patterns: Added DPAPI Blob, DPAPI MasterKey, CREDHIST patterns (#328)

* [+]Added DPAPI MasterKey & Updated README.md

* [+]Added DPAPI Blob Pattern & Updated README.md

* [+] Added CREDHIST Pattern &  Updated README.md

* [+] Test Files added for dpapimasterkey, dpapiblob & CREDHIST

README.md

@@ -50,10 +50,13 @@ Everything will immediately show up in ImHex's Content Store and gets bundled wi
 | COFF | `application/x-coff` | [`patterns/coff.hexpat`](patterns/coff.hexpat) | Common Object File Format (COFF) executable |
 | CPIO | `application/x-cpio` | [`patterns/cpio.hexpat`](patterns/cpio.hexpat) | Old Binary CPIO Format |
 | CrashLvl | | [`patterns/Crashlvl.hexpat`](patterns/Crashlvl.hexpat) | Crash Bandicoot - Back in Time (fan game) User created level format |
+| CREDHIST | | [`patterns/credhist.hexpat`](patterns/credhist.hexpat) | CREDHIST Format |
 | DDS | `image/vnd-ms.dds` | [`patterns/dds.hexpat`](patterns/dds.hexpat) | DirectDraw Surface |
 | DEX | | [`patterns/dex.hexpat`](patterns/dex.hexpat) | Dalvik EXecutable Format |
 | DICOM | `application/dicom` | [`patterns/dicom.hexpat`](patterns/dicom.hexpat) | DICOM image format |
 | DMG | | [`patterns/dmg.hexpat`](patterns/dmg.hexpat) | Apple Disk Image Trailer (DMG) |
+| DPAPI_Blob | | [`patterns/dpapblob.hexpat`](patterns/dpapiblob.hexpat) | Data protection API Blob File Format |
+| DPAPI_MasterKey | | [`patterns/dpapimasterkey.hexpat`](patterns/dpapimasterkey.hexpat) | Data protection API MasterKey |
 | DS_Store | | [`patterns/dsstore.hexpat`](patterns/dsstore.hexpat) | .DS_Store file format |
 | DTA | | [`patterns/max_v104.hexpat`](patterns/max_v104.hexpat) | Mechanized Assault and Exploration v1.04 (strategy game) save file format |
 | DTED | | [`patterns/dted.hexpat`](patterns/dted.hexpat) | Digital Terrain Elevation Data (DTED) |

