dissect.target 3.18.dev15__py3-none-any.whl → 3.19__py3-none-any.whl

dissect/target/plugins/os/windows/dpapi/crypto.py

@@ -2,17 +2,16 @@ from __future__ import annotations
 
 import hashlib
 import hmac
-from typing import Optional, Union
 
 try:
-    from Crypto.Cipher import AES, ARC4
+    from Crypto.Cipher import AES, ARC4, DES3
 
     HAS_CRYPTO = True
 except ImportError:
     HAS_CRYPTO = False
 
-CIPHER_ALGORITHMS: dict[Union[int, str], CipherAlgorithm] = {}
-HASH_ALGORITHMS: dict[Union[int, str], HashAlgorithm] = {}
+CIPHER_ALGORITHMS: dict[int | str, CipherAlgorithm] = {}
+HASH_ALGORITHMS: dict[int | str, HashAlgorithm] = {}
 
 
 class CipherAlgorithm:
@@ -35,17 +34,27 @@ class CipherAlgorithm:
         return CIPHER_ALGORITHMS[name]()
 
     def derive_key(self, key: bytes, hash_algorithm: HashAlgorithm) -> bytes:
-        """Mimics the corresponding native Microsoft function."""
+        """Mimics the corresponding native Microsoft function.
+
+        Resources:
+            - https://github.com/tijldeneut/DPAPIck3/blob/main/dpapick3/crypto.py#L185
+        """
+
         if len(key) > hash_algorithm.block_length:
             key = hashlib.new(hash_algorithm.name, key).digest()
 
-        if len(key) >= hash_algorithm.digest_length:
+        if len(key) >= self.key_length:
             return key
 
         key = key.ljust(hash_algorithm.block_length, b"\x00")
-        pad1 = bytes(c ^ 0x36 for c in key)
-        pad2 = bytes(c ^ 0x5C for c in key)
-        return hashlib.new(hash_algorithm.name, pad1).digest() + hashlib.new(hash_algorithm.name, pad2).digest()
+        pad1 = bytes(c ^ 0x36 for c in key)[: hash_algorithm.block_length]
+        pad2 = bytes(c ^ 0x5C for c in key)[: hash_algorithm.block_length]
+        key = hashlib.new(hash_algorithm.name, pad1).digest() + hashlib.new(hash_algorithm.name, pad2).digest()
+        key = self.fixup_key(key)
+        return key
+
+    def fixup_key(self, key: bytes) -> bytes:
+        return key
 
     def decrypt_with_hmac(
         self, data: bytes, key: bytes, iv: bytes, hash_algorithm: HashAlgorithm, rounds: int
@@ -55,7 +64,7 @@ class CipherAlgorithm:
 
         return self.decrypt(data, key, iv)
 
-    def decrypt(self, data: bytes, key: bytes, iv: Optional[bytes] = None) -> bytes:
+    def decrypt(self, data: bytes, key: bytes, iv: bytes | None = None) -> bytes:
         raise NotImplementedError()
 
 
@@ -66,7 +75,7 @@ class _AES(CipherAlgorithm):
     iv_length = 128 // 8
     block_length = 128 // 8
 
-    def decrypt(self, data: bytes, key: bytes, iv: Optional[bytes] = None) -> bytes:
+    def decrypt(self, data: bytes, key: bytes, iv: bytes | None = None) -> bytes:
         if not HAS_CRYPTO:
             raise RuntimeError("Missing pycryptodome dependency")
 
@@ -100,7 +109,7 @@ class _RC4(CipherAlgorithm):
     iv_length = 128 // 8
     block_length = 1 // 8
 
-    def decrypt(self, data: bytes, key: bytes, iv: Optional[bytes] = None) -> bytes:
+    def decrypt(self, data: bytes, key: bytes, iv: bytes | None = None) -> bytes:
         if not HAS_CRYPTO:
             raise RuntimeError("Missing pycryptodome dependency")
 
@@ -108,6 +117,34 @@ class _RC4(CipherAlgorithm):
         return cipher.decrypt(data)
 
