author | mattifestation <mattgraeber@gmail.com> | 2013-08-29 19:56:01 +0000 |
---|---|---|
committer | mattifestation <mattgraeber@gmail.com> | 2013-08-29 19:56:01 +0000 |
commit | 6807da424fca9e1f4b4946e695486aefb7eae1fa (patch) | |
tree | 38b769c7bf3c13c2c6fafd8bf907256270c95908 /ReverseEngineering/ProcessModuleTrace.ps1 | |
parent | fcdd3ad6428b4f1ecfd7f63be629af8cbe3204af (diff) | |
download | PowerSploit-6807da424fca9e1f4b4946e695486aefb7eae1fa.tar.gz PowerSploit-6807da424fca9e1f4b4946e695486aefb7eae1fa.zip |
Added ProcessModuleTrace cmdlets
Added *-ProcessModuleTrace cmdlets to trace details when modules are
loaded into a process. These can be useful for malware analysis.
Diffstat (limited to 'ReverseEngineering/ProcessModuleTrace.ps1')
-rw-r--r-- | ReverseEngineering/ProcessModuleTrace.ps1 | 103 |
1 files changed, 103 insertions, 0 deletions
diff --git a/ReverseEngineering/ProcessModuleTrace.ps1 b/ReverseEngineering/ProcessModuleTrace.ps1
new file mode 100644
index 0000000..3eb57a7
--- /dev/null
+++ b/ReverseEngineering/ProcessModuleTrace.ps1
@@ -0,0 +1,103 @@
+function Register-ProcessModuleTrace
+{
+<#
+.SYNOPSIS
+
+ Starts a trace of loaded process modules
+
+ PowerSploit Function: Register-ProcessModuleTrace
+ Author: Matthew Graeber (@mattifestation)
+ License: BSD 3-Clause
+ Required Dependencies: None
+ Optional Dependencies: None
+
+.OUTPUTS
+
+ System.Management.Automation.PSEventJob
+
+ If desired, you can manipulate the event returned with the *-Event cmdlets.
+
+.LINK
+
+ http://www.exploit-monday.com/
+#>
+
+ [CmdletBinding()] Param ()
+
+ if (-not ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] 'Administrator'))
+ {
+ throw 'You must run this cmdlet from an elevated PowerShell session.'
+ }
+
+ $ModuleLoadedAction = {
+ $Event = $EventArgs.NewEvent
+
+ $ModuleInfo = @{
+ TimeCreated = [DateTime]::FromFileTime($Event.TIME_CREATED)
+ ProcessId = $Event.ProcessId
+ FileName = $Event.FileName
+ ImageBase = $Event.ImageBase
+ ImageSize = $Event.ImageSize
+ }
+
+ $ModuleObject = New-Object PSObject -Property $ModuleInfo
+ $ModuleObject.PSObject.TypeNames[0] = 'LOADED_MODULE'
+
+ $ModuleObject
+ }
+
+ Register-WmiEvent 'Win32_ModuleLoadTrace' -SourceIdentifier 'ModuleLoaded' -Action $ModuleLoadedAction
+}
+
+function Get-ProcessModuleTrace
+{
+<#
+.SYNOPSIS
+
+ Displays the process modules that have been loaded since the call to Register-ProcessModuleTrace
+
+ PowerSploit Function: Get-ProcessModuleTrace
+ Author: Matthew Graeber (@mattifestation)
+ License: BSD 3-Clause
+ Required Dependencies: Register-ProcessModuleTrace
+ Optional Dependencies: None
+
+.OUTPUTS
+
+ PSObject
+
+.LINK
+
+ http://www.exploit-monday.com/
+#>
+
+ $Events = Get-EventSubscriber -SourceIdentifier 'ModuleLoaded' -ErrorVariable NoEventRegistered -ErrorAction SilentlyContinue
+
+ if ($NoEventRegistered)
+ {
+ throw 'You must execute Register-ProcessModuleTrace before you can retrieve a loaded module list'
+ }
+
+ $Events.Action.Output
+}
+
+function Unregister-ProcessModuleTrace
+{
+<#
+.SYNOPSIS
+
+ Stops the running process module trace
+
+ PowerSploit Function: Unregister-ProcessModuleTrace
+ Author: Matthew Graeber (@mattifestation)
+ License: BSD 3-Clause
+ Required Dependencies: Register-ProcessModuleTrace
+ Optional Dependencies: None
+
+.LINK
+
+ http://www.exploit-monday.com/
+#>
+
+ Unregister-Event -SourceIdentifier 'ModuleLoaded'
+}
\ No newline at end of file |
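Review bot: The subscription created by `Register-WmiEvent 'Win32_ModuleLoadTrace' -SourceIdentifier 'ModuleLoaded' -Action $ModuleLoadedAction` in Register-ProcessModuleTrace is host-wide, and because the action emits one object per event and nothing ever trims the collection that `Get-ProcessModuleTrace` returns via `$Events.Action.Output`, the buffer grows with every image load in every process for as long as the trace lives, with no way to scope it to the sample under analysis. A WQL filter keeps that bounded: add an optional `[Int32] $ProcessId` to `Param ()` and, when it is supplied, register with `Register-WmiEvent -Query "SELECT * FROM Win32_ModuleLoadTrace WHERE ProcessID = $ProcessId" -SourceIdentifier 'ModuleLoaded' -Action $ModuleLoadedAction`, falling back to the current class subscription otherwise. The help should also say that a second Register-ProcessModuleTrace call in the same session fails because the source identifier `'ModuleLoaded'` is fixed and already taken, so callers must run Unregister-ProcessModuleTrace first. For the malware-analysis use case in the commit message, a caveat belongs in the .SYNOPSIS as well: as far as I can tell these image-load events are raised only for modules mapped through the normal loader path, so a manually mapped or reflectively loaded payload is not expected to appear, e.g. `Note: only modules mapped through the loader are reported; manually mapped or reflectively loaded images will not show up.`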