patterns/credhist.hexpat

@@ -0,0 +1,99 @@
+#pragma description "CREDHIST"
+
+/*
+        FilePath: C:\Users\<USER>\AppData\Roaming\Microsoft\Protect\
+        The files/folders are hidden.
+
+        To unhide it
+        1. Open Command Prompt (cmd.exe).
+        2. Run the following command:
+            => attrib -h -s
+
+*/
+
+import type.guid;
+import std.mem;
+
+// https://learn.microsoft.com/en-us/windows/win32/seccrypto/alg-id
+enum ALG_ID : u32 {
+    CALG_DH_EPHEM = 0x0000aa02,        // Diffie-Hellman ephemeral key exchange algorithm.
+    CALG_DH_SF = 0x0000aa01,           // Diffie-Hellman store and forward key exchange algorithm.
+    CALG_DSS_SIGN = 0x00002200,        // DSA public key signature algorithm.
+    CALG_ECDH = 0x0000aa05,            // Elliptic curve Diffie-Hellman key exchange algorithm.
+    CALG_ECDH_EPHEM = 0x0000ae06,      // Ephemeral elliptic curve Diffie-Hellman key exchange algorithm.
+    CALG_ECDSA = 0x00002203,           // Elliptic curve digital signature algorithm.
+    CALG_ECMQV = 0x0000a001,           // Elliptic curve Menezes, Qu, and Vanstone (MQV) key exchange algorithm.
+    CALG_HASH_REPLACE_OWF = 0x0000800b, // One way function hashing algorithm.
+    CALG_HUGHES_MD5 = 0x0000a003,      // Hughes MD5 hashing algorithm.
+    CALG_HMAC = 0x00008009,            // HMAC keyed hash algorithm.
+    CALG_KEA_KEYX = 0x0000aa04,        // KEA key exchange algorithm (FORTEZZA).
+    CALG_MAC = 0x00008005,             // MAC keyed hash algorithm.
+    CALG_MD2 = 0x00008001,             // MD2 hashing algorithm.
+    CALG_MD4 = 0x00008002,             // MD4 hashing algorithm.
+    CALG_MD5 = 0x00008003,             // MD5 hashing algorithm.
+    CALG_NO_SIGN = 0x00002000,         // No signature algorithm.
+    CALG_OID_INFO_CNG_ONLY = 0xffffffff, // Algorithm is only implemented in CNG.
+    CALG_OID_INFO_PARAMETERS = 0xfffffffe, // Algorithm is defined in the encoded parameters.
+    CALG_PCT1_MASTER = 0x00004c04,     // Used by the Schannel.dll operations system.
+    CALG_RC2 = 0x00006602,             // RC2 block encryption algorithm.
+    CALG_RC4 = 0x00006801,             // RC4 stream encryption algorithm.
+    CALG_RC5 = 0x0000660d,             // RC5 block encryption algorithm.
+    CALG_RSA_KEYX = 0x0000a400,        // RSA public key exchange algorithm.
+    CALG_RSA_SIGN = 0x00002400,        // RSA public key signature algorithm.
+    CALG_SCHANNEL_ENC_KEY = 0x00004c07, // Used by the Schannel.dll operations system.
+    CALG_SCHANNEL_MAC_KEY = 0x00004c03, // Used by the Schannel.dll operations system.
+    CALG_SCHANNEL_MASTER_HASH = 0x00004c02, // Used by the Schannel.dll operations system.
+    CALG_SEAL = 0x00006802,            // SEAL encryption algorithm.
+    CALG_SHA = 0x00008004,             // SHA hashing algorithm.
+    CALG_SHA1 = 0x00008004,            // Same as CALG_SHA.
+    CALG_SHA_256 = 0x0000800c,         // 256-bit SHA hashing algorithm.
+    CALG_SHA_384 = 0x0000800d,         // 384-bit SHA hashing algorithm.
+    CALG_SHA_512 = 0x0000800e,         // 512-bit SHA hashing algorithm.
+    CALG_SKIPJACK = 0x0000660a,        // Skipjack block encryption algorithm (FORTEZZA).
+    CALG_SSL2_MASTER = 0x00004c05,     // Used by the Schannel.dll operations system.
+    CALG_SSL3_MASTER = 0x00004c01,     // Used by the Schannel.dll operations system.
+    CALG_SSL3_SHAMD5 = 0x00008008,     // Used by the Schannel.dll operations system.
+    CALG_TEK = 0x0000660b,             // TEK (FORTEZZA).
+    CALG_TLS1_MASTER = 0x00004c06,     // Used by the Schannel.dll operations system.
+    CALG_TLS1PRF = 0x0000800a          // Used by the Schannel.dll operations system.
+};
+
+// https://devblogs.microsoft.com/oldnewthing/20040315-00/?p=40253
+struct SID {
+    u8 revisionlvl[[name("RevisionLevel"), comment("SID_REVISION")]];
+    u8 dashes[[name("NoOfDashes"), comment("number of dashes minus two")]]; // dashes = actualdashes - 0x2
+    char ntauth[0x6][[name("NtAuthority"), comment("SECURITY_NT_AUTHORITY")]];
+    u32  subatuh1[[name("SubAuthority1"), comment("SECURITY_NT_NON_UNIQUE")]];
+    u32  subatuh2[[name("SubAuthority2"), comment("these identify the machine that issued the SID")]];
+    u32  subatuh3[[name("SubAuthority3"), comment("these identify the machine that issued the SID")]];
+    u32  subatuh4[[name("SubAuthority4"), comment("these identify the machine that issued the SID")]];
+    u32  rid[[name("RID"), comment("unique user id on the machine")]];
+};  
+
+
+struct CREDHIST_HEADER{
+    u32 version[[name("Version")]];
+    type::GUID guid[[name("GUID")]];
+    u32 nextlen[[name("NextCredSize")]];
+};
+
+struct CREDHIST {
+    CREDHIST_HEADER credheader[[name("CredHistHeader")]];
+    if (std::mem::eof()){
+        break;
+    }
+    u32 flgas [[name("Flags")]];
+    ALG_ID alghashid[[name("AlgorithmHashId")]];
+    u32 rounds [[name("Rounds")]];
+    u32 sidlen [[name("SIDLen")]];
+    ALG_ID algcryptid[[name("AlgorithmCryptId")]];
+    u32 sha1len[[name("SHA1Len")]];
+    u32 md4len[[name("ntlmlen")]];
+    char salt[0x10][[name("Salt")]];
+    SID sid[[name("SID")]];
+    char sha1hash[sha1len][[name("SHA1Hash")]];
+    char md4hash[md4len][[name("NTLMHash")]];
+    u64 unk1[[name("Unknown")]];
+};
+
+CREDHIST credhist [while(!std::mem::eof())] @ 0x0[[name("CredHist")]];

