> The .sys files causing the issue are channel update files, they cause the top level CS driver to crash as they're invalidly formatted. It's unclear how/why Crowdstrike delivered the files and I'd pause all Crowdstrike's updates temporarily until they can explain.
They weren't last time I looked. They seem to contain a bunch of different things, but you can absolutely download and parse them without needing to decrypt anything.
If you have a Crowdstrike customer ID (CID) — which you can pull from any device that has the implant — you can request any channel file you want from their file server.
Ask for metahash+/cfs/channelfiles/0000000291/<YOUR CUSTOMER ID>/C-00000291-00000000-00000001.sys and you should get something that starts with:
I woke up after they'd already pulled the bad update, and I don't have an affected system.
If I look at the C-00000291-00000000-00000032.sys version that Crowdstrike LFO serves me, I get something that looks superficially reasonable (not random garbage or full of zeroes).
I would share it, but my understanding is that channel files specifically can have different contents for different customers (as opposed to other files like their Linux kernel drivers, which are definitely the same giant .xz blob for everyone). So I'd rather not upload something that's potentially tied to a specific customer/company without asking for permission.
But if you have a valid customer ID from Crowdstrike, I'm happy to point you to the little tool I use. You can request old versions of channel files from LFO and look at the diff as much as you like. But I can't guarantee you'll actually be getting a file that's obviously broken or full of zeroes like some people are describing. My C291 0.32 looks superficially normal.
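The post above compares channel file versions and asks whether a given copy is "full of zeroes" or "superficially normal". As an added example that is not part of the original thread or any CrowdStrike tooling, here is a small local triage script for files you have already obtained: it reports size, SHA-256, the share of NUL bytes and Shannon entropy for one blob, and lists the byte ranges that differ between two versions. It does not fetch anything from LFO, knows nothing about the real channel file format, and the sample blobs below are constructed stand-ins, not real channel file content.

```python
import hashlib
import math
from collections import Counter


def summarize(data: bytes) -> dict:
    """Cheap sanity check for a blob: size, hash, NUL-byte share, entropy.

    A file that is 'full of zeroes' has null_ratio near 1.0 and entropy
    near 0 bits; a structured file has a low null_ratio and high entropy.
    """
    n = len(data)
    counts = Counter(data)
    entropy = 0.0
    if n:
        entropy = -sum((c / n) * math.log2(c / n) for c in counts.values())
    return {
        "size": n,
        "sha256": hashlib.sha256(data).hexdigest(),
        "null_ratio": counts.get(0, 0) / n if n else 0.0,
        "entropy_bits": entropy,
    }


def looks_zeroed(data: bytes, threshold: float = 0.9) -> bool:
    """True when at least `threshold` of the bytes are NUL (an assumed cutoff)."""
    return summarize(data)["null_ratio"] >= threshold


def diff_ranges(old: bytes, new: bytes) -> list:
    """Half-open [start, end) offset ranges where two versions differ.

    Any length difference is reported as one trailing range, merged with a
    preceding run of differing bytes when they are adjacent.
    """
    ranges = []
    start = None
    common = min(len(old), len(new))
    longest = max(len(old), len(new))
    for i in range(common):
        if old[i] != new[i]:
            if start is None:
                start = i
        elif start is not None:
            ranges.append((start, i))
            start = None
    if start is not None:
        # run of differences reaches the end of the common prefix
        ranges.append((start, longest))
    elif len(old) != len(new):
        ranges.append((common, longest))
    return ranges


# Constructed sample blobs (NOT real channel file content): a fake 8-byte
# header followed by 1024 structured bytes, an all-NUL version of the same
# size, and a second version with a 4-byte change at offset 16.
SAMPLE_OK = b"\xaa\xaa\xaa\xaa\x00\x00\x00\x00" + bytes(range(256)) * 4
SAMPLE_ZEROED = bytes(len(SAMPLE_OK))
_v2 = bytearray(SAMPLE_OK)
_v2[16:20] = b"\xff\xff\xff\xff"
SAMPLE_V2 = bytes(_v2)


if __name__ == "__main__":
    for name, blob in (("ok", SAMPLE_OK), ("zeroed", SAMPLE_ZEROED)):
        s = summarize(blob)
        print(f"{name}: size={s['size']} null_ratio={s['null_ratio']:.3f} "
              f"entropy={s['entropy_bits']:.2f} zeroed={looks_zeroed(blob)}")
    print("diff ok -> v2:", diff_ranges(SAMPLE_OK, SAMPLE_V2))
```

To use it on real files, replace the constructed samples with `open(path, "rb").read()` for the two channel file versions you pulled; the 0.9 NUL threshold is an arbitrary assumption and should be tuned against a known-good copy.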
> I've obtained copies of the .sys driver files Crowdstrike customers have. They're garbage. Each customer appears to have a different one.
https://cyberplace.social/@GossiTheDog/112812454405913406