Parse and decrypt Windows DPAPI from raw bytes — DPAPI_BLOB, AES/3DES blob decryption given a master key, and Chrome/Edge v10/v20 cookie unwrap — with audited crypto and zero I/O.
DPAPI is one of the largest Windows credential-protection surfaces: Chrome/Edge
saved passwords and the cookie key, Credential Manager, Vault, Wi-Fi keys, and
the master-key files themselves. The blob format and the decrypt-given-key
crypto are identical on disk and in live memory — so dpapi-core is a pure
&[u8]-in library that both a memory tool and a disk tool can share.
```toml
[dependencies]
dpapi-core = "0.1"
```

```rust
use dpapi_core::{parse_dpapi_blob, decrypt_dpapi_blob};

// `master_key` comes from your key source (LSASS cache in memory, or a
// master-key file + password derivation on disk).
let blob = parse_dpapi_blob(raw_blob_bytes)?;
let plaintext = decrypt_dpapi_blob(&blob, master_key)?;
# Ok::<(), dpapi_core::DpapiError>(())
```

Chrome/Edge cookies (Local State key already recovered):
```rust
use dpapi_core::{detect_chrome_cookie_encoding, decrypt_v10_cookie, ChromeCookieEncoding};

if let ChromeCookieEncoding::V10 { nonce, ciphertext } =
    detect_chrome_cookie_encoding(encrypted_value)
{
    let cookie = decrypt_v10_cookie(&nonce, &ciphertext, &aes_key)?;
}
# Ok::<(), dpapi_core::DpapiError>(())
```

dpapi-core (the library) is byte-oriented and performs no I/O:

- `parse_dpapi_blob(&[u8])` — decode the `DPAPI_BLOB` wire format: version, master-key GUID, description, algorithm IDs, HMAC key, ciphertext, and HMAC.
- `decrypt_dpapi_blob(blob, master_key)` — derive the session key (HMAC-SHA1) and decrypt with AES-256-CBC or 3DES-CBC.
- `detect_chrome_cookie_encoding` / `decrypt_v10_cookie` — classify a Chrome/Edge `encrypted_value` (v10/v20/classic-DPAPI/raw) and unwrap the AES-256-GCM variants.
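The two parse-side pieces above, as an added example that is not dpapi-core's own code: a std-only decoder for the `DPAPI_BLOB` wire layout that `parse_dpapi_blob` handles, and a classifier for the v10 / v20 / classic-DPAPI / raw `encrypted_value` cases. Field names follow the public `DPAPI_BLOB` layout; `Reader`, `ParseError`, `CookieEncoding`, `sample_blob` and the sample blob's contents are this example's own constructions, and the decrypt step (which the library does with RustCrypto) is deliberately left out. The point it illustrates is the one the README makes: every length is bounds-checked, so a truncated or hostile blob comes back as a typed error rather than a panic or a guess.

```rust
// Added example, not dpapi-core's own code: a std-only parser for the public
// DPAPI_BLOB wire layout plus a classifier for Chrome/Edge `encrypted_value`
// prefixes. Every length is bounds-checked; decryption itself is not shown.
/// DPAPI provider GUID {df9d8cd0-1501-d111-8c7a-00c04fc297eb} as it appears on the wire.
pub const DPAPI_PROVIDER_GUID: [u8; 16] = [
    0xd0, 0x8c, 0x9d, 0xdf, 0x01, 0x15, 0xd1, 0x11, 0x8c, 0x7a, 0x00, 0xc0, 0x4f, 0xc2, 0x97, 0xeb,
];
#[derive(Debug, PartialEq)]
pub enum ParseError { Truncated { field: &'static str, need: usize, have: usize }, BadVersion(u32), BadProvider }

#[derive(Debug, PartialEq)]
pub struct DpapiBlob<'a> {
    pub master_key_guid: [u8; 16], // which master key (by GUID) decrypts this blob
    pub description: String,
    pub alg_crypt: u32, // 0x6610 = CALG_AES_256, 0x6603 = CALG_3DES
    pub alg_hash: u32,  // 0x800e = CALG_SHA_512, 0x8004 = CALG_SHA1
    pub salt: &'a [u8],
    pub hmac2_key: &'a [u8], // session-key derivation input (pbHmacKey is normally empty)
    pub ciphertext: &'a [u8],
    pub signature: &'a [u8], // HMAC over the blob, verified alongside decryption
}

struct Reader<'a> { buf: &'a [u8], pos: usize }
impl<'a> Reader<'a> {
    fn take(&mut self, n: usize, field: &'static str) -> Result<&'a [u8], ParseError> {
        let have = self.buf.len() - self.pos;
        if have < n { return Err(ParseError::Truncated { field, need: n, have }); }
        self.pos += n;
        Ok(&self.buf[self.pos - n..self.pos])
    }
    fn u32(&mut self, field: &'static str) -> Result<u32, ParseError> {
        self.take(4, field).map(|b| u32::from_le_bytes([b[0], b[1], b[2], b[3]]))
    }
    fn lv(&mut self, field: &'static str) -> Result<&'a [u8], ParseError> { // DWORD length || bytes
        let n = self.u32(field)? as usize;
        self.take(n, field)
    }
}

pub fn parse_dpapi_blob(raw: &[u8]) -> Result<DpapiBlob<'_>, ParseError> {
    let mut r = Reader { buf: raw, pos: 0 };
    let version = r.u32("dwVersion")?;
    if version != 1 { return Err(ParseError::BadVersion(version)); }
    if r.take(16, "guidProvider")? != &DPAPI_PROVIDER_GUID[..] { return Err(ParseError::BadProvider); }
    r.u32("dwMasterKeyVersion")?;
    let mut master_key_guid = [0u8; 16];
    master_key_guid.copy_from_slice(r.take(16, "guidMasterKey")?);
    r.u32("dwFlags")?;
    let desc = r.lv("szDescription")?; // UTF-16LE, NUL-terminated
    let units: Vec<u16> = desc.chunks_exact(2).map(|p| u16::from_le_bytes([p[0], p[1]])).collect();
    let description = String::from_utf16_lossy(&units).trim_end_matches('\0').to_string();
    let alg_crypt = r.u32("algCrypt")?;
    r.u32("dwAlgCryptLen")?;
    let salt = r.lv("pbSalt")?;
    r.lv("pbHmacKey")?;
    let alg_hash = r.u32("algHash")?;
    r.u32("dwAlgHashLen")?;
    let hmac2_key = r.lv("pbHmac2Key")?;
    let ciphertext = r.lv("pbData")?;
    let signature = r.lv("pbSign")?;
    Ok(DpapiBlob { master_key_guid, description, alg_crypt, alg_hash, salt, hmac2_key, ciphertext, signature })
}

#[derive(Debug, PartialEq)]
pub enum CookieEncoding<'a> {
    V10 { nonce: &'a [u8], ciphertext: &'a [u8] }, // AES-256-GCM, key from Local State (DPAPI-wrapped)
    V20 { nonce: &'a [u8], ciphertext: &'a [u8] }, // AES-256-GCM, app-bound key
    Dpapi,     // bare DPAPI_BLOB: hand it to `parse_dpapi_blob`
    Malformed, // v10/v20 prefix but too short to hold nonce + tag
    Raw,
}

/// v10/v20 layout: 3-byte prefix || 12-byte GCM nonce || ciphertext || 16-byte tag.
pub fn detect_cookie_encoding(v: &[u8]) -> CookieEncoding<'_> {
    if v.starts_with(b"v10") || v.starts_with(b"v20") {
        if v.len() < 3 + 12 + 16 { return CookieEncoding::Malformed; }
        let (nonce, ciphertext) = (&v[3..15], &v[15..]);
        return if v.starts_with(b"v10") { CookieEncoding::V10 { nonce, ciphertext } }
               else { CookieEncoding::V20 { nonce, ciphertext } };
    }
    if v.len() >= 20 && v[..4] == [1u8, 0, 0, 0] && v[4..20] == DPAPI_PROVIDER_GUID { return CookieEncoding::Dpapi; }
    CookieEncoding::Raw
}

/// Constructed sample (not a real artefact): AES-256 / SHA-512 blob, 48-byte ciphertext, 64-byte HMAC.
pub fn sample_blob() -> Vec<u8> {
    let lv = |x: &[u8]| [&(x.len() as u32).to_le_bytes()[..], x].concat(); // DWORD length || bytes
    let desc: Vec<u8> = "demo\0".encode_utf16().flat_map(|u| u.to_le_bytes()).collect();
    vec![
        1u32.to_le_bytes().to_vec(), DPAPI_PROVIDER_GUID.to_vec(),                // dwVersion, guidProvider
        1u32.to_le_bytes().to_vec(), vec![0x11; 16], 0u32.to_le_bytes().to_vec(), // dwMasterKeyVersion, guidMasterKey, dwFlags
        lv(&desc),                                                                // szDescription
        0x6610u32.to_le_bytes().to_vec(), 256u32.to_le_bytes().to_vec(),          // algCrypt = CALG_AES_256, dwAlgCryptLen
        lv(&[0xaa; 32]), lv(&[]),                                                 // pbSalt, pbHmacKey (empty)
        0x800eu32.to_le_bytes().to_vec(), 512u32.to_le_bytes().to_vec(),          // algHash = CALG_SHA_512, dwAlgHashLen
        lv(&[0xbb; 32]), lv(&[0xcc; 48]), lv(&[0xdd; 64]),                        // pbHmac2Key, pbData, pbSign
    ].concat()
}
```

`parse_dpapi_blob(&sample_blob())` yields `description == "demo"`, `alg_crypt == 0x6610`, `alg_hash == 0x800e` and a 48-byte `ciphertext`; cutting the same bytes at offset 40 returns `Truncated { field: "dwFlags", need: 4, have: 0 }`, which is the behaviour a consumer wants when the blob came from an untrusted dump. `detect_cookie_encoding` returns `Dpapi` for that blob, `V10`/`V20` with the nonce and ciphertext split out for prefixed values, and `Malformed` for a prefixed value that cannot hold a nonce and tag.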
All cryptography uses audited RustCrypto crates
(`aes`, `aes-gcm`, `cbc`, `des`, `hmac`, `sha1`, `sha2`). No primitive is
hand-rolled. A bad key, IV length, or HMAC surfaces as a typed `DpapiError` —
the library never fabricates plausible-but-wrong plaintext.
Step 1 (this release) ships the byte-oriented `dpapi-core` primitives, validated
by the unit tests carried over from `memory-forensic`. The `dpapi-forensic`
crate is a stub that re-exports `dpapi-core` and documents the roadmap.
Step 2 (planned):

- `masterkey.rs` in `dpapi-core` — parse master-key files (`%APPDATA%\Microsoft\Protect\<SID>\<GUID>`) and derive the key-protection key from the user password (SHA1 → PBKDF2-HMAC) or the domain backup key.
- `dpapi-forensic` auditor — enumerate and decrypt Chrome/Edge passwords + cookie key, Credential Manager, Vault, and Wi-Fi keys on an acquired filesystem, emitting graded `forensicnomicon` findings.
- `dpapi4n6` CLI per the fleet `*4n6` pattern, plus a tag-driven release workflow.