CobaltStrike 字符集编码改进技术文档<\/h1>

0x01 场景概述<\/h2>

在使用CobaltStrike时，配合第三方工具（如带web探测功能的工具）时，获取到的webtitle或其他内容通过beacon console回显时，经常出现乱码问题。主要原因：<\/p>

第三方工具获取的webtitle通常是UTF-8编码格式<\/li>
包含中文内容时尤其明显<\/li>

在简体中文Windows系统上测试发现：

GB2312编码文件显示正常<\/li>

UTF-8编码文件显示乱码<\/li> <\/ul> <\/li> <\/ol>

根本原因<\/strong>：编码不统一导致的问题。<\/p>

0x02 编码定位与调试环境搭建<\/h2>
反编译环境准备<\/h3>

使用IDEA自带的反编译插件java-decompiler.jar：<\/p>
java -cp java-decompiler.jar org.jetbrains.java.decompiler.main.decompiler.ConsoleDecompiler -dgs=<\/span>true cs_bin\/cobaltstrike.jar cs_src\/ <\/span><\/span><\/code><\/pre><\/li> 构建二次开发环境：<\/p> 基于反编译得到的源代码<\/li> 使用原始cobaltstrike.jar<\/li> 采用增量修改方式<\/li> <\/ul> <\/li> <\/ol> 调试环境配置<\/h3> Server端配置<\/strong>：<\/p> Main class: server.TeamServer<\/code><\/li> VM options: -XX:ParallelGCThreads=4 -Dcobaltstrike.server_port=50050 -Djavax.net.ssl.keyStore=.\/cobaltstrike.store -Djavax.net.ssl.keyStorePassword=123456 -server -XX:+AggressiveHeap -XX:+UseParallelGC -classpath .\/cobaltstrike.jar server.TeamServer $* <\/code><\/pre> <\/li> Program arguments: 172.16.119.1 123456<\/code> (示例)<\/li> <\/ul> Client端配置<\/strong>：<\/p> VM options: -Dfile.encoding=UTF-8 -XX:ParallelGCThreads=4 -XX:+AggressiveHeap -XX:+UseParallelGC <\/code><\/pre> <\/li> <\/ul> 编码处理流程分析<\/h3> Client与Server交互时，metadata携带系统编码信息<\/li> 处理流程： beacon.BeaconC2.process_beacon_metadata()<\/code><\/li> 调用common.WindowsCharsets.getName()<\/code>解析编码类型<\/li> WindowsCharsets.getName()<\/code>通过switch-case维护编码解析对应表<\/li> 实例化BeaconEntry<\/code>并将编码类型赋值给beaconEntry.chst<\/code><\/li> 通过this.getCharsets().register(beaconEntry.getId(), var9, var10)<\/code>注册编码信息<\/li> <\/ul> <\/li> <\/ol> 关键代码<\/strong>：<\/p> public<\/span> void<\/span> register<\/span>(<\/span>Map map,<\/span> String var2,<\/span> String var3)<\/span> {<\/span> <\/span><\/span> if<\/span> (<\/span>var3 !=<\/span> null<\/span>)<\/span> {<\/span> <\/span><\/span> try<\/span> {<\/span> <\/span><\/span> Charset var4 =<\/span> Charset.<\/span>forName<\/span>(<\/span>var3);<\/span> <\/span><\/span> synchronized<\/span> (<\/span>this<\/span>)<\/span> {<\/span> <\/span><\/span> map.<\/span>put<\/span>(<\/span>var2,<\/span> var4);<\/span> <\/span><\/span> }<\/span> <\/span><\/span> }<\/span> catch<\/span> (<\/span>Exception var8)<\/span> {<\/span> <\/span><\/span> MudgeSanity.<\/span>logException<\/span>(<\/span>"Could not find charset '"<\/span> +<\/span> var3 +<\/span> "' for Beacon ID "<\/span> +<\/span> var2,<\/span> var8,<\/span> false<\/span>);<\/span> <\/span><\/span> }<\/span> <\/span><\/span> }<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>测试验证<\/strong>：强制修改注册编码类型为UTF-8可使UTF-8内容正常显示，但GB2312内容变为乱码。