Switch to ruff linter

.gitignore

@@ -0,0 +1,163 @@
+# dissect.cobaltstrike version.py
+dissect/cobaltstrike/_version.py
+
+# Byte-compiled / optimized / DLL files
+__pycache__/
+*.py[cod]
+*$py.class
+
+# C extensions
+*.so
+
+# Distribution / packaging
+.Python
+build/
+develop-eggs/
+dist/
+downloads/
+eggs/
+.eggs/
+lib/
+lib64/
+parts/
+sdist/
+var/
+wheels/
+share/python-wheels/
+*.egg-info/
+.installed.cfg
+*.egg
+MANIFEST
+
+# PyInstaller
+#  Usually these files are written by a python script from a template
+#  before PyInstaller builds the exe, so as to inject date/other infos into it.
+*.manifest
+*.spec
+
+# Installer logs
+pip-log.txt
+pip-delete-this-directory.txt
+
+# Unit test / coverage reports
+htmlcov/
+.tox/
+.nox/
+.coverage
+.coverage.*
+.cache
+nosetests.xml
+coverage.xml
+*.cover
+*.py,cover
+.hypothesis/
+.pytest_cache/
+cover/
+
+# Translations
+*.mo
+*.pot
+
+# Django stuff:
+*.log
+local_settings.py
+db.sqlite3
+db.sqlite3-journal
+
+# Flask stuff:
+instance/
+.webassets-cache
+
+# Scrapy stuff:
+.scrapy
+
+# Sphinx documentation
+docs/_build/
+
+# PyBuilder
+.pybuilder/
+target/
+
+# Jupyter Notebook
+.ipynb_checkpoints
+
+# IPython
+profile_default/
+ipython_config.py
+
+# pyenv
+#   For a library or package, you might want to ignore these files since the code is
+#   intended to run in multiple environments; otherwise, check them in:
+# .python-version
+
+# pipenv
+#   According to pypa/pipenv#598, it is recommended to include Pipfile.lock in version control.
+#   However, in case of collaboration, if having platform-specific dependencies or dependencies
+#   having no cross-platform support, pipenv may install dependencies that don't work, or not
+#   install all needed dependencies.
+#Pipfile.lock
+
+# poetry
+#   Similar to Pipfile.lock, it is generally recommended to include poetry.lock in version control.
+#   This is especially recommended for binary packages to ensure reproducibility, and is more
+#   commonly ignored for libraries.
+#   https://python-poetry.org/docs/basic-usage/#commit-your-poetrylock-file-to-version-control
+#poetry.lock
+
+# pdm
+#   Similar to Pipfile.lock, it is generally recommended to include pdm.lock in version control.
+#pdm.lock
+#   pdm stores project-wide configurations in .pdm.toml, but it is recommended to not include it
+#   in version control.
+#   https://pdm.fming.dev/#use-with-ide
+.pdm.toml
+
+# PEP 582; used by e.g. github.com/David-OConnor/pyflow and github.com/pdm-project/pdm
+__pypackages__/
+
+# Celery stuff
+celerybeat-schedule
+celerybeat.pid
+
+# SageMath parsed files
+*.sage.py
+
+# Environments
+.env
+.venv
+env/
+venv/
+ENV/
+env.bak/
+venv.bak/
+
+# Spyder project settings
+.spyderproject
+.spyproject
+
+# Rope project settings
+.ropeproject
+
+# mkdocs documentation
+/site
+
+# mypy
+.mypy_cache/
+.dmypy.json
+dmypy.json
+
+# Pyre type checker
+.pyre/
+
+# pytype static type analyzer
+.pytype/
+
+# Cython debug symbols
+cython_debug/
+
+# PyCharm
+#  JetBrains specific template is maintained in a separate JetBrains.gitignore that can
+#  be found at https://github.com/github/gitignore/blob/main/Global/JetBrains.gitignore
+#  and can be added to the global gitignore or merged into this file.  For a more nuclear
+#  option (not recommended) you can uncomment the following to ignore the entire idea folder.
+#.idea/

.pre-commit-config.yaml

@@ -1,15 +1,14 @@
 repos:
+  - repo: https://github.com/charliermarsh/ruff-pre-commit
+    rev: v0.0.270
+    hooks:
+      - id: ruff
   - repo: https://github.com/psf/black
-    rev: 22.10.0
+    rev: 23.3.0
     hooks:
     - id: black
       args: [--check, --diff]
       language_version: python3
-  - repo: https://github.com/pycqa/flake8
-    rev: 5.0.4
-    hooks:
-      - id: flake8
-        additional_dependencies: [flake8-bugbear]
   - repo: https://github.com/codespell-project/codespell
     rev: v2.2.2
     hooks:

dissect/cobaltstrike/artifact.py

@@ -3,12 +3,11 @@
 
 .. _ArtifactKit: https://www.cobaltstrike.com/blog/what-is-a-stageless-payload-artifact/
 """
+import contextlib
 import io
-import sys
 import logging
-import contextlib
-
-from typing import NamedTuple, BinaryIO, Iterator, Optional
+import sys
+from typing import BinaryIO, Iterator, NamedTuple, Optional
 
