dissect.cobaltstrike.utils
==========================

.. py:module:: dissect.cobaltstrike.utils

.. autoapi-nested-parse::

   This module contains generic helper functions used by ``dissect.cobaltstrike``.


Attributes
----------

.. autoapisummary::

   dissect.cobaltstrike.utils.unpack_be
   dissect.cobaltstrike.utils.pack_be
   dissect.cobaltstrike.utils.u8
   dissect.cobaltstrike.utils.p8
   dissect.cobaltstrike.utils.u16
   dissect.cobaltstrike.utils.p16
   dissect.cobaltstrike.utils.u16be
   dissect.cobaltstrike.utils.p16be
   dissect.cobaltstrike.utils.u32
   dissect.cobaltstrike.utils.p32
   dissect.cobaltstrike.utils.u32be
   dissect.cobaltstrike.utils.p32be
   dissect.cobaltstrike.utils.u64
   dissect.cobaltstrike.utils.p64
   dissect.cobaltstrike.utils.u64be
   dissect.cobaltstrike.utils.p64be


Classes
-------

.. autoapisummary::

   dissect.cobaltstrike.utils.LRUDict


Functions
---------

.. autoapisummary::

   dissect.cobaltstrike.utils.xor
   dissect.cobaltstrike.utils.netbios_encode
   dissect.cobaltstrike.utils.netbios_decode
   dissect.cobaltstrike.utils.retain_file_offset
   dissect.cobaltstrike.utils.catch_sigpipe
   dissect.cobaltstrike.utils.unpack
   dissect.cobaltstrike.utils.pack
   dissect.cobaltstrike.utils.iter_find_needle
   dissect.cobaltstrike.utils.checksum8
   dissect.cobaltstrike.utils.is_stager_x86
   dissect.cobaltstrike.utils.is_stager_x64
   dissect.cobaltstrike.utils.random_stager_uri
   dissect.cobaltstrike.utils.namedtuple_reprlib_repr
   dissect.cobaltstrike.utils.enable_reprlib_cstruct
   dissect.cobaltstrike.utils.enable_reprlib_flow_record
   dissect.cobaltstrike.utils.grouper


Module Contents
---------------

.. py:function:: xor(data: bytes, key: bytes) -> bytes

   XOR `data` with `key` (SIMD version).


.. py:function:: netbios_encode(data: bytes, offset: int = 65) -> bytes

   Encode `data` using NetBIOS encoding and return the encoded bytes.

   :param data: bytes to be NetBIOS encoded
   :param offset: offset used for encoding, defaults to char ``A`` (``0x41``)
   :returns: NetBIOS encoded bytes


.. py:function:: netbios_decode(data: bytes, offset: int = 65) -> bytes

   Decode the NetBIOS encoded `data` and return the decoded bytes.

   :param data: bytes to be NetBIOS decoded
   :param offset: offset used for decoding, defaults to char ``A`` (``0x41``)
   :returns: NetBIOS decoded bytes


.. py:function:: retain_file_offset(fobj, offset=None, whence=io.SEEK_SET)

   Return a context manager that changes the position of the file-like object `fobj` to the given byte `offset`.
   After completion of the block it restores the original position of the file.

   :param fobj: file-like object
   :param offset: offset to seek to, relative to the position indicated by `whence`. If ``None``, no seek is done.
   :param whence: default is ``SEEK_SET``; valid values for `whence` are:

      - ``SEEK_SET`` or ``0`` – start of the stream (the default); offset should be zero or positive
      - ``SEEK_CUR`` or ``1`` – current stream position; offset may be negative
      - ``SEEK_END`` or ``2`` – end of the stream; offset is usually negative

   :returns: context manager


.. py:function:: catch_sigpipe(func)

   Decorator for catching ``KeyboardInterrupt`` and ``BrokenPipeError`` (``OSError`` 22 on Windows).


.. py:function:: unpack(data: bytes, size: int = None, byteorder='little', signed=False) -> int


.. py:function:: pack(n: int, size: int = None, byteorder='little', signed=False) -> bytes


.. py:data:: unpack_be

.. py:data:: pack_be

.. py:data:: u8

.. py:data:: p8

.. py:data:: u16

.. py:data:: p16

.. py:data:: u16be

.. py:data:: p16be

.. py:data:: u32

.. py:data:: p32

.. py:data:: u32be

.. py:data:: p32be

.. py:data:: u64

.. py:data:: p64

.. py:data:: u64be

.. py:data:: p64be


.. py:function:: iter_find_needle(fp: BinaryIO, needle: bytes, start_offset: int = None, max_offset: int = 0) -> Iterator[int]

   Return an iterator yielding the `offset` of each occurrence of `needle` in the file `fp`.

   Side effect: the position of `fp` is moved by seeking.

   :param fp: file-like object
   :param needle: needle to search for
   :param start_offset: offset in the file object to start searching from; if ``None`` the search starts from the current position
   :param max_offset: how far into the file to search; ``0`` for no limit
   :Yields: offset where `needle` was found in file `fp`


.. py:function:: checksum8(text: str) -> int

   Compute the *checksum8* value of `text`.


.. py:function:: is_stager_x86(uri: str) -> bool

   Return ``True`` if `uri` is an x86 stager URI, otherwise ``False``.


.. py:function:: is_stager_x64(uri: str) -> bool

   Return ``True`` if `uri` is an x64 stager URI, otherwise ``False``.


.. py:function:: random_stager_uri(*, x64: bool = False, length: int = 4) -> str

   Generate a random (valid *checksum8*) stager URI. Defaults to x86 URIs unless `x64` is ``True``.

   :param x64: generate an x64 stager URI if ``True``, ``False`` for an x86 stager URI (default: ``False``)
   :param length: length of the URI to generate, excluding the ``"/"`` prefix (default: ``4``)
   :returns: random stager URI


.. py:function:: namedtuple_reprlib_repr(nt: NamedTuple) -> str

   Return a `reprlib` version of ``__repr__`` for namedtuple `nt`.


.. py:function:: enable_reprlib_cstruct()

   Enable `reprlib` style ``__repr__`` for `dissect.cstruct` instances.


.. py:function:: enable_reprlib_flow_record()

   Enable `reprlib` style ``__repr__`` for `flow.record` instances.


.. py:class:: LRUDict(maxsize=128, *args, **kwds)

   Bases: :py:obj:`collections.OrderedDict`

   Limit size, evicting the least recently looked-up key when full.

   .. py:attribute:: maxsize
      :value: 128

   .. py:method:: __getitem__(key)

      x.__getitem__(y) <==> x[y]

   .. py:method:: __setitem__(key, value)

      Set self[key] to value.


.. py:function:: grouper(iterable, n, fillvalue=None)

   Collect data into fixed-length chunks or blocks.
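The NetBIOS encoding behind ``netbios_encode`` / ``netbios_decode``, as an added stand-alone example (not the dissect.cobaltstrike implementation): each byte is split into its high and low nibble and each nibble is added to `offset`, so with the default ``A`` the alphabet is ``A``..``P``. The decoder rejects odd lengths and characters outside that alphabet; ``looks_netbios_encoded`` is an assumed triage helper that is not on this page.

```python
def netbios_encode(data: bytes, offset: int = 65) -> bytes:
    """Encode each byte of `data` as two nibble characters starting at `offset`."""
    out = bytearray()
    for b in data:
        out.append((b >> 4) + offset)    # high nibble -> first character
        out.append((b & 0x0F) + offset)  # low nibble  -> second character
    return bytes(out)


def netbios_decode(data: bytes, offset: int = 65) -> bytes:
    """Reverse netbios_encode; rejects odd lengths and characters outside the alphabet."""
    if len(data) % 2:
        raise ValueError("NetBIOS encoded data must have an even length")
    out = bytearray()
    for hi, lo in zip(data[0::2], data[1::2]):  # iterating bytes yields ints
        hi, lo = hi - offset, lo - offset
        if not (0 <= hi <= 0x0F and 0 <= lo <= 0x0F):
            raise ValueError("character outside the NetBIOS encoding alphabet")
        out.append((hi << 4) | lo)
    return bytes(out)


def looks_netbios_encoded(data: bytes, offset: int = 65) -> bool:
    """Assumed triage helper: even length and every byte within offset..offset+15."""
    return len(data) % 2 == 0 and all(offset <= b <= offset + 15 for b in data)


if __name__ == "__main__":
    encoded = netbios_encode(b"Hi")          # constructed input
    print(encoded, netbios_decode(encoded))  # b'EIGJ' b'Hi'
```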
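``checksum8`` and the ``is_stager_x86`` / ``is_stager_x64`` predicates applied to web-server log lines, as an added example rather than the project's code. It assumes *checksum8* is the sum of the URI's byte values modulo 256 with the leading ``/`` not counted, and the well-known stager values 92 (x86) and 93 (x64); ``find_stager_requests``, the regex and the sample log are constructed for this example.

```python
import re
from typing import Iterator, Tuple

STAGER_X86 = 92  # checksum8 of an x86 stager URI
STAGER_X64 = 93  # checksum8 of an x64 stager URI

# Constructed access-log lines (not real traffic): "aaa9" sums to 348 -> 92, "aab9" to 349 -> 93.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /index.html HTTP/1.1" 200 512
10.0.0.7 - - [01/Jan/2024:10:00:01 +0000] "GET /aaa9 HTTP/1.1" 200 2048
10.0.0.7 - - [01/Jan/2024:10:00:02 +0000] "GET /aab9 HTTP/1.1" 200 2048
10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET /favicon.ico HTTP/1.1" 404 0
"""

_REQUEST = re.compile(r'"(?:GET|POST) (?P<uri>\S+) HTTP/')


def checksum8(text: str) -> int:
    """Sum of the byte values of `text` modulo 256; the leading "/" is not counted."""
    return sum(text.lstrip("/").encode()) % 0x100


def is_stager_x86(uri: str) -> bool:
    return checksum8(uri) == STAGER_X86


def is_stager_x64(uri: str) -> bool:
    return checksum8(uri) == STAGER_X64


def find_stager_requests(log: str) -> Iterator[Tuple[str, str, str]]:
    """Yield (client_ip, path, arch) for each request whose path has a stager checksum."""
    for line in log.splitlines():
        m = _REQUEST.search(line)
        if not m:
            continue
        path = m.group("uri").split("?", 1)[0]  # this example checksums the path only
        client_ip = line.split(" ", 1)[0]
        if is_stager_x86(path):
            yield client_ip, path, "x86"
        elif is_stager_x64(path):
            yield client_ip, path, "x64"


if __name__ == "__main__":
    for ip, path, arch in find_stager_requests(SAMPLE_LOG):
        print(f"{ip} requested {path}: checksum8 matches the {arch} stager value")
```

Any random path matches one of the two values with probability 2/256, so a hit is a triage signal to correlate with response size and client behaviour, not a verdict on its own.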
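``iter_find_needle`` together with ``retain_file_offset``, as an added re-implementation (not the project's code) of the two details the docstrings only state in passing: the search moves the file position, which the context manager undoes, and a needle can straddle a read boundary, which the carried-over tail handles. ``chunk_size`` and ``search_bytes`` are this example's additions, and reading `max_offset` as "only matches starting below this absolute offset are reported" is an assumption.

```python
import io
from contextlib import contextmanager
from typing import BinaryIO, Iterator, Optional

@contextmanager
def retain_file_offset(fobj: BinaryIO, offset: Optional[int] = None, whence: int = io.SEEK_SET):
    """Seek to `offset` for the block's duration, then restore the old position."""
    saved = fobj.tell()
    try:
        if offset is not None:
            fobj.seek(offset, whence)
        yield fobj
    finally:
        fobj.seek(saved)

def iter_find_needle(fp: BinaryIO, needle: bytes, start_offset: Optional[int] = None,
                     max_offset: int = 0, chunk_size: int = 4096) -> Iterator[int]:
    """Yield absolute offsets of `needle` in `fp`, reading `chunk_size` bytes at a time.
    Starts at the current position if `start_offset` is None; `max_offset` 0 means no
    limit (assumed: only matches starting below it are reported). A tail of
    len(needle) - 1 bytes is carried between reads so a straddling needle is found."""
    if start_offset is not None:
        fp.seek(start_offset)
    base = fp.tell()  # absolute file offset of buf[0]; moving fp is the side effect
    buf = b""
    while True:
        chunk = fp.read(chunk_size)
        if not chunk:
            return
        buf += chunk
        idx = buf.find(needle)
        while idx != -1:
            hit = base + idx
            if max_offset and hit >= max_offset:
                return
            yield hit
            idx = buf.find(needle, idx + 1)  # overlapping matches are reported too
        keep = min(len(buf), len(needle) - 1)  # bytes that may begin a needle
        base += len(buf) - keep
        buf = buf[len(buf) - keep:]
        if max_offset and base >= max_offset:
            return

def search_bytes(data: bytes, needle: bytes, **kw) -> tuple:
    """Search an in-memory buffer; returns (hits, file position after the search)."""
    fp = io.BytesIO(data)
    with retain_file_offset(fp):
        hits = list(iter_find_needle(fp, needle, **kw))
    return hits, fp.tell()
```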