Expand description
dpapi4n6 — forensic CLI over the dpapi_core decoders.
The on-disk auditor for DPAPI-protected stores: Chrome/Edge (Local State
cookie key + v10/v20 cookies), Credential Manager, Vault (VPOL/VCRD),
and Wi-Fi (Wlansvc PSK). Every secret is recovered through dpapi_core (all
crypto is audited RustCrypto), and the master key is the analyst’s input —
when it is unavailable the CLI reports the store as present but locked with
the offending master-key GUID and a non-zero exit, never a guessed secret.
Decision logic lives in this library (the testable decode_* functions +
Cli::run); main.rs is a thin shell (Humble Object).
Re-exports§
pub use dpapi_core;
Structs§
- Cli
dpapi4n6— recover DPAPI-protected secrets from acquired Windows artifacts.- CliReport
- The CLI’s overall result: the recovered items across the requested stores.
- Master
KeyArg - The master-key material, shared by every subcommand: the 64-byte user/SYSTEM
master key as hex (e.g. impacket’s
-key 0x...value, sans0x). - Store
Result - A recovered secret from one store (the unit of CLI output).
Enums§
Functions§
- decode_
browser - Decode the browser cookie key from
Local StateJSON, optionally decrypting av10/v20cookie blob. - decode_
credman - Decode a Credential Manager file’s blob.
- decode_
vault - Decode a Vault
VPOLpolicy + oneVCRDrecord into its web credentials. - decode_
wifi - Decode a Wi-Fi profile XML’s PSK.
- parse_
master_ key_ hex - Decode a 64-byte master key from hex, erroring loudly on bad input.
- render_
text - Render a
CliReportas a human-readable table.