 from dissect.cobaltstrike import utils
 

dissect/cobaltstrike/beacon.py

@@ -2,26 +2,44 @@
 This module is responsible for extracting and parsing configuration from Cobalt Strike beacon payloads.
 """
 import collections
-import os
-import io
-import sys
-import time
+import functools
 import hashlib
-import logging
+import io
 import ipaddress
 import itertools
-import functools
+import logging
+import os
+import sys
+import time
 from collections import OrderedDict
 from types import MappingProxyType
-from typing import Any, BinaryIO, Dict, Callable, Iterator, List, Mapping, Optional, Tuple, Union, cast
+from typing import (
+    Any,
+    BinaryIO,
+    Callable,
+    Dict,
+    Iterator,
+    List,
+    Mapping,
+    Optional,
+    Tuple,
+    Union,
+    cast,
+)
 
 from dissect import cstruct
-
 from dissect.cobaltstrike import pe
+from dissect.cobaltstrike.utils import (
+    catch_sigpipe,
+    iter_find_needle,
+    p8,
+    u16be,
+    u32,
+    u32be,
+    xor,
+)
 from dissect.cobaltstrike.version import BeaconVersion
 from dissect.cobaltstrike.xordecode import XorEncodedFile
-from dissect.cobaltstrike.utils import catch_sigpipe, p8, u16be, u32, u32be
-from dissect.cobaltstrike.utils import xor, iter_find_needle
 
 logger = logging.getLogger(__name__)
 
@@ -1018,8 +1036,7 @@ def build_parser():
 @catch_sigpipe
 def main():
     """Entrypoint for beacon-dump."""
-    from . import c2profile
-    from . import utils
+    from . import c2profile, utils
 
     parser = build_parser()
     args = parser.parse_args()

dissect/cobaltstrike/c2.py

@@ -3,15 +3,15 @@
 """
 # Python imports
 import base64
-import random
-import logging
 import hashlib
 import hmac
 import io
-from urllib.parse import urlparse, parse_qsl
+import logging
+import random
 
 # Typing imports
-from typing import List, Optional, Union, Tuple, NamedTuple, Iterator, Dict, overload
+from typing import Dict, Iterator, List, NamedTuple, Optional, Tuple, Union, overload
+from urllib.parse import parse_qsl, urlparse
 
 # Pycryptodome imports
 try:
@@ -30,14 +30,20 @@
 
 # Local imports
 from dissect.cobaltstrike.beacon import BeaconConfig
-from dissect.cobaltstrike.utils import xor, p32be, netbios_encode, netbios_decode, namedtuple_reprlib_repr
 from dissect.cobaltstrike.c_c2 import (  # noqa: F401
-    c2struct,
+    BeaconCallback,
+    BeaconCommand,
+    BeaconMetadata,
     CallbackPacket,
     TaskPacket,
-    BeaconMetadata,
-    BeaconCommand,
-    BeaconCallback,
+    c2struct,
+)
+from dissect.cobaltstrike.utils import (
+    namedtuple_reprlib_repr,
+    netbios_decode,
+    netbios_encode,
+    p32be,
+    xor,
 )
 
 TransformStep = Tuple[str, Union[str, bytes, bool, int]]
@@ -263,7 +269,7 @@ def transform(self, c2data: C2Data, request: Optional[HttpRequest] = None) -> Ht
         headers = request.headers
         body = request.body
         data: bytes = b""
-        for (step, step_val) in self.tsteps:
+        for step, step_val in self.tsteps:
             # logger.debug("transform step %r, %r", step, step_val)
             step = step.lower()
             if step == "append":
@@ -334,7 +340,7 @@ def recover(self, http: Union[HttpRequest, HttpResponse]) -> Union[ClientC2Data,
         build_id = None
         data = b""
         # logger.debug("recover steps: %r", self.rsteps)
-        for (step, step_val) in self.rsteps:
+        for step, step_val in self.rsteps:
             step = step.lower()
             if step == "append":
                 if isinstance(step_val, bytes):

dissect/cobaltstrike/c2profile.py

@@ -2,13 +2,13 @@
 This module is responsible for parsing and generating Cobalt Strike Malleable C2 profiles.
 It uses the `lark-parser` library for parsing the syntax using the ``c2profile.lark`` grammar file.
 """
+import collections
+import logging
 import os
 import sys
-import logging
-import collections
 from typing import Any, List, Tuple, Union
 
-from lark import Lark, Tree, Token
+from lark import Lark, Token, Tree
 from lark.reconstruct import Reconstructor
 
 from dissect.cobaltstrike.beacon import BeaconConfig, BeaconSetting
@@ -764,6 +764,7 @@ def main():
     """Entrypoint for c2profile-dump."""
 
     import logging
+
     from dissect.cobaltstrike.beacon import BeaconConfig
 
     parser = build_parser()