diff options
| author | mattifestation <mattgraeber@gmail.com> | 2013-11-07 07:28:53 -0500 |
|---|---|---|
| committer | mattifestation <mattgraeber@gmail.com> | 2013-11-07 07:28:53 -0500 |
| commit | 5b4b9924d5a016af996ffac91a975b9822651451 (patch) | |
| tree | 053750330c18ac6589937c71424cd714b34b5285 | |
| parent | 20f0a5cd96b86b9441e9361df9b0c4d50293a3e2 (diff) | |
| download | PowerSploit-5b4b9924d5a016af996ffac91a975b9822651451.tar.gz PowerSploit-5b4b9924d5a016af996ffac91a975b9822651451.zip | |
Get-ILDisassembly now displays metadata tokens.
* Having metadata tokens displayed in output helps with reverse
engineering because you can pass metadata tokens to
System.Reflection.Module.ResolveMember and then easily interact with the
member in question.
* I also fixed a bug when displaying integer constants. I wasn't doing
an endian swap.
| -rw-r--r-- | ReverseEngineering/Get-ILDisassembly.format.ps1xml | 6 | ||||
| -rw-r--r-- | ReverseEngineering/Get-ILDisassembly.ps1 | 4 |
2 files changed, 9 insertions, 1 deletions
diff --git a/ReverseEngineering/Get-ILDisassembly.format.ps1xml b/ReverseEngineering/Get-ILDisassembly.format.ps1xml index f933e1e..3c610cc 100644 --- a/ReverseEngineering/Get-ILDisassembly.format.ps1xml +++ b/ReverseEngineering/Get-ILDisassembly.format.ps1xml @@ -18,6 +18,9 @@ <TableColumnHeader> <Label>Operand</Label> </TableColumnHeader> + <TableColumnHeader> + <Label>MetadataToken</Label> + </TableColumnHeader> </TableHeaders> <TableRowEntries> <TableRowEntry> @@ -31,6 +34,9 @@ <TableColumnItem> <PropertyName>Operand</PropertyName> </TableColumnItem> + <TableColumnItem> + <ScriptBlock>if ($_.MetadataToken) {"0x$($_.MetadataToken.ToString('X8'))"}</ScriptBlock> + </TableColumnItem> </TableColumnItems> </TableRowEntry> </TableRowEntries> diff --git a/ReverseEngineering/Get-ILDisassembly.ps1 b/ReverseEngineering/Get-ILDisassembly.ps1 index 645dc39..b7293e0 100644 --- a/ReverseEngineering/Get-ILDisassembly.ps1 +++ b/ReverseEngineering/Get-ILDisassembly.ps1 @@ -131,6 +131,7 @@ http://www.ecma-international.org/publications/files/ECMA-ST/Ecma-335.pdf $Type = $Op.OperandType
$Operand = $null
+ $OpInt = $null
if ($Type -eq 'InlineNone') {
$OperandLength = 0
@@ -191,13 +192,14 @@ http://www.ecma-international.org/publications/files/ECMA-ST/Ecma-335.pdf if (($OperandLength -gt 0) -and ($OperandLength -ne 4) -and ($Type -ne 'InlineSwitch') -and ($Type -ne 'ShortInlineBrTarget')) {
# Simply print the hex for all operands with immediate values
- $Operand = "0x{0}" -f (($IL[$Position..($Position+$OperandLength-1)] | ForEach-Object { $_.ToString('X2') }) -join '')
+ $Operand = "0x{0}" -f (($IL[($Position+$OperandLength-1)..$Position] | ForEach-Object { $_.ToString('X2') }) -join '')
}
$Instruction = @{
Position = $InstructionPostion
Instruction = $Op.Name
Operand = $Operand
+ MetadataToken = $OpInt
}
# Return a custom object containing a position, instruction, and fully-qualified operand
|