From 0d608e51465188b59ed6c48b3d09a452eddf09de Mon Sep 17 00:00:00 2001
From: Signum21
Date: Tue, 5 Mar 2024 04:17:29 +0100
Subject: [PATCH] Add option to get the GUID of the preferred masterkey from the Preferred file
---
 pypykatz/dpapi/cmdhelper.py | 4 ++++
 pypykatz/dpapi/dpapi.py | 9 +++++++++
 2 files changed, 13 insertions(+)
diff --git a/pypykatz/dpapi/cmdhelper.py b/pypykatz/dpapi/cmdhelper.py
index ab6f0d9..4eb8ea3 100644
--- a/pypykatz/dpapi/cmdhelper.py
+++ b/pypykatz/dpapi/cmdhelper.py
@@ -100,6 +100,8 @@ def add_args(self, parser, live_parser):
 dpapi_minidump_group.add_argument('minidumpfile', help='path to minidump file')
 dpapi_minidump_group.add_argument('-o', '--out-file', help= 'Master and Backup keys will be stored in this file. Easier to handle in other commands.')
+ dpapi_preferredkey_group = dpapi_subparsers.add_parser('preferredkey', help='Get preferred masterkey GUID')
+ dpapi_preferredkey_group.add_argument('preferredkeyfile', help='path to preferred masterkey file')
 dpapi_masterkey_group = dpapi_subparsers.add_parser('masterkey', help='Decrypt masterkey file')
 dpapi_masterkey_group.add_argument('masterkeyfile', help='path to masterkey file')
@@ -210,6 +212,8 @@ def run(self, args):
 else:
 dpapi.dump_pre_keys()
+ elif args.dapi_module == 'preferredkey':
+ dpapi.dump_preferred_masterkey_guid(args.preferredkeyfile)
 elif args.dapi_module == 'masterkey':
 if args.prekey is None:
diff --git a/pypykatz/dpapi/dpapi.py b/pypykatz/dpapi/dpapi.py
index 97745bd..dc41084 100644
--- a/pypykatz/dpapi/dpapi.py
+++ b/pypykatz/dpapi/dpapi.py
@@ -131,6 +131,15 @@ def load_prekeys(self, filename):
 line = line.strip()
 self.prekeys[bytes.fromhex(line)] = 1
+ def dump_preferred_masterkey_guid(self, filename):
+ from uuid import UUID
+
+ with open(filename, 'rb') as f:
+ b = f.read()[:16]
+
+ guid = UUID(bytes_le = b)
+ print('[GUID] %s' % guid)
+
 def dump_masterkeys(self, filename = None):
 if filename is None:
 for x in self.masterkeys:
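Review bot: The help text on the new `preferredkeyfile` argument in cmdhelper.py, 'path to preferred masterkey file', reads as if the masterkey file itself were expected, while the commit subject says the input is the `Preferred` file. I would word it as `help='path to the "Preferred" file stored next to the masterkey files'`, so an analyst does not pass a GUID-named masterkey file and get a meaningless GUID printed. add_args starts and ends outside this hunk.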
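Review bot: `dump_preferred_masterkey_guid` in pypykatz/dpapi/dpapi.py never checks what it read: a file shorter than 16 bytes makes `UUID(bytes_le = b)` raise a bare ValueError, and any other file of 16 bytes or more prints a plausible-looking but wrong GUID. Reading only what is needed and checking the length would make the failure explicit: `b = f.read(16)` followed by `if len(b) != 16: raise ValueError('Preferred file too short: %s' % filename)`. As far as I know a Preferred file is 24 bytes (the GUID plus an 8-byte timestamp), so comparing the file size against that would also catch a wrong input file, but confirm the layout before hard-coding it. The method also has no docstring and only prints the GUID; returning it as well would let the `preferredkey` branch in cmdhelper.py and other callers reuse the value.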