Didier Stevens

Sunday 14 April 2024

Overview of Content Published in March

Filed under: Announcement — Didier Stevens @ 10:38
Here is an overview of content I published in March:

Blog posts: SANS ISC Diary entries:

Sunday 24 March 2024

Update: metatool.py Version 0.0.4

Filed under: My Software,Update — Didier Stevens @ 11:46

metatool.py is a tool to help with the analysis of Metasploit or Cobalt Strike URLs.

I added option -a to provide URLs via the command line.

metatool_V0_0_4.zip (http)
MD5: 374B30DD3D92557A7F8DAA97B81CEE0E
SHA256: D627AF2462610AE0B8CC5AB2BA0A4325D1386BB06F96DC2827DDD22430499192

Thursday 7 March 2024

Overview of Content Published in February

Filed under: Announcement — Didier Stevens @ 0:00
Here is an overview of content I published in February:

SANS ISC Diary entries:

Saturday 2 December 2023

Overview of Content Published in November

Filed under: Announcement — Didier Stevens @ 8:00
Here is an overview of content I published in November:

Blog posts: SANS ISC Diary entries:

Saturday 25 November 2023

Update: 1768.py Version 0.0.20

Filed under: My Software,Update — Didier Stevens @ 10:09

This update to 1768.py, my Cobalt Strike beacon analysis tool, adds “runtime configuration” extraction.

Although 1768.py could already search for beacon configurations inside process memory dumps, the dump was just processed as a raw file.

With this update, 1768.py will also search for the runtime configuration inside a process memory dump. The runtime configuration is a C/C++ array of integers and pointers that the beacon’s C/C++ code creates on the heap from the obfuscated configuration (e.g., XOR 0x2E).
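As an added example (not 1768.py’s own code), the following Python snippet shows the first half of what is described above: locating an XOR 0x2E obfuscated embedded beacon configuration inside a blob of bytes and decoding its records. The record layout (big-endian uint16 index, type and length, terminated by a record with index 0) is the publicly documented embedded-config format and is an assumption of this example, not something spelled out on this page; the sample config is constructed, with a placeholder host name.

```python
import struct

XOR_KEY = 0x2E  # single-byte XOR key mentioned on the page; other keys exist (e.g. 0x69)

# Setting types in embedded config records (assumption: publicly documented layout)
TYPE_SHORT, TYPE_INT, TYPE_DATA = 1, 2, 3

# A decoded config starts with setting 1, type short, length 2
CONFIG_HEADER = bytes([0x00, 0x01, 0x00, 0x01, 0x00, 0x02])


def find_obfuscated_config(blob: bytes, key: int = XOR_KEY) -> int:
    """Return the offset of the XOR-obfuscated config header in blob, or -1.
    Searching for the XOR-ed header avoids decoding the whole dump first."""
    needle = bytes(b ^ key for b in CONFIG_HEADER)
    return blob.find(needle)


def parse_config(blob: bytes, offset: int, key: int = XOR_KEY) -> dict:
    """Decode records (index, type, length: big-endian uint16) until index 0."""
    data = bytes(b ^ key for b in blob[offset:])
    settings = {}
    pos = 0
    while pos + 6 <= len(data):
        index, kind, length = struct.unpack_from(">HHH", data, pos)
        pos += 6
        if index == 0:          # terminator record
            break
        if pos + length > len(data):
            raise ValueError("truncated record at offset %d" % pos)
        raw = data[pos:pos + length]
        pos += length
        if kind in (TYPE_SHORT, TYPE_INT):
            settings[index] = int.from_bytes(raw, "big")
        else:                   # TYPE_DATA: NUL-padded string or binary blob
            settings[index] = raw.rstrip(b"\x00")
    return settings


def build_sample_config(key: int = XOR_KEY) -> bytes:
    """Constructed sample (not a real beacon): three settings plus terminator, wrapped in junk."""
    records = struct.pack(">HHHH", 1, TYPE_SHORT, 2, 0)      # setting 1: BeaconType
    records += struct.pack(">HHHI", 2, TYPE_INT, 4, 8080)    # setting 2: Port
    records += struct.pack(">HHH", 8, TYPE_DATA, 16)         # setting 8: C2 host (placeholder)
    records += b"c2.example.test".ljust(16, b"\x00")
    records += b"\x00" * 6                                   # terminator (index 0)
    obfuscated = bytes(b ^ key for b in records)
    return b"JUNK" * 3 + obfuscated + b"\x90" * 8
```

Running `parse_config` on the sample yields BeaconType 0, port 8080 and the placeholder host; on a real dump the same scan locates the XOR-ed header, which is exactly why a raw-file search works for the embedded config but not for the pointer-based runtime config.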

Because this requires pointer calculations against the heap, the Python module minidump is required. A warning is displayed if it is needed but not installed.

The hexadecimal dump screenshots in this blog post show a runtime configuration.

Example of 1768.py finding a runtime configuration:

This is a 32-bit runtime config.

As the runtime config contains pointers, its structure differs between 32-bit and 64-bit beacons (the pointer size is different).

In this process memory dump, 1768.py only found the runtime config, not the embedded config.

Here is an example where both configs are found:

1768_v0_0_20.zip (http)
MD5: EFEFF856FEAD08DE8F9F27056E729351
SHA256: 2F71EA23F64403C26B64CA32E8FA025CAB1F941790D746E8906AA87401900AAC

Friday 24 November 2023

Overview of Content Published in October

Filed under: Announcement — Didier Stevens @ 16:57
Here is an overview of content I published in October:

Blog posts: SANS ISC Diary entries:

Saturday 7 October 2023

Update: format-bytes.py Version 0.0.15

Filed under: My Software,Update — Didier Stevens @ 9:05

This new version of format-bytes.py adds IPv6 representations:

Big-endian (b), little-endian (l) and 4 32-bit little-endian unsigned integers (l4).

And if you use a # to pass on literal data (here in hexadecimal: #h#), then the data is also printed.

format-bytes_V0_0_15.zip (http)
MD5: 42DBC44DA7F7ACB09AD353976CD7FA2F
SHA256: 2AF5BFB8A263BCA935CB3B73669B458D229B3E6FBCE3CA2F6E32CFDCE5B73723

Update: 1768.py Version 0.0.19

Filed under: My Software,Update — Didier Stevens @ 0:00

This update shows some extra information when a signature is found.

1768_v0_0_19.zip (http)
MD5: FCF07B2AEDDBB4911520152531C5F107
SHA256: 5EE73B9311578D202246011FAF3216674387894833E759148F6C5356B646686F

Friday 6 October 2023

Update: simple_listener.py Version 0.1.4

Filed under: My Software,Update — Didier Stevens @ 0:00

This update adds ZIP support for binary files, and a --prompt option.

When this option is used, the user is prompted after each request, and processing of new requests is suspended until the user reacts to the prompt.

simple_listener_v0_1_4.zip (http)
MD5: 85A9E47B6243CD860D20E483F162DEA0
SHA256: 72FB2E7783315BFD21D74829BAECC1364A404A2B3853DBFD9B29DB2A9322F20B

Thursday 5 October 2023

Update: python-per-line.py Version 0.0.11

Filed under: My Software,Update — Didier Stevens @ 0:00

This update adds option --group: with this option, all lines are stored as a list in the variable lines, and the Python expression is evaluated just once after each file is processed.

python-per-line_V0_0_11.zip (http)
MD5: B35187DFEA8970BFFFBA33E8DC36B31E
SHA256: 2EFC172F48BB9D5A7EFF87737D81F15F473EEFB4B9899A09571E7892FF15BAD1
