The first thing noticed when opening any project from SpecterOps is that the code structure always looks like this.

Another reason why I wanted to do source code analysis for Rubeus and Certify is that I had just started exploring AD CS, coupled with the Certified Pre-Owned white paper by SpecterOps.

https://github.com/gentilkiwi/mimikatz/wiki/module-~-dpapi


```text
C:.
└───SharpDPAPI-master
    ├───SharpChrome
    │   ├───bin
    │   │   └───Debug
    │   ├───Commands
    │   ├───Domain
    │   ├───lib
    │   ├───obj
    │   │   └───Debug
    │   │       └───TempPE
    │   ├───Properties
    │   └───SQLite
    │       └───csharp-sqlite-src
    └───SharpDPAPI
        ├───bin
        │   └───Debug
        ├───Commands
        ├───Domain
        ├───lib
        ├───obj
        │   └───Debug
        │       └───TempPE
        └───Properties

# Ex for SharpDPAPI
```
```text
C:.
└───Rubeus
    ├───Asn1
    ├───Commands
    ├───Domain
    ├───lib
    │   ├───crypto
    │   │   └───dh
    │   ├───Interop
    │   ├───krb_structures
    │   │   └───pac
    │   │       └───Ndr
    │   ├───math
    │   └───ndr
    │       ├───Ndr
    │       │   └───Marshal
    │       ├───Utilities
    │       │   ├───Memory
    │       │   └───Text
    │       └───Win32
    │           └───Rpc
    └───Properties

# Ex for Rubeus
```

SharpDPAPI

Main.cs

This is the entry point for the whole program. We noticed that two different methods are used, FileExecute and MainExecute. This is done to redirect the output either to a file or to a stream, which is useful if the user wants to save the results to a file. Also we noticed that inside of M

Retrieving Domain BackupKey

  1. Get the LSA Policy handle by converting the strings to UNICODE strings and calling the LsaOpenPolicy API

https://docs.microsoft.com/en-us/windows/win32/secmgmt/policy-object

  2. Retrieve the GUID, to be used later to retrieve the BACKUPKEY

Converting the IntPtr buffer to a UNICODE STRING and appending it after G$BACKUPKEY_
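The structure handling behind the steps above, as an added Python example that is not SharpDPAPI's own code: it builds the LSA_UNICODE_STRING header that the LsaOpenPolicy / LsaRetrievePrivateData calls take, reads one back from a constructed (simulated) buffer the way PtrToStructure plus a copy of Length bytes would, and appends the GUID after G$BACKUPKEY_. The 64-bit field layout, the fake address, and the brace-less GUID text (what .NET's Guid.ToString() produces) are assumptions.

```python
import struct
import uuid

# LSA_UNICODE_STRING on x64: USHORT Length, USHORT MaximumLength, 4 bytes of
# padding, PWSTR Buffer. Length and MaximumLength count bytes, not characters.
LSA_UNICODE_STRING_FMT = "<HH4xQ"


def build_lsa_unicode_string(text: str, buffer_address: int) -> tuple:
    """Return (header, utf16_payload) for an LSA_UNICODE_STRING naming `text`.
    buffer_address is where the payload would live; a constructed value here."""
    payload = text.encode("utf-16-le")
    length = len(payload)
    header = struct.pack(LSA_UNICODE_STRING_FMT, length, length + 2, buffer_address)
    return header, payload


def read_lsa_unicode_string(header: bytes, memory: dict) -> bytes:
    """Resolve Buffer through a simulated address space and return exactly
    Length bytes, mirroring Marshal.PtrToStructure followed by Marshal.Copy."""
    length, maximum, address = struct.unpack(LSA_UNICODE_STRING_FMT, header)
    if length > maximum:
        raise ValueError("malformed LSA_UNICODE_STRING: Length > MaximumLength")
    data = memory[address]
    if len(data) < length:
        raise ValueError("buffer shorter than Length")
    return data[:length]


def backupkey_name_from_private_data(header: bytes, memory: dict) -> str:
    """The private data behind G$BACKUPKEY_PREFERRED is a 16-byte GUID in
    Windows (mixed-endian) byte order; format it and append after G$BACKUPKEY_."""
    raw = read_lsa_unicode_string(header, memory)
    if len(raw) != 16:
        raise ValueError(f"expected a 16-byte GUID, got {len(raw)} bytes")
    return "G$BACKUPKEY_" + str(uuid.UUID(bytes_le=raw))


# Constructed sample: a made-up GUID at a made-up address, wrapped in the
# LSA_UNICODE_STRING that LsaRetrievePrivateData would hand back via an IntPtr.
SAMPLE_GUID = uuid.UUID("7d0a3b6c-1a2b-4c3d-9e8f-0011223344aa")
SAMPLE_ADDRESS = 0x7FF600001000
SAMPLE_MEMORY = {SAMPLE_ADDRESS: SAMPLE_GUID.bytes_le}
SAMPLE_HEADER = struct.pack(LSA_UNICODE_STRING_FMT, 16, 16, SAMPLE_ADDRESS)

if __name__ == "__main__":
    hdr, payload = build_lsa_unicode_string("G$BACKUPKEY_PREFERRED", SAMPLE_ADDRESS)
    print(struct.unpack(LSA_UNICODE_STRING_FMT, hdr)[:2], payload[:8])
    print(backupkey_name_from_private_data(SAMPLE_HEADER, SAMPLE_MEMORY))
```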