From c370161764c1c7c23c73b45e066205cd64a228e5 Mon Sep 17 00:00:00 2001
From: Yun Zheng Hu
Date: Mon, 14 Oct 2024 09:49:00 +0200
Subject: [PATCH] Fix BeaconSetting names with unknown values (#64)

Ensure that unknown BeaconSetting names are the same as before, namely: `BeaconSetting_` and not: `BeaconSetting.`
---
 dissect/cobaltstrike/beacon.py | 2 +-
 tests/test_beacon.py | 16 ++++++++--------
 2 files changed, 9 insertions(+), 9 deletions(-)

diff --git a/dissect/cobaltstrike/beacon.py b/dissect/cobaltstrike/beacon.py
index 35f75f4..5618c1b 100644
--- a/dissect/cobaltstrike/beacon.py
+++ b/dissect/cobaltstrike/beacon.py
@@ -794,7 +794,7 @@ def settings_map(self, index_type="enum", pretty=False, parse=True) -> MappingPr
 for setting in self.settings_tuple:
 val = setting.value
 if index_type == "name":
- key = setting.index.name or str(setting.index)
+ key = setting.index.name or str(setting.index).replace(".", "_")
 elif index_type == "const":
 key = setting.index.value
 else:
diff --git a/tests/test_beacon.py b/tests/test_beacon.py
index 4f0e7b0..60d4002 100644
--- a/tests/test_beacon.py
+++ b/tests/test_beacon.py
@@ -314,12 +314,12 @@ def test_beacon_domains_punycode(punycode_beacon_file):


 def test_beacon_setting_unknown_enum():
- setting = (
- beacon.cs_struct.uint16(6969).dumps(),
- beacon.SettingsType.TYPE_PTR.dumps(),
- beacon.cs_struct.uint16(3).dumps(),
- b"foo",
- )
- config = beacon.BeaconConfig(b"".join(setting))
+ data = beacon.Setting(
+ index=beacon.BeaconSetting(6969),
+ type=beacon.SettingsType.TYPE_PTR,
+ length=3,
+ value=b"foo",
+ ).dumps()
+ config = beacon.BeaconConfig(data)
 assert None not in config.settings
- assert dict(config.settings) == {"BeaconSetting.6969": b"foo"}
+ assert dict(config.settings) == {"BeaconSetting_6969": b"foo"}
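Review bot: The fallback key in the `index_type == "name"` branch is still derived from `str(setting.index)` and then patched with `.replace(".", "_")`, so the name reported for an unknown setting keeps depending on how the enum type renders itself, which is presumably what shifted and caused this regression. Unknown indexes come straight from the parsed beacon, and these keys are what downstream config extractors and detection rules match on, so building the key from the numeric value would pin the format: `key = setting.index.name or f"BeaconSetting_{setting.index.value}"`. `settings_map` starts before and continues past this hunk, so how the other branches treat unknown indexes is not visible here.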
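Review bot: `test_beacon_setting_unknown_enum` relies on index 6969 having no named member, but nothing in the test checks that premise. If a later release assigns a name to that value, the final assertion would fail with a confusing key mismatch instead of pointing at the premise. A guard such as `assert not beacon.BeaconSetting(6969).name` before building `data` makes the precondition explicit. A one-line docstring, `"""Unknown setting indexes keep the legacy BeaconSetting_<n> key."""`, would also record that the key format is a compatibility contract for consumers.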