Capstone module now incorporates framework 2.0RC1

* I also moved the contents of Get-CSDisassembly.ps1 into Capstone.psm1

9 files changed, 175 insertions, 126 deletions

diff --git a/Capstone/Capstone.psd1 b/Capstone/Capstone.psd1
index 5da5a94..d85443f 100644
--- a/Capstone/Capstone.psd1
+++ b/Capstone/Capstone.psd1
@@ -4,7 +4,7 @@
 ModuleToProcess = 'Capstone.psm1'
 
 # Version number of this module.
-ModuleVersion = '1.0.0.0'
+ModuleVersion = '2.0.0.0'
 
 # ID used to uniquely identify this module
 GUID = 'bc335667-02fd-46c4-a3d9-0a5113c9c03b'
@@ -13,7 +13,7 @@ GUID = 'bc335667-02fd-46c4-a3d9-0a5113c9c03b'
 Author = 'Matthew Graeber'
 
 # Copyright statement for this module
-Copyright = 'BSD 3-Clause'
+Copyright = 'see LICENSE.TXT'
 
 # Description of the functionality provided by this module
 Description = 'Capstone Disassembly Framework Binding Module'
@@ -39,9 +39,10 @@ ModuleList = @(@{ModuleName = 'Capstone'; ModuleVersion = '1.0.0.0'; GUID = 'bc3
 # List of all files packaged with this module
 FileList = 'Capstone.psm1',
            'Capstone.psd1',
-           'Get-CSDisassembly.ps1',
-           'Usage.md', 
+           'Get-CSDisassembly.format.ps1xml',
+           'LICENSE.TXT',
+           'README', 
            'lib/capstone.dll',
-           'lib/libcapstone.dll'
-
+           'lib/x86/libcapstone.dll',
+           'lib/x64/libcapstone.dll'
 }
diff --git a/Capstone/Capstone.psm1 b/Capstone/Capstone.psm1
index 81d3818..b9829e7 100644
--- a/Capstone/Capstone.psm1
+++ b/Capstone/Capstone.psm1
@@ -1 +1,168 @@
-Get-ChildItem (Join-Path $PSScriptRoot *.ps1) | % { . $_.FullName}
+#Requires -Modules Capstone
+
+function Get-CSDisassembly
+{
+<#
+.SYNOPSIS
+
+    Disassembles a byte array using the Capstone Engine disassembly framework.
+
+    PowerSploit Function: Get-CSDisassembly
+    Author: Matthew Graeber (@mattifestation)
+    License: See LICENSE.TXT
+    Required Dependencies: lib\capstone.dll, lib\[x86|x64]\libcapstone.dll
+    Optional Dependencies: None
+
+.DESCRIPTION
+
+    Get-CSDisassembly is compatible on 32 and 64-bit.
+
+.PARAMETER Architecture
+
+    Specifies the architecture of the code to be disassembled.
+
+.PARAMETER Mode
+
+    Specifies the mode in which to disassemble code. For example, to disassemble Amd64 code, architecture is set to 'X86' and Mode is set to 'MODE_64'.
+
+.PARAMETER Code
+
+    A byte array consisting of the code to be disassembled.
+
+.PARAMETER Offset
+
+    Specifies the starting address of the disassembly listing.
+
+.PARAMETER Count
+
+    Specifies the maximum number of instructions to disassemble.
+
+.PARAMETER Syntax
+
+    Specifies the syntax flavor to be used (INTEL vs. ATT).
+
+.PARAMETER DetailOn
+
+    Specifies that detailed parsing should be performed - i.e. provide detailed information for each disassembled instruction.
+
+.PARAMETER Verstion
+
