authormattifestation <mattgraeber@gmail.com>2013-08-29 19:56:01 +0000
committermattifestation <mattgraeber@gmail.com>2013-08-29 19:56:01 +0000
commit6807da424fca9e1f4b4946e695486aefb7eae1fa (patch)
tree38b769c7bf3c13c2c6fafd8bf907256270c95908
parentfcdd3ad6428b4f1ecfd7f63be629af8cbe3204af (diff)
downloadPowerSploit-6807da424fca9e1f4b4946e695486aefb7eae1fa.tar.gz
PowerSploit-6807da424fca9e1f4b4946e695486aefb7eae1fa.zip
Added ProcessModuleTrace cmdlets
Added *-ProcessModuleTrace cmdlets to trace details when modules are loaded into a process. These can be useful for malware analysis.
-rw-r--r--README.md12
-rw-r--r--ReverseEngineering/ProcessModuleTrace.format.ps1xml36
-rw-r--r--ReverseEngineering/ProcessModuleTrace.ps1103
-rw-r--r--ReverseEngineering/ReverseEngineering.psd14
4 files changed, 153 insertions, 2 deletions
diff --git a/README.md b/README.md
index 6bdda8d..5141808 100644
--- a/README.md
+++ b/README.md
@@ -116,6 +116,18 @@ Converts the bytes of a file to a string that has a 1-to-1 mapping back to the f
Get the unmanaged function address of a .NET method.
+#### `Register-ProcessModuleTrace`
+
+Starts a trace of loaded process modules
+
+#### `Get-ProcessModuleTrace`
+
+Displays the process modules that have been loaded since the call to Register-ProcessModuleTrace
+
+#### `Unregister-ProcessModuleTrace`
+
+Stops the running process module trace
+
## AntivirusBypass
**AV doesn't stand a chance against PowerShell!**
diff --git a/ReverseEngineering/ProcessModuleTrace.format.ps1xml b/ReverseEngineering/ProcessModuleTrace.format.ps1xml
new file mode 100644
index 0000000..fbad0b9
--- /dev/null
+++ b/ReverseEngineering/ProcessModuleTrace.format.ps1xml
@@ -0,0 +1,36 @@
+<?xml version="1.0" encoding="utf-8" ?>
+<Configuration>
+ <ViewDefinitions>
+ <View>
+ <Name>ProcessModuleTraceView</Name>
+ <ViewSelectedBy>
+ <TypeName>LOADED_MODULE</TypeName>
+ </ViewSelectedBy>
+ <ListControl>
+ <ListEntries>
+ <ListEntry>
+ <ListItems>
+ <ListItem>
+ <PropertyName>TimeCreated</PropertyName>
+ </ListItem>
+ <ListItem>
+ <PropertyName>ProcessId</PropertyName>
+ </ListItem>
+ <ListItem>
+ <PropertyName>FileName</PropertyName>
+ </ListItem>
+ <ListItem>
+ <Label>ImageBase</Label>
+ <ScriptBlock>"0x$($_.ImageBase.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
+ </ListItem>
+ <ListItem>
+ <PropertyName>ImageSize</PropertyName>
+ <FormatString>0x{0:X8}</FormatString>
+ </ListItem>
+ </ListItems>
+ </ListEntry>
+ </ListEntries>
+ </ListControl>
+ </View>
+ </ViewDefinitions>
+</Configuration> \ No newline at end of file
diff --git a/ReverseEngineering/ProcessModuleTrace.ps1 b/ReverseEngineering/ProcessModuleTrace.ps1
new file mode 100644
index 0000000..3eb57a7
--- /dev/null
+++ b/ReverseEngineering/ProcessModuleTrace.ps1
@@ -0,0 +1,103 @@
+function Register-ProcessModuleTrace
+{
+<#
+.SYNOPSIS
+
+ Starts a trace of loaded process modules
+
+ PowerSploit Function: Register-ProcessModuleTrace
+ Author: Matthew Graeber (@mattifestation)
+ License: BSD 3-Clause
+ Required Dependencies: None
+ Optional Dependencies: None
+
+.OUTPUTS
+
+ System.Management.Automation.PSEventJob
+
+ If desired, you can manipulate the event returned with the *-Event cmdlets.
+
+.LINK
+
+ http://www.exploit-monday.com/
+#>
+
+ [CmdletBinding()] Param ()
+
+ if (-not ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] 'Administrator'))
+ {
+ throw 'You must run this cmdlet from an elevated PowerShell session.'
+ }
+
+ $ModuleLoadedAction = {
+ $Event = $EventArgs.NewEvent
+
+ $ModuleInfo = @{
+ TimeCreated = [DateTime]::FromFileTime($Event.TIME_CREATED)
+ ProcessId = $Event.ProcessId
+ FileName = $Event.FileName
+ ImageBase = $Event.ImageBase
+ ImageSize = $Event.ImageSize
+ }
+
+ $ModuleObject = New-Object PSObject -Property $ModuleInfo
+ $ModuleObject.PSObject.TypeNames[0] = 'LOADED_MODULE'
+
+ $ModuleObject
+ }
+
+ Register-WmiEvent 'Win32_ModuleLoadTrace' -SourceIdentifier 'ModuleLoaded' -Action $ModuleLoadedAction
+}
+
+function Get-ProcessModuleTrace
+{
+<#
+.SYNOPSIS
+
+ Displays the process modules that have been loaded since the call to Register-ProcessModuleTrace
+
+ PowerSploit Function: Get-ProcessModuleTrace
+ Author: Matthew Graeber (@mattifestation)
+ License: BSD 3-Clause
+ Required Dependencies: Register-ProcessModuleTrace
+ Optional Dependencies: None
+
+.OUTPUTS
+
+ PSObject
+
+.LINK
+
+ http://www.exploit-monday.com/
+#>
+
+ $Events = Get-EventSubscriber -SourceIdentifier 'ModuleLoaded' -ErrorVariable NoEventRegistered -ErrorAction SilentlyContinue
+
+ if ($NoEventRegistered)
+ {
+ throw 'You must execute Register-ProcessModuleTrace before you can retrieve a loaded module list'
+ }
+
+ $Events.Action.Output
+}
+
+function Unregister-ProcessModuleTrace
+{
+<#
+.SYNOPSIS
+
+ Stops the running process module trace
+
+ PowerSploit Function: Unregister-ProcessModuleTrace
+ Author: Matthew Graeber (@mattifestation)
+ License: BSD 3-Clause
+ Required Dependencies: Register-ProcessModuleTrace
+ Optional Dependencies: None
+
+.LINK
+
+ http://www.exploit-monday.com/
+#>
+
+ Unregister-Event -SourceIdentifier 'ModuleLoaded'
+} \ No newline at end of file
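Review bot: Register-ProcessModuleTrace hard-codes the source identifier 'ModuleLoaded' in its Register-WmiEvent call, so a second invocation while a trace is already running fails inside Register-WmiEvent with a duplicate-subscriber error instead of a message that points the user at Unregister-ProcessModuleTrace; the elevation check at the top of the function does not cover this case. Get-ProcessModuleTrace already probes for the subscription with Get-EventSubscriber, so the same probe can guard registration, placed just before the Register-WmiEvent line: `if (Get-EventSubscriber -SourceIdentifier 'ModuleLoaded' -ErrorAction SilentlyContinue) { throw 'A process module trace is already running. Run Unregister-ProcessModuleTrace first.' }`. Separately, the subscription is registered with no WQL filter, so the action appends every module load the event source reports to the job's Output buffer for as long as the trace runs, which presumably includes loads into the PowerShell host itself; a `-ProcessId` parameter fed into a `-Query "SELECT * FROM Win32_ModuleLoadTrace WHERE ProcessId = $ProcessId"` would keep a malware-analysis trace scoped to the sample, and the comment-based help should state that the buffer grows unbounded until Unregister-ProcessModuleTrace is called.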
diff --git a/ReverseEngineering/ReverseEngineering.psd1 b/ReverseEngineering/ReverseEngineering.psd1
index 0f643b7..b7da355 100644
--- a/ReverseEngineering/ReverseEngineering.psd1
+++ b/ReverseEngineering/ReverseEngineering.psd1
@@ -52,7 +52,7 @@ PowerShellVersion = '2.0'
# TypesToProcess = @()
# Format files (.ps1xml) to be loaded when importing this module
-FormatsToProcess = 'Get-PEB.format.ps1xml', 'Get-NtSystemInformation.format.ps1xml', 'Get-ILDisassembly.format.ps1xml'
+FormatsToProcess = 'Get-PEB.format.ps1xml', 'Get-NtSystemInformation.format.ps1xml', 'Get-ILDisassembly.format.ps1xml', 'ProcessModuleTrace.format.ps1xml'
# Modules to import as nested modules of the module specified in RootModule/ModuleToProcess
# NestedModules = @()
@@ -76,7 +76,7 @@ ModuleList = @(@{ModuleName = 'ReverseEngineering'; ModuleVersion = '1.0.0.0'; G
FileList = 'ReverseEngineering.psm1', 'ReverseEngineering.psd1', 'Get-ILDisassembly.ps1', 'Get-NtSystemInformation.format.ps1xml',
'Get-NtSystemInformation.ps1', 'Get-Member.ps1', 'Get-MethodAddress.ps1', 'Get-PEB.format.ps1xml',
'Get-PEB.ps1', 'Get-Strings.ps1', 'Get-StructFromMemory.ps1', 'ConvertTo-String.ps1',
- 'New-Object.ps1', 'Get-ILDisassembly.format.ps1xml', 'Usage.md'
+ 'New-Object.ps1', 'Get-ILDisassembly.format.ps1xml', 'ProcessModuleTrace.ps1', 'Usage.md'
# Private data to pass to the module specified in RootModule/ModuleToProcess
# PrivateData = ''
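Review bot: FileList gains 'ProcessModuleTrace.ps1' but not 'ProcessModuleTrace.format.ps1xml', even though the same commit adds that file to FormatsToProcess and every other format file the module loads (Get-PEB.format.ps1xml, Get-NtSystemInformation.format.ps1xml, Get-ILDisassembly.format.ps1xml) is listed in FileList. The manifest is therefore inconsistent with itself, and any packaging or integrity tooling that trusts FileList would omit the new format file. Add it alongside the script: `'New-Object.ps1', 'Get-ILDisassembly.format.ps1xml', 'ProcessModuleTrace.ps1', 'ProcessModuleTrace.format.ps1xml', 'Usage.md'`.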