 
+class _DES3(CipherAlgorithm):
+    id = 0x6603
+    name = "DES3"
+    key_length = 192 // 8
+    iv_length = 64 // 8
+    block_length = 64 // 8
+
+    def fixup_key(self, key: bytes) -> bytes:
+        nkey = []
+        for byte in key:
+            parity_bit = 0
+            for i in range(8):
+                parity_bit ^= (byte >> i) & 1
+
+            nkey.append(byte if parity_bit == 0 else byte | 1)
+        return bytes(nkey[: self.key_length])
+
+    def decrypt(self, data: bytes, key: bytes, iv: bytes | None = None) -> bytes:
+        if not HAS_CRYPTO:
+            raise RuntimeError("Missing pycryptodome dependency")
+
+        if len(key) != 24:
+            raise ValueError(f"Invalid DES3 CBC key length {len(key)}")
+
+        cipher = DES3.new(key, DES3.MODE_CBC, iv=iv if iv else b"\x00" * 8)
+        return cipher.decrypt(data)
+
+
 class HashAlgorithm:
     id: int
     name: str
@@ -123,7 +160,7 @@ class HashAlgorithm:
         return HASH_ALGORITHMS[id]()
 
     @classmethod
-    def from_name(cls, name: str) -> Optional[HashAlgorithm]:
+    def from_name(cls, name: str) -> HashAlgorithm | None:
         return HASH_ALGORITHMS[name]()
 
 
@@ -148,7 +185,7 @@ class _HMAC(_SHA1):
 
 
 class _SHA256(HashAlgorithm):
-    id = 0x8004
+    id = 0x800C
     name = "sha256"
     digest_length = 256 // 8
     block_length = 512 // 8
@@ -197,12 +234,12 @@ def dpapi_hmac(pwd_hash: bytes, hmac_salt: bytes, value: bytes, hash_algorithm:
 
 def crypt_session_key_type1(
     master_key: bytes,
-    nonce: Optional[bytes],
+    nonce: bytes | None,
     hash_algorithm: HashAlgorithm,
-    entropy: Optional[bytes] = None,
-    strong_password: Optional[str] = None,
-    smart_card_secret: Optional[bytes] = None,
-    verify_blob: Optional[bytes] = None,
+    entropy: bytes | None = None,
+    strong_password: str | None = None,
+    smart_card_secret: bytes | None = None,
+    verify_blob: bytes | None = None,
 ) -> bytes:
     """Computes the decryption key for Type1 DPAPI blob, given the master key and optional information.
 
@@ -218,6 +255,7 @@ def crypt_session_key_type1(
         strong_password: Optional password used for decryption or the blob itself.
         smart_card_secret: Optional MS Next Gen Crypto secret (e.g. from PIN code).
         verify_blob: Optional encrypted blob used for integrity check.
+
     Returns:
         decryption key
     """
@@ -258,10 +296,10 @@ def crypt_session_key_type2(
     masterkey: bytes,
     nonce: bytes,
     hash_algorithm: HashAlgorithm,
-    entropy: Optional[bytes] = None,
-    strong_password: Optional[str] = None,
-    smart_card_secret: Optional[bytes] = None,
-    verify_blob: Optional[bytes] = None,
+    entropy: bytes | None = None,
+    strong_password: str | None = None,
+    smart_card_secret: bytes | None = None,
+    verify_blob: bytes | None = None,
 ) -> bytes:
     """Computes the decryption key for Type2 DPAPI blob, given the masterkey and optional information.
 

dissect/target/plugins/os/windows/dpapi/dpapi.py

@@ -1,18 +1,11 @@
-import hashlib
+from __future__ import annotations
+
 import re
 from functools import cache, cached_property
 from pathlib import Path
-
-try:
-    from Crypto.Cipher import AES
-
-    HAS_CRYPTO = True
-except ImportError:
-    HAS_CRYPTO = False
-
+from typing import Iterator
 
 from dissect.target.exceptions import UnsupportedPluginError
-from dissect.target.helpers import keychain
 from dissect.target.plugin import InternalPlugin
 from dissect.target.plugins.os.windows.dpapi.blob import Blob as DPAPIBlob
 from dissect.target.plugins.os.windows.dpapi.master_key import CredSystem, MasterKeyFile
@@ -20,175 +13,176 @@ from dissect.target.target import Target
 
 
 class DPAPIPlugin(InternalPlugin):
-    __namespace__ = "dpapi"
+    """Windows Data Protection API (DPAPI) plugin.
 
