dissect.cobaltstrike.utils

This module contains generic helper functions used by dissect.cobaltstrike.

Classes

- Limit size, evicting the least recently looked-up key when full

Functions

- xor: XOR data with key (simd version)
- netbios_encode: Encode data using NetBIOS encoding and return the encoded bytes.
- netbios_decode: Decode the NetBIOS encoded data and return the decoded bytes.
- retain_file_offset: Return a context manager that changes the position of the file-like object fobj to the given byte offset.
- catch_sigpipe: Decorator for catching KeyboardInterrupt and BrokenPipeError (OSError 22 on Windows).
- unpack
- pack
- iter_find_needle: Return an iterator yielding the offsets at which the needle bytes are found in file fp.
- checksum8: Compute the checksum8 value of text
- is_stager_x86: Return True if URI is an x86 stager URI, otherwise False
- is_stager_x64: Return True if URI is an x64 stager URI, otherwise False
- random_stager_uri: Generate a random (valid checksum8) stager URI. Defaults to x86 URIs unless x64 is True.
- namedtuple_reprlib_repr: Return a reprlib version of __repr__ for namedtuple nt
- enable_reprlib_cstruct: Enable reprlib style __repr__ for dissect.cstruct instances.
- enable_reprlib_flow_record: Enable reprlib style __repr__ for flow.record instances.
Module Contents
- dissect.cobaltstrike.utils.xor(data: bytes, key: bytes) -> bytes
  XOR data with key (simd version)
- dissect.cobaltstrike.utils.netbios_encode(data: bytes, offset: int = 65) -> bytes
  Encode data using NetBIOS encoding and return the encoded bytes.
  - Parameters:
    data – bytes to be NetBIOS encoded
    offset – offset used for encoding, defaults to char A (0x41)
  - Returns:
    NetBIOS encoded bytes
- dissect.cobaltstrike.utils.netbios_decode(data: bytes, offset: int = 65) -> bytes
  Decode the NetBIOS encoded data and return the decoded bytes.
  - Parameters:
    data – bytes to be NetBIOS decoded
    offset – offset used for decoding, defaults to char A (0x41)
  - Returns:
    NetBIOS decoded bytes
- dissect.cobaltstrike.utils.retain_file_offset(fobj, offset=None, whence=io.SEEK_SET)
  Return a context manager that changes the position of the file-like object fobj to the given byte offset. After completion of the block it restores the original position of the file.
  - Parameters:
    fobj – file-like object
    offset – offset to seek to, relative to the position indicated by whence. If None, no seek will be done.
    whence – default is SEEK_SET; valid values for whence are:
      SEEK_SET or 0 – start of the stream (the default); offset should be zero or positive
      SEEK_CUR or 1 – current stream position; offset may be negative
      SEEK_END or 2 – end of the stream; offset is usually negative
  - Returns:
    context manager
- dissect.cobaltstrike.utils.catch_sigpipe(func)
  Decorator for catching KeyboardInterrupt and BrokenPipeError (OSError 22 on Windows).
- dissect.cobaltstrike.utils.unpack(data: bytes, size: int = None, byteorder='little', signed=False) -> int
- dissect.cobaltstrike.utils.pack(n: int, size: int = None, byteorder='little', signed=False) -> bytes
- dissect.cobaltstrike.utils.iter_find_needle(fp: BinaryIO, needle: bytes, start_offset: int = None, max_offset: int = 0) -> Iterator[int]
  Return an iterator yielding the offsets at which the needle bytes are found in file fp.
  Side effects: the file handle position changes due to seeking.
  - Parameters:
    fp – file-like object
    needle – needle to search for
    start_offset – offset in the file object to start searching from; if None it will search from the current position
    max_offset – how far into the file to search, 0 for no limit
  - Yields:
    offset where needle was found in file fp
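To show how retain_file_offset() and iter_find_needle() fit together, including the seek side effect noted above and a match that straddles a read boundary, here is an added example written for this page; it is not dissect.cobaltstrike's own implementation. It assumes chunked reading with a chunk_size parameter and a find_all_retaining_position() helper, both introduced here, and that max_offset suppresses matches at or beyond that offset.

```python
import io
from contextlib import contextmanager
from typing import BinaryIO, Iterator, List, Optional

# Constructed sample data: three occurrences of the needle at offsets 2, 10 and 17.
SAMPLE = b"--NEEDLE--NEEDLE-NEEDLE"


@contextmanager
def retain_file_offset(fobj: BinaryIO, offset: Optional[int] = None, whence: int = io.SEEK_SET):
    """Seek `fobj` to `offset` (skipped when None), run the block, and restore
    the original position afterwards, also when the block raises."""
    original = fobj.tell()
    try:
        if offset is not None:
            fobj.seek(offset, whence)
        yield fobj
    finally:
        fobj.seek(original)


def iter_find_needle(
    fp: BinaryIO,
    needle: bytes,
    start_offset: Optional[int] = None,
    max_offset: int = 0,
    chunk_size: int = 64 * 1024,
) -> Iterator[int]:
    """Yield every absolute offset at which `needle` occurs in `fp`.

    The stream is read in chunks of `chunk_size` (a parameter added for this
    example); the last len(needle)-1 bytes of each chunk are carried over so a
    match that straddles a chunk boundary is still found. max_offset of 0
    means no limit; otherwise offsets at or beyond it are not reported.
    Side effect: the file position moves, as the documentation notes.
    """
    if not needle:
        raise ValueError("needle must not be empty")
    if start_offset is not None:
        fp.seek(start_offset)
    overlap = len(needle) - 1
    buf = b""
    buf_start = fp.tell()  # absolute offset of buf[0]
    while True:
        chunk = fp.read(chunk_size)
        if not chunk:
            return
        buf += chunk
        idx = buf.find(needle)
        while idx != -1:
            found = buf_start + idx
            if max_offset and found >= max_offset:
                return
            yield found
            idx = buf.find(needle, idx + 1)  # overlapping matches count too
        # Keep only the tail that could still be the start of a match; a
        # full match never fits in it, so nothing is reported twice.
        if len(buf) > overlap:
            buf_start += len(buf) - overlap
            buf = buf[len(buf) - overlap:]


def find_all_retaining_position(fp: BinaryIO, needle: bytes, **kwargs) -> List[int]:
    """Scan the whole stream from the start but leave fp where the caller
    had it, by combining the two helpers."""
    with retain_file_offset(fp, 0):
        return list(iter_find_needle(fp, needle, **kwargs))


if __name__ == "__main__":
    fp = io.BytesIO(SAMPLE)
    fp.seek(7)
    # A tiny chunk_size forces the needle across read boundaries.
    print(find_all_retaining_position(fp, b"NEEDLE", chunk_size=5), fp.tell())
```

Calling iter_find_needle() directly leaves the position wherever the last read ended, which is the side effect the documentation warns about; wrapping the scan in retain_file_offset() is the way to make it transparent to callers that are in the middle of parsing the same file.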
- dissect.cobaltstrike.utils.is_stager_x86(uri: str) -> bool
  Return True if URI is an x86 stager URI, otherwise False
- dissect.cobaltstrike.utils.is_stager_x64(uri: str) -> bool
  Return True if URI is an x64 stager URI, otherwise False
- dissect.cobaltstrike.utils.random_stager_uri(*, x64: bool = False, length: int = 4) -> str
  Generate a random (valid checksum8) stager URI. Defaults to x86 URIs unless x64 is True.
  - Parameters:
    x64 – generate an x64 stager URI if True, False for an x86 stager URI. (default: False)
    length – length of URI to generate, excluding the "/" prefix. (default: 4)
  - Returns:
    random stager URI
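The three stager-URI helpers above all rest on the checksum8 value of the URI. As an added example written for this page (not the library's code), here is a re-implementation used from the detection side: classifying request paths in constructed web-server log lines. It assumes the well-known convention that an x86 stager URI has checksum8 92 and an x64 one 93, computed over the path with the leading "/" removed (consistent with random_stager_uri() excluding that prefix from the length). The query-string stripping and the four-character path filter in stager_arch() are heuristics of this example, not behaviour the page attributes to is_stager_x86() or is_stager_x64().

```python
import re
from typing import Iterable, List, Optional, Tuple

# Well-known checksum8 values for stager URIs (assumption stated in the lead-in).
CHECKSUM8_X86 = 92
CHECKSUM8_X64 = 93

# Constructed sample lines in NCSA common log format; not real traffic.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /kB7x HTTP/1.1" 200 210944',
    '10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /kB8x HTTP/1.1" 200 262144',
    '10.0.0.7 - - [01/Jan/2024:10:00:02 +0000] "GET /index.html HTTP/1.1" 200 1234',
    '10.0.0.7 - - [01/Jan/2024:10:00:03 +0000] "GET /ab?cd=1 HTTP/1.1" 404 0',
    '10.0.0.9 - - [01/Jan/2024:10:00:04 +0000] "POST /submit.php?id=7 HTTP/1.1" 200 56',
]

_REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/')


def checksum8(text: str) -> int:
    """Sum of the character values modulo 256; 0 for empty text."""
    return sum(ord(c) for c in text) % 256


def is_stager_x86(uri: str) -> bool:
    return checksum8(uri.lstrip("/")) == CHECKSUM8_X86


def is_stager_x64(uri: str) -> bool:
    return checksum8(uri.lstrip("/")) == CHECKSUM8_X64


def stager_arch(path: str, max_len: int = 4) -> Optional[str]:
    """Return "x86", "x64" or None for a request path.

    The query string is dropped and, as a false-positive control chosen for
    this example, only paths of at most `max_len` characters after the "/"
    are considered: an arbitrary path lands on any given residue with
    probability 1/256, so long paths would otherwise trip the check at random.
    """
    uri = path.split("?", 1)[0]
    if len(uri.lstrip("/")) > max_len:
        return None
    if is_stager_x86(uri):
        return "x86"
    if is_stager_x64(uri):
        return "x64"
    return None


def find_stager_requests(lines: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (path, arch) for every log line whose request path has a
    stager checksum8 value."""
    hits = []
    for line in lines:
        m = _REQUEST_RE.search(line)
        if not m:
            continue
        arch = stager_arch(m.group(1))
        if arch:
            hits.append((m.group(1), arch))
    return hits


if __name__ == "__main__":
    for path, arch in find_stager_requests(SAMPLE_LOG):
        print(f"{path}: possible {arch} stager request")
```

A checksum8 hit on its own is weak evidence, since one in 256 random short paths matches; in practice it is corroborated with the response size (a stager response carries a sizeable binary payload) and with what the same client does next.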
- dissect.cobaltstrike.utils.namedtuple_reprlib_repr(nt: NamedTuple) -> str
  Return a reprlib version of __repr__ for namedtuple nt
- dissect.cobaltstrike.utils.enable_reprlib_cstruct()
  Enable reprlib style __repr__ for dissect.cstruct instances.