| author | Matt Graeber <mattgraeber@gmail.com> | 2013-07-11 18:20:05 -0400 | 
|---|---|---|
| committer | Matt Graeber <mattgraeber@gmail.com> | 2013-07-11 18:20:05 -0400 | 
| commit | 05c58324583c4b47cd09c18a73026ebd09d44ebb (patch) | |
| tree | 64c64d1eddaf8da65c788f8eb2709f65b3f3f633 | |
| parent | 55a6dbd019624d4e8de0a0c77c042a3a5963d32a (diff) | |
| download | PowerSploit-05c58324583c4b47cd09c18a73026ebd09d44ebb.tar.gz PowerSploit-05c58324583c4b47cd09c18a73026ebd09d44ebb.zip | |
Latest version of .NET Framework broke Get-PEB
To fix this, I needed to explicitly cast the type arguments passed to the SizeOf and
PtrToStructure methods.
| -rw-r--r-- | ReverseEngineering/Get-PEB.ps1 | 24 | 
1 files changed, 12 insertions, 12 deletions
|
diff --git a/ReverseEngineering/Get-PEB.ps1 b/ReverseEngineering/Get-PEB.ps1
index 1a196ac..86e064d 100644
--- a/ReverseEngineering/Get-PEB.ps1
+++ b/ReverseEngineering/Get-PEB.ps1
@@ -482,7 +482,7 @@ http://msdn.microsoft.com/en-us/library/windows/desktop/aa813706(v=vs.85).aspx
              $PEBStruct = $TypeBuilder.CreateType()
          }
 -        $PEBSize = [Runtime.InteropServices.Marshal]::SizeOf($PEBStruct)
 +        $PEBSize = [Runtime.InteropServices.Marshal]::SizeOf([Type]$PEBStruct)
          #endregion
          function Local:Get-StructFromMemory
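Review bot: The new `[Type]` cast on the `SizeOf` call carries no comment saying why it is required, and the same is true of every other cast this commit adds (the hunks at 562 through 935), so a later cleanup could strip them as redundant and reintroduce the breakage the commit message describes. Presumably the trigger is that a newer Framework added generic `SizeOf<T>(T)` / `PtrToStructure<T>` overloads, so an uncast runtime type binds to the generic overload and is measured as a `Type` object rather than as the struct; please confirm against the runtime version that failed. A one-line comment above the first cast would be enough: `# [Type] cast is required: newer .NET versions add generic SizeOf<T>/PtrToStructure<T> overloads that an uncast Type argument binds to instead of SizeOf(Type)`. The enclosing function body starts outside the hunk.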
 @@ -562,7 +562,7 @@ http://msdn.microsoft.com/en-us/library/windows/desktop/aa813706(v=vs.85).aspx
                  do
                  {
                      $MemoryBasicInformation = [Activator]::CreateInstance($MEMORY_BASIC_INFORMATION)
 -                    $NativeUtils::VirtualQueryEx($Handle, $Flink, [Ref] $MemoryBasicInformation, [Runtime.InteropServices.Marshal]::SizeOf($MEMORY_BASIC_INFORMATION)) | Out-Null
 +                    $NativeUtils::VirtualQueryEx($Handle, $Flink, [Ref] $MemoryBasicInformation, [Runtime.InteropServices.Marshal]::SizeOf([Type]$MEMORY_BASIC_INFORMATION)) | Out-Null
                      $Protection = $ProtectField.GetValue($MemoryBasicInformation)
                      $AllocationBaseOriginal = $AllocationBaseField.GetValue($MemoryBasicInformation)
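Review bot: The rewritten `VirtualQueryEx` call on the `+` line still pipes its return value to `Out-Null`, so a failed query (the API returns 0, for instance when the handle lacks the needed access or the address is outside the target's address space) goes unnoticed and the next two lines read `Protect` and `AllocationBase` out of an unpopulated `$MemoryBasicInformation`. The `VirtualQueryEx` lines in the hunks at 636 and 695 have the same gap. Capture the result and bail out, e.g. `$Queried = $NativeUtils::VirtualQueryEx($Handle, $Flink, [Ref] $MemoryBasicInformation, [Runtime.InteropServices.Marshal]::SizeOf([Type]$MEMORY_BASIC_INFORMATION))` followed by `if ($Queried -eq 0) { Write-Warning 'VirtualQueryEx failed'; return }` — this assumes the P/Invoke definition behind `$NativeUtils`, which is declared outside the hunk, returns the API's integer result. `Get-StructFromMemory` and its `do` loop both start and end outside the hunk.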
 @@ -577,7 +577,7 @@ http://msdn.microsoft.com/en-us/library/windows/desktop/aa813706(v=vs.85).aspx
                          return
                      }
 -                    $StructSize = [Runtime.InteropServices.Marshal]::SizeOf($LdrModuleStruct)
 +                    $StructSize = [Runtime.InteropServices.Marshal]::SizeOf([Type]$LdrModuleStruct)
                      $EndOfAllocation = $AllocationBase + $RegionSize
                      $EndOfStruct = $MemoryAddress.ToInt64() + $StructSize
 @@ -611,15 +611,15 @@ http://msdn.microsoft.com/en-us/library/windows/desktop/aa813706(v=vs.85).aspx
                          return
                      }
 -                    $ParsedLdrModule = [Runtime.InteropServices.Marshal]::PtrToStructure($LocalStructPtr, $LdrModuleStruct)
 +                    $ParsedLdrModule = [Runtime.InteropServices.Marshal]::PtrToStructure($LocalStructPtr, [Type] $LdrModuleStruct)
                      [Runtime.InteropServices.Marshal]::FreeHGlobal($LocalStructPtr)
                      switch ($LoadOrder)
                      {
                          'InLoadOrderModuleList' { $Flink = $ParsedLdrModule.InLoadOrderModuleList.Flink }
 -                        'InMemoryOrderModuleList' { $Flink = [IntPtr] ($ParsedLdrModule.InMemoryOrderModuleList.Flink.ToInt64() - [Runtime.InteropServices.Marshal]::SizeOf($ListEntryStruct)) }
 -                        'InInitializationOrderModuleList' { $Flink = [IntPtr] ($ParsedLdrModule.InInitializationOrderModuleList.Flink.ToInt64() - (2 * [Runtime.InteropServices.Marshal]::SizeOf($ListEntryStruct))) }
 +                        'InMemoryOrderModuleList' { $Flink = [IntPtr] ($ParsedLdrModule.InMemoryOrderModuleList.Flink.ToInt64() - [Runtime.InteropServices.Marshal]::SizeOf([Type]$ListEntryStruct)) }
 +                        'InInitializationOrderModuleList' { $Flink = [IntPtr] ($ParsedLdrModule.InInitializationOrderModuleList.Flink.ToInt64() - (2 * [Runtime.InteropServices.Marshal]::SizeOf([Type]$ListEntryStruct))) }
                      }
                      $SafeHandle = $GetProcessHandle.Invoke($Process, @($PROCESS_VM_READ))
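Review bot: `PtrToStructure` on the first `+` line can throw (the marshaller rejecting the emitted type, or an access problem while copying), and the `FreeHGlobal($LocalStructPtr)` on the following line is not in a `finally`, so the unmanaged buffer allocated for the read leaks on that path; the `PtrToStructure`/`FreeHGlobal` pair in the hunk at 744 has the same shape. Wrap it as `try { $ParsedLdrModule = [Runtime.InteropServices.Marshal]::PtrToStructure($LocalStructPtr, [Type] $LdrModuleStruct) } finally { [Runtime.InteropServices.Marshal]::FreeHGlobal($LocalStructPtr) }`. Separately, this hunk writes `[Type] $LdrModuleStruct` with a space while the other casts in the commit use `[Type]$...`; pick one form throughout. The enclosing `do` loop starts and ends outside the hunk.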
 @@ -636,7 +636,7 @@ http://msdn.microsoft.com/en-us/library/windows/desktop/aa813706(v=vs.85).aspx
              elseif ($StructType -eq [String] -and $UnicodeStringSize)
              {
                  $MemoryBasicInformation = [Activator]::CreateInstance($MEMORY_BASIC_INFORMATION)
 -                $NativeUtils::VirtualQueryEx($Handle, $MemoryAddress, [Ref] $MemoryBasicInformation, [Runtime.InteropServices.Marshal]::SizeOf($MEMORY_BASIC_INFORMATION)) | Out-Null
 +                $NativeUtils::VirtualQueryEx($Handle, $MemoryAddress, [Ref] $MemoryBasicInformation, [Runtime.InteropServices.Marshal]::SizeOf([Type]$MEMORY_BASIC_INFORMATION)) | Out-Null
                  $Protection = $ProtectField.GetValue($MemoryBasicInformation)
                  $AllocationBaseOriginal = $AllocationBaseField.GetValue($MemoryBasicInformation)
 @@ -695,7 +695,7 @@ http://msdn.microsoft.com/en-us/library/windows/desktop/aa813706(v=vs.85).aspx
              else
              {
                  $MemoryBasicInformation = [Activator]::CreateInstance($MEMORY_BASIC_INFORMATION)
 -                $NativeUtils::VirtualQueryEx($Handle, $MemoryAddress, [Ref] $MemoryBasicInformation, [Runtime.InteropServices.Marshal]::SizeOf($MEMORY_BASIC_INFORMATION)) | Out-Null
 +                $NativeUtils::VirtualQueryEx($Handle, $MemoryAddress, [Ref] $MemoryBasicInformation, [Runtime.InteropServices.Marshal]::SizeOf([Type]$MEMORY_BASIC_INFORMATION)) | Out-Null
                  $Protection = $ProtectField.GetValue($MemoryBasicInformation)
                  $AllocationBaseOriginal = $AllocationBaseField.GetValue($MemoryBasicInformation)
 @@ -710,7 +710,7 @@ http://msdn.microsoft.com/en-us/library/windows/desktop/aa813706(v=vs.85).aspx
                      return
                  }
 -                $StructSize = [Runtime.InteropServices.Marshal]::SizeOf($StructType)
 +                $StructSize = [Runtime.InteropServices.Marshal]::SizeOf([Type]$StructType)
                  $EndOfAllocation = $AllocationBase + $RegionSize
                  $EndOfStruct = $MemoryAddress.ToInt64() + $StructSize
 @@ -744,7 +744,7 @@ http://msdn.microsoft.com/en-us/library/windows/desktop/aa813706(v=vs.85).aspx
                      return
                  }
 -                $ParsedStruct = [Runtime.InteropServices.Marshal]::PtrToStructure($LocalStructPtr, $StructType)
 +                $ParsedStruct = [Runtime.InteropServices.Marshal]::PtrToStructure($LocalStructPtr, [Type] $StructType)
                  [Runtime.InteropServices.Marshal]::FreeHGlobal($LocalStructPtr)
                  $SafeHandle.Close()
 @@ -935,8 +935,8 @@ http://msdn.microsoft.com/en-us/library/windows/desktop/aa813706(v=vs.85).aspx
                      switch ($j)
                      {
                          1 { $OrderedModules = Get-StructFromMemory -ProcId $ProcessId -MemoryAddress ($CustomPEB['Ldr'].InLoadOrderModuleList.Flink) -StructType ($LdrModuleStruct) -LoadOrder 'InLoadOrderModuleList' }
 -                        2 { $OrderedModules = Get-StructFromMemory -ProcId $ProcessId -MemoryAddress ([IntPtr] ($CustomPEB['Ldr'].InMemoryOrderModuleList.Flink.ToInt64() - [Runtime.InteropServices.Marshal]::SizeOf($ListEntryStruct))) -StructType ($LdrModuleStruct) -LoadOrder 'InMemoryOrderModuleList' }
 -                        3 { $OrderedModules = Get-StructFromMemory -ProcId $ProcessId -MemoryAddress ([IntPtr] ($CustomPEB['Ldr'].InInitializationOrderModuleList.Flink.ToInt64() - (2 * [Runtime.InteropServices.Marshal]::SizeOf($ListEntryStruct)))) -StructType ($LdrModuleStruct) -LoadOrder 'InInitializationOrderModuleList' }
 +                        2 { $OrderedModules = Get-StructFromMemory -ProcId $ProcessId -MemoryAddress ([IntPtr] ($CustomPEB['Ldr'].InMemoryOrderModuleList.Flink.ToInt64() - [Runtime.InteropServices.Marshal]::SizeOf([Type]$ListEntryStruct))) -StructType ($LdrModuleStruct) -LoadOrder 'InMemoryOrderModuleList' }
 +                        3 { $OrderedModules = Get-StructFromMemory -ProcId $ProcessId -MemoryAddress ([IntPtr] ($CustomPEB['Ldr'].InInitializationOrderModuleList.Flink.ToInt64() - (2 * [Runtime.InteropServices.Marshal]::SizeOf([Type]$ListEntryStruct)))) -StructType ($LdrModuleStruct) -LoadOrder 'InInitializationOrderModuleList' }
                      }
                      $ParsedOrderedModules = New-Object Hashtable[]($OrderedModules.Length)
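Review bot: Cases `2` and `3` recompute `[Runtime.InteropServices.Marshal]::SizeOf([Type]$ListEntryStruct)` inline, and the `switch ($LoadOrder)` in the hunk at 611 repeats the same call on every loop iteration; the size of `$ListEntryStruct` is fixed once the type is created, so compute it once where the type is defined (outside this hunk), e.g. `$ListEntrySize = [Runtime.InteropServices.Marshal]::SizeOf([Type]$ListEntryStruct)`, and use `$ListEntrySize` and `2 * $ListEntrySize` in both switches. That also makes the back-offset from the `InMemoryOrderModuleList` / `InInitializationOrderModuleList` links to the start of the module entry read as intent rather than as a long arithmetic expression. The `switch ($j)` is shown in full, but the loop around it starts and ends outside the hunk.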