-rw-r--r-- | PETools/Get-DllLoadPath.ps1 | 67 | ||||
-rw-r--r-- | PETools/Get-PEArchitecture.ps1 | 54 | ||||
-rw-r--r-- | PETools/Get-PEHeader.ps1 | 48 | ||||
-rw-r--r-- | PETools/PETools.psd1 | 88 | ||||
-rw-r--r-- | PETools/PETools.psm1 | 5 |
5 files changed, 182 insertions, 80 deletions
diff --git a/PETools/Get-DllLoadPath.ps1 b/PETools/Get-DllLoadPath.ps1
index 687f9e9..360c913 100644
--- a/PETools/Get-DllLoadPath.ps1
+++ b/PETools/Get-DllLoadPath.ps1
@@ -1,52 +1,53 @@
 function Get-DllLoadPath {
<#
-.Synopsis
+.SYNOPSIS
- PowerSploit Module - Get-DllLoadPath
- Author: Matthew Graeber (@mattifestation)
- License: BSD 3-Clause
+PowerSploit Module - Get-DllLoadPath
+Author: Matthew Graeber (@mattifestation)
+License: BSD 3-Clause
+Required Dependencies: None
+Optional Dependencies: None
-.Description
+.DESCRIPTION
- Get-DllLoadPath returns the path from which Windows will load a Dll for the given executable.
-
-.Parameter ExecutablePath
+Get-DllLoadPath returns the path from which Windows will load a Dll for the given executable.
+
+.PARAMETER ExecutablePath
Path to the executable from which the Dll would be loaded.
-.Parameter DllName
+.PARAMETER DllName
- Name of the Dll in the form 'dllname.dll'.
-
-.Example
+Name of the Dll in the form 'dllname.dll'.
- PS> Get-DllLoadPath C:\Windows\System32\cmd.exe kernel32.dll
-
- Path
- ----
- C:\Windows\system32\kernel32.dll
-
-.Example
+.EXAMPLE
- PS> Get-DllLoadPath C:\Windows\SysWOW64\calc.exe Comctl32.dll
-
- Path
- ----
- C:\Windows\SysWOW64\Comctl32.dll
+C:\PS> Get-DllLoadPath C:\Windows\System32\cmd.exe kernel32.dll
-.Outputs
+Path
+----
+C:\Windows\system32\kernel32.dll
- None or System.Management.Automation.PathInfo
-
-.Notes
+.EXAMPLE
+
+C:\PS> Get-DllLoadPath C:\Windows\SysWOW64\calc.exe Comctl32.dll
+
+Path
+----
+C:\Windows\SysWOW64\Comctl32.dll
+
+.OUTPUTS
+
+$null, System.Management.Automation.PathInfo
+
+.NOTES
- This script will not detect if the executable provided intentionally alters the Dll search path via
- LoadLibraryEx, SetDllDirectory, or AddDllDirectory.
+This script will not detect if the executable provided intentionally alters the Dll search path via LoadLibraryEx, SetDllDirectory, or AddDllDirectory.
-.Link
+.LINK
- My blog: http://www.exploit-monday.com
- Dll Search Order Reference: http://msdn.microsoft.com/en-us/library/windows/desktop/ms682586%28v=vs.85%29.aspx
+http://www.exploit-monday.com
+http://msdn.microsoft.com/en-us/library/windows/desktop/ms682586%28v=vs.85%29.aspx
#>
Param (
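Review bot: The rewritten `.OUTPUTS` section lists `$null, System.Management.Automation.PathInfo` but, like the old "None or ..." wording, never says when the `$null` case occurs, and `$null` is not a type name, which is what `.OUTPUTS` conventionally carries. The function body lies outside this hunk, so I can only infer that `$null` is produced when the DLL is not found in any search location; if so, keep `.OUTPUTS` as `System.Management.Automation.PathInfo` and add one sentence to `.DESCRIPTION`, `Returns $null when the Dll cannot be located in any of the search locations.`. The `.NOTES` caveat about LoadLibraryEx, SetDllDirectory and AddDllDirectory is preserved correctly by the reflow.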
diff --git a/PETools/Get-PEArchitecture.ps1 b/PETools/Get-PEArchitecture.ps1
index e53c5ff..6272153 100644
--- a/PETools/Get-PEArchitecture.ps1
+++ b/PETools/Get-PEArchitecture.ps1
@@ -1,35 +1,43 @@
 function Get-PEArchitecture {
<#
-.Synopsis
+.SYNOPSIS
- PowerSploit Module - Get-PEArchitecture
- Author: Matthew Graeber (@mattifestation)
- License: BSD 3-Clause
-
-.Description
+PowerSploit Module - Get-PEArchitecture
+Author: Matthew Graeber (@mattifestation)
+License: BSD 3-Clause
+Required Dependencies: None
+Optional Dependencies: None
- Get-PEArchitecture returns the architecture for which
- a Windows portable executable was compiled.
-
-.Parameter Path
+.DESCRIPTION
- Path to the executable.
-
-.Example
+Get-PEArchitecture returns the architecture for which a Windows portable executable was compiled.
+
+.PARAMETER Path
+
+Path to the executable.
- PS> Get-PEArchitecture C:\Windows\SysWOW64\calc.exe
- X86
+.EXAMPLE
+
+C:\PS> Get-PEArchitecture C:\Windows\SysWOW64\calc.exe
+
+X86
-.Example
+.EXAMPLE
- PS> Get-PEArchitecture C:\Windows\System32\cmd.exe
- X64
+C:\PS> Get-PEArchitecture C:\Windows\System32\cmd.exe
+
+X64
-.Link
+.LINK
- My blog: http://www.exploit-monday.com
+http://www.exploit-monday.com
#>
- Param ( [Parameter(Position = 0, Mandatory = $True)] [String] $Path )
+
+ Param (
+ [Parameter(Position = 0, Mandatory = $True)]
+ [String]
+ $Path
+ )
if (!(Test-Path $Path)) {
Write-Warning 'Invalid path or file does not exist.'
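Review bot: The existence check right after the reflowed Param block, `if (!(Test-Path $Path)) {`, accepts directories and treats `$Path` as a wildcard pattern, so a directory passes validation and a file name containing `[` or `*` is matched as a pattern rather than a literal name; the file open further down, which is outside this hunk, would then presumably fail with a less useful error than the warning here. Since the new Param block declares `$Path` as a single mandatory `[String]`, the check can be tightened to match what the function reads: `if (!(Test-Path -LiteralPath $Path -PathType Leaf)) {`. The function's body continues past the end of this hunk.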
@@ -67,7 +75,7 @@ function Get-PEArchitecture {
 $Architecture = '{0}' -f (( $IMAGE_FILE_MACHINE[-1..-2] | % { $_.ToString('X2') } ) -join '')
$FileStream.Close()
- if (($Architecture -ne '014C') -and ($Architecture -ne '8664')) {
+ if (($Architecture -ne '014C') -and ($Architecture -ne '8664') -and ($Architecture -ne '01C4')) {
Write-Warning 'Invalid PE header or unsupported architecture.'
return
}
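Review bot: Adding `'01C4'` here repeats the machine-type literal a second time in the return chain of the next hunk (`-76,6 +84,8`), so every further architecture must be added in two places, and the `else { return 'OTHER' }` branch in that hunk is unreachable because anything not in this list already returns with a warning. A single hashtable keyed by the hex machine type, consulted once for the validity check and once for the name, keeps both in step; the values are the COFF IMAGE_FILE_MACHINE constants (0x014C I386, 0x8664 AMD64, 0x01C4 ARMNT), which is worth recording in a comment beside the table. The lines between the two hunks are not in the diff and the enclosing function starts before this hunk, so the sketch below replaces the whole check-and-return region.
```powershell
$FileStream.Close()
# COFF file-header machine type (IMAGE_FILE_MACHINE_*): I386, AMD64, ARMNT (Thumb-2)
$MachineTypes = @{ '014C' = 'X86'; '8664' = 'X64'; '01C4' = 'ARM' }
if (-not $MachineTypes.ContainsKey($Architecture)) {
    Write-Warning 'Invalid PE header or unsupported architecture.'
    return
}
return $MachineTypes[$Architecture]
```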
@@ -76,6 +84,8 @@ function Get-PEArchitecture {
 return 'X86'
} elseif ($Architecture -eq '8664') {
return 'X64'
+ } elseif ($Architecture -eq '01C4') {
+ return 'ARM'
} else {
return 'OTHER'
}
diff --git a/PETools/Get-PEHeader.ps1 b/PETools/Get-PEHeader.ps1
index 8422390..354b675 100644
--- a/PETools/Get-PEHeader.ps1
+++ b/PETools/Get-PEHeader.ps1
@@ -1,34 +1,42 @@
 function Get-PEHeader {
<#
.SYNOPSIS
+
PowerSploit Module - Get-PEHeader
Author: Matthew Graeber (@mattifestation)
License: BSD 3-Clause
+Required Dependencies: None
+Optional Dependencies: PETools.format.ps1xml
.DESCRIPTION
-Get-PEHeader retrieves PE headers including imports and exports from either a
-file on disk or a module in memory. Get-PEHeader will operate on single PE header
-but you can also feed it the output of Get-ChildItem or Get-Process! Get-PEHeader
-works on both 32 and 64-bit modules.
+
+Get-PEHeader retrieves PE headers including imports and exports from either a file on disk or a module in memory. Get-PEHeader will operate on single PE header but you can also feed it the output of Get-ChildItem or Get-Process! Get-PEHeader works on both 32 and 64-bit modules.
.OUTPUTS
-System.Object. Returns a custom object consisting of the following: compile time,
-section headers, module name, DOS header, imports, exports, file header,
-optional header, and PE signature
+
+System.Object
+
+Returns a custom object consisting of the following: compile time, section headers, module name, DOS header, imports, exports, file header, optional header, and PE signature.
.EXAMPLE
-PS > Get-Process cmd | Get-PEHeader
+
+C:\PS> Get-Process cmd | Get-PEHeader
+
Description
-----------
Returns the full PE headers of every loaded module in memory
-PS > Get-ChildItem C:\Windows\*.exe | Get-PEHeader
+.EXAMPLE
+
+C:\PS> Get-ChildItem C:\Windows\*.exe | Get-PEHeader
+
Description
-----------
Returns the full PE headers of every exe in C:\Windows\
.EXAMPLE
-PS > Get-PEHeader C:\Windows\System32\kernel32.dll
+
+C:\PS> Get-PEHeader C:\Windows\System32\kernel32.dll
Module : C:\Windows\System32\kernel32.dll
DOSHeader : PE+_IMAGE_DOS_HEADER
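Review bot: The description kept under the first example, `Returns the full PE headers of every loaded module in memory`, claims more than the example shows: `Get-Process cmd | Get-PEHeader` is scoped to cmd processes, so presumably the output covers the modules loaded in those processes rather than everything in memory. `Returns the full PE headers of every module loaded in each cmd process` states the scope the example actually has. Get-PEHeader's body is outside this hunk, so the per-process enumeration is inferred from the example and the later `-ProcessId`/`-ModuleBaseAddress` example rather than from visible code.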
@@ -44,11 +52,12 @@ Exports : {@{ForwardedName=; FunctionName=lstrlenW; Ordinal=0x0552; VA=0x
 dedName=; FunctionName=lstrlenA; Ordinal=0x0551; VA=0x0F026A23}, @{ForwardedName=;
FunctionName=lstrlen; Ordinal=0x0550; VA=0x0F026A23}, @{ForwardedName=; FunctionN
ame=lstrcpynW; Ordinal=0x054F; VA=0x0F04E54E}...}
-
+
.EXAMPLE
-PS > $Proc = Get-Process cmd
-PS > $Kernel32Base = ($Proc.Modules | Where-Object {$_.ModuleName -eq 'kernel32.dll'}).BaseAddress
-PS > Get-PEHeader -ProcessId $Proc.Id -ModuleBaseAddress $Kernel32Base
+
+C:\PS> $Proc = Get-Process cmd
+C:\PS> $Kernel32Base = ($Proc.Modules | Where-Object {$_.ModuleName -eq 'kernel32.dll'}).BaseAddress
+C:\PS> Get-PEHeader -ProcessId $Proc.Id -ModuleBaseAddress $Kernel32Base
Module :
DOSHeader : PE+_IMAGE_DOS_HEADER
@@ -67,18 +76,15 @@ Exports : {@{ForwardedName=; FunctionName=lstrlenW; Ordinal=0x0552; VA=0x
 Description
-----------
-A PE header is returned upon providing the module's base address. This technique would be useful
-for dumping the PE header of a rogue module that is invisible to Windows - e.g. a reflectively
-loaded meterpreter binary (metsrv.dll).
+A PE header is returned upon providing the module's base address. This technique would be useful for dumping the PE header of a rogue module that is invisible to Windows - e.g. a reflectively loaded meterpreter binary (metsrv.dll).
.NOTES
-Be careful if you decide to specify a module base address. Get-PEHeader does not check for the
-existence of an MZ header. An MZ header is not a prerequisite for reflectively loading a module
-in memory. If you provide an address that is not an actual PE header, you could crash the process.
+
+Be careful if you decide to specify a module base address. Get-PEHeader does not check for the existence of an MZ header. An MZ header is not a prerequisite for reflectively loading a module in memory. If you provide an address that is not an actual PE header, you could crash the process.
.LINK
-http://www.exploit-monday.com/2012/07/get-peheader.html
+http://www.exploit-monday.com/2012/07/get-peheader.html
#>
[CmdletBinding(DefaultParameterSetName = 'OnDisk')] Param (
diff --git a/PETools/PETools.psd1 b/PETools/PETools.psd1
new file mode 100644
index 0000000..7f4d7c6
--- /dev/null
+++ b/PETools/PETools.psd1
@@ -0,0 +1,88 @@
+@{
+
+# Script module or binary module file associated with this manifest.
+ModuleToProcess = 'PETools.psm1'
+
+# Version number of this module.
+ModuleVersion = '1.0.0.0'
+
+# ID used to uniquely identify this module
+GUID = 'd15059e2-8bd9-47ff-8bcd-b708ff90e402'
+
+# Author of this module
+Author = 'Matthew Graeber'
+
+# Company or vendor of this module
+CompanyName = ''
+
+# Copyright statement for this module
+Copyright = 'BSD 3-Clause'
+
+# Description of the functionality provided by this module
+Description = 'PowerSploit Portable Executable Analysis Module'
+
+# Minimum version of the Windows PowerShell engine required by this module
+PowerShellVersion = '2.0'
+
+# Name of the Windows PowerShell host required by this module
+# PowerShellHostName = ''
+
+# Minimum version of the Windows PowerShell host required by this module
+# PowerShellHostVersion = ''
+
+# Minimum version of the .NET Framework required by this module
+# DotNetFrameworkVersion = ''
+
+# Minimum version of the common language runtime (CLR) required by this module
+# CLRVersion = ''
+
+# Processor architecture (None, X86, Amd64) required by this module
+# ProcessorArchitecture = ''
+
+# Modules that must be imported into the global environment prior to importing this module
+# RequiredModules = @()
+
+# Assemblies that must be loaded prior to importing this module
+# RequiredAssemblies = @()
+
+# Script files (.ps1) that are run in the caller's environment prior to importing this module.
+# ScriptsToProcess = ''
+
+# Type files (.ps1xml) to be loaded when importing this module
+# TypesToProcess = @()
+
+# Format files (.ps1xml) to be loaded when importing this module
+FormatsToProcess = 'PETools.format.ps1xml'
+
+# Modules to import as nested modules of the module specified in RootModule/ModuleToProcess
+# NestedModules = @()
+
+# Functions to export from this module
+FunctionsToExport = '*'
+
+# Cmdlets to export from this module
+CmdletsToExport = '*'
+
+# Variables to export from this module
+VariablesToExport = ''
+
+# Aliases to export from this module
+AliasesToExport = ''
+
+# List of all modules packaged with this module.
+ModuleList = @(@{ModuleName = 'PETools'; ModuleVersion = '1.0.0.0'; GUID = 'd15059e2-8bd9-47ff-8bcd-b708ff90e402'})
+
+# List of all files packaged with this module
+FileList = 'PETools.psm1', 'PETools.psd1', 'PETools.format.ps1xml', 'Get-DllLoadPath.ps1',
+ 'Get-PEArchitecture.ps1', 'Get-PEHeader.ps1', 'Usage.txt'
+
+# Private data to pass to the module specified in RootModule/ModuleToProcess
+# PrivateData = ''
+
+# HelpInfo URI of this module
+# HelpInfoURI = ''
+
+# Default prefix for commands exported from this module. Override the default prefix using Import-Module -Prefix.
+# DefaultCommandPrefix = ''
+
+}
\ No newline at end of file
diff --git a/PETools/PETools.psm1 b/PETools/PETools.psm1
index 7f16c2f..e5234fb 100644
--- a/PETools/PETools.psm1
+++ b/PETools/PETools.psm1
@@ -1,4 +1 @@
-# Pull in all of the PE Tools
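Review bot: `FunctionsToExport = '*'` and `CmdletsToExport = '*'` export whatever the root module happens to define, and combined with the psm1 change in this same commit (dot-sourcing every `*.ps1` in the module directory) that means any script file placed beside the manifest becomes an exported command of the module. Listing the public surface explicitly, `FunctionsToExport = 'Get-DllLoadPath', 'Get-PEArchitecture', 'Get-PEHeader'` with `CmdletsToExport = @()`, keeps the export set under version control and matches the three files in `FileList`. `FileList` also names `Usage.txt`, which is not among the files this commit touches, so confirm it ships; and `Copyright = 'BSD 3-Clause'` puts a licence identifier in a field meant for a copyright statement, the licence already being stated in each function's help.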
-. (Join-Path $PSScriptRoot Get-PEHeader.ps1)
-. (Join-Path $PSScriptRoot Get-DllLoadPath.ps1)
-. (Join-Path $PSScriptRoot Get-PEArchitecture.ps1)
\ No newline at end of file
+Get-ChildItem (Join-Path $PSScriptRoot *.ps1) | % { . $_.FullName}
\ No newline at end of file |
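Review bot: Replacing the three explicit dot-source lines with `Get-ChildItem (Join-Path $PSScriptRoot *.ps1) | % { . $_.FullName}` turns the module into a loader for every `.ps1` that ends up in its directory, so a stray or tampered script there runs with the importing user's privileges on `Import-Module` and, via the manifest's `FunctionsToExport = '*'`, is exported as part of the module; the removed lines only ever loaded the three files the module actually ships. If brevity is the goal, loop over the known names instead: `'Get-PEHeader', 'Get-DllLoadPath', 'Get-PEArchitecture' | ForEach-Object { . (Join-Path $PSScriptRoot "$_.ps1") }`. Spelling out `ForEach-Object` rather than the `%` alias is also the usual convention for committed module code.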