dissect.cobaltstrike.artifact
=============================

.. py:module:: dissect.cobaltstrike.artifact

.. autoapi-nested-parse::

   This module is responsible for dumping payloads from `ArtifactKit`_-generated executables.

   .. _ArtifactKit: https://www.cobaltstrike.com/blog/what-is-a-stageless-payload-artifact/


Attributes
----------

.. autoapisummary::

   dissect.cobaltstrike.artifact.logger


Classes
-------

.. autoapisummary::

   dissect.cobaltstrike.artifact.ArtifactKitPayload


Functions
---------

.. autoapisummary::

   dissect.cobaltstrike.artifact.iter_artifactkit_payloads
   dissect.cobaltstrike.artifact.main


Module Contents
---------------

.. py:data:: logger

.. py:class:: ArtifactKitPayload

   Bases: :py:obj:`NamedTuple`

   Namedtuple containing the ArtifactKit metadata and the decoded payload.

   .. py:attribute:: offset
      :type: int

      Offset of the ArtifactKit metadata in the file.

   .. py:attribute:: size
      :type: int

      Size of the payload.

   .. py:attribute:: xorkey
      :type: bytes

      4-byte random XOR mask.

   .. py:attribute:: hints
      :type: bytes

      Loader hints (GetModuleHandleA, GetProcAddress).

   .. py:attribute:: payload
      :type: bytes

      Decoded ArtifactKit payload.

.. py:function:: iter_artifactkit_payloads(fobj: BinaryIO, start_offset: Optional[int] = 0, maxrange: Optional[int] = None) -> Iterator[ArtifactKitPayload]

   Iterate over the :class:`ArtifactKitPayload` instances found by scanning `fobj` for possible ArtifactKit payloads.

   Side effect: the file position of `fobj` changes because of seeking.

   .. note::

      No additional checks are done on the ArtifactKit payloads to ensure that what is found is actually correct.

   :param fobj: file-like object
   :param start_offset: starting offset to search for ArtifactKit payloads; if `None`, the search starts from the current file offset (default: 0)
   :param maxrange: maximum file offset to limit the search to; if `None`, the entire file is searched (default: `None`)

   :Yields: :class:`ArtifactKitPayload`

.. py:function:: main()

   Entrypoint for :doc:`/tools/beacon-artifact`
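The following is an added example, not code from dissect.cobaltstrike: it shows what the documented fields of :class:`ArtifactKitPayload` mean in practice (the repeating 4-byte XOR mask, the decoded payload) and the kind of sanity check the note on :func:`iter_artifactkit_payloads` says the module leaves to the caller. The ``ArtifactKitPayload`` class here is a stand-in mirroring the documented fields, the sample key, hints and payload are constructed, and the plausibility heuristic is an assumption of this example.

```python
from typing import NamedTuple


class ArtifactKitPayload(NamedTuple):
    """Stand-in mirroring the fields documented above (added example, not
    the dissect.cobaltstrike class itself)."""
    offset: int     # offset of the ArtifactKit metadata in the file
    size: int       # size of the payload
    xorkey: bytes   # 4-byte random XOR mask
    hints: bytes    # loader hints (GetModuleHandleA, GetProcAddress)
    payload: bytes  # decoded payload


def xor_mask(data: bytes, xorkey: bytes) -> bytes:
    """Apply the repeating 4-byte XOR mask; XOR is its own inverse, so the
    same call both masks and unmasks."""
    if len(xorkey) != 4:
        raise ValueError("ArtifactKit XOR key is 4 bytes")
    return bytes(b ^ xorkey[i % 4] for i, b in enumerate(data))


def decode_candidate(offset: int, size: int, xorkey: bytes, hints: bytes,
                     masked: bytes) -> ArtifactKitPayload:
    """Build the namedtuple from a candidate's metadata and its masked bytes."""
    return ArtifactKitPayload(offset, size, xorkey, hints,
                              xor_mask(masked[:size], xorkey))


def is_plausible_payload(payload: bytes) -> bool:
    """Sanity check the module itself does not perform (see the note on
    iter_artifactkit_payloads). Heuristic assumed for this example: a real
    decoded payload is neither tiny, nor all zeros, nor made of only a few
    distinct byte values. A zero region XORed with the key decodes to the
    key repeated four bytes at a time, which is the false positive this rejects."""
    if len(payload) < 64 or not any(payload):
        return False
    return len(set(payload)) >= 16


# Constructed sample: a fake 'MZ'-prefixed blob masked with a fixed key.
SAMPLE_KEY = b"\xde\xad\xbe\xef"
SAMPLE_HINTS = b"\x00" * 8  # placeholder hint bytes, not real loader offsets
SAMPLE_PAYLOAD = b"MZ" + bytes(range(0x40, 0x80))
SAMPLE_MASKED = xor_mask(SAMPLE_PAYLOAD, SAMPLE_KEY)

if __name__ == "__main__":
    hit = decode_candidate(0x1000, len(SAMPLE_PAYLOAD), SAMPLE_KEY, SAMPLE_HINTS, SAMPLE_MASKED)
    print(hit.payload[:2], is_plausible_payload(hit.payload))   # b'MZ' True
    print(is_plausible_payload(xor_mask(bytes(128), SAMPLE_KEY)))  # False
```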