Parser for Cobalt Strike's Malleable C2 config item
#!/usr/bin/env python3 | |
# Cobalt Strike Malleable C2 instruction parser | |
import struct | |
import sys | |
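def read_int(f):
    """Read one big-endian unsigned 32-bit word from a binary stream.

    Args:
        f: A binary file-like object positioned at the next 4-byte word.

    Returns:
        The decoded integer, or ``None`` at end of stream *or* when fewer
        than 4 bytes remain. A truncated trailing word is treated as end of
        data instead of letting ``struct.unpack`` raise ``struct.error`` on
        a malformed (untrusted) item.
    """
    data = f.read(4)
    # Short read: either clean EOF or a truncated item; both end parsing.
    if len(data) < 4:
        return None
    return struct.unpack(">I", data)[0]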
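def parse(ins_item):
    """Print a human-readable listing of a Malleable C2 transform program.

    The item is a sequence of big-endian uint32 opcodes; opcodes 1 and 2
    carry one uint32 operand (a byte count). A zero opcode or end of file
    terminates the program. The data comes from an extracted sample and is
    treated as untrusted: a truncated operand ends the listing instead of
    raising.

    Args:
        ins_item: Path to the file holding the raw instruction bytes.
    """
    # Opcodes that take no operand, mapped to the text printed for them.
    simple_ops = {
        3: "Base64 decode",
        8: "NetBIOS Encode 'a'",
        11: "NetBIOS Encode 'A'",
        13: "Base64 URL-safe decode",
        15: "XOR mask w/ random key",
    }
    # Opcodes 1 and 2 are followed by a length operand.
    length_ops = {
        1: "Remove %d chars at the end",
        2: "Remove %d chars from the beginning",
    }
    # Context manager guarantees the handle is closed on every exit path.
    with open(ins_item, "rb") as f:
        while True:
            op = read_int(f)
            # Opcode 0 (or EOF / truncated word) terminates the program.
            if not op:
                break
            if op in length_ops:
                length = read_int(f)
                if length is None:
                    # Operand missing: the item is truncated, stop cleanly.
                    break
                print(length_ops[op] % length)
            elif op in simple_ops:
                # Note: opcode 8 is checked here by exact value; the old
                # `op <= 8` range test shadowed it and never printed it.
                print(simple_ops[op])
            # Any other opcode (e.g. 4-7) is intentionally not listed.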
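# Entry point: guard so the parser can be imported without side effects,
# and fail with a usage line instead of an IndexError when no path is given.
if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: %s <instruction_item_file>" % sys.argv[0])
    parse(sys.argv[1])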