dissect.target.plugins.os.windows.dpapi.dpapi

Module Contents

Classes

DPAPIPlugin

Parent class for internal plugins.

Attributes

HAS_CRYPTO

dissect.target.plugins.os.windows.dpapi.dpapi.HAS_CRYPTO = True

class dissect.target.plugins.os.windows.dpapi.dpapi.DPAPIPlugin(target: dissect.target.target.Target)

Bases: dissect.target.plugin.InternalPlugin

Parent class for internal plugins.

InternalPlugin marks all non-private methods internal by default (same as @internal decorator).

__namespace__ = 'dpapi'

MASTER_KEY_REGEX

SECURITY_POLICY_KEY = 'HKEY_LOCAL_MACHINE\\SECURITY\\Policy'

SYSTEM_KEY = 'HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\LSA'

SYSTEM_USERNAME = 'System'

check_compatible() → None

Perform a compatibility check with the target.

This function should return None if the plugin is compatible with the current target (self.target). For example, check if a certain file exists. Otherwise it should raise an UnsupportedPluginError.

Raises:

UnsupportedPluginError – If the plugin could not be loaded.

keychain() → set

syskey() → bytes

lsakey() → bytes

secrets() → dict[str, bytes]

master_keys() → dict[str, dict[str, dissect.target.plugins.os.windows.dpapi.master_key.MasterKeyFile]]

decrypt_system_blob(data: bytes) → bytes

Decrypt the given bytes using the System master key.

decrypt_user_blob(data: bytes, username: str) → bytes

Decrypt the given bytes using the master key of the given user.

decrypt_blob(data: bytes) → bytes

Attempt to decrypt the given bytes using any of the available master keys.