author | bitform <matt@exploit-monday.com> | 2013-01-19 18:59:40 -0500 |
committer | bitform <matt@exploit-monday.com> | 2013-01-19 18:59:40 -0500 |
commit | 3c87916e19a942d3168cbe8cf37d0e380cdd865b (patch) | |
tree | 3e2d5d44dd2cedac7a1eded3bdde3ed618f53730 | |
parent | fcb17a423678dbc5b6acf663df0ebe9d7cfbba17 (diff) | |
Renamed RE_Tools. Now ReverseEngineering module
* I renamed RE_Tools to ReverseEngineering and made it a module.
* Slight consistency modifications were made to documentation.
* This is one step in the process of modularizing all of PowerSploit.
-rw-r--r-- | README | 6 | ||||
-rw-r--r-- | ReverseEngineering/Get-ILDisassembly.ps1 (renamed from RE_Tools/Get-ILDisassembly.ps1) | 149 | ||||
-rw-r--r-- | ReverseEngineering/Get-KernelModuleInfo.format.ps1xml (renamed from RE_Tools/Get-KernelModuleInfo.format.ps1xml) | 0 | ||||
-rw-r--r-- | ReverseEngineering/Get-KernelModuleInfo.ps1 (renamed from RE_Tools/Get-KernelModuleInfo.ps1) | 4 | ||||
-rw-r--r-- | ReverseEngineering/Get-Member.ps1 (renamed from RE_Tools/Get-Member.ps1) | 53 | ||||
-rw-r--r-- | ReverseEngineering/Get-MethodAddress.ps1 (renamed from RE_Tools/Get-MethodAddress.ps1) | 5 | ||||
-rw-r--r-- | ReverseEngineering/Get-PEB.format.ps1xml (renamed from RE_Tools/Get-PEB.format.ps1xml) | 0 | ||||
-rw-r--r-- | ReverseEngineering/Get-PEB.ps1 (renamed from RE_Tools/Get-PEB.ps1) | 2 | ||||
-rw-r--r-- | ReverseEngineering/Get-Strings.ps1 (renamed from RE_Tools/Get-Strings.ps1) | 2 | ||||
-rw-r--r-- | ReverseEngineering/Get-StructFromMemory.ps1 (renamed from RE_Tools/Get-StructFromMemory.ps1) | 4 | ||||
-rw-r--r-- | ReverseEngineering/ReverseEngineering.psd1 | 90 | ||||
-rw-r--r-- | ReverseEngineering/ReverseEngineering.psm1 | 1 |
12 files changed, 227 insertions, 89 deletions
@@ -54,9 +54,9 @@ Get-DllLoadPath: Get-DllLoadPath returns the path from which Windows will load a Dll for the given executable.
-----------
-.\RE_Tools
-----------
+--------------------
+.\ReverseEngineering
+--------------------
Tools to aid in reverse engineering
diff --git a/RE_Tools/Get-ILDisassembly.ps1 b/ReverseEngineering/Get-ILDisassembly.ps1
index 6cb9db8..623d904 100644
--- a/RE_Tools/Get-ILDisassembly.ps1
+++ b/ReverseEngineering/Get-ILDisassembly.ps1
@@ -1,83 +1,94 @@ function Get-ILDisassembly
{
<#
-.Synopsis
+.SYNOPSIS
- PowerSploit Module - Get-ILDisassembly
- Author: Matthew Graeber (@mattifestation)
- License: BSD 3-Clause
-
-.Description
+PowerSploit Module - Get-ILDisassembly
+Author: Matthew Graeber (@mattifestation)
+License: BSD 3-Clause
+Required Dependencies: None
+Optional Dependencies: None
- Get-ILDisassembly disassembles a raw MSIL byte array passed in from a MethodInfo object in a manner
- similar to that of Ildasm.
-
- The majority of this code was simply translated from C# (with permission) from a code example taken from:
- "C# 4.0 in a Nutshell", Copyright 2010, Joseph Albahari and Ben Albahari, pg. 728-733
-
-.Parameter MethodInfo
+.DESCRIPTION
- A MethodInfo object that describes the implementation of the method and contains the IL for the method.
-
-.Example
+Get-ILDisassembly disassembles a raw MSIL byte array passed in from a MethodInfo object in a manner similar to that of Ildasm.
- PS> [Int].GetMethod('Parse', [String]) | Get-ILDisassembly | Format-Table Position, Instruction, Operand -AutoSize
-
- Position Instruction Operand
- -------- ----------- -------
- IL_0000 ldarg.0
- IL_0001 ldc.i4.7
- IL_0002 call System.Globalization.NumberFormatInfo.get_CurrentInfo
- IL_0007 call System.Number.ParseInt32
- IL_000C ret
-
- Description
- -----------
- Disassembles the System.Int32.Parse(String) method
-
-.Example
+The majority of this code was simply translated from C# (with permission) from a code example taken from: "C# 4.0 in a Nutshell", Copyright 2010, Joseph Albahari and Ben Albahari, pg. 728-733
- PS> $MethodInfo = [Array].GetMethod('BinarySearch', [Type[]]([Array], [Object]))
- PS> Get-ILDisassembly $MethodInfo | Format-Table Position, Instruction, Operand -AutoSize
-
- Position Instruction Operand
- -------- ----------- -------
- IL_0000 ldarg.0
- IL_0001 brtrue.s IL_000E
- IL_0003 ldstr 'array'
- IL_0008 newobj System.ArgumentNullException..ctor
- IL_000D throw
- IL_000E ldarg.0
- IL_000F ldc.i4.0
- IL_0010 callvirt System.Array.GetLowerBound
- IL_0015 stloc.0
- IL_0016 ldarg.0
- IL_0017 ldloc.0
- IL_0018 ldarg.0
- IL_0019 callvirt System.Array.get_Length
- IL_001E ldarg.1
- IL_001F ldnull
- IL_0020 call System.Array.BinarySearch
- IL_0025 ret
-
- Description
- -----------
- Disassembles the System.Array.BinarySearch(Array, Object) method
-
-.Inputs
- System.Reflection.MethodInfo. The method description containing the raw IL bytecodes.
-
-.Outputs
- System.Object. Returns a custom object consisting of a position, instruction, and opcode parameter.
+.PARAMETER MethodInfo
+
+A MethodInfo object that describes the implementation of the method and contains the IL for the method.
+
+.EXAMPLE
+
+C:\PS> [Int].GetMethod('Parse', [String]) | Get-ILDisassembly | Format-Table Position, Instruction, Operand -AutoSize
+
+Position Instruction Operand
+-------- ----------- -------
+IL_0000 ldarg.0
+IL_0001 ldc.i4.7
+IL_0002 call System.Globalization.NumberFormatInfo.get_CurrentInfo
+IL_0007 call System.Number.ParseInt32
+IL_000C ret
+
+Description
+-----------
+Disassembles the System.Int32.Parse(String) method
+
+.EXAMPLE
+
+C:\PS> $MethodInfo = [Array].GetMethod('BinarySearch', [Type[]]([Array], [Object]))
+C:\PS> Get-ILDisassembly $MethodInfo | Format-Table Position, Instruction, Operand -AutoSize
+
+Position Instruction Operand
+-------- ----------- -------
+IL_0000 ldarg.0
+IL_0001 brtrue.s IL_000E
+IL_0003 ldstr 'array'
+IL_0008 newobj System.ArgumentNullException..ctor
+IL_000D throw
+IL_000E ldarg.0
+IL_000F ldc.i4.0
+IL_0010 callvirt System.Array.GetLowerBound
+IL_0015 stloc.0
+IL_0016 ldarg.0
+IL_0017 ldloc.0
+IL_0018 ldarg.0
+IL_0019 callvirt System.Array.get_Length
+IL_001E ldarg.1
+IL_001F ldnull
+IL_0020 call System.Array.BinarySearch
+IL_0025 ret
+
+Description
+-----------
+Disassembles the System.Array.BinarySearch(Array, Object) method
+
+.INPUTS
+
+System.Reflection.MethodInfo
+
+The method description containing the raw IL bytecodes.
+
+.OUTPUTS
+
+System.Object
+
+Returns a custom object consisting of a position, instruction, and opcode parameter.
-.Link
- My blog: http://www.exploit-monday.com
- Original C# code: http://www.albahari.com/nutshell/cs4ch18.aspx
- OpCodes Class: http://msdn.microsoft.com/en-us/library/system.reflection.emit.opcodes.aspx
- ECMA-335 IL Standard: http://www.ecma-international.org/publications/files/ECMA-ST/Ecma-335.pdf
+.LINK
+
+http://www.exploit-monday.com
+http://www.albahari.com/nutshell/cs4ch18.aspx
+http://msdn.microsoft.com/en-us/library/system.reflection.emit.opcodes.aspx
+http://www.ecma-international.org/publications/files/ECMA-ST/Ecma-335.pdf
#>
-Param ( [Parameter(Mandatory = $True, ValueFromPipeline = $True)] [System.Reflection.MethodInfo] $MethodInfo )
+ Param (
+ [Parameter(Mandatory = $True, ValueFromPipeline = $True)]
+ [System.Reflection.MethodInfo]
+ $MethodInfo
+ )
if (!($MethodInfo.GetMethodBody())) {
return
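Review bot: The guard on the hunk's last lines, `if (!($MethodInfo.GetMethodBody())) { return }`, silently emits nothing for a method that has no IL body (abstract or extern methods, for instance), and neither .OUTPUTS nor .DESCRIPTION mentions that case, so an empty pipeline is indistinguishable from a bug; a `Write-Warning "$($MethodInfo.Name) has no IL method body; nothing to disassemble"` before the `return`, plus a sentence under .OUTPUTS such as "Emits nothing for methods without an IL body", would make it explicit. The .OUTPUTS text also describes the third property as an "opcode parameter" while both examples show it as `Operand`; naming the properties as they appear in the examples (`Position`, `Instruction`, `Operand`) would help anyone scripting against the output. Get-ILDisassembly's body continues beyond the end of this hunk.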
diff --git a/RE_Tools/Get-KernelModuleInfo.format.ps1xml b/ReverseEngineering/Get-KernelModuleInfo.format.ps1xml
index 3e3f347..3e3f347 100644
--- a/RE_Tools/Get-KernelModuleInfo.format.ps1xml
+++ b/ReverseEngineering/Get-KernelModuleInfo.format.ps1xml
diff --git a/RE_Tools/Get-KernelModuleInfo.ps1 b/ReverseEngineering/Get-KernelModuleInfo.ps1
index 0d9f367..0704919 100644
--- a/RE_Tools/Get-KernelModuleInfo.ps1
+++ b/ReverseEngineering/Get-KernelModuleInfo.ps1
@@ -8,6 +8,8 @@ Returns loaded kernel module information. PowerSploit Module - Get-KernelModuleInfo
Author: Matthew Graeber (@mattifestation)
License: BSD 3-Clause
+Required Dependencies: None
+Optional Dependencies: Get-KernelModuleInfo.format.ps1xml
.DESCRIPTION
@@ -43,7 +45,7 @@ To display the output as seen in the example, ensure that Get-KernelModuleInfo.f .LINK
-http://www.exploit-monday.com/
+http://www.exploit-monday.com
#>
# Load custom object formatting views
diff --git a/RE_Tools/Get-Member.ps1 b/ReverseEngineering/Get-Member.ps1
index 9342997..30d29f4 100644
--- a/RE_Tools/Get-Member.ps1
+++ b/ReverseEngineering/Get-Member.ps1
@@ -2,22 +2,29 @@ function Get-Member {
<#
.SYNOPSIS
+
Gets the properties and methods of objects.
+PowerSploit Module - Get-Member
Author: Matthew Graeber (@mattifestation)
License: BSD 3-Clause (Except for the help documentation derived from the original Get-Member)
+Required Dependencies: None
+Optional Dependencies: None
.DESCRIPTION
+
The Get-Member cmdlet gets the "members" (properties and methods) of objects.
To specify the object, use the InputObject parameter or pipe an object to Get-Member. To retrieve information about static members (members of the class, not of the instance), use the Static parameter. To get only certain types of members, such as NoteProperties, use the MemberType parameter.
.PARAMETER Private
+
Gets only the non-public members of the object.
These members are typically not exposed and are extracted using reflection.
.PARAMETER Static
+
Gets only the static properties and methods of the object.
Static properties and methods are defined on the class of objects, not on any particular instance of the class.
@@ -25,6 +32,7 @@ Static properties and methods are defined on the class of objects, not on any pa If you use the Static parameter with the View parameter, the View parameter is ignored. If you use the Static parameter with the MemberType parameter, Get-Member gets only the members that belong to both sets.
.PARAMETER Force
+
Adds the intrinsic members (PSBase, PSAdapted, PSObject, PSTypeNames) and the compiler-generated get_, set_, op_, .ctor, and .cctor methods to the display. By default, Get-Member gets these properties in all views other than "Base" and "Adapted," but it does not display them.
The following list describes the properties that are added when you use the Force parameter:
@@ -41,6 +49,7 @@ The following list describes the properties that are added when you use the Forc -- .cctor: The object's copy constructor
.PARAMETER InputObject
+
Specifies the object whose members are retrieved.
Using the InputObject parameter is not the same as piping an object to Get-Member. The differences are as follows:
@@ -50,6 +59,7 @@ Using the InputObject parameter is not the same as piping an object to Get-Membe -- When you use InputObject to submit a collection of objects, Get-Member gets the members of the collection, such as the properties of the array in an array of integers.
.PARAMETER PrivateMemberType
+
When the 'Private' parameter is specified, only members with the specified member type. The default is All.
The valid values for this parameter are:
@@ -66,6 +76,7 @@ The valid values for this parameter are: -- All: Gets all member types.
.PARAMETER MemberType
+
Gets only members with the specified PowerShell member type. The default is All.
The valid values for this parameter are:
@@ -92,6 +103,7 @@ Not all objects have every type of member. If you specify a member type that the To get related types of members, such as all extended members, use the View parameter. If you use the MemberType parameter with the Static or View parameters, Get-Member gets the members that belong to both sets.
.PARAMETER Name
+
Specifies the names of one or more properties or methods of the object. Get-Member gets only the specified properties and methods.
If you use the Name parameter with the MemberType, View, or Static parameters, Get-Member gets only the members that satisfy the criteria of all parameters.
@@ -99,6 +111,7 @@ If you use the Name parameter with the MemberType, View, or Static parameters, G To get a static member by name, use the Static parameter with the Name parameter.
.PARAMETER View
+
Gets only particular types of members (properties and methods). Specify one or more of the values. The default is "Adapted, Extended".
Valid values are:
@@ -112,40 +125,51 @@ The View parameter determines the members retrieved, not just the display of tho To get particular member types, such as script properties, use the MemberType parameter. If you use the MemberType and View parameters in the same command, Get-Member gets the members that belong to both sets. If you use the Static and View parameters in the same command, the View parameter is ignored.
.EXAMPLE
-PS > [String] | Get-Member -Static -Private
+C:\PS> [String] | Get-Member -Static -Private
+
+Description
+-----------
Returns all staic, non-public members of the String class.
.EXAMPLE
-PS > [Diagnostics.Process] | Get-Member -Private -PrivateMemberType Method
+
+C:\PS> [Diagnostics.Process] | Get-Member -Private -PrivateMemberType Method
+
+Description
+-----------
Returns all non-public instance methods of the Diagnostics.Process class
.EXAMPLE
-PS > "Hello, World" | Get-Member -Private -Force
+C:\PS> "Hello, World" | Get-Member -Private -Force
+
+Description
+-----------
Returns all instance members including those with special names (like .ctor) of the string instance
.LINK
+
http://www.exploit-monday.com/2012/08/surgical-net-dissection.html
#>
[CmdletBinding(DefaultParameterSetName = 'Default')]
- param(
+ Param (
[Parameter(ValueFromPipeline=$true, ParameterSetName = 'Default')]
[Parameter(ValueFromPipeline=$true, ParameterSetName = 'Private')]
[System.Management.Automation.PSObject]
- ${InputObject},
+ $InputObject,
[Parameter(Position=0, ParameterSetName = 'Default')]
[Parameter(Position=0, ParameterSetName = 'Private')]
[ValidateNotNullOrEmpty()]
[System.String[]]
- ${Name},
+ $Name,
[Parameter(ParameterSetName = 'Default')]
[Alias('Type')]
[System.Management.Automation.PSMemberTypes]
- ${MemberType},
+ $MemberType,
[Parameter(ParameterSetName = 'Private')]
[System.Reflection.MemberTypes]
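Review bot: The reworked help in this hunk still reads as if it documented the built-in cmdlet, but once ReverseEngineering.psm1 dot-sources this file and the manifest exports every function, importing the module shadows Get-Member for the whole session; .DESCRIPTION should state that, e.g. `This function is a proxy for the built-in Get-Member that adds the -Private and -PrivateMemberType reflection parameters. After Import-Module it shadows Microsoft.PowerShell.Utility\Get-Member, which stays reachable under that module-qualified name.` The PROCESS block's `$steppablePipeline.Process($_)` suggests the default parameter set is forwarded to the original cmdlet, which is worth saying in the same paragraph if that is the intent. The unchanged example description just above the second .EXAMPLE still reads `staic`. The param block and the function body continue beyond this hunk.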
@@ -153,23 +177,24 @@ http://www.exploit-monday.com/2012/08/surgical-net-dissection.html [Parameter(ParameterSetName = 'Default')]
[System.Management.Automation.PSMemberViewTypes]
- ${View},
+ $View,
[Parameter(ParameterSetName = 'Default')]
[Parameter(ParameterSetName = 'Private')]
[Switch]
- ${Static},
+ $Static,
[Parameter(ParameterSetName = 'Default')]
[Parameter(ParameterSetName = 'Private')]
[Switch]
- ${Force},
+ $Force,
[Parameter(ParameterSetName = 'Private')]
[Switch]
- ${Private})
+ $Private
+ )
- begin
+ BEGIN
{
try {
$outBuffer = $null
@@ -196,7 +221,7 @@ http://www.exploit-monday.com/2012/08/surgical-net-dissection.html }
}
- process
+ PROCESS
{
try {
$steppablePipeline.Process($_)
@@ -204,7 +229,7 @@ http://www.exploit-monday.com/2012/08/surgical-net-dissection.html }
}
- end
+ END
{
try {
$steppablePipeline.End()
diff --git a/RE_Tools/Get-MethodAddress.ps1 b/ReverseEngineering/Get-MethodAddress.ps1
index e72beff..bd6c627 100644
--- a/RE_Tools/Get-MethodAddress.ps1
+++ b/ReverseEngineering/Get-MethodAddress.ps1
@@ -8,6 +8,8 @@ Get the unmanaged function address of a .NET method. PowerSploit Module - Get-MethodAddress
Author: Matthew Graeber (@mattifestation)
License: BSD 3-Clause
+Required Dependencies: None
+Optional Dependencies: None
.DESCRIPTION
@@ -51,7 +53,8 @@ Returns an unmanaged address for every method (in which an address can be return .OUTPUTS
-[System.String]
+System.String
+
A hexadecimal representation of the method address.
.NOTES
diff --git a/RE_Tools/Get-PEB.format.ps1xml b/ReverseEngineering/Get-PEB.format.ps1xml
index 9c25dc1..9c25dc1 100644
--- a/RE_Tools/Get-PEB.format.ps1xml
+++ b/ReverseEngineering/Get-PEB.format.ps1xml
diff --git a/RE_Tools/Get-PEB.ps1 b/ReverseEngineering/Get-PEB.ps1
index d230721..6dbd55a 100644
--- a/RE_Tools/Get-PEB.ps1
+++ b/ReverseEngineering/Get-PEB.ps1
@@ -8,6 +8,8 @@ Returns the process environment block (PEB) of a process. PowerSploit Module - Get-PEB
Author: Matthew Graeber (@mattifestation)
License: BSD 3-Clause
+Required Dependencies: None
+Optional Dependencies: Get-PEB.format.ps1xml
.DESCRIPTION
diff --git a/RE_Tools/Get-Strings.ps1 b/ReverseEngineering/Get-Strings.ps1
index 37834cd..87f5f6a 100644
--- a/RE_Tools/Get-Strings.ps1
+++ b/ReverseEngineering/Get-Strings.ps1
@@ -8,6 +8,8 @@ Gets strings from a file. PowerSploit Module - Inject-Shellcode
Author: Matthew Graeber (@mattifestation)
License: BSD 3-Clause
+Required Dependencies: None
+Optional Dependencies: None
.DESCRIPTION
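Review bot: The synopsis header this hunk extends still identifies the file as `PowerSploit Module - Inject-Shellcode` (the context line directly above the added Dependencies lines), so Get-Help for Get-Strings names a different, far more sensitive command. Since the commit's stated aim is documentation consistency, that line should read `PowerSploit Module - Get-Strings`; anyone auditing which PowerSploit scripts are present on a host would otherwise be misled by the help text.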
diff --git a/RE_Tools/Get-StructFromMemory.ps1 b/ReverseEngineering/Get-StructFromMemory.ps1
index d4d710a..9a265c5 100644
--- a/RE_Tools/Get-StructFromMemory.ps1
+++ b/ReverseEngineering/Get-StructFromMemory.ps1
@@ -8,6 +8,8 @@ Marshals data from an unmanaged block of memory in an arbitrary process to a new PowerSploit Module - Get-StructFromMemory
Author: Matthew Graeber (@mattifestation)
License: BSD 3-Clause
+Required Dependencies: None
+Optional Dependencies: None
.DESCRIPTION
@@ -41,7 +43,7 @@ Get-StructFromMemory does a good job with error handling however it will crash i .LINK
-http://www.exploit-monday.com/
+http://www.exploit-monday.com
#>
[CmdletBinding()] Param (
diff --git a/ReverseEngineering/ReverseEngineering.psd1 b/ReverseEngineering/ReverseEngineering.psd1
new file mode 100644
index 0000000..3ad890d
--- /dev/null
+++ b/ReverseEngineering/ReverseEngineering.psd1
@@ -0,0 +1,90 @@
+@{
+
+# Script module or binary module file associated with this manifest.
+ModuleToProcess = 'ReverseEngineering.psm1'
+
+# Version number of this module.
+ModuleVersion = '1.0.0.0'
+
+# ID used to uniquely identify this module
+GUID = 'cbffaf47-c55a-4901-92e7-8d794fbe1fff'
+
+# Author of this module
+Author = 'Matthew Graeber'
+
+# Company or vendor of this module
+CompanyName = ''
+
+# Copyright statement for this module
+Copyright = 'BSD 3-Clause'
+
+# Description of the functionality provided by this module
+Description = 'PowerSploit Reverse Engineering Module'
+
+# Minimum version of the Windows PowerShell engine required by this module
+PowerShellVersion = '2.0'
+
+# Name of the Windows PowerShell host required by this module
+# PowerShellHostName = ''
+
+# Minimum version of the Windows PowerShell host required by this module
+# PowerShellHostVersion = ''
+
+# Minimum version of the .NET Framework required by this module
+# DotNetFrameworkVersion = ''
+
+# Minimum version of the common language runtime (CLR) required by this module
+# CLRVersion = ''
+
+# Processor architecture (None, X86, Amd64) required by this module
+# ProcessorArchitecture = ''
+
+# Modules that must be imported into the global environment prior to importing this module
+# RequiredModules = @()
+
+# Assemblies that must be loaded prior to importing this module
+# RequiredAssemblies = @()
+
+# Script files (.ps1) that are run in the caller's environment prior to importing this module.
+# ScriptsToProcess = ''
+
+# Type files (.ps1xml) to be loaded when importing this module
+# TypesToProcess = @()
+
+# Format files (.ps1xml) to be loaded when importing this module
+FormatsToProcess = 'Get-KernelModuleInfo.format.ps1xml', 'Get-PEB.format.ps1xml'
+
+# Modules to import as nested modules of the module specified in RootModule/ModuleToProcess
+# NestedModules = @()
+
+# Functions to export from this module
+FunctionsToExport = '*'
+
+# Cmdlets to export from this module
+CmdletsToExport = '*'
+
+# Variables to export from this module
+VariablesToExport = ''
+
+# Aliases to export from this module
+AliasesToExport = ''
+
+# List of all modules packaged with this module.
+ModuleList = @(@{ModuleName = 'ReverseEngineering'; ModuleVersion = '1.0.0.0'; GUID = 'cbffaf47-c55a-4901-92e7-8d794fbe1fff'})
+
+# List of all files packaged with this module
+FileList = 'ReverseEngineering.psm1', 'ReverseEngineering.psd1', 'Get-ILDisassembly.ps1', 'Get-KernelModuleInfo.format.ps1xml',
+ 'Get-KernelModuleInfo.ps1', 'Get-Member.ps1', 'Get-MethodAddress.ps1', 'Get-PEB.format.ps1xml',
+ 'Get-PEB.ps1', 'Get-Strings.ps1', 'Get-StructFromMemory.ps1'
+
+# Private data to pass to the module specified in RootModule/ModuleToProcess
+# PrivateData = ''
+
+# HelpInfo URI of this module
+# HelpInfoURI = ''
+
+# Default prefix for commands exported from this module. Override the default prefix using Import-Module -Prefix.
+# DefaultCommandPrefix = ''
+
+}
+
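Review bot: `FunctionsToExport = '*'`, combined with the psm1's wildcard dot-sourcing, exports every function defined in any .ps1 that happens to sit in the module directory, including the Get-Member proxy that shadows the built-in cmdlet; an explicit list is the least-privilege form and keeps the exported surface in step with FileList: `FunctionsToExport = 'Get-ILDisassembly', 'Get-KernelModuleInfo', 'Get-Member', 'Get-MethodAddress', 'Get-PEB', 'Get-Strings', 'Get-StructFromMemory'`. `CmdletsToExport = '*'` could be `@()` since a script module defines no compiled cmdlets, and `Copyright = 'BSD 3-Clause'` holds a license name rather than a copyright statement (`Copyright = '(c) 2013 Matthew Graeber. Licensed under BSD 3-Clause.'`). Get-KernelModuleInfo.ps1 appears to load its own formatting views (the `# Load custom object formatting views` comment visible in its hunk), so with FormatsToProcess now naming both .format.ps1xml files it is worth confirming the views are not registered twice on import.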
diff --git a/ReverseEngineering/ReverseEngineering.psm1 b/ReverseEngineering/ReverseEngineering.psm1
new file mode 100644
index 0000000..5bb81d3
--- /dev/null
+++ b/ReverseEngineering/ReverseEngineering.psm1
@@ -0,0 +1 @@
+Get-ChildItem (Join-Path $PSScriptRoot *.ps1) | % { . $_.FullName}
\ No newline at end of file |
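Review bot: `Get-ChildItem (Join-Path $PSScriptRoot *.ps1) | % { . $_.FullName}` dot-sources every .ps1 present in the module directory at import time, so any script dropped there (a stray test file, or one planted on a shared module path) runs with the importing user's privileges and, through `FunctionsToExport = '*'`, is exported as part of the module; enumerating the scripts the manifest's FileList already names removes that ambiguity. Spelling out `ForEach-Object` instead of the `%` alias and ending the file with a newline (the diff reports none) are small hygiene points for a file that executes on every import.
```powershell
# Dot-source only the scripts this module ships (see FileList in ReverseEngineering.psd1).
$ModuleScripts = 'Get-ILDisassembly', 'Get-KernelModuleInfo', 'Get-Member', 'Get-MethodAddress',
                 'Get-PEB', 'Get-Strings', 'Get-StructFromMemory'
foreach ($Script in $ModuleScripts) { . (Join-Path $PSScriptRoot "$Script.ps1") }
```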