[tux3]

They weren't last time I looked. They seem to contain a bunch of different things, but you can absolutely download and parse them without needing to decrypt anything.

If you have a Crowdstrike customer ID (CID) — which you can pull from any device that has the implant — you can request any channel file you want from their file server.

Ask for metahash+/cfs/channelfiles/0000000291/<YOUR CUSTOMER ID>/C-00000291-00000000-00000001.sys and you should get something that starts with:

    00000000: aaaa aaaa 0100 2301 0000 0500 0000 0000  ......#.........
    00000010: 0100 0000 4808 0000 2c08 0000 0600 0004  ....H...,.......

That's a channel file, unencrypted.

[screwgauge1]

Could you please upload it to some place and share a link. Curious to examine the contents.

[tux3]

I woke up after they'd already pulled the bad update, and I don't have an affected system.

If I look at the C-00000291-00000000-00000032.sys version that Crowdstrike LFO serves me, I get something that looks superficially reasonable (not random garbage or full of zeroes).

I would share it, but my understanding is that channel files specifically can have different contents for different customers (as opposed to other files like their Linux kernel drivers, which is definitely the same giant .xz blob for everyone). So I'd rather not upload something that's potentially tied to a specific customer/company without asking for permission

But if you have a valid customer ID from Crowdstrike, I'm happy to point you the little tool I use. You can request old versions of channel files from LFO and look at the diff as much as you like. But I can't guarantee you'll actually be getting a file that's obviously broken or full of zeroes like some people are describing. My C291 0.32 looks superficially normal.