Didier Stevens

Saturday 2 December 2023

Overview of Content Published in November

Filed under: Announcement — Didier Stevens @ 8:00

Here is an overview of content I published in November:

Blog posts:

SANS ISC Diary entries:

Saturday 25 November 2023

Update: 1768.py Version 0.0.20

Filed under: My Software,Update — Didier Stevens @ 10:09

This update to 1768.py, my Cobalt Strike beacon analysis tool, adds “runtime configuration” extraction.

Although 1768.py could already search for beacon configurations inside process memory dumps, the dump was just processed as a raw file.

With this update, 1768.py will also search for the runtime configuration inside a process memory dump. The runtime configuration is a C/C++ array of integers and pointers that the beacon’s C/C++ code creates on the heap from the obfuscated configuration (e.g., XOR 0x2E).

Because this requires pointer calculations for the heap, the Python module minidump is required. A warning is displayed if it is needed but not installed.

The hexadecimal dump screenshots in this blog post show a runtime configuration.

Example of 1768.py finding a runtime configuration:

This is a 32-bit runtime config.

Because the runtime config contains pointers, its structure differs between 32-bit and 64-bit beacons (the pointer size is different).

In this process memory dump, 1768.py only found the runtime config, not the embedded config.

Here is an example where both configs are found:
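As an added example (not code from 1768.py or from this post), the following shows how the embedded, obfuscated configuration that the post mentions is located and decoded: because field 1 of a beacon config is a 2-byte short, its 6-byte header becomes a fixed signature once XOR’ed with the key. The TLV layout (big-endian uint16 id, type, length, then the value) is Cobalt Strike’s publicly documented config format; the dump bytes and field values are constructed placeholders, and the key is a parameter so a different one can be tried. This covers only the embedded config, not the heap-based runtime config with its pointer resolution.

```python
import struct

XOR_KEY = 0x2E  # obfuscation key the post names (Cobalt Strike 3.x beacons)
TYPE_SHORT, TYPE_INT, TYPE_DATA = 1, 2, 3  # field types in the public config format
PACK = {TYPE_SHORT: ">H", TYPE_INT: ">I"}  # fixed-size field encodings

def xor_bytes(data, key):
    return bytes(b ^ key for b in data)

def build_config(fields):
    """Clear-text config: big-endian uint16 id, type, length, then the value; a zero id ends it."""
    out = bytearray()
    for fid, ftype, value in fields:
        raw = struct.pack(PACK[ftype], value) if ftype in PACK else value
        out += struct.pack(">HHH", fid, ftype, len(raw)) + raw
    return bytes(out) + b"\x00" * 6

def find_config(blob, key=XOR_KEY):
    """Field 1 is a short of length 2, so its header 00 01 00 01 00 02 is a fixed
    signature once XOR'ed with the key (2E 2F 2E 2F 2E 2C for key 0x2E)."""
    return blob.find(xor_bytes(b"\x00\x01\x00\x01\x00\x02", key))

def parse_config(blob, offset, key=XOR_KEY, max_fields=64):
    """Deobfuscate from offset and walk the TLV fields; stop at a zero id, an unknown
    type, a wrong length or a truncated value, since the dump is untrusted input."""
    fields, pos = {}, offset
    for _ in range(max_fields):
        if pos + 6 > len(blob):
            break
        fid, ftype, flen = struct.unpack(">HHH", xor_bytes(blob[pos:pos + 6], key))
        if fid == 0 or ftype not in (TYPE_SHORT, TYPE_INT, TYPE_DATA):
            break
        raw = xor_bytes(blob[pos + 6:pos + 6 + flen], key)
        if len(raw) != flen or (ftype in PACK and flen != struct.calcsize(PACK[ftype])):
            break
        fields[fid] = struct.unpack(PACK[ftype], raw)[0] if ftype in PACK else raw.rstrip(b"\x00")
        pos += 6 + flen
    return fields

# Constructed sample "memory dump": filler, an obfuscated config, more filler.
SAMPLE_CONFIG = build_config([
    (1, TYPE_SHORT, 0), (2, TYPE_SHORT, 80), (3, TYPE_INT, 60000),  # type, port, sleep (ms)
    (8, TYPE_DATA, b"example.invalid,/index.html".ljust(32, b"\x00")),  # placeholder server
])
SAMPLE_DUMP = b"\xCC" * 40 + xor_bytes(SAMPLE_CONFIG, XOR_KEY) + b"\x00" * 16

if __name__ == "__main__":
    off = find_config(SAMPLE_DUMP)
    print(f"config at offset {off}: {parse_config(SAMPLE_DUMP, off)}")
```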

1768_v0_0_20.zip (http)
MD5: EFEFF856FEAD08DE8F9F27056E729351
SHA256: 2F71EA23F64403C26B64CA32E8FA025CAB1F941790D746E8906AA87401900AAC

Friday 24 November 2023

Overview of Content Published in October

Filed under: Announcement — Didier Stevens @ 16:57

Here is an overview of content I published in October:

Blog posts:

SANS ISC Diary entries:

Saturday 7 October 2023

Update: format-bytes.py Version 0.0.15

Filed under: My Software,Update — Didier Stevens @ 9:05

This new version of format-bytes.py adds IPv6 representations:

Big-endian (b), little-endian (l) and 4 32-bit little-endian unsigned integers (l4).

And if you use a # to pass on literal data (here in hexadecimal: #h#), then the data is also printed.

format-bytes_V0_0_15.zip (http)
MD5: 42DBC44DA7F7ACB09AD353976CD7FA2F
SHA256: 2AF5BFB8A263BCA935CB3B73669B458D229B3E6FBCE3CA2F6E32CFDCE5B73723

Update: 1768.py Version 0.0.19

Filed under: My Software,Update — Didier Stevens @ 0:00

Some extra information is displayed when a signature is found.

1768_v0_0_19.zip (http)
MD5: FCF07B2AEDDBB4911520152531C5F107
SHA256: 5EE73B9311578D202246011FAF3216674387894833E759148F6C5356B646686F

Friday 6 October 2023

Update: simple_listener.py Version 0.1.4

Filed under: My Software,Update — Didier Stevens @ 0:00

This update adds ZIP support for binary files, and a --prompt option.

When this option is used, the user is prompted after each request, and processing of new requests is suspended until the user reacts to the prompt.

simple_listener_v0_1_4.zip (http)
MD5: 85A9E47B6243CD860D20E483F162DEA0
SHA256: 72FB2E7783315BFD21D74829BAECC1364A404A2B3853DBFD9B29DB2A9322F20B

Thursday 5 October 2023

Update: python-per-line.py Version 0.0.11

Filed under: My Software,Update — Didier Stevens @ 0:00

This update adds the option --group: with this option, all lines are stored as a list in the variable lines, and the Python expression is evaluated just once after each file is processed.

python-per-line_V0_0_11.zip (http)
MD5: B35187DFEA8970BFFFBA33E8DC36B31E
SHA256: 2EFC172F48BB9D5A7EFF87737D81F15F473EEFB4B9899A09571E7892FF15BAD1

Wednesday 4 October 2023

Update: myjson-filter.py Version 0.0.5

Filed under: My Software,Update — Didier Stevens @ 0:00

This new version adds YARA support.

myjson-filter_V0_0_5.zip (http)
MD5: CA8EAB44E283C2BFE0674CCDA1EE35EE
SHA256: A1E133E5BBB0F129156058E0E8DBD3834A23CEC6173BAFF0ADB79E46BDF48AAB

Tuesday 3 October 2023

Update: pecheck.py Version 0.7.16

Filed under: My Software,Update — Didier Stevens @ 0:00

This new version adds two new values for option -l.

One could already use option -l P to locate all PE files inside an arbitrary binary file.

Option -l PE also adds entries for the extra (E) data, e.g., the data in between found PE files.

Option -l PO is like PE, but adds some more information for the other (O) files: the magic header (hex & ASCII).

pecheck-v0_7_16.zip (http)
MD5: FBC115DDC2C0EDFBA9612B00DE6692DB
SHA256: CA9E6D06A7DA9E6CD6B585423F854030364F1936702B5A0A14B7F90722824A7C

Monday 2 October 2023

Update: xor-kpa.py Version 0.0.8

Filed under: My Software,Update — Didier Stevens @ 0:00

This is just a small update to my XOR known-plaintext attack tool, with some improvements on the algorithm.

xor-kpa_V0_0_8.zip (http)
MD5: EB6397FC81C920DF4E1753A4A31DA9B4
SHA256: 9706979A4B1FBC6E318F6015C69ED2759ADC871632FDB9034615A4488DAC32E0