patterns/dpapiblob.hexpat

@@ -0,0 +1,73 @@
+#pragma description "DPAPI Blob"
+
+import type.guid;
+import std.mem;
+
+enum ALG_ID : u32 {
+    CALG_DH_EPHEM = 0x0000aa02,        
+    CALG_DH_SF = 0x0000aa01,           
+    CALG_DSS_SIGN = 0x00002200,        
+    CALG_ECDH = 0x0000aa05,            
+    CALG_ECDH_EPHEM = 0x0000ae06,      
+    CALG_ECDSA = 0x00002203,           
+    CALG_ECMQV = 0x0000a001,           
+    CALG_HASH_REPLACE_OWF = 0x0000800b, 
+    CALG_HUGHES_MD5 = 0x0000a003,      
+    CALG_HMAC = 0x00008009,            
+    CALG_KEA_KEYX = 0x0000aa04,        
+    CALG_MAC = 0x00008005,             
+    CALG_MD2 = 0x00008001,             
+    CALG_MD4 = 0x00008002,             
+    CALG_MD5 = 0x00008003,             
+    CALG_NO_SIGN = 0x00002000,         
+    CALG_OID_INFO_CNG_ONLY = 0xffffffff, 
+    CALG_OID_INFO_PARAMETERS = 0xfffffffe, 
+    CALG_PCT1_MASTER = 0x00004c04,     
+    CALG_RC2 = 0x00006602,             
+    CALG_RC4 = 0x00006801,             
+    CALG_RC5 = 0x0000660d,             
+    CALG_RSA_KEYX = 0x0000a400,        
+    CALG_RSA_SIGN = 0x00002400,        
+    CALG_SCHANNEL_ENC_KEY = 0x00004c07, 
+    CALG_SCHANNEL_MAC_KEY = 0x00004c03, 
+    CALG_SCHANNEL_MASTER_HASH = 0x00004c02, 
+    CALG_SEAL = 0x00006802,            
+    CALG_SHA = 0x00008004,             
+    CALG_SHA1 = 0x00008004,            
+    CALG_SHA_256 = 0x0000800c,         
+    CALG_SHA_384 = 0x0000800d,         
+    CALG_SHA_512 = 0x0000800e,         
+    CALG_SKIPJACK = 0x0000660a,        
+    CALG_SSL2_MASTER = 0x00004c05,     
+    CALG_SSL3_MASTER = 0x00004c01,     
+    CALG_SSL3_SHAMD5 = 0x00008008,     
+    CALG_TEK = 0x0000660b,             
+    CALG_TLS1_MASTER = 0x00004c06,     
+    CALG_TLS1PRF = 0x0000800a          
+};
+
+struct DPAPI_BLOB{
+    u32 version[[name("Version")]];
+    type::GUID providerguid[[name("ProviderGUID")]];
+    u32 masterguid[[name("MasterKeyVersion")]];
+    type::GUID guid[[name("MasterKeyGUID")]];
+    u32 flags[[name("Flags")]];
+    u32 desclen [[name("DescriptionLen")]];
+    char16 desc[desclen / 0x02 ] [[name("Description")]];
+    ALG_ID cryptid [[name("AlgCryptId")]];
+    u32 algcryptlen[[name("AlgCryptLen")]];
+    u32 saltlen [[name("SaltLen")]];
+    char salt[saltlen][[name("Salt")]];
+    u32 hmackeylen[[name("HMACKeyLen")]];
+    char hmackey[hmackeylen][[name("HMACKey")]];
+    ALG_ID algid[[name("AlgHashId")]];
+    u32 alghashkeylen[[name("AlgHashKeyLen")]];
+    u32 hmac2keylen[[name("HMAC2keylen")]];
+    char hmac2[hmac2keylen][[name("HMAC2Key")]];
+    u32 datalen[[name("DataLen")]];
+    char data[datalen][[name("Data")]];
+    u32 signlen[[name("signlen")]];
+    char signhash[signlen][[name("SignHash")]];
+};
+
+DPAPI_BLOB dpapiblob @0x00 [[name("DPAPIBlob")]];