-    MASTER_KEY_REGEX = re.compile("^[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}$")
+    Resources:
+        - Reversing ``Crypt32.dll``
+        - https://learn.microsoft.com/en-us/windows/win32/api/dpapi/
+        - https://github.com/fortra/impacket/blob/master/examples/dpapi.py
+        - https://github.com/tijldeneut/DPAPIck3
+        - https://www.passcape.com/index.php?section=docsys&cmd=details&id=28
+    """
 
-    SECURITY_POLICY_KEY = "HKEY_LOCAL_MACHINE\\SECURITY\\Policy"
-    SYSTEM_KEY = "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\LSA"
+    __namespace__ = "dpapi"
 
-    SYSTEM_USERNAME = "System"
+    RE_MASTER_KEY = re.compile("^[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}$")
+    SYSTEM_SID = "S-1-5-18"
 
     def __init__(self, target: Target):
         super().__init__(target)
         self.keychain = cache(self.keychain)
 
     def check_compatible(self) -> None:
-        if not HAS_CRYPTO:
-            raise UnsupportedPluginError("Missing pycryptodome dependency")
-
-        if not list(self.target.registry.keys(self.SYSTEM_KEY)):
-            raise UnsupportedPluginError(f"Registry key not found: {self.SYSTEM_KEY}")
+        if not self.target.has_function("lsa"):
+            raise UnsupportedPluginError("Windows registry and LSA plugins are required for DPAPI decryption")
 
     def keychain(self) -> set:
-        passwords = set()
-
-        for key in keychain.get_keys_for_provider("user") + keychain.get_keys_without_provider():
-            if key.key_type == keychain.KeyType.PASSPHRASE:
-                passwords.add(key.value)
-
-        # It is possible to encrypt using an empty passphrase.
-        passwords.add("")
-        return passwords
-
-    @cached_property
-    def syskey(self) -> bytes:
-        lsa = self.target.registry.key(self.SYSTEM_KEY)
-        syskey_keys = ["JD", "Skew1", "GBG", "Data"]
-        # This magic value rotates the order of the data
-        alterator = [0x8, 0x5, 0x4, 0x2, 0xB, 0x9, 0xD, 0x3, 0x0, 0x6, 0x1, 0xC, 0xE, 0xA, 0xF, 0x7]
-
-        r = bytes.fromhex("".join([lsa.subkey(key).class_name for key in syskey_keys]))
-        return bytes(r[i] for i in alterator)
-
-    @cached_property
-    def lsakey(self) -> bytes:
-        policy_key = "PolEKList"
-
-        encrypted_key = self.target.registry.key(self.SECURITY_POLICY_KEY).subkey(policy_key).value("(Default)").value
-
-        lsa_key = _decrypt_aes(encrypted_key, self.syskey)
-
-        return lsa_key[68:100]
-
-    @cached_property
-    def secrets(self) -> dict[str, bytes]:
-        result = {}
-
-        reg_secrets = self.target.registry.key(self.SECURITY_POLICY_KEY).subkey("Secrets")
-        for subkey in reg_secrets.subkeys():
-            enc_data = subkey.subkey("CurrVal").value("(Default)").value
-            secret = _decrypt_aes(enc_data, self.lsakey)
-            result[subkey.name] = secret
-
-        return result
+        return set(self.target._dpapi_keyprovider.keys())
 
     @cached_property
     def master_keys(self) -> dict[str, dict[str, MasterKeyFile]]:
-        # This assumes that there is no user named System.
-        # As far as I can tell, the name "System" is saved for the actual System user
-        # Therefore the user can't actually exist in `all_with_home`
-        result = {self.SYSTEM_USERNAME: {}}
+        """Returns dict of found DPAPI master keys on the Windows target for SYSTEM and regular users."""
+        master_keys = {}
+
+        # Search for SYSTEM master keys
+        master_keys[self.SYSTEM_SID] = {}
 
