Well, I have to admit that it’s been a long time since I wrote here.
Lot of people complained during the past years that DPAPIck was only supporting Windows XP and Vista and basically wanted to know if one day we were going to support newer versions of Microsoft Windows.
Thanks to Francesco Picasso (@dfirfpi), this project now supports Windows versions from XP to the latest Windows 8.1 (sorry, we haven’t tested it on Windows 10 yet). He did the work and sent me a patch that allowed DPAPIck to run against Windows 7 blobs but it was also breaking XP support at the same time. So I took some extra time to give that a bit of polish and to improve a few things on how the tool was processing data.
As a side note, I wish to say that DPAPIck is an opensource project that currently relies on the amount of spare time I can dedicate to it (and being involved in other projects, this amount will not magically increase). But contributions are more than welcome, just like Francesco did.
So, let’s talk a bit on the changes/improvements that we made for v0.3 release:
- Windows 7, 8 and 8.1 support (long story short, it seems that Microsoft learned how to read an RFC and changed one function on which DPAPI relies and which was not RFC compliant)
- unit tests ; it was something I wanted to add for a long time to help me avoid stupid bugs and also to be able to extend this tool without experiencing functional regressions
- iCloud probe (Francesco contribution)
- Dropbox probe (again, thanks to Francesco for his contributions)
- Serialization support of internal structures ; at the moment it may seem useless but this feature was needed for the upcoming next release, DPAPIck v0.4
- PIP compliant installation so, hopefully, one would just have to type “pip install dpapick”
- LSA secrets extraction supports newer Windows versions; here also Microsoft changed the underlying algorithms so I upgraded this part too (nothing fancy here, I just looked at the code of mimikatz)
- LSA secrets now extracts both old and current values (previously, only the current value was extracted) and it can display also the timestamps associated with those values
- Give the ability to add already decrypted masterkeys as well as their hash in the masterkeypool (the goal here is to provide ways of using DPAPIck with stuff that may be extracted at some point from memory dumps using volatility or from a live machine using mimikatz)
- Improved the decryption algorithm to also test NTLM hash of the password (used for Windows 2000 backward compatible structures)
Is that it?
Well, we are already working with Francesco on DPAPIck v0.4 that is going to includes other big changes that we weren’t able to finish for this release.
Here is a rough overview of what to expect for v0.4:
- bin/dpapidec tool will disappear for a better frontend (bin/dpapick) that can use the probes
- Probes API will be upgraded to support the new frontend
- leverage the serialization of internal structures (v0.3) to save/restore a state
- Interactive shell as well as scripting support (something pretty similar to what volatility does)
- Probably some new probes too
- Python3 readiness (some dependencies such as M2Crypto might not be available in Python3)
On a bigger picture (i.e. features that I want to be there for DPAPIck v1.0), we are probably going to:
- have a look at DPAPI-ng (used for connected Live accounts),
- try to have a look on DPAPI related data that mimikatz can export to make them usable with DPAPIck.
- try to add blob/masterkey creation capability
- improve the inline documentation
- provide some documention / guides on the wiki (specially for probes writing)
Leveraging that, DPAPIck would be able to act as a migration tool to import data from a computer A into a computer B, even if they don’t share the same Windows version. Another scenario would be to re-encrypt all the masterkeys with the current password to clear the CREDHIST file.
Again, if you want to contribute to this project, I’d be happy to integrate your patches/files in this project.
You can also use the bug tracker to ask for a feature request that we have not thought about. If you are requesting for additional, please, try to provide some test data for that.
Where to get it?
As usual, you can get the tool on Bitbucket either through mercurial or through the download section (click on the “Tags” tab).
If I didn’t screw up the installation system, you can also try “pip install dpapick” to get it on your computer and benefit from the upgrade capability that it provides 🙂
Filed under dpapi dfir roadmap python release