authorbitform <matt@exploit-monday.com>2013-01-19 18:59:40 -0500
committerbitform <matt@exploit-monday.com>2013-01-19 18:59:40 -0500
commit3c87916e19a942d3168cbe8cf37d0e380cdd865b (patch)
tree3e2d5d44dd2cedac7a1eded3bdde3ed618f53730 /ReverseEngineering
parentfcb17a423678dbc5b6acf663df0ebe9d7cfbba17 (diff)
Renamed RE_Tools. Now ReverseEngineering module
* I renamed RE_Tools to ReverseEngineering and made it a module. * Slight consistency modifications were made to documentation. * This is one step in the process of modularizing all of PowerSploit.
Diffstat (limited to 'ReverseEngineering')
-rw-r--r--ReverseEngineering/Get-ILDisassembly.ps1207
-rw-r--r--ReverseEngineering/Get-KernelModuleInfo.format.ps1xml83
-rw-r--r--ReverseEngineering/Get-KernelModuleInfo.ps1246
-rw-r--r--ReverseEngineering/Get-Member.ps1369
-rw-r--r--ReverseEngineering/Get-MethodAddress.ps1113
-rw-r--r--ReverseEngineering/Get-PEB.format.ps1xml1099
-rw-r--r--ReverseEngineering/Get-PEB.ps11017
-rw-r--r--ReverseEngineering/Get-Strings.ps198
-rw-r--r--ReverseEngineering/Get-StructFromMemory.ps1203
-rw-r--r--ReverseEngineering/ReverseEngineering.psd190
-rw-r--r--ReverseEngineering/ReverseEngineering.psm11
11 files changed, 3526 insertions, 0 deletions
diff --git a/ReverseEngineering/Get-ILDisassembly.ps1 b/ReverseEngineering/Get-ILDisassembly.ps1
new file mode 100644
index 0000000..623d904
--- /dev/null
+++ b/ReverseEngineering/Get-ILDisassembly.ps1
@@ -0,0 +1,207 @@
+function Get-ILDisassembly
+{
+<#
+.SYNOPSIS
+
+PowerSploit Module - Get-ILDisassembly
+Author: Matthew Graeber (@mattifestation)
+License: BSD 3-Clause
+Required Dependencies: None
+Optional Dependencies: None
+
+.DESCRIPTION
+
+Get-ILDisassembly disassembles a raw MSIL byte array passed in from a MethodInfo object in a manner similar to that of Ildasm.
+
+The majority of this code was simply translated from C# (with permission) from a code example taken from: "C# 4.0 in a Nutshell", Copyright 2010, Joseph Albahari and Ben Albahari, pg. 728-733
+
+.PARAMETER MethodInfo
+
+A MethodInfo object that describes the implementation of the method and contains the IL for the method.
+
+.EXAMPLE
+
+C:\PS> [Int].GetMethod('Parse', [String]) | Get-ILDisassembly | Format-Table Position, Instruction, Operand -AutoSize
+
+Position Instruction Operand
+-------- ----------- -------
+IL_0000 ldarg.0
+IL_0001 ldc.i4.7
+IL_0002 call System.Globalization.NumberFormatInfo.get_CurrentInfo
+IL_0007 call System.Number.ParseInt32
+IL_000C ret
+
+Description
+-----------
+Disassembles the System.Int32.Parse(String) method
+
+.EXAMPLE
+
+C:\PS> $MethodInfo = [Array].GetMethod('BinarySearch', [Type[]]([Array], [Object]))
+C:\PS> Get-ILDisassembly $MethodInfo | Format-Table Position, Instruction, Operand -AutoSize
+
+Position Instruction Operand
+-------- ----------- -------
+IL_0000 ldarg.0
+IL_0001 brtrue.s IL_000E
+IL_0003 ldstr 'array'
+IL_0008 newobj System.ArgumentNullException..ctor
+IL_000D throw
+IL_000E ldarg.0
+IL_000F ldc.i4.0
+IL_0010 callvirt System.Array.GetLowerBound
+IL_0015 stloc.0
+IL_0016 ldarg.0
+IL_0017 ldloc.0
+IL_0018 ldarg.0
+IL_0019 callvirt System.Array.get_Length
+IL_001E ldarg.1
+IL_001F ldnull
+IL_0020 call System.Array.BinarySearch
+IL_0025 ret
+
+Description
+-----------
+Disassembles the System.Array.BinarySearch(Array, Object) method
+
+.INPUTS
+
+System.Reflection.MethodInfo
+
+The method description containing the raw IL bytecodes.
+
+.OUTPUTS
+
+System.Object
+
+Returns a custom object consisting of a position, instruction, and opcode parameter.
+
+.LINK
+
+http://www.exploit-monday.com
+http://www.albahari.com/nutshell/cs4ch18.aspx
+http://msdn.microsoft.com/en-us/library/system.reflection.emit.opcodes.aspx
+http://www.ecma-international.org/publications/files/ECMA-ST/Ecma-335.pdf
+#>
+
+ Param (
+ [Parameter(Mandatory = $True, ValueFromPipeline = $True)]
+ [System.Reflection.MethodInfo]
+ $MethodInfo
+ )
+
+ if (!($MethodInfo.GetMethodBody())) {
+ return
+ }
+
+ $IL = $MethodInfo.GetMethodBody().GetILAsByteArray()
+ $MethodModule = $MethodInfo.DeclaringType.Module
+
+ $OpCodeTable = @{}
+
+ # Fill OpCodeTable with every OpCode so that it can be referenced by numeric byte value
+ [System.Reflection.Emit.OpCodes].GetMembers() |
+ ForEach-Object {
+ try {
+ $OpCode = $_.GetValue($null)
+ $OpCodeTable[[Int16] $OpCode.Value] = $OpCode
+ } catch {}
+ }
+
+ $Position = 0
+
+ # Disassemble every instruction until the end of the IL bytecode array is reached
+ while ($Position -lt $IL.Length) {
+
+ # Get current instruction position
+ $InstructionPostion = "IL_{0}" -f ($Position.ToString('X4'))
+
+ if ($IL[$Position] -eq 0xFE) {
+ # You are dealing with a two-byte opcode in this case
+ $Op = $OpCodeTable[[Int16] ([BitConverter]::ToInt16($IL[($Position+1)..$Position], 0))]
+ $Position++
+ } else {
+ # Otherwise, it's a one-byte opcode
+ $Op = $OpCodeTable[[Int16] $IL[$Position]]
+ }
+
+ $Position++
+
+ $Type = $Op.OperandType
+ $Operand = $null
+
+ if ($Type -eq 'InlineNone') {
+ $OperandLength = 0
+ } elseif (($Type -eq 'ShortInlineBrTarget') -or ($Type -eq 'ShortInlineI') -or ($Type -eq 'ShortInlineVar')) {
+ $OperandLength = 1
+
+ if ($Type -eq 'ShortInlineBrTarget') { # Short relative jump instruction
+ # [SByte]::Parse was used because PowerShell doesn't handle signed bytes well
+ $Target = $Position + ([SByte]::Parse($IL[$Position].ToString('X2'), 'AllowHexSpecifier')) + 1
+ $Operand = "IL_{0}" -f ($Target.ToString('X4'))
+ }
+ } elseif ($Type -eq 'InlineVar') {
+ $OperandLength = 2
+ } elseif (($Type -eq 'InlineI8') -or (($Type -eq 'InlineR'))) {
+ $OperandLength = 8
+ } elseif ($Type -eq 'InlineSwitch') {
+ # This is the only operand type with a variable number of operands
+ $TargetCount = [BitConverter]::ToInt32($IL, $Position)
+ $OperandLength = 4 * ($TargetCount + 1)
+ $Targets = New-Object String[]($TargetCount)
+
+ foreach ($i in 0..($TargetCount - 1)) {
+ # Get all switch jump targets
+ $Target = [BitConverter]::ToInt32($IL, ($Position + ($i + 1) * 4))
+ $Targets[$i] = "IL_{0}" -f (($Position + $Target + $OperandLength).ToString('X4'))
+ }
+
+ $Operand = "({0})" -f ($Targets -join ',')
+ } else {
+ $OperandLength = 4
+ $Operand = $null
+
+ $OpInt = [BitConverter]::ToInt32($IL, $Position)
+
+ if (($Type -eq 'InlineTok') -or ($Type -eq 'InlineMethod') -or ($Type -eq 'InlineField') -or ($Type -eq 'InlineType')) {
+ # Resolve all operands with metadata tokens
+ Write-Verbose "OpCode Metadata for member: $OpInt"
+ try { $MemberInfo = $MethodModule.ResolveMember($OpInt) } catch { $Operand = $null }
+ if (!$MemberInfo) { $Operand = $null }
+
+ # Retrieve the actual name of the class and method
+ if ($MemberInfo.ReflectedType) {
+ $Operand = "{0}.{1}" -f ($MemberInfo.ReflectedType.Fullname), ($MemberInfo.Name)
+ } elseif ($MemberInfo -is [Type]) {
+ $Operand = $MemberInfo.GetType().FullName
+ } else {
+ $Operand = $MemberInfo.Name
+ }
+ } elseif ($Type -eq 'InlineString') {
+ # Retrieve the referenced string
+ $Operand = "`'{0}`'" -f ($MethodModule.ResolveString($OpInt))
+ } elseif ($Type -eq 'InlineBrTarget') {
+ $Operand = "IL_{0}" -f (($Position + $OpInt + 4).ToString('X4'))
+ } else {
+ $Operand = $null
+ }
+ }
+
+ if (($OperandLength -gt 0) -and ($OperandLength -ne 4) -and ($Type -ne 'InlineSwitch') -and ($Type -ne 'ShortInlineBrTarget')) {
+ # Simply print the hex for all operands with immediate values
+ $Operand = "0x{0}" -f (($IL[$Position..($Position+$OperandLength-1)] | ForEach-Object { $_.ToString('X2') }) -join '')
+ }
+
+ $Instruction = @{
+ Position = $InstructionPostion
+ Instruction = $Op.Name
+ Operand = $Operand
+ }
+
+ # Return a custom object containing a position, instruction, and fully-qualified operand
+ New-Object PSObject -Property $Instruction
+
+ # Adjust the position in the opcode array accordingly
+ $Position += $OperandLength
+ }
+} \ No newline at end of file
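Review bot: A metadata token that fails to resolve in the InlineTok/InlineMethod/InlineField/InlineType branch is labelled with the previous instruction's member, because `$MemberInfo` is never reset before the `try` and the `catch` only clears `$Operand`, after which the `ReflectedType`/`Name` checks run on the stale object from an earlier iteration; add `$MemberInfo = $null` ahead of the `try` and skip the naming block while it is still null. In the same branch, `$MemberInfo.GetType().FullName` for a `[Type]` operand prints the reflection wrapper's own type name rather than the referenced type; `$Operand = $MemberInfo.FullName` is what the Ildasm-style output wants. Separately, four-byte immediates (`InlineI`, e.g. `ldc.i4`) end up with no operand at all, since the final `else` leaves `$Operand` null and the hex fallback excludes `$OperandLength -eq 4`; an explicit `elseif ($Type -eq 'InlineI') { $Operand = "0x{0:X8}" -f $OpInt }` closes that gap. It may also be worth guarding `$Op` against a null lookup (unknown opcode byte) before reading `$Op.OperandType`, since a bad byte currently falls through to the four-byte path silently.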
diff --git a/ReverseEngineering/Get-KernelModuleInfo.format.ps1xml b/ReverseEngineering/Get-KernelModuleInfo.format.ps1xml
new file mode 100644
index 0000000..3e3f347
--- /dev/null
+++ b/ReverseEngineering/Get-KernelModuleInfo.format.ps1xml
@@ -0,0 +1,83 @@
+<?xml version="1.0" encoding="utf-8" ?>
+<Configuration>
+ <DefaultSettings>
+ <EnumerableExpansions>
+ <EnumerableExpansion>
+ <Expand>Both</Expand>
+ </EnumerableExpansion>
+ </EnumerableExpansions>
+ </DefaultSettings>
+ <ViewDefinitions>
+ <View>
+ <Name>SystemModuleView</Name>
+ <ViewSelectedBy>
+ <TypeName>SystemInformation.SYSTEM_MODULE</TypeName>
+ </ViewSelectedBy>
+ <TableControl>
+ <AutoSize/>
+ <TableHeaders>
+ <TableColumnHeader>
+ <Label>ImageBaseAddress</Label>
+ </TableColumnHeader>
+ <TableColumnHeader>
+ <Label>ImageSize</Label>
+ </TableColumnHeader>
+ <TableColumnHeader>
+ <Label>Flags</Label>
+ </TableColumnHeader>
+ <TableColumnHeader>
+ <Label>Id</Label>
+ </TableColumnHeader>
+ <TableColumnHeader>
+ <Label>Rank</Label>
+ </TableColumnHeader>
+ <TableColumnHeader>
+ <Label>W018</Label>
+ </TableColumnHeader>
+ <TableColumnHeader>
+ <Label>NameOffset</Label>
+ </TableColumnHeader>
+ <TableColumnHeader>
+ <Label>Name</Label>
+ </TableColumnHeader>
+ </TableHeaders>
+ <TableRowEntries>
+ <TableRowEntry>
+ <TableColumnItems>
+ <TableColumnItem>
+ <ScriptBlock>"0x$($_.ImageBaseAddress.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
+ </TableColumnItem>
+ <TableColumnItem>
+ <PropertyName>ImageSize</PropertyName>
+ <FormatString>0x{0:X8}</FormatString>
+ </TableColumnItem>
+ <TableColumnItem>
+ <PropertyName>Flags</PropertyName>
+ <FormatString>0x{0:X8}</FormatString>
+ </TableColumnItem>
+ <TableColumnItem>
+ <PropertyName>Id</PropertyName>
+ <FormatString>0x{0:X4}</FormatString>
+ </TableColumnItem>
+ <TableColumnItem>
+ <PropertyName>Rank</PropertyName>
+ <FormatString>0x{0:X4}</FormatString>
+ </TableColumnItem>
+ <TableColumnItem>
+ <PropertyName>w018</PropertyName>
+ <FormatString>0x{0:X4}</FormatString>
+ </TableColumnItem>
+ <TableColumnItem>
+ <PropertyName>NameOffset</PropertyName>
+ <FormatString>0x{0:X4}</FormatString>
+ </TableColumnItem>
+ <TableColumnItem>
+ <PropertyName>Name</PropertyName>
+ </TableColumnItem>
+ </TableColumnItems>
+ </TableRowEntry>
+ </TableRowEntries>
+ </TableControl>
+ </View>
+ </ViewDefinitions>
+</Configuration> \ No newline at end of file
diff --git a/ReverseEngineering/Get-KernelModuleInfo.ps1 b/ReverseEngineering/Get-KernelModuleInfo.ps1
new file mode 100644
index 0000000..0704919
--- /dev/null
+++ b/ReverseEngineering/Get-KernelModuleInfo.ps1
@@ -0,0 +1,246 @@
+function Get-KernelModuleInfo
+{
+<#
+.SYNOPSIS
+
+Returns loaded kernel module information.
+
+PowerSploit Module - Get-KernelModuleInfo
+Author: Matthew Graeber (@mattifestation)
+License: BSD 3-Clause
+Required Dependencies: None
+Optional Dependencies: Get-KernelModuleInfo.format.ps1xml
+
+.DESCRIPTION
+
+Get-KernelModuleInfo wraps NtQuerySystemInformation and returns loaded kernel module information. Get-KernelModuleInfo works on both x86 and x86_64 platforms.
+
+.EXAMPLE
+
+C:\PS> Get-KernelModuleInfo
+
+ImageBaseAddress ImageSize Flags Id Rank W018 NameOffset Name
+---------------- --------- ----- -- ---- ---- ---------- ----
+0xFFFFF800FF200000 0x00749000 0x08804000 0x0000 0x0000 0x0083 0x0015 C:\Windows\system32\ntoskrnl.exe
+0xFFFFF800FF949000 0x0006C000 0x08804000 0x0001 0x0000 0x0027 0x0015 C:\Windows\system32\hal.dll
+0xFFFFF88000C93000 0x0005F000 0x09104000 0x0003 0x0000 0x0001 0x0015 C:\Windows\system32\mcupdate_GenuineIntel.dll
+0xFFFFF88000D71000 0x00015000 0x0D104000 0x0006 0x0000 0x0003 0x0015 C:\Windows\system32\PSHED.dll
+0xFFFFF8800101A000 0x000C2000 0x09104000 0x000A 0x0000 0x0001 0x001D C:\Windows\system32\drivers\Wdf01000.sys
+0xFFFFF8800117B000 0x0000A000 0x0D104000 0x000F 0x0000 0x0011 0x001D C:\Windows\System32\drivers\WMILIB.SYS
+0xFFFFF88000F5C000 0x00017000 0x09104000 0x0015 0x0000 0x0001 0x001D C:\Windows\system32\drivers\pdc.sys
+0xFFFFF880011CC000 0x0001A000 0x09104000 0x001C 0x0000 0x0001 0x001D C:\Windows\System32\drivers\mountmgr.sys
+0xFFFFF88001600000 0x0001B000 0x09104000 0x0024 0x0000 0x0015 0x001D C:\Windows\System32\Drivers\ksecdd.sys
+0xFFFFF88001C00000 0x00076000 0x09104000 0x002D 0x0000 0x0001 0x001D C:\Windows\System32\DRIVERS\fvevol.sys
+0xFFFFF88003CCD000 0x0000E000 0x4D104000 0x0042 0x0000 0x0007 0x001D C:\Windows\system32\DRIVERS\TDI.SYS
+0xFFFFF88004200000 0x0001E000 0x49104000 0x005B 0x0000 0x0001 0x001D C:\Windows\system32\DRIVERS\rassstp.sys
+0xFFFFF88005400000 0x0007B000 0x4D104000 0x0069 0x0000 0x0001 0x001D C:\Windows\System32\drivers\USBPORT.SYS
+0xFFFFF88006598000 0x0000A000 0x49104000 0x0078 0x0000 0x0001 0x001D C:\Windows\System32\drivers\wmiacpi.sys
+0xFFFFF880069EB000 0x0000D000 0x49104000 0x0088 0x0000 0x0002 0x001D C:\Windows\System32\Drivers\dump_diskdump.sys
+0xFFFFF88019542000 0x0004B000 0x49104000 0x0099 0x0000 0x0001 0x001D C:\Windows\system32\DRIVERS\mrxsmb10.sys
+0xFFFFF880194C7000 0x0000B000 0x49104000 0x00AB 0x0000 0x0001 0x001D C:\Windows\System32\drivers\WpdUpFltr.sys
+
+.NOTES
+
+To display the output as seen in the example, ensure that Get-KernelModuleInfo.format.ps1xml resides in the same directory as Get-KernelModuleInfo.ps1.
+
+.LINK
+
+http://www.exploit-monday.com
+#>
+
+ # Load custom object formatting views
+ $FormatPath = try { Join-Path $PSScriptRoot Get-KernelModuleInfo.format.ps1xml } catch {}
+ # Don't load format ps1xml if it doesn't live in the same folder as this script
+ if ($FormatPath -and (Test-Path $FormatPath))
+ {
+ Update-FormatData -PrependPath (Join-Path $PSScriptRoot Get-KernelModuleInfo.format.ps1xml)
+ }
+
+ $Domain = [AppDomain]::CurrentDomain
+ $DynAssembly = New-Object System.Reflection.AssemblyName('TestAssembly')
+ $AssemblyBuilder = $Domain.DefineDynamicAssembly($DynAssembly, [System.Reflection.Emit.AssemblyBuilderAccess]::Run)
+ $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule('TestModule', $False)
+
+ $Attributes = 'AutoLayout, AnsiClass, Class, Public, SequentialLayout, Sealed, BeforeFieldInit'
+ $TypeBuilder = $ModuleBuilder.DefineType('_SYSTEM_MODULE64', $Attributes, [System.ValueType], 1, 296)
+ $TypeBuilder32 = $ModuleBuilder.DefineType('_SYSTEM_MODULE32', $Attributes, [System.ValueType], 1, 284)
+
+ $TypeBuilder.DefineField('Reserved1', [UInt32], 'Public') | Out-Null
+ $TypeBuilder.DefineField('Reserved2', [UInt32], 'Public') | Out-Null
+ $TypeBuilder.DefineField('ImageBaseAddress', [UInt64], 'Public') | Out-Null
+ $TypeBuilder.DefineField('ImageSize', [UInt32], 'Public') | Out-Null
+ $TypeBuilder.DefineField('Flags', [UInt32], 'Public') | Out-Null
+ $TypeBuilder.DefineField('Id', [UInt16], 'Public') | Out-Null
+ $TypeBuilder.DefineField('Rank', [UInt16], 'Public') | Out-Null
+ $TypeBuilder.DefineField('w018', [UInt16], 'Public') | Out-Null
+ $TypeBuilder.DefineField('NameOffset', [UInt16], 'Public') | Out-Null
+ $NameField = $TypeBuilder.DefineField('Name', [String], 'Public, HasFieldMarshal')
+
+ $ConstructorInfo = [System.Runtime.InteropServices.MarshalAsAttribute].GetConstructors()[0]
+ $ConstructorValue = [System.Runtime.InteropServices.UnmanagedType]::ByValTStr
+ $FieldArray = @([System.Runtime.InteropServices.MarshalAsAttribute].GetField('SizeConst'))
+ $AttribBuilder = New-Object System.Reflection.Emit.CustomAttributeBuilder($ConstructorInfo, $ConstructorValue, $FieldArray, @([Int32] 256))
+ $NameField.SetCustomAttribute($AttribBuilder)
+
+ $SystemModule64Type = $TypeBuilder.CreateType()
+
+ $TypeBuilder32.DefineField('Reserved1', [UInt16], 'Public') | Out-Null
+ $TypeBuilder32.DefineField('Reserved2', [UInt16], 'Public') | Out-Null
+ $TypeBuilder32.DefineField('ImageBaseAddress', [UInt32], 'Public') | Out-Null
+ $TypeBuilder32.DefineField('ImageSize', [UInt32], 'Public') | Out-Null
+ $TypeBuilder32.DefineField('Flags', [UInt32], 'Public') | Out-Null
+ $TypeBuilder32.DefineField('Id', [UInt16], 'Public') | Out-Null
+ $TypeBuilder32.DefineField('Rank', [UInt16], 'Public') | Out-Null
+ $TypeBuilder32.DefineField('w018', [UInt16], 'Public') | Out-Null
+ $TypeBuilder32.DefineField('NameOffset', [UInt16], 'Public') | Out-Null
+ $NameField = $TypeBuilder32.DefineField('Name', [String], 'Public, HasFieldMarshal')
+ $NameField.SetCustomAttribute($AttribBuilder)
+
+ $SystemModule32Type = $TypeBuilder32.CreateType()
+
+ function Local:Get-DelegateType
+ {
+ Param
+ (
+ [OutputType([Type])]
+
+ [Parameter( Position = 0)]
+ [Type[]]
+ $Parameters = (New-Object Type[](0)),
+
+ [Parameter( Position = 1 )]
+ [Type]
+ $ReturnType = [Void]
+ )
+
+ $Domain = [AppDomain]::CurrentDomain
+ $DynAssembly = New-Object System.Reflection.AssemblyName('ReflectedDelegate')
+ $AssemblyBuilder = $Domain.DefineDynamicAssembly($DynAssembly, [System.Reflection.Emit.AssemblyBuilderAccess]::Run)
+ $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule('InMemoryModule', $false)
+ $TypeBuilder = $ModuleBuilder.DefineType('MyDelegateType', 'Class, Public, Sealed, AnsiClass, AutoClass', [System.MulticastDelegate])
+ $ConstructorBuilder = $TypeBuilder.DefineConstructor('RTSpecialName, HideBySig, Public', [System.Reflection.CallingConventions]::Standard, $Parameters)
+ $ConstructorBuilder.SetImplementationFlags('Runtime, Managed')
+ $MethodBuilder = $TypeBuilder.DefineMethod('Invoke', 'Public, HideBySig, NewSlot, Virtual', $ReturnType, $Parameters)
+ $MethodBuilder.SetImplementationFlags('Runtime, Managed')
+
+ Write-Output $TypeBuilder.CreateType()
+ }
+
+ function Local:Get-ProcAddress
+ {
+ Param
+ (
+ [OutputType([IntPtr])]
+
+ [Parameter( Position = 0, Mandatory = $True )]
+ [String]
+ $Module,
+
+ [Parameter( Position = 1, Mandatory = $True )]
+ [String]
+ $Procedure
+ )
+
+ # Get a reference to System.dll in the GAC
+ $SystemAssembly = [AppDomain]::CurrentDomain.GetAssemblies() |
+ Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\\')[-1].Equals('System.dll') }
+ $UnsafeNativeMethods = $SystemAssembly.GetType('Microsoft.Win32.UnsafeNativeMethods')
+ # Get a reference to the GetModuleHandle and GetProcAddress methods
+ $GetModuleHandle = $UnsafeNativeMethods.GetMethod('GetModuleHandle')
+ $GetProcAddress = $UnsafeNativeMethods.GetMethod('GetProcAddress')
+ # Get a handle to the module specified
+ $Kern32Handle = $GetModuleHandle.Invoke($null, @($Module))
+ $tmpPtr = New-Object IntPtr
+ $HandleRef = New-Object System.Runtime.InteropServices.HandleRef($tmpPtr, $Kern32Handle)
+
+ # Return the address of the function
+ Write-Output $GetProcAddress.Invoke($null, @([System.Runtime.InteropServices.HandleRef]$HandleRef, $Procedure))
+ }
+
+ # Returns a string from a byte array
+ function Local:Get-String([Byte[]] $Bytes)
+ {
+ $Char = $Bytes[0]
+ $StringArray = New-Object Byte[](0)
+
+ for ($i = 0; $Char -ne 0; $i++)
+ {
+ $StringArray += $Char; $Char = $Bytes[$i]
+ }
+
+ Write-Output (($StringArray | % {[Char] $_}) -join '')
+ }
+
+ $NtQuerySystemInformationAddr = Get-ProcAddress ntdll.dll NtQuerySystemInformation
+ $NtQuerySystemInformationDelegate = Get-DelegateType @([UInt32], [IntPtr], [UInt32], [UInt32].MakeByRefType()) ([Int32])
+ $NtQuerySystemInformation = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($NtQuerySystemInformationAddr, $NtQuerySystemInformationDelegate)
+
+ # $TotalLength represents the total size of the returned structures. This will be used to allocate sufficient memory to store each returned structure.
+ $TotalLength = 0
+
+ # Call NtQuerySystemInformation first to get the total size of the structures to be returned.
+ $NtQuerySystemInformation.Invoke(11, [IntPtr]::Zero, 0, [Ref] $TotalLength) | Out-Null
+
+ $PtrSystemInformation = [Runtime.InteropServices.Marshal]::AllocHGlobal($TotalLength)
+
+ $Result = $NtQuerySystemInformation.Invoke(11, $PtrSystemInformation, $TotalLength, [Ref] 0)
+
+ if ($Result -ne 0)
+ {
+ Throw "An error occured. (NTSTATUS: 0x$($Result.ToString('X8')))"
+ }
+
+ if ([IntPtr]::Size -eq 8)
+ {
+ $SystemModuleType = $SystemModule64Type
+ $StructSize = 296
+ $PtrModule = [IntPtr]($PtrSystemInformation.ToInt64() + 16)
+ }
+ else
+ {
+ $SystemModuleType = $SystemModule32Type
+ $StructSize = 284
+ $PtrModule = [IntPtr]($PtrSystemInformation.ToInt64() + 8)
+ }
+
+ $i = 0
+ $AnotherModule = $True
+
+ # Loop through all the returned _SYSTEM_MODULE structs
+ while ($AnotherModule) {
+ # Move pointer to the next structure
+ $PtrModule = [IntPtr] ($PtrModule.ToInt64() + ($i * $StructSize))
+ # Cast the next struct in memory to type _SYSTEM_MODULE[32|64]
+ $SystemModule = [Runtime.InteropServices.Marshal]::PtrToStructure($PtrModule, [Type] $SystemModuleType)
+
+ if ($SystemModule.NameOffset -ne 0 -and $SystemModule.ImageSize -ne 0)
+ {
+ $ModuleInfo = @{
+ ImageBaseAddress = $SystemModule.ImageBaseAddress
+ ImageSize = $SystemModule.ImageSize
+ Flags = $SystemModule.Flags
+ Id = $SystemModule.Id
+ Rank = $SystemModule.Rank
+ w018 = $SystemModule.w018
+ NameOffset = $SystemModule.NameOffset
+ # Get the full path to the driver and expand SystemRoot in the path
+ Name = $SystemModule.Name -replace '\\SystemRoot', $Env:SystemRoot
+ }
+
+ $Module = New-Object PSObject -Property $ModuleInfo
+ $Module.PSObject.TypeNames[0] = 'SystemInformation.SYSTEM_MODULE'
+
+ Write-Output $Module
+ }
+ else
+ {
+ # No more modules to iterate through
+ $AnotherModule = $False
+ }
+
+ $i++
+ }
+
+ # Free the unmanaged memory used to store the structures
+ [Runtime.InteropServices.Marshal]::FreeHGlobal($PtrSystemInformation)
+} \ No newline at end of file
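Review bot: The module walk skips entries and then reads past the allocated buffer, because `$PtrModule` in the `while` loop is advanced by `$i * $StructSize` from its previous value rather than from the start of the array, so the structs visited are at indices 0, 1, 3, 6, 10, … (the Id column in the .EXAMPLE output — 0x0000, 0x0001, 0x0003, 0x0006, 0x000A, 0x000F — shows exactly this progression). Once that cumulative offset exceeds `$TotalLength` the loop relies on unrelated heap bytes happening to fail the `NameOffset`/`ImageSize` sentinel to stop, which is an out-of-bounds read of unmanaged memory rather than a termination condition. Address each entry from the fixed start of the array and bound the loop by the module count, which appears to be the leading ULONG of the returned buffer (NumberOfModules in the documented layout — worth confirming against the 8/16-byte header skip the code already performs); e.g. keep the pointer computed in the `[IntPtr]::Size` branch as `$PtrFirstModule` and rewrite the loop as below. `FreeHGlobal` would also be safer inside a `try`/`finally` so a throwing `PtrToStructure` does not leak the buffer.
```powershell
# NumberOfModules is the leading ULONG of the buffer; bound the walk by it instead of by a sentinel
$ModuleCount = [Runtime.InteropServices.Marshal]::ReadInt32($PtrSystemInformation)

for ($i = 0; $i -lt $ModuleCount; $i++) {
    # Address each entry from the fixed start of the array, not from the previous entry
    $PtrModule = [IntPtr] ($PtrFirstModule.ToInt64() + ($i * $StructSize))
    $SystemModule = [Runtime.InteropServices.Marshal]::PtrToStructure($PtrModule, [Type] $SystemModuleType)
    # ... unchanged: NameOffset/ImageSize filter, build and emit the SystemInformation.SYSTEM_MODULE object ...
}
```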
diff --git a/ReverseEngineering/Get-Member.ps1 b/ReverseEngineering/Get-Member.ps1
new file mode 100644
index 0000000..30d29f4
--- /dev/null
+++ b/ReverseEngineering/Get-Member.ps1
@@ -0,0 +1,369 @@
+function Get-Member
+{
+<#
+.SYNOPSIS
+
+Gets the properties and methods of objects.
+
+PowerSploit Module - Get-Member
+Author: Matthew Graeber (@mattifestation)
+License: BSD 3-Clause (Except for the help documentation derived from the original Get-Member)
+Required Dependencies: None
+Optional Dependencies: None
+
+.DESCRIPTION
+
+The Get-Member cmdlet gets the "members" (properties and methods) of objects.
+
+To specify the object, use the InputObject parameter or pipe an object to Get-Member. To retrieve information about static members (members of the class, not of the instance), use the Static parameter. To get only certain types of members, such as NoteProperties, use the MemberType parameter.
+
+.PARAMETER Private
+
+Gets only the non-public members of the object.
+
+These members are typically not exposed and are extracted using reflection.
+
+.PARAMETER Static
+
+Gets only the static properties and methods of the object.
+
+Static properties and methods are defined on the class of objects, not on any particular instance of the class.
+
+If you use the Static parameter with the View parameter, the View parameter is ignored. If you use the Static parameter with the MemberType parameter, Get-Member gets only the members that belong to both sets.
+
+.PARAMETER Force
+
+Adds the intrinsic members (PSBase, PSAdapted, PSObject, PSTypeNames) and the compiler-generated get_, set_, op_, .ctor, and .cctor methods to the display. By default, Get-Member gets these properties in all views other than "Base" and "Adapted," but it does not display them.
+
+The following list describes the properties that are added when you use the Force parameter:
+
+-- PSBase: The original properties of the .NET Framework object without extension or adaptation. These are the properties defined for the object class and listed in MSDN.
+-- PSAdapted: The properties and methods defined in the Windows PowerShell extended type system.
+-- PSExtended: The properties and methods that were added in the Types.ps1xml files or by using the Add-Member cmdlet.
+-- PSObject: The adapter that converts the base object to a Windows PowerShell PSObject object.
+-- PSTypeNames: A list of object types that describe the object, in order of specificity. When formatting the object, Windows PowerShell searches for the types in the Format.ps1xml files in the Windows PowerShell installation directory ($pshome). It uses the formatting definition for the first type that it finds.
+-- get_*: The object's getter methods
+-- set_*: The object's setter methods
+-- op_*: The object's operator methods
+-- .ctor: The object's constructor
+-- .cctor: The object's copy constructor
+
+.PARAMETER InputObject
+
+Specifies the object whose members are retrieved.
+
+Using the InputObject parameter is not the same as piping an object to Get-Member. The differences are as follows:
+
+-- When you pipe a collection of objects to Get-Member, Get-Member gets the members of the individual objects in the collection, such as the properties of the integers in an array of integers.
+
+-- When you use InputObject to submit a collection of objects, Get-Member gets the members of the collection, such as the properties of the array in an array of integers.
+
+.PARAMETER PrivateMemberType
+
+When the 'Private' parameter is specified, only members with the specified member type. The default is All.
+
+The valid values for this parameter are:
+
+-- Constructor: A constructor method of the underlying .NET Framework object.
+-- Event: Indicates that the object sends a message to indicate an action or a change in state.
+-- Field: A private field of the underlying .NET Framework object.
+-- Method: A method of the underlying .NET Framework object.
+-- Property: A property of the underlying .NET Framework object.
+-- TypeInfo: A type of the underlying .NET Framework object.
+-- Custom: A custom member type
+-- NestedType: A nested type of the underlying .NET Framework object.
+
+-- All: Gets all member types.
+
+.PARAMETER MemberType
+
+Gets only members with the specified PowerShell member type. The default is All.
+
+The valid values for this parameter are:
+
+-- AliasProperty: A property that defines a new name for an existing property.
+-- CodeMethod: A method that references a static method of a .NET Framework class.
+-- CodeProperty: A property that references a static property of a .NET Framework class.
+-- Event: Indicates that the object sends a message to indicate an action or a change in state.
+-- MemberSet: A predefined collection of properties and methods, such as PSBase, PSObject, and PSTypeNames.
+-- Method: A method of the underlying .NET Framework object.
+-- NoteProperty: A property with a static value.
+-- ParameterizedProperty: A property that takes parameters and parameter values.
+-- Property: A property of the underlying .NET Framework object.
+-- PropertySet: A predefined collection of object properties.
+-- ScriptMethod: A method whose value is the output of a script.
+-- ScriptProperty: A property whose value is the output of a script.
+
+-- All: Gets all member types.
+-- Methods: Gets all types of methods of the object (for example, Method, CodeMethod, ScriptMethod).
+-- Properties: Gets all types of properties of the object (for example, Property, CodeProperty, AliasProperty, ScriptProperty).
+
+Not all objects have every type of member. If you specify a member type that the object does not have, Windows PowerShell returns a null value.
+
+To get related types of members, such as all extended members, use the View parameter. If you use the MemberType parameter with the Static or View parameters, Get-Member gets the members that belong to both sets.
+
+.PARAMETER Name
+
+Specifies the names of one or more properties or methods of the object. Get-Member gets only the specified properties and methods.
+
+If you use the Name parameter with the MemberType, View, or Static parameters, Get-Member gets only the members that satisfy the criteria of all parameters.
+
+To get a static member by name, use the Static parameter with the Name parameter.
+
+.PARAMETER View
+
+Gets only particular types of members (properties and methods). Specify one or more of the values. The default is "Adapted, Extended".
+
+Valid values are:
+-- Base: Gets only the original properties and methods of the .NET Framework object (without extension or adaptation).
+-- Adapted: Gets only the properties and methods defined in the Windows PowerShell extended type system.
+-- Extended: Gets only the properties and methods that were added in the Types.ps1xml files or by using the Add-Member cmdlet.
+-- All: Gets the members in the Base, Adapted, and Extended views.
+
+The View parameter determines the members retrieved, not just the display of those members.
+
+To get particular member types, such as script properties, use the MemberType parameter. If you use the MemberType and View parameters in the same command, Get-Member gets the members that belong to both sets. If you use the Static and View parameters in the same command, the View parameter is ignored.
+
+.EXAMPLE
+
+C:\PS> [String] | Get-Member -Static -Private
+
+Description
+-----------
+Returns all staic, non-public members of the String class.
+
+.EXAMPLE
+
+C:\PS> [Diagnostics.Process] | Get-Member -Private -PrivateMemberType Method
+
+Description
+-----------
+Returns all non-public instance methods of the Diagnostics.Process class
+
+.EXAMPLE
+
+C:\PS> "Hello, World" | Get-Member -Private -Force
+
+Description
+-----------
+Returns all instance members including those with special names (like .ctor) of the string instance
+
+.LINK
+
+http://www.exploit-monday.com/2012/08/surgical-net-dissection.html
+
+#>
+ [CmdletBinding(DefaultParameterSetName = 'Default')]
+ Param (
+ [Parameter(ValueFromPipeline=$true, ParameterSetName = 'Default')]
+ [Parameter(ValueFromPipeline=$true, ParameterSetName = 'Private')]
+ [System.Management.Automation.PSObject]
+ $InputObject,
+
+ [Parameter(Position=0, ParameterSetName = 'Default')]
+ [Parameter(Position=0, ParameterSetName = 'Private')]
+ [ValidateNotNullOrEmpty()]
+ [System.String[]]
+ $Name,
+
+ [Parameter(ParameterSetName = 'Default')]
+ [Alias('Type')]
+ [System.Management.Automation.PSMemberTypes]
+ $MemberType,
+
+ [Parameter(ParameterSetName = 'Private')]
+ [System.Reflection.MemberTypes]
+ $PrivateMemberType = [System.Reflection.MemberTypes]::All,
+
+ [Parameter(ParameterSetName = 'Default')]
+ [System.Management.Automation.PSMemberViewTypes]
+ $View,
+
+ [Parameter(ParameterSetName = 'Default')]
+ [Parameter(ParameterSetName = 'Private')]
+ [Switch]
+ $Static,
+
+ [Parameter(ParameterSetName = 'Default')]
+ [Parameter(ParameterSetName = 'Private')]
+ [Switch]
+ $Force,
+
+ [Parameter(ParameterSetName = 'Private')]
+ [Switch]
+ $Private
+ )
+
+ BEGIN
+ {
+ try {
+ $outBuffer = $null
+ if ($PSBoundParameters.TryGetValue('OutBuffer', [ref]$outBuffer))
+ {
+ $PSBoundParameters['OutBuffer'] = 1
+ }
+ $wrappedCmd = $ExecutionContext.InvokeCommand.GetCommand('Microsoft.PowerShell.Utility\Get-Member', [System.Management.Automation.CommandTypes]::Cmdlet)
+ # Redirect the output of the command to $out variable
+ $null = $PSBoundParameters.Add('OutVariable', 'out')
+ # Redirect original output to $null
+ if ($PSBoundParameters['Private']) {
+ $null = $PSBoundParameters.Remove('Private')
+ $Private = $True
+ }
+ if ($PSBoundParameters['PrivateMemberType']) {
+ $PrivateMemberType = $PSBoundParameters['PrivateMemberType']
+ $null = $PSBoundParameters.Remove('PrivateMemberType')
+ }
+ $scriptCmd = {& $wrappedCmd @PSBoundParameters | Out-Null }
+ $steppablePipeline = $scriptCmd.GetSteppablePipeline($myInvocation.CommandOrigin)
+ $steppablePipeline.Begin($PSCmdlet)
+ } catch {
+ }
+ }
+
+ PROCESS
+ {
+ try {
+ $steppablePipeline.Process($_)
+ } catch {
+ }
+ }
+
+ END
+ {
+ try {
+ $steppablePipeline.End()
+ if ($Private) {
+
+ $Object = $PSBoundParameters['InputObject']
+ if ($Object.GetType().FullName -ne 'System.RuntimeType') {
+ # If InputObject is an instance of an object, get its type
+ # Otherwise, it's assumed that what was passed in was already a type
+ $Object = $Object.GetType()
+ }
+
+ if ($PSBoundParameters['Static']) {
+ $Flags = 'Static, NonPublic'
+
+ # Retrieve all static, nonpublic members except for constructors
+ $Types = foreach ($Val in [Enum]::GetValues([System.Reflection.MemberTypes])) {
+ $Object.GetMembers($Flags) | Where-Object { ($_.MemberType -eq ($Val.value__ -band $PrivateMemberType)) -and ($Val -ne [System.Reflection.MemberTypes]::All) -and ($_.MemberType -ne 'Constructor') }
+ }
+
+ # Retrieve all static constructors (both public and nonpublic)
+ # Public constructors are retrieved because the original 'Get-Member -Force' does not retrieve constructors
+ $Types += $Object.GetConstructors('Static, NonPublic, Public')
+ } else {
+ $Flags = 'Instance, NonPublic'
+
+ # Retrieve all instance, nonpublic members except for constructors
+ $Types = foreach ($Val in [Enum]::GetValues([System.Reflection.MemberTypes])) {
+ $Object.GetMembers($Flags) | Where-Object { ($_.MemberType -eq ($Val.value__ -band $PrivateMemberType)) -and ($Val -ne [System.Reflection.MemberTypes]::All) -and ($_.MemberType -ne 'Constructor') }
+ }
+
+ # Retrieve all instance constructors (both public and nonpublic)
+ # Public constructors are retrieved because the original 'Get-Member -Force' does not retrieve constructors
+ $Types += $Object.GetConstructors('Instance, NonPublic, Public')
+ }
+
+ # Filter out types with special names if '-Force' is not specified
+ if (!$Force) {
+ $Types = $Types | Where-Object { !$_.IsSpecialName }
+ }
+
+ $TypeTable = @{}
+
+ # For each type, build an array of object equivalent to an array of Microsoft.PowerShell.Commands.MemberDefinition objects.
+ # An array of custom objects is required because the MemberDefinition object doesn't take System.Reflection.MemberTypes
+ # objects in its constructor.
+ $Results = $Types | ForEach-Object {
+
+ $Type = $_
+
+ switch ($Type.MemberType) {
+ 'Constructor' {
+ $Parameters = ($Type.GetParameters() | % {$_.ParameterType.FullName}) -join ', '
+ $Definition = "$(if ($Type.IsStatic){'static '})$($Type.Name)($($Parameters))"
+ }
+ 'Field' {
+ $Definition = "$(if ($Type.IsStatic){'static '})$($Type.FieldType)"
+ }
+ 'Method' {
+ $Parameters = ($Type.GetParameters() | % {$_.ParameterType.FullName}) -join ', '
+ $Definition = "$(if ($Type.IsStatic){'static '})$($Type.ReturnType) $($Type.Name)($($Parameters))"
+ }
+ 'Property' {
+ $Definition = "$(if ($Type.IsStatic){'static '})$($Type.PropertyType) $($Type.Name) {$(if ($Type.CanRead){'get;'})$(if ($Type.CanWrite){'set;'})}"
+ }
+ 'NestedType' {
+ $Definition = "$(if ($Type.IsStatic){'static '})$($Type.FullName) BaseType=$($Type.BaseType)"
+ }
+ 'Event' {
+ $Parameters = ($Type.GetAddMethod().GetParameters() | % {$_.ParameterType.FullName}) -join ', '
+ $Definition = "$(if ($Type.IsStatic){'static '})$($Type.EventHandlerType) $($Type.Name)(System.Object, $($Parameters))"
+ }
+ }
+
+ # Identical properties as the Microsoft.PowerShell.Commands.MemberDefinition object
+ $InternalMemberType = @{
+ TypeName = $Type.DeclaringType.FullName
+ Name = $Type.Name
+ MemberType = $Type.MemberType
+ Definition = $Definition
+ }
+
+ New-Object PSObject -Property $InternalMemberType
+ }
+
+ # For members with the same name, compress them into an array that will be stored in a hashtable
+ $Results | ForEach-Object {
+ $TypeTable["$($_.Name)"] += @($_)
+ }
+
+ $Results = foreach ($Type in $TypeTable.Keys) {
+ $ReturnType = @{
+ TypeName = $TypeTable[$Type][0].TypeName
+ Name = $TypeTable[$Type][0].Name
+ MemberType = $TypeTable[$Type][0].MemberType
+ # Append each definition into a single definition.
+ # This behavior is indentical to what the unmodified
+ # Get-Member does.
+ Definition = ($TypeTable[$Type] | ForEach-Object { $_.Definition }) -join ', '
+ }
+
+ $MemberDef = New-Object PSObject -Property $ReturnType
+ <#
+ Cool trick. Even though the custom object is actually a Microsoft.PowerShell.Commands.MemberDefinition
+ object, you can trick it into thinking it is so that it will display the same way the result of the
+ original Get-Member cmdlet would.
+ #>
+ $MemberDef.PSObject.TypeNames.Insert(0, 'Microsoft.PowerShell.Commands.MemberDefinition')
+ $MemberDef
+ }
+
+ # If '-Name' parameter is specified, only return members matching the name specified
+ if ($PSBoundParameters['Name']) {
+ $MemberNames = [String[]] $PSBoundParameters['Name']
+
+ $Tmp = New-Object PSObject[](0)
+
+ foreach ($MemberName in $MemberNames) {
+ $Tmp += $Results | Where-Object { $_.Name -eq $MemberName }
+ }
+
+ $Results = $Tmp
+ }
+
+ # Return the results if the results are non-null
+ if ($Results.Count) {
+ $Results | Sort-Object TypeName, MemberType, Name
+ }
+ } else {
+ # If '-Private' is not set, return the results of the original Get-Member cmdlet
+ $out | Sort-Object TypeName, MemberType, Name
+ }
+ } catch {
+ }
+ }
+}
+
diff --git a/ReverseEngineering/Get-MethodAddress.ps1 b/ReverseEngineering/Get-MethodAddress.ps1
new file mode 100644
index 0000000..bd6c627
--- /dev/null
+++ b/ReverseEngineering/Get-MethodAddress.ps1
@@ -0,0 +1,113 @@
+function Get-MethodAddress
+{
+<#
+.SYNOPSIS
+
+Get the unmanaged function address of a .NET method.
+
+PowerSploit Module - Get-MethodAddress
+Author: Matthew Graeber (@mattifestation)
+License: BSD 3-Clause
+Required Dependencies: None
+Optional Dependencies: None
+
+.DESCRIPTION
+
+Get-MethodAddress aids in the process of reverse engineering and exploitation by returning an unmanaged function pointer to any .NET method. This method is useful for those interested in seeing what JITed MSIL opcodes look like in their assembly language representation.
+
+For example, here is the MSIL representation of [System.IntPtr].ToPointer:
+0x02 ldarg.0
+0x7B,0x53,0x04,0x00,0x04 ldfld void* System.IntPtr::m_value
+0x2A ret
+
+After calling Get-MethodAddress and inspecting it in WinDbg, here is the x86_64 ASM representation:
+C:\PS> Get-MethodAddress ([IntPtr].GetMethod('ToPointer'))
+0x000007FF35544CC0
+
+mscorlib_ni+0xd04cc0:
+000007ff`35544cc0 488b01 mov rax,qword ptr [rcx]
+000007ff`35544cc3 c3 ret
+000007ff`35544cc4 cc int 3
+
+This MSIL to ASM translation makes sense because all the assembly instructions are doing is dereferencing the pointer in rcx.
+
+.PARAMETER MethodInfo
+
+The method whose unmanaged address will be returned.
+
+.EXAMPLE
+
+C:\PS> Get-MethodAddress ([String].GetMethod('Trim', [Type[]]@()))
+
+Description
+-----------
+Returns the unmanaged address of [System.Object].Trim() method.
+
+.EXAMPLE
+
+C:\PS> [Int].Module.GetTypes().GetMethods() | ForEach-Object {Get-MethodAddress $_ -ErrorAction SilentlyContinue -WarningAction SilentlyContinue}
+
+Description
+-----------
+Returns an unmanaged address for every method (in which an address can be returned) in mscorlib.
+
+.OUTPUTS
+
+System.String
+
+A hexadecimal representation of the method address.
+
+.NOTES
+
+Not all methods will be able to return an address. For example, methods with implementation flags of AggressiveInlining, Synchronized, or CodeTypeMask will not return an address. Also note that any InternalCall method will return the same pointer every time because the CLR determines its address at runtime.
+
+Lastly, note that the MSIL opcodes used to implement this cmdlet are unverifiable. This means for example, that this technique won't aid exploiting Silverlight applications. :'(
+
+.LINK
+
+http://www.exploit-monday.com/2012/11/Get-MethodAddress.html
+#>
+
+ [CmdletBinding()] Param (
+ [Parameter(Mandatory = $True, ValueFromPipeline = $True)]
+ [System.Reflection.MethodInfo]
+ $MethodInfo
+ )
+
+ if ($MethodInfo.MethodImplementationFlags -eq 'InternalCall')
+ {
+ Write-Warning "$($MethodInfo.Name) is an InternalCall method. These methods always point to the same address."
+ }
+
+ $Domain = [AppDomain]::CurrentDomain
+ $DynAssembly = New-Object System.Reflection.AssemblyName('MethodLeakAssembly')
+ # Assemble in memory
+ $AssemblyBuilder = $Domain.DefineDynamicAssembly($DynAssembly, [System.Reflection.Emit.AssemblyBuilderAccess]::Run)
+ $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule('MethodLeakModule')
+ $TypeBuilder = $ModuleBuilder.DefineType('MethodLeaker', [System.Reflection.TypeAttributes]::Public)
+ # Declaration of the LeakMethod method
+ $MethodBuilder = $TypeBuilder.DefineMethod('LeakMethod', [System.Reflection.MethodAttributes]::Public -bOr [System.Reflection.MethodAttributes]::Static, [UInt64], $null)
+ $Generator = $MethodBuilder.GetILGenerator()
+
+ # Push unmanaged pointer to MethodInfo onto the evaluation stack
+ $Generator.Emit([System.Reflection.Emit.OpCodes]::Ldftn, $MethodInfo)
+ # Convert the pointer to type - unsigned int64
+ $Generator.Emit([System.Reflection.Emit.OpCodes]::Conv_Ovf_U8)
+ $Generator.Emit([System.Reflection.Emit.OpCodes]::Ret)
+
+ # Assemble everything
+ $Type = $TypeBuilder.CreateType()
+ $Method = $Type.GetMethod('LeakMethod')
+
+ try
+ {
+ # Call the method and return its JITed address
+ $Address = $Method.Invoke($null, @())
+
+ Write-Output "0x$($Address.ToString("X$([IntPtr]::Size * 2)"))"
+ }
+ catch [System.Management.Automation.MethodInvocationException]
+ {
+ Write-Error "$($MethodInfo.Name) cannot return an unmanaged address."
+ }
+} \ No newline at end of file
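Review bot: The InternalCall test `if ($MethodInfo.MethodImplementationFlags -eq 'InternalCall')` compares a [Flags] enum for exact equality, so a method whose implementation flags carry any additional bit is never warned about; a bit test such as `if (($MethodInfo.GetMethodImplementationFlags() -band [System.Reflection.MethodImplAttributes]::InternalCall) -ne 0)` catches every InternalCall method, and `GetMethodImplementationFlags()` also exists on frameworks where the `MethodImplementationFlags` property is absent (there the current comparison silently evaluates to false and the warning is lost). Separately, each call defines a fresh dynamic assembly `MethodLeakAssembly` with `AssemblyBuilderAccess::Run`, which cannot be unloaded, so the second EXAMPLE, which pipes every method in mscorlib through the function, leaves one dynamic assembly and type per method in the session; defining the assembly once and emitting a uniquely named method per call, or `RunAndCollect` where the host framework offers it, would bound that growth. The first EXAMPLE's description says `[System.Object].Trim()` while the command reflects `[String].GetMethod('Trim', [Type[]]@())`; it should read `[System.String].Trim()`.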
diff --git a/ReverseEngineering/Get-PEB.format.ps1xml b/ReverseEngineering/Get-PEB.format.ps1xml
new file mode 100644
index 0000000..9c25dc1
--- /dev/null
+++ b/ReverseEngineering/Get-PEB.format.ps1xml
@@ -0,0 +1,1099 @@
+<?xml version="1.0" encoding="utf-8" ?>
+<Configuration>
+ <DefaultSettings>
+ <EnumerableExpansions>
+ <EnumerableExpansion>
+ <Expand>Both</Expand>
+ </EnumerableExpansion>
+ </EnumerableExpansions>
+ </DefaultSettings>
+ <ViewDefinitions>
+ <View>
+ <Name>ProcessEnvironmentBlock_VistaView</Name>
+ <ViewSelectedBy>
+ <TypeName>PEB.Vista</TypeName>
+ </ViewSelectedBy>
+ <ListControl>
+ <ListEntries>
+ <ListEntry>
+ <ListItems>
+ <ListItem>
+ <PropertyName>ProcessName</PropertyName>
+ </ListItem>
+ <ListItem>
+ <PropertyName>ProcessId</PropertyName>
+ </ListItem>
+ <ListItem>
+ <PropertyName>InheritedAddressSpace</PropertyName>
+ </ListItem>
+ <ListItem>
+ <PropertyName>ReadImageFileExecOptions</PropertyName>
+ </ListItem>
+ <ListItem>
+ <PropertyName>BeingDebugged</PropertyName>
+ </ListItem>
+ <ListItem>
+ <PropertyName>ImageUsesLargePages</PropertyName>
+ </ListItem>
+ <ListItem>
+ <PropertyName>IsProtectedProcess</PropertyName>
+ </ListItem>
+ <ListItem>
+ <PropertyName>IsLegacyProcess</PropertyName>
+ </ListItem>
+ <ListItem>
+ <PropertyName>IsImageDynamicallyRelocated</PropertyName>
+ </ListItem>
+ <ListItem>
+ <PropertyName>SkipPatchingUser32Forwarders</PropertyName>
+ </ListItem>
+ <ListItem>
+ <PropertyName>IsPackagedProcess</PropertyName>
+ </ListItem>
+ <ListItem>
+ <PropertyName>IsAppContainer</PropertyName>
+ </ListItem>
+ <ListItem>
+ <Label>Mutant</Label>
+ <ScriptBlock>"0x$($_.Mutant.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
+ </ListItem>
+ <ListItem>
+ <Label>ImageBaseAddress</Label>
+ <ScriptBlock>"0x$($_.ImageBaseAddress.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
+ </ListItem>
+ <ListItem>
+ <PropertyName>Ldr</PropertyName>
+ </ListItem>
+ <ListItem>
+ <PropertyName>InLoadOrderModuleList</PropertyName>
+ </ListItem>
+ <ListItem>
+ <PropertyName>InMemoryOrderModuleList</PropertyName>
+ </ListItem>
+ <ListItem>
+ <PropertyName>InInitializationOrderModuleList</PropertyName>
+ </ListItem>
+ <ListItem>
+ <Label>ProcessParameters</Label>
+ <ScriptBlock>"0x$($_.ProcessParameters.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
+ </ListItem>
+ <ListItem>
+ <Label>SubSystemData</Label>
+ <ScriptBlock>"0x$($_.SubSystemData.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
+ </ListItem>
+ <ListItem>
+ <Label>ProcessHeap</Label>
+ <ScriptBlock>"0x$($_.ProcessHeap.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
+ </ListItem>
+ <ListItem>
+ <Label>FastPebLock</Label>
+ <ScriptBlock>"0x$($_.FastPebLock.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
+ </ListItem>
+ <ListItem>
+ <Label>AtlThunkSListPtr</Label>
+ <ScriptBlock>"0x$($_.AtlThunkSListPtr.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
+ </ListItem>
+ <ListItem>
+ <Label>IFEOKey</Label>
+ <ScriptBlock>"0x$($_.IFEOKey.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
+ </ListItem>
+ <ListItem>
+ <PropertyName>ProcessInJob</PropertyName>
+ </ListItem>
+ <ListItem>
+ <PropertyName>ProcessInitializing</PropertyName>
+ </ListItem>
+ <ListItem>
+ <PropertyName>ProcessUsingVEH</PropertyName>
+ </ListItem>
+ <ListItem>
+ <PropertyName>ProcessUsingVCH</PropertyName>
+ </ListItem>
+ <ListItem>
+ <PropertyName>ProcessUsingFTH</PropertyName>
+ </ListItem>
+ <ListItem>
+ <Label>KernelCallbackTable</Label>
+ <ScriptBlock>"0x$($_.KernelCallbackTable.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
+ </ListItem>
+ <ListItem>
+ <PropertyName>SystemReserved</PropertyName>
+ <FormatString>0x{0:X8}</FormatString>
+ </ListItem>
+ <ListItem>
+ <PropertyName>AtlThunkSListPtr32</PropertyName>
+ <FormatString>0x{0:X8}</FormatString>
+ </ListItem>
+ <ListItem>
+ <Label>ApiSetMap</Label>
+ <ScriptBlock>"0x$($_.ApiSetMap.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
+ </ListItem>
+ <ListItem>
+ <PropertyName>TlsExpansionCounter</PropertyName>
+ <FormatString>0x{0:X8}</FormatString>
+ </ListItem>
+ <ListItem>
+ <Label>TlsBitmap</Label>
+ <ScriptBlock>"0x$($_.TlsBitmap.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
+ </ListItem>
+ <ListItem>
+ <Label>TlsBitmapBits</Label>
+ <ScriptBlock>($_.TlsBitmapBits | % { "0x$($_.ToString('X8'))" }) -join ','</ScriptBlock>
+ </ListItem>
+ <ListItem>
+ <Label>ReadOnlySharedMemoryBase</Label>
+ <ScriptBlock>"0x$($_.ReadOnlySharedMemoryBase.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
+ </ListItem>
+ <ListItem>
+ <Label>HotpatchInformation</Label>
+ <ScriptBlock>"0x$($_.HotpatchInformation.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
+ </ListItem>
+ <ListItem>
+ <Label>ReadOnlyStaticServerData</Label>
+ <ScriptBlock>"0x$($_.ReadOnlyStaticServerData.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
+ </ListItem>
+ <ListItem>
+ <Label>AnsiCodePageData</Label>
+ <ScriptBlock>"0x$($_.AnsiCodePageData.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
+ </ListItem>
+ <ListItem>
+ <Label>OemCodePageData</Label>
+ <ScriptBlock>"0x$($_.OemCodePageData.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
+ </ListItem>
+ <ListItem>
+ <Label>UnicodeCaseTableData</Label>
+ <ScriptBlock>"0x$($_.UnicodeCaseTableData.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
+ </ListItem>
+ <ListItem>
+ <PropertyName>NumberOfProcessors</PropertyName>
+ <FormatString>0x{0:X8}</FormatString>
+ </ListItem>
+ <ListItem>
+ <PropertyName>NtGlobalFlag</PropertyName>
+ <FormatString>0x{0:X8}</FormatString>
+ </ListItem>
+ <ListItem>
+ <PropertyName>CriticalSectionTimeout</PropertyName>
+ <FormatString>0x{0:X16}</FormatString>
+ </ListItem>
+ <ListItem>
+ <Label>HeapSegmentReserve</Label>
+ <ScriptBlock>"0x$($_.HeapSegmentReserve.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
+ </ListItem>
+ <ListItem>
+ <Label>HeapSegmentCommit</Label>
+ <ScriptBlock>"0x$($_.HeapSegmentCommit.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
+ </ListItem>
+ <ListItem>
+ <Label>HeapDeCommitTotalFreeThreshold</Label>
+ <ScriptBlock>"0x$($_.HeapDeCommitTotalFreeThreshold.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
+ </ListItem>
+ <ListItem>
+ <Label>HeapDeCommitFreeBlockThreshold</Label>
+ <ScriptBlock>"0x$($_.HeapDeCommitFreeBlockThreshold.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
+ </ListItem>
+ <ListItem>
+ <PropertyName>NumberOfHeaps</PropertyName>
+ <FormatString>0x{0:X8}</FormatString>
+ </ListItem>
+ <ListItem>
+ <PropertyName>MaximumNumberOfHeaps</PropertyName>
+ <FormatString>0x{0:X8}</FormatString>
+ </ListItem>
+ <ListItem>
+ <Label>ProcessHeaps</Label>
+ <ScriptBlock>"0x$($_.ProcessHeaps.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
+ </ListItem>
+ <ListItem>
+ <Label>GdiSharedHandleTable</Label>
+ <ScriptBlock>"0x$($_.GdiSharedHandleTable.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
+ </ListItem>
+ <ListItem>
+ <Label>ProcessStarterHelper</Label>
+ <ScriptBlock>"0x$($_.ProcessStarterHelper.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
+ </ListItem>
+ <ListItem>
+ <PropertyName>GdiDCAttributeList</PropertyName>
+ <FormatString>0x{0:X8}</FormatString>
+ </ListItem>
+ <ListItem>
+ <Label>LoaderLock</Label>
+ <ScriptBlock>"0x$($_.LoaderLock.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
+ </ListItem>
+ <ListItem>
+ <PropertyName>OSMajorVersion</PropertyName>
+ </ListItem>
+ <ListItem>
+ <PropertyName>OSMinorVersion</PropertyName>
+ </ListItem>
+ <ListItem>
+ <PropertyName>OSBuildNumber</PropertyName>
+ </ListItem>
+ <ListItem>
+ <PropertyName>OSCSDVersion</PropertyName>
+ </ListItem>
+ <ListItem>
+ <PropertyName>OSPlatformId</PropertyName>
+ </ListItem>
+ <ListItem>
+ <PropertyName>ImageSubsystem</PropertyName>
+ </ListItem>
+ <ListItem>
+ <PropertyName>ImageSubsystemMajorVersion</PropertyName>
+ </ListItem>
+ <ListItem>
+ <PropertyName>ImageSubsystemMinorVersion</PropertyName>
+ </ListItem>
+ <ListItem>
+ <Label>ActiveProcessAffinityMask</Label>
+ <ScriptBlock>"0x$($_.ActiveProcessAffinityMask.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
+ </ListItem>
+ <ListItem>
+ <Label>GdiHandleBuffer</Label>
+ <ScriptBlock>($_.GdiHandleBuffer | % { "0x$($_.ToString('X8'))" }) -join ','</ScriptBlock>
+ </ListItem>
+ <ListItem>
+ <Label>PostProcessInitRoutine</Label>
+ <ScriptBlock>"0x$($_.PostProcessInitRoutine.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
+ </ListItem>
+ <ListItem>
+ <Label>TlsExpansionBitmap</Label>
+ <ScriptBlock>"0x$($_.TlsExpansionBitmap.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
+ </ListItem>
+ <ListItem>
+ <Label>TlsExpansionBitmapBits</Label>
+ <ScriptBlock>($_.TlsExpansionBitmapBits | % { "0x$($_.ToString('X8'))" }) -join ','</ScriptBlock>
+ </ListItem>
+ <ListItem>
+ <PropertyName>SessionId</PropertyName>
+ <FormatString>0x{0:X8}</FormatString>
+ </ListItem>
+ <ListItem>
+ <PropertyName>AppCompatFlags</PropertyName>
+ <FormatString>0x{0:X16}</FormatString>
+ </ListItem>
+ <ListItem>
+ <PropertyName>AppCompatFlagsUser</PropertyName>
+ <FormatString>0x{0:X16}</FormatString>
+ </ListItem>
+ <ListItem>
+ <Label>pShimData</Label>
+ <ScriptBlock>"0x$($_.pShimData.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
+ </ListItem>
+ <ListItem>
+ <PropertyName>AppCompatInfo</PropertyName>
+ <FormatString>0x{0:X8}</FormatString>
+ </ListItem>
+ <ListItem>
+ <PropertyName>CSDVersion</PropertyName>
+ </ListItem>
+ <ListItem>
+ <Label>ActivationContextData</Label>
+ <ScriptBlock>"0x$($_.ActivationContextData.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
+ </ListItem>
+ <ListItem>
+ <Label>ProcessAssemblyStorageMap</Label>
+ <ScriptBlock>"0x$($_.ProcessAssemblyStorageMap.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
+ </ListItem>
+ <ListItem>
+ <Label>SystemDefaultActivationContextData</Label>
+ <ScriptBlock>"0x$($_.SystemDefaultActivationContextData.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
+ </ListItem>
+ <ListItem>
+ <Label>SystemAssemblyStorageMap</Label>
+ <ScriptBlock>"0x$($_.SystemAssemblyStorageMap.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
+ </ListItem>
+ <ListItem>
+ <Label>MinimumStackCommit</Label>
+ <ScriptBlock>"0x$($_.MinimumStackCommit.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
+ </ListItem>
+ <ListItem>
+ <Label>FlsCallback</Label>
+ <ScriptBlock>"0x$($_.FlsCallback.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
+ </ListItem>
+ <ListItem>
+ <PropertyName>FlsListHead</PropertyName>
+ </ListItem>
+ <ListItem>
+ <Label>FlsBitmap</Label>
+ <ScriptBlock>"0x$($_.FlsBitmap.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
+ </ListItem>
+ <ListItem>
+ <Label>FlsBitmapBits</Label>
+ <ScriptBlock>($_.FlsBitmapBits | % { "0x$($_.ToString('X8'))" }) -join ','</ScriptBlock>
+ </ListItem>
+ <ListItem>
+ <PropertyName>FlsHighIndex</PropertyName>
+ <FormatString>0x{0:X8}</FormatString>
+ </ListItem>
+ <ListItem>
+ <Label>WerRegistrationData</Label>
+ <ScriptBlock>"0x$($_.WerRegistrationData.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
+ </ListItem>
+ <ListItem>
+ <Label>WerShipAssertPtr</Label>
+ <ScriptBlock>"0x$($_.WerShipAssertPtr.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
+ </ListItem>
+ <ListItem>
+ <Label>pUnused</Label>
+ <ScriptBlock>"0x$($_.pUnused.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
+ </ListItem>
+ <ListItem>
+ <Label>pImageHeaderHash</Label>
+ <ScriptBlock>"0x$($_.pImageHeaderHash.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
+ </ListItem>
+ <ListItem>
+ <PropertyName>HeapTracingEnabled</PropertyName>
+ </ListItem>
+ <ListItem>
+ <PropertyName>CritSecTracingEnabled</PropertyName>
+ </ListItem>
+ <ListItem>
+ <PropertyName>LibLoaderTracingEnabled</PropertyName>
+ </ListItem>
+ <ListItem>
+ <PropertyName>CsrServerReadOnlySharedMemoryBase</PropertyName>
+ <FormatString>0x{0:X16}</FormatString>
+ </ListItem>
+ </ListItems>
+ </ListEntry>
+ </ListEntries>
+ </ListControl>
+ </View>
+ <View>
+ <Name>ProcessEnvironmentBlock_Server2003View</Name>
+ <ViewSelectedBy>
+ <TypeName>PEB.Server2003</TypeName>
+ </ViewSelectedBy>
+ <ListControl>
+ <ListEntries>
+ <ListEntry>
+ <ListItems>
+ <ListItem>
+ <PropertyName>ProcessName</PropertyName>
+ </ListItem>
+ <ListItem>
+ <PropertyName>ProcessId</PropertyName>
+ </ListItem>
+ <ListItem>
+ <Label>InheritedAddressSpace</Label>
+ <ScriptBlock>if($_.InheritedAddressSpace -eq 0){$False}else{$True}</ScriptBlock>
+ </ListItem>
+ <ListItem>
+ <Label>ReadImageFileExecOptions</Label>
+ <ScriptBlock>if($_.ReadImageFileExecOptions -eq 0){$False}else{$True}</ScriptBlock>
+ </ListItem>
+ <ListItem>
+ <Label>BeingDebugged</Label>
+ <ScriptBlock>if($_.BeingDebugged -eq 0){$False}else{$True}</ScriptBlock>
+ </ListItem>
+ <ListItem>
+ <PropertyName>ImageUsesLargePages</PropertyName>
+ </ListItem>
+ <ListItem>
+ <Label>Mutant</Label>
+ <ScriptBlock>"0x$($_.Mutant.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
+ </ListItem>
+ <ListItem>
+ <Label>ImageBaseAddress</Label>
+ <ScriptBlock>"0x$($_.ImageBaseAddress.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
+ </ListItem>
+ <ListItem>
+ <PropertyName>Ldr</PropertyName>
+ </ListItem>
+ <ListItem>
+ <PropertyName>InLoadOrderModuleList</PropertyName>
+ </ListItem>
+ <ListItem>
+ <PropertyName>InMemoryOrderModuleList</PropertyName>
+ </ListItem>
+ <ListItem>
+ <PropertyName>InInitializationOrderModuleList</PropertyName>
+ </ListItem>
+ <ListItem>
+ <Label>ProcessParameters</Label>
+ <ScriptBlock>"0x$($_.ProcessParameters.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
+ </ListItem>
+ <ListItem>
+ <Label>SubSystemData</Label>
+ <ScriptBlock>"0x$($_.SubSystemData.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
+ </ListItem>
+ <ListItem>
+ <Label>ProcessHeap</Label>
+ <ScriptBlock>"0x$($_.ProcessHeap.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
+ </ListItem>
+ <ListItem>
+ <Label>FastPebLock</Label>
+ <ScriptBlock>"0x$($_.FastPebLock.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
+ </ListItem>
+ <ListItem>
+ <Label>AtlThunkSListPtr</Label>
+ <ScriptBlock>"0x$($_.AtlThunkSListPtr.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
+ </ListItem>
+ <ListItem>
+ <Label>SparePtr2</Label>
+ <ScriptBlock>"0x$($_.SparePtr2.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
+ </ListItem>
+ <ListItem>
+ <PropertyName>EnvironmentUpdateCount</PropertyName>
+ <FormatString>0x{0:X8}</FormatString>
+ </ListItem>
+ <ListItem>
+ <Label>KernelCallbackTable</Label>
+ <ScriptBlock>"0x$($_.KernelCallbackTable.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
+ </ListItem>
+ <ListItem>
+ <PropertyName>SystemReserved</PropertyName>
+ <FormatString>0x{0:X8}</FormatString>
+ </ListItem>
+ <ListItem>
+ <PropertyName>AtlThunkSListPtr32</PropertyName>
+ <FormatString>0x{0:X8}</FormatString>
+ </ListItem>
+ <ListItem>
+ <Label>ApiSetMap</Label>
+ <ScriptBlock>"0x$($_.ApiSetMap.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
+ </ListItem>
+ <ListItem>
+ <PropertyName>TlsExpansionCounter</PropertyName>
+ <FormatString>0x{0:X8}</FormatString>
+ </ListItem>
+ <ListItem>
+ <Label>TlsBitmap</Label>
+ <ScriptBlock>"0x$($_.TlsBitmap.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
+ </ListItem>
+ <ListItem>
+ <Label>TlsBitmapBits</Label>
+ <ScriptBlock>($_.TlsBitmapBits | % { "0x$($_.ToString('X8'))" }) -join ','</ScriptBlock>
+ </ListItem>
+ <ListItem>
+ <Label>ReadOnlySharedMemoryBase</Label>
+ <ScriptBlock>"0x$($_.ReadOnlySharedMemoryBase.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
+ </ListItem>
+ <ListItem>
+ <Label>ReadOnlySharedMemoryHeap</Label>
+ <ScriptBlock>"0x$($_.ReadOnlySharedMemoryHeap.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
+ </ListItem>
+ <ListItem>
+ <Label>ReadOnlyStaticServerData</Label>
+ <ScriptBlock>"0x$($_.ReadOnlyStaticServerData.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
+ </ListItem>
+ <ListItem>
+ <Label>AnsiCodePageData</Label>
+ <ScriptBlock>"0x$($_.AnsiCodePageData.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
+ </ListItem>
+ <ListItem>
+ <Label>OemCodePageData</Label>
+ <ScriptBlock>"0x$($_.OemCodePageData.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
+ </ListItem>
+ <ListItem>
+ <Label>UnicodeCaseTableData</Label>
+ <ScriptBlock>"0x$($_.UnicodeCaseTableData.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
+ </ListItem>
+ <ListItem>
+ <PropertyName>NumberOfProcessors</PropertyName>
+ <FormatString>0x{0:X8}</FormatString>
+ </ListItem>
+ <ListItem>
+ <PropertyName>NtGlobalFlag</PropertyName>
+ <FormatString>0x{0:X8}</FormatString>
+ </ListItem>
+ <ListItem>
+ <PropertyName>CriticalSectionTimeout</PropertyName>
+ <FormatString>0x{0:X16}</FormatString>
+ </ListItem>
+ <ListItem>
+ <Label>HeapSegmentReserve</Label>
+ <ScriptBlock>"0x$($_.HeapSegmentReserve.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
+ </ListItem>
+ <ListItem>
+ <Label>HeapSegmentCommit</Label>
+ <ScriptBlock>"0x$($_.HeapSegmentCommit.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
+ </ListItem>
+ <ListItem>
+ <Label>HeapDeCommitTotalFreeThreshold</Label>
+ <ScriptBlock>"0x$($_.HeapDeCommitTotalFreeThreshold.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
+ </ListItem>
+ <ListItem>
+ <Label>HeapDeCommitFreeBlockThreshold</Label>
+ <ScriptBlock>"0x$($_.HeapDeCommitFreeBlockThreshold.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
+ </ListItem>
+ <ListItem>
+ <PropertyName>NumberOfHeaps</PropertyName>
+ <FormatString>0x{0:X8}</FormatString>
+ </ListItem>
+ <ListItem>
+ <PropertyName>MaximumNumberOfHeaps</PropertyName>
+ <FormatString>0x{0:X8}</FormatString>
+ </ListItem>
+ <ListItem>
+ <Label>ProcessHeaps</Label>
+ <ScriptBlock>"0x$($_.ProcessHeaps.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
+ </ListItem>
+ <ListItem>
+ <Label>GdiSharedHandleTable</Label>
+ <ScriptBlock>"0x$($_.GdiSharedHandleTable.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
+ </ListItem>
+ <ListItem>
+ <Label>ProcessStarterHelper</Label>
+ <ScriptBlock>"0x$($_.ProcessStarterHelper.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
+ </ListItem>
+ <ListItem>
+ <PropertyName>GdiDCAttributeList</PropertyName>
+ <FormatString>0x{0:X8}</FormatString>
+ </ListItem>
+ <ListItem>
+ <Label>LoaderLock</Label>
+ <ScriptBlock>"0x$($_.LoaderLock.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
+ </ListItem>
+ <ListItem>
+ <PropertyName>OSMajorVersion</PropertyName>
+ </ListItem>
+ <ListItem>
+ <PropertyName>OSMinorVersion</PropertyName>
+ </ListItem>
+ <ListItem>
+ <PropertyName>OSBuildNumber</PropertyName>
+ </ListItem>
+ <ListItem>
+ <PropertyName>OSCSDVersion</PropertyName>
+ </ListItem>
+ <ListItem>
+ <PropertyName>OSPlatformId</PropertyName>
+ </ListItem>
+ <ListItem>
+ <PropertyName>ImageSubsystem</PropertyName>
+ </ListItem>
+ <ListItem>
+ <PropertyName>ImageSubsystemMajorVersion</PropertyName>
+ </ListItem>
+ <ListItem>
+ <PropertyName>ImageSubsystemMinorVersion</PropertyName>
+ </ListItem>
+ <ListItem>
+ <Label>ActiveProcessAffinityMask</Label>
+ <ScriptBlock>"0x$($_.ActiveProcessAffinityMask.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
+ </ListItem>
+ <ListItem>
+ <Label>GdiHandleBuffer</Label>
+ <ScriptBlock>($_.GdiHandleBuffer | % { "0x$($_.ToString('X8'))" }) -join ','</ScriptBlock>
+ </ListItem>
+ <ListItem>
+ <Label>PostProcessInitRoutine</Label>
+ <ScriptBlock>"0x$($_.PostProcessInitRoutine.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
+ </ListItem>
+ <ListItem>
+ <Label>TlsExpansionBitmap</Label>
+ <ScriptBlock>"0x$($_.TlsExpansionBitmap.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
+ </ListItem>
+ <ListItem>
+ <Label>TlsExpansionBitmapBits</Label>
+ <ScriptBlock>($_.TlsExpansionBitmapBits | % { "0x$($_.ToString('X8'))" }) -join ','</ScriptBlock>
+ </ListItem>
+ <ListItem>
+ <PropertyName>SessionId</PropertyName>
+ <FormatString>0x{0:X8}</FormatString>
+ </ListItem>
+ <ListItem>
+ <PropertyName>AppCompatFlags</PropertyName>
+ <FormatString>0x{0:X16}</FormatString>
+ </ListItem>
+ <ListItem>
+ <PropertyName>AppCompatFlagsUser</PropertyName>
+ <FormatString>0x{0:X16}</FormatString>
+ </ListItem>
+ <ListItem>
+ <Label>pShimData</Label>
+ <ScriptBlock>"0x$($_.pShimData.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
+ </ListItem>
+ <ListItem>
+ <PropertyName>AppCompatInfo</PropertyName>
+ <FormatString>0x{0:X8}</FormatString>
+ </ListItem>
+ <ListItem>
+ <PropertyName>CSDVersion</PropertyName>
+ </ListItem>
+ <ListItem>
+ <Label>ActivationContextData</Label>
+ <ScriptBlock>"0x$($_.ActivationContextData.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
+ </ListItem>
+ <ListItem>
+ <Label>ProcessAssemblyStorageMap</Label>
+ <ScriptBlock>"0x$($_.ProcessAssemblyStorageMap.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
+ </ListItem>
+ <ListItem>
+ <Label>SystemDefaultActivationContextData</Label>
+ <ScriptBlock>"0x$($_.SystemDefaultActivationContextData.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
+ </ListItem>
+ <ListItem>
+ <Label>SystemAssemblyStorageMap</Label>
+ <ScriptBlock>"0x$($_.SystemAssemblyStorageMap.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
+ </ListItem>
+ <ListItem>
+ <Label>MinimumStackCommit</Label>
+ <ScriptBlock>"0x$($_.MinimumStackCommit.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
+ </ListItem>
+ <ListItem>
+ <Label>FlsCallback</Label>
+ <ScriptBlock>"0x$($_.FlsCallback.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
+ </ListItem>
+ <ListItem>
+ <PropertyName>FlsListHead</PropertyName>
+ </ListItem>
+ <ListItem>
+ <Label>FlsBitmap</Label>
+ <ScriptBlock>"0x$($_.FlsBitmap.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
+ </ListItem>
+ <ListItem>
+ <Label>FlsBitmapBits</Label>
+ <ScriptBlock>($_.FlsBitmapBits | % { "0x$($_.ToString('X8'))" }) -join ','</ScriptBlock>
+ </ListItem>
+ <ListItem>
+ <PropertyName>FlsHighIndex</PropertyName>
+ <FormatString>0x{0:X8}</FormatString>
+ </ListItem>
+ </ListItems>
+ </ListEntry>
+ </ListEntries>
+ </ListControl>
+ </View>
+ <View>
+ <Name>ProcessEnvironmentBlock_XPView</Name>
+ <ViewSelectedBy>
+ <TypeName>PEB.XP</TypeName>
+ </ViewSelectedBy>
+ <ListControl>
+ <ListEntries>
+ <ListEntry>
+ <ListItems>
+ <ListItem>
+ <PropertyName>ProcessName</PropertyName>
+ </ListItem>
+ <ListItem>
+ <PropertyName>ProcessId</PropertyName>
+ </ListItem>
+ <ListItem>
+ <Label>InheritedAddressSpace</Label>
+ <ScriptBlock>if($_.InheritedAddressSpace -eq 0){$False}else{$True}</ScriptBlock>
+ </ListItem>
+ <ListItem>
+ <Label>ReadImageFileExecOptions</Label>
+ <ScriptBlock>if($_.ReadImageFileExecOptions -eq 0){$False}else{$True}</ScriptBlock>
+ </ListItem>
+ <ListItem>
+ <Label>BeingDebugged</Label>
+ <ScriptBlock>if($_.BeingDebugged -eq 0){$False}else{$True}</ScriptBlock>
+ </ListItem>
+ <ListItem>
+ <Label>Mutant</Label>
+ <ScriptBlock>"0x$($_.Mutant.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
+ </ListItem>
+ <ListItem>
+ <Label>ImageBaseAddress</Label>
+ <ScriptBlock>"0x$($_.ImageBaseAddress.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
+ </ListItem>
+ <ListItem>
+ <PropertyName>Ldr</PropertyName>
+ </ListItem>
+ <ListItem>
+ <PropertyName>InLoadOrderModuleList</PropertyName>
+ </ListItem>
+ <ListItem>
+ <PropertyName>InMemoryOrderModuleList</PropertyName>
+ </ListItem>
+ <ListItem>
+ <PropertyName>InInitializationOrderModuleList</PropertyName>
+ </ListItem>
+ <ListItem>
+ <Label>ProcessParameters</Label>
+ <ScriptBlock>"0x$($_.ProcessParameters.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
+ </ListItem>
+ <ListItem>
+ <Label>SubSystemData</Label>
+ <ScriptBlock>"0x$($_.SubSystemData.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
+ </ListItem>
+ <ListItem>
+ <Label>ProcessHeap</Label>
+ <ScriptBlock>"0x$($_.ProcessHeap.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
+ </ListItem>
+ <ListItem>
+ <Label>FastPebLock</Label>
+ <ScriptBlock>"0x$($_.FastPebLock.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
+ </ListItem>
+ <ListItem>
+ <Label>FastPebLockRoutine</Label>
+ <ScriptBlock>"0x$($_.FastPebLockRoutine.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
+ </ListItem>
+ <ListItem>
+ <Label>FastPebUnlockRoutine</Label>
+ <ScriptBlock>"0x$($_.FastPebUnlockRoutine.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
+ </ListItem>
+ <ListItem>
+ <PropertyName>EnvironmentUpdateCount</PropertyName>
+ <FormatString>0x{0:X8}</FormatString>
+ </ListItem>
+ <ListItem>
+ <Label>KernelCallbackTable</Label>
+ <ScriptBlock>"0x$($_.KernelCallbackTable.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
+ </ListItem>
+ <ListItem>
+ <PropertyName>SystemReserved</PropertyName>
+ <FormatString>0x{0:X8}</FormatString>
+ </ListItem>
+ <ListItem>
+ <PropertyName>AtlThunkSListPtr32</PropertyName>
+ <FormatString>0x{0:X8}</FormatString>
+ </ListItem>
+ <ListItem>
+ <Label>ApiSetMap</Label>
+ <ScriptBlock>"0x$($_.ApiSetMap.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
+ </ListItem>
+ <ListItem>
+ <PropertyName>TlsExpansionCounter</PropertyName>
+ <FormatString>0x{0:X8}</FormatString>
+ </ListItem>
+ <ListItem>
+ <Label>TlsBitmap</Label>
+ <ScriptBlock>"0x$($_.TlsBitmap.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
+ </ListItem>
+ <ListItem>
+ <Label>TlsBitmapBits</Label>
+ <ScriptBlock>($_.TlsBitmapBits | % { "0x$($_.ToString('X8'))" }) -join ','</ScriptBlock>
+ </ListItem>
+ <ListItem>
+ <Label>ReadOnlySharedMemoryBase</Label>
+ <ScriptBlock>"0x$($_.ReadOnlySharedMemoryBase.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
+ </ListItem>
+ <ListItem>
+ <Label>ReadOnlySharedMemoryHeap</Label>
+ <ScriptBlock>"0x$($_.ReadOnlySharedMemoryHeap.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
+ </ListItem>
+ <ListItem>
+ <Label>ReadOnlyStaticServerData</Label>
+ <ScriptBlock>"0x$($_.ReadOnlyStaticServerData.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
+ </ListItem>
+ <ListItem>
+ <Label>AnsiCodePageData</Label>
+ <ScriptBlock>"0x$($_.AnsiCodePageData.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
+ </ListItem>
+ <ListItem>
+ <Label>OemCodePageData</Label>
+ <ScriptBlock>"0x$($_.OemCodePageData.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
+ </ListItem>
+ <ListItem>
+ <Label>UnicodeCaseTableData</Label>
+ <ScriptBlock>"0x$($_.UnicodeCaseTableData.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
+ </ListItem>
+ <ListItem>
+ <PropertyName>NumberOfProcessors</PropertyName>
+ <FormatString>0x{0:X8}</FormatString>
+ </ListItem>
+ <ListItem>
+ <PropertyName>NtGlobalFlag</PropertyName>
+ <FormatString>0x{0:X8}</FormatString>
+ </ListItem>
+ <ListItem>
+ <PropertyName>CriticalSectionTimeout</PropertyName>
+ <FormatString>0x{0:X16}</FormatString>
+ </ListItem>
+ <ListItem>
+ <Label>HeapSegmentReserve</Label>
+ <ScriptBlock>"0x$($_.HeapSegmentReserve.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
+ </ListItem>
+ <ListItem>
+ <Label>HeapSegmentCommit</Label>
+ <ScriptBlock>"0x$($_.HeapSegmentCommit.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
+ </ListItem>
+ <ListItem>
+ <Label>HeapDeCommitTotalFreeThreshold</Label>
+ <ScriptBlock>"0x$($_.HeapDeCommitTotalFreeThreshold.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
+ </ListItem>
+ <ListItem>
+ <Label>HeapDeCommitFreeBlockThreshold</Label>
+ <ScriptBlock>"0x$($_.HeapDeCommitFreeBlockThreshold.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
+ </ListItem>
+ <ListItem>
+ <PropertyName>NumberOfHeaps</PropertyName>
+ <FormatString>0x{0:X8}</FormatString>
+ </ListItem>
+ <ListItem>
+ <PropertyName>MaximumNumberOfHeaps</PropertyName>
+ <FormatString>0x{0:X8}</FormatString>
+ </ListItem>
+ <ListItem>
+ <Label>ProcessHeaps</Label>
+ <ScriptBlock>"0x$($_.ProcessHeaps.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
+ </ListItem>
+ <ListItem>
+ <Label>GdiSharedHandleTable</Label>
+ <ScriptBlock>"0x$($_.GdiSharedHandleTable.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
+ </ListItem>
+ <ListItem>
+ <Label>ProcessStarterHelper</Label>
+ <ScriptBlock>"0x$($_.ProcessStarterHelper.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
+ </ListItem>
+ <ListItem>
+ <PropertyName>GdiDCAttributeList</PropertyName>
+ <FormatString>0x{0:X8}</FormatString>
+ </ListItem>
+ <ListItem>
+ <Label>LoaderLock</Label>
+ <ScriptBlock>"0x$($_.LoaderLock.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
+ </ListItem>
+ <ListItem>
+ <PropertyName>OSMajorVersion</PropertyName>
+ </ListItem>
+ <ListItem>
+ <PropertyName>OSMinorVersion</PropertyName>
+ </ListItem>
+ <ListItem>
+ <PropertyName>OSBuildNumber</PropertyName>
+ </ListItem>
+ <ListItem>
+ <PropertyName>OSCSDVersion</PropertyName>
+ </ListItem>
+ <ListItem>
+ <PropertyName>OSPlatformId</PropertyName>
+ </ListItem>
+ <ListItem>
+ <PropertyName>ImageSubsystem</PropertyName>
+ </ListItem>
+ <ListItem>
+ <PropertyName>ImageSubsystemMajorVersion</PropertyName>
+ </ListItem>
+ <ListItem>
+ <PropertyName>ImageSubsystemMinorVersion</PropertyName>
+ </ListItem>
+ <ListItem>
+ <Label>ActiveProcessAffinityMask</Label>
+ <ScriptBlock>"0x$($_.ActiveProcessAffinityMask.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
+ </ListItem>
+ <ListItem>
+ <Label>GdiHandleBuffer</Label>
+ <ScriptBlock>($_.GdiHandleBuffer | % { "0x$($_.ToString('X8'))" }) -join ','</ScriptBlock>
+ </ListItem>
+ <ListItem>
+ <Label>PostProcessInitRoutine</Label>
+ <ScriptBlock>"0x$($_.PostProcessInitRoutine.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
+ </ListItem>
+ <ListItem>
+ <Label>TlsExpansionBitmap</Label>
+ <ScriptBlock>"0x$($_.TlsExpansionBitmap.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
+ </ListItem>
+ <ListItem>
+ <Label>TlsExpansionBitmapBits</Label>
+ <ScriptBlock>($_.TlsExpansionBitmapBits | % { "0x$($_.ToString('X8'))" }) -join ','</ScriptBlock>
+ </ListItem>
+ <ListItem>
+ <PropertyName>SessionId</PropertyName>
+ <FormatString>0x{0:X8}</FormatString>
+ </ListItem>
+ <ListItem>
+ <PropertyName>AppCompatFlags</PropertyName>
+ <FormatString>0x{0:X16}</FormatString>
+ </ListItem>
+ <ListItem>
+ <PropertyName>AppCompatFlagsUser</PropertyName>
+ <FormatString>0x{0:X16}</FormatString>
+ </ListItem>
+ <ListItem>
+ <Label>pShimData</Label>
+ <ScriptBlock>"0x$($_.pShimData.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
+ </ListItem>
+ <ListItem>
+ <PropertyName>AppCompatInfo</PropertyName>
+ <FormatString>0x{0:X8}</FormatString>
+ </ListItem>
+ <ListItem>
+ <PropertyName>CSDVersion</PropertyName>
+ </ListItem>
+ <ListItem>
+ <Label>ActivationContextData</Label>
+ <ScriptBlock>"0x$($_.ActivationContextData.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
+ </ListItem>
+ <ListItem>
+ <Label>ProcessAssemblyStorageMap</Label>
+ <ScriptBlock>"0x$($_.ProcessAssemblyStorageMap.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
+ </ListItem>
+ <ListItem>
+ <Label>SystemDefaultActivationContextData</Label>
+ <ScriptBlock>"0x$($_.SystemDefaultActivationContextData.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
+ </ListItem>
+ <ListItem>
+ <Label>SystemAssemblyStorageMap</Label>
+ <ScriptBlock>"0x$($_.SystemAssemblyStorageMap.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
+ </ListItem>
+ <ListItem>
+ <Label>MinimumStackCommit</Label>
+ <ScriptBlock>"0x$($_.MinimumStackCommit.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
+ </ListItem>
+ </ListItems>
+ </ListEntry>
+ </ListEntries>
+ </ListControl>
+ </View>
+ <View>
+ <Name>ProcessEnvironmentBlock_ModuleEntryView</Name>
+ <ViewSelectedBy>
+ <TypeName>PEB.ModuleEntry</TypeName>
+ </ViewSelectedBy>
+ <ListControl>
+ <ListEntries>
+ <ListEntry>
+ <ListItems>
+ <ListItem>
+ <PropertyName>InLoadOrderModuleList</PropertyName>
+ </ListItem>
+ <ListItem>
+ <PropertyName>InMemoryOrderModuleList</PropertyName>
+ </ListItem>
+ <ListItem>
+ <PropertyName>InInitializationOrderModuleList</PropertyName>
+ </ListItem>
+ <ListItem>
+ <Label>BaseAddress</Label>
+ <ScriptBlock>"0x$($_.BaseAddress.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
+ </ListItem>
+ <ListItem>
+ <Label>EntryPoint</Label>
+ <ScriptBlock>"0x$($_.EntryPoint.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
+ </ListItem>
+ <ListItem>
+ <PropertyName>SizeOfImage</PropertyName>
+ <FormatString>0x{0:X8}</FormatString>
+ </ListItem>
+ <ListItem>
+ <PropertyName>FullDllName</PropertyName>
+ </ListItem>
+ <ListItem>
+ <PropertyName>BaseDllName</PropertyName>
+ </ListItem>
+ <ListItem>
+ <PropertyName>PackagedBinary</PropertyName>
+ </ListItem>
+ <ListItem>
+ <PropertyName>ImageDll</PropertyName>
+ </ListItem>
+ <ListItem>
+ <PropertyName>LoadNotificationsSent</PropertyName>
+ </ListItem>
+ <ListItem>
+ <PropertyName>TelemetryEntryProcessed</PropertyName>
+ </ListItem>
+ <ListItem>
+ <PropertyName>ProcessStaticImport</PropertyName>
+ </ListItem>
+ <ListItem>
+ <PropertyName>InLegacyLists</PropertyName>
+ </ListItem>
+ <ListItem>
+ <PropertyName>InIndexes</PropertyName>
+ </ListItem>
+ <ListItem>
+ <PropertyName>ShimDll</PropertyName>
+ </ListItem>
+ <ListItem>
+ <PropertyName>InExceptionTable</PropertyName>
+ </ListItem>
+ <ListItem>
+ <PropertyName>LoadInProgress</PropertyName>
+ </ListItem>
+ <ListItem>
+ <PropertyName>EntryProcessed</PropertyName>
+ </ListItem>
+ <ListItem>
+ <PropertyName>DontCallForThreads</PropertyName>
+ </ListItem>
+ <ListItem>
+ <PropertyName>ProcessAttachCalled</PropertyName>
+ </ListItem>
+ <ListItem>
+ <PropertyName>ProcessAttachFailed</PropertyName>
+ </ListItem>
+ <ListItem>
+ <PropertyName>CorDeferredValidate</PropertyName>
+ </ListItem>
+ <ListItem>
+ <PropertyName>CorImage</PropertyName>
+ </ListItem>
+ <ListItem>
+ <PropertyName>DontRelocate</PropertyName>
+ </ListItem>
+ <ListItem>
+ <PropertyName>CorILOnly</PropertyName>
+ </ListItem>
+ <ListItem>
+ <PropertyName>Redirected</PropertyName>
+ </ListItem>
+ <ListItem>
+ <PropertyName>CompatDatabaseProcessed</PropertyName>
+ </ListItem>
+ <ListItem>
+ <PropertyName>ObsoleteLoadCount</PropertyName>
+ <FormatString>0x{0:X4}</FormatString>
+ </ListItem>
+ <ListItem>
+ <PropertyName>TlsIndex</PropertyName>
+ <FormatString>0x{0:X4}</FormatString>
+ </ListItem>
+ <ListItem>
+ <PropertyName>HashLinks</PropertyName>
+ </ListItem>
+ <ListItem>
+ <PropertyName>TimeDateStamp</PropertyName>
+ </ListItem>
+ <ListItem>
+ <Label>EntryPointActivationContext</Label>
+ <ScriptBlock>"0x$($_.EntryPointActivationContext.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
+ </ListItem>
+ <ListItem>
+ <Label>PatchInformation</Label>
+ <ScriptBlock>"0x$($_.PatchInformation.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
+ </ListItem>
+ <ListItem>
+ <Label>DdagNode</Label>
+ <ScriptBlock>"0x$($_.DdagNode.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
+ </ListItem>
+ <ListItem>
+ <PropertyName>NodeModuleLink</PropertyName>
+ </ListItem>
+ <ListItem>
+ <Label>SnapContext</Label>
+ <ScriptBlock>"0x$($_.SnapContext.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
+ </ListItem>
+ <ListItem>
+ <Label>ParentDllBase</Label>
+ <ScriptBlock>"0x$($_.ParentDllBase.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
+ </ListItem>
+ <ListItem>
+ <Label>SwitchBackContext</Label>
+ <ScriptBlock>"0x$($_.SwitchBackContext.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
+ </ListItem>
+ <ListItem>
+ <PropertyName>BaseAddressIndexNode</PropertyName>
+ </ListItem>
+ <ListItem>
+ <PropertyName>MappingInfoIndexNode</PropertyName>
+ </ListItem>
+ <ListItem>
+ <Label>OriginalBase</Label>
+ <ScriptBlock>"0x$($_.OriginalBase.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
+ </ListItem>
+ <ListItem>
+ <PropertyName>LoadTime</PropertyName>
+ <FormatString>0x{0:X16}</FormatString>
+ </ListItem>
+ <ListItem>
+ <PropertyName>BaseNameHashValue</PropertyName>
+ <FormatString>0x{0:X8}</FormatString>
+ </ListItem>
+ <ListItem>
+ <PropertyName>LoadReason</PropertyName>
+ </ListItem>
+ </ListItems>
+ </ListEntry>
+ </ListEntries>
+ </ListControl>
+ </View>
+ </ViewDefinitions>
+</Configuration>
\ No newline at end of file
diff --git a/ReverseEngineering/Get-PEB.ps1 b/ReverseEngineering/Get-PEB.ps1
new file mode 100644
index 0000000..6dbd55a
--- /dev/null
+++ b/ReverseEngineering/Get-PEB.ps1
@@ -0,0 +1,1017 @@
+function Get-PEB
+{
+<#
+.SYNOPSIS
+
+Returns the process environment block (PEB) of a process.
+
+PowerSploit Module - Get-PEB
+Author: Matthew Graeber (@mattifestation)
+License: BSD 3-Clause
+Required Dependencies: None
+Optional Dependencies: Get-PEB.format.ps1xml
+
+.DESCRIPTION
+
+Get-PEB returns a fully parsed process environment block (PEB) of any process. Because the PEB and its underlying structure differ according to OS version and architecture, Get-PEB builds the PEB dynamically at runtime. Get-PEB is designed to work in Windows XP - Windows 8 32/64-bit. It will also return the PEB of Wow64 processes.
+
+.PARAMETER Id
+
+The process ID of the process whose PEB will be retrieved.
+
+.EXAMPLE
+
+C:\PS> $AllPEBs = Get-Process | Get-PEB
+
+Description
+-----------
+Get the PEB of every process. Note: To get the PEBs for all processes, run this command from an elevated instance of PowerShell
+
+.EXAMPLE
+
+C:\PS> $NotepadPEB = Get-PEB -Id (ps notepad)
+C:\PS> $NotepadPEB.InInitializationOrderModuleList
+
+Description
+-----------
+Display all loaded modules of the notepad process in initialization order.
+
+.NOTES
+
+Some processes will not issue a handle unless you are running Get-PEB from an elevated instance of PowerShell.
+
+.LINK
+
+http://www.exploit-monday.com/2013/01/Get-PEB.html
+http://msdn.microsoft.com/en-us/library/windows/desktop/aa813706(v=vs.85).aspx
+#>
+
+ [CmdletBinding()] Param (
+ [Parameter(Position = 0, Mandatory = $True, ValueFromPipelineByPropertyName = $True)]
+ [Alias('PID')]
+ [UInt16[]]
+ $Id
+ )
+
+ BEGIN
+ {
+ Set-StrictMode -Version 2
+
+ # Load custom object formatting views
+ if (Test-Path .\Get-PEB.format.ps1xml)
+ {
+ Update-FormatData -PrependPath .\Get-PEB.format.ps1xml -ErrorAction SilentlyContinue
+ }
+ else
+ {
+ try { Update-FormatData -PrependPath (Join-Path $PSScriptRoot Get-PEB.format.ps1xml) -ErrorAction SilentlyContinue }
+ catch { Write-Warning 'To ensure proper output display, place Get-PEB.format.ps1xml in the same folder as this script.' }
+ }
+
+ $mscorlib = [AppDomain]::CurrentDomain.GetAssemblies() | ? { $_.FullName.Split(',')[0].ToLower() -eq 'mscorlib' }
+ $Win32Native = $mscorlib.GetTypes() | ? { $_.FullName -eq 'Microsoft.Win32.Win32Native' }
+
+ if ($Win32Native -eq $null)
+ {
+ throw 'Unable to get a reference to type: Microsoft.Win32.Win32Native'
+ }
+
+ function Local:Get-NTStatusException
+ {
+ [CmdletBinding()] Param (
+ [Parameter(Position = 0, Mandatory = $True, ValueFromPipeline = $True)]
+ [Int32[]]
+ $ErrorCode
+ )
+
+ BEGIN
+ {
+ $LsaNtStatusToWinError = $Win32Native.GetMethod('LsaNtStatusToWinError', [Reflection.BindingFlags] 'NonPublic, Static')
+ $GetMessage = $Win32Native.GetMethod('GetMessage', [Reflection.BindingFlags] 'NonPublic, Static')
+ }
+ PROCESS
+ {
+ foreach ($Error in $ErrorCode)
+ {
+ $WinErrorCode = $LsaNtStatusToWinError.Invoke($null, @($ErrorCode))
+
+ Write-Output $GetMessage.Invoke($null, @($WinErrorCode))
+ }
+ }
+ END{}
+ }
+
+ # The return value from Get-WindowsNTDDIVersion will be compared against these values to determine the structure of the PEB.
+ $NTDDI_VISTA = 0x06000000
+ $NTDDI_WS03 = 0x05020000
+ $NTDDI_WINXP = 0x05010000
+
+ function Local:Get-WindowsNTDDIVersion
+ {
+ # Return Windows version information as NTDDI_VERSION as defined in SdkDdkVer.h
+ # This will aid in determining version specific PEB fields to return
+ # Could this be accomplished with `Get-WmiObject Win32_OperatingSystem`? Yes, but I prefer not rely upon services that might be turned off.
+ $OSVersionInfoEx = $Win32Native.GetNestedTypes('NonPublic') | ? { $_.FullName -eq 'Microsoft.Win32.Win32Native+OSVERSIONINFOEX' }
+
+ if ($OSVersionInfoEx -eq $null)
+ {
+ Write-Error "Unable to get a reference to kernel32!OSVersionInfoEx."
+ return
+ }
+
+ $MajorVersion = $OSVersionInfoEx.GetField('MajorVersion', [Reflection.BindingFlags] 'NonPublic, Instance')
+ $MinorVersion = $OSVersionInfoEx.GetField('MinorVersion', [Reflection.BindingFlags] 'NonPublic, Instance')
+ $ServicePackMajor = $OSVersionInfoEx.GetField('ServicePackMajor', [Reflection.BindingFlags] 'NonPublic, Instance')
+ $ServicePackMinor = $OSVersionInfoEx.GetField('ServicePackMinor', [Reflection.BindingFlags] 'NonPublic, Instance')
+ $ProductTypeField = $OSVersionInfoEx.GetField('ProductType', [Reflection.BindingFlags] 'NonPublic, Instance')
+
+ $OSVersionInfoContructor = $OSVersionInfoEx.GetConstructors()[0]
+ $OSVersionEx = $OSVersionInfoContructor.Invoke($null)
+ # This version is present in .NET 2
+ $GetVersionEx = $Win32Native.GetMethod('GetVersionEx', [Reflection.BindingFlags] 'NonPublic, Static', $null, @($OSVersionInfoEx), $null)
+ if ($GetVersionEx -eq $null)
+ {
+ # This version is present in .NET 4
+ $GetVersionEx = [Environment].GetMethod('GetVersionEx', [Reflection.BindingFlags] 'NonPublic, Static', $null, @($OSVersionInfoEx), $null)
+ }
+ if ($GetVersionEx -eq $null)
+ {
+ Write-Error "Unable to get a reference to GetVersionEx method."
+ return
+ }
+ $Success = $GetVersionEx.Invoke($null, @($OSVersionEx))
+
+ if (-not $Success)
+ {
+ Write-Error ([ComponentModel.Win32Exception][Runtime.InteropServices.Marshal]::GetLastWin32Error())
+ return
+ }
+
+ # Build the version string
+ $Version = [Int32] "0x$($MajorVersion.GetValue($OSVersionEx).ToString('D2'))$($MinorVersion.GetValue($OSVersionEx).ToString('D2'))$($ServicePackMajor.GetValue($OSVersionEx).ToString('D2'))$($ServicePackMinor.GetValue($OSVersionEx).ToString('D2'))"
+ $ProductType = $ProductTypeField.GetValue($OSVersionEx)
+
+ if ($Version -lt $NTDDI_WINXP)
+ {
+ throw 'Could not determine the correct Windows version! Windows ME, Windows 3.1, and OS/2 Warp are not supported. :P'
+ }
+
+ Write-Output $Version
+ }
+
+ $NTDDI_VERSION = Get-WindowsNTDDIVersion
+
+ try { $NativeMethods = @([AppDomain]::CurrentDomain.GetAssemblies() | % { $_.GetTypes() } | ? { $_.FullName -eq 'Microsoft.Win32.NativeMethods' })[0] } catch {}
+ $NtProcessBasicInfo = $NativeMethods.GetNestedType('NtProcessBasicInfo', [Reflection.BindingFlags]::NonPublic)
+ $NtProcessBasicInfoConstructor = $NtProcessBasicInfo.GetConstructors()[0]
+ $ProcessBasicInfo = $NtProcessBasicInfoConstructor.Invoke($null)
+
+ $GetProcessHandle = [Diagnostics.Process].GetMethod('GetProcessHandle', [Reflection.BindingFlags] 'NonPublic, Instance', $null, @([Int]), $null)
+ $PROCESS_QUERY_INFORMATION = 0x400
+ $PROCESS_VM_READ = 0x0010
+
+ # Sanity check to make sure that we can proceed. Without proper references, a call to NtQueryInformationProcess will crash PowerShell.
+ if ($ProcessBasicInfo -eq $null)
+ {
+ Write-Error "Unable to get a reference to ProcessBasicInfo."
+ return
+ }
+
+ $MEMORY_BASIC_INFORMATION = $Win32Native.GetNestedType('MEMORY_BASIC_INFORMATION', [Reflection.BindingFlags] 'NonPublic')
+
+ if ($MEMORY_BASIC_INFORMATION -eq $null)
+ {
+ Write-Error 'Unable to get a reference to the MEMORY_BASIC_INFORMATION structure.'
+ return
+ }
+
+ $OSArchitecture = (Get-WmiObject Win32_Processor).DataWidth
+
+ try { $NativeUtils = [NativeUtils] } catch [Management.Automation.RuntimeException] # Only build the assembly if it hasn't already been defined
+ {
+ $DynAssembly = New-Object Reflection.AssemblyName('MemHacker')
+ $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly($DynAssembly, [Reflection.Emit.AssemblyBuilderAccess]::Run)
+ $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule('MemHacker', $False)
+ $Attributes = 'AutoLayout, AnsiClass, Class, Public, SequentialLayout, Sealed, BeforeFieldInit'
+ $TypeBuilder = $ModuleBuilder.DefineType('NativeUtils', $Attributes, [ValueType])
+ $TypeBuilder.DefinePInvokeMethod('ReadProcessMemory', 'kernel32.dll', [Reflection.MethodAttributes] 'Public, Static', [Reflection.CallingConventions]::Standard, [Bool], @([IntPtr], [IntPtr], [IntPtr], [UInt32], [UInt32].MakeByRefType()), [Runtime.InteropServices.CallingConvention]::Winapi, 'Auto') | Out-Null
+ $TypeBuilder.DefinePInvokeMethod('VirtualQueryEx', 'kernel32.dll', [Reflection.MethodAttributes] 'Public, Static', [Reflection.CallingConventions]::Standard, [UInt32], @([IntPtr], [IntPtr], $MEMORY_BASIC_INFORMATION.MakeByRefType(), [UInt32]), [Runtime.InteropServices.CallingConvention]::Winapi, 'Auto') | Out-Null
+ if ($OSArchitecture -eq 64)
+ {
+ $TypeBuilder.DefinePInvokeMethod('IsWow64Process', 'kernel32.dll', [Reflection.MethodAttributes] 'Public, Static', [Reflection.CallingConventions]::Standard, [Bool], @([IntPtr], [Bool].MakeByRefType()), [Runtime.InteropServices.CallingConvention]::Winapi, 'Auto') | Out-Null
+ }
+ $TypeBuilder.DefinePInvokeMethod('NtQueryInformationProcess', 'ntdll.dll', [Reflection.MethodAttributes] 'Public, Static', [Reflection.CallingConventions]::Standard, [UInt32], @([IntPtr], [Int], $NtProcessBasicInfo, [Int], [IntPtr]), [Runtime.InteropServices.CallingConvention]::Winapi, 'Auto') | Out-Null
+ $NativeUtils = $TypeBuilder.CreateType()
+ }
+
+ #region Determine OS/Process/PowerShell bitness
+
+ # Get PowerShell's bit-ness accordingly to [IntPtr]::Size. The bitness of PowerShell is used as the basis for determining
+ # the bitness of the processes you're interested in. For example, calling Get-Process from 32-bit PowerShell will only
+ # return 32-bit processes. Get-Process on 64-bit PowerShell however will return 64-bit and Wow64 processes.
+ if ([IntPtr]::Size -eq 4)
+ {
+ $PowerShellArchitecture = 32
+ }
+ else
+ {
+ $PowerShellArchitecture = 64
+ }
+ #endregion
+
+ #region Build PEB structure dynamically
+ try
+ {
+ $PEBStruct = [_PEB]
+ $UnicodeStringStruct = [_UNICODE_STRING]
+ $ListEntryStruct = [_LIST_ENTRY]
+ $LdrDataStruct = [_PEB_LDR_DATA]
+ $BalancedNodeStruct = [_RTL_BALANCED_NODE]
+ $LoadReasonEnum = [_LDR_DLL_LOAD_REASON]
+ $LdrModuleStruct = [_LDR_DATA_TABLE_ENTRY]
+ }
+ catch
+ {
+ # Note: Once this strcuture is built, it cannot be rebuilt or unloaded without restarting PowerShell
+ $DynAssembly = New-Object Reflection.AssemblyName('PEBTools')
+ $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly($DynAssembly, [Reflection.Emit.AssemblyBuilderAccess]::Run)
+ $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule('PEBModule', $False)
+ $Attributes = 'AutoLayout, AnsiClass, Class, Public, SequentialLayout, Sealed, BeforeFieldInit'
+ $TypeBuilder = $ModuleBuilder.DefineType('_PEB', $Attributes, [ValueType])
+
+ $ConstructorInfo = [Runtime.InteropServices.MarshalAsAttribute].GetConstructors()[0]
+ $ConstructorValue = [Runtime.InteropServices.UnmanagedType]::ByValArray
+ $FieldArray = @([Runtime.InteropServices.MarshalAsAttribute].GetField('SizeConst'))
+
+ # Build type for _UNICODE_STRING
+ $UnicodeTypeBuilder = $ModuleBuilder.DefineType('_UNICODE_STRING', $Attributes, [ValueType])
+ $UnicodeTypeBuilder.DefineField('Length', [UInt16], 'Public') | Out-Null
+ $UnicodeTypeBuilder.DefineField('MaximumLength', [UInt16], 'Public') | Out-Null
+ $UnicodeTypeBuilder.DefineField('Buffer', [IntPtr], 'Public') | Out-Null
+ $UnicodeStringStruct = $UnicodeTypeBuilder.CreateType()
+
+ # Build type for _LIST_ENTRY
+ $ListEntryTypeBuilder = $ModuleBuilder.DefineType('_LIST_ENTRY', $Attributes, [System.ValueType])
+ $ListEntryTypeBuilder.DefineField('Flink', [IntPtr], 'Public') | Out-Null
+ $ListEntryTypeBuilder.DefineField('Blink', [IntPtr], 'Public') | Out-Null
+ $ListEntryStruct = $ListEntryTypeBuilder.CreateType()
+
+ # Build type for _PEB_LDR_DATA
+ $PEBLdrDataTypeBuilder = $ModuleBuilder.DefineType('_PEB_LDR_DATA', $Attributes, [System.ValueType])
+ $PEBLdrDataTypeBuilder.DefineField('Length', [UInt32], 'Public') | Out-Null
+ $InitializedField = $PEBLdrDataTypeBuilder.DefineField('Initialized', [Byte[]], 'Public')
+ $AttribBuilder = New-Object Reflection.Emit.CustomAttributeBuilder($ConstructorInfo, $ConstructorValue, $FieldArray, @([Int32] 4))
+ $InitializedField.SetCustomAttribute($AttribBuilder)
+ $PEBLdrDataTypeBuilder.DefineField('SsHandle', [IntPtr], 'Public') | Out-Null
+ $PEBLdrDataTypeBuilder.DefineField('InLoadOrderModuleList', [_LIST_ENTRY], 'Public') | Out-Null
+ $PEBLdrDataTypeBuilder.DefineField('InMemoryOrderModuleList', [_LIST_ENTRY], 'Public') | Out-Null
+ $PEBLdrDataTypeBuilder.DefineField('InInitializationOrderModuleList', [_LIST_ENTRY], 'Public') | Out-Null
+ $PEBLdrDataTypeBuilder.DefineField('EntryInProgress', [IntPtr], 'Public') | Out-Null
+ $ShutdownInProgressField = $PEBLdrDataTypeBuilder.DefineField('ShutdownInProgress', [Byte[]], 'Public')
+ $AttribBuilder = New-Object Reflection.Emit.CustomAttributeBuilder($ConstructorInfo, $ConstructorValue, $FieldArray, @([Int32] 2))
+ $ShutdownInProgressField.SetCustomAttribute($AttribBuilder)
+ $PEBLdrDataTypeBuilder.DefineField('ShutdownThreadId', [IntPtr], 'Public') | Out-Null
+ $LdrDataStruct = $PEBLdrDataTypeBuilder.CreateType()
+
+ # Build type for _RTL_BALANCED_NODE
+ $BalancedNodeTypeBuilder = $ModuleBuilder.DefineType('_RTL_BALANCED_NODE', $Attributes, [System.ValueType])
+ $BalancedNodeTypeBuilder.DefineField('Left', [IntPtr], 'Public') | Out-Null
+ $BalancedNodeTypeBuilder.DefineField('Right', [IntPtr], 'Public') | Out-Null
+ if ($PowerShellArchitecture -eq 64) { $BalancedNodeTypeBuilder.DefineField('ParentValue', [UInt64], 'Public') | Out-Null }
+ else { $BalancedNodeTypeBuilder.DefineField('ParentValue', [UInt32], 'Public') | Out-Null }
+ $BalancedNodeStruct = $BalancedNodeTypeBuilder.CreateType()
+
+ # Build type for _LDR_DLL_LOAD_REASON enum
+ $EnumBuilder = $ModuleBuilder.DefineEnum('_LDR_DLL_LOAD_REASON', 'Public', [Int32])
+ # Define values of the enum
+ $EnumBuilder.DefineLiteral('StaticDependency', [Int32] 0) | Out-Null
+ $EnumBuilder.DefineLiteral('StaticForwarderDependency', [Int32] 1) | Out-Null
+ $EnumBuilder.DefineLiteral('DynamicForwarderDependency', [Int32] 2) | Out-Null
+ $EnumBuilder.DefineLiteral('DelayloadDependency', [Int32] 3) | Out-Null
+ $EnumBuilder.DefineLiteral('DynamicLoad', [Int32] 4) | Out-Null
+ $EnumBuilder.DefineLiteral('AsImageLoad', [Int32] 5) | Out-Null
+ $EnumBuilder.DefineLiteral('AsDataLoad', [Int32] 6) | Out-Null
+ $EnumBuilder.DefineLiteral('Unknown', [Int32] -1) | Out-Null
+ $LoadReasonEnum = $EnumBuilder.CreateType()
+
+ # Build type for _LDR_DATA_TABLE_ENTRY
+ $PEBLdrModuleTypeBuilder = $ModuleBuilder.DefineType('_LDR_DATA_TABLE_ENTRY', $Attributes, [System.ValueType])
+ $PEBLdrModuleTypeBuilder.DefineField('InLoadOrderModuleList', [_LIST_ENTRY], 'Public') | Out-Null
+ $PEBLdrModuleTypeBuilder.DefineField('InMemoryOrderModuleList', [_LIST_ENTRY], 'Public') | Out-Null
+ $PEBLdrModuleTypeBuilder.DefineField('InInitializationOrderModuleList', [_LIST_ENTRY], 'Public') | Out-Null
+ $PEBLdrModuleTypeBuilder.DefineField('BaseAddress', [IntPtr], 'Public') | Out-Null
+ $PEBLdrModuleTypeBuilder.DefineField('EntryPoint', [IntPtr], 'Public') | Out-Null
+ $PEBLdrModuleTypeBuilder.DefineField('SizeOfImage', [UInt32], 'Public') | Out-Null
+ $PEBLdrModuleTypeBuilder.DefineField('FullDllName', [_UNICODE_STRING], 'Public') | Out-Null
+ $PEBLdrModuleTypeBuilder.DefineField('BaseDllName', [_UNICODE_STRING], 'Public') | Out-Null
+ $PEBLdrModuleTypeBuilder.DefineField('Flags', [UInt32], 'Public') | Out-Null
+ $PEBLdrModuleTypeBuilder.DefineField('ObsoleteLoadCount', [UInt16], 'Public') | Out-Null
+ $PEBLdrModuleTypeBuilder.DefineField('TlsIndex', [UInt16], 'Public') | Out-Null
+ $PEBLdrModuleTypeBuilder.DefineField('HashLinks', [_LIST_ENTRY], 'Public') | Out-Null
+ $PEBLdrModuleTypeBuilder.DefineField('TimeDateStamp', [UInt32], 'Public') | Out-Null
+ $PEBLdrModuleTypeBuilder.DefineField('EntryPointActivationContext', [IntPtr], 'Public') | Out-Null
+ $PEBLdrModuleTypeBuilder.DefineField('PatchInformation', [IntPtr], 'Public') | Out-Null
+ $PEBLdrModuleTypeBuilder.DefineField('DdagNode', [IntPtr], 'Public') | Out-Null
+ $PEBLdrModuleTypeBuilder.DefineField('NodeModuleLink', [_LIST_ENTRY], 'Public') | Out-Null
+ $PEBLdrModuleTypeBuilder.DefineField('SnapContext', [IntPtr], 'Public') | Out-Null
+ $PEBLdrModuleTypeBuilder.DefineField('ParentDllBase', [IntPtr], 'Public') | Out-Null
+ $PEBLdrModuleTypeBuilder.DefineField('SwitchBackContext', [IntPtr], 'Public') | Out-Null
+ $PEBLdrModuleTypeBuilder.DefineField('BaseAddressIndexNode', [_RTL_BALANCED_NODE], 'Public') | Out-Null
+ $PEBLdrModuleTypeBuilder.DefineField('MappingInfoIndexNode', [_RTL_BALANCED_NODE], 'Public') | Out-Null
+ if ($PowerShellArchitecture -eq 64) { $PEBLdrModuleTypeBuilder.DefineField('OriginalBase', [UInt64], 'Public') | Out-Null }
+ else { $PEBLdrModuleTypeBuilder.DefineField('OriginalBase', [UInt32], 'Public') | Out-Null }
+ $PEBLdrModuleTypeBuilder.DefineField('LoadTime', [UInt64], 'Public') | Out-Null
+ $PEBLdrModuleTypeBuilder.DefineField('BaseNameHashValue', [UInt32], 'Public') | Out-Null
+ $PEBLdrModuleTypeBuilder.DefineField('LoadReason', [_LDR_DLL_LOAD_REASON], 'Public') | Out-Null
+ $LdrModuleStruct = $PEBLdrModuleTypeBuilder.CreateType()
+
+ $TypeBuilder.DefineField('InheritedAddressSpace', [Byte], 'Public') | Out-Null
+ $TypeBuilder.DefineField('ReadImageFileExecOptions', [Byte], 'Public') | Out-Null
+ $TypeBuilder.DefineField('BeingDebugged', [Byte], 'Public') | Out-Null
+ $TypeBuilder.DefineField('BitField', [Byte], 'Public') | Out-Null
+ if ($PowerShellArchitecture -eq 64) { $TypeBuilder.DefineField('Reserved3', [UInt32], 'Public, HasFieldMarshal') | Out-Null }
+ $TypeBuilder.DefineField('Mutant', [IntPtr], 'Public') | Out-Null
+ $TypeBuilder.DefineField('ImageBaseAddress', [IntPtr], 'Public') | Out-Null
+ $TypeBuilder.DefineField('Ldr', [IntPtr], 'Public') | Out-Null
+ $TypeBuilder.DefineField('ProcessParameters', [IntPtr], 'Public') | Out-Null
+ $TypeBuilder.DefineField('SubSystemData', [IntPtr], 'Public') | Out-Null
+ $TypeBuilder.DefineField('ProcessHeap', [IntPtr], 'Public') | Out-Null
+ $TypeBuilder.DefineField('FastPebLock', [IntPtr], 'Public') | Out-Null
+
+ if ($NTDDI_VERSION -ge $NTDDI_VISTA)
+ {
+ $TypeBuilder.DefineField('AtlThunkSListPtr', [IntPtr], 'Public') | Out-Null
+ $TypeBuilder.DefineField('IFEOKey', [IntPtr], 'Public') | Out-Null
+ if ($PowerShellArchitecture -eq 64) { $TypeBuilder.DefineField('CrossProcessFlags', [UInt64], 'Public') | Out-Null
+ } else { $TypeBuilder.DefineField('CrossProcessFlags', [UInt32], 'Public') | Out-Null }
+ $TypeBuilder.DefineField('KernelCallbackTable', [IntPtr], 'Public') | Out-Null
+ }
+ elseif ($NTDDI_VERSION -ge $NTDDI_WS03)
+ {
+ $TypeBuilder.DefineField('AtlThunkSListPtr', [IntPtr], 'Public') | Out-Null
+ $TypeBuilder.DefineField('SparePtr2', [IntPtr], 'Public') | Out-Null
+ $TypeBuilder.DefineField('EnvironmentUpdateCount', [UInt32], 'Public') | Out-Null
+ $TypeBuilder.DefineField('KernelCallbackTable', [IntPtr], 'Public') | Out-Null
+ }
+ else
+ {
+ $TypeBuilder.DefineField('FastPebLockRoutine', [IntPtr], 'Public') | Out-Null
+ $TypeBuilder.DefineField('FastPebUnlockRoutine', [IntPtr], 'Public') | Out-Null
+ $TypeBuilder.DefineField('EnvironmentUpdateCount', [UInt32], 'Public') | Out-Null
+ $TypeBuilder.DefineField('KernelCallbackTable', [IntPtr], 'Public') | Out-Null
+ }
+ $TypeBuilder.DefineField('SystemReserved', [UInt32], 'Public') | Out-Null
+ $TypeBuilder.DefineField('AtlThunkSListPtr32', [UInt32], 'Public') | Out-Null
+ $TypeBuilder.DefineField('ApiSetMap', [IntPtr], 'Public') | Out-Null
+ $TypeBuilder.DefineField('TlsExpansionCounter', [UInt32], 'Public') | Out-Null
+ $TypeBuilder.DefineField('TlsBitmap', [IntPtr], 'Public') | Out-Null
+ $TlsBitmapBitsField = $TypeBuilder.DefineField('TlsBitmapBits', [UInt32[]], 'Public, HasFieldMarshal')
+ $AttribBuilder = New-Object Reflection.Emit.CustomAttributeBuilder($ConstructorInfo, $ConstructorValue, $FieldArray, @([Int32] 2))
+ $TlsBitmapBitsField.SetCustomAttribute($AttribBuilder)
+ $TypeBuilder.DefineField('ReadOnlySharedMemoryBase', [IntPtr], 'Public') | Out-Null
+ if ($NTDDI_VERSION -ge $NTDDI_VISTA)
+ {
+ $TypeBuilder.DefineField('HotpatchInformation', [IntPtr], 'Public') | Out-Null
+ }
+ else
+ {
+ $TypeBuilder.DefineField('ReadOnlySharedMemoryHeap', [IntPtr], 'Public') | Out-Null
+ }
+ $TypeBuilder.DefineField('ReadOnlyStaticServerData', [IntPtr], 'Public') | Out-Null
+ $TypeBuilder.DefineField('AnsiCodePageData', [IntPtr], 'Public') | Out-Null
+ $TypeBuilder.DefineField('OemCodePageData', [IntPtr], 'Public') | Out-Null
+ $TypeBuilder.DefineField('UnicodeCaseTableData', [IntPtr], 'Public') | Out-Null
+ $TypeBuilder.DefineField('NumberOfProcessors', [UInt32], 'Public') | Out-Null
+ $TypeBuilder.DefineField('NtGlobalFlag', [UInt32], 'Public') | Out-Null
+ $TypeBuilder.DefineField('CriticalSectionTimeout', [Int64], 'Public') | Out-Null
+ if ($PowerShellArchitecture -eq 64)
+ {
+ $TypeBuilder.DefineField('HeapSegmentReserve', [UInt64], 'Public') | Out-Null
+ $TypeBuilder.DefineField('HeapSegmentCommit', [UInt64], 'Public') | Out-Null
+ }
+ else
+ {
+ $TypeBuilder.DefineField('HeapSegmentReserve', [UInt32], 'Public') | Out-Null
+ $TypeBuilder.DefineField('HeapSegmentCommit', [UInt32], 'Public') | Out-Null
+ }
+ $TypeBuilder.DefineField('HeapDeCommitTotalFreeThreshold', [IntPtr], 'Public') | Out-Null
+ $TypeBuilder.DefineField('HeapDeCommitFreeBlockThreshold', [IntPtr], 'Public') | Out-Null
+ $TypeBuilder.DefineField('NumberOfHeaps', [UInt32], 'Public') | Out-Null
+ $TypeBuilder.DefineField('MaximumNumberOfHeaps', [UInt32], 'Public') | Out-Null
+ $TypeBuilder.DefineField('ProcessHeaps', [IntPtr], 'Public') | Out-Null
+ $TypeBuilder.DefineField('GdiSharedHandleTable', [IntPtr], 'Public') | Out-Null
+ $TypeBuilder.DefineField('ProcessStarterHelper', [IntPtr], 'Public') | Out-Null
+ $TypeBuilder.DefineField('GdiDCAttributeList', [UInt32], 'Public') | Out-Null
+ $TypeBuilder.DefineField('LoaderLock', [IntPtr], 'Public') | Out-Null
+ $TypeBuilder.DefineField('OSMajorVersion', [UInt32], 'Public') | Out-Null
+ $TypeBuilder.DefineField('OSMinorVersion', [UInt32], 'Public') | Out-Null
+ $TypeBuilder.DefineField('OSBuildNumber', [UInt16], 'Public') | Out-Null
+ $TypeBuilder.DefineField('OSCSDVersion', [UInt16], 'Public') | Out-Null
+ $TypeBuilder.DefineField('OSPlatformId', [UInt32], 'Public') | Out-Null
+ $TypeBuilder.DefineField('ImageSubsystem', [UInt32], 'Public') | Out-Null
+ $TypeBuilder.DefineField('ImageSubsystemMajorVersion', [UInt32], 'Public') | Out-Null
+ $TypeBuilder.DefineField('ImageSubsystemMinorVersion', [UInt32], 'Public') | Out-Null
+ $TypeBuilder.DefineField('ActiveProcessAffinityMask', [IntPtr], 'Public') | Out-Null
+ $GdiHandleBufferField = $TypeBuilder.DefineField('GdiHandleBuffer', [UInt32[]], 'Public, HasFieldMarshal')
+ if ($PowerShellArchitecture -eq 64) { $GDI_HANDLE_BUFFER_SIZE = 60 } else { $GDI_HANDLE_BUFFER_SIZE = 34 }
+ $AttribBuilder = New-Object Reflection.Emit.CustomAttributeBuilder($ConstructorInfo, $ConstructorValue, $FieldArray, @([Int32] $GDI_HANDLE_BUFFER_SIZE))
+ $GdiHandleBufferField.SetCustomAttribute($AttribBuilder)
+ $TypeBuilder.DefineField('PostProcessInitRoutine', [IntPtr], 'Public') | Out-Null
+ $TypeBuilder.DefineField('TlsExpansionBitmap', [IntPtr], 'Public') | Out-Null
+ $TlsExpansionBitmapBitsField = $TypeBuilder.DefineField('TlsExpansionBitmapBits', [UInt32[]], 'Public, HasFieldMarshal')
+ $AttribBuilder = New-Object Reflection.Emit.CustomAttributeBuilder($ConstructorInfo, $ConstructorValue, $FieldArray, @([Int32] 32))
+ $TlsExpansionBitmapBitsField.SetCustomAttribute($AttribBuilder)
+ $TypeBuilder.DefineField('SessionId', [UInt32], 'Public') | Out-Null
+
+ if ($NTDDI_VERSION -ge $NTDDI_WINXP)
+ {
+ $TypeBuilder.DefineField('AppCompatFlags', [UInt64], 'Public') | Out-Null
+ $TypeBuilder.DefineField('AppCompatFlagsUser', [UInt64], 'Public') | Out-Null
+ $TypeBuilder.DefineField('pShimData', [IntPtr], 'Public') | Out-Null
+ $TypeBuilder.DefineField('AppCompatInfo', [UInt32], 'Public') | Out-Null
+ $TypeBuilder.DefineField('CSDVersion', [_UNICODE_STRING], 'Public') | Out-Null
+ $TypeBuilder.DefineField('ActivationContextData', [IntPtr], 'Public') | Out-Null
+ $TypeBuilder.DefineField('ProcessAssemblyStorageMap', [IntPtr], 'Public') | Out-Null
+ $TypeBuilder.DefineField('SystemDefaultActivationContextData', [IntPtr], 'Public') | Out-Null
+ $TypeBuilder.DefineField('SystemAssemblyStorageMap', [IntPtr], 'Public') | Out-Null
+ if ($PowerShellArchitecture -eq 64) { $TypeBuilder.DefineField('MinimumStackCommit', [UInt64], 'Public') | Out-Null
+ } else { $TypeBuilder.DefineField('MinimumStackCommit', [UInt32], 'Public') | Out-Null }
+ }
+ if ($NTDDI_VERSION -ge $NTDDI_WS03)
+ {
+ $TypeBuilder.DefineField('FlsCallback', [IntPtr], 'Public') | Out-Null
+ $TypeBuilder.DefineField('FlsListHead', [_LIST_ENTRY], 'Public') | Out-Null
+ $TypeBuilder.DefineField('FlsBitmap', [IntPtr], 'Public') | Out-Null
+ $FlsBitmapBitsField = $TypeBuilder.DefineField('FlsBitmapBits', [UInt32[]], 'Public')
+ $AttribBuilder = New-Object Reflection.Emit.CustomAttributeBuilder($ConstructorInfo, $ConstructorValue, $FieldArray, @([Int32] 4))
+ $FlsBitmapBitsField.SetCustomAttribute($AttribBuilder)
+ $TypeBuilder.DefineField('FlsHighIndex', [UInt32], 'Public') | Out-Null
+ }
+ if ($NTDDI_VERSION -ge $NTDDI_VISTA)
+ {
+ $TypeBuilder.DefineField('WerRegistrationData', [IntPtr], 'Public') | Out-Null
+ $TypeBuilder.DefineField('WerShipAssertPtr', [IntPtr], 'Public') | Out-Null
+ $TypeBuilder.DefineField('pUnused', [IntPtr], 'Public') | Out-Null
+ $TypeBuilder.DefineField('pImageHeaderHash', [IntPtr], 'Public') | Out-Null
+ $TypeBuilder.DefineField('TracingFlags', [UInt32], 'Public') | Out-Null
+ $TypeBuilder.DefineField('CsrServerReadOnlySharedMemoryBase', [UInt64], 'Public') | Out-Null
+ }
+
+ $PEBStruct = $TypeBuilder.CreateType()
+ }
+
+ $PEBSize = [Runtime.InteropServices.Marshal]::SizeOf($PEBStruct)
+ #endregion
+
+ function Local:Get-StructFromMemory
+ {
+ [CmdletBinding()] Param (
+ [Parameter(Position = 0, Mandatory = $True)]
+ [Alias('ProcessId')]
+ [UInt16]
+ $ProcId,
+
+ [Parameter(Position = 1, Mandatory = $True)]
+ [IntPtr]
+ $MemoryAddress,
+
+ [Parameter(Position = 2, Mandatory = $True)]
+ [Alias('Type')]
+ [Type]
+ $StructType,
+
+ [ValidateSet('InLoadOrderModuleList','InMemoryOrderModuleList','InInitializationOrderModuleList')]
+ [String]
+ $LoadOrder,
+
+ [UInt16]
+ $UnicodeStringSize
+ )
+
+ if (($StructType -eq [String]) -and ($MemoryAddress -eq 0)) { Write-Output ''; return }
+ elseif ($MemoryAddress -eq 0) { Write-Output $null; return }
+
+ $PROCESS_VM_READ = 0x0010 # The process permissions we'l ask for when getting a handle to the process
+
+ $GetProcessHandle = [Diagnostics.Process].GetMethod('GetProcessHandle', [Reflection.BindingFlags] 'NonPublic, Instance', $null, @([Int]), $null)
+
+ try
+ {
+ $Process = Get-Process -Id $ProcId -ErrorVariable GetProcessError
+ $Handle = $Process.Handle
+ }
+ catch [Exception]
+ {
+ Write-Error $GetProcessError
+ return
+ }
+
+ if ($Handle -eq $null)
+ {
+ Write-Error "Unable to obtain a handle for PID $ProcId. You will likely need to run this script elevated."
+ return
+ }
+
+ $ProtectField = $MEMORY_BASIC_INFORMATION.GetField('Protect', [Reflection.BindingFlags] 'NonPublic, Instance')
+ $AllocationBaseField = $MEMORY_BASIC_INFORMATION.GetField('BaseAddress', [Reflection.BindingFlags] 'NonPublic, Instance')
+ $RegionSizeField = $MEMORY_BASIC_INFORMATION.GetField('RegionSize', [Reflection.BindingFlags] 'NonPublic, Instance')
+
+ try
+ {
+ $SafeHandle = $GetProcessHandle.Invoke($Process, @($PROCESS_VM_READ))
+ $Handle = $SafeHandle.DangerousGetHandle()
+ }
+ catch
+ {
+ Write-Error $Error[0]
+ return
+ }
+
+ $PAGE_EXECUTE_READ = 0x20
+ $PAGE_EXECUTE_READWRITE = 0x40
+ $PAGE_READONLY = 2
+ $PAGE_READWRITE = 4
+
+ if ($StructType -eq $LdrModuleStruct -and $LoadOrder)
+ {
+ $OriginalFlink = $MemoryAddress
+ $Flink = $OriginalFlink
+
+ do
+ {
+ $MemoryBasicInformation = [Activator]::CreateInstance($MEMORY_BASIC_INFORMATION)
+ $NativeUtils::VirtualQueryEx($Handle, $Flink, [Ref] $MemoryBasicInformation, [Runtime.InteropServices.Marshal]::SizeOf($MEMORY_BASIC_INFORMATION)) | Out-Null
+
+ $Protection = $ProtectField.GetValue($MemoryBasicInformation)
+ $AllocationBaseOriginal = $AllocationBaseField.GetValue($MemoryBasicInformation)
+ $GetPointerValue = $AllocationBaseOriginal.GetType().GetMethod('GetPointerValue', [Reflection.BindingFlags] 'NonPublic, Instance')
+ $AllocationBase = $GetPointerValue.Invoke($AllocationBaseOriginal, $null).ToInt64()
+ $RegionSize = $RegionSizeField.GetValue($MemoryBasicInformation).ToUInt64()
+
+ if (($Protection -ne $PAGE_READONLY) -and ($Protection -ne $PAGE_READWRITE) -and ($Protection -ne $PAGE_EXECUTE_READ) -and ($Protection -ne $PAGE_EXECUTE_READWRITE))
+ {
+ $SafeHandle.Close()
+ Write-Error 'The address specified does not have read access.'
+ return
+ }
+
+ $StructSize = [Runtime.InteropServices.Marshal]::SizeOf($LdrModuleStruct)
+ $EndOfAllocation = $AllocationBase + $RegionSize
+ $EndOfStruct = $MemoryAddress.ToInt64() + $StructSize
+
+ if ($EndOfStruct -gt $EndOfAllocation)
+ {
+ $SafeHandle.Close()
+ Write-Error 'You are attempting to read beyond what was allocated.'
+ return
+ }
+
+ try
+ {
+ $LocalStructPtr = [Runtime.InteropServices.Marshal]::AllocHGlobal($StructSize)
+ }
+ catch [OutOfMemoryException]
+ {
+ Write-Error $Error[0]
+ return
+ }
+
+ $ZeroBytes = New-Object Byte[]($StructSize)
+ [Runtime.InteropServices.Marshal]::Copy($ZeroBytes, 0, $LocalStructPtr, $StructSize)
+
+ $BytesRead = [UInt32] 0
+
+ if ($NativeUtils::ReadProcessMemory($Handle, $Flink, $LocalStructPtr, $StructSize, [Ref] $BytesRead))
+ {
+ $SafeHandle.Close()
+ [Runtime.InteropServices.Marshal]::FreeHGlobal($LocalStructPtr)
+ Write-Error ([ComponentModel.Win32Exception][Runtime.InteropServices.Marshal]::GetLastWin32Error())
+ return
+ }
+
+ $ParsedLdrModule = [Runtime.InteropServices.Marshal]::PtrToStructure($LocalStructPtr, $LdrModuleStruct)
+
+ [Runtime.InteropServices.Marshal]::FreeHGlobal($LocalStructPtr)
+
+ switch ($LoadOrder)
+ {
+ 'InLoadOrderModuleList' { $Flink = $ParsedLdrModule.InLoadOrderModuleList.Flink }
+ 'InMemoryOrderModuleList' { $Flink = [IntPtr] ($ParsedLdrModule.InMemoryOrderModuleList.Flink.ToInt64() - [Runtime.InteropServices.Marshal]::SizeOf($ListEntryStruct)) }
+ 'InInitializationOrderModuleList' { $Flink = [IntPtr] ($ParsedLdrModule.InInitializationOrderModuleList.Flink.ToInt64() - (2 * [Runtime.InteropServices.Marshal]::SizeOf($ListEntryStruct))) }
+ }
+
+ $SafeHandle = $GetProcessHandle.Invoke($Process, @($PROCESS_VM_READ))
+ $Handle = $SafeHandle.DangerousGetHandle()
+
+ if ($ParsedLdrModule.SizeOfImage)
+ {
+ Write-Output $ParsedLdrModule
+ }
+ } while (($Flink -ne 0) -and ($Flink -ne $OriginalFlink))
+
+ $SafeHandle.Close()
+ }
+ elseif ($StructType -eq [String] -and $UnicodeStringSize)
+ {
+ $MemoryBasicInformation = [Activator]::CreateInstance($MEMORY_BASIC_INFORMATION)
+ $NativeUtils::VirtualQueryEx($Handle, $MemoryAddress, [Ref] $MemoryBasicInformation, [Runtime.InteropServices.Marshal]::SizeOf($MEMORY_BASIC_INFORMATION)) | Out-Null
+
+ $Protection = $ProtectField.GetValue($MemoryBasicInformation)
+ $AllocationBaseOriginal = $AllocationBaseField.GetValue($MemoryBasicInformation)
+ $GetPointerValue = $AllocationBaseOriginal.GetType().GetMethod('GetPointerValue', [Reflection.BindingFlags] 'NonPublic, Instance')
+ $AllocationBase = $GetPointerValue.Invoke($AllocationBaseOriginal, $null).ToInt64()
+ $RegionSize = $RegionSizeField.GetValue($MemoryBasicInformation).ToUInt64()
+
+ if (($Protection -ne $PAGE_READONLY) -and ($Protection -ne $PAGE_READWRITE) -and ($Protection -ne $PAGE_EXECUTE_READ) -and ($Protection -ne $PAGE_EXECUTE_READWRITE))
+ {
+ $SafeHandle.Close()
+ Write-Error 'The address specified does not have read access.'
+ return
+ }
+
+ $StructSize = $UnicodeStringSize
+ $EndOfAllocation = $AllocationBase + $RegionSize
+ $EndOfStruct = $MemoryAddress.ToInt64() + $StructSize
+
+ if ($EndOfStruct -gt $EndOfAllocation)
+ {
+ $SafeHandle.Close()
+ Write-Error 'You are attempting to read beyond what was allocated.'
+ return
+ }
+
+ try
+ {
+ $LocalStructPtr = [Runtime.InteropServices.Marshal]::AllocHGlobal($StructSize)
+ }
+ catch [OutOfMemoryException]
+ {
+ Write-Error $Error[0]
+ return
+ }
+
+ $ZeroBytes = New-Object Byte[]($StructSize)
+ [Runtime.InteropServices.Marshal]::Copy($ZeroBytes, 0, $LocalStructPtr, $StructSize)
+
+ $BytesRead = [UInt32] 0
+
+ if ($NativeUtils::ReadProcessMemory($Handle, $MemoryAddress, $LocalStructPtr, $StructSize, [Ref] $BytesRead))
+ {
+ $SafeHandle.Close()
+ [Runtime.InteropServices.Marshal]::FreeHGlobal($LocalStructPtr)
+ Write-Error ([ComponentModel.Win32Exception][Runtime.InteropServices.Marshal]::GetLastWin32Error())
+ return
+ }
+
+ $ParsedStruct = [Runtime.InteropServices.Marshal]::PtrToStringUni($LocalStructPtr)
+
+ [Runtime.InteropServices.Marshal]::FreeHGlobal($LocalStructPtr)
+ $SafeHandle.Close()
+
+ Write-Output $ParsedStruct
+ }
+ else
+ {
+ $MemoryBasicInformation = [Activator]::CreateInstance($MEMORY_BASIC_INFORMATION)
+ $NativeUtils::VirtualQueryEx($Handle, $MemoryAddress, [Ref] $MemoryBasicInformation, [Runtime.InteropServices.Marshal]::SizeOf($MEMORY_BASIC_INFORMATION)) | Out-Null
+
+ $Protection = $ProtectField.GetValue($MemoryBasicInformation)
+ $AllocationBaseOriginal = $AllocationBaseField.GetValue($MemoryBasicInformation)
+ $GetPointerValue = $AllocationBaseOriginal.GetType().GetMethod('GetPointerValue', [Reflection.BindingFlags] 'NonPublic, Instance')
+ $AllocationBase = $GetPointerValue.Invoke($AllocationBaseOriginal, $null).ToInt64()
+ $RegionSize = $RegionSizeField.GetValue($MemoryBasicInformation).ToUInt64()
+
+ if (($Protection -ne $PAGE_READONLY) -and ($Protection -ne $PAGE_READWRITE) -and ($Protection -ne $PAGE_EXECUTE_READ) -and ($Protection -ne $PAGE_EXECUTE_READWRITE))
+ {
+ $SafeHandle.Close()
+ Write-Error 'The address specified does not have read access.'
+ return
+ }
+
+ $StructSize = [Runtime.InteropServices.Marshal]::SizeOf($StructType)
+ $EndOfAllocation = $AllocationBase + $RegionSize
+ $EndOfStruct = $MemoryAddress.ToInt64() + $StructSize
+
+ if ($EndOfStruct -gt $EndOfAllocation)
+ {
+ $SafeHandle.Close()
+ Write-Error 'You are attempting to read beyond what was allocated.'
+ return
+ }
+
+ try
+ {
+ $LocalStructPtr = [Runtime.InteropServices.Marshal]::AllocHGlobal($StructSize)
+ }
+ catch [OutOfMemoryException]
+ {
+ Write-Error $Error[0]
+ return
+ }
+
+ $ZeroBytes = New-Object Byte[]($StructSize)
+ [Runtime.InteropServices.Marshal]::Copy($ZeroBytes, 0, $LocalStructPtr, $StructSize)
+
+ $BytesRead = [UInt32] 0
+
+ if ($NativeUtils::ReadProcessMemory($Handle, $MemoryAddress, $LocalStructPtr, $StructSize, [Ref] $BytesRead))
+ {
+ $SafeHandle.Close()
+ [Runtime.InteropServices.Marshal]::FreeHGlobal($LocalStructPtr)
+ Write-Error ([ComponentModel.Win32Exception][Runtime.InteropServices.Marshal]::GetLastWin32Error())
+ return
+ }
+
+ $ParsedStruct = [Runtime.InteropServices.Marshal]::PtrToStructure($LocalStructPtr, $StructType)
+
+ [Runtime.InteropServices.Marshal]::FreeHGlobal($LocalStructPtr)
+ $SafeHandle.Close()
+
+ Write-Output $ParsedStruct
+ }
+ }
+ }
+
+ PROCESS
+ {
+ foreach ($ProcessId in $Id)
+ {
+ $Handle = $null
+
+ try
+ {
+ $Process = Get-Process -Id $ProcessId -ErrorVariable GetProcessError
+ # Get the process handle
+ $Handle = $Process.Handle
+ }
+ catch { }
+
+ if ($Handle -eq $null)
+ {
+ Write-Error "Unable to obtain a handle for PID $ProcessId. You will likely need to run this script elevated."
+ }
+ else
+ {
+ $SafeHandle = $GetProcessHandle.Invoke($Process, @($PROCESS_QUERY_INFORMATION -bor $PROCESS_VM_READ))
+ $Handle = $SafeHandle.DangerousGetHandle()
+
+ Write-Verbose "ProcessName: $($Process.ProcessName)"
+ Write-Verbose "Handle: $Handle"
+
+ if ($OSArchitecture -eq 64)
+ {
+ $IsWow64 = $False
+ $NativeUtils::IsWow64Process($Handle, [Ref] $IsWow64) | Out-Null
+
+ if ($PowerShellArchitecture -eq 32 -and (-not $IsWow64))
+ {
+ $SafeHandle.Close()
+ Write-Error 'Cannot get the PEB of a 64-bit process from a Wow64 process. Use 64-bit PowerShell and try again.'
+ return
+ }
+ }
+
+ $ProcessBasicInfo = $NtProcessBasicInfoConstructor.Invoke($null)
+
+ $Status = $NativeUtils::NtQueryInformationProcess($Handle, 0, $ProcessBasicInfo, [Runtime.InteropServices.Marshal]::SizeOf($ProcessBasicInfo), [IntPtr]::Zero)
+
+ Write-Verbose 'ProcessBasicInfo:'
+ Write-Verbose ($ProcessBasicInfo | Out-String)
+
+ if ($Status -ne 0)
+ {
+ $SafeHandle.Close()
+ Write-Error (Get-NTStatusException $Status)
+ return
+ }
+
+ $SafeHandle.Close()
+
+ $PEB = Get-StructFromMemory -ProcId $ProcessId -MemoryAddress ($ProcessBasicInfo.PebBaseAddress) -StructType ($PEBStruct)
+
+ # Get custom objects for the PEB based upon OS version
+ # First, build up the custom object with fields common amongst all versions of the PEB
+ $CustomPEB = @{
+ ProcessName = $Process.ProcessName
+ ProcessId = $ProcessId
+ InheritedAddressSpace = if($PEB.InheritedAddressSpace -eq 0){$False}else{$True}
+ ReadImageFileExecOptions = if($PEB.ReadImageFileExecOptions -eq 0){$False}else{$True}
+ BeingDebugged = if($PEB.BeingDebugged -eq 0){$False}else{$True}
+ Mutant = $PEB.Mutant
+ ImageBaseAddress = $PEB.ImageBaseAddress
+ Ldr = Get-StructFromMemory -ProcId $ProcessId -MemoryAddress ($PEB.Ldr) -StructType ($LdrDataStruct)
+ ProcessParameters = $PEB.ProcessParameters
+ SubSystemData = $PEB.SubSystemData
+ ProcessHeap = $PEB.ProcessHeap
+ FastPebLock = $PEB.FastPebLock
+ SystemReserved = $PEB.SystemReserved
+ AtlThunkSListPtr32 = $PEB.AtlThunkSListPtr32
+ ApiSetMap = $PEB.ApiSetMap
+ TlsExpansionCounter = $PEB.TlsExpansionCounter
+ TlsBitmap = $PEB.TlsBitmap
+ TlsBitmapBits = $PEB.TlsBitmapBits
+ ReadOnlySharedMemoryBase = $PEB.ReadOnlySharedMemoryBase
+ ReadOnlyStaticServerData = $PEB.ReadOnlyStaticServerData
+ AnsiCodePageData = $PEB.AnsiCodePageData
+ OemCodePageData = $PEB.OemCodePageData
+ UnicodeCaseTableData = $PEB.UnicodeCaseTableData
+ NumberOfProcessors = $PEB.NumberOfProcessors
+ NtGlobalFlag = $PEB.NtGlobalFlag
+ CriticalSectionTimeout = $PEB.CriticalSectionTimeout
+ HeapSegmentReserve = $PEB.HeapSegmentReserve
+ HeapSegmentCommit = $PEB.HeapSegmentCommit
+ HeapDeCommitTotalFreeThreshold = $PEB.HeapDeCommitTotalFreeThreshold
+ HeapDeCommitFreeBlockThreshold = $PEB.HeapDeCommitFreeBlockThreshold
+ NumberOfHeaps = $PEB.NumberOfHeaps
+ MaximumNumberOfHeaps = $PEB.MaximumNumberOfHeaps
+ ProcessHeaps = $PEB.ProcessHeaps
+ GdiSharedHandleTable = $PEB.GdiSharedHandleTable
+ ProcessStarterHelper = $PEB.ProcessStarterHelper
+ GdiDCAttributeList = $PEB.GdiDCAttributeList
+ LoaderLock = $PEB.LoaderLock
+ OSMajorVersion = $PEB.OSMajorVersion
+ OSMinorVersion = $PEB.OSMinorVersion
+ OSBuildNumber = $PEB.OSBuildNumber
+ OSCSDVersion = $PEB.OSCSDVersion
+ OSPlatformId = $PEB.OSPlatformId
+ ImageSubsystem = $PEB.ImageSubsystem
+ ImageSubsystemMajorVersion = $PEB.ImageSubsystemMajorVersion
+ ImageSubsystemMinorVersion = $PEB.ImageSubsystemMinorVersion
+ ActiveProcessAffinityMask = $PEB.ActiveProcessAffinityMask
+ GdiHandleBuffer = $PEB.GdiHandleBuffer
+ PostProcessInitRoutine = $PEB.PostProcessInitRoutine
+ TlsExpansionBitmap = $PEB.TlsExpansionBitmap
+ TlsExpansionBitmapBits = $PEB.TlsExpansionBitmapBits
+ SessionId = $PEB.SessionId
+ AppCompatFlags = $PEB.AppCompatFlags
+ AppCompatFlagsUser = $PEB.AppCompatFlagsUser
+ pShimData = $PEB.pShimData
+ AppCompatInfo = $PEB.AppCompatInfo
+ CSDVersion = Get-StructFromMemory -ProcId $ProcessId -MemoryAddress ($PEB.CSDVersion.Buffer) -StructType ([String]) -UnicodeStringSize ($PEB.CSDVersion.MaximumLength)
+ ActivationContextData = $PEB.ActivationContextData
+ ProcessAssemblyStorageMap = $PEB.ProcessAssemblyStorageMap
+ SystemDefaultActivationContextData = $PEB.SystemDefaultActivationContextData
+ SystemAssemblyStorageMap = $PEB.SystemAssemblyStorageMap
+ MinimumStackCommit = $PEB.MinimumStackCommit
+ }
+
+ foreach ($j in 1..3)
+ {
+ switch ($j)
+ {
+ 1 { $OrderedModules = Get-StructFromMemory -ProcId $ProcessId -MemoryAddress ($CustomPEB['Ldr'].InLoadOrderModuleList.Flink) -StructType ($LdrModuleStruct) -LoadOrder 'InLoadOrderModuleList' }
+ 2 { $OrderedModules = Get-StructFromMemory -ProcId $ProcessId -MemoryAddress ([IntPtr] ($CustomPEB['Ldr'].InMemoryOrderModuleList.Flink.ToInt64() - [Runtime.InteropServices.Marshal]::SizeOf($ListEntryStruct))) -StructType ($LdrModuleStruct) -LoadOrder 'InMemoryOrderModuleList' }
+ 3 { $OrderedModules = Get-StructFromMemory -ProcId $ProcessId -MemoryAddress ([IntPtr] ($CustomPEB['Ldr'].InInitializationOrderModuleList.Flink.ToInt64() - (2 * [Runtime.InteropServices.Marshal]::SizeOf($ListEntryStruct)))) -StructType ($LdrModuleStruct) -LoadOrder 'InInitializationOrderModuleList' }
+ }
+
+ $ParsedOrderedModules = New-Object Hashtable[]($OrderedModules.Length)
+ $Modules = New-Object PSObject[]($OrderedModules.Length)
+
+ $i = 0
+ foreach ($Module in $OrderedModules)
+ {
+ $ParsedOrderedModules[$i] = @{
+ InLoadOrderModuleList = $Module.InLoadOrderModuleList
+ InMemoryOrderModuleList = $Module.InMemoryOrderModuleList
+ InInitializationOrderModuleList = $Module.InInitializationOrderModuleList
+ BaseAddress = $Module.BaseAddress
+ EntryPoint = $Module.EntryPoint
+ SizeOfImage = $Module.SizeOfImage
+ FullDllName = Get-StructFromMemory -ProcId $ProcessId -MemoryAddress ($Module.FullDllName.Buffer) -StructType ([String]) -UnicodeStringSize ($Module.FullDllName.MaximumLength)
+ BaseDllName = Get-StructFromMemory -ProcId $ProcessId -MemoryAddress ($Module.BaseDllName.Buffer) -StructType ([String]) -UnicodeStringSize ($Module.BaseDllName.MaximumLength)
+ PackagedBinary = if(($Module.Flags -band 1) -eq 0){$False}else{$True}
+ MarkedForRemoval = if(($Module.Flags -band 2) -eq 0){$False}else{$True}
+ ImageDll = if(($Module.Flags -band 4) -eq 0){$False}else{$True}
+ LoadNotificationsSent = if(($Module.Flags -band 8) -eq 0){$False}else{$True}
+ TelemetryEntryProcessed = if(($Module.Flags -band 16) -eq 0){$False}else{$True}
+ ProcessStaticImport = if(($Module.Flags -band 32) -eq 0){$False}else{$True}
+ InLegacyLists = if(($Module.Flags -band 64) -eq 0){$False}else{$True}
+ InIndexes = if(($Module.Flags -band 128) -eq 0){$False}else{$True}
+ ShimDll = if(($Module.Flags -band 256) -eq 0){$False}else{$True}
+ InExceptionTable = if(($Module.Flags -band 512) -eq 0){$False}else{$True}
+ LoadInProgress = if(($Module.Flags -band 4096) -eq 0){$False}else{$True}
+ EntryProcessed = if(($Module.Flags -band 16384) -eq 0){$False}else{$True}
+ DontCallForThreads = if(($Module.Flags -band 262144) -eq 0){$False}else{$True}
+ ProcessAttachCalled = if(($Module.Flags -band 524288) -eq 0){$False}else{$True}
+ ProcessAttachFailed = if(($Module.Flags -band 1048576) -eq 0){$False}else{$True}
+ CorDeferredValidate = if(($Module.Flags -band 2097152) -eq 0){$False}else{$True}
+ CorImage = if(($Module.Flags -band 4194304) -eq 0){$False}else{$True}
+ DontRelocate = if(($Module.Flags -band 8388608) -eq 0){$False}else{$True}
+ CorILOnly = if(($Module.Flags -band 16777216) -eq 0){$False}else{$True}
+ Redirected = if(($Module.Flags -band 268435456) -eq 0){$False}else{$True}
+ CompatDatabaseProcessed = if(($Module.Flags -band 2147483648) -eq 0){$False}else{$True}
+ ObsoleteLoadCount = $Module.ObsoleteLoadCount
+ TlsIndex = $Module.TlsIndex
+ HashLinks = $Module.HashLinks
+ TimeDateStamp = (New-Object DateTime(1970, 1, 1, 0, 0, 0)).AddSeconds($Module.TimeDateStamp)
+ EntryPointActivationContext = $Module.EntryPointActivationContext
+ PatchInformation = $Module.PatchInformation
+ DdagNode = $Module.DdagNode
+ NodeModuleLink = $Module.NodeModuleLink
+ SnapContext = $Module.SnapContext
+ ParentDllBase = $Module.ParentDllBase
+ SwitchBackContext = $Module.SwitchBackContext
+ BaseAddressIndexNode = $Module.BaseAddressIndexNode
+ MappingInfoIndexNode = $Module.MappingInfoIndexNode
+ OriginalBase = $Module.OriginalBase
+ LoadTime = $Module.LoadTime
+ BaseNameHashValue = $Module.BaseNameHashValue
+ LoadReason = $Module.LoadReason
+ }
+
+ $CustomModuleObject = New-Object PSObject -Property $ParsedOrderedModules[$i]
+ $CustomModuleObject.PSObject.TypeNames[0] = 'PEB.ModuleEntry'
+ $Modules[$i] = $CustomModuleObject
+
+ $i++
+ }
+
+ switch ($j)
+ {
+ 1 { $CustomPEB['InLoadOrderModuleList'] = $Modules }
+ 2 { $CustomPEB['InMemoryOrderModuleList'] = $Modules }
+ 3 { $CustomPEB['InInitializationOrderModuleList'] = $Modules }
+ }
+ }
+
+ if ($NTDDI_VERSION -ge $NTDDI_VISTA)
+ {
+ $CustomPEB['ImageUsesLargePages'] = if(($PEB.BitField -band 1) -eq 0){$False}else{$True}
+ $CustomPEB['IsProtectedProcess'] = if(($PEB.BitField -band 2) -eq 0){$False}else{$True}
+ $CustomPEB['IsLegacyProcess'] = if(($PEB.BitField -band 4) -eq 0){$False}else{$True}
+ $CustomPEB['IsImageDynamicallyRelocated'] = if(($PEB.BitField -band 8) -eq 0){$False}else{$True}
+ $CustomPEB['SkipPatchingUser32Forwarders'] = if(($PEB.BitField -band 16) -eq 0){$False}else{$True}
+ $CustomPEB['IsPackagedProcess'] = if(($PEB.BitField -band 32) -eq 0){$False}else{$True}
+ $CustomPEB['IsAppContainer'] = if(($PEB.BitField -band 64) -eq 0){$False}else{$True}
+ $CustomPEB['AtlThunkSListPtr'] = $PEB.AtlThunkSListPtr
+ $CustomPEB['IFEOKey'] = $PEB.IFEOKey
+ $CustomPEB['ProcessInJob'] = if(($PEB.CrossProcessFlags -band 1) -eq 0){$False}else{$True}
+ $CustomPEB['ProcessInitializing'] = if(($PEB.CrossProcessFlags -band 2) -eq 0){$False}else{$True}
+ $CustomPEB['ProcessUsingVEH'] = if(($PEB.CrossProcessFlags -band 4) -eq 0){$False}else{$True}
+ $CustomPEB['ProcessUsingVCH'] = if(($PEB.CrossProcessFlags -band 8) -eq 0){$False}else{$True}
+ $CustomPEB['ProcessUsingFTH'] = if(($PEB.CrossProcessFlags -band 16) -eq 0){$False}else{$True}
+ $CustomPEB['KernelCallbackTable'] = $PEB.KernelCallbackTable
+ $CustomPEB['HotpatchInformation'] = $PEB.HotpatchInformation
+ $CustomPEB['FlsCallback'] = $PEB.FlsCallback
+ $CustomPEB['FlsListHead'] = $PEB.FlsListHead
+ $CustomPEB['FlsBitmap'] = $PEB.FlsBitmap
+ $CustomPEB['FlsBitmapBits'] = $PEB.FlsBitmapBits
+ $CustomPEB['FlsHighIndex'] = $PEB.FlsHighIndex
+ $CustomPEB['WerRegistrationData'] = $PEB.WerRegistrationData
+ $CustomPEB['WerShipAssertPtr'] = $PEB.WerShipAssertPtr
+ $CustomPEB['pUnused'] = $PEB.pUnused
+ $CustomPEB['pImageHeaderHash'] = $PEB.pImageHeaderHash
+ $CustomPEB['HeapTracingEnabled'] = if(($PEB.TracingFlags -band 1) -eq 0){$False}else{$True}
+ $CustomPEB['CritSecTracingEnabled'] = if(($PEB.TracingFlags -band 2) -eq 0){$False}else{$True}
+ $CustomPEB['LibLoaderTracingEnabled'] = if(($PEB.TracingFlags -band 4) -eq 0){$False}else{$True}
+ $CustomPEB['CsrServerReadOnlySharedMemoryBase'] = $PEB.CsrServerReadOnlySharedMemoryBase
+ }
+ elseif ($NTDDI_VERSION -ge $NTDDI_WS03)
+ {
+ $CustomPEB['ImageUsesLargePages'] = if(($PEB.BitField -band 1) -eq 0){$False}else{$True}
+ $CustomPEB['AtlThunkSListPtr'] = $PEB.AtlThunkSListPtr
+ $CustomPEB['SparePtr2'] = $PEB.SparePtr2
+ $CustomPEB['EnvironmentUpdateCount'] = $PEB.EnvironmentUpdateCount
+ $CustomPEB['KernelCallbackTable'] = $PEB.KernelCallbackTable
+ $CustomPEB['ReadOnlySharedMemoryHeap'] = $PEB.ReadOnlySharedMemoryHeap
+ $CustomPEB['FlsCallback'] = $PEB.FlsCallback
+ $CustomPEB['FlsListHead'] = $PEB.FlsListHead
+ $CustomPEB['FlsBitmap'] = $PEB.FlsBitmap
+ $CustomPEB['FlsBitmapBits'] = $PEB.FlsBitmapBits
+ $CustomPEB['FlsHighIndex'] = $PEB.FlsHighIndex
+ }
+ else
+ {
+ $CustomPEB['FastPebLockRoutine'] = $PEB.FastPebLockRoutine
+ $CustomPEB['FastPebUnlockRoutine'] = $PEB.FastPebUnlockRoutine
+ $CustomPEB['EnvironmentUpdateCount'] = $PEB.EnvironmentUpdateCount
+ $CustomPEB['KernelCallbackTable'] = $PEB.KernelCallbackTable
+ $CustomPEB['ReadOnlySharedMemoryHeap'] = $PEB.ReadOnlySharedMemoryHeap
+ }
+
+ $NewPEB = New-Object PSObject -Property $CustomPEB
+
+ # _PEB will be interpreted by PowerShell depending upon the detected OS. This only applies if Get-PEB.format.ps1xml was loaded
+ if ($NTDDI_VERSION -ge $NTDDI_VISTA)
+ {
+ $NewPEB.PSObject.TypeNames[0] = 'PEB.Vista'
+ }
+ elseif ($NTDDI_VERSION -ge $NTDDI_WS03)
+ {
+ $NewPEB.PSObject.TypeNames[0] = 'PEB.Server2003'
+ }
+ else
+ {
+ $NewPEB.PSObject.TypeNames[0] = 'PEB.XP'
+ }
+
+ $Handle = $null
+
+ Write-Output $NewPEB
+ }
+ }
+ }
+
+ END{}
+
+} \ No newline at end of file
diff --git a/ReverseEngineering/Get-Strings.ps1 b/ReverseEngineering/Get-Strings.ps1
new file mode 100644
index 0000000..87f5f6a
--- /dev/null
+++ b/ReverseEngineering/Get-Strings.ps1
@@ -0,0 +1,98 @@
+function Get-Strings
+{
+<#
+.SYNOPSIS
+
+Gets strings from a file.
+
+PowerSploit Module - Inject-Shellcode
+Author: Matthew Graeber (@mattifestation)
+License: BSD 3-Clause
+Required Dependencies: None
+Optional Dependencies: None
+
+.DESCRIPTION
+
+The Get-Strings cmdlet returns strings (Unicode and/or Ascii) from a file. This cmdlet is useful for dumping strings from binary file and was designed to replicate the functionality of strings.exe from Sysinternals.
+
+.PARAMETER Path
+
+Specifies the path to an item.
+
+.PARAMETER Encoding
+
+Specifies the file encoding. The default value returns both Unicode and Ascii.
+
+.PARAMETER MinimumLength
+
+Specifies the minimum length string to return. The default string length is 3.
+
+.EXAMPLE
+
+C:\PS> Get-Strings C:\Windows\System32\calc.exe
+
+Description
+-----------
+Dump Unicode and Ascii strings of calc.exe.
+
+.EXAMPLE
+
+C:\PS> Get-ChildItem C:\Windows\System32\*.dll | Get-Strings -MinimumLength 12 -Encoding Ascii
+
+Description
+-----------
+Dumps Ascii strings of at least length 12 of every dll located in C:\Windows\System32.
+
+.NOTES
+
+This cmdlet was designed to intentionally use only PowerShell cmdlets (no .NET methods) in order to be compatible with PowerShell on Windows RT (or any ConstrainedLanguage runspace).
+
+.LINK
+
+http://www.exploit-monday.com
+#>
+
+ Param
+ (
+ [Parameter(Position = 1, Mandatory = $True, ValueFromPipelineByPropertyName = $True)]
+ [ValidateNotNullOrEmpty()]
+ [ValidateScript({Test-Path $_ -PathType 'Leaf'})]
+ [String[]]
+ [Alias('PSPath')]
+ $Path,
+
+ [ValidateSet('Default','Ascii','Unicode')]
+ [String]
+ $Encoding = 'Default',
+
+ [UInt32]
+ $MinimumLength = 3
+ )
+
+ BEGIN
+ {
+ $FileContents = ''
+ }
+ PROCESS
+ {
+ foreach ($File in $Path)
+ {
+ if ($Encoding -eq 'Unicode' -or $Encoding -eq 'Default')
+ {
+ $UnicodeFileContents = Get-Content -Encoding 'Unicode' $File
+ $UnicodeRegex = [Regex] "[\u0020-\u007E]{$MinimumLength,}"
+ $Results += $UnicodeRegex.Matches($UnicodeFileContents)
+ }
+
+ if ($Encoding -eq 'Ascii' -or $Encoding -eq 'Default')
+ {
+ $AsciiFileContents = Get-Content -Encoding 'UTF7' $File
+ $AsciiRegex = [Regex] "[\x20-\x7E]{$MinimumLength,}"
+ $Results = $AsciiRegex.Matches($AsciiFileContents)
+ }
+
+ $Results | ForEach-Object { Write-Output $_.Value }
+ }
+ }
+ END {}
+} \ No newline at end of file
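Review bot: With the default Encoding, the plain assignment `$Results = $AsciiRegex.Matches($AsciiFileContents)` in the Ascii branch overwrites the Unicode matches the preceding branch had appended with `+=`, so only Ascii strings are emitted even though the help text says Default returns both. `$Results` is also never reset between files, so with `-Encoding Unicode` and several paths on the pipeline each file's output repeats the matches of the files before it. Initialising `$Results = @()` as the first statement of the `foreach ($File in $Path)` body and changing the Ascii branch to `$Results += $AsciiRegex.Matches($AsciiFileContents)` fixes both, after which the unused `$FileContents = ''` in BEGIN can be dropped. The SYNOPSIS header still reads `PowerSploit Module - Inject-Shellcode`, a copy-paste leftover that should name `Get-Strings`.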
diff --git a/ReverseEngineering/Get-StructFromMemory.ps1 b/ReverseEngineering/Get-StructFromMemory.ps1
new file mode 100644
index 0000000..9a265c5
--- /dev/null
+++ b/ReverseEngineering/Get-StructFromMemory.ps1
@@ -0,0 +1,203 @@
+function Get-StructFromMemory
+{
+<#
+.SYNOPSIS
+
+Marshals data from an unmanaged block of memory in an arbitrary process to a newly allocated managed object of the specified type.
+
+PowerSploit Module - Get-StructFromMemory
+Author: Matthew Graeber (@mattifestation)
+License: BSD 3-Clause
+Required Dependencies: None
+Optional Dependencies: None
+
+.DESCRIPTION
+
+Get-StructFromMemory is similar to the Marshal.PtrToStructure method but will parse and return a structure from any process.
+
+.PARAMETER Id
+
+Process ID of the process whose virtual memory space you want to access.
+
+.PARAMETER MemoryAddress
+
+The address containing the structure to be parsed.
+
+.PARAMETER StructType
+
+The type (System.Type) of the desired structure to be parsed.
+
+.EXAMPLE
+
+C:\PS> Get-Process | ForEach-Object { Get-StructFromMemory -Id $_.Id -MemoryAddress $_.MainModule.BaseAddress -StructType ([PE+_IMAGE_DOS_HEADER]) }
+
+Description
+-----------
+Parses the DOS headers of every loaded process. Note: In this example, this assumes that [PE+_IMAGE_DOS_HEADER] is defined. You can get the code to define [PE+_IMAGE_DOS_HEADER] here: http://www.exploit-monday.com/2012/07/structs-and-enums-using-reflection.html
+
+.NOTES
+
+Be sure to enclose the StructType parameter with parenthesis in order to force PowerShell to cast it as a Type object.
+
+Get-StructFromMemory does a good job with error handling however it will crash if the structure contains fields that attempt to marshal pointers. For example, if a field has a custom attribute of UnmanagedType.LPStr, when the structure is parsed, it will attempt to dererence a string pointer for virtual memory in another process and access violate.
+
+.LINK
+
+http://www.exploit-monday.com
+#>
+
+ [CmdletBinding()] Param (
+ [Parameter(Position = 0, Mandatory = $True)]
+ [Alias('ProcessId')]
+ [Alias('PID')]
+ [UInt16]
+ $Id,
+
+ [Parameter(Position = 1, Mandatory = $True)]
+ [IntPtr]
+ $MemoryAddress,
+
+ [Parameter(Position = 2, Mandatory = $True)]
+ [Alias('Type')]
+ [Type]
+ $StructType
+ )
+
+ Set-StrictMode -Version 2
+
+ $PROCESS_VM_READ = 0x0010 # The process permissions we'l ask for when getting a handle to the process
+
+ # Get a reference to the private GetProcessHandle method is System.Diagnostics.Process
+ $GetProcessHandle = [Diagnostics.Process].GetMethod('GetProcessHandle', [Reflection.BindingFlags] 'NonPublic, Instance', $null, @([Int]), $null)
+
+ try
+ {
+ # Make sure user didn't pass in a non-existent PID
+ $Process = Get-Process -Id $Id -ErrorVariable GetProcessError
+ # Get the default process handle
+ $Handle = $Process.Handle
+ }
+ catch [Exception]
+ {
+ throw $GetProcessError
+ }
+
+ if ($Handle -eq $null)
+ {
+ throw "Unable to obtain a handle for PID $Id. You will likely need to run this script elevated."
+ }
+
+ # Get a reference to MEMORY_BASIC_INFORMATION. I don't feel like making the structure myself
+ $mscorlib = [AppDomain]::CurrentDomain.GetAssemblies() | ? { $_.FullName.Split(',')[0].ToLower() -eq 'mscorlib' }
+ $Win32Native = $mscorlib.GetTypes() | ? { $_.FullName -eq 'Microsoft.Win32.Win32Native' }
+ $MEMORY_BASIC_INFORMATION = $Win32Native.GetNestedType('MEMORY_BASIC_INFORMATION', [Reflection.BindingFlags] 'NonPublic')
+
+ if ($MEMORY_BASIC_INFORMATION -eq $null)
+ {
+ throw 'Unable to get a reference to the MEMORY_BASIC_INFORMATION structure.'
+ }
+
+ # Get references to private fields in MEMORY_BASIC_INFORMATION
+ $ProtectField = $MEMORY_BASIC_INFORMATION.GetField('Protect', [Reflection.BindingFlags] 'NonPublic, Instance')
+ $AllocationBaseField = $MEMORY_BASIC_INFORMATION.GetField('BaseAddress', [Reflection.BindingFlags] 'NonPublic, Instance')
+ $RegionSizeField = $MEMORY_BASIC_INFORMATION.GetField('RegionSize', [Reflection.BindingFlags] 'NonPublic, Instance')
+
+ try { $NativeUtils = [NativeUtils] } catch [Management.Automation.RuntimeException] # Only build the assembly if it hasn't already been defined
+ {
+ # Build dynamic assembly in order to use P/Invoke for interacting with the following Win32 functions: ReadProcessMemory, VirtualQueryEx
+ $DynAssembly = New-Object Reflection.AssemblyName('MemHacker')
+ $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly($DynAssembly, [Reflection.Emit.AssemblyBuilderAccess]::Run)
+ $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule('MemHacker', $False)
+ $Attributes = 'AutoLayout, AnsiClass, Class, Public, SequentialLayout, Sealed, BeforeFieldInit'
+ $TypeBuilder = $ModuleBuilder.DefineType('NativeUtils', $Attributes, [ValueType])
+ $TypeBuilder.DefinePInvokeMethod('ReadProcessMemory', 'kernel32.dll', [Reflection.MethodAttributes] 'Public, Static', [Reflection.CallingConventions]::Standard, [Bool], @([IntPtr], [IntPtr], [IntPtr], [UInt32], [UInt32].MakeByRefType()), [Runtime.InteropServices.CallingConvention]::Winapi, 'Auto') | Out-Null
+ $TypeBuilder.DefinePInvokeMethod('VirtualQueryEx', 'kernel32.dll', [Reflection.MethodAttributes] 'Public, Static', [Reflection.CallingConventions]::Standard, [UInt32], @([IntPtr], [IntPtr], $MEMORY_BASIC_INFORMATION.MakeByRefType(), [UInt32]), [Runtime.InteropServices.CallingConvention]::Winapi, 'Auto') | Out-Null
+
+ $NativeUtils = $TypeBuilder.CreateType()
+ }
+
+ # Request a handle to the process in interest
+ try
+ {
+ $SafeHandle = $GetProcessHandle.Invoke($Process, @($PROCESS_VM_READ))
+ $Handle = $SafeHandle.DangerousGetHandle()
+ }
+ catch
+ {
+ throw $Error[0]
+ }
+
+ # Create an instance of MEMORY_BASIC_INFORMATION
+ $MemoryBasicInformation = [Activator]::CreateInstance($MEMORY_BASIC_INFORMATION)
+
+ # Confirm you can actually read the address you're interested in
+ $NativeUtils::VirtualQueryEx($Handle, $MemoryAddress, [Ref] $MemoryBasicInformation, [Runtime.InteropServices.Marshal]::SizeOf($MEMORY_BASIC_INFORMATION)) | Out-Null
+
+ $PAGE_EXECUTE_READ = 0x20
+ $PAGE_EXECUTE_READWRITE = 0x40
+ $PAGE_READONLY = 2
+ $PAGE_READWRITE = 4
+
+ $Protection = $ProtectField.GetValue($MemoryBasicInformation)
+ $AllocationBaseOriginal = $AllocationBaseField.GetValue($MemoryBasicInformation)
+ $GetPointerValue = $AllocationBaseOriginal.GetType().GetMethod('GetPointerValue', [Reflection.BindingFlags] 'NonPublic, Instance')
+ $AllocationBase = $GetPointerValue.Invoke($AllocationBaseOriginal, $null).ToInt64()
+ $RegionSize = $RegionSizeField.GetValue($MemoryBasicInformation).ToUInt64()
+
+ Write-Verbose "Protection: $Protection"
+ Write-Verbose "AllocationBase: $AllocationBase"
+ Write-Verbose "RegionSize: $RegionSize"
+
+ if (($Protection -ne $PAGE_READONLY) -and ($Protection -ne $PAGE_READWRITE) -and ($Protection -ne $PAGE_EXECUTE_READ) -and ($Protection -ne $PAGE_EXECUTE_READWRITE))
+ {
+ $SafeHandle.Close()
+ throw 'The address specified does not have read access.'
+ }
+
+ $StructSize = [Runtime.InteropServices.Marshal]::SizeOf($StructType)
+ $EndOfAllocation = $AllocationBase + $RegionSize
+ $EndOfStruct = $MemoryAddress.ToInt64() + $StructSize
+
+ if ($EndOfStruct -gt $EndOfAllocation)
+ {
+ $SafeHandle.Close()
+ throw 'You are attempting to read beyond what was allocated.'
+ }
+
+ try
+ {
+ # Allocate unmanaged memory. This will be used to store the memory read from ReadProcessMemory
+ $LocalStructPtr = [Runtime.InteropServices.Marshal]::AllocHGlobal($StructSize)
+ }
+ catch [OutOfMemoryException]
+ {
+ throw Error[0]
+ }
+
+ Write-Verbose "Memory allocated at 0x$($LocalStructPtr.ToString("X$([IntPtr]::Size * 2)"))"
+
+ # Zero out the memory that was just allocated. According to MSDN documentation:
+ # "When AllocHGlobal calls LocalAlloc, it passes a LMEM_FIXED flag, which causes the allocated memory to be locked in place. Also, the allocated memory is not zero-filled."
+ # http://msdn.microsoft.com/en-us/library/s69bkh17.aspx
+ $ZeroBytes = New-Object Byte[]($StructSize)
+ [Runtime.InteropServices.Marshal]::Copy($ZeroBytes, 0, $LocalStructPtr, $StructSize)
+
+ $BytesRead = [UInt32] 0
+
+ if ($NativeUtils::ReadProcessMemory($Handle, $MemoryAddress, $LocalStructPtr, $StructSize, [Ref] $BytesRead))
+ {
+ $SafeHandle.Close()
+ [Runtime.InteropServices.Marshal]::FreeHGlobal($LocalStructPtr)
+ throw ([ComponentModel.Win32Exception][Runtime.InteropServices.Marshal]::GetLastWin32Error())
+ }
+
+ Write-Verbose "Struct Size: $StructSize"
+ Write-Verbose "Bytes read: $BytesRead"
+
+ $ParsedStruct = [Runtime.InteropServices.Marshal]::PtrToStructure($LocalStructPtr, $StructType)
+
+ [Runtime.InteropServices.Marshal]::FreeHGlobal($LocalStructPtr)
+ $SafeHandle.Close()
+
+ Write-Output $ParsedStruct
+} \ No newline at end of file
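Review bot: The success check on ReadProcessMemory is inverted: the P/Invoke is declared with a [Bool] return and a true result means the read succeeded, so the function closes the handle and throws a Win32Exception after every successful read, while a failed read falls through to PtrToStructure on the zeroed buffer; it should read `if (-not $NativeUtils::ReadProcessMemory($Handle, $MemoryAddress, $LocalStructPtr, $StructSize, [Ref] $BytesRead))`. The AllocHGlobal catch uses `throw Error[0]` without the `$`, which discards the original exception; `throw $_` would preserve it. Because PtrToStructure can itself throw (the NOTES section describes this for pointer-typed fields), the FreeHGlobal and SafeHandle.Close calls that follow it should move into a finally block so the process handle and the unmanaged buffer are released on every exit path. The Win32Exception built from GetLastWin32Error may also carry a stale code, since the dynamic P/Invoke declaration does not appear to request SetLastError; worth confirming before relying on that message.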
diff --git a/ReverseEngineering/ReverseEngineering.psd1 b/ReverseEngineering/ReverseEngineering.psd1
new file mode 100644
index 0000000..3ad890d
--- /dev/null
+++ b/ReverseEngineering/ReverseEngineering.psd1
@@ -0,0 +1,90 @@
+@{
+
+# Script module or binary module file associated with this manifest.
+ModuleToProcess = 'ReverseEngineering.psm1'
+
+# Version number of this module.
+ModuleVersion = '1.0.0.0'
+
+# ID used to uniquely identify this module
+GUID = 'cbffaf47-c55a-4901-92e7-8d794fbe1fff'
+
+# Author of this module
+Author = 'Matthew Graeber'
+
+# Company or vendor of this module
+CompanyName = ''
+
+# Copyright statement for this module
+Copyright = 'BSD 3-Clause'
+
+# Description of the functionality provided by this module
+Description = 'PowerSploit Reverse Engineering Module'
+
+# Minimum version of the Windows PowerShell engine required by this module
+PowerShellVersion = '2.0'
+
+# Name of the Windows PowerShell host required by this module
+# PowerShellHostName = ''
+
+# Minimum version of the Windows PowerShell host required by this module
+# PowerShellHostVersion = ''
+
+# Minimum version of the .NET Framework required by this module
+# DotNetFrameworkVersion = ''
+
+# Minimum version of the common language runtime (CLR) required by this module
+# CLRVersion = ''
+
+# Processor architecture (None, X86, Amd64) required by this module
+# ProcessorArchitecture = ''
+
+# Modules that must be imported into the global environment prior to importing this module
+# RequiredModules = @()
+
+# Assemblies that must be loaded prior to importing this module
+# RequiredAssemblies = @()
+
+# Script files (.ps1) that are run in the caller's environment prior to importing this module.
+# ScriptsToProcess = ''
+
+# Type files (.ps1xml) to be loaded when importing this module
+# TypesToProcess = @()
+
+# Format files (.ps1xml) to be loaded when importing this module
+FormatsToProcess = 'Get-KernelModuleInfo.format.ps1xml', 'Get-PEB.format.ps1xml'
+
+# Modules to import as nested modules of the module specified in RootModule/ModuleToProcess
+# NestedModules = @()
+
+# Functions to export from this module
+FunctionsToExport = '*'
+
+# Cmdlets to export from this module
+CmdletsToExport = '*'
+
+# Variables to export from this module
+VariablesToExport = ''
+
+# Aliases to export from this module
+AliasesToExport = ''
+
+# List of all modules packaged with this module.
+ModuleList = @(@{ModuleName = 'ReverseEngineering'; ModuleVersion = '1.0.0.0'; GUID = 'cbffaf47-c55a-4901-92e7-8d794fbe1fff'})
+
+# List of all files packaged with this module
+FileList = 'ReverseEngineering.psm1', 'ReverseEngineering.psd1', 'Get-ILDisassembly.ps1', 'Get-KernelModuleInfo.format.ps1xml',
+ 'Get-KernelModuleInfo.ps1', 'Get-Member.ps1', 'Get-MethodAddress.ps1', 'Get-PEB.format.ps1xml',
+ 'Get-PEB.ps1', 'Get-Strings.ps1', 'Get-StructFromMemory.ps1'
+
+# Private data to pass to the module specified in RootModule/ModuleToProcess
+# PrivateData = ''
+
+# HelpInfo URI of this module
+# HelpInfoURI = ''
+
+# Default prefix for commands exported from this module. Override the default prefix using Import-Module -Prefix.
+# DefaultCommandPrefix = ''
+
+}
+
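Review bot: `FunctionsToExport = '*'` exports every function the dot-sourced scripts define, including any private helper a script adds later, so the module's public surface is whatever happens to be in the directory rather than what the manifest declares. Listing the public functions explicitly (presumably one per script named in FileList, to be confirmed against the scripts) and setting `CmdletsToExport = @()`, since a script module ships no binary cmdlets, would make the exported set deliberate. The `Copyright` field holds a license name rather than a copyright statement; the license belongs in the per-script headers or a dedicated field, with `Copyright` naming the author and year.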
diff --git a/ReverseEngineering/ReverseEngineering.psm1 b/ReverseEngineering/ReverseEngineering.psm1
new file mode 100644
index 0000000..5bb81d3
--- /dev/null
+++ b/ReverseEngineering/ReverseEngineering.psm1
@@ -0,0 +1 @@
+Get-ChildItem (Join-Path $PSScriptRoot *.ps1) | % { . $_.FullName} \ No newline at end of file
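Review bot: The loader dot-sources every `*.ps1` found in the module directory instead of the files the manifest's FileList enumerates, so any script placed in that directory is executed on Import-Module. Iterating an explicit list keeps the loaded set under the manifest's control, e.g. `foreach ($Script in 'Get-ILDisassembly.ps1', 'Get-KernelModuleInfo.ps1', 'Get-Member.ps1', 'Get-MethodAddress.ps1', 'Get-PEB.ps1', 'Get-Strings.ps1', 'Get-StructFromMemory.ps1') { . (Join-Path $PSScriptRoot $Script) }`. The `%` alias should be spelled out as `ForEach-Object` in a module file, and the file lacks a trailing newline.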