Apr4h / CobaltStrikeScan

Scan files or process memory for CobaltStrike beacons and parse their configuration
MIT License

Release Issue - CobaltStrikeScan v1.1.1 Needs Libyara Installed #10

Closed theonlykernel closed 3 years ago

theonlykernel commented 3 years ago

The current release does not work as a standalone product and only works when libyara is installed on the machine. Please recompile a working release.

Thank you!

Apr4h commented 3 years ago

Thanks for letting me know - I've updated the current release to include a re-compiled executable. Sorry for the delay in updating.

theonlykernel commented 3 years ago

Ok will this be added to the "releases" section?

Thanks!

Apr4h commented 3 years ago

It's already been added. I just updated the current release so you shouldn't actually see any changes. Re-downloading the current release should now work without having libyara installed on the machine.

Xzeoss commented 3 years ago

Hi,

I just tried using the 1.1.1.0 release and it is still throwing errors saying libyara couldn't be loaded. Any chance you could confirm libyara is not required for this release?

Thanks!

Apr4h commented 3 years ago

Thanks for updating me. My apologies - I thought that a previous build had fixed the issue. I've restructured the entire CobaltStrikeScan solution here 2ea8e20db4adfc51fe1a4588a6dbade5effa46d8 to make embedding dependency assemblies more straightforward. I've also re-uploaded the executable for the current release and this time I believe the issue should be resolved.

FabFaeb commented 3 years ago

Hi! Unfortunately I still have some problems with libyara in the current release. When I run CobaltStrikeScan.exe -p, everything seems to work fine. However, when I run CobaltStrikeScan.exe -f /path/to/memdump, I get a System.IO.FileNotFoundException: Could not load file or assembly libyara.NET...

Does the filescan option work differently than the "regular" process scan?

Apr4h commented 3 years ago

Hi @FabFaeb, sorry to hear that but I haven't been able to recreate your issue using the latest build. I've tried across multiple Win10 versions that didn't have libyara.net installed and in all cases I was able to detect Cobalt Strike beacons in files on disk.

Because of the way Costura.Fody packages libyara.net.dll into the assembly, it will be dropped into %Temp%\Costura when CobaltStrikeScan.exe is executed. Are you seeing the DLL being dropped when you execute the file?

Could you try downloading the latest release and having another go? If you're still having issues, I'd appreciate if you could provide all of the details listed in the bug report template so that I can help to triage the problem :)

FabFaeb commented 3 years ago

Hey @Apr4h, I appreciate the feedback - the updated release v.1.1.2 works like a charm for me! Thanks a lot.