<\/p> 0x03 功能实现方案<\/h2> 设计思路<\/h3> 仿造Note功能实现动态修改编码功能，包含两部分：<\/p> beacon console命令<\/li> GUI界面选项<\/li> <\/ol> 代码实现<\/h3> Client端处理<\/strong>：<\/p> beacon.TaskBeacon.Note()<\/code>处理note xxx<\/code>指令<\/li> aggressor.windows.BeaconConsole<\/code>首次处理请求<\/li> 最终通过common.TeamQueue.run()<\/code>发送指令到teamserver<\/li> <\/ul> Server端处理<\/strong>：<\/p> server.Beacons.buildBeaconModel()<\/code>处理接收的指令<\/li> 使用this.notes<\/code>维护beaconId和note的键值对<\/li> 通过广播机制更新状态<\/li> <\/ul> GUI实现代码<\/strong>（添加到default.cna）：<\/p> item "Setchar"<\/span> { <\/span><\/span> $<\/span>bid =<\/span> $<\/span>1<\/span>; <\/span><\/span> $<\/span>dialog =<\/span> dialog("Setchar"<\/span>, %<\/span>(charsets =><\/span> ""<\/span>), &<\/span>Setchar); <\/span><\/span> dialog_description($<\/span>dialog, "Set the Beacon's Charset "<\/span>); <\/span><\/span> drow_combobox($<\/span>dialog, "charsets"<\/span>, "charset:"<\/span>, @<\/span>(""<\/span>, "UTF-8"<\/span>, "GBK"<\/span>, "GB2312"<\/span>, "GB18030"<\/span>, "ISO-8859-1"<\/span>, "BIG5"<\/span>, "UTF-16"<\/span>, "UTF-16LE"<\/span>, "UTF-16BE"<\/span>)); <\/span><\/span> dbutton_action($<\/span>dialog, "Setchar"<\/span>); <\/span><\/span> dialog_show($<\/span>dialog); <\/span><\/span>} <\/span><\/span> <\/span><\/span>sub Setchar { <\/span><\/span> binput($<\/span>bid, "setchar $3['charsets']"<\/span>); <\/span><\/span> beacon_setchar($<\/span>bid, $<\/span>3<\/span>['<\/span>charsets'<\/span>]); <\/span><\/span>} <\/span><\/span><\/code><\/pre>支持编码类型<\/strong>：<\/p> UTF-8<\/li> GBK<\/li> GB2312<\/li> GB18030<\/li> ISO-8859-1<\/li> BIG5<\/li> UTF-16<\/li> UTF-16LE<\/li> UTF-16BE<\/li> <\/ul> 0x04 使用效果<\/h2> Console命令使用<\/h3> 添加setchar<\/code>命令：<\/p> Use: setchar [text] e.g: setchar utf-8 | setchar set a charset to this Beacon. <\/code><\/pre> GUI界面使用<\/h3> 通过图形菜单设置编码<\/li> 可选择9种编码格式<\/li> 选择空值将重置为初始编码<\/li> <\/ol> 0x05 技术总结<\/h2> 通过分析CobaltStrike的编码处理流程定位问题<\/li> 借鉴Note功能的实现方式<\/li> 采用增量修改方式保持代码稳定性<\/li> 提供Console和GUI两种操作方式<\/li> 支持多种常见编码格式切换<\/li> <\/ol> 附录：完整实现要点<\/h2> 编码注册机制<\/strong>：修改beacon.BeaconCharsets.register()<\/code>方法<\/li> 命令处理<\/strong>：仿照Note<\/code>命令实现setchar<\/code>命令处理<\/li> 状态维护<\/strong>：在Server端维护编码状态<\/li> GUI集成<\/strong>：通过default.cna添加图形界面<\/li> 广播机制<\/strong>：确保编码更改能实时生效<\/li> <\/ol> 通过此改进，可有效解决CobaltStrike中因编码不一致导致的乱码问题，提升工具在多种语言环境下的可用性。<\/p>