dissect.cobaltstrike.c_c2
Structure definitions and classes for dealing with Cobalt Strike C2 packets.
Mainly used by dissect.cobaltstrike.c2.
Module Contents
Classes
BeaconCommand | Enum where members are also (and must be) ints
BeaconCallback | Enum where members are also (and must be) ints
BeaconMetadata | Holds parsed structure data.
CallbackPacket | Holds parsed structure data.
TaskPacket | Holds parsed structure data.
Functions
typedef_for_enum | Return C compatible typedef string for enum_class.
Attributes
C2_DEF
- class dissect.cobaltstrike.c_c2.BeaconCommand
  Bases: enum.IntEnum
  Enum where members are also (and must be) ints
- class dissect.cobaltstrike.c_c2.BeaconCallback
  Bases: enum.IntEnum
  Enum where members are also (and must be) ints
- dissect.cobaltstrike.c_c2.C2_DEF = Multiline-String

    // Callback data from: Beacon -> Team Server
    typedef struct CallbackPacket {
        uint32 counter;
        uint32 size;
        BeaconCallback callback;
        char data[size];
    };

    // Task from: Team Server -> Beacon
    typedef struct TaskPacket {
        uint32 epoch;
        uint32 total_size;
        BeaconCommand command;
        uint32 size;
        char data[size];
    };

    struct BeaconMetadata {
        uint32 magic;
        uint32 size;
        char aes_rand[16];
        uint16 ansi_cp;  // GetACP
        uint16 oem_cp;   // GetOEMCP
        uint32 bid;
        uint32 pid;
        uint16 port;
        uint8 flag;
        uint8 ver_major;
        uint8 ver_minor;
        uint16 ver_build;
        uint32 ptr_x64;  // for x64 addressing
        uint32 ptr_gmh;  // GetModuleHandle
        uint32 ptr_gpa;  // GetProcAddress
        uint32 ip;
        char info[size - 51];
    };

- dissect.cobaltstrike.c_c2.typedef_for_enum(enum_class: enum.IntEnum, int_type: str = 'uint32') -> str
  Return C compatible typedef string for enum_class.
- class dissect.cobaltstrike.c_c2.BeaconMetadata(*args, **kwargs)
  Bases: dissect.cstruct.Instance
  Holds parsed structure data.
- class dissect.cobaltstrike.c_c2.CallbackPacket(*args, **kwargs)
  Bases: dissect.cstruct.Instance
  Holds parsed structure data.
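
The BeaconMetadata layout in C2_DEF declares `char info[size - 51]`, so a parser that handles captured metadata has to validate `size` before using it. The following is an added example, not code from dissect.cobaltstrike: it uses only the standard `struct` module, assumes big-endian byte order (the page does not state one), and `parse_metadata`, `build_sample` and all sample values are constructed for illustration.

```python
import struct

# Layout taken from the BeaconMetadata struct in C2_DEF above.
# Assumption: fields are big-endian (">"); the page does not state byte order.
HEADER = struct.Struct(">II")                # magic, size
FIXED = struct.Struct(">16sHHIIHBBBHIIII")   # aes_rand .. ip
FIELDS = ("aes_rand", "ansi_cp", "oem_cp", "bid", "pid", "port", "flag",
          "ver_major", "ver_minor", "ver_build", "ptr_x64", "ptr_gmh",
          "ptr_gpa", "ip")
# The fixed fields add up to the 51 in `char info[size - 51]`.
assert FIXED.size == 51


def parse_metadata(buf: bytes) -> dict:
    """Parse one BeaconMetadata record, rejecting inconsistent lengths."""
    if len(buf) < HEADER.size:
        raise ValueError("truncated header")
    magic, size = HEADER.unpack_from(buf, 0)
    # size < 51 would give info[] a negative length; size larger than the
    # remaining bytes would read past the end of the record.
    if size < FIXED.size:
        raise ValueError(f"size {size} is smaller than the fixed fields")
    if size > len(buf) - HEADER.size:
        raise ValueError(f"size {size} exceeds the {len(buf)} byte buffer")
    record = {"magic": magic, "size": size}
    record.update(zip(FIELDS, FIXED.unpack_from(buf, HEADER.size)))
    record["info"] = buf[HEADER.size + FIXED.size:HEADER.size + size]
    return record


def build_sample(info: bytes = b"constructed-info") -> bytes:
    """Build a constructed record; the field values are sample data only."""
    fixed = FIXED.pack(bytes(range(16)), 1252, 437, 0x1234, 4321, 0, 4,
                       10, 0, 19045, 0, 0, 0, 0x0A000005)
    return HEADER.pack(0xBEEF, len(fixed) + len(info)) + fixed + info


if __name__ == "__main__":
    for name, value in parse_metadata(build_sample()).items():
        print(f"{name:10} {value!r}")
```
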