-        system_master_key_path = self.target.fs.path("sysvol/Windows/System32/Microsoft/Protect/S-1-5-18")
+        system_master_key_path = self.target.fs.path(f"sysvol/Windows/System32/Microsoft/Protect/{self.SYSTEM_SID}")
         system_user_master_key_path = system_master_key_path.joinpath("User")
 
         for dir in [system_master_key_path, system_user_master_key_path]:
-            user_mks = self._load_master_keys_from_path(self.SYSTEM_USERNAME, dir)
-            result[self.SYSTEM_USERNAME].update(user_mks)
+            user_mks = self._load_master_keys_from_path(self.SYSTEM_SID, dir)
+            master_keys[self.SYSTEM_SID].update(user_mks)
+
+        # Search for user master keys, generally located at $HOME/AppData/Roaming/Microsoft/Protect/{user_sid}/{mk_guid}
+        PROTECT_DIRS = [
+            # Windows Vista and newer
+            "AppData/Roaming/Microsoft/Protect",
+            # Windows XP
+            "Application Data/Microsoft/Protect",
+        ]
 
         for user in self.target.user_details.all_with_home():
-            path = user.home_path.joinpath("AppData/Roaming/Microsoft/Protect").joinpath(user.user.sid)
-            user_mks = self._load_master_keys_from_path(user.user.name, path)
-            if user_mks:
-                result[user.user.name] = user_mks
+            sid = user.user.sid
+            master_keys.setdefault(sid, {})
 
-        return result
+            for protect_dir in PROTECT_DIRS:
+                path = user.home_path.joinpath(protect_dir).joinpath(sid)
+                if user_mks := self._load_master_keys_from_path(sid, path):
+                    master_keys[sid] |= user_mks
 
-    @cached_property
-    def _users(self) -> dict[str, dict[str, str]]:
-        return {u.name: {"sid": u.sid} for u in self.target.users()}
+        return master_keys
+
+    def _load_master_keys_from_path(self, sid: str, path: Path) -> Iterator[tuple[str, MasterKeyFile]]:
+        """Iterate over the provided ``path`` and search for master key files for the given user SID."""
 
-    def _load_master_keys_from_path(self, username: str, path: Path) -> dict[str, MasterKeyFile]:
         if not path.exists():
-            return {}
+            self.target.log.info("Unable to load master keys from path as it does not exist: %s", path)
+            return
 
-        result = {}
         for file in path.iterdir():
-            if self.MASTER_KEY_REGEX.findall(file.name):
-                with file.open() as fh:
-                    mkf = MasterKeyFile(fh)
-
-                if username == self.SYSTEM_USERNAME:
-                    dpapi_system = CredSystem(self.secrets["DPAPI_SYSTEM"][16:])
+            if not self.RE_MASTER_KEY.findall(file.name):
+                continue
+
+            with file.open() as fh:
+                mkf = MasterKeyFile(fh)
+
+            # Decrypt SYSTEM master key using the DPAPI_SYSTEM LSA secret.
+            if sid == self.SYSTEM_SID:
+                if "DPAPI_SYSTEM" not in self.target.lsa._secrets:
+                    self.target.log.warning("Unable to decrypt SYSTEM master key: LSA secret missing")
+                    continue
+
+                # Windows XP
+                if float(self.target.ntversion) < 6.0:
+                    secret_offset = 8
+
+                # Windows Vista and newer
+                else:
+                    secret_offset = 16
+
+                dpapi_system = CredSystem(self.target.lsa._secrets["DPAPI_SYSTEM"][secret_offset:])
+                mkf.decrypt_with_key(dpapi_system.machine_key)
+                mkf.decrypt_with_key(dpapi_system.user_key)
+
+                # Decrypting the System master key should always succeed
+                if not mkf.decrypted:
+                    self.target.log.error("Failed to decrypt SYSTEM master key!")
+                    continue
+
+                yield file.name, mkf
+
+            # Decrypt user master key
+            else:
+                # Iterate over every master key password we have from the keychain
+                for provider, mk_pass in self.keychain():
+                    try:
+                        if mkf.decrypt_with_password(sid, mk_pass):
+                            self.target.log.info(
+                                "Decrypted user master key with password '%s' from provider %s", mk_pass, provider
+                            )
+                            break
+                    except ValueError:
+                        pass
+
+                    try:
+                        if mkf.decrypt_with_hash(sid, bytes.fromhex(mk_pass)):
+                            self.target.log.info(
+                                "Decrypted SID %s master key with hash '%s' from provider %s", sid, mk_pass, provider
+                            )
+                            break
+                    except ValueError:
+                        pass
 
-                    if not mkf.decrypt_with_key(dpapi_system.machine_key):
-                        mkf.decrypt_with_key(dpapi_system.user_key)
+                if not mkf.decrypted:
+                    self.target.log.warning("Could not decrypt master key '%s' for SID '%s'", file.name, sid)
 
