author | bitform <matt@exploit-monday.com> | 2012-07-22 15:16:22 -0400 |
---|---|---|
committer | bitform <matt@exploit-monday.com> | 2012-07-22 15:16:22 -0400 |
commit | 65ebaea880b1470718f609e1946f950e7fff0d81 (patch) | |
tree | a47abcb754d066808e410277920ca82d4dfce1ac /PETools/PETools.format.ps1xml | |
parent | 72c00d7422ea2df4fe397db099d67c6945d48724 (diff) | |
download | PowerSploit-65ebaea880b1470718f609e1946f950e7fff0d81.tar.gz PowerSploit-65ebaea880b1470718f609e1946f950e7fff0d81.zip |
Added Get-PEHeader. PETools is now a module.
Get-PEHeader is a 32 and 64-bit in-memory and on-disk PE parsing
utility.
PETools is now a PowerShell module that can be loaded with
`Import-Module PETools`
Diffstat (limited to 'PETools/PETools.format.ps1xml')
-rw-r--r-- | PETools/PETools.format.ps1xml | 374 |
1 files changed, 374 insertions, 0 deletions
diff --git a/PETools/PETools.format.ps1xml b/PETools/PETools.format.ps1xml
new file mode 100644
index 0000000..2a1cbdb
--- /dev/null
+++ b/PETools/PETools.format.ps1xml
@@ -0,0 +1,374 @@
+<?xml version="1.0" encoding="utf-8" ?>
+<Configuration>
+ <SelectionSets>
+ <SelectionSet>
+ <Name>OptionHeaderTypes</Name>
+ <Types>
+ <TypeName>PE+_IMAGE_OPTIONAL_HEADER32</TypeName>
+ <TypeName>PE+_IMAGE_OPTIONAL_HEADER64</TypeName>
+ </Types>
+ </SelectionSet>
+ </SelectionSets>
+ <ViewDefinitions>
+ <View>
+ <Name>PEView</Name>
+ <ViewSelectedBy>
+ <TypeName>PEHeader</TypeName>
+ </ViewSelectedBy>
+ <ListControl>
+ <ListEntries>
+ <ListEntry>
+ <ListItems>
+ <ListItem>
+ <PropertyName>Module</PropertyName>
+ </ListItem>
+ <ListItem>
+ <PropertyName>DOSHeader</PropertyName>
+ </ListItem>
+ <ListItem>
+ <PropertyName>FileHeader</PropertyName>
+ </ListItem>
+ <ListItem>
+ <PropertyName>OptionalHeader</PropertyName>
+ </ListItem>
+ <ListItem>
+ <PropertyName>SectionHeaders</PropertyName>
+ </ListItem>
+ <ListItem>
+ <PropertyName>Imports</PropertyName>
+ </ListItem>
+ <ListItem>
+ <PropertyName>Exports</PropertyName>
+ </ListItem>
+ </ListItems>
+ </ListEntry>
+ </ListEntries>
+ </ListControl>
+ </View>
+ <View>
+ <Name>OptionalHeaderView</Name>
+ <ViewSelectedBy>
+ <SelectionSetName>OptionHeaderTypes</SelectionSetName>
+ </ViewSelectedBy>
+ <ListControl>
+ <ListEntries>
+ <ListEntry>
+ <ListItems>
+ <ListItem>
+ <PropertyName>Magic</PropertyName>
+ </ListItem>
+ <ListItem>
+ <PropertyName>MajorLinkerVersion</PropertyName>
+ </ListItem>
+ <ListItem>
+ <PropertyName>MinorLinkerVersion</PropertyName>
+ </ListItem>
+ <ListItem>
+ <Label>SizeOfCode</Label>
+ <ScriptBlock>"0x$($_.SizeOfCode.ToString('X8'))"</ScriptBlock>
+ </ListItem>
+ <ListItem>
+ <Label>SizeOfInitializedData</Label>
+ <ScriptBlock>"0x$($_.SizeOfInitializedData.ToString('X8'))"</ScriptBlock>
+ </ListItem>
+ <ListItem>
+ <Label>SizeOfUninitializedData</Label>
+ <ScriptBlock>"0x$($_.SizeOfUninitializedData.ToString('X8'))"</ScriptBlock>
+ </ListItem>
+ <ListItem>
+ <Label>AddressOfEntryPoint</Label>
+ <ScriptBlock>"0x$($_.AddressOfEntryPoint.ToString('X8'))"</ScriptBlock>
+ </ListItem>
+ <ListItem>
+ <Label>BaseOfCode</Label>
+ <ScriptBlock>"0x$($_.BaseOfCode.ToString('X8'))"</ScriptBlock>
+ </ListItem>
+ <ListItem>
+ <Label>BaseOfData</Label>
+ <ScriptBlock>"0x$($_.BaseOfData.ToString('X8'))"</ScriptBlock>
+ </ListItem>
+ <ListItem>
+ <Label>ImageBase</Label>
+ <ScriptBlock>if ($_.Magic.ToString() -eq 'PE32') { "0x$($_.ImageBase.ToString('X8'))" } else { "0x$($_.ImageBase.ToString('X16'))" }</ScriptBlock>
+ </ListItem>
+ <ListItem>
+ <Label>SectionAlignment</Label>
+ <ScriptBlock>"0x$($_.SectionAlignment.ToString('X8'))"</ScriptBlock>
+ </ListItem>
+ <ListItem>
+ <Label>FileAlignment</Label>
+ <ScriptBlock>"0x$($_.FileAlignment.ToString('X8'))"</ScriptBlock>
+ </ListItem>
+ <ListItem>
+ <PropertyName>MajorOperatingSystemVersion</PropertyName>
+ </ListItem>
+ <ListItem>
+ <PropertyName>MinorOperatingSystemVersion</PropertyName>
+ </ListItem>
+ <ListItem>
+ <PropertyName>MajorSubsystemVersion</PropertyName>
+ </ListItem>
+ <ListItem>
+ <PropertyName>MinorSubsystemVersion</PropertyName>
+ </ListItem>
+ <ListItem>
+ <PropertyName>Win32VersionValue</PropertyName>
+ </ListItem>
+ <ListItem>
+ <Label>SizeOfImage</Label>
+ <ScriptBlock>"0x$($_.SizeOfImage.ToString('X8'))"</ScriptBlock>
+ </ListItem>
+ <ListItem>
+ <Label>SizeOfHeaders</Label>
+ <ScriptBlock>"0x$($_.SizeOfHeaders.ToString('X8'))"</ScriptBlock>
+ </ListItem>
+ <ListItem>
+ <Label>CheckSum</Label>
+ <ScriptBlock>"0x$($_.CheckSum.ToString('X8'))"</ScriptBlock>
+ </ListItem>
+ <ListItem>
+ <PropertyName>Subsystem</PropertyName>
+ </ListItem>
+ <ListItem>
+ <PropertyName>DllCharacteristics</PropertyName>
+ </ListItem>
+ <ListItem>
+ <Label>SizeOfStackReserve</Label>
+ <ScriptBlock>if ($_.Magic.ToString() -eq 'PE32') { "0x$($_.ImageBase.ToString('X8'))" } else { "0x$($_.ImageBase.ToString('X16'))" }</ScriptBlock>
+ </ListItem>
+ <ListItem>
+ <Label>SizeOfStackCommit</Label>
+ <ScriptBlock>if ($_.Magic.ToString() -eq 'PE32') { "0x$($_.ImageBase.ToString('X8'))" } else { "0x$($_.ImageBase.ToString('X16'))" }</ScriptBlock>
+ </ListItem>
+ <ListItem>
+ <Label>SizeOfHeapReserve</Label>
+ <ScriptBlock>if ($_.Magic.ToString() -eq 'PE32') { "0x$($_.ImageBase.ToString('X8'))" } else { "0x$($_.ImageBase.ToString('X16'))" }</ScriptBlock>
+ </ListItem>
+ <ListItem>
+ <Label>SizeOfHeapCommit</Label>
+ <ScriptBlock>if ($_.Magic.ToString() -eq 'PE32') { "0x$($_.ImageBase.ToString('X8'))" } else { "0x$($_.ImageBase.ToString('X16'))" }</ScriptBlock>
+ </ListItem>
+ <ListItem>
+ <PropertyName>LoaderFlags</PropertyName>
+ </ListItem>
+ <ListItem>
+ <PropertyName>NumberOfRvaAndSizes</PropertyName>
+ </ListItem>
+ <ListItem>
+ <PropertyName>DataDirectory</PropertyName>
+ </ListItem>
+ </ListItems>
+ </ListEntry>
+ </ListEntries>
+ </ListControl>
+ </View>
+ <View>
+ <Name>SectionHeaderView</Name>
+ <ViewSelectedBy>
+ <TypeName>PE+_IMAGE_SECTION_HEADER</TypeName>
+ </ViewSelectedBy>
+ <TableControl>
+ <AutoSize/>
+ <TableHeaders>
+ <TableColumnHeader>
+ <Label>Name</Label>
+ <Alignment>Right</Alignment>
+ </TableColumnHeader>
+ <TableColumnHeader>
+ <Label>VirtualSize</Label>
+ </TableColumnHeader>
+ <TableColumnHeader>
+ <Label>VirtualAddress</Label>
+ </TableColumnHeader>
+ <TableColumnHeader>
+ <Label>SizeOfRawData</Label>
+ </TableColumnHeader>
+ <TableColumnHeader>
+ <Label>PointerToRawData</Label>
+ </TableColumnHeader>
+ <TableColumnHeader>
+ <Label>Characteristics</Label>
+ <Alignment>Left</Alignment>
+ </TableColumnHeader>
+ </TableHeaders>
+ <TableRowEntries>
+ <TableRowEntry>
+ <TableColumnItems>
+ <TableColumnItem>
+ <Alignment>Right</Alignment>
+ <PropertyName>Name</PropertyName>
+ </TableColumnItem>
+ <TableColumnItem>
+ <ScriptBlock>"0x$($_.VirtualSize.ToString('X8'))"</ScriptBlock>
+ </TableColumnItem>
+ <TableColumnItem>
+ <ScriptBlock>"0x$($_.VirtualAddress.ToString('X8'))"</ScriptBlock>
+ </TableColumnItem>
+ <TableColumnItem>
+ <ScriptBlock>"0x$($_.SizeOfRawData.ToString('X8'))"</ScriptBlock>
+ </TableColumnItem>
+ <TableColumnItem>
+ <ScriptBlock>"0x$($_.PointerToRawData.ToString('X8'))"</ScriptBlock>
+ </TableColumnItem>
+ <TableColumnItem>
+ <PropertyName>Characteristics</PropertyName>
+ </TableColumnItem>
+ </TableColumnItems>
+ </TableRowEntry>
+ </TableRowEntries>
+ </TableControl>
+ </View>
+ <View>
+ <Name>FileHeaderView</Name>
+ <ViewSelectedBy>
+ <TypeName>PE+_IMAGE_FILE_HEADER</TypeName>
+ </ViewSelectedBy>
+ <ListControl>
+ <ListEntries>
+ <ListEntry>
+ <ListItems>
+ <ListItem>
+ <PropertyName>Machine</PropertyName>
+ </ListItem>
+ <ListItem>
+ <PropertyName>NumberOfSections</PropertyName>
+ </ListItem>
+ <ListItem>
+ <Label>TimeDateStamp</Label>
+ <!-- GMT compile time -->
+ <ScriptBlock>(New-Object DateTime(1970, 1, 1, 0, 0, 0)).AddSeconds($_.TimeDateStamp)</ScriptBlock>
+ <!-- Compile time assuming it was compiled in Redmond, Washington (PST - GMT-8) -->
+ <!-- <ScriptBlock>(New-Object DateTime(1969, 12, 31, 16, 0, 0)).AddSeconds($_.TimeDateStamp)</ScriptBlock> -->
+ </ListItem>
+ <ListItem>
+ <PropertyName>PointerToSymbolTable</PropertyName>
+ </ListItem>
+ <ListItem>
+ <PropertyName>NumberOfSymbols</PropertyName>
+ </ListItem>
+ <ListItem>
+ <PropertyName>SizeOfOptionalHeader</PropertyName>
+ </ListItem>
+ <ListItem>
+ <PropertyName>Characteristics</PropertyName>
+ </ListItem>
+ </ListItems>
+ </ListEntry>
+ </ListEntries>
+ </ListControl>
+ </View>
+ <View>
+ <Name>DataDirectoryView</Name>
+ <ViewSelectedBy>
+ <TypeName>PE+_IMAGE_DATA_DIRECTORY</TypeName>
+ </ViewSelectedBy>
+ <TableControl>
+ <AutoSize/>
+ <TableHeaders>
+ <TableColumnHeader>
+ <Label>VirtualAddress</Label>
+ </TableColumnHeader>
+ <TableColumnHeader>
+ <Label>Size</Label>
+ </TableColumnHeader>
+ </TableHeaders>
+ <TableRowEntries>
+ <TableRowEntry>
+ <TableColumnItems>
+ <TableColumnItem>
+ <ScriptBlock>"0x$($_.VirtualAddress.ToString('X8'))"</ScriptBlock>
+ </TableColumnItem>
+ <TableColumnItem>
+ <ScriptBlock>"0x$($_.Size.ToString('X8'))"</ScriptBlock>
+ </TableColumnItem>
+ </TableColumnItems>
+ </TableRowEntry>
+ </TableRowEntries>
+ </TableControl>
+ </View>
+ <View>
+ <Name>ImportView</Name>
+ <ViewSelectedBy>
+ <TypeName>Import</TypeName>
+ </ViewSelectedBy>
+ <TableControl>
+ <AutoSize/>
+ <TableHeaders>
+ <TableColumnHeader>
+ <Label>ModuleName</Label>
+ <Alignment>Right</Alignment>
+ </TableColumnHeader>
+ <TableColumnHeader>
+ <Label>VirtualAddress</Label>
+ </TableColumnHeader>
+ <TableColumnHeader>
+ <Label>Ordinal</Label>
+ </TableColumnHeader>
+ <TableColumnHeader>
+ <Label>FunctionName</Label>
+ </TableColumnHeader>
+ </TableHeaders>
+ <TableRowEntries>
+ <TableRowEntry>
+ <TableColumnItems>
+ <TableColumnItem>
+ <Alignment>Right</Alignment>
+ <PropertyName>ModuleName</PropertyName>
+ </TableColumnItem>
+ <TableColumnItem>
+ <PropertyName>VA</PropertyName>
+ </TableColumnItem>
+ <TableColumnItem>
+ <PropertyName>Ordinal</PropertyName>
+ </TableColumnItem>
+ <TableColumnItem>
+ <PropertyName>FunctionName</PropertyName>
+ </TableColumnItem>
+ </TableColumnItems>
+ </TableRowEntry>
+ </TableRowEntries>
+ </TableControl>
+ </View>
+ <View>
+ <Name>ExportView</Name>
+ <ViewSelectedBy>
+ <TypeName>Export</TypeName>
+ </ViewSelectedBy>
+ <TableControl>
+ <AutoSize/>
+ <TableHeaders>
+ <TableColumnHeader>
+ <Label>VirtualAddress</Label>
+ </TableColumnHeader>
+ <TableColumnHeader>
+ <Label>Ordinal</Label>
+ </TableColumnHeader>
+ <TableColumnHeader>
+ <Label>FunctionName</Label>
+ </TableColumnHeader>
+ <TableColumnHeader>
+ <Label>ForwardedName</Label>
+ </TableColumnHeader>
+ </TableHeaders>
+ <TableRowEntries>
+ <TableRowEntry>
+ <TableColumnItems>
+ <TableColumnItem>
+ <PropertyName>VA</PropertyName>
+ </TableColumnItem>
+ <TableColumnItem>
+ <PropertyName>Ordinal</PropertyName>
+ </TableColumnItem>
+ <TableColumnItem>
+ <PropertyName>FunctionName</PropertyName>
+ </TableColumnItem>
+ <TableColumnItem>
+ <PropertyName>ForwardedName</PropertyName>
+ </TableColumnItem>
+ </TableColumnItems>
+ </TableRowEntry>
+ </TableRowEntries>
+ </TableControl>
+ </View>
+ </ViewDefinitions>
+</Configuration>
\ No newline at end of file |
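Review bot: The four ScriptBlocks for SizeOfStackReserve, SizeOfStackCommit, SizeOfHeapReserve and SizeOfHeapCommit (the ListItems right after DllCharacteristics in OptionalHeaderView) all read `$_.ImageBase`, so each row carries a stack/heap label but prints the image base; the PE32/PE32+ width switch is fine, only the property is wrong. Each of those lines should reference its own field in place of `$_.ImageBase`, e.g. `if ($_.Magic.ToString() -eq 'PE32') { "0x$($_.SizeOfStackReserve.ToString('X8'))" } else { "0x$($_.SizeOfStackReserve.ToString('X16'))" }`, and likewise `$_.SizeOfStackCommit`, `$_.SizeOfHeapReserve`, `$_.SizeOfHeapCommit`. Separately, the TimeDateStamp item in FileHeaderView constructs its epoch with `New-Object DateTime(1970, 1, 1, 0, 0, 0)`, which leaves DateTimeKind unspecified despite the `GMT compile time` comment; `New-Object DateTime(1970, 1, 1, 0, 0, 0, [DateTimeKind]::Utc)` makes the kind explicit, and the commented-out PST variant below it is dead markup that is better dropped than left as an alternative someone may re-enable. This value is read straight from the file header, so the view should document that it is whatever the producer wrote there, not a verified build time.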