brett-fitz/pyMalleableProfileParser
GitHub: brett-fitz/pyMalleableProfileParser
Parses Cobalt Strike Malleable C2 profiles into structured Python objects, with version validation and convenient attribute access.
Stars: 61 | Forks: 6
# pyMalleableProfileParser
Parse Cobalt Strike Malleable C2 profiles.
[PyPI](https://pypi.org/project/pyMalleableProfileParser/)
[License](https://github.com/brett-fitz/pyMalleableProfileParser/blob/main/LICENSE)
[Issues](https://github.com/brett-fitz/pyMalleableProfileParser/issues)

## Installation :gear:
```
pip3 install pyMalleableProfileParser
```
### Upgrade to the latest version
```
pip3 install --upgrade pyMalleableProfileParser
```
## Usage
### MalleableProfile class
```
from mpp import MalleableProfile
mp = MalleableProfile(profile='/path/to/profile')
mp.profile
```
### Easy attribute access
### Options
Here is an example that fetches the global option `jitter`:
```
>> mp.jitter
Option(option="jitter", value="0")
>> mp.jitter.option
'jitter'
>> mp.jitter.value
'0'
```
You can also access options inside any block:
```
>> mp.http_get.uri
Option(option="uri", value="/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books")
```
### Statements
You can fetch statements from any block or sub-block:
```
>> mp.http_get.client.Host
Statement(statement=header, key="Host", value="www.amazon.com")
```
```
>> mp = MalleableProfile('bing_maps.profile')
>> mp.stage.transform_x86.ReflectiveLoader
Statement(statement=strrep, string="ReflectiveLoader", replace="")
```
### Blocks
Like statements, you can access any block or sub-block:
```
>> mp.http_get
Block(name=http-get, data=[Option(option="uri", value="/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books"),
Block(name=client, data=[Statement(statement=header, key="Accept", value="*/*"), Statement(statement=header, key="Host",
value="www.amazon.com"), Block(name=metadata, data=[Statement(statement=base64, value=""), Statement(statement=prepend,
value="session-token="), Statement(statement=prepend, value="skin=noskin;"), Statement(statement=append,
value="csm-hit=s-24KU11BB82RZSYGJ3BDK|1419899012996"), Statement(statement=header, key="Cookie", value="")])]),
Block(name=server, data=[Statement(statement=header, key="Server", value="Server"), Statement(statement=header,
key="x-amz-id-1", value="THKUYEZKCKPGY5T42PZT"), Statement(statement=header, key="x-amz-id-2",
value="a21yZ2xrNDNtdGRsa212bGV3YW85amZuZW9ydG5rZmRuZ2tmZGl4aHRvNDVpbgo="), Statement(statement=header,
key="X-Frame-Options", value="SAMEORIGIN"), Statement(statement=header, key="Content-Encoding", value="gzip"), Block(
name=output, data=[Statement(statement=print, value="")])])])
>> mp.http_get.server.output
Block(name=output, data=[Statement(statement=print, value="")])
```
## Validating profiles
By default, `validate()` checks the profile against Malleable C2 version 4.0+. You can also pass a specific version. Note: the dns options, when set at global scope, only produce a warning under the default check, but if you specify version `4.3` validation fails and the offending options are returned tagged `INVALID_OPTION`, because 4.3 moved them into the `dns-beacon` block.
**Example**
```
>>> from mpp.profile import MalleableProfile
>>> mp = MalleableProfile('bing_maps.profile')
>>> mp.validate()
starting with v4.3, dns options have been moved into 'dns-beacon' block: dns_idle
starting with v4.3, dns options have been moved into 'dns-beacon' block: maxdns
starting with v4.3, dns options have been moved into 'dns-beacon' block: dns_sleep
starting with v4.3, dns options have been moved into 'dns-beacon' block: dns_stager_prepend
starting with v4.3, dns options have been moved into 'dns-beacon' block: dns_stager_subhost
starting with v4.3, dns options have been moved into 'dns-beacon' block: dns_max_txt
starting with v4.3, dns options have been moved into 'dns-beacon' block: dns_ttl
True
>>> mp.validate(version=4.3)
[(Option(option="dns_idle", value="8.8.8.8"), 'INVALID_OPTION'), (Option(option="maxdns", value="245"), 'INVALID_OPTION'), (Option(option="dns_sleep", value="0"), 'INVALID_OPTION'), (Option(option="dns_stager_prepend", value=""), 'INVALID_OPTION'), (Option(option="dns_stager_subhost", value=""), 'INVALID_OPTION'), (Option(option="dns_max_txt", value="252"), 'INVALID_OPTION'), (Option(option="dns_ttl", value="1"), 'INVALID_OPTION')]
>>>
```
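The usage section above shows the object model the library produces (Option, Statement, Block, reached by dotted attribute access) and this section shows how `validate()` treats global dns options per version. The following is an added example, not code from pyMalleableProfileParser: a minimal stand-alone parser for the profile syntax (`set name "value";`, `keyword "arg" ...;` statements, `name { ... }` blocks, `#` comments) that builds the same three node kinds, a `lookup()` helper that mimics the README's dotted access, and a `validate()` that applies the one rule this README documents. The node types are namedtuples with a generic `args` tuple rather than the library's per-statement fields, the function names are this example's own, and the sample profile is constructed from the amazon.profile and bing_maps.profile fragments shown on this page.

```python
import re
from collections import namedtuple

# Node types named after the README's reprs; the generic args tuple (instead of key/value or string/replace) is this example's assumption.
Option = namedtuple("Option", "option value")           # set <name> "<value>";
Statement = namedtuple("Statement", "statement args")   # header "Host" "x";  strrep "a" "";  base64;
Block = namedtuple("Block", "name data")                # http-get { ... }

# whitespace | '#' comment | "quoted string" (with \" escapes) | punctuation | bare word
_TOKEN = re.compile(r'\s+|#[^\n]*|"((?:[^"\\]|\\.)*)"|([{};])|([^\s{};"#]+)')

def tokenize(text):
    pos, out = 0, []
    while pos < len(text):
        m = _TOKEN.match(text, pos)
        if not m:
            raise ValueError(f"unexpected character {text[pos]!r} at offset {pos}")
        pos = m.end()
        if m.group(1) is not None:
            out.append(("str", m.group(1).replace('\\"', '"')))
        elif m.group(2) or m.group(3):
            out.append(("punct", m.group(2)) if m.group(2) else ("word", m.group(3)))
    return out

def parse_profile(text):
    return _parse_body(tokenize(text), 0, nested=False)[0]

def _parse_body(tokens, pos, nested):
    nodes = []
    while pos < len(tokens):
        kind, tok = tokens[pos]
        pos += 1
        if (kind, tok) == ("punct", "}") and nested:
            return nodes, pos
        if kind != "word":
            raise ValueError(f"unexpected {tok!r}")
        if tok == "set":
            trio = tokens[pos:pos + 3]                          # <name> "<value>" ;
            if len(trio) < 3 or trio[0][0] != "word" or trio[1][0] != "str" or trio[2] != ("punct", ";"):
                raise ValueError("malformed 'set' directive")
            nodes.append(Option(trio[0][1], trio[1][1]))
            pos += 3
            continue
        args = []
        while pos < len(tokens) and tokens[pos][0] == "str":   # quoted arguments, if any
            args.append(tokens[pos][1])
            pos += 1
        nxt = tokens[pos] if pos < len(tokens) else None
        if nxt == ("punct", ";"):
            nodes.append(Statement(tok, tuple(args)))
            pos += 1
        elif nxt == ("punct", "{"):                             # block; a variant name before '{' is ignored
            body, pos = _parse_body(tokens, pos + 1, nested=True)
            nodes.append(Block(tok, body))
        else:
            raise ValueError(f"expected ';' or '{{' after '{tok}'")
    if nested:
        raise ValueError("missing '}'")
    return nodes, pos

def lookup(container, key):
    """Stand-in for the README's dotted access (mp.http_get.client.Host): match an Option or Block
    by name, or a Statement by its first argument; '_' and '-' are interchangeable."""
    for node in (container.data if isinstance(container, Block) else container):
        label = (node.option if isinstance(node, Option) else node.name if isinstance(node, Block)
                 else (node.args[0] if node.args else node.statement))
        if label.replace("_", "-") == key.replace("_", "-"):
            return node
    raise KeyError(key)

# Options the README's validate() output reports as moved into the dns-beacon block in 4.3.
DNS_OPTIONS_MOVED_IN_4_3 = {"dns_idle", "maxdns", "dns_sleep", "dns_stager_prepend",
                            "dns_stager_subhost", "dns_max_txt", "dns_ttl"}

def validate(nodes, version=4.0):
    """Return (errors, warnings): a global dns option warns before 4.3 and is INVALID_OPTION from 4.3 on."""
    errors, warnings = [], []
    for node in nodes:
        if isinstance(node, Option) and node.option in DNS_OPTIONS_MOVED_IN_4_3:
            if version >= 4.3:
                errors.append((node, "INVALID_OPTION"))
            else:
                warnings.append((node, "moved into the 'dns-beacon' block in v4.3"))
    return errors, warnings

# Constructed sample modeled on the amazon.profile / bing_maps.profile snippets shown in this README.
SAMPLE_PROFILE = r'''
set maxdns "255";            # global dns option: warning before 4.3, INVALID_OPTION from 4.3
set dns_idle "8.8.8.8";
http-get {
    set uri "/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books";
    client {
        header "Host" "www.amazon.com";
        metadata { base64; prepend "session-token="; header "Cookie"; }
    }
}
stage { transform-x86 { strrep "ReflectiveLoader" ""; } }
'''
```

`parse_profile(SAMPLE_PROFILE)` returns the top-level node list; `lookup(lookup(lookup(nodes, "http_get"), "client"), "Host")` walks to the `Host` header exactly as `mp.http_get.client.Host` does in the README, and `validate(nodes, version=4.3)` returns the two global dns options as `INVALID_OPTION` errors while the default version only returns them as warnings. The parser raises `ValueError` on an unterminated block or a malformed `set`, which is the check you want before feeding an untrusted profile into anything downstream.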
## Profile structure (dict)
**Example: amazon.profile**
```
{'sleeptime': Option(option="sleeptime", value="5000"),
'jitter': Option(option="jitter", value="0"),
'maxdns': Option(option="maxdns", value="255"),
'useragent': Option(option="useragent", value="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"),
'http-get': Block(name=http-get, data=[Option(option="uri", value="/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books"),
Block(name=client, data=[Statement(statement=header, key="Accept", value="*/*"),
Statement(statement=header, key="Host", value="www.amazon.com"),
Block(name=metadata, data=[Statement(statement=base64, value=""),
Statement(statement=prepend, value="session-token="),
Statement(statement=prepend, value="skin=noskin;"),
Statement(statement=append, value="csm-hit=s-24KU11BB82RZSYGJ3BDK|1419899012996"),
Statement(statement=header, key="Cookie", value="")])]),
Block(name=server, data=[Statement(statement=header, key="Server", value="Server"),
Statement(statement=header, key="x-amz-id-1", value="THKUYEZKCKPGY5T42PZT"),
Statement(statement=header, key="x-amz-id-2", value="a21yZ2xrNDNtdGRsa212bGV3YW85amZuZW9ydG5rZmRuZ2tmZGl4aHRvNDVpbgo="),
Statement(statement=header, key="X-Frame-Options", value="SAMEORIGIN"),
Statement(statement=header, key="Content-Encoding", value="gzip"),
Block(name=output, data=[Statement(statement=print, value="")])])]),
'http-post': Block(name=http-post, data=[Option(option="uri", value="/N4215/adj/amzn.us.sr.aps"),
Block(name=client, data=[Statement(statement=header, key="Accept", value="*/*"),
Statement(statement=header, key="Content-Type", value="text/xml"),
Statement(statement=header, key="X-Requested-With", value="XMLHttpRequest"),
Statement(statement=header, key="Host", value="www.amazon.com"),
Statement(statement=parameter, key="sz", value="160x600"),
Statement(statement=parameter, key="oe", value="oe=ISO-8859-1;"),
Block(name=id, data=[Statement(statement=parameter, key="sn", value="")]),
Statement(statement=parameter, key="s", value="3717"),
Statement(statement=parameter, key="dc_ref", value="http%3A%2F%2Fwww.amazon.com"),
Block(name=output, data=[Statement(statement=base64, value=""),
Statement(statement=print, value="")])]),
Block(name=server, data=[Statement(statement=header, key="Server", value="Server"),
Statement(statement=header, key="x-amz-id-1", value="THK9YEZJCKPGY5T42OZT"),
Statement(statement=header, key="x-amz-id-2", value="a21JZ1xrNDNtdGRsa219bGV3YW85amZuZW9zdG5rZmRuZ2tmZGl4aHRvNDVpbgo="),
Statement(statement=header, key="X-Frame-Options", value="SAMEORIGIN"),
Statement(statement=header, key="x-ua-compatible", value="IE=edge"),
Block(name=output, data=[Statement(statement=print, value="")])])])}
```
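The dict above is what a detection or threat-intelligence workflow consumes: the static strings in `http-get` and `http-post` are what the implant puts on the wire, while statements with an empty value mark where the beacon's encoded data is placed. As an added example (not the library's code), the snippet below rebuilds a subset of that amazon.profile tree by hand using namedtuple stand-ins for Option/Statement/Block (their field names follow the reprs shown; the stand-ins themselves are an assumption, not the library's classes) and walks it to separate fixed, matchable indicators from data-carrying slots. The function names and the `PROFILE` literal are this example's own.

```python
from collections import namedtuple

# Stand-ins for the parser's node types, with the field names the README's reprs show (assumption).
Option = namedtuple("Option", "option value")
Statement = namedtuple("Statement", "statement key value", defaults=(None, None))
Block = namedtuple("Block", "name data")

# Constructed subset of the amazon.profile dict listed above (typed by hand, not produced by the library).
PROFILE = {
    "useragent": Option("useragent", "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"),
    "http-get": Block("http-get", [
        Option("uri", "/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books"),
        Block("client", [
            Statement("header", "Accept", "*/*"),
            Statement("header", "Host", "www.amazon.com"),
            Block("metadata", [Statement("base64"), Statement("prepend", value="session-token="),
                               Statement("header", "Cookie", "")]),
        ]),
        Block("server", [
            Statement("header", "Server", "Server"),
            Statement("header", "x-amz-id-1", "THKUYEZKCKPGY5T42PZT"),
            Block("output", [Statement("print")]),
        ]),
    ]),
    "http-post": Block("http-post", [
        Option("uri", "/N4215/adj/amzn.us.sr.aps"),
        Block("client", [
            Statement("header", "Host", "www.amazon.com"),
            Statement("parameter", "sz", "160x600"),
            Block("id", [Statement("parameter", "sn", "")]),
            Block("output", [Statement("base64"), Statement("print")]),
        ]),
        Block("server", [
            Statement("header", "x-amz-id-1", "THK9YEZJCKPGY5T42OZT"),
            Block("output", [Statement("print")]),
        ]),
    ]),
}

def walk(block, path=()):
    """Yield (path, node) for every leaf under a Block; path is the tuple of enclosing block names."""
    here = path + (block.name,)
    for node in block.data:
        if isinstance(node, Block):
            yield from walk(node, here)
        else:
            yield here, node

def extract_indicators(profile):
    """Split the http-get/http-post transactions into fixed strings a sensor can match
    (URIs, User-Agent, client/server headers, parameters) and the name-only header/parameter
    slots that carry the beacon's encoded data and therefore have no fixed value."""
    ind = {"user_agent": None, "uris": [], "client_headers": {}, "server_headers": {},
           "parameters": {}, "data_carriers": []}
    if "useragent" in profile:
        ind["user_agent"] = profile["useragent"].value
    for txn in ("http-get", "http-post"):
        if txn not in profile:
            continue
        for path, node in walk(profile[txn]):
            if isinstance(node, Option) and node.option == "uri":
                ind["uris"].extend(node.value.split())   # 'uri' may list several space-separated URIs
            elif isinstance(node, Statement) and node.statement in ("header", "parameter"):
                if not node.value:                       # name only: this slot carries transaction data
                    ind["data_carriers"].append((path, node.statement, node.key))
                elif node.statement == "parameter":
                    ind["parameters"].setdefault(node.key, set()).add(node.value)
                else:
                    side = "client_headers" if "client" in path else "server_headers"
                    ind[side].setdefault(node.key, set()).add(node.value)
    return ind
```

`extract_indicators(PROFILE)["server_headers"]` is the part worth a second look when writing detections: a profile answers every request with the same literal `x-amz-id-1`, a header the genuine service would normally vary per request, so a constant value across many responses is a stronger signal than the URI or Host alone. The `data_carriers` list tells you where to look for the base64 blob (the `Cookie` header on GET, the `sn` parameter and the POST body on POST) once a session is suspected.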
## Help :construction_worker:
#### Join us in Discussions
I use GitHub Discussions to talk about a range of topics related to this repository.
#### Submit an issue
First, check the [existing issues](https://github.com/brett-fitz/pyMalleableProfileParser/issues). If you have found a new one, please open an issue. We will use that issue to discuss the problem you want solved, and I will try to get to it as soon as I can.
Tags: C2 profile parsing, Cobalt Strike, DAST, Malleable C2, Profile Parser, PyPI, Python library, XML requests, command and control, threat intelligence, security development, developer tools, malware analysis, attack deception, traffic masquerading, reverse-engineering tools