author | Matt Graeber <mattgraeber@gmail.com> | 2013-05-24 21:16:43 -0400 |
---|---|---|
committer | Matt Graeber <mattgraeber@gmail.com> | 2013-05-24 21:16:43 -0400 |
commit | 91bd44f0f08259c541088c278467ed9b597985e3 (patch) | |
tree | b914bec1d86f444aadbfe08088e26d0f6253db92 | |
parent | 218f0cb24b382f16f0883a72a6b759579c62755c (diff) | |
download | PowerSploit-91bd44f0f08259c541088c278467ed9b597985e3.tar.gz PowerSploit-91bd44f0f08259c541088c278467ed9b597985e3.zip |
Get-PEB now parses _RTL_USER_PROCESS_PARAMETERS
-rw-r--r-- | ReverseEngineering/Get-PEB.format.ps1xml | 114 | ||||
-rw-r--r-- | ReverseEngineering/Get-PEB.ps1 | 88 |
2 files changed, 201 insertions, 1 deletions
diff --git a/ReverseEngineering/Get-PEB.format.ps1xml b/ReverseEngineering/Get-PEB.format.ps1xml
index 9c25dc1..88eee6a 100644
--- a/ReverseEngineering/Get-PEB.format.ps1xml
+++ b/ReverseEngineering/Get-PEB.format.ps1xml
@@ -1095,5 +1095,119 @@
 </ListEntries>
</ListControl>
</View>
+ <View>
+ <Name>ProcessParameters</Name>
+ <ViewSelectedBy>
+ <TypeName>PEB.ProcessParameters</TypeName>
+ </ViewSelectedBy>
+ <ListControl>
+ <ListEntries>
+ <ListEntry>
+ <ListItems>
+ <ListItem>
+ <PropertyName>MaximumLength</PropertyName>
+ <FormatString>0x{0:X8}</FormatString>
+ </ListItem>
+ <ListItem>
+ <PropertyName>Length</PropertyName>
+ <FormatString>0x{0:X8}</FormatString>
+ </ListItem>
+ <ListItem>
+ <PropertyName>Flags</PropertyName>
+ <FormatString>0x{0:X8}</FormatString>
+ </ListItem>
+ <ListItem>
+ <PropertyName>DebugFlags</PropertyName>
+ <FormatString>0x{0:X8}</FormatString>
+ </ListItem>
+ <ListItem>
+ <Label>ConsoleHandle</Label>
+ <ScriptBlock>"0x$($_.ConsoleHandle.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
+ </ListItem>
+ <ListItem>
+ <PropertyName>ConsoleFlags</PropertyName>
+ <FormatString>0x{0:X8}</FormatString>
+ </ListItem>
+ <ListItem>
+ <Label>StandardInput</Label>
+ <ScriptBlock>"0x$($_.StandardInput.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
+ </ListItem>
+ <ListItem>
+ <Label>StandardOutput</Label>
+ <ScriptBlock>"0x$($_.StandardOutput.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
+ </ListItem>
+ <ListItem>
+ <Label>StandardError</Label>
+ <ScriptBlock>"0x$($_.StandardError.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
+ </ListItem>
+ <ListItem>
+ <PropertyName>CurrentDirectory</PropertyName>
+ </ListItem>
+ <ListItem>
+ <PropertyName>DllPath</PropertyName>
+ </ListItem>
+ <ListItem>
+ <PropertyName>ImagePathName</PropertyName>
+ </ListItem>
+ <ListItem>
+ <PropertyName>CommandLine</PropertyName>
+ </ListItem>
+ <ListItem>
+ <Label>Environment</Label>
+ <ScriptBlock>"0x$($_.Environment.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
+ </ListItem>
+ <ListItem>
+ <PropertyName>StartingX</PropertyName>
+ <FormatString>0x{0:X8}</FormatString>
+ </ListItem>
+ <ListItem>
+ <PropertyName>StartingY</PropertyName>
+ <FormatString>0x{0:X8}</FormatString>
+ </ListItem>
+ <ListItem>
+ <PropertyName>CountX</PropertyName>
+ <FormatString>0x{0:X8}</FormatString>
+ </ListItem>
+ <ListItem>
+ <PropertyName>CountY</PropertyName>
+ <FormatString>0x{0:X8}</FormatString>
+ </ListItem>
+ <ListItem>
+ <PropertyName>CountCharsX</PropertyName>
+ <FormatString>0x{0:X8}</FormatString>
+ </ListItem>
+ <ListItem>
+ <PropertyName>CountCharsY</PropertyName>
+ <FormatString>0x{0:X8}</FormatString>
+ </ListItem>
+ <ListItem>
+ <PropertyName>FillAttribute</PropertyName>
+ <FormatString>0x{0:X8}</FormatString>
+ </ListItem>
+ <ListItem>
+ <PropertyName>WindowFlags</PropertyName>
+ <FormatString>0x{0:X8}</FormatString>
+ </ListItem>
+ <ListItem>
+ <PropertyName>ShowWindowFlags</PropertyName>
+ <FormatString>0x{0:X8}</FormatString>
+ </ListItem>
+ <ListItem>
+ <PropertyName>WindowTitle</PropertyName>
+ </ListItem>
+ <ListItem>
+ <PropertyName>DesktopInfo</PropertyName>
+ </ListItem>
+ <ListItem>
+ <PropertyName>ShellInfo</PropertyName>
+ </ListItem>
+ <ListItem>
+ <PropertyName>RuntimeData</PropertyName>
+ </ListItem>
+ </ListItems>
+ </ListEntry>
+ </ListEntries>
+ </ListControl>
+ </View>
</ViewDefinitions>
</Configuration>
\ No newline at end of file
diff --git a/ReverseEngineering/Get-PEB.ps1 b/ReverseEngineering/Get-PEB.ps1
index 4985da5..7f3a2a2 100644
--- a/ReverseEngineering/Get-PEB.ps1
+++ b/ReverseEngineering/Get-PEB.ps1
@@ -213,6 +213,7 @@ http://msdn.microsoft.com/en-us/library/windows/desktop/aa813706(v=vs.85).aspx
 {
$PEBStruct = [_PEB]
$UnicodeStringStruct = [_UNICODE_STRING]
+ $ProcessParametersStruct = [_RTL_USER_PROCESS_PARAMETERS]
$ListEntryStruct = [_LIST_ENTRY]
$LdrDataStruct = [_PEB_LDR_DATA]
$BalancedNodeStruct = [_RTL_BALANCED_NODE]
@@ -239,6 +240,38 @@ http://msdn.microsoft.com/en-us/library/windows/desktop/aa813706(v=vs.85).aspx
 $UnicodeTypeBuilder.DefineField('Buffer', [IntPtr], 'Public') | Out-Null
$UnicodeStringStruct = $UnicodeTypeBuilder.CreateType()
+ # Build type for _RTL_USER_PROCESS_PARAMETERS
+ $ProcParamTypeBuilder = $ModuleBuilder.DefineType('_RTL_USER_PROCESS_PARAMETERS', $Attributes, [ValueType], 4)
+ $ProcParamTypeBuilder.DefineField('MaximumLength', [UInt32], 'Public') | Out-Null
+ $ProcParamTypeBuilder.DefineField('Length', [UInt32], 'Public') | Out-Null
+ $ProcParamTypeBuilder.DefineField('Flags', [UInt32], 'Public') | Out-Null
+ $ProcParamTypeBuilder.DefineField('DebugFlags', [UInt32], 'Public') | Out-Null
+ $ProcParamTypeBuilder.DefineField('ConsoleHandle', [IntPtr], 'Public') | Out-Null
+ $ProcParamTypeBuilder.DefineField('ConsoleFlags', [UInt32], 'Public') | Out-Null
+ $ProcParamTypeBuilder.DefineField('StandardInput', [IntPtr], 'Public') | Out-Null
+ $ProcParamTypeBuilder.DefineField('StandardOutput', [IntPtr], 'Public') | Out-Null
+ $ProcParamTypeBuilder.DefineField('StandardError', [IntPtr], 'Public') | Out-Null
+ $ProcParamTypeBuilder.DefineField('CurrentDirectory', $UnicodeStringStruct, 'Public') | Out-Null
+ $ProcParamTypeBuilder.DefineField('CurrentDirectoryHandle', [IntPtr], 'Public') | Out-Null
+ $ProcParamTypeBuilder.DefineField('DllPath', $UnicodeStringStruct, 'Public') | Out-Null
+ $ProcParamTypeBuilder.DefineField('ImagePathName', $UnicodeStringStruct, 'Public') | Out-Null
+ $ProcParamTypeBuilder.DefineField('CommandLine', $UnicodeStringStruct, 'Public') | Out-Null
+ $ProcParamTypeBuilder.DefineField('Environment', [IntPtr], 'Public') | Out-Null
+ $ProcParamTypeBuilder.DefineField('StartingX', [UInt32], 'Public') | Out-Null
+ $ProcParamTypeBuilder.DefineField('StartingY', [UInt32], 'Public') | Out-Null
+ $ProcParamTypeBuilder.DefineField('CountX', [UInt32], 'Public') | Out-Null
+ $ProcParamTypeBuilder.DefineField('CountY', [UInt32], 'Public') | Out-Null
+ $ProcParamTypeBuilder.DefineField('CountCharsX', [UInt32], 'Public') | Out-Null
+ $ProcParamTypeBuilder.DefineField('CountCharsY', [UInt32], 'Public') | Out-Null
+ $ProcParamTypeBuilder.DefineField('FillAttribute', [UInt32], 'Public') | Out-Null
+ $ProcParamTypeBuilder.DefineField('WindowFlags', [UInt32], 'Public') | Out-Null
+ $ProcParamTypeBuilder.DefineField('ShowWindowFlags', [UInt32], 'Public') | Out-Null
+ $ProcParamTypeBuilder.DefineField('WindowTitle', $UnicodeStringStruct, 'Public') | Out-Null
+ $ProcParamTypeBuilder.DefineField('DesktopInfo', $UnicodeStringStruct, 'Public') | Out-Null
+ $ProcParamTypeBuilder.DefineField('ShellInfo', $UnicodeStringStruct, 'Public') | Out-Null
+ $ProcParamTypeBuilder.DefineField('RuntimeData', $UnicodeStringStruct, 'Public') | Out-Null
+ $ProcessParametersStruct = $ProcParamTypeBuilder.CreateType()
+
# Build type for _LIST_ENTRY
$ListEntryTypeBuilder = $ModuleBuilder.DefineType('_LIST_ENTRY', $Attributes, [System.ValueType])
$ListEntryTypeBuilder.DefineField('Flink', [IntPtr], 'Public') | Out-Null
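Review bot: The literal `4` passed as the fourth argument of `DefineType` on the `_RTL_USER_PROCESS_PARAMETERS` line binds to the `Int32` typesize overload rather than to a `PackingSize`, so it declares a total size of 4 instead of a 4-byte packing; presumably the runtime falls back to the computed size, but the declaration is misleading. The native structure uses default natural alignment, which is exactly what the builder applies when no packing argument is given, so the argument can simply be dropped to match the `_LIST_ENTRY` definition below: `$ProcParamTypeBuilder = $ModuleBuilder.DefineType('_RTL_USER_PROCESS_PARAMETERS', $Attributes, [System.ValueType])`. Explicitly requesting 4-byte packing would misplace the `IntPtr` fields on 64-bit targets, so that is not the fix. The enclosing function continues outside the hunk.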
@@ -778,6 +811,59 @@ http://msdn.microsoft.com/en-us/library/windows/desktop/aa813706(v=vs.85).aspx
 $PEB = Get-StructFromMemory -ProcId $ProcessId -MemoryAddress ($ProcessBasicInfo.PebBaseAddress) -StructType ($PEBStruct)
+ $ProcessParams = Get-StructFromMemory -ProcId $ProcessId -MemoryAddress ($PEB.ProcessParameters) -StructType ($ProcessParametersStruct)
+
+ $CurrentDirectory = ''
+ $DllPath = ''
+ $ImagePathName = ''
+ $CommandLine = ''
+ $WindowTitle = ''
+ $DesktopInfo = ''
+ $ShellInfo = ''
+ $RuntimeData = ''
+
+ if ($ProcessParams.CurrentDirectory.Buffer) { $CurrentDirectory = Get-StructFromMemory -ProcId $ProcessId -MemoryAddress ($ProcessParams.CurrentDirectory.Buffer) -StructType ([String]) -UnicodeStringSize ($ProcessParams.CurrentDirectory.MaximumLength) }
+ if ($ProcessParams.DllPath.Buffer) { $DllPath = Get-StructFromMemory -ProcId $ProcessId -MemoryAddress ($ProcessParams.DllPath.Buffer) -StructType ([String]) -UnicodeStringSize ($ProcessParams.DllPath.MaximumLength) } else { $DllPath = '' }
+ if ($ProcessParams.ImagePathName.Buffer) { $ImagePathName = Get-StructFromMemory -ProcId $ProcessId -MemoryAddress ($ProcessParams.ImagePathName.Buffer) -StructType ([String]) -UnicodeStringSize ($ProcessParams.ImagePathName.MaximumLength) }
+ if ($ProcessParams.CommandLine.Buffer) { $CommandLine = Get-StructFromMemory -ProcId $ProcessId -MemoryAddress ($ProcessParams.CommandLine.Buffer) -StructType ([String]) -UnicodeStringSize ($ProcessParams.CommandLine.MaximumLength) }
+ if ($ProcessParams.WindowTitle.Buffer) { $WindowTitle = Get-StructFromMemory -ProcId $ProcessId -MemoryAddress ($ProcessParams.WindowTitle.Buffer) -StructType ([String]) -UnicodeStringSize ($ProcessParams.WindowTitle.MaximumLength) }
+ if ($ProcessParams.DesktopInfo.Buffer) { $DesktopInfo = Get-StructFromMemory -ProcId $ProcessId -MemoryAddress ($ProcessParams.DesktopInfo.Buffer) -StructType ([String]) -UnicodeStringSize ($ProcessParams.DesktopInfo.MaximumLength) }
+ if ($ProcessParams.ShellInfo.Buffer) { $ShellInfo = Get-StructFromMemory -ProcId $ProcessId -MemoryAddress ($ProcessParams.ShellInfo.Buffer) -StructType ([String]) -UnicodeStringSize ($ProcessParams.ShellInfo.MaximumLength) }
+ if ($ProcessParams.RuntimeData.Buffer) { $RuntimeData = Get-StructFromMemory -ProcId $ProcessId -MemoryAddress ($ProcessParams.RuntimeData.Buffer) -StructType ([String]) -UnicodeStringSize ($ProcessParams.RuntimeData.MaximumLength) }
+
+ $ProcessParameters = @{
+ MaximumLength = $ProcessParams.MaximumLength
+ Length = $ProcessParams.Length
+ Flags = $ProcessParams.Flags
+ DebugFlags = $ProcessParams.DebugFlags
+ ConsoleHandle = $ProcessParams.ConsoleHandle
+ ConsoleFlags = $ProcessParams.ConsoleFlags
+ StandardInput = $ProcessParams.StandardInput
+ StandardOutput = $ProcessParams.StandardOutput
+ StandardError = $ProcessParams.StandardError
+ CurrentDirectory = $CurrentDirectory
+ DllPath = $DllPath
+ ImagePathName = $ImagePathName
+ CommandLine = $CommandLine
+ Environment = $ProcessParams.Environment
+ StartingX = $ProcessParams.StartingX
+ StartingY = $ProcessParams.StartingY
+ CountX = $ProcessParams.CountX
+ CountY = $ProcessParams.CountY
+ CountCharsX = $ProcessParams.CountCharsX
+ CountCharsY = $ProcessParams.CountCharsY
+ FillAttribute = $ProcessParams.FillAttribute
+ WindowFlags = $ProcessParams.WindowFlags
+ ShowWindowFlags = $ProcessParams.ShowWindowFlags
+ WindowTitle = $WindowTitle
+ DesktopInfo = $DesktopInfo
+ ShellInfo = $ShellInfo
+ RuntimeData = $RuntimeData
+ }
+
+ $ProcessParamsParsed = New-Object PSObject -Property $ProcessParameters
+ $ProcessParamsParsed.PSObject.TypeNames[0] = 'PEB.ProcessParameters'
+
# Get custom objects for the PEB based upon OS version
# First, build up the custom object with fields common amongst all versions of the PEB
$CustomPEB = @{
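Review bot: The string reads on the `if ($ProcessParams.CurrentDirectory.Buffer)` line and the seven that follow pass `MaximumLength` as `-UnicodeStringSize`, but in a `UNICODE_STRING` `Length` is the byte count of the string itself while `MaximumLength` is the size of the allocation, so whatever sits between the two in the target's buffer may be appended to the returned value (how much depends on how `Get-StructFromMemory` converts the bytes, which is outside this hunk); `-UnicodeStringSize ($ProcessParams.CurrentDirectory.Length)` is the intended bound. The `else { $DllPath = '' }` on the `DllPath` line is redundant, since `$DllPath` is initialised to `''` just above, and breaks the pattern of the neighbouring lines. `CurrentDirectoryHandle` is defined on the struct but is not carried into the `$ProcessParameters` hashtable, so the parsed object silently drops it. Because every one of these values is read from the inspected process's own memory, a comment such as `# NOTE: process parameters are self-reported by the target and may not match kernel-reported values` above the `$ProcessParameters = @{` line would warn consumers who rely on the output as evidence. The enclosing function starts and ends outside the hunk.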
@@ -789,7 +875,7 @@ http://msdn.microsoft.com/en-us/library/windows/desktop/aa813706(v=vs.85).aspx
 Mutant = $PEB.Mutant
ImageBaseAddress = $PEB.ImageBaseAddress
Ldr = Get-StructFromMemory -ProcId $ProcessId -MemoryAddress ($PEB.Ldr) -StructType ($LdrDataStruct)
- ProcessParameters = $PEB.ProcessParameters
+ ProcessParameters = $ProcessParamsParsed
SubSystemData = $PEB.SubSystemData
ProcessHeap = $PEB.ProcessHeap
FastPebLock = $PEB.FastPebLock
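Review bot: Replacing `ProcessParameters = $PEB.ProcessParameters` with the parsed object removes the only place the raw `_RTL_USER_PROCESS_PARAMETERS` address was reported, so callers can no longer locate the structure in the target. Keeping the pointer alongside the parsed fields, for example as an additional entry `Address = $PEB.ProcessParameters` in the hashtable that builds `$ProcessParamsParsed` earlier in this function, preserves that information; the format view would then need a matching `<ListItem>`. The enclosing hashtable and function continue outside the hunk.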