
Improve DPAPI plugin #711

Merged
merged 22 commits into from
Sep 6, 2024

Conversation

JSCU-CNI
Contributor

@JSCU-CNI JSCU-CNI commented May 21, 2024

This PR improves several DPAPI related features:

  • move LSA logic from DPAPI to separate plugin
  • move SAM and CREDHIST plugins to dissect.target.plugins.os.windows.credential
  • add Windows XP support to DPAPI plugin (RC4 and DES3)
  • fix bug in _SHA256 identifier (0x800C instead of 0x8004)
  • add providers for DPAPI masterkey passphrases

The latter "dpapi provider" feature is experimental and we are keen to discuss a better InternalNamespacePlugin implementation.
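An added illustration of the ALG_ID fix listed above (example code written for this page, not code from dissect.target): a stand-alone parser for the outer DPAPI blob layout as documented in public DPAPI research, with a table of CryptoAPI ALG_ID values in which 0x8004 is CALG_SHA1 and 0x800C is CALG_SHA_256. The field names, the declared-length cross-check and the constructed sample blob are assumptions of this example; nothing is decrypted and no key material is involved.

```python
import struct
import uuid

# CryptoAPI ALG_ID values (wincrypt.h) seen in DPAPI blob headers, with the
# key or digest length in bits a blob normally declares. CALG_SHA1 is 0x8004
# and CALG_SHA_256 is 0x800C; a table that put SHA-256 at 0x8004 would label
# every SHA-1 blob as SHA-256 and never match a real SHA-256 blob.
CALG = {
    0x6603: ("3DES", 192),
    0x6801: ("RC4", 128),
    0x6610: ("AES-256", 256),
    0x8004: ("SHA1", 160),
    0x800C: ("SHA-256", 256),
}

# Provider GUID that Windows writes into every DPAPI blob header.
DPAPI_PROVIDER_GUID = uuid.UUID("df9d8cd0-1501-11d1-8c7a-00c04fc297eb")


def describe_alg(alg_id, declared_bits):
    """Map an ALG_ID to its name and cross-check the declared bit length."""
    if alg_id not in CALG:
        raise ValueError(f"unknown ALG_ID 0x{alg_id:04X}")
    name, expected_bits = CALG[alg_id]
    if declared_bits != expected_bits:
        raise ValueError(f"{name} declared as {declared_bits} bits, expected {expected_bits}")
    return name


def _u32(buf, off):
    return struct.unpack_from("<I", buf, off)[0], off + 4


def _counted(buf, off):
    # DWORD length followed by that many bytes; refuse lengths past the end.
    n, off = _u32(buf, off)
    if off + n > len(buf):
        raise ValueError("length field runs past end of blob")
    return buf[off:off + n], off + n


def parse_dpapi_blob(buf):
    """Parse the outer DPAPI blob layout into a dict (no decryption)."""
    off = 0
    version, off = _u32(buf, off)
    provider = uuid.UUID(bytes_le=buf[off:off + 16])
    off += 16
    mk_version, off = _u32(buf, off)
    mk_guid = uuid.UUID(bytes_le=buf[off:off + 16])
    off += 16
    flags, off = _u32(buf, off)
    description, off = _counted(buf, off)
    alg_crypt, off = _u32(buf, off)
    alg_crypt_len, off = _u32(buf, off)
    salt, off = _counted(buf, off)
    hmac_key, off = _counted(buf, off)
    alg_hash, off = _u32(buf, off)
    alg_hash_len, off = _u32(buf, off)
    hmac2_key, off = _counted(buf, off)
    data, off = _counted(buf, off)
    sign, off = _counted(buf, off)
    if off != len(buf):
        raise ValueError(f"{len(buf) - off} trailing bytes after blob")
    if provider != DPAPI_PROVIDER_GUID:
        raise ValueError(f"unexpected provider GUID {provider}")
    return {
        "version": version,
        "master_key_guid": str(mk_guid),
        "description": description.decode("utf-16-le").rstrip("\x00"),
        "crypt_alg": describe_alg(alg_crypt, alg_crypt_len),
        "hash_alg": describe_alg(alg_hash, alg_hash_len),
        "salt": salt,
        "data": data,
        "sign": sign,
    }


def _counted_bytes(b):
    return struct.pack("<I", len(b)) + b


def build_dpapi_blob(hash_alg, crypt_alg=0x6610):
    """Construct a syntactically valid blob with placeholder, non-secret contents."""
    mk_guid = uuid.UUID("11111111-2222-3333-4444-555555555555")  # constructed value
    description = "example\x00".encode("utf-16-le")
    return b"".join([
        struct.pack("<I", 1),                              # dwVersion
        DPAPI_PROVIDER_GUID.bytes_le,                      # guidProvider
        struct.pack("<I", 1),                              # dwMasterKeyVersion
        mk_guid.bytes_le,                                  # guidMasterKey
        struct.pack("<I", 0),                              # dwFlags
        _counted_bytes(description),                       # szDescription
        struct.pack("<II", crypt_alg, CALG[crypt_alg][1]),  # algCrypt, dwAlgCryptLen
        _counted_bytes(b"\x00" * 32),                      # salt
        _counted_bytes(b""),                               # HMAC key, normally empty
        struct.pack("<II", hash_alg, CALG[hash_alg][1]),   # algHash, dwAlgHashLen
        _counted_bytes(b"\x00" * 32),                      # HMAC2 key
        _counted_bytes(b"\x00" * 16),                      # ciphertext placeholder
        _counted_bytes(b"\x00" * 32),                      # signature placeholder
    ])


if __name__ == "__main__":
    for alg in (0x8004, 0x800C):
        print(f"0x{alg:04X}:", parse_dpapi_blob(build_dpapi_blob(alg))["hash_alg"])
```

The declared-length check is what makes the identifier mistake visible in practice: a SHA-256 blob declares 256 bits, so a table that files 0x8004 under SHA-256 would reject every genuine SHA-1 blob (160 bits) and have no entry at all for 0x800C.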

Member

@Schamper Schamper left a comment


Some initial comments. I will need to take a deeper dive into the key provider thing at a later stage, as I do think that can be done nicer.

* separate LSA logic from DPAPI in separate plugin
* move SAM and CREDHIST plugins to plugins.os.windows.credential
* add Windows XP support to DPAPI plugin (RC4 and DES3)
* fix bug in _SHA256 identifier (0x800C instead of 0x8004)
* add providers for DPAPI masterkey passphrases
* Implement review feedback
* Improved test coverage for DPAPI (XP, Vista, 7, 10)
* Added several helper functions for DPAPI tests
* LSA plugin now returns records
* Fixed DES3 DPAPI for WinXP
* Small rewrite of DPAPIPlugin master key discovery logic
* Added DefaultPassword LSA secret as DPAPI keyprovider
@JSCU-CNI
Contributor Author

Thanks for the review @Schamper. We've implemented the review feedback in fde58ae. Test coverage should now be better. See the commit message for the other stuff we changed.

@JSCU-CNI JSCU-CNI requested a review from Schamper July 24, 2024 09:26
Member

@Schamper Schamper left a comment


Still need to have a think about the key provider plugins, but you can have some fun with these comments already 😉.

@JSCU-CNI JSCU-CNI requested a review from Schamper August 5, 2024 11:40
@EinatFox EinatFox linked an issue Aug 6, 2024 that may be closed by this pull request
@JSCU-CNI JSCU-CNI requested a review from Schamper August 6, 2024 16:55
@Schamper Schamper self-assigned this Aug 12, 2024
@JSCU-CNI
Contributor Author

Is this PR good to go? :)

@Schamper
Member

Schamper commented Aug 14, 2024

I'm still a little bit torn on the keyprovider thing. I don't think it's reasonable to implement a proper solution in this PR, so I'm willing to have a temporary one instead, but I'd at least want to make the InternalNamespacePlugin actually work, or if that's a bit difficult, at least have all the keyprovider plugins actually be internal only.

For reference, the idea I was leaning towards the most as a proper solution to this was nested namespaces, but that will take a smidge more work 😅. I'm a bit swamped the coming days, so if you're not willing to wait on my solution to the internal namespace stuff, feel free to have a go at it.

Another idea I had was a fancy "target keychain" that you can plug "password/key material providers" into. For example, also dump password databases into it. But I'm not sure if there's actually a real use case for that outside of this specific one. So I don't think that's a good way to go.

@Schamper
Member

I've made a few changes, let me know if those work for you @JSCU-CNI.

Unfortunately target-query -l is horribly broken with these changes, but that's because that code is littered with bugs and it's almost impossible to track down where and what exactly breaks. Probably most of that is already resolved with #763, and otherwise it will be picked up in that PR anyway. Sorry in the meantime @Zawadidone 😉.


codecov bot commented Aug 27, 2024

Codecov Report

Attention: Patch coverage is 86.19529% with 41 lines in your changes missing coverage. Please review.

Project coverage is 75.59%. Comparing base (ce1e994) to head (adfc834).
Report is 1 commit behind head on main.

| File with missing lines | Patch % | Lines missing |
|---|---|---|
| dissect/target/plugins/os/windows/dpapi/dpapi.py | 76.82% | 19 |
| ...issect/target/plugins/os/windows/credential/lsa.py | 90.19% | 10 |
| ...target/plugins/os/windows/dpapi/keyprovider/lsa.py | 80.95% | 4 |
| dissect/target/plugins/os/windows/dpapi/crypto.py | 91.89% | 3 |
| ...t/plugins/os/windows/dpapi/keyprovider/credhist.py | 85.71% | 2 |
| ...issect/target/plugins/os/windows/credential/sam.py | 66.66% | 1 |
| dissect/target/plugins/os/windows/dpapi/blob.py | 50.00% | 1 |
| ...sect/target/plugins/os/windows/dpapi/master_key.py | 50.00% | 1 |

Impacted files:
@@            Coverage Diff             @@
##             main     #711      +/-   ##
==========================================
+ Coverage   75.52%   75.59%   +0.06%     
==========================================
  Files         305      311       +6     
  Lines       26363    26540     +177     
==========================================
+ Hits        19911    20062     +151     
- Misses       6452     6478      +26     
| Flag | Coverage Δ |
|---|---|
| unittests | 75.59% <86.19%> (+0.06%) |

@JSCU-CNI
Contributor Author

JSCU-CNI commented Sep 4, 2024

> I've made a few changes, let me know if those work for you @JSCU-CNI.

That looks like a neat solution, thanks. I guess we can update the namespaces to dpapi.keyprovider.* once nested namespaces are fixed?

> Unfortunately target-query -l is horribly broken with these changes, but that's because that code is littered with bugs and it's almost impossible to track down where and what exactly breaks.

Is that blocking for now? I can see that get_all_records is listed, which looks like the only faulty behaviour to me.

@Schamper
Member

Schamper commented Sep 5, 2024

> That looks like a neat solution, thanks. I guess we can update the namespaces to dpapi.keyprovider.* once nested namespaces are fixed?

Yes.

> Is that blocking for now? I can see that get_all_records is listed, which looks like the only faulty behaviour to me.

No, not blocking. I'd prefer #763 instead of trying to fix this. There were some other things broken as well, but it doesn't really matter 😄.

Schamper previously approved these changes Sep 5, 2024
@JSCU-CNI
Contributor Author

JSCU-CNI commented Sep 5, 2024

That should fix the tests.

@Schamper Schamper merged commit df404d5 into fox-it:main Sep 6, 2024
18 checks passed
@JSCU-CNI JSCU-CNI deleted the dpapi-improvements branch September 9, 2024 07:54