure and a PoC tool to extract key data
- Decrypting DPAPI Credentials Offline: An OPSEC-conscious approach to decrypting DPAPI Credentials
- Fileless DPAPI Credential Extraction With PowerShell: Using Living off the Land Techniques for Extracting DPAPI Credentials
- DPAPIDataExample: C# project demonstrating the use of the ProtectedData class to protect/unprotect data stored in file
- DPAPIBlobHunter: C# project demonstrating methods of scanning the filesystem and registry for DPAPI blobs
- DPAPIBlobReader: C# project demonstrating the processing of a DPAPI protected blob
- DPAPIMasterKeyReader: C# project demonstrating the processing of a DPAPI master key file
- DPAPIPowerShell: PowerShell snippets related to DPAPI
- PowerDPAPI: PowerShell project to locate, parse and dump DPAPI credential blobs and the corresponding master key
- DPAPI-BOF: Beacon Object File to locate, parse and dump DPAPI credential blobs and the corresponding master key