authorMatt Graeber <mattgraeber@gmail.com>2013-04-28 22:17:14 -0400
committerMatt Graeber <mattgraeber@gmail.com>2013-04-28 22:17:14 -0400
commit9d286e511f3256bfbee2e238d0e60c217ed3c151 (patch)
tree495fb83b820d480ea8a66458a3075ca6619b597e
parent2224f4dca9d856f37a02a9fe4c1941d27c4e564f (diff)
Added ARM support to Get-PEHeader
Also fixed various pointer width bugs
-rw-r--r--PETools/Get-PEHeader.ps1715
-rw-r--r--PETools/PETools.format.ps1xml746
2 files changed, 741 insertions, 720 deletions
diff --git a/PETools/Get-PEHeader.ps1 b/PETools/Get-PEHeader.ps1
index 185a483..01a91f1 100644
--- a/PETools/Get-PEHeader.ps1
+++ b/PETools/Get-PEHeader.ps1
@@ -128,10 +128,12 @@ PROCESS {
if ($Module.Length -gt 1) {
foreach ($Mod in $Module) {
- $ModuleBaseAddress = $Mod.BaseAddress
- Get-PEHeader -ProcessID $ProcessID -Module $Mod -ModuleBaseAddress $ModuleBaseAddress
+ $BaseAddr = $Mod.BaseAddress
+ Get-PEHeader -ProcessID $ProcessID -Module $Mod -ModuleBaseAddress $BaseAddr
}
}
+
+ if (-not $ModuleBaseAddress) { return }
if ($ProcessID -eq $PID) {
Write-Warning 'You cannot parse the PE header of the current process. Open another instance of PowerShell.'
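Review bot: The new guard `if (-not $ModuleBaseAddress) { return }` only works if the parameter is untyped or defaults to `$null`; the declaration is outside this hunk, but if it is declared `[IntPtr]`, PowerShell treats every non-null IntPtr, including `[IntPtr]::Zero`, as truthy, so the guard never fires. A width-independent form that works for either declaration is `if (-not $ModuleBaseAddress -or $ModuleBaseAddress -eq [IntPtr]::Zero) { return }`. Note also that after the recursive `foreach` over several modules the function only returns when `$ModuleBaseAddress` is unset, so a caller passing both several modules and a base address would recurse and then keep parsing; if that is unintended, a plain `return` after the loop is clearer. The enclosing PROCESS block starts and ends outside the hunk.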
@@ -147,362 +149,372 @@ PROCESS {
}
}
-$code = @"
- using System;
- using System.Runtime.InteropServices;
-
- public class PE
+ try { [PE] | Out-Null } catch [Management.Automation.RuntimeException]
{
- [Flags]
- public enum IMAGE_DOS_SIGNATURE : ushort
+ $code = @"
+ using System;
+ using System.Runtime.InteropServices;
+
+ public class PE
{
- DOS_SIGNATURE = 0x5A4D, // MZ
- OS2_SIGNATURE = 0x454E, // NE
- OS2_SIGNATURE_LE = 0x454C, // LE
- VXD_SIGNATURE = 0x454C, // LE
- }
+ [Flags]
+ public enum IMAGE_DOS_SIGNATURE : ushort
+ {
+ DOS_SIGNATURE = 0x5A4D, // MZ
+ OS2_SIGNATURE = 0x454E, // NE
+ OS2_SIGNATURE_LE = 0x454C, // LE
+ VXD_SIGNATURE = 0x454C, // LE
+ }
- [Flags]
- public enum IMAGE_NT_SIGNATURE : uint
- {
- VALID_PE_SIGNATURE = 0x00004550 // PE00
- }
+ [Flags]
+ public enum IMAGE_NT_SIGNATURE : uint
+ {
+ VALID_PE_SIGNATURE = 0x00004550 // PE00
+ }
- [Flags]
- public enum IMAGE_FILE_MACHINE : ushort
- {
- UNKNOWN = 0,
- I386 = 0x014c, // Intel 386.
- R3000 = 0x0162, // MIPS little-endian =0x160 big-endian
- R4000 = 0x0166, // MIPS little-endian
- R10000 = 0x0168, // MIPS little-endian
- WCEMIPSV2 = 0x0169, // MIPS little-endian WCE v2
- ALPHA = 0x0184, // Alpha_AXP
- SH3 = 0x01a2, // SH3 little-endian
- SH3DSP = 0x01a3,
- SH3E = 0x01a4, // SH3E little-endian
- SH4 = 0x01a6, // SH4 little-endian
- SH5 = 0x01a8, // SH5
- ARM = 0x01c0, // ARM Little-Endian
- THUMB = 0x01c2,
- AM33 = 0x01d3,
- POWERPC = 0x01F0, // IBM PowerPC Little-Endian
- POWERPCFP = 0x01f1,
- IA64 = 0x0200, // Intel 64
- MIPS16 = 0x0266, // MIPS
- ALPHA64 = 0x0284, // ALPHA64
- MIPSFPU = 0x0366, // MIPS
- MIPSFPU16 = 0x0466, // MIPS
- AXP64 = ALPHA64,
- TRICORE = 0x0520, // Infineon
- CEF = 0x0CEF,
- EBC = 0x0EBC, // EFI public byte Code
- AMD64 = 0x8664, // AMD64 (K8)
- M32R = 0x9041, // M32R little-endian
- CEE = 0xC0EE
- }
+ [Flags]
+ public enum IMAGE_FILE_MACHINE : ushort
+ {
+ UNKNOWN = 0,
+ I386 = 0x014c, // Intel 386.
+ R3000 = 0x0162, // MIPS little-endian =0x160 big-endian
+ R4000 = 0x0166, // MIPS little-endian
+ R10000 = 0x0168, // MIPS little-endian
+ WCEMIPSV2 = 0x0169, // MIPS little-endian WCE v2
+ ALPHA = 0x0184, // Alpha_AXP
+ SH3 = 0x01a2, // SH3 little-endian
+ SH3DSP = 0x01a3,
+ SH3E = 0x01a4, // SH3E little-endian
+ SH4 = 0x01a6, // SH4 little-endian
+ SH5 = 0x01a8, // SH5
+ ARM = 0x01c0, // ARM Little-Endian
+ THUMB = 0x01c2,
+ ARMNT = 0x01c4, // ARM Thumb-2 Little-Endian
+ AM33 = 0x01d3,
+ POWERPC = 0x01F0, // IBM PowerPC Little-Endian
+ POWERPCFP = 0x01f1,
+ IA64 = 0x0200, // Intel 64
+ MIPS16 = 0x0266, // MIPS
+ ALPHA64 = 0x0284, // ALPHA64
+ MIPSFPU = 0x0366, // MIPS
+ MIPSFPU16 = 0x0466, // MIPS
+ AXP64 = ALPHA64,
+ TRICORE = 0x0520, // Infineon
+ CEF = 0x0CEF,
+ EBC = 0x0EBC, // EFI public byte Code
+ AMD64 = 0x8664, // AMD64 (K8)
+ M32R = 0x9041, // M32R little-endian
+ CEE = 0xC0EE
+ }
- [Flags]
- public enum IMAGE_FILE_CHARACTERISTICS : ushort
- {
- IMAGE_RELOCS_STRIPPED = 0x0001, // Relocation info stripped from file.
- IMAGE_EXECUTABLE_IMAGE = 0x0002, // File is executable (i.e. no unresolved external references).
- IMAGE_LINE_NUMS_STRIPPED = 0x0004, // Line nunbers stripped from file.
- IMAGE_LOCAL_SYMS_STRIPPED = 0x0008, // Local symbols stripped from file.
- IMAGE_AGGRESIVE_WS_TRIM = 0x0010, // Agressively trim working set
- IMAGE_LARGE_ADDRESS_AWARE = 0x0020, // App can handle >2gb addresses
- IMAGE_REVERSED_LO = 0x0080, // public bytes of machine public ushort are reversed.
- IMAGE_32BIT_MACHINE = 0x0100, // 32 bit public ushort machine.
- IMAGE_DEBUG_STRIPPED = 0x0200, // Debugging info stripped from file in .DBG file
- IMAGE_REMOVABLE_RUN_FROM_SWAP = 0x0400, // If Image is on removable media =copy and run from the swap file.
- IMAGE_NET_RUN_FROM_SWAP = 0x0800, // If Image is on Net =copy and run from the swap file.
- IMAGE_SYSTEM = 0x1000, // System File.
- IMAGE_DLL = 0x2000, // File is a DLL.
- IMAGE_UP_SYSTEM_ONLY = 0x4000, // File should only be run on a UP machine
- IMAGE_REVERSED_HI = 0x8000 // public bytes of machine public ushort are reversed.
- }
+ [Flags]
+ public enum IMAGE_FILE_CHARACTERISTICS : ushort
+ {
+ IMAGE_RELOCS_STRIPPED = 0x0001, // Relocation info stripped from file.
+ IMAGE_EXECUTABLE_IMAGE = 0x0002, // File is executable (i.e. no unresolved external references).
+ IMAGE_LINE_NUMS_STRIPPED = 0x0004, // Line nunbers stripped from file.
+ IMAGE_LOCAL_SYMS_STRIPPED = 0x0008, // Local symbols stripped from file.
+ IMAGE_AGGRESIVE_WS_TRIM = 0x0010, // Agressively trim working set
+ IMAGE_LARGE_ADDRESS_AWARE = 0x0020, // App can handle >2gb addresses
+ IMAGE_REVERSED_LO = 0x0080, // public bytes of machine public ushort are reversed.
+ IMAGE_32BIT_MACHINE = 0x0100, // 32 bit public ushort machine.
+ IMAGE_DEBUG_STRIPPED = 0x0200, // Debugging info stripped from file in .DBG file
+ IMAGE_REMOVABLE_RUN_FROM_SWAP = 0x0400, // If Image is on removable media =copy and run from the swap file.
+ IMAGE_NET_RUN_FROM_SWAP = 0x0800, // If Image is on Net =copy and run from the swap file.
+ IMAGE_SYSTEM = 0x1000, // System File.
+ IMAGE_DLL = 0x2000, // File is a DLL.
+ IMAGE_UP_SYSTEM_ONLY = 0x4000, // File should only be run on a UP machine
+ IMAGE_REVERSED_HI = 0x8000 // public bytes of machine public ushort are reversed.
+ }
- [Flags]
- public enum IMAGE_NT_OPTIONAL_HDR_MAGIC : ushort
- {
- PE32 = 0x10b,
- PE64 = 0x20b
- }
+ [Flags]
+ public enum IMAGE_NT_OPTIONAL_HDR_MAGIC : ushort
+ {
+ PE32 = 0x10b,
+ PE64 = 0x20b
+ }
- [Flags]
- public enum IMAGE_SUBSYSTEM : ushort
- {
- UNKNOWN = 0, // Unknown subsystem.
- NATIVE = 1, // Image doesn't require a subsystem.
- WINDOWS_GUI = 2, // Image runs in the Windows GUI subsystem.
- WINDOWS_CUI = 3, // Image runs in the Windows character subsystem.
- OS2_CUI = 5, // image runs in the OS/2 character subsystem.
- POSIX_CUI = 7, // image runs in the Posix character subsystem.
- NATIVE_WINDOWS = 8, // image is a native Win9x driver.
- WINDOWS_CE_GUI = 9, // Image runs in the Windows CE subsystem.
- EFI_APPLICATION = 10,
- EFI_BOOT_SERVICE_DRIVER = 11,
- EFI_RUNTIME_DRIVER = 12,
- EFI_ROM = 13,
- XBOX = 14,
- WINDOWS_BOOT_APPLICATION = 16
- }
+ [Flags]
+ public enum IMAGE_SUBSYSTEM : ushort
+ {
+ UNKNOWN = 0, // Unknown subsystem.
+ NATIVE = 1, // Image doesn't require a subsystem.
+ WINDOWS_GUI = 2, // Image runs in the Windows GUI subsystem.
+ WINDOWS_CUI = 3, // Image runs in the Windows character subsystem.
+ OS2_CUI = 5, // image runs in the OS/2 character subsystem.
+ POSIX_CUI = 7, // image runs in the Posix character subsystem.
+ NATIVE_WINDOWS = 8, // image is a native Win9x driver.
+ WINDOWS_CE_GUI = 9, // Image runs in the Windows CE subsystem.
+ EFI_APPLICATION = 10,
+ EFI_BOOT_SERVICE_DRIVER = 11,
+ EFI_RUNTIME_DRIVER = 12,
+ EFI_ROM = 13,
+ XBOX = 14,
+ WINDOWS_BOOT_APPLICATION = 16
+ }
- [Flags]
- public enum IMAGE_DLLCHARACTERISTICS : ushort
- {
- DYNAMIC_BASE = 0x0040, // DLL can move.
- FORCE_INTEGRITY = 0x0080, // Code Integrity Image
- NX_COMPAT = 0x0100, // Image is NX compatible
- NO_ISOLATION = 0x0200, // Image understands isolation and doesn't want it
- NO_SEH = 0x0400, // Image does not use SEH. No SE handler may reside in this image
- NO_BIND = 0x0800, // Do not bind this image.
- WDM_DRIVER = 0x2000, // Driver uses WDM model
- TERMINAL_SERVER_AWARE = 0x8000
- }
+ [Flags]
+ public enum IMAGE_DLLCHARACTERISTICS : ushort
+ {
+ DYNAMIC_BASE = 0x0040, // DLL can move.
+ FORCE_INTEGRITY = 0x0080, // Code Integrity Image
+ NX_COMPAT = 0x0100, // Image is NX compatible
+ NO_ISOLATION = 0x0200, // Image understands isolation and doesn't want it
+ NO_SEH = 0x0400, // Image does not use SEH. No SE handler may reside in this image
+ NO_BIND = 0x0800, // Do not bind this image.
+ WDM_DRIVER = 0x2000, // Driver uses WDM model
+ TERMINAL_SERVER_AWARE = 0x8000
+ }
- [Flags]
- public enum IMAGE_SCN : uint
- {
- TYPE_NO_PAD = 0x00000008, // Reserved.
- CNT_CODE = 0x00000020, // Section contains code.
- CNT_INITIALIZED_DATA = 0x00000040, // Section contains initialized data.
- CNT_UNINITIALIZED_DATA = 0x00000080, // Section contains uninitialized data.
- LNK_INFO = 0x00000200, // Section contains comments or some other type of information.
- LNK_REMOVE = 0x00000800, // Section contents will not become part of image.
- LNK_COMDAT = 0x00001000, // Section contents comdat.
- NO_DEFER_SPEC_EXC = 0x00004000, // Reset speculative exceptions handling bits in the TLB entries for this section.
- GPREL = 0x00008000, // Section content can be accessed relative to GP
- MEM_FARDATA = 0x00008000,
- MEM_PURGEABLE = 0x00020000,
- MEM_16BIT = 0x00020000,
- MEM_LOCKED = 0x00040000,
- MEM_PRELOAD = 0x00080000,
- ALIGN_1BYTES = 0x00100000,
- ALIGN_2BYTES = 0x00200000,
- ALIGN_4BYTES = 0x00300000,
- ALIGN_8BYTES = 0x00400000,
- ALIGN_16BYTES = 0x00500000, // Default alignment if no others are specified.
- ALIGN_32BYTES = 0x00600000,
- ALIGN_64BYTES = 0x00700000,
- ALIGN_128BYTES = 0x00800000,
- ALIGN_256BYTES = 0x00900000,
- ALIGN_512BYTES = 0x00A00000,
- ALIGN_1024BYTES = 0x00B00000,
- ALIGN_2048BYTES = 0x00C00000,
- ALIGN_4096BYTES = 0x00D00000,
- ALIGN_8192BYTES = 0x00E00000,
- ALIGN_MASK = 0x00F00000,
- LNK_NRELOC_OVFL = 0x01000000, // Section contains extended relocations.
- MEM_DISCARDABLE = 0x02000000, // Section can be discarded.
- MEM_NOT_CACHED = 0x04000000, // Section is not cachable.
- MEM_NOT_PAGED = 0x08000000, // Section is not pageable.
- MEM_SHARED = 0x10000000, // Section is shareable.
- MEM_EXECUTE = 0x20000000, // Section is executable.
- MEM_READ = 0x40000000, // Section is readable.
- MEM_WRITE = 0x80000000 // Section is writeable.
- }
+ [Flags]
+ public enum IMAGE_SCN : uint
+ {
+ TYPE_NO_PAD = 0x00000008, // Reserved.
+ CNT_CODE = 0x00000020, // Section contains code.
+ CNT_INITIALIZED_DATA = 0x00000040, // Section contains initialized data.
+ CNT_UNINITIALIZED_DATA = 0x00000080, // Section contains uninitialized data.
+ LNK_INFO = 0x00000200, // Section contains comments or some other type of information.
+ LNK_REMOVE = 0x00000800, // Section contents will not become part of image.
+ LNK_COMDAT = 0x00001000, // Section contents comdat.
+ NO_DEFER_SPEC_EXC = 0x00004000, // Reset speculative exceptions handling bits in the TLB entries for this section.
+ GPREL = 0x00008000, // Section content can be accessed relative to GP
+ MEM_FARDATA = 0x00008000,
+ MEM_PURGEABLE = 0x00020000,
+ MEM_16BIT = 0x00020000,
+ MEM_LOCKED = 0x00040000,
+ MEM_PRELOAD = 0x00080000,
+ ALIGN_1BYTES = 0x00100000,
+ ALIGN_2BYTES = 0x00200000,
+ ALIGN_4BYTES = 0x00300000,
+ ALIGN_8BYTES = 0x00400000,
+ ALIGN_16BYTES = 0x00500000, // Default alignment if no others are specified.
+ ALIGN_32BYTES = 0x00600000,
+ ALIGN_64BYTES = 0x00700000,
+ ALIGN_128BYTES = 0x00800000,
+ ALIGN_256BYTES = 0x00900000,
+ ALIGN_512BYTES = 0x00A00000,
+ ALIGN_1024BYTES = 0x00B00000,
+ ALIGN_2048BYTES = 0x00C00000,
+ ALIGN_4096BYTES = 0x00D00000,
+ ALIGN_8192BYTES = 0x00E00000,
+ ALIGN_MASK = 0x00F00000,
+ LNK_NRELOC_OVFL = 0x01000000, // Section contains extended relocations.
+ MEM_DISCARDABLE = 0x02000000, // Section can be discarded.
+ MEM_NOT_CACHED = 0x04000000, // Section is not cachable.
+ MEM_NOT_PAGED = 0x08000000, // Section is not pageable.
+ MEM_SHARED = 0x10000000, // Section is shareable.
+ MEM_EXECUTE = 0x20000000, // Section is executable.
+ MEM_READ = 0x40000000, // Section is readable.
+ MEM_WRITE = 0x80000000 // Section is writeable.
+ }
- [StructLayout(LayoutKind.Sequential, Pack=1)]
- public struct _IMAGE_DOS_HEADER
- {
- public IMAGE_DOS_SIGNATURE e_magic; // Magic number
- public ushort e_cblp; // public bytes on last page of file
- public ushort e_cp; // Pages in file
- public ushort e_crlc; // Relocations
- public ushort e_cparhdr; // Size of header in paragraphs
- public ushort e_minalloc; // Minimum extra paragraphs needed
- public ushort e_maxalloc; // Maximum extra paragraphs needed
- public ushort e_ss; // Initial (relative) SS value
- public ushort e_sp; // Initial SP value
- public ushort e_csum; // Checksum
- public ushort e_ip; // Initial IP value
- public ushort e_cs; // Initial (relative) CS value
- public ushort e_lfarlc; // File address of relocation table
- public ushort e_ovno; // Overlay number
- [MarshalAs(UnmanagedType.ByValTStr, SizeConst = 8)]
- public string e_res; // This will contain 'Detours!' if patched in memory
- public ushort e_oemid; // OEM identifier (for e_oeminfo)
- public ushort e_oeminfo; // OEM information; e_oemid specific
- [MarshalAsAttribute(UnmanagedType.ByValArray, SizeConst=10)] // , ArraySubType=UnmanagedType.U4
- public ushort[] e_res2; // Reserved public ushorts
- public int e_lfanew; // File address of new exe header
- }
+ [StructLayout(LayoutKind.Sequential, Pack=1)]
+ public struct _IMAGE_DOS_HEADER
+ {
+ public IMAGE_DOS_SIGNATURE e_magic; // Magic number
+ public ushort e_cblp; // public bytes on last page of file
+ public ushort e_cp; // Pages in file
+ public ushort e_crlc; // Relocations
+ public ushort e_cparhdr; // Size of header in paragraphs
+ public ushort e_minalloc; // Minimum extra paragraphs needed
+ public ushort e_maxalloc; // Maximum extra paragraphs needed
+ public ushort e_ss; // Initial (relative) SS value
+ public ushort e_sp; // Initial SP value
+ public ushort e_csum; // Checksum
+ public ushort e_ip; // Initial IP value
+ public ushort e_cs; // Initial (relative) CS value
+ public ushort e_lfarlc; // File address of relocation table
+ public ushort e_ovno; // Overlay number
+ [MarshalAs(UnmanagedType.ByValTStr, SizeConst = 8)]
+ public string e_res; // This will contain 'Detours!' if patched in memory
+ public ushort e_oemid; // OEM identifier (for e_oeminfo)
+ public ushort e_oeminfo; // OEM information; e_oemid specific
+ [MarshalAsAttribute(UnmanagedType.ByValArray, SizeConst=10)] // , ArraySubType=UnmanagedType.U4
+ public ushort[] e_res2; // Reserved public ushorts
+ public int e_lfanew; // File address of new exe header
+ }
- [StructLayout(LayoutKind.Sequential, Pack=1)]
- public struct _IMAGE_FILE_HEADER
- {
- public IMAGE_FILE_MACHINE Machine;
- public ushort NumberOfSections;
- public uint TimeDateStamp;
- public uint PointerToSymbolTable;
- public uint NumberOfSymbols;
- public ushort SizeOfOptionalHeader;
- public IMAGE_FILE_CHARACTERISTICS Characteristics;
- }
+ [StructLayout(LayoutKind.Sequential, Pack=1)]
+ public struct _IMAGE_FILE_HEADER
+ {
+ public IMAGE_FILE_MACHINE Machine;
+ public ushort NumberOfSections;
+ public uint TimeDateStamp;
+ public uint PointerToSymbolTable;
+ public uint NumberOfSymbols;
+ public ushort SizeOfOptionalHeader;
+ public IMAGE_FILE_CHARACTERISTICS Characteristics;
+ }
- [StructLayout(LayoutKind.Sequential, Pack=1)]
- public struct _IMAGE_NT_HEADERS32
- {
- public IMAGE_NT_SIGNATURE Signature;
- public _IMAGE_FILE_HEADER FileHeader;
- public _IMAGE_OPTIONAL_HEADER32 OptionalHeader;
- }
+ [StructLayout(LayoutKind.Sequential, Pack=1)]
+ public struct _IMAGE_NT_HEADERS32
+ {
+ public IMAGE_NT_SIGNATURE Signature;
+ public _IMAGE_FILE_HEADER FileHeader;
+ public _IMAGE_OPTIONAL_HEADER32 OptionalHeader;
+ }
- [StructLayout(LayoutKind.Sequential, Pack=1)]
- public struct _IMAGE_NT_HEADERS64
- {
- public IMAGE_NT_SIGNATURE Signature;
- public _IMAGE_FILE_HEADER FileHeader;
- public _IMAGE_OPTIONAL_HEADER64 OptionalHeader;
- }
+ [StructLayout(LayoutKind.Sequential, Pack=1)]
+ public struct _IMAGE_NT_HEADERS64
+ {
+ public IMAGE_NT_SIGNATURE Signature;
+ public _IMAGE_FILE_HEADER FileHeader;
+ public _IMAGE_OPTIONAL_HEADER64 OptionalHeader;
+ }
- [StructLayout(LayoutKind.Sequential, Pack=1)]
- public struct _IMAGE_OPTIONAL_HEADER32
- {
- public IMAGE_NT_OPTIONAL_HDR_MAGIC Magic;
- public byte MajorLinkerVersion;
- public byte MinorLinkerVersion;
- public uint SizeOfCode;
- public uint SizeOfInitializedData;
- public uint SizeOfUninitializedData;
- public uint AddressOfEntryPoint;
- public uint BaseOfCode;
- public uint BaseOfData;
- public uint ImageBase;
- public uint SectionAlignment;
- public uint FileAlignment;
- public ushort MajorOperatingSystemVersion;
- public ushort MinorOperatingSystemVersion;
- public ushort MajorImageVersion;
- public ushort MinorImageVersion;
- public ushort MajorSubsystemVersion;
- public ushort MinorSubsystemVersion;
- public uint Win32VersionValue;
- public uint SizeOfImage;
- public uint SizeOfHeaders;
- public uint CheckSum;
- public IMAGE_SUBSYSTEM Subsystem;
- public IMAGE_DLLCHARACTERISTICS DllCharacteristics;
- public uint SizeOfStackReserve;
- public uint SizeOfStackCommit;
- public uint SizeOfHeapReserve;
- public uint SizeOfHeapCommit;
- public uint LoaderFlags;
- public uint NumberOfRvaAndSizes;
- [MarshalAsAttribute(UnmanagedType.ByValArray, SizeConst=16)]
- public _IMAGE_DATA_DIRECTORY[] DataDirectory;
- }
+ [StructLayout(LayoutKind.Sequential, Pack=1)]
+ public struct _IMAGE_OPTIONAL_HEADER32
+ {
+ public IMAGE_NT_OPTIONAL_HDR_MAGIC Magic;
+ public byte MajorLinkerVersion;
+ public byte MinorLinkerVersion;
+ public uint SizeOfCode;
+ public uint SizeOfInitializedData;
+ public uint SizeOfUninitializedData;
+ public uint AddressOfEntryPoint;
+ public uint BaseOfCode;
+ public uint BaseOfData;
+ public uint ImageBase;
+ public uint SectionAlignment;
+ public uint FileAlignment;
+ public ushort MajorOperatingSystemVersion;
+ public ushort MinorOperatingSystemVersion;
+ public ushort MajorImageVersion;
+ public ushort MinorImageVersion;
+ public ushort MajorSubsystemVersion;
+ public ushort MinorSubsystemVersion;
+ public uint Win32VersionValue;
+ public uint SizeOfImage;
+ public uint SizeOfHeaders;
+ public uint CheckSum;
+ public IMAGE_SUBSYSTEM Subsystem;
+ public IMAGE_DLLCHARACTERISTICS DllCharacteristics;
+ public uint SizeOfStackReserve;
+ public uint SizeOfStackCommit;
+ public uint SizeOfHeapReserve;
+ public uint SizeOfHeapCommit;
+ public uint LoaderFlags;
+ public uint NumberOfRvaAndSizes;
+ [MarshalAsAttribute(UnmanagedType.ByValArray, SizeConst=16)]
+ public _IMAGE_DATA_DIRECTORY[] DataDirectory;
+ }
- [StructLayout(LayoutKind.Sequential, Pack=1)]
- public struct _IMAGE_OPTIONAL_HEADER64
- {
- public IMAGE_NT_OPTIONAL_HDR_MAGIC Magic;
- public byte MajorLinkerVersion;
- public byte MinorLinkerVersion;
- public uint SizeOfCode;
- public uint SizeOfInitializedData;
- public uint SizeOfUninitializedData;
- public uint AddressOfEntryPoint;
- public uint BaseOfCode;
- public ulong ImageBase;
- public uint SectionAlignment;
- public uint FileAlignment;
- public ushort MajorOperatingSystemVersion;
- public ushort MinorOperatingSystemVersion;
- public ushort MajorImageVersion;
- public ushort MinorImageVersion;
- public ushort MajorSubsystemVersion;
- public ushort MinorSubsystemVersion;
- public uint Win32VersionValue;
- public uint SizeOfImage;
- public uint SizeOfHeaders;
- public uint CheckSum;
- public IMAGE_SUBSYSTEM Subsystem;
- public IMAGE_DLLCHARACTERISTICS DllCharacteristics;
- public ulong SizeOfStackReserve;
- public ulong SizeOfStackCommit;
- public ulong SizeOfHeapReserve;
- public ulong SizeOfHeapCommit;
- public uint LoaderFlags;
- public uint NumberOfRvaAndSizes;
- [MarshalAsAttribute(UnmanagedType.ByValArray, SizeConst=16)]
- public _IMAGE_DATA_DIRECTORY[] DataDirectory;
- }
+ [StructLayout(LayoutKind.Sequential, Pack=1)]
+ public struct _IMAGE_OPTIONAL_HEADER64
+ {
+ public IMAGE_NT_OPTIONAL_HDR_MAGIC Magic;
+ public byte MajorLinkerVersion;
+ public byte MinorLinkerVersion;
+ public uint SizeOfCode;
+ public uint SizeOfInitializedData;
+ public uint SizeOfUninitializedData;
+ public uint AddressOfEntryPoint;
+ public uint BaseOfCode;
+ public ulong ImageBase;
+ public uint SectionAlignment;
+ public uint FileAlignment;
+ public ushort MajorOperatingSystemVersion;
+ public ushort MinorOperatingSystemVersion;
+ public ushort MajorImageVersion;
+ public ushort MinorImageVersion;
+ public ushort MajorSubsystemVersion;
+ public ushort MinorSubsystemVersion;
+ public uint Win32VersionValue;
+ public uint SizeOfImage;
+ public uint SizeOfHeaders;
+ public uint CheckSum;
+ public IMAGE_SUBSYSTEM Subsystem;
+ public IMAGE_DLLCHARACTERISTICS DllCharacteristics;
+ public ulong SizeOfStackReserve;
+ public ulong SizeOfStackCommit;
+ public ulong SizeOfHeapReserve;
+ public ulong SizeOfHeapCommit;
+ public uint LoaderFlags;
+ public uint NumberOfRvaAndSizes;
+ [MarshalAsAttribute(UnmanagedType.ByValArray, SizeConst=16)]
+ public _IMAGE_DATA_DIRECTORY[] DataDirectory;
+ }
- [StructLayout(LayoutKind.Sequential, Pack=1)]
- public struct _IMAGE_DATA_DIRECTORY
- {
- public uint VirtualAddress;
- public uint Size;
- }
+ [StructLayout(LayoutKind.Sequential, Pack=1)]
+ public struct _IMAGE_DATA_DIRECTORY
+ {
+ public uint VirtualAddress;
+ public uint Size;
+ }
- [StructLayout(LayoutKind.Sequential, Pack=1)]
- public struct _IMAGE_EXPORT_DIRECTORY
- {
- public uint Characteristics;
- public uint TimeDateStamp;
- public ushort MajorVersion;
- public ushort MinorVersion;
- public uint Name;
- public uint Base;
- public uint NumberOfFunctions;
- public uint NumberOfNames;
- public uint AddressOfFunctions; // RVA from base of image
- public uint AddressOfNames; // RVA from base of image
- public uint AddressOfNameOrdinals; // RVA from base of image
- }
+ [StructLayout(LayoutKind.Sequential, Pack=1)]
+ public struct _IMAGE_EXPORT_DIRECTORY
+ {
+ public uint Characteristics;
+ public uint TimeDateStamp;
+ public ushort MajorVersion;
+ public ushort MinorVersion;
+ public uint Name;
+ public uint Base;
+ public uint NumberOfFunctions;
+ public uint NumberOfNames;
+ public uint AddressOfFunctions; // RVA from base of image
+ public uint AddressOfNames; // RVA from base of image
+ public uint AddressOfNameOrdinals; // RVA from base of image
+ }
- [StructLayout(LayoutKind.Sequential, Pack=1)]
- public struct _IMAGE_SECTION_HEADER
- {
- [MarshalAs(UnmanagedType.ByValTStr, SizeConst = 8)]
- public string Name;
- public uint VirtualSize;
- public uint VirtualAddress;
- public uint SizeOfRawData;
- public uint PointerToRawData;
- public uint PointerToRelocations;
- public uint PointerToLinenumbers;
- public ushort NumberOfRelocations;
- public ushort NumberOfLinenumbers;
- public IMAGE_SCN Characteristics;
- }
-
- [StructLayout(LayoutKind.Sequential, Pack=1)]
- public struct _IMAGE_IMPORT_DESCRIPTOR
- {
- public uint OriginalFirstThunk; // RVA to original unbound IAT (PIMAGE_THUNK_DATA)
- public uint TimeDateStamp; // 0 if not bound,
- // -1 if bound, and real date/time stamp
- // in IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT (new BIND)
- // O.W. date/time stamp of DLL bound to (Old BIND)
- public uint ForwarderChain; // -1 if no forwarders
- public uint Name;
- public uint FirstThunk; // RVA to IAT (if bound this IAT has actual addresses)
- }
+ [StructLayout(LayoutKind.Sequential, Pack=1)]
+ public struct _IMAGE_SECTION_HEADER
+ {
+ [MarshalAs(UnmanagedType.ByValTStr, SizeConst = 8)]
+ public string Name;
+ public uint VirtualSize;
+ public uint VirtualAddress;
+ public uint SizeOfRawData;
+ public uint PointerToRawData;
+ public uint PointerToRelocations;
+ public uint PointerToLinenumbers;
+ public ushort NumberOfRelocations;
+ public ushort NumberOfLinenumbers;
+ public IMAGE_SCN Characteristics;
+ }
- [StructLayout(LayoutKind.Sequential, Pack=1)]
- public struct _IMAGE_THUNK_DATA
- {
- public IntPtr AddressOfData; // PIMAGE_IMPORT_BY_NAME
- }
+ [StructLayout(LayoutKind.Sequential, Pack=1)]
+ public struct _IMAGE_IMPORT_DESCRIPTOR
+ {
+ public uint OriginalFirstThunk; // RVA to original unbound IAT (PIMAGE_THUNK_DATA)
+ public uint TimeDateStamp; // 0 if not bound,
+ // -1 if bound, and real date/time stamp
+ // in IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT (new BIND)
+ // O.W. date/time stamp of DLL bound to (Old BIND)
+ public uint ForwarderChain; // -1 if no forwarders
+ public uint Name;
+ public uint FirstThunk; // RVA to IAT (if bound this IAT has actual addresses)
+ }
+
+ [StructLayout(LayoutKind.Sequential, Pack=1)]
+ public struct _IMAGE_THUNK_DATA32
+ {
+ public Int32 AddressOfData; // PIMAGE_IMPORT_BY_NAME
+ }
+
+ [StructLayout(LayoutKind.Sequential, Pack=1)]
+ public struct _IMAGE_THUNK_DATA64
+ {
+ public Int64 AddressOfData; // PIMAGE_IMPORT_BY_NAME
+ }
- [StructLayout(LayoutKind.Sequential, Pack=1)]
- public struct _IMAGE_IMPORT_BY_NAME
- {
- public ushort Hint;
- public char Name;
+ [StructLayout(LayoutKind.Sequential, Pack=1)]
+ public struct _IMAGE_IMPORT_BY_NAME
+ {
+ public ushort Hint;
+ public char Name;
+ }
}
- }
"@
- $location = [PsObject].Assembly.Location
- $compileParams = New-Object System.CodeDom.Compiler.CompilerParameters
- $assemblyRange = @("System.dll", $location)
- $compileParams.ReferencedAssemblies.AddRange($assemblyRange)
- $compileParams.GenerateInMemory = $True
- Add-Type -TypeDefinition $code -passthru -WarningAction SilentlyContinue | Out-Null
+ $location = [PsObject].Assembly.Location
+ $compileParams = New-Object System.CodeDom.Compiler.CompilerParameters
+ $assemblyRange = @("System.dll", $location)
+ $compileParams.ReferencedAssemblies.AddRange($assemblyRange)
+ $compileParams.GenerateInMemory = $True
+ Add-Type -TypeDefinition $code -passthru -WarningAction SilentlyContinue | Out-Null
+ }
function Get-DelegateType
{
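Review bot: The existence check `try { [PE] | Out-Null }` tests only the outer class, but this commit adds the nested `_IMAGE_THUNK_DATA32`/`_IMAGE_THUNK_DATA64` types; a session in which an earlier revision of this script already compiled `PE` passes the check, skips `Add-Type`, and then fails at the later `[PE+_IMAGE_THUNK_DATA64]` references. Probing one of the new nested types instead, `try { [PE+_IMAGE_THUNK_DATA64] | Out-Null } catch [Management.Automation.RuntimeException]`, makes the check track the definition it guards. Separately, `$location`, `$compileParams` and `$assemblyRange` are built but never used, since the `Add-Type` call has no `-CompilerParameters $compileParams`; either pass them or drop the four lines. The `try` block begins inside this hunk but the function it sits in starts before it.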
@@ -599,28 +611,38 @@ $code = @"
$NtHeader = [System.Runtime.InteropServices.Marshal]::PtrToStructure($PointerNtHeader, [PE+_IMAGE_NT_HEADERS32])
$Architecture = ($NtHeader.FileHeader.Machine).ToString()
+ $BinaryPtrWidth = 4
+
# Define relevant structure types depending upon whether the binary is 32 or 64-bit
if ($Architecture -eq 'AMD64') {
+ $BinaryPtrWidth = 8
+
$PEStruct = @{
IMAGE_OPTIONAL_HEADER = [PE+_IMAGE_OPTIONAL_HEADER64]
NT_HEADER = [PE+_IMAGE_NT_HEADERS64]
}
+
+ $ThunkDataStruct = [PE+_IMAGE_THUNK_DATA64]
+
Write-Verbose "Architecture: $Architecture"
Write-Verbose 'Proceeding with parsing a 64-bit binary.'
- } elseif ($Architecture -eq 'I386') {
+ } elseif ($Architecture -eq 'I386' -or $Architecture -eq 'ARMNT') {
$PEStruct = @{
IMAGE_OPTIONAL_HEADER = [PE+_IMAGE_OPTIONAL_HEADER32]
NT_HEADER = [PE+_IMAGE_NT_HEADERS32]
}
+
+ $ThunkDataStruct = [PE+_IMAGE_THUNK_DATA32]
+
Write-Verbose "Architecture: $Architecture"
Write-Verbose 'Proceeding with parsing a 32-bit binary.'
} else {
- Write-Warning 'This parser only supports binaries compiled for x86 or AMD64.'
+ Write-Warning 'Get-PEHeader only supports binaries compiled for x86, AMD64, and ARM.'
return
}
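Review bot: The rewritten warning says "x86, AMD64, and ARM", but the `elseif` only routes `ARMNT` (Thumb-2, 0x01c4) to the 32-bit structures; images whose Machine field is `ARM` (0x01c0) or `THUMB` (0x01c2) still reach the `else` branch. That is probably intended, since the enum comment marks ARMNT as the Windows ARM Thumb-2 type, but the message should match the check: `Write-Warning 'Get-PEHeader only supports binaries compiled for x86, AMD64, and ARMNT (ARM Thumb-2).'`. A short comment above the `elseif`, such as `# ARMNT images use the 32-bit optional header and 4-byte thunks`, would also record why ARMNT shares the I386 branch. The surrounding function continues outside the hunk.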
@@ -749,9 +771,8 @@ $code = @"
}
$Result['Ordinal'] = "0x$(($Key + $Base).ToString('X4'))"
- # Uncomment this after I somehow manage to implement the RVA for the imports
- # $Result['RVA'] = "0x$($FunctionHashTable[$Key].ToString('X8'))"
- $Result['VA'] = "0x$(($FunctionHashTable[$Key] + $PEBaseAddr.ToInt64()).ToString("X$([IntPtr]::Size*2)"))"
+ $Result['RVA'] = "0x$($FunctionHashTable[$Key].ToString("X$($BinaryPtrWidth*2)"))"
+ #$Result['VA'] = "0x$(($FunctionHashTable[$Key] + $PEBaseAddr.ToInt64()).ToString("X$($BinaryPtrWidth*2)"))"
$Export = New-Object PSObject -Property $Result
$Export.PSObject.TypeNames.Insert(0, 'Export')
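Review bot: The new `RVA` line formats `$FunctionHashTable[$Key]` with `"X$($BinaryPtrWidth*2)"`, which pads to 16 hex digits on AMD64 images; judging from the removed line, which added `$PEBaseAddr` to this value to form a VA, it holds the 32-bit entry from the export address table, and an RVA is a DWORD regardless of pointer width, so `$Result['RVA'] = "0x$($FunctionHashTable[$Key].ToString('X8'))"` gives a consistent width. The commented-out `VA` line is now dead code; if the VA is still wanted, the removed expression already computed it correctly with `$BinaryPtrWidth`, otherwise the comment should go. The loop this sits in starts and ends outside the hunk.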
@@ -794,16 +815,16 @@ $code = @"
$j = 0
while ($true)
{
- $FuncAddrPtr = [IntPtr] ($FirstFuncAddrPtr.ToInt64() + ($j * [System.Runtime.InteropServices.Marshal]::SizeOf([PE+_IMAGE_THUNK_DATA])))
- $FuncAddr = [System.Runtime.InteropServices.Marshal]::PtrToStructure($FuncAddrPtr, [PE+_IMAGE_THUNK_DATA])
- $OFTPtr = [IntPtr] ($FirstOFTPtr.ToInt64() + ($j * [System.Runtime.InteropServices.Marshal]::SizeOf([PE+_IMAGE_THUNK_DATA])))
- $ThunkData = [System.Runtime.InteropServices.Marshal]::PtrToStructure($OFTPtr, [PE+_IMAGE_THUNK_DATA])
+ $FuncAddrPtr = [IntPtr] ($FirstFuncAddrPtr.ToInt64() + ($j * [System.Runtime.InteropServices.Marshal]::SizeOf($ThunkDataStruct)))
+ $FuncAddr = [System.Runtime.InteropServices.Marshal]::PtrToStructure($FuncAddrPtr, $ThunkDataStruct)
+ $OFTPtr = [IntPtr] ($FirstOFTPtr.ToInt64() + ($j * [System.Runtime.InteropServices.Marshal]::SizeOf($ThunkDataStruct)))
+ $ThunkData = [System.Runtime.InteropServices.Marshal]::PtrToStructure($OFTPtr, $ThunkDataStruct)
$Result = @{ ModuleName = $DllName }
- if (([System.Convert]::ToString($ThunkData.AddressOfData.ToInt64(),2)).PadLeft(32, '0')[0] -eq '1')
+ if (([System.Convert]::ToString($ThunkData.AddressOfData, 2)).PadLeft(32, '0')[0] -eq '1')
{
# Trim high order bit in order to get the ordinal value
- $TempOrdinal = [System.Convert]::ToInt64(([System.Convert]::ToString($ThunkData.AddressOfData.ToInt64(),2))[1..63] -join '', 2)
+ $TempOrdinal = [System.Convert]::ToInt64(([System.Convert]::ToString($ThunkData.AddressOfData, 2))[1..63] -join '', 2)
$TempOrdinal = $TempOrdinal.ToString('X16')[-1..-4]
[Array]::Reverse($TempOrdinal)
$Ordinal = ''
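Review bot: With both thunk structures now declared with signed fields (`Int32`/`Int64`), the ordinal flag in the top bit is simply the sign bit, so the binary-string test on the `.PadLeft(32, '0')[0]` line can become `if ($ThunkData.AddressOfData -lt 0)`, which is independent of width and avoids a mis-detection should a 64-bit value ever have bits 32–62 set. The following `[1..63]` slice only works for the 32-bit case because PowerShell silently drops out-of-range indices from a range, which is worth a comment if it stays, e.g. `# [1..63] on a 32-bit string yields 31 chars: out-of-range indices are dropped`. The ordinal is the low 16 bits, so `$ThunkData.AddressOfData -band 0xFFFF` would replace the string round-trip, but the rest of that extraction continues past the hunk.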
@@ -820,7 +841,7 @@ $code = @"
$Result['FunctionName'] = $FuncName
}
- $Result['VA'] = "0x$($FuncAddr.AddressOfData.ToString("X$([IntPtr]::Size*2)"))"
+ $Result['RVA'] = "0x$($FuncAddr.AddressOfData.ToString("X$($BinaryPtrWidth*2)"))"
if ($FuncAddr.AddressOfData -eq 0) { break }
if ($OFTPtr -eq 0) { break }
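Review bot: The label change from `VA` to `RVA` on the `$FuncAddr.AddressOfData` line may be wrong for imports: `$FuncAddr` is read from the FirstThunk array, and in a module loaded into a process that table is the IAT, whose entries are the resolved absolute addresses of the imported functions, not RVAs. `$FirstFuncAddrPtr` is computed outside this hunk, so this is inferred; if it does point into the loaded module's IAT, keep `$Result['VA'] = "0x$($FuncAddr.AddressOfData.ToString("X$($BinaryPtrWidth*2)"))"` (the pointer-width formatting is then correct) and reserve `RVA` for the export path, or document the difference in a comment on the line. The enclosing `while` loop starts and ends outside the hunk.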
diff --git a/PETools/PETools.format.ps1xml b/PETools/PETools.format.ps1xml
index bce54bd..17d2c56 100644
--- a/PETools/PETools.format.ps1xml
+++ b/PETools/PETools.format.ps1xml
@@ -1,374 +1,374 @@
-<?xml version="1.0" encoding="utf-8" ?>
-<Configuration>
- <SelectionSets>
- <SelectionSet>
- <Name>OptionHeaderTypes</Name>
- <Types>
- <TypeName>PE+_IMAGE_OPTIONAL_HEADER32</TypeName>
- <TypeName>PE+_IMAGE_OPTIONAL_HEADER64</TypeName>
- </Types>
- </SelectionSet>
- </SelectionSets>
- <ViewDefinitions>
- <View>
- <Name>PEView</Name>
- <ViewSelectedBy>
- <TypeName>PEHeader</TypeName>
- </ViewSelectedBy>
- <ListControl>
- <ListEntries>
- <ListEntry>
- <ListItems>
- <ListItem>
- <PropertyName>Module</PropertyName>
- </ListItem>
- <ListItem>
- <PropertyName>DOSHeader</PropertyName>
- </ListItem>
- <ListItem>
- <PropertyName>FileHeader</PropertyName>
- </ListItem>
- <ListItem>
- <PropertyName>OptionalHeader</PropertyName>
- </ListItem>
- <ListItem>
- <PropertyName>SectionHeaders</PropertyName>
- </ListItem>
- <ListItem>
- <PropertyName>Imports</PropertyName>
- </ListItem>
- <ListItem>
- <PropertyName>Exports</PropertyName>
- </ListItem>
- </ListItems>
- </ListEntry>
- </ListEntries>
- </ListControl>
- </View>
- <View>
- <Name>OptionalHeaderView</Name>
- <ViewSelectedBy>
- <SelectionSetName>OptionHeaderTypes</SelectionSetName>
- </ViewSelectedBy>
- <ListControl>
- <ListEntries>
- <ListEntry>
- <ListItems>
- <ListItem>
- <PropertyName>Magic</PropertyName>
- </ListItem>
- <ListItem>
- <PropertyName>MajorLinkerVersion</PropertyName>
- </ListItem>
- <ListItem>
- <PropertyName>MinorLinkerVersion</PropertyName>
- </ListItem>
- <ListItem>
- <Label>SizeOfCode</Label>
- <ScriptBlock>"0x$($_.SizeOfCode.ToString('X8'))"</ScriptBlock>
- </ListItem>
- <ListItem>
- <Label>SizeOfInitializedData</Label>
- <ScriptBlock>"0x$($_.SizeOfInitializedData.ToString('X8'))"</ScriptBlock>
- </ListItem>
- <ListItem>
- <Label>SizeOfUninitializedData</Label>
- <ScriptBlock>"0x$($_.SizeOfUninitializedData.ToString('X8'))"</ScriptBlock>
- </ListItem>
- <ListItem>
- <Label>AddressOfEntryPoint</Label>
- <ScriptBlock>"0x$($_.AddressOfEntryPoint.ToString('X8'))"</ScriptBlock>
- </ListItem>
- <ListItem>
- <Label>BaseOfCode</Label>
- <ScriptBlock>"0x$($_.BaseOfCode.ToString('X8'))"</ScriptBlock>
- </ListItem>
- <ListItem>
- <Label>BaseOfData</Label>
- <ScriptBlock>"0x$($_.BaseOfData.ToString('X8'))"</ScriptBlock>
- </ListItem>
- <ListItem>
- <Label>ImageBase</Label>
- <ScriptBlock>if ($_.Magic.ToString() -eq 'PE32') { "0x$($_.ImageBase.ToString('X8'))" } else { "0x$($_.ImageBase.ToString('X16'))" }</ScriptBlock>
- </ListItem>
- <ListItem>
- <Label>SectionAlignment</Label>
- <ScriptBlock>"0x$($_.SectionAlignment.ToString('X8'))"</ScriptBlock>
- </ListItem>
- <ListItem>
- <Label>FileAlignment</Label>
- <ScriptBlock>"0x$($_.FileAlignment.ToString('X8'))"</ScriptBlock>
- </ListItem>
- <ListItem>
- <PropertyName>MajorOperatingSystemVersion</PropertyName>
- </ListItem>
- <ListItem>
- <PropertyName>MinorOperatingSystemVersion</PropertyName>
- </ListItem>
- <ListItem>
- <PropertyName>MajorSubsystemVersion</PropertyName>
- </ListItem>
- <ListItem>
- <PropertyName>MinorSubsystemVersion</PropertyName>
- </ListItem>
- <ListItem>
- <PropertyName>Win32VersionValue</PropertyName>
- </ListItem>
- <ListItem>
- <Label>SizeOfImage</Label>
- <ScriptBlock>"0x$($_.SizeOfImage.ToString('X8'))"</ScriptBlock>
- </ListItem>
- <ListItem>
- <Label>SizeOfHeaders</Label>
- <ScriptBlock>"0x$($_.SizeOfHeaders.ToString('X8'))"</ScriptBlock>
- </ListItem>
- <ListItem>
- <Label>CheckSum</Label>
- <ScriptBlock>"0x$($_.CheckSum.ToString('X8'))"</ScriptBlock>
- </ListItem>
- <ListItem>
- <PropertyName>Subsystem</PropertyName>
- </ListItem>
- <ListItem>
- <PropertyName>DllCharacteristics</PropertyName>
- </ListItem>
- <ListItem>
- <Label>SizeOfStackReserve</Label>
- <ScriptBlock>if ($_.Magic.ToString() -eq 'PE32') { "0x$($_.SizeOfStackReserve.ToString('X8'))" } else { "0x$($_.SizeOfStackReserve.ToString('X16'))" }</ScriptBlock>
- </ListItem>
- <ListItem>
- <Label>SizeOfStackCommit</Label>
- <ScriptBlock>if ($_.Magic.ToString() -eq 'PE32') { "0x$($_.SizeOfStackCommit.ToString('X8'))" } else { "0x$($_.SizeOfStackCommit.ToString('X16'))" }</ScriptBlock>
- </ListItem>
- <ListItem>
- <Label>SizeOfHeapReserve</Label>
- <ScriptBlock>if ($_.Magic.ToString() -eq 'PE32') { "0x$($_.SizeOfHeapReserve.ToString('X8'))" } else { "0x$($_.SizeOfHeapReserve.ToString('X16'))" }</ScriptBlock>
- </ListItem>
- <ListItem>
- <Label>SizeOfHeapCommit</Label>
- <ScriptBlock>if ($_.Magic.ToString() -eq 'PE32') { "0x$($_.SizeOfHeapCommit.ToString('X8'))" } else { "0x$($_.SizeOfHeapCommit.ToString('X16'))" }</ScriptBlock>
- </ListItem>
- <ListItem>
- <PropertyName>LoaderFlags</PropertyName>
- </ListItem>
- <ListItem>
- <PropertyName>NumberOfRvaAndSizes</PropertyName>
- </ListItem>
- <ListItem>
- <PropertyName>DataDirectory</PropertyName>
- </ListItem>
- </ListItems>
- </ListEntry>
- </ListEntries>
- </ListControl>
- </View>
- <View>
- <Name>SectionHeaderView</Name>
- <ViewSelectedBy>
- <TypeName>PE+_IMAGE_SECTION_HEADER</TypeName>
- </ViewSelectedBy>
- <TableControl>
- <AutoSize/>
- <TableHeaders>
- <TableColumnHeader>
- <Label>Name</Label>
- <Alignment>Right</Alignment>
- </TableColumnHeader>
- <TableColumnHeader>
- <Label>VirtualSize</Label>
- </TableColumnHeader>
- <TableColumnHeader>
- <Label>VirtualAddress</Label>
- </TableColumnHeader>
- <TableColumnHeader>
- <Label>SizeOfRawData</Label>
- </TableColumnHeader>
- <TableColumnHeader>
- <Label>PointerToRawData</Label>
- </TableColumnHeader>
- <TableColumnHeader>
- <Label>Characteristics</Label>
- <Alignment>Left</Alignment>
- </TableColumnHeader>
- </TableHeaders>
- <TableRowEntries>
- <TableRowEntry>
- <TableColumnItems>
- <TableColumnItem>
- <Alignment>Right</Alignment>
- <PropertyName>Name</PropertyName>
- </TableColumnItem>
- <TableColumnItem>
- <ScriptBlock>"0x$($_.VirtualSize.ToString('X8'))"</ScriptBlock>
- </TableColumnItem>
- <TableColumnItem>
- <ScriptBlock>"0x$($_.VirtualAddress.ToString('X8'))"</ScriptBlock>
- </TableColumnItem>
- <TableColumnItem>
- <ScriptBlock>"0x$($_.SizeOfRawData.ToString('X8'))"</ScriptBlock>
- </TableColumnItem>
- <TableColumnItem>
- <ScriptBlock>"0x$($_.PointerToRawData.ToString('X8'))"</ScriptBlock>
- </TableColumnItem>
- <TableColumnItem>
- <PropertyName>Characteristics</PropertyName>
- </TableColumnItem>
- </TableColumnItems>
- </TableRowEntry>
- </TableRowEntries>
- </TableControl>
- </View>
- <View>
- <Name>FileHeaderView</Name>
- <ViewSelectedBy>
- <TypeName>PE+_IMAGE_FILE_HEADER</TypeName>
- </ViewSelectedBy>
- <ListControl>
- <ListEntries>
- <ListEntry>
- <ListItems>
- <ListItem>
- <PropertyName>Machine</PropertyName>
- </ListItem>
- <ListItem>
- <PropertyName>NumberOfSections</PropertyName>
- </ListItem>
- <ListItem>
- <Label>TimeDateStamp</Label>
- <!-- GMT compile time -->
- <ScriptBlock>(New-Object DateTime(1970, 1, 1, 0, 0, 0)).AddSeconds($_.TimeDateStamp)</ScriptBlock>
- <!-- Compile time assuming it was compiled in Redmond, Washington (PST - GMT-8) -->
- <!-- <ScriptBlock>(New-Object DateTime(1969, 12, 31, 16, 0, 0)).AddSeconds($_.TimeDateStamp)</ScriptBlock> -->
- </ListItem>
- <ListItem>
- <PropertyName>PointerToSymbolTable</PropertyName>
- </ListItem>
- <ListItem>
- <PropertyName>NumberOfSymbols</PropertyName>
- </ListItem>
- <ListItem>
- <PropertyName>SizeOfOptionalHeader</PropertyName>
- </ListItem>
- <ListItem>
- <PropertyName>Characteristics</PropertyName>
- </ListItem>
- </ListItems>
- </ListEntry>
- </ListEntries>
- </ListControl>
- </View>
- <View>
- <Name>DataDirectoryView</Name>
- <ViewSelectedBy>
- <TypeName>PE+_IMAGE_DATA_DIRECTORY</TypeName>
- </ViewSelectedBy>
- <TableControl>
- <AutoSize/>
- <TableHeaders>
- <TableColumnHeader>
- <Label>VirtualAddress</Label>
- </TableColumnHeader>
- <TableColumnHeader>
- <Label>Size</Label>
- </TableColumnHeader>
- </TableHeaders>
- <TableRowEntries>
- <TableRowEntry>
- <TableColumnItems>
- <TableColumnItem>
- <ScriptBlock>"0x$($_.VirtualAddress.ToString('X8'))"</ScriptBlock>
- </TableColumnItem>
- <TableColumnItem>
- <ScriptBlock>"0x$($_.Size.ToString('X8'))"</ScriptBlock>
- </TableColumnItem>
- </TableColumnItems>
- </TableRowEntry>
- </TableRowEntries>
- </TableControl>
- </View>
- <View>
- <Name>ImportView</Name>
- <ViewSelectedBy>
- <TypeName>Import</TypeName>
- </ViewSelectedBy>
- <TableControl>
- <AutoSize/>
- <TableHeaders>
- <TableColumnHeader>
- <Label>ModuleName</Label>
- <Alignment>Right</Alignment>
- </TableColumnHeader>
- <TableColumnHeader>
- <Label>VirtualAddress</Label>
- </TableColumnHeader>
- <TableColumnHeader>
- <Label>Ordinal</Label>
- </TableColumnHeader>
- <TableColumnHeader>
- <Label>FunctionName</Label>
- </TableColumnHeader>
- </TableHeaders>
- <TableRowEntries>
- <TableRowEntry>
- <TableColumnItems>
- <TableColumnItem>
- <Alignment>Right</Alignment>
- <PropertyName>ModuleName</PropertyName>
- </TableColumnItem>
- <TableColumnItem>
- <PropertyName>VA</PropertyName>
- </TableColumnItem>
- <TableColumnItem>
- <PropertyName>Ordinal</PropertyName>
- </TableColumnItem>
- <TableColumnItem>
- <PropertyName>FunctionName</PropertyName>
- </TableColumnItem>
- </TableColumnItems>
- </TableRowEntry>
- </TableRowEntries>
- </TableControl>
- </View>
- <View>
- <Name>ExportView</Name>
- <ViewSelectedBy>
- <TypeName>Export</TypeName>
- </ViewSelectedBy>
- <TableControl>
- <AutoSize/>
- <TableHeaders>
- <TableColumnHeader>
- <Label>VirtualAddress</Label>
- </TableColumnHeader>
- <TableColumnHeader>
- <Label>Ordinal</Label>
- </TableColumnHeader>
- <TableColumnHeader>
- <Label>FunctionName</Label>
- </TableColumnHeader>
- <TableColumnHeader>
- <Label>ForwardedName</Label>
- </TableColumnHeader>
- </TableHeaders>
- <TableRowEntries>
- <TableRowEntry>
- <TableColumnItems>
- <TableColumnItem>
- <PropertyName>VA</PropertyName>
- </TableColumnItem>
- <TableColumnItem>
- <PropertyName>Ordinal</PropertyName>
- </TableColumnItem>
- <TableColumnItem>
- <PropertyName>FunctionName</PropertyName>
- </TableColumnItem>
- <TableColumnItem>
- <PropertyName>ForwardedName</PropertyName>
- </TableColumnItem>
- </TableColumnItems>
- </TableRowEntry>
- </TableRowEntries>
- </TableControl>
- </View>
- </ViewDefinitions>
+<?xml version="1.0" encoding="utf-8" ?>
+<Configuration>
+ <SelectionSets>
+ <SelectionSet>
+ <Name>OptionHeaderTypes</Name>
+ <Types>
+ <TypeName>PE+_IMAGE_OPTIONAL_HEADER32</TypeName>
+ <TypeName>PE+_IMAGE_OPTIONAL_HEADER64</TypeName>
+ </Types>
+ </SelectionSet>
+ </SelectionSets>
+ <ViewDefinitions>
+ <View>
+ <Name>PEView</Name>
+ <ViewSelectedBy>
+ <TypeName>PEHeader</TypeName>
+ </ViewSelectedBy>
+ <ListControl>
+ <ListEntries>
+ <ListEntry>
+ <ListItems>
+ <ListItem>
+ <PropertyName>Module</PropertyName>
+ </ListItem>
+ <ListItem>
+ <PropertyName>DOSHeader</PropertyName>
+ </ListItem>
+ <ListItem>
+ <PropertyName>FileHeader</PropertyName>
+ </ListItem>
+ <ListItem>
+ <PropertyName>OptionalHeader</PropertyName>
+ </ListItem>
+ <ListItem>
+ <PropertyName>SectionHeaders</PropertyName>
+ </ListItem>
+ <ListItem>
+ <PropertyName>Imports</PropertyName>
+ </ListItem>
+ <ListItem>
+ <PropertyName>Exports</PropertyName>
+ </ListItem>
+ </ListItems>
+ </ListEntry>
+ </ListEntries>
+ </ListControl>
+ </View>
+ <View>
+ <Name>OptionalHeaderView</Name>
+ <ViewSelectedBy>
+ <SelectionSetName>OptionHeaderTypes</SelectionSetName>
+ </ViewSelectedBy>
+ <ListControl>
+ <ListEntries>
+ <ListEntry>
+ <ListItems>
+ <ListItem>
+ <PropertyName>Magic</PropertyName>
+ </ListItem>
+ <ListItem>
+ <PropertyName>MajorLinkerVersion</PropertyName>
+ </ListItem>
+ <ListItem>
+ <PropertyName>MinorLinkerVersion</PropertyName>
+ </ListItem>
+ <ListItem>
+ <Label>SizeOfCode</Label>
+ <ScriptBlock>"0x$($_.SizeOfCode.ToString('X8'))"</ScriptBlock>
+ </ListItem>
+ <ListItem>
+ <Label>SizeOfInitializedData</Label>
+ <ScriptBlock>"0x$($_.SizeOfInitializedData.ToString('X8'))"</ScriptBlock>
+ </ListItem>
+ <ListItem>
+ <Label>SizeOfUninitializedData</Label>
+ <ScriptBlock>"0x$($_.SizeOfUninitializedData.ToString('X8'))"</ScriptBlock>
+ </ListItem>
+ <ListItem>
+ <Label>AddressOfEntryPoint</Label>
+ <ScriptBlock>"0x$($_.AddressOfEntryPoint.ToString('X8'))"</ScriptBlock>
+ </ListItem>
+ <ListItem>
+ <Label>BaseOfCode</Label>
+ <ScriptBlock>"0x$($_.BaseOfCode.ToString('X8'))"</ScriptBlock>
+ </ListItem>
+ <ListItem>
+ <Label>BaseOfData</Label>
+ <ScriptBlock>"0x$($_.BaseOfData.ToString('X8'))"</ScriptBlock>
+ </ListItem>
+ <ListItem>
+ <Label>ImageBase</Label>
+ <ScriptBlock>if ($_.Magic.ToString() -eq 'PE32') { "0x$($_.ImageBase.ToString('X8'))" } else { "0x$($_.ImageBase.ToString('X16'))" }</ScriptBlock>
+ </ListItem>
+ <ListItem>
+ <Label>SectionAlignment</Label>
+ <ScriptBlock>"0x$($_.SectionAlignment.ToString('X8'))"</ScriptBlock>
+ </ListItem>
+ <ListItem>
+ <Label>FileAlignment</Label>
+ <ScriptBlock>"0x$($_.FileAlignment.ToString('X8'))"</ScriptBlock>
+ </ListItem>
+ <ListItem>
+ <PropertyName>MajorOperatingSystemVersion</PropertyName>
+ </ListItem>
+ <ListItem>
+ <PropertyName>MinorOperatingSystemVersion</PropertyName>
+ </ListItem>
+ <ListItem>
+ <PropertyName>MajorSubsystemVersion</PropertyName>
+ </ListItem>
+ <ListItem>
+ <PropertyName>MinorSubsystemVersion</PropertyName>
+ </ListItem>
+ <ListItem>
+ <PropertyName>Win32VersionValue</PropertyName>
+ </ListItem>
+ <ListItem>
+ <Label>SizeOfImage</Label>
+ <ScriptBlock>"0x$($_.SizeOfImage.ToString('X8'))"</ScriptBlock>
+ </ListItem>
+ <ListItem>
+ <Label>SizeOfHeaders</Label>
+ <ScriptBlock>"0x$($_.SizeOfHeaders.ToString('X8'))"</ScriptBlock>
+ </ListItem>
+ <ListItem>
+ <Label>CheckSum</Label>
+ <ScriptBlock>"0x$($_.CheckSum.ToString('X8'))"</ScriptBlock>
+ </ListItem>
+ <ListItem>
+ <PropertyName>Subsystem</PropertyName>
+ </ListItem>
+ <ListItem>
+ <PropertyName>DllCharacteristics</PropertyName>
+ </ListItem>
+ <ListItem>
+ <Label>SizeOfStackReserve</Label>
+ <ScriptBlock>if ($_.Magic.ToString() -eq 'PE32') { "0x$($_.SizeOfStackReserve.ToString('X8'))" } else { "0x$($_.SizeOfStackReserve.ToString('X16'))" }</ScriptBlock>
+ </ListItem>
+ <ListItem>
+ <Label>SizeOfStackCommit</Label>
+ <ScriptBlock>if ($_.Magic.ToString() -eq 'PE32') { "0x$($_.SizeOfStackCommit.ToString('X8'))" } else { "0x$($_.SizeOfStackCommit.ToString('X16'))" }</ScriptBlock>
+ </ListItem>
+ <ListItem>
+ <Label>SizeOfHeapReserve</Label>
+ <ScriptBlock>if ($_.Magic.ToString() -eq 'PE32') { "0x$($_.SizeOfHeapReserve.ToString('X8'))" } else { "0x$($_.SizeOfHeapReserve.ToString('X16'))" }</ScriptBlock>
+ </ListItem>
+ <ListItem>
+ <Label>SizeOfHeapCommit</Label>
+ <ScriptBlock>if ($_.Magic.ToString() -eq 'PE32') { "0x$($_.SizeOfHeapCommit.ToString('X8'))" } else { "0x$($_.SizeOfHeapCommit.ToString('X16'))" }</ScriptBlock>
+ </ListItem>
+ <ListItem>
+ <PropertyName>LoaderFlags</PropertyName>
+ </ListItem>
+ <ListItem>
+ <PropertyName>NumberOfRvaAndSizes</PropertyName>
+ </ListItem>
+ <ListItem>
+ <PropertyName>DataDirectory</PropertyName>
+ </ListItem>
+ </ListItems>
+ </ListEntry>
+ </ListEntries>
+ </ListControl>
+ </View>
+ <View>
+ <Name>SectionHeaderView</Name>
+ <ViewSelectedBy>
+ <TypeName>PE+_IMAGE_SECTION_HEADER</TypeName>
+ </ViewSelectedBy>
+ <TableControl>
+ <AutoSize/>
+ <TableHeaders>
+ <TableColumnHeader>
+ <Label>Name</Label>
+ <Alignment>Right</Alignment>
+ </TableColumnHeader>
+ <TableColumnHeader>
+ <Label>VirtualSize</Label>
+ </TableColumnHeader>
+ <TableColumnHeader>
+ <Label>VirtualAddress</Label>
+ </TableColumnHeader>
+ <TableColumnHeader>
+ <Label>SizeOfRawData</Label>
+ </TableColumnHeader>
+ <TableColumnHeader>
+ <Label>PointerToRawData</Label>
+ </TableColumnHeader>
+ <TableColumnHeader>
+ <Label>Characteristics</Label>
+ <Alignment>Left</Alignment>
+ </TableColumnHeader>
+ </TableHeaders>
+ <TableRowEntries>
+ <TableRowEntry>
+ <TableColumnItems>
+ <TableColumnItem>
+ <Alignment>Right</Alignment>
+ <PropertyName>Name</PropertyName>
+ </TableColumnItem>
+ <TableColumnItem>
+ <ScriptBlock>"0x$($_.VirtualSize.ToString('X8'))"</ScriptBlock>
+ </TableColumnItem>
+ <TableColumnItem>
+ <ScriptBlock>"0x$($_.VirtualAddress.ToString('X8'))"</ScriptBlock>
+ </TableColumnItem>
+ <TableColumnItem>
+ <ScriptBlock>"0x$($_.SizeOfRawData.ToString('X8'))"</ScriptBlock>
+ </TableColumnItem>
+ <TableColumnItem>
+ <ScriptBlock>"0x$($_.PointerToRawData.ToString('X8'))"</ScriptBlock>
+ </TableColumnItem>
+ <TableColumnItem>
+ <PropertyName>Characteristics</PropertyName>
+ </TableColumnItem>
+ </TableColumnItems>
+ </TableRowEntry>
+ </TableRowEntries>
+ </TableControl>
+ </View>
+ <View>
+ <Name>FileHeaderView</Name>
+ <ViewSelectedBy>
+ <TypeName>PE+_IMAGE_FILE_HEADER</TypeName>
+ </ViewSelectedBy>
+ <ListControl>
+ <ListEntries>
+ <ListEntry>
+ <ListItems>
+ <ListItem>
+ <PropertyName>Machine</PropertyName>
+ </ListItem>
+ <ListItem>
+ <PropertyName>NumberOfSections</PropertyName>
+ </ListItem>
+ <ListItem>
+ <Label>TimeDateStamp</Label>
+ <!-- GMT compile time -->
+ <ScriptBlock>(New-Object DateTime(1970, 1, 1, 0, 0, 0)).AddSeconds($_.TimeDateStamp)</ScriptBlock>
+ <!-- Compile time assuming it was compiled in Redmond, Washington (PST - GMT-8) -->
+ <!-- <ScriptBlock>(New-Object DateTime(1969, 12, 31, 16, 0, 0)).AddSeconds($_.TimeDateStamp)</ScriptBlock> -->
+ </ListItem>
+ <ListItem>
+ <PropertyName>PointerToSymbolTable</PropertyName>
+ </ListItem>
+ <ListItem>
+ <PropertyName>NumberOfSymbols</PropertyName>
+ </ListItem>
+ <ListItem>
+ <PropertyName>SizeOfOptionalHeader</PropertyName>
+ </ListItem>
+ <ListItem>
+ <PropertyName>Characteristics</PropertyName>
+ </ListItem>
+ </ListItems>
+ </ListEntry>
+ </ListEntries>
+ </ListControl>
+ </View>
+ <View>
+ <Name>DataDirectoryView</Name>
+ <ViewSelectedBy>
+ <TypeName>PE+_IMAGE_DATA_DIRECTORY</TypeName>
+ </ViewSelectedBy>
+ <TableControl>
+ <AutoSize/>
+ <TableHeaders>
+ <TableColumnHeader>
+ <Label>VirtualAddress</Label>
+ </TableColumnHeader>
+ <TableColumnHeader>
+ <Label>Size</Label>
+ </TableColumnHeader>
+ </TableHeaders>
+ <TableRowEntries>
+ <TableRowEntry>
+ <TableColumnItems>
+ <TableColumnItem>
+ <ScriptBlock>"0x$($_.VirtualAddress.ToString('X8'))"</ScriptBlock>
+ </TableColumnItem>
+ <TableColumnItem>
+ <ScriptBlock>"0x$($_.Size.ToString('X8'))"</ScriptBlock>
+ </TableColumnItem>
+ </TableColumnItems>
+ </TableRowEntry>
+ </TableRowEntries>
+ </TableControl>
+ </View>
+ <View>
+ <Name>ImportView</Name>
+ <ViewSelectedBy>
+ <TypeName>Import</TypeName>
+ </ViewSelectedBy>
+ <TableControl>
+ <AutoSize/>
+ <TableHeaders>
+ <TableColumnHeader>
+ <Label>ModuleName</Label>
+ <Alignment>Right</Alignment>
+ </TableColumnHeader>
+ <TableColumnHeader>
+ <Label>VA/FT</Label>
+ </TableColumnHeader>
+ <TableColumnHeader>
+ <Label>Ordinal</Label>
+ </TableColumnHeader>
+ <TableColumnHeader>
+ <Label>FunctionName</Label>
+ </TableColumnHeader>
+ </TableHeaders>
+ <TableRowEntries>
+ <TableRowEntry>
+ <TableColumnItems>
+ <TableColumnItem>
+ <Alignment>Right</Alignment>
+ <PropertyName>ModuleName</PropertyName>
+ </TableColumnItem>
+ <TableColumnItem>
+ <PropertyName>RVA</PropertyName>
+ </TableColumnItem>
+ <TableColumnItem>
+ <PropertyName>Ordinal</PropertyName>
+ </TableColumnItem>
+ <TableColumnItem>
+ <PropertyName>FunctionName</PropertyName>
+ </TableColumnItem>
+ </TableColumnItems>
+ </TableRowEntry>
+ </TableRowEntries>
+ </TableControl>
+ </View>
+ <View>
+ <Name>ExportView</Name>
+ <ViewSelectedBy>
+ <TypeName>Export</TypeName>
+ </ViewSelectedBy>
+ <TableControl>
+ <AutoSize/>
+ <TableHeaders>
+ <TableColumnHeader>
+ <Label>RVA</Label>
+ </TableColumnHeader>
+ <TableColumnHeader>
+ <Label>Ordinal</Label>
+ </TableColumnHeader>
+ <TableColumnHeader>
+ <Label>FunctionName</Label>
+ </TableColumnHeader>
+ <TableColumnHeader>
+ <Label>ForwardedName</Label>
+ </TableColumnHeader>
+ </TableHeaders>
+ <TableRowEntries>
+ <TableRowEntry>
+ <TableColumnItems>
+ <TableColumnItem>
+ <PropertyName>RVA</PropertyName>
+ </TableColumnItem>
+ <TableColumnItem>
+ <PropertyName>Ordinal</PropertyName>
+ </TableColumnItem>
+ <TableColumnItem>
+ <PropertyName>FunctionName</PropertyName>
+ </TableColumnItem>
+ <TableColumnItem>
+ <PropertyName>ForwardedName</PropertyName>
+ </TableColumnItem>
+ </TableColumnItems>
+ </TableRowEntry>
+ </TableRowEntries>
+ </TableControl>
+ </View>
+ </ViewDefinitions>
</Configuration> \ No newline at end of file
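Review bot: Every one of the 374 lines is deleted and re-added although only the ImportView header (`VA/FT`), the ExportView header (`RVA`) and the two `<PropertyName>RVA</PropertyName>` bindings actually change, which suggests a line-ending or encoding rewrite got folded into the functional change; committing the normalization separately (or pinning it with a `.gitattributes` rule) would let a reviewer see the three real edits. In the FileHeaderView `TimeDateStamp` item the comment says GMT but the ScriptBlock builds a DateTime of unspecified kind, so the rendered value carries no zone; `(New-Object DateTime(1970, 1, 1, 0, 0, 0, [DateTimeKind]::Utc)).AddSeconds($_.TimeDateStamp)` makes the intent explicit, and the commented-out PST variant below it can be dropped. It would also help analysts to note in that comment that the field is under the file author's control and, on newer toolchains, may hold a reproducible-build hash rather than a time, so the displayed date is not evidence of when the binary was built.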