-                    # This should not be possible, decrypting the System master key should always succeed
-                    if not mkf.decrypted:
-                        raise Exception("Failed to decrypt System master key")
+                yield file.name, mkf
 
-                if user := self._users.get(username):
-                    for mk_pass in self.keychain():
-                        if mkf.decrypt_with_password(user["sid"], mk_pass):
-                            break
+    @cached_property
+    def _users(self) -> dict[str, str]:
+        """Cached map of username to SID."""
+        return {user.name: user.sid for user in self.target.users()}
 
-                        try:
-                            if mkf.decrypt_with_hash(user["sid"], bytes.fromhex(mk_pass)) is True:
-                                break
-                        except ValueError:
-                            pass
+    def decrypt_system_blob(self, data: bytes) -> bytes:
+        """Decrypt the given bytes using the SYSTEM master key."""
+        return self.decrypt_user_blob(data, sid=self.SYSTEM_SID)
 
-                    if not mkf.decrypted:
-                        self.target.log.warning("Could not decrypt DPAPI master key for username '%s'", username)
+    def decrypt_user_blob(self, data: bytes, username: str | None = None, sid: str | None = None) -> bytes:
+        """Decrypt the given bytes using the master key of the given SID or username."""
 
-                result[file.name] = mkf
+        if not sid and not username:
+            raise ValueError("Either sid or username argument is required")
 
-        return result
+        if not sid and username:
+            sid = self._users.get(username)
 
-    def decrypt_system_blob(self, data: bytes) -> bytes:
-        """Decrypt the given bytes using the System master key."""
-        return self.decrypt_user_blob(data, self.SYSTEM_USERNAME)
+        if not sid:
+            raise ValueError("No SID provided or no SID found")
 
-    def decrypt_user_blob(self, data: bytes, username: str) -> bytes:
-        """Decrypt the given bytes using the master key of the given user."""
-        blob = DPAPIBlob(data)
+        try:
+            blob = DPAPIBlob(data)
+        except EOFError as e:
+            raise ValueError(f"Failed to parse DPAPI blob: {e}")
 
-        if not (mk := self.master_keys.get(username, {}).get(blob.guid)):
-            raise ValueError(f"Blob UUID is unknown to {username} master keys")
+        if not (mk := self.master_keys.get(sid, {}).get(blob.guid)):
+            raise ValueError(f"Blob is encrypted using master key {blob.guid} that we do not have for SID {sid}")
 
         if not blob.decrypt(mk.key):
-            raise ValueError(f"Failed to decrypt blob for user {username}")
+            raise ValueError(f"Failed to decrypt blob for SID {sid}")
 
         return blob.clear_text
 
     def decrypt_blob(self, data: bytes) -> bytes:
         """Attempt to decrypt the given bytes using any of the available master keys."""
-        blob = DPAPIBlob(data)
+        try:
+            blob = DPAPIBlob(data)
+        except EOFError as e:
+            raise ValueError(f"Failed to parse DPAPI blob: {e}")
 
         for user in self.master_keys:
             for mk in self.master_keys[user].values():
                 if blob.decrypt(mk.key):
                     return blob.clear_text
 
-        raise ValueError("Failed to decrypt blob")
-
-
-def _decrypt_aes(data: bytes, key: bytes) -> bytes:
-    ctx = hashlib.sha256()
-    ctx.update(key)
-
-    tmp = data[28:60]
-    for _ in range(1, 1000 + 1):
-        ctx.update(tmp)
-
-    aeskey = ctx.digest()
-    iv = b"\x00" * 16
-
-    result = []
-    for i in range(60, len(data), 16):
-        cipher = AES.new(aeskey, AES.MODE_CBC, iv)
-        result.append(cipher.decrypt(data[i : i + 16].ljust(16, b"\x00")))
-
-    return b"".join(result)
+        raise ValueError("Failed to decrypt blob using any available master key")

