dissect.cobaltstrike.utils

This module contains generic helper functions used by dissect.cobaltstrike.

Module Contents

Classes

LRUDict

Limit size, evicting the least recently looked-up key when full

Functions

xor(→ bytes)

XOR data with key (simd version)

netbios_encode(→ bytes)

Encode data using NetBIOS encoding and return the encoded bytes.

netbios_decode(→ bytes)

Decode the netbios encoded data and return the decoded bytes.

retain_file_offset(fobj[, offset, whence])

Return a context manager that changes the position of the file-like object fobj to the given byte offset.

catch_sigpipe(func)

Decorator for catching KeyboardInterrupt and BrokenPipeError (OSError 22 on Windows).

unpack(→ int)

pack(→ bytes)

iter_find_needle(→ Iterator[int])

Return an iterator yielding the offsets at which the needle bytes are found in file fp.

checksum8(→ int)

Compute the checksum8 value of text

is_stager_x86(→ bool)

Return True if URI is an x86 stager URI, otherwise False.

is_stager_x64(→ bool)

Return True if URI is an x64 stager URI, otherwise False.

random_stager_uri(→ str)

Generate a random (valid checksum8) stager URI. Defaults to x86 URIs unless x64 is True.

namedtuple_reprlib_repr(→ str)

Return a reprlib version of __repr__ for namedtuple nt

enable_reprlib_cstruct()

Enable reprlib style __repr__ for dissect.cstruct instances.

enable_reprlib_flow_record()

Enable reprlib style __repr__ for flow.record instances.

Attributes

unpack_be

pack_be

u8

p8

u16

p16

u16be

p16be

u32

p32

u32be

p32be

u64

p64

u64be

p64be

dissect.cobaltstrike.utils.xor(data: bytes, key: bytes) → bytes

XOR data with key (simd version)

dissect.cobaltstrike.utils.netbios_encode(data: bytes, offset: int = 65) → bytes

Encode data using NetBIOS encoding and return the encoded bytes.

Parameters:
  • data – bytes to be NetBIOS encoded

  • offset – offset used for encoding, defaults to char A (0x41)

Returns:

NetBIOS encoded bytes

dissect.cobaltstrike.utils.netbios_decode(data: bytes, offset: int = 65) → bytes

Decode the NetBIOS encoded data and return the decoded bytes.

Parameters:
  • data – bytes to be NetBIOS decoded

  • offset – offset used for decoding, defaults to char A (0x41)

Returns:

NetBIOS decoded bytes
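The following is an added example, not the library's own implementation, of the nibble-based NetBIOS encoding these two functions describe: each byte becomes two output bytes, offset + high nibble followed by offset + low nibble, so the default offset 0x41 ('A') yields the alphabet 'A'..'P'. The decoder rejects odd lengths and out-of-alphabet bytes, and the `looks_netbios_encoded` heuristic is an added helper for spotting such data in captured traffic.

```python
def netbios_encode(data: bytes, offset: int = 0x41) -> bytes:
    """Split every byte into two nibbles and emit offset + nibble for each.

    With the default offset 0x41 ('A') the alphabet is 'A'..'P'; an offset of
    0x61 ('a') gives the lowercase alphabet 'a'..'p'.
    """
    out = bytearray()
    for b in data:
        out.append(offset + (b >> 4))      # high nibble first
        out.append(offset + (b & 0x0F))    # then the low nibble
    return bytes(out)


def netbios_decode(data: bytes, offset: int = 0x41) -> bytes:
    """Inverse of netbios_encode; rejects odd lengths and bytes outside the alphabet."""
    if len(data) % 2:
        raise ValueError("NetBIOS-encoded data must have an even length")
    out = bytearray()
    for i in range(0, len(data), 2):
        hi, lo = data[i] - offset, data[i + 1] - offset
        if not (0 <= hi <= 0x0F and 0 <= lo <= 0x0F):
            raise ValueError(f"byte pair at offset {i} is outside the encoding alphabet")
        out.append((hi << 4) | lo)
    return bytes(out)


def looks_netbios_encoded(data: bytes) -> bool:
    """Heuristic (added helper): even length and every byte in 'A'..'P' or every byte in 'a'..'p'."""
    if not data or len(data) % 2:
        return False
    upper = all(0x41 <= b <= 0x50 for b in data)
    lower = all(0x61 <= b <= 0x70 for b in data)
    return upper or lower
```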

dissect.cobaltstrike.utils.retain_file_offset(fobj, offset=None, whence=io.SEEK_SET)

Return a context manager that changes the position of the file-like object fobj to the given byte offset. After completion of the block it restores the original position of the file.

Parameters:
  • fobj – file-like object

  • offset – offset to seek to, relative to the position indicated by whence. If None, no seek is done.

  • whence – reference point for offset; the default is SEEK_SET. Accepted values are:

    • SEEK_SET or 0 – start of the stream (the default); offset should be zero or positive

    • SEEK_CUR or 1 – current stream position; offset may be negative

    • SEEK_END or 2 – end of the stream; offset is usually negative

Returns:

context manager

dissect.cobaltstrike.utils.catch_sigpipe(func)

Decorator for catching KeyboardInterrupt and BrokenPipeError (OSError 22 on Windows).

dissect.cobaltstrike.utils.unpack(data: bytes, size: int = None, byteorder='little', signed=False) → int

dissect.cobaltstrike.utils.pack(n: int, size: int = None, byteorder='little', signed=False) → bytes

dissect.cobaltstrike.utils.unpack_be
dissect.cobaltstrike.utils.pack_be
dissect.cobaltstrike.utils.u8
dissect.cobaltstrike.utils.p8
dissect.cobaltstrike.utils.u16
dissect.cobaltstrike.utils.p16
dissect.cobaltstrike.utils.u16be
dissect.cobaltstrike.utils.p16be
dissect.cobaltstrike.utils.u32
dissect.cobaltstrike.utils.p32
dissect.cobaltstrike.utils.u32be
dissect.cobaltstrike.utils.p32be
dissect.cobaltstrike.utils.u64
dissect.cobaltstrike.utils.p64
dissect.cobaltstrike.utils.u64be
dissect.cobaltstrike.utils.p64be

dissect.cobaltstrike.utils.iter_find_needle(fp: BinaryIO, needle: bytes, start_offset: int = None, max_offset: int = 0) → Iterator[int]

Return an iterator yielding the offsets at which the needle bytes are found in file fp.

Side effect: the position of the file handle changes because of seeking.

Parameters:
  • fp – file like object

  • needle – needle to search for

  • start_offset – offset in the file object to start searching from; if None, search from the current position

  • max_offset – how far into the file to search; 0 for no limit

Yields:

offset where needle was found in file fp
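An added example, not the library's own code, that shows how retain_file_offset and iter_find_needle fit together: the context manager saves and restores the position, while the needle search reads in chunks with a len(needle) - 1 byte carry-over so a needle straddling a chunk boundary is still found. The chunk_size parameter, the interpretation of max_offset as "stop at hits at or past this offset", and the find_all/peek helpers are assumptions made for this example.

```python
import io
from contextlib import contextmanager
from typing import BinaryIO, Iterator, Optional


@contextmanager
def retain_file_offset(fobj: BinaryIO, offset: Optional[int] = None, whence: int = io.SEEK_SET):
    """Seek to offset (relative to whence) inside the block, then restore the old position."""
    saved = fobj.tell()
    try:
        if offset is not None:          # offset=None means: do not seek at all
            fobj.seek(offset, whence)
        yield fobj
    finally:
        fobj.seek(saved)

def iter_find_needle(fp: BinaryIO, needle: bytes, start_offset: Optional[int] = None,
                     max_offset: int = 0, chunk_size: int = 4096) -> Iterator[int]:
    """Yield absolute offsets of every (possibly overlapping) needle occurrence in fp.
    Chunks are read with a len(needle) - 1 byte carry-over so boundary-straddling hits are
    found; the file position moves as a side effect. Assumption: stop at hits >= max_offset."""
    if not needle:
        raise ValueError("needle must not be empty")
    if start_offset is not None:
        fp.seek(start_offset)
    pos, buf = fp.tell(), b""           # pos is the absolute file offset of buf[0]
    while chunk := fp.read(chunk_size):
        buf += chunk
        i = buf.find(needle)
        while i != -1:
            if max_offset and pos + i >= max_offset:
                return
            yield pos + i
            i = buf.find(needle, i + 1)  # i + 1, so overlapping hits are reported too
        drop = max(len(buf) - (len(needle) - 1), 0)
        pos, buf = pos + drop, buf[drop:]

def find_all(data: bytes, needle: bytes, **kwargs) -> list:
    """Run iter_find_needle over an in-memory buffer (constructed input)."""
    return list(iter_find_needle(io.BytesIO(data), needle, **kwargs))

def peek(data: bytes, current: int, offset: int) -> tuple:
    """Position at current, read one byte at offset under retain_file_offset, report final position."""
    fobj = io.BytesIO(data)
    fobj.seek(current)
    with retain_file_offset(fobj, offset):
        b = fobj.read(1)
    return b, fobj.tell()
```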

dissect.cobaltstrike.utils.checksum8(text: str) → int

Compute the checksum8 value of text.

dissect.cobaltstrike.utils.is_stager_x86(uri: str) → bool

Return True if URI is an x86 stager URI, otherwise False.

dissect.cobaltstrike.utils.is_stager_x64(uri: str) → bool

Return True if URI is an x64 stager URI, otherwise False.

dissect.cobaltstrike.utils.random_stager_uri(*, x64: bool = False, length: int = 4) → str

Generate a random (valid checksum8) stager URI. Defaults to x86 URIs unless x64 is True.

Parameters:
  • x64 – generate an x64 stager URI if True, an x86 stager URI if False. (default: False)

  • length – length of URI to generate, excluding the “/” prefix. (default: 4)

Returns:

random stager URI
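A defender-side example added here (not the library's code) of how checksum8 and the two stager predicates can triage request paths from web-server logs: a path whose characters sum to the x86 or x64 checksum8 value is flagged with its architecture. The constants 92 and 93 are the Metasploit-derived convention and an assumption about the library's internals (the library may add further constraints, such as a fixed length, that this omits); the log lines are constructed.

```python
import re
from typing import Iterator, Optional, Tuple

# Assumption: the Metasploit-derived checksum8 values for x86 and x64 stager URIs.
CHECKSUM8_X86 = 92
CHECKSUM8_X64 = 93


def checksum8(text: str) -> int:
    """Sum of the character ordinals modulo 256 (0 for empty text)."""
    return sum(map(ord, text)) % 0x100


def is_stager_x86(uri: str) -> bool:
    return checksum8(uri.lstrip("/")) == CHECKSUM8_X86


def is_stager_x64(uri: str) -> bool:
    return checksum8(uri.lstrip("/")) == CHECKSUM8_X64


def classify_uri(uri: str) -> Optional[str]:
    """Return 'x86' or 'x64' when the path part of uri carries a stager checksum, else None."""
    path = uri.split("?", 1)[0]          # the checksum covers the path, not the query string
    if is_stager_x86(path):
        return "x86"
    if is_stager_x64(path):
        return "x64"
    return None


# Constructed Common Log Format lines: the hosts, paths and timestamps are made up.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /kP3n HTTP/1.1" 200 202112
10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET /index.html HTTP/1.1" 200 512
10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET /kP3o?x=1 HTTP/1.1" 200 248832
10.0.0.9 - - [01/Jan/2024:10:00:04 +0000] "POST /submit.php HTTP/1.1" 200 12
"""
_REQUEST_RE = re.compile(r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/')


def find_stager_requests(log: str) -> Iterator[Tuple[str, str, str]]:
    """Yield (client_ip, path, arch) for each GET whose path has a stager checksum."""
    for line in log.splitlines():
        m = _REQUEST_RE.match(line)
        if not m or m.group("method") != "GET":
            continue
        arch = classify_uri(m.group("target"))
        if arch:
            yield m.group("ip"), m.group("target").split("?", 1)[0], arch
```

Because a random path matches either checksum about one time in 256, hits on long or otherwise ordinary-looking paths deserve a second look at response size and client before being escalated.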

dissect.cobaltstrike.utils.namedtuple_reprlib_repr(nt: NamedTuple) → str

Return a reprlib version of __repr__ for namedtuple nt.

dissect.cobaltstrike.utils.enable_reprlib_cstruct()

Enable reprlib style __repr__ for dissect.cstruct instances.

dissect.cobaltstrike.utils.enable_reprlib_flow_record()

Enable reprlib style __repr__ for flow.record instances.

class dissect.cobaltstrike.utils.LRUDict(maxsize=128, *args, **kwds)

Bases: collections.OrderedDict

Limit size, evicting the least recently looked-up key when full.

__getitem__(key)

x.__getitem__(y) <==> x[y]

__setitem__(key, value)

Set self[key] to value.