patterns/dpapimasterkey.hexpat

@@ -0,0 +1,124 @@
+#pragma description "DPAPIMasterKey"
+
+/*
+        FilePath: C:\Users\<USER>\AppData\Roaming\Microsoft\Protect\<SID>
+        This files are hidden.
+        To unhide it,
+        1. Open Command Prompt (cmd.exe).
+        2. Run the following command:
+        - attrib -h -s
+
+*/
+
+import type.guid;
+
+// https://learn.microsoft.com/en-us/windows/win32/seccrypto/alg-id
+enum ALG_ID : u32 {
+    CALG_DH_EPHEM = 0x0000aa02,        
+    CALG_DH_SF = 0x0000aa01,           
+    CALG_DSS_SIGN = 0x00002200,        
+    CALG_ECDH = 0x0000aa05,            
+    CALG_ECDH_EPHEM = 0x0000ae06,      
+    CALG_ECDSA = 0x00002203,           
+    CALG_ECMQV = 0x0000a001,           
+    CALG_HASH_REPLACE_OWF = 0x0000800b, 
+    CALG_HUGHES_MD5 = 0x0000a003,      
+    CALG_HMAC = 0x00008009,            
+    CALG_KEA_KEYX = 0x0000aa04,        
+    CALG_MAC = 0x00008005,             
+    CALG_MD2 = 0x00008001,             
+    CALG_MD4 = 0x00008002,             
+    CALG_MD5 = 0x00008003,             
+    CALG_NO_SIGN = 0x00002000,         
+    CALG_OID_INFO_CNG_ONLY = 0xffffffff, 
+    CALG_OID_INFO_PARAMETERS = 0xfffffffe, 
+    CALG_PCT1_MASTER = 0x00004c04,     
+    CALG_RC2 = 0x00006602,             
+    CALG_RC4 = 0x00006801,             
+    CALG_RC5 = 0x0000660d,             
+    CALG_RSA_KEYX = 0x0000a400,        
+    CALG_RSA_SIGN = 0x00002400,        
+    CALG_SCHANNEL_ENC_KEY = 0x00004c07, 
+    CALG_SCHANNEL_MAC_KEY = 0x00004c03, 
+    CALG_SCHANNEL_MASTER_HASH = 0x00004c02, 
+    CALG_SEAL = 0x00006802,            
+    CALG_SHA = 0x00008004,             
+    CALG_SHA1 = 0x00008004,            
+    CALG_SHA_256 = 0x0000800c,         
+    CALG_SHA_384 = 0x0000800d,         
+    CALG_SHA_512 = 0x0000800e,         
+    CALG_SKIPJACK = 0x0000660a,        
+    CALG_SSL2_MASTER = 0x00004c05,     
+    CALG_SSL3_MASTER = 0x00004c01,     
+    CALG_SSL3_SHAMD5 = 0x00008008,     
+    CALG_TEK = 0x0000660b,             
+    CALG_TLS1_MASTER = 0x00004c06,     
+    CALG_TLS1PRF = 0x0000800a          
+};
+
+
+struct CREDHIST_MASTERKEY {
+    u32 version[[name("Version")]];
+    type::GUID guid[[name("GUID")]];
+    
+};
+
+struct DOMAINKEY_MASTERKEY {
+    u32 version[[name("Version")]];
+    u32 seclen[[name("SecretLen")]];
+    u32 accesschklen[[name("AccessCheckLen")]];
+    type::GUID backupguid_[[name("BackupKeyGUID")]];
+    char blob[seclen][[name("Secret")]];
+    char accesschk[accesschklen][[name("AccessCheck")]];
+
+};  
+
+struct BACKUP_MASTERKEY {
+    u32 start = $;
+    u32 version[[name("Version")]];
+    char salt[16][[name("Salt")]];
+    u32 rounds [[name("PBKDF2IterationCount")]];
+    ALG_ID alghashid[[name("HMACAlgId")]];
+    ALG_ID algcryptid[[name("CryptAlgId")]];
+    u32 meta = $ - start;
+    char key[parent.backupkeylen - meta][[name("Key")]];
+};
+
+struct PASSWORD_MASTERKEY {
+    u32 start = $;
+    u32 version[[name("Version")]];
+    char salt[16][[name("Salt")]];
+    u32 rounds [[name("PBKDF2IterationCount")]];
+    ALG_ID alghashid[[name("HMACAlgId")]];
+    ALG_ID algcryptid[[name("CryptAlgId")]];
+    u32 meta = $ - start;
+    char key[parent.masterkeylen - meta][[name("Key")]];
+};
+
+struct DPAPIMasterKey {
+    u32 version[[name("Version")]];
+    u32 unk1[[name("Unknown1")]];
+    u32 unk2[[name("Unknown2")]];
+    char16 guid[0x24][[name("GUID"), comment("This GUID is the fileName itself")]];
+    u32 unk3[[name("Unknown3")]];
+    u32 unk4[[name("Unknown4")]];
+    u32 policy[[name("Policy")]];
+    u64 masterkeylen [[name("MasterKeyLen")]];
+    u64 backupkeylen [[name("BackupKeyLen")]];
+    u64 credhistlen [[name("CredHistoryLen")]];
+    u64 domainkeylen [[name("DomainKeyLen")]];
+    if (masterkeylen > 0){
+        PASSWORD_MASTERKEY  masterkey[[name("MasterKey")]];
+    }
+    if (backupkeylen > 0){
+        BACKUP_MASTERKEY    backupkey[[name("BackupKey")]];
+    }
+    if (credhistlen > 0){
+        CREDHIST_MASTERKEY  credhistkey[[name("CredHistoryKey")]];
+    }
+    if (domainkeylen > 0){
+        DOMAINKEY_MASTERKEY domainkey[[name("DomainKey")]];
+    }
+};
+
+DPAPIMasterKey masterkey  @0x00[[name("DPAPIMasterKey")]];