dissect/target/plugins/os/windows/dpapi/keyprovider/credhist.py

@@ -0,0 +1,21 @@
+from typing import Iterator
+
+from dissect.target.exceptions import UnsupportedPluginError
+from dissect.target.plugin import export
+from dissect.target.plugins.os.windows.dpapi.keyprovider.keyprovider import (
+    KeyProviderPlugin,
+)
+
+
+class CredHistKeyProviderPlugin(KeyProviderPlugin):
+    __namespace__ = "_dpapi_keyprovider_credhist"
+
+    def check_compatible(self) -> None:
+        if not self.target.has_function("credhist"):
+            raise UnsupportedPluginError("CREDHIST plugin not available on target")
+
+    @export(output="yield")
+    def keys(self) -> Iterator[tuple[str, str]]:
+        for credhist in self.target.credhist():
+            if value := getattr(credhist, "sha1"):
+                yield self.__namespace__, value

dissect/target/plugins/os/windows/dpapi/keyprovider/empty.py

@@ -0,0 +1,17 @@
+from typing import Iterator
+
+from dissect.target.plugin import export
+from dissect.target.plugins.os.windows.dpapi.keyprovider.keyprovider import (
+    KeyProviderPlugin,
+)
+
+
+class EmptyKeyProviderPlugin(KeyProviderPlugin):
+    __namespace__ = "_dpapi_keyprovider_empty"
+
+    def check_compatible(self) -> None:
+        return
+
+    @export(output="yield")
+    def keys(self) -> Iterator[tuple[str, str]]:
+        yield self.__namespace__, ""

dissect/target/plugins/os/windows/dpapi/keyprovider/keychain.py

@@ -0,0 +1,20 @@
+from typing import Iterator
+
+from dissect.target.helpers import keychain
+from dissect.target.plugin import export
+from dissect.target.plugins.os.windows.dpapi.keyprovider.keyprovider import (
+    KeyProviderPlugin,
+)
+
+
+class KeychainKeyProviderPlugin(KeyProviderPlugin):
+    __namespace__ = "_dpapi_keyprovider_keychain"
+
+    def check_compatible(self) -> None:
+        return
+
+    @export(output="yield")
+    def keys(self) -> Iterator[tuple[str, str]]:
+        for key in keychain.get_keys_for_provider("user") + keychain.get_keys_without_provider():
+            if key.key_type == keychain.KeyType.PASSPHRASE:
+                yield self.__namespace__, key.value

dissect/target/plugins/os/windows/dpapi/keyprovider/keyprovider.py

@@ -0,0 +1,8 @@
+from dissect.target.plugin import InternalNamespacePlugin
+
+
+class KeyProviderPlugin(InternalNamespacePlugin):
+    __namespace__ = "_dpapi_keyprovider"
+
+    def check_compatible(self) -> None:
+        return None

dissect/target/plugins/os/windows/dpapi/keyprovider/lsa.py

@@ -0,0 +1,38 @@
+from typing import Iterator
+
+from dissect.cstruct import cstruct
+
+from dissect.target.exceptions import UnsupportedPluginError
+from dissect.target.plugin import export
+from dissect.target.plugins.os.windows.dpapi.keyprovider.keyprovider import (
+    KeyProviderPlugin,
+)
+
+defaultpassword_def = """
+struct DefaultPassword {
+    DWORD   length;
+    char    flags[4*3];
+    WCHAR   data[length/2];
+    char    checksum_or_guid[0x10];
+};
+"""
+
+c_defaultpassword = cstruct().load(defaultpassword_def)
+
+
+class LSADefaultPasswordKeyProviderPlugin(KeyProviderPlugin):
+    __namespace__ = "_dpapi_keyprovider_lsa_defaultpassword"
+
+    def check_compatible(self) -> None:
+        if not self.target.has_function("lsa"):
+            raise UnsupportedPluginError("LSA plugin not available on target")
+
+    @export(output="yield")
+    def keys(self) -> Iterator[tuple[str, str]]:
+        if default_pass := self.target.lsa._secrets.get("DefaultPassword"):
+            try:
+                value = c_defaultpassword.DefaultPassword(default_pass).data
+            except Exception:
+                self.target.log.warning("Failed to parse LSA DefaultPassword value")
+                return
+            yield self.__namespace__, value

dissect/target/plugins/os/windows/dpapi/master_key.py

@@ -95,6 +95,9 @@ class MasterKey:
 
     def decrypt_with_password(self, user_sid: str, pwd: str) -> bool:
         """Decrypts the master key with the given user's password and SID."""
+        if self.decrypted:
+            return True
+
         pwd = pwd.encode("utf-16-le")
 
         for algo in ["sha1", "md4"]: