diff options
| author | bitform <matt@exploit-monday.com> | 2012-11-17 16:46:50 -0500 |
|---|---|---|
| committer | bitform <matt@exploit-monday.com> | 2012-11-17 16:46:50 -0500 |
| commit | 138bd399113319fcc1bc07ed86132dc23c9ab97c (patch) | |
| tree | 1a2b8b1a7aa9239950977d23f66da1897760e726 | |
| parent | ca705d0a6eb88a2f8f345965a1d18b082f10aef9 (diff) | |
| download | PowerSploit-138bd399113319fcc1bc07ed86132dc23c9ab97c.tar.gz PowerSploit-138bd399113319fcc1bc07ed86132dc23c9ab97c.zip | |
Adding Get-MethodAddress
| -rw-r--r-- | README | 4 | ||||
| -rw-r--r-- | RE_Tools/Get-MethodAddress.ps1 | 110 |
2 files changed, 114 insertions, 0 deletions
@@ -56,6 +56,10 @@ Get-Strings: Dumps strings from files in both Unicode and Ascii. This cmdlet replicates the functionality of strings.exe from Sysinternals.
+Get-MethodAddress:
+
+ Get the unmanaged function address of a .NET method.
+
-------
.\Recon
-------
diff --git a/RE_Tools/Get-MethodAddress.ps1 b/RE_Tools/Get-MethodAddress.ps1 new file mode 100644 index 0000000..e72beff --- /dev/null +++ b/RE_Tools/Get-MethodAddress.ps1 @@ -0,0 +1,110 @@ +function Get-MethodAddress
+{
+<#
+.SYNOPSIS
+
+Get the unmanaged function address of a .NET method.
+
+PowerSploit Module - Get-MethodAddress
+Author: Matthew Graeber (@mattifestation)
+License: BSD 3-Clause
+
+.DESCRIPTION
+
+Get-MethodAddress aids in the process of reverse engineering and exploitation by returning an unmanaged function pointer to any .NET method. This method is useful for those interested in seeing what JITed MSIL opcodes look like in their assembly language representation.
+
+For example, here is the MSIL representation of [System.IntPtr].ToPointer:
+0x02 ldarg.0
+0x7B,0x53,0x04,0x00,0x04 ldfld void* System.IntPtr::m_value
+0x2A ret
+
+After calling Get-MethodAddress and inspecting it in WinDbg, here is the x86_64 ASM representation:
+C:\PS> Get-MethodAddress ([IntPtr].GetMethod('ToPointer'))
+0x000007FF35544CC0
+
+mscorlib_ni+0xd04cc0:
+000007ff`35544cc0 488b01 mov rax,qword ptr [rcx]
+000007ff`35544cc3 c3 ret
+000007ff`35544cc4 cc int 3
+
+This MSIL to ASM translation makes sense because all the assembly instructions are doing is dereferencing the pointer in rcx.
+
+.PARAMETER MethodInfo
+
+The method whose unmanaged address will be returned.
+
+.EXAMPLE
+
+C:\PS> Get-MethodAddress ([String].GetMethod('Trim', [Type[]]@()))
+
+Description
+-----------
+Returns the unmanaged address of [System.Object].Trim() method.
+
+.EXAMPLE
+
+C:\PS> [Int].Module.GetTypes().GetMethods() | ForEach-Object {Get-MethodAddress $_ -ErrorAction SilentlyContinue -WarningAction SilentlyContinue}
+
+Description
+-----------
+Returns an unmanaged address for every method (in which an address can be returned) in mscorlib.
+
+.OUTPUTS
+
+[System.String]
+A hexadecimal representation of the method address.
+
+.NOTES
+
+Not all methods will be able to return an address. For example, methods with implementation flags of AggressiveInlining, Synchronized, or CodeTypeMask will not return an address. Also note that any InternalCall method will return the same pointer every time because the CLR determines its address at runtime.
+
+Lastly, note that the MSIL opcodes used to implement this cmdlet are unverifiable. This means for example, that this technique won't aid exploiting Silverlight applications. :'(
+
+.LINK
+
+http://www.exploit-monday.com/2012/11/Get-MethodAddress.html
+#>
+
+ [CmdletBinding()] Param (
+ [Parameter(Mandatory = $True, ValueFromPipeline = $True)]
+ [System.Reflection.MethodInfo]
+ $MethodInfo
+ )
+
+ if ($MethodInfo.MethodImplementationFlags -eq 'InternalCall')
+ {
+ Write-Warning "$($MethodInfo.Name) is an InternalCall method. These methods always point to the same address."
+ }
+
+ $Domain = [AppDomain]::CurrentDomain
+ $DynAssembly = New-Object System.Reflection.AssemblyName('MethodLeakAssembly')
+ # Assemble in memory
+ $AssemblyBuilder = $Domain.DefineDynamicAssembly($DynAssembly, [System.Reflection.Emit.AssemblyBuilderAccess]::Run)
+ $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule('MethodLeakModule')
+ $TypeBuilder = $ModuleBuilder.DefineType('MethodLeaker', [System.Reflection.TypeAttributes]::Public)
+ # Declaration of the LeakMethod method
+ $MethodBuilder = $TypeBuilder.DefineMethod('LeakMethod', [System.Reflection.MethodAttributes]::Public -bOr [System.Reflection.MethodAttributes]::Static, [UInt64], $null)
+ $Generator = $MethodBuilder.GetILGenerator()
+
+ # Push unmanaged pointer to MethodInfo onto the evaluation stack
+ $Generator.Emit([System.Reflection.Emit.OpCodes]::Ldftn, $MethodInfo)
+ # Convert the pointer to type - unsigned int64
+ $Generator.Emit([System.Reflection.Emit.OpCodes]::Conv_Ovf_U8)
+ $Generator.Emit([System.Reflection.Emit.OpCodes]::Ret)
+
+ # Assemble everything
+ $Type = $TypeBuilder.CreateType()
+ $Method = $Type.GetMethod('LeakMethod')
+
+ try
+ {
+ # Call the method and return its JITed address
+ $Address = $Method.Invoke($null, @())
+
+ Write-Output "0x$($Address.ToString("X$([IntPtr]::Size * 2)"))"
+ }
+ catch [System.Management.Automation.MethodInvocationException]
+ {
+ Write-Error "$($MethodInfo.Name) cannot return an unmanaged address."
+ }
+}
\ No newline at end of file |