+    Prints the running Capstone Framework version.
+      
+.EXAMPLE
+
+    $Bytes = [Byte[]] @( 0x8D, 0x4C, 0x32, 0x08, 0x01, 0xD8, 0x81, 0xC6, 0x34, 0x12, 0x00, 0x00 )
+    Get-CSDisassembly -Architecture X86 -Mode Mode16 -Code $Bytes -Offset 0x1000
+
+    $Bytes = [Byte[]] @( 0x8D, 0x4C, 0x32, 0x08, 0x01, 0xD8, 0x81, 0xC6, 0x34, 0x12, 0x00, 0x00 )
+    Get-CSDisassembly -Architecture X86 -Mode Mode32 -Code $Bytes
+
+    $Bytes = [Byte[]] @( 0x8D, 0x4C, 0x32, 0x08, 0x01, 0xD8, 0x81, 0xC6, 0x34, 0x12, 0x00, 0x00 )
+    Get-CSDisassembly -Architecture X86 -Mode Mode32 -Code $Bytes -Syntax ATT
+
+    $Bytes = [Byte[]] @( 0x55, 0x48, 0x8b, 0x05, 0xb8, 0x13, 0x00, 0x00 )
+    Get-CSDisassembly -Architecture X86 -Mode Mode64 -Code $Bytes -DetailOn
+
+    $Bytes = [Byte[]] @( 0xED, 0xFF, 0xFF, 0xEB, 0x04, 0xe0, 0x2d, 0xe5, 0x00, 0x00, 0x00, 0x00, 0xe0, 0x83, 0x22, 0xe5, 0xf1, 0x02, 0x03, 0x0e, 0x00, 0x00, 0xa0, 0xe3, 0x02, 0x30, 0xc1, 0xe7, 0x00, 0x00, 0x53, 0xe3 )
+    Get-CSDisassembly -Architecture Arm -Mode Arm -Code $Bytes
+
+    $Bytes = [Byte[]] @( 0x4f, 0xf0, 0x00, 0x01, 0xbd, 0xe8, 0x00, 0x88, 0xd1, 0xe8, 0x00, 0xf0 )
+    Get-CSDisassembly -Architecture Arm -Mode Thumb -Code $Bytes
+
+    $Bytes = [Byte[]] @( 0x10, 0xf1, 0x10, 0xe7, 0x11, 0xf2, 0x31, 0xe7, 0xdc, 0xa1, 0x2e, 0xf3, 0xe8, 0x4e, 0x62, 0xf3 )
+    Get-CSDisassembly -Architecture Arm -Mode Arm -Code $Bytes
+
+    $Bytes = [Byte[]] @( 0x70, 0x47, 0xeb, 0x46, 0x83, 0xb0, 0xc9, 0x68 )
+    Get-CSDisassembly -Architecture Arm -Mode Thumb -Code $Bytes -DetailOn
+
+    $Bytes = [Byte[]] @( 0x21, 0x7c, 0x02, 0x9b, 0x21, 0x7c, 0x00, 0x53, 0x00, 0x40, 0x21, 0x4b, 0xe1, 0x0b, 0x40, 0xb9 )
+    Get-CSDisassembly -Architecture Arm64 -Mode Arm -Code $Bytes
+
+    $Bytes = [Byte[]] @( 0x0C, 0x10, 0x00, 0x97, 0x00, 0x00, 0x00, 0x00, 0x24, 0x02, 0x00, 0x0c, 0x8f, 0xa2, 0x00, 0x00, 0x34, 0x21, 0x34, 0x56 )
+    Get-CSDisassembly -Architecture Mips -Mode 'Mode32, BigEndian' -Code $Bytes
+
+    $Bytes = [Byte[]] @( 0x56, 0x34, 0x21, 0x34, 0xc2, 0x17, 0x01, 0x00 )
+    Get-CSDisassembly -Architecture Mips -Mode 'Mode64, LittleEndian' -Code $Bytes
+
+    $Bytes = [Byte[]] @( 0x80, 0x20, 0x00, 0x00, 0x80, 0x3f, 0x00, 0x00, 0x10, 0x43, 0x23, 0x0e, 0xd0, 0x44, 0x00, 0x80, 0x4c, 0x43, 0x22, 0x02, 0x2d, 0x03, 0x00, 0x80, 0x7c, 0x43, 0x20, 0x14, 0x7c, 0x43, 0x20, 0x93, 0x4f, 0x20, 0x00, 0x21, 0x4c, 0xc8, 0x00, 0x21 )
+    Get-CSDisassembly -Architecture PPC -Mode BigEndian -Code $Bytes
+
+.INPUTS
+
+    None
+
+    You cannot pipe objects to Get-CSDisassembly.
+
+.OUTPUTS
+
+    Capstone.Instruction[]
+
+    Get-CSDisassembly returns an array of Instruction objects.
+#>
+
+    [OutputType([Capstone.Instruction])]
+    [CmdletBinding(DefaultParameterSetName = 'Disassemble')]
+    Param (
+        [Parameter(Mandatory, ParameterSetName = 'Disassemble')]
+        [Capstone.Architecture]
