author | bitform <matt@exploit-monday.com> | 2012-07-22 15:16:22 -0400 |
---|---|---|
committer | bitform <matt@exploit-monday.com> | 2012-07-22 15:16:22 -0400 |
commit | 65ebaea880b1470718f609e1946f950e7fff0d81 (patch) | |
tree | a47abcb754d066808e410277920ca82d4dfce1ac /PETools/Get-PEArchitecture.ps1 | |
parent | 72c00d7422ea2df4fe397db099d67c6945d48724 (diff) | |
download | PowerSploit-65ebaea880b1470718f609e1946f950e7fff0d81.tar.gz PowerSploit-65ebaea880b1470718f609e1946f950e7fff0d81.zip |
Added Get-PEHeader. PETools is now a module.
Get-PEHeader is a 32 and 64-bit in-memory and on-disk PE parsing
utility.
PETools is now a PowerShell module that can be loaded with
`Import-Module PETools`
Diffstat (limited to 'PETools/Get-PEArchitecture.ps1')
-rw-r--r-- | PETools/Get-PEArchitecture.ps1 | 83 |
1 files changed, 83 insertions, 0 deletions
diff --git a/PETools/Get-PEArchitecture.ps1 b/PETools/Get-PEArchitecture.ps1
new file mode 100644
index 0000000..e53c5ff
--- /dev/null
+++ b/PETools/Get-PEArchitecture.ps1
@@ -0,0 +1,83 @@
+function Get-PEArchitecture {
+<#
+.Synopsis
+
+ PowerSploit Module - Get-PEArchitecture
+ Author: Matthew Graeber (@mattifestation)
+ License: BSD 3-Clause
+
+.Description
+
+ Get-PEArchitecture returns the architecture for which
+ a Windows portable executable was compiled.
+
+.Parameter Path
+
+ Path to the executable.
+
+.Example
+
+ PS> Get-PEArchitecture C:\Windows\SysWOW64\calc.exe
+ X86
+
+.Example
+
+ PS> Get-PEArchitecture C:\Windows\System32\cmd.exe
+ X64
+
+.Link
+
+ My blog: http://www.exploit-monday.com
+#>
+ Param ( [Parameter(Position = 0, Mandatory = $True)] [String] $Path )
+
+ if (!(Test-Path $Path)) {
+ Write-Warning 'Invalid path or file does not exist.'
+ return
+ }
+
+ # Parse PE header to see if binary was compiled 32 or 64-bit
+ $FileStream = New-Object System.IO.FileStream($Path, [System.IO.FileMode]::Open, [System.IO.FileAccess]::Read)
+
+ [Byte[]] $MZHeader = New-Object Byte[](2)
+ $FileStream.Read($MZHeader,0,2) | Out-Null
+
+ $Header = [System.Text.AsciiEncoding]::ASCII.GetString($MZHeader)
+ if ($Header -ne 'MZ') {
+ Write-Warning 'Invalid PE header.'
+ $FileStream.Close()
+ return
+ }
+
+ # Seek to 0x3c - IMAGE_DOS_HEADER.e_lfanew (i.e. Offset to PE Header)
+ $FileStream.Seek(0x3c, [System.IO.SeekOrigin]::Begin) | Out-Null
+
+ [Byte[]] $lfanew = New-Object Byte[](4)
+
+ # Read offset to the PE Header (will be read in reverse)
+ $FileStream.Read($lfanew,0,4) | Out-Null
+ $PEOffset = [Int] ('0x{0}' -f (( $lfanew[-1..-4] | % { $_.ToString('X2') } ) -join ''))
+
+ # Seek to IMAGE_FILE_HEADER.IMAGE_FILE_MACHINE
+ $FileStream.Seek($PEOffset + 4, [System.IO.SeekOrigin]::Begin) | Out-Null
+ [Byte[]] $IMAGE_FILE_MACHINE = New-Object Byte[](2)
+
+ # Read compiled architecture
+ $FileStream.Read($IMAGE_FILE_MACHINE,0,2) | Out-Null
+ $Architecture = '{0}' -f (( $IMAGE_FILE_MACHINE[-1..-2] | % { $_.ToString('X2') } ) -join '')
+ $FileStream.Close()
+
+ if (($Architecture -ne '014C') -and ($Architecture -ne '8664')) {
+ Write-Warning 'Invalid PE header or unsupported architecture.'
+ return
+ }
+
+ if ($Architecture -eq '014C') {
+ return 'X86'
+ } elseif ($Architecture -eq '8664') {
+ return 'X64'
+ } else {
+ return 'OTHER'
+ }
+
+}
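Review bot: Nothing validates that `e_lfanew` actually points at a `PE\0\0` signature, and every `Read` return value is discarded via `Out-Null`, so a truncated or crafted input (an `MZ` stub whose bytes at `e_lfanew + 4` happen to be `4C 01`) is reported as X86 instead of rejected — this applies to the reads into `$lfanew` and `$IMAGE_FILE_MACHINE`. For a tool whose whole purpose is parsing untrusted binaries, the signature check and read-length checks below are the minimum before trusting the Machine field. It also looks like an `e_lfanew` with the top bit set converts to a negative `[Int]`, which would make `Seek` throw and leave the `FileStream` open; wrapping the parsing in `try { … } finally { $FileStream.Close() }` covers that and the two explicit `Close()` calls. Separately, the `else { return 'OTHER' }` branch is unreachable because the preceding `if` already returns on anything other than `014C`/`8664` — drop one or the other.
```powershell
    # … unchanged: MZ check and seek to 0x3c …
    if ($FileStream.Read($lfanew, 0, 4) -ne 4) {
        Write-Warning 'Truncated file.'
        $FileStream.Close()
        return
    }
    $PEOffset = [Int] ('0x{0}' -f (( $lfanew[-1..-4] | % { $_.ToString('X2') } ) -join ''))

    # Validate the PE\0\0 signature at e_lfanew before trusting anything after it
    $FileStream.Seek($PEOffset, [System.IO.SeekOrigin]::Begin) | Out-Null
    [Byte[]] $PESignature = New-Object Byte[](4)
    if (($FileStream.Read($PESignature, 0, 4) -ne 4) -or
        ($PESignature[0] -ne 0x50) -or ($PESignature[1] -ne 0x45) -or
        ($PESignature[2] -ne 0) -or ($PESignature[3] -ne 0)) {
        Write-Warning 'Invalid PE header.'
        $FileStream.Close()
        return
    }

    # Stream is now positioned at IMAGE_FILE_HEADER.Machine (signature + 4)
    [Byte[]] $IMAGE_FILE_MACHINE = New-Object Byte[](2)
    if ($FileStream.Read($IMAGE_FILE_MACHINE, 0, 2) -ne 2) {
        Write-Warning 'Truncated file.'
        $FileStream.Close()
        return
    }
    # … unchanged: Machine decoding and X86/X64 result …
```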