author | mattifestation <mattgraeber@gmail.com> | 2013-08-29 19:56:01 +0000 |
---|---|---|
committer | mattifestation <mattgraeber@gmail.com> | 2013-08-29 19:56:01 +0000 |
commit | 6807da424fca9e1f4b4946e695486aefb7eae1fa (patch) | |
tree | 38b769c7bf3c13c2c6fafd8bf907256270c95908 /ReverseEngineering/ProcessModuleTrace.format.ps1xml | |
parent | fcdd3ad6428b4f1ecfd7f63be629af8cbe3204af (diff) | |
Added ProcessModuleTrace cmdlets
Added *-ProcessModuleTrace cmdlets to trace details when modules are
loaded into a process. These can be useful for malware analysis.
Diffstat (limited to 'ReverseEngineering/ProcessModuleTrace.format.ps1xml')
-rw-r--r-- | ReverseEngineering/ProcessModuleTrace.format.ps1xml | 36 |
1 files changed, 36 insertions, 0 deletions
diff --git a/ReverseEngineering/ProcessModuleTrace.format.ps1xml b/ReverseEngineering/ProcessModuleTrace.format.ps1xml
new file mode 100644
index 0000000..fbad0b9
--- /dev/null
+++ b/ReverseEngineering/ProcessModuleTrace.format.ps1xml
@@ -0,0 +1,36 @@
+<?xml version="1.0" encoding="utf-8" ?>
+<Configuration>
+ <ViewDefinitions>
+ <View>
+ <Name>ProcessModuleTraceView</Name>
+ <ViewSelectedBy>
+ <TypeName>LOADED_MODULE</TypeName>
+ </ViewSelectedBy>
+ <ListControl>
+ <ListEntries>
+ <ListEntry>
+ <ListItems>
+ <ListItem>
+ <PropertyName>TimeCreated</PropertyName>
+ </ListItem>
+ <ListItem>
+ <PropertyName>ProcessId</PropertyName>
+ </ListItem>
+ <ListItem>
+ <PropertyName>FileName</PropertyName>
+ </ListItem>
+ <ListItem>
+ <Label>ImageBase</Label>
+ <ScriptBlock>"0x$($_.ImageBase.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
+ </ListItem>
+ <ListItem>
+ <PropertyName>ImageSize</PropertyName>
+ <FormatString>0x{0:X8}</FormatString>
+ </ListItem>
+ </ListItems>
+ </ListEntry>
+ </ListEntries>
+ </ListControl>
+ </View>
+ </ViewDefinitions>
+</Configuration>
\ No newline at end of file |
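Review bot: The ImageBase ScriptBlock pads the address to `[IntPtr]::Size * 2` hex digits, which is the pointer width of the PowerShell host that imports this view, not of the process whose module load was traced; on a 64-bit host a module loaded into a 32-bit (WoW64) process will therefore print as sixteen digits, and on a 32-bit host a 64-bit address would be rendered with fewer digits than it needs. This is cosmetic but worth documenting so nobody reads the width as evidence of the target's bitness, e.g. `<!-- width follows the PowerShell host's pointer size, not the traced process; a WoW64 module shows 16 digits on a 64-bit host -->` above the ScriptBlock, together with a note on why a FormatString was not used for this property (presumably ImageBase is an IntPtr, which does not honour composite format specifiers on .NET Framework — confirm against the cmdlet). Since a ps1xml with a ScriptBlock is executable content under the importing session's execution policy, a short header comment stating that the file must be protected and signed like any other script in the module would also help reviewers. The file is also missing its trailing newline.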