authorclymb3r <bialek.joseph@gmail.com>2014-04-16 21:02:50 -0700
committerclymb3r <bialek.joseph@gmail.com>2014-04-16 21:02:50 -0700
commitb783b459c12112509a733253df9f5935e104200c (patch)
treee58bce1f7d2f2584d1426262cc609f153d774e51 /ReverseEngineering
parent47b90647c11cb4956c735cfa47628dc7dcb03bb6 (diff)
parent946328cf9e6d6c60eca2bb9d71a38e210c1c3b6c (diff)
Merge branch 'master' of https://github.com/mattifestation/PowerSploit
Conflicts: Recon/Get-ComputerDetails.ps1 Recon/Recon.psd1
Diffstat (limited to 'ReverseEngineering')
-rw-r--r--ReverseEngineering/ConvertTo-String.ps14
-rw-r--r--ReverseEngineering/Get-Entropy.ps1106
-rw-r--r--ReverseEngineering/Get-ILDisassembly.format.ps1xml10
-rw-r--r--ReverseEngineering/Get-ILDisassembly.ps115
-rw-r--r--ReverseEngineering/Get-MethodAddress.ps14
-rw-r--r--ReverseEngineering/Get-NtSystemInformation.format.ps1xml2
-rw-r--r--ReverseEngineering/Get-NtSystemInformation.ps12
-rw-r--r--ReverseEngineering/Get-PEB.format.ps1xml2
-rw-r--r--ReverseEngineering/Get-PEB.ps14
-rw-r--r--ReverseEngineering/Get-Strings.ps14
-rw-r--r--ReverseEngineering/Get-StructFromMemory.ps14
-rw-r--r--ReverseEngineering/New-Object.ps1bin4376 -> 2189 bytes
-rw-r--r--ReverseEngineering/ProcessModuleTrace.format.ps1xml4
-rw-r--r--ReverseEngineering/ProcessModuleTrace.ps14
-rw-r--r--ReverseEngineering/ReverseEngineering.psd14
-rw-r--r--ReverseEngineering/ReverseEngineering.psm12
16 files changed, 143 insertions, 28 deletions
diff --git a/ReverseEngineering/ConvertTo-String.ps1 b/ReverseEngineering/ConvertTo-String.ps1
index ab46c74..1c030b4 100644
--- a/ReverseEngineering/ConvertTo-String.ps1
+++ b/ReverseEngineering/ConvertTo-String.ps1
@@ -1,4 +1,4 @@
-filter ConvertTo-String
+filter ConvertTo-String
{
<#
.SYNOPSIS
@@ -67,4 +67,4 @@ http://www.exploit-monday.com
$FileStream.Close()
Write-Output $BinaryText
-} \ No newline at end of file
+}
diff --git a/ReverseEngineering/Get-Entropy.ps1 b/ReverseEngineering/Get-Entropy.ps1
new file mode 100644
index 0000000..42e5d28
--- /dev/null
+++ b/ReverseEngineering/Get-Entropy.ps1
@@ -0,0 +1,106 @@
+function Get-Entropy
+{
+<#
+.SYNOPSIS
+
+ Calculates the entropy of a file or byte array.
+
+ PowerSploit Function: Get-Entropy
+ Author: Matthew Graeber (@mattifestation)
+ License: BSD 3-Clause
+ Required Dependencies: None
+ Optional Dependencies: None
+
+.PARAMETER ByteArray
+
+ Specifies the byte array containing the data from which entropy will be calculated.
+
+.PARAMETER FilePath
+
+ Specifies the path to the input file from which entropy will be calculated.
+
+.EXAMPLE
+
+ C:\PS>Get-Entropy -FilePath C:\Windows\System32\kernel32.dll
+
+.EXAMPLE
+
+ C:\PS>ls C:\Windows\System32\*.dll | % { Get-Entropy -FilePath $_ }
+
+.EXAMPLE
+
+ C:\PS>$RandArray = New-Object Byte[](10000)
+ C:\PS>foreach ($Offset in 0..9999) { $RandArray[$Offset] = [Byte] (Get-Random -Min 0 -Max 256) }
+ C:\PS>$RandArray | Get-Entropy
+
+ Description
+ -----------
+ Calculates the entropy of a large array containing random bytes.
+
+.EXAMPLE
+
+ C:\PS> 0..255 | Get-Entropy
+
+ Description
+ -----------
+ Calculates the entropy of 0-255. This should equal exactly 8.
+
+.OUTPUTS
+
+ System.Double
+
+ Get-Entropy outputs a double representing the entropy of the byte array.
+
+.LINK
+
+ http://www.exploit-monday.com
+#>
+
+ [CmdletBinding()] Param (
+ [Parameter(Mandatory = $True, Position = 0, ValueFromPipeline = $True, ParameterSetName = 'Bytes')]
+ [ValidateNotNullOrEmpty()]
+ [Byte[]]
+ $ByteArray,
+
+ [Parameter(Mandatory = $True, Position = 0, ParameterSetName = 'File')]
+ [ValidateNotNullOrEmpty()]
+ [IO.FileInfo]
+ $FilePath
+ )
+
+ BEGIN
+ {
+ $FrequencyTable = @{}
+ $ByteArrayLength = 0
+ }
+
+ PROCESS
+ {
+ if ($PsCmdlet.ParameterSetName -eq 'File')
+ {
+ $ByteArray = [IO.File]::ReadAllBytes($FilePath.FullName)
+ }
+
+ foreach ($Byte in $ByteArray)
+ {
+ $FrequencyTable[$Byte]++
+ $ByteArrayLength++
+ }
+ }
+
+ END
+ {
+ $Entropy = 0.0
+
+ foreach ($Byte in 0..255)
+ {
+ $ByteProbability = ([Double] $FrequencyTable[[Byte]$Byte]) / $ByteArrayLength
+ if ($ByteProbability -gt 0)
+ {
+ $Entropy += -$ByteProbability * [Math]::Log($ByteProbability, 2)
+ }
+ }
+
+ Write-Output $Entropy
+ }
+} \ No newline at end of file
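Review bot: The division in END, `$ByteProbability = ([Double] $FrequencyTable[[Byte]$Byte]) / $ByteArrayLength`, runs with `$ByteArrayLength` still 0 when `-FilePath` names a zero-length file, because `[ValidateNotNullOrEmpty()]` checks the parameter, not the bytes that `ReadAllBytes` returns; the output is then NaN (or a divide-by-zero error) rather than a clear message. A guard at the top of END, `if ($ByteArrayLength -eq 0) { Write-Error 'Get-Entropy: no input bytes to measure.'; return }`, makes that failure explicit. The .OUTPUTS help could also state the unit, e.g. `Entropy in bits per byte, from 0 (constant data) to 8 (uniformly distributed bytes)`, since the 0..255 example already relies on that scale.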
diff --git a/ReverseEngineering/Get-ILDisassembly.format.ps1xml b/ReverseEngineering/Get-ILDisassembly.format.ps1xml
index f933e1e..21115d6 100644
--- a/ReverseEngineering/Get-ILDisassembly.format.ps1xml
+++ b/ReverseEngineering/Get-ILDisassembly.format.ps1xml
@@ -1,4 +1,4 @@
-<?xml version="1.0" encoding="utf-8" ?>
+<?xml version="1.0" encoding="utf-8" ?>
<Configuration>
<ViewDefinitions>
<View>
@@ -18,6 +18,9 @@
<TableColumnHeader>
<Label>Operand</Label>
</TableColumnHeader>
+ <TableColumnHeader>
+ <Label>MetadataToken</Label>
+ </TableColumnHeader>
</TableHeaders>
<TableRowEntries>
<TableRowEntry>
@@ -31,10 +34,13 @@
<TableColumnItem>
<PropertyName>Operand</PropertyName>
</TableColumnItem>
+ <TableColumnItem>
+ <ScriptBlock>if ($_.MetadataToken) {"0x$($_.MetadataToken.ToString('X8'))"}</ScriptBlock>
+ </TableColumnItem>
</TableColumnItems>
</TableRowEntry>
</TableRowEntries>
</TableControl>
</View>
</ViewDefinitions>
-</Configuration> \ No newline at end of file
+</Configuration>
diff --git a/ReverseEngineering/Get-ILDisassembly.ps1 b/ReverseEngineering/Get-ILDisassembly.ps1
index 645dc39..6948919 100644
--- a/ReverseEngineering/Get-ILDisassembly.ps1
+++ b/ReverseEngineering/Get-ILDisassembly.ps1
@@ -68,9 +68,9 @@ Disassembles the System.Array.BinarySearch(Array, Object) method
.INPUTS
-System.Reflection.MethodInfo
+System.Reflection.MethodInfo, System.Reflection.ConstructorInfo
-The method description containing the raw IL bytecodes.
+A method or constructor description containing the raw IL bytecodes.
.OUTPUTS
@@ -88,7 +88,8 @@ http://www.ecma-international.org/publications/files/ECMA-ST/Ecma-335.pdf
Param (
[Parameter(Mandatory = $True, ValueFromPipeline = $True)]
- [System.Reflection.MethodInfo]
+ [ValidateScript({$_ -is [Reflection.MethodInfo] -or $_ -is [Reflection.ConstructorInfo]})]
+ [Object]
$MethodInfo
)
@@ -131,6 +132,7 @@ http://www.ecma-international.org/publications/files/ECMA-ST/Ecma-335.pdf
$Type = $Op.OperandType
$Operand = $null
+ $OpInt = $null
if ($Type -eq 'InlineNone') {
$OperandLength = 0
@@ -191,13 +193,14 @@ http://www.ecma-international.org/publications/files/ECMA-ST/Ecma-335.pdf
if (($OperandLength -gt 0) -and ($OperandLength -ne 4) -and ($Type -ne 'InlineSwitch') -and ($Type -ne 'ShortInlineBrTarget')) {
# Simply print the hex for all operands with immediate values
- $Operand = "0x{0}" -f (($IL[$Position..($Position+$OperandLength-1)] | ForEach-Object { $_.ToString('X2') }) -join '')
+ $Operand = "0x{0}" -f (($IL[($Position+$OperandLength-1)..$Position] | ForEach-Object { $_.ToString('X2') }) -join '')
}
$Instruction = @{
Position = $InstructionPostion
- Instruction = $Op.Name
+ Instruction = $Op
Operand = $Operand
+ MetadataToken = $OpInt
}
# Return a custom object containing a position, instruction, and fully-qualified operand
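Review bot: The comment `# Simply print the hex for all operands with immediate values` no longer describes the line under it, which now reads the operand bytes from `($Position+$OperandLength-1)` down to `$Position`; a reader has to work out that this undoes the little-endian encoding so the hex shows the numeric value. Replace it with `# Operands are stored little-endian; walk the bytes backwards so the hex reads as the immediate value`. The `Instruction = $Op` change also turns the Instruction property from a string (`$Op.Name`) into the OpCode object, so callers comparing `$_.Instruction -eq 'call'` may no longer match; the .OUTPUTS help (the hunk at `@@ -68,9 +68,9 @@` already edits the adjacent .INPUTS text) should mention the new type. The enclosing function starts and ends outside this hunk.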
@@ -209,4 +212,4 @@ http://www.ecma-international.org/publications/files/ECMA-ST/Ecma-335.pdf
# Adjust the position in the opcode array accordingly
$Position += $OperandLength
}
-} \ No newline at end of file
+}
diff --git a/ReverseEngineering/Get-MethodAddress.ps1 b/ReverseEngineering/Get-MethodAddress.ps1
index 4a488cf..1ab0d41 100644
--- a/ReverseEngineering/Get-MethodAddress.ps1
+++ b/ReverseEngineering/Get-MethodAddress.ps1
@@ -1,4 +1,4 @@
-function Get-MethodAddress
+function Get-MethodAddress
{
<#
.SYNOPSIS
@@ -117,4 +117,4 @@ http://www.exploit-monday.com/2012/11/Get-MethodAddress.html
{
Write-Error "$($MethodInfo.Name) cannot return an unmanaged address."
}
-} \ No newline at end of file
+}
diff --git a/ReverseEngineering/Get-NtSystemInformation.format.ps1xml b/ReverseEngineering/Get-NtSystemInformation.format.ps1xml
index 41b5280..fa3ed41 100644
--- a/ReverseEngineering/Get-NtSystemInformation.format.ps1xml
+++ b/ReverseEngineering/Get-NtSystemInformation.format.ps1xml
@@ -437,4 +437,4 @@
</ListControl>
</View>
</ViewDefinitions>
-</Configuration> \ No newline at end of file
+</Configuration>
diff --git a/ReverseEngineering/Get-NtSystemInformation.ps1 b/ReverseEngineering/Get-NtSystemInformation.ps1
index bb0871a..2bde8f6 100644
--- a/ReverseEngineering/Get-NtSystemInformation.ps1
+++ b/ReverseEngineering/Get-NtSystemInformation.ps1
@@ -1,4 +1,4 @@
-function Get-NtSystemInformation
+function Get-NtSystemInformation
{
<#
.SYNOPSIS
diff --git a/ReverseEngineering/Get-PEB.format.ps1xml b/ReverseEngineering/Get-PEB.format.ps1xml
index 3d075eb..59b5362 100644
--- a/ReverseEngineering/Get-PEB.format.ps1xml
+++ b/ReverseEngineering/Get-PEB.format.ps1xml
@@ -1207,4 +1207,4 @@
</ListControl>
</View>
</ViewDefinitions>
-</Configuration> \ No newline at end of file
+</Configuration>
diff --git a/ReverseEngineering/Get-PEB.ps1 b/ReverseEngineering/Get-PEB.ps1
index 86e064d..7ec5089 100644
--- a/ReverseEngineering/Get-PEB.ps1
+++ b/ReverseEngineering/Get-PEB.ps1
@@ -1,4 +1,4 @@
-function Get-PEB
+function Get-PEB
{
<#
.SYNOPSIS
@@ -1089,4 +1089,4 @@ http://msdn.microsoft.com/en-us/library/windows/desktop/aa813706(v=vs.85).aspx
END{}
-} \ No newline at end of file
+}
diff --git a/ReverseEngineering/Get-Strings.ps1 b/ReverseEngineering/Get-Strings.ps1
index 7acb9f1..2cb971c 100644
--- a/ReverseEngineering/Get-Strings.ps1
+++ b/ReverseEngineering/Get-Strings.ps1
@@ -1,4 +1,4 @@
-function Get-Strings
+function Get-Strings
{
<#
.SYNOPSIS
@@ -95,4 +95,4 @@ http://www.exploit-monday.com
}
}
END {}
-} \ No newline at end of file
+}
diff --git a/ReverseEngineering/Get-StructFromMemory.ps1 b/ReverseEngineering/Get-StructFromMemory.ps1
index c32c190..68f7651 100644
--- a/ReverseEngineering/Get-StructFromMemory.ps1
+++ b/ReverseEngineering/Get-StructFromMemory.ps1
@@ -1,4 +1,4 @@
-function Get-StructFromMemory
+function Get-StructFromMemory
{
<#
.SYNOPSIS
@@ -200,4 +200,4 @@ http://www.exploit-monday.com
$SafeHandle.Close()
Write-Output $ParsedStruct
-} \ No newline at end of file
+}
diff --git a/ReverseEngineering/New-Object.ps1 b/ReverseEngineering/New-Object.ps1
index 77b24f6..52c38c8 100644
--- a/ReverseEngineering/New-Object.ps1
+++ b/ReverseEngineering/New-Object.ps1
Binary files differ
diff --git a/ReverseEngineering/ProcessModuleTrace.format.ps1xml b/ReverseEngineering/ProcessModuleTrace.format.ps1xml
index fbad0b9..ffb6761 100644
--- a/ReverseEngineering/ProcessModuleTrace.format.ps1xml
+++ b/ReverseEngineering/ProcessModuleTrace.format.ps1xml
@@ -1,4 +1,4 @@
-<?xml version="1.0" encoding="utf-8" ?>
+<?xml version="1.0" encoding="utf-8" ?>
<Configuration>
<ViewDefinitions>
<View>
@@ -33,4 +33,4 @@
</ListControl>
</View>
</ViewDefinitions>
-</Configuration> \ No newline at end of file
+</Configuration>
diff --git a/ReverseEngineering/ProcessModuleTrace.ps1 b/ReverseEngineering/ProcessModuleTrace.ps1
index 3eb57a7..85f7105 100644
--- a/ReverseEngineering/ProcessModuleTrace.ps1
+++ b/ReverseEngineering/ProcessModuleTrace.ps1
@@ -1,4 +1,4 @@
-function Register-ProcessModuleTrace
+function Register-ProcessModuleTrace
{
<#
.SYNOPSIS
@@ -100,4 +100,4 @@ function Unregister-ProcessModuleTrace
#>
Unregister-Event -SourceIdentifier 'ModuleLoaded'
-} \ No newline at end of file
+}
diff --git a/ReverseEngineering/ReverseEngineering.psd1 b/ReverseEngineering/ReverseEngineering.psd1
index b7da355..d9c733f 100644
--- a/ReverseEngineering/ReverseEngineering.psd1
+++ b/ReverseEngineering/ReverseEngineering.psd1
@@ -1,4 +1,4 @@
-@{
+@{
# Script module or binary module file associated with this manifest.
ModuleToProcess = 'ReverseEngineering.psm1'
@@ -76,7 +76,7 @@ ModuleList = @(@{ModuleName = 'ReverseEngineering'; ModuleVersion = '1.0.0.0'; G
FileList = 'ReverseEngineering.psm1', 'ReverseEngineering.psd1', 'Get-ILDisassembly.ps1', 'Get-NtSystemInformation.format.ps1xml',
'Get-NtSystemInformation.ps1', 'Get-Member.ps1', 'Get-MethodAddress.ps1', 'Get-PEB.format.ps1xml',
'Get-PEB.ps1', 'Get-Strings.ps1', 'Get-StructFromMemory.ps1', 'ConvertTo-String.ps1',
- 'New-Object.ps1', 'Get-ILDisassembly.format.ps1xml', 'ProcessModuleTrace.ps1', 'Usage.md'
+ 'Get-Entropy.ps1', 'New-Object.ps1', 'Get-ILDisassembly.format.ps1xml', 'ProcessModuleTrace.ps1', 'Usage.md'
# Private data to pass to the module specified in RootModule/ModuleToProcess
# PrivateData = ''
diff --git a/ReverseEngineering/ReverseEngineering.psm1 b/ReverseEngineering/ReverseEngineering.psm1
index 5bb81d3..81d3818 100644
--- a/ReverseEngineering/ReverseEngineering.psm1
+++ b/ReverseEngineering/ReverseEngineering.psm1
@@ -1 +1 @@
-Get-ChildItem (Join-Path $PSScriptRoot *.ps1) | % { . $_.FullName} \ No newline at end of file
+Get-ChildItem (Join-Path $PSScriptRoot *.ps1) | % { . $_.FullName}