author | mattifestation <mattgraeber@gmail.com> | 2014-11-16 10:26:11 -0500 |
committer | mattifestation <mattgraeber@gmail.com> | 2014-11-16 10:26:11 -0500 |
commit | 956e4c968a1795d868e35fcb72311704d616cbaf (patch) | |
tree | ca962602b87d3a7c89b6d864f6e17c541eb3cce2 /ReverseEngineering/ProcessModuleTrace.ps1 | |
parent | 97034006f63f2691cde8ddb1055b1253c6f93cce (diff) | |
Moving all RE functionality to PowerShellArsenal
https://github.com/mattifestation/PowerShellArsenal
PowerSploit will now stay true to its roots of being a purely offensive
PowerShell module.
Diffstat (limited to 'ReverseEngineering/ProcessModuleTrace.ps1')
-rw-r--r-- | ReverseEngineering/ProcessModuleTrace.ps1 | 103 |
1 files changed, 0 insertions, 103 deletions
diff --git a/ReverseEngineering/ProcessModuleTrace.ps1 b/ReverseEngineering/ProcessModuleTrace.ps1
deleted file mode 100644
index 85f7105..0000000
--- a/ReverseEngineering/ProcessModuleTrace.ps1
+++ /dev/null
@@ -1,103 +0,0 @@ -function Register-ProcessModuleTrace -{ -<# -.SYNOPSIS - - Starts a trace of loaded process modules - - PowerSploit Function: Register-ProcessModuleTrace - Author: Matthew Graeber (@mattifestation) - License: BSD 3-Clause - Required Dependencies: None - Optional Dependencies: None - -.OUTPUTS - - System.Management.Automation.PSEventJob - - If desired, you can manipulate the event returned with the *-Event cmdlets. - -.LINK - - http://www.exploit-monday.com/ -#> - - [CmdletBinding()] Param () - - if (-not ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] 'Administrator')) - { - throw 'You must run this cmdlet from an elevated PowerShell session.' - } - - $ModuleLoadedAction = { - $Event = $EventArgs.NewEvent - - $ModuleInfo = @{ - TimeCreated = [DateTime]::FromFileTime($Event.TIME_CREATED) - ProcessId = $Event.ProcessId - FileName = $Event.FileName - ImageBase = $Event.ImageBase - ImageSize = $Event.ImageSize - } - - $ModuleObject = New-Object PSObject -Property $ModuleInfo - $ModuleObject.PSObject.TypeNames[0] = 'LOADED_MODULE' - - $ModuleObject - } - - Register-WmiEvent 'Win32_ModuleLoadTrace' -SourceIdentifier 'ModuleLoaded' -Action $ModuleLoadedAction -} - -function Get-ProcessModuleTrace -{ -<# -.SYNOPSIS - - Displays the process modules that have been loaded since the call to Register-ProcessModuleTrace - - PowerSploit Function: Get-ProcessModuleTrace - Author: Matthew Graeber (@mattifestation) - License: BSD 3-Clause - Required Dependencies: Register-ProcessModuleTrace - Optional Dependencies: None - -.OUTPUTS - - PSObject - -.LINK - - http://www.exploit-monday.com/ -#> - - $Events = Get-EventSubscriber -SourceIdentifier 'ModuleLoaded' -ErrorVariable NoEventRegistered -ErrorAction SilentlyContinue - - if ($NoEventRegistered) - { - throw 'You must execute Register-ProcessModuleTrace before you can retrieve a loaded module list' - } - - 
$Events.Action.Output -} - -function Unregister-ProcessModuleTrace -{ -<# -.SYNOPSIS - - Stops the running process module trace - - PowerSploit Function: Unregister-ProcessModuleTrace - Author: Matthew Graeber (@mattifestation) - License: BSD 3-Clause - Required Dependencies: Register-ProcessModuleTrace - Optional Dependencies: None - -.LINK - - http://www.exploit-monday.com/ -#> - - Unregister-Event -SourceIdentifier 'ModuleLoaded' -} |