+        $Architecture,
+
+        [Parameter(Mandatory, ParameterSetName = 'Disassemble')]
+        [Capstone.Mode]
+        $Mode,
+
+        [Parameter(Mandatory, ParameterSetName = 'Disassemble')]
+        [ValidateNotNullOrEmpty()]
+        [Byte[]]
+        $Code,
+
+        [Parameter( ParameterSetName = 'Disassemble' )]
+        [UInt64]
+        $Offset = 0,
+
+        [Parameter( ParameterSetName = 'Disassemble' )]
+        [UInt32]
+        $Count = 0,
+
+        [Parameter( ParameterSetName = 'Disassemble' )]
+        [ValidateSet('Intel', 'ATT')]
+        [String]
+        $Syntax,
+
+        [Parameter( ParameterSetName = 'Disassemble' )]
+        [Switch]
+        $DetailOn,
+
+        [Parameter( ParameterSetName = 'Version' )]
+        [Switch]
+        $Version
+    )
+
+    if ($PsCmdlet.ParameterSetName -eq 'Version')
+    {
+        $Disassembly = New-Object Capstone.Capstone([Capstone.Architecture]::X86, [Capstone.Mode]::Mode16)
+        $Disassembly.Version
+
+        return
+    }
+
+    $Disassembly = New-Object Capstone.Capstone($Architecture, $Mode)
+
+    if ($Syntax)
+    {
+        switch ($Syntax)
+        {
+            'Intel' { $SyntaxMode = [Capstone.OptionValue]::SyntaxIntel }
+            'ATT'   { $SyntaxMode = [Capstone.OptionValue]::SyntaxATT }
+        }
+
+        $Disassembly.SetSyntax($SyntaxMode)
+    }
+
+    if ($DetailOn)
+    {
+        $Disassembly.SetDetail($True)
+    }
+
+    $Disassembly.Disassemble($Code, $Offset, $Count)
+}
\ No newline at end of file
diff --git a/Capstone/Get-CSDisassembly.ps1 b/Capstone/Get-CSDisassembly.ps1
deleted file mode 100644
index 257ba96..0000000
--- a/Capstone/Get-CSDisassembly.ps1
+++ /dev/null
@@ -1,119 +0,0 @@
-#requires -Version 3
-
-function Get-CSDisassembly
-{
-<#
-.SYNOPSIS
-
-    Disassembles a byte array using the Capstone Engine disassembly framework.
-
-    PowerSploit Function: Get-CSDisassembly
-    Author: Matthew Graeber (@mattifestation)
-    License: See LICENSE.TXT
-    Required Dependencies: lib\capstone.dll, lib\[x86|x64]\libcapstone.dll
-    Optional Dependencies: None
-
-.DESCRIPTION
-
-    Get-CSDisassembly is compatible on 32 and 64-bit.
-
-.PARAMETER Architecture
-
-    Specifies the architecture of the code to be disassembled.
-
-.PARAMETER Mode
-
-    Specifies the mode in which to disassemble code. For example, to disassemble Amd64 code, architecture is set to 'X86' and Mode is set to 'MODE_64'.
-
-.PARAMETER Code
-
-    A byte array consisting of the code to be disassembled.
-
-.PARAMETER Offset
-
-    Specifies the starting address of the disassembly listing.
-
-.PARAMETER Count
-
-    Specifies the maximum number of instructions to disassemble.
-
-.PARAMETER Syntax
-
-    Specifies the syntax flavor to be used (INTEL vs. ATT).
-
-.PARAMETER DetailOff
-
-    Specifies that detailed parsing should not be performed - i.e. do not perform additional analysis beyond disassembling.
