fox-it / dissect.cobaltstrike

Python library for dissecting and parsing Cobalt Strike related data such as Beacon payloads and Malleable C2 Profiles
https://dissect-cobaltstrike.readthedocs.io
MIT License

Compatibility with dissect.struct 4.x #53

Open yunzheng opened 3 months ago

yunzheng commented 3 months ago

Some internals changed in dissect.cstruct>=4.0, breaking some things. Either fix the compatibility or pin to an older version of dissect.cstruct.

fabaff commented 1 week ago

Tests are failing as well.

============================= test session starts ==============================
platform linux -- Python 3.12.5, pytest-8.3.2, pluggy-1.5.0
rootdir: /build/source
configfile: pyproject.toml
plugins: pytest_httpserver-1.0.10, anyio-4.4.0
collected 54 items / 2 errors                                                  

==================================== ERRORS ====================================
______________________ ERROR collecting tests/test_c2.py _______________________
tests/test_c2.py:6: in <module>
    from dissect.cobaltstrike.c2 import (
dissect/cobaltstrike/c2.py:34: in <module>
    from dissect.cobaltstrike.c_c2 import (  # noqa: F401
dissect/cobaltstrike/c_c2.py:197: in <module>
    class BeaconMetadata(cstruct.Instance):
E   AttributeError: module 'dissect.cstruct' has no attribute 'Instance'
____________________ ERROR collecting tests/test_client.py _____________________
tests/test_client.py:12: in <module>
    from dissect.cobaltstrike.c2 import decrypt_metadata, encrypt_packet, parse_raw_http, decrypt_packet
dissect/cobaltstrike/c2.py:34: in <module>
    from dissect.cobaltstrike.c_c2 import (  # noqa: F401
dissect/cobaltstrike/c_c2.py:197: in <module>
    class BeaconMetadata(cstruct.Instance):
E   AttributeError: module 'dissect.cstruct' has no attribute 'Instance'
=============================== warnings summary ===============================

yunzheng commented 6 days ago

I published version 1.1.0 to PyPI, which pins dissect.cstruct to version 3 for now until we can get the compatibility fixed.

fabaff commented 6 days ago

Pinning doesn't really help with the distribution packages but fixes the issue for other installation methods. For now, I disabled dissect.cobaltstrike for Nixpkgs.

yunzheng commented 36 minutes ago

The above PR, which is in draft, fixes this issue; however, it currently waits for a new dissect.cstruct release so it contains the following fix(es):