`dissect.cobaltstrike.artifact`

This module is responsible for dumping payloads from ArtifactKit generated executables.

Module Contents

Classes

ArtifactKitPayload

Namedtuple containing the ArtifactKit metadata and decoded payload

Functions

`iter_artifactkit_payloads`(→ Iterator[ArtifactKitPayload])	Iterate over found `ArtifactKitPayload` by scanning fobj for possible ArtifactKit payloads.
`main`()	Entrypoint for beacon-artifact

Attributes

logger

dissect.cobaltstrike.artifact.logger[source]

class dissect.cobaltstrike.artifact.ArtifactKitPayload[source]

Bases: NamedTuple

Namedtuple containing the ArtifactKit metadata and decoded payload

offset :int[source]: Offset of the ArtifactKit metadata in the file

size :int[source]: Size of the payload

xorkey :bytes[source]: 4-byte random xor mask

hints :bytes[source]: Loader hints (GetModuleHandleA, GetProcAddress)

payload :bytes[source]: Decoded ArtifactKit payload

dissect.cobaltstrike.artifact.iter_artifactkit_payloads(fobj: BinaryIO, start_offset: Optional[int] = 0, maxrange: Optional[int] = None) → Iterator[ArtifactKitPayload][source]

Iterate over found ArtifactKitPayload by scanning fobj for possible ArtifactKit payloads.

Side effects: file position due to seeking

Note

No additional checks are done on the ArtifactKit payloads to ensure that what is found is actually correct.

Parameters

fobj – file-like object
start_offset – starting offset to search for ArtifactKit payloads, if None it will search from current offset. (default: 0)
maxrange – maximum file offset to limit search to, if None it will search the entire file (default: None)

Yields