-      
-.EXAMPLE
-
-    C:\PS>$Bytes = [Byte[]] @( 0x8D, 0x4C, 0x32, 0x08, 0x01, 0xD8, 0x81, 0xC6, 0x34, 0x12, 0x00, 0x00 )
-    Get-CSDisassembly -Architecture X86 -Mode Mode16 -Code $Bytes -Offset 0x1000
-
-.EXAMPLE
-
-    C:\PS>$Bytes = [Byte[]] @( 0x8D, 0x4C, 0x32, 0x08, 0x01, 0xD8, 0x81, 0xC6, 0x34, 0x12, 0x00, 0x00 )
-    Get-CSDisassembly -Architecture X86 -Mode Mode32 -Code $Bytes -Syntax ATT
-
-.INPUTS
-
-    None
-
-    You cannot pipe objects to Get-CSDisassembly.
-
-.OUTPUTS
-
-    Capstone.Instruction[]
-
-    Get-CSDisassembly returns an array of Instruction objects.
-#>
-
-    [OutputType([Capstone.Instruction])]
-    [CmdletBinding()] Param (
-        [Parameter(Mandatory)]
-        [Capstone.Architecture]
-        $Architecture,
-
-        [Parameter(Mandatory)]
-        [Capstone.Mode]
-        $Mode,
-
-        [Parameter(Mandatory)]
-        [ValidateNotNullOrEmpty()]
-        [Byte[]]
-        $Code,
-
-        [UInt64]
-        $Offset = 0,
-
-        [UInt32]
-        $Count = 0,
-
-        [ValidateSet('Intel', 'ATT')]
-        [String]
-        $Syntax,
-
-        [Switch]
-        $DetailOff
-    )
-
-    $Disassembly = New-Object Capstone.Capstone($Architecture, $Mode)
-
-    if ($Syntax)
-    {
-        switch ($Syntax)
-        {
-            'Intel' { $SyntaxMode = [Capstone.OptionValue]::SyntaxIntel }
-            'ATT'   { $SyntaxMode = [Capstone.OptionValue]::SyntaxATT }
-        }
-
-        $Disassembly.SetSyntax($SyntaxMode)
-    }
-
-    if ($DetailOff)
-    {
-        $Disassembly.SetDetail($False)
-    }
-
-    $Disassembly.Disassemble($Code, $Offset, $Count)
-}
\ No newline at end of file
diff --git a/Capstone/lib/capstone.dll b/Capstone/lib/capstone.dll
index 1727436..914fd1e 100644
--- a/Capstone/lib/capstone.dll
+++ b/Capstone/lib/capstone.dll
diff --git a/Capstone/lib/place_capstone.dll_here b/Capstone/lib/place_capstone.dll_here
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/Capstone/lib/place_capstone.dll_here
diff --git a/Capstone/lib/x64/libcapstone.dll b/Capstone/lib/x64/libcapstone.dll
index e4f5e33..f7e7fda 100644
--- a/Capstone/lib/x64/libcapstone.dll
+++ b/Capstone/lib/x64/libcapstone.dll
diff --git a/Capstone/lib/x64/place_64-bit_libcapstone.dll_here b/Capstone/lib/x64/place_64-bit_libcapstone.dll_here
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/Capstone/lib/x64/place_64-bit_libcapstone.dll_here
diff --git a/Capstone/lib/x86/libcapstone.dll b/Capstone/lib/x86/libcapstone.dll
index 242ad7e..515c869 100644
--- a/Capstone/lib/x86/libcapstone.dll
+++ b/Capstone/lib/x86/libcapstone.dll
diff --git a/Capstone/lib/x86/place_32-bit_libcapstone.dll_here b/Capstone/lib/x86/place_32-bit_libcapstone.dll_here
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/Capstone/lib/x86/place_32-bit_libcapstone.dll_here