`dissect.cobaltstrike.utils`

This module contains generic helper functions used by dissect.cobaltstrike.

Module Contents

Functions

`xor`(data: bytes, key: bytes) → bytes	XOR data with key
`catch_sigpipe`(func)	Catches KeyboardInterrupt and BrokenPipeError (OSError 22 on Windows).
`unpack`(data: bytes, size: int = None, byteorder='little') → int
`pack`(n: int, size: int = None, byteorder='little') → bytes
`iter_find_needle`(fp: BinaryIO, needle: bytes, start_offset: int = None, max_offset: int = 0) → Iterator[int]	Return an iterator yielding offset for found needle bytes in file fp.
`checksum8`(text: str) → int	Compute the checksum8 value of text
`is_stager_x86`(uri: str) → bool	Return `True` if URI is a x86 stager URI, otherwise `False`
`is_stager_x64`(uri: str) → bool	Return `True` if URI is a x64 stager URI, otherwise `False`
`random_stager_uri`(x64: bool = False, length: int = 4) → str	Generate a random (valid checksum8) stager URI. Defaults to x86 URIs unless x64 is `True`.

Attributes

`unpack_be`
`pack_be`
`u8`
`p8`
`u16`
`p16`
`u16be`
`p16be`
`u32`
`p32`
`u32be`
`p32be`
`u64`
`p64`
`u64be`
`p64be`

dissect.cobaltstrike.utils.xor(data: bytes, key: bytes) → bytes[source]: XOR data with key

dissect.cobaltstrike.utils.catch_sigpipe(func)[source]: Catches KeyboardInterrupt and BrokenPipeError (OSError 22 on Windows).

dissect.cobaltstrike.utils.unpack(data: bytes, size: int = None, byteorder='little') → int[source]

dissect.cobaltstrike.utils.pack(n: int, size: int = None, byteorder='little') → bytes[source]

dissect.cobaltstrike.utils.unpack_be[source]

dissect.cobaltstrike.utils.pack_be[source]

dissect.cobaltstrike.utils.u8[source]

dissect.cobaltstrike.utils.p8[source]

dissect.cobaltstrike.utils.u16[source]

dissect.cobaltstrike.utils.p16[source]

dissect.cobaltstrike.utils.u16be[source]

dissect.cobaltstrike.utils.p16be[source]

dissect.cobaltstrike.utils.u32[source]

dissect.cobaltstrike.utils.p32[source]

dissect.cobaltstrike.utils.u32be[source]

dissect.cobaltstrike.utils.p32be[source]

dissect.cobaltstrike.utils.u64[source]

dissect.cobaltstrike.utils.p64[source]

dissect.cobaltstrike.utils.u64be[source]

dissect.cobaltstrike.utils.p64be[source]

dissect.cobaltstrike.utils.iter_find_needle(fp: BinaryIO, needle: bytes, start_offset: int = None, max_offset: int = 0) → Iterator[int][source]

Return an iterator yielding offset for found needle bytes in file fp.

Side effects: file handle position due to seeking.

Parameters

fp – file like object
needle – needle to search for
start_offset – offset in file object to start searching from, if None it will search from current position
max_offset – how far we search for into the file, 0 for no limit

Yields

offset where needle was found in file fp

dissect.cobaltstrike.utils.checksum8(text: str) → int[source]: Compute the checksum8 value of text

dissect.cobaltstrike.utils.is_stager_x86(uri: str) → bool[source]: Return True if URI is a x86 stager URI, otherwise False

dissect.cobaltstrike.utils.is_stager_x64(uri: str) → bool[source]: Return True if URI is a x64 stager URI, otherwise False

dissect.cobaltstrike.utils.random_stager_uri(x64: bool = False, length: int = 4) → str[source]

Generate a random (valid checksum8) stager URI. Defaults to x86 URIs unless x64 is True.

Parameters

x64 – generate a x64 stager URI if True, False for a x86 stager URI. (default: False)
length – length of URI to generate, exluding the “/” prefix. (default: 4)

Returns

random stager URI

dissect.cobaltstrike.utils

Module Contents

Functions

Attributes

`dissect.cobaltstrike.utils`