-rw-r--r--Capstone/Capstone.psd150
-rw-r--r--Capstone/Capstone.psm11
-rw-r--r--Capstone/Get-CSDisassembly.format.ps1xml41
-rw-r--r--Capstone/Get-CSDisassembly.ps1119
-rw-r--r--Capstone/LICENSE.TXT30
-rw-r--r--Capstone/Usage.md16
-rw-r--r--Capstone/lib/capstone.dllbin0 -> 78336 bytes
-rw-r--r--Capstone/lib/libcapstone.dllbin0 -> 6326103 bytes
-rw-r--r--PowerSploit.psd11
-rw-r--r--README.md8
10 files changed, 266 insertions, 0 deletions
diff --git a/Capstone/Capstone.psd1 b/Capstone/Capstone.psd1
new file mode 100644
index 0000000..6632558
--- /dev/null
+++ b/Capstone/Capstone.psd1
@@ -0,0 +1,50 @@
+@{
+
+# Script module or binary module file associated with this manifest.
+ModuleToProcess = 'Capstone.psm1'
+
+# Version number of this module.
+ModuleVersion = '1.0.0.0'
+
+# ID used to uniquely identify this module
+GUID = 'bc335667-02fd-46c4-a3d9-0a5113c9c03b'
+
+# Author of this module
+Author = 'Matthew Graeber'
+
+# Copyright statement for this module
+Copyright = 'BSD 3-Clause'
+
+# Description of the functionality provided by this module
+Description = 'Capstone Disassembly Framework Binding Module'
+
+# Minimum version of the Windows PowerShell engine required by this module
+PowerShellVersion = '3.0'
+
+# Minimum version of the common language runtime (CLR) required by this module
+CLRVersion = '4.0'
+
+# Processor architecture (None, X86, Amd64) required by this module
+ProcessorArchitecture = 'Amd64'
+
+# Assemblies that must be loaded prior to importing this module
+RequiredAssemblies = 'lib/capstone.dll'
+
+# Format files (.ps1xml) to be loaded when importing this module
+FormatsToProcess = 'Get-CSDisassembly.format.ps1xml'
+
+# Functions to export from this module
+FunctionsToExport = '*'
+
+# List of all modules packaged with this module.
+ModuleList = @(@{ModuleName = 'Capstone'; ModuleVersion = '1.0.0.0'; GUID = 'bc335667-02fd-46c4-a3d9-0a5113c9c03b'})
+
+# List of all files packaged with this module
+FileList = 'Capstone.psm1',
+ 'Capstone.psd1',
+ 'Get-CSDisassembly.ps1',
+ 'Usage.md',
+ 'lib/capstone.dll',
+ 'lib/libcapstone.dll'
+
+}
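Review bot: `RequiredAssemblies = 'lib/capstone.dll'` makes `Import-Module` load a prebuilt managed binding that this commit adds as an opaque binary (78 KB) next to a 6.3 MB native `libcapstone.dll`, and nothing in the manifest records which Capstone release either was built from or a digest to compare against the upstream distribution; a comment above `RequiredAssemblies` such as `# lib/capstone.dll + lib/libcapstone.dll: Capstone <version>, x64 build; SHA-256 <hash> / <hash>` gives reviewers and users something concrete to verify. `FileList` also omits two files the commit adds, `LICENSE.TXT` and `Get-CSDisassembly.format.ps1xml`, the latter being the file `FormatsToProcess` refers to. `Copyright` holds a license name rather than a copyright statement; the actual notice is in LICENSE.TXT, so `Copyright = '(c) 2013 COSEINC. See LICENSE.TXT'` (or similar) would be more accurate.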
diff --git a/Capstone/Capstone.psm1 b/Capstone/Capstone.psm1
new file mode 100644
index 0000000..81d3818
--- /dev/null
+++ b/Capstone/Capstone.psm1
@@ -0,0 +1 @@
+Get-ChildItem (Join-Path $PSScriptRoot *.ps1) | % { . $_.FullName}
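Review bot: Dot-sourcing every `*.ps1` under `$PSScriptRoot` makes the module's contents implicit: any script file that ends up in the module folder (Usage.md points users at the per-user, user-writable module path) is executed at `Import-Module` time and, because the manifest sets `FunctionsToExport = '*'`, every function it defines is exported under the `Capstone` module name. The module ships exactly one script, so load it by name and keep the surface explicit: `. (Join-Path $PSScriptRoot 'Get-CSDisassembly.ps1')`. The `%` alias is also best spelled out as `ForEach-Object` in module code, where aliases may be shadowed by the caller's session.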
diff --git a/Capstone/Get-CSDisassembly.format.ps1xml b/Capstone/Get-CSDisassembly.format.ps1xml
new file mode 100644
index 0000000..e9703a2
--- /dev/null
+++ b/Capstone/Get-CSDisassembly.format.ps1xml
@@ -0,0 +1,41 @@
+<?xml version="1.0" encoding="utf-8" ?>
+<Configuration>
+ <ViewDefinitions>
+ <View>
+ <Name>InstructionView</Name>
+ <ViewSelectedBy>
+ <TypeName>Capstone.Instruction</TypeName>
+ </ViewSelectedBy>
+ <TableControl>
+ <AutoSize/>
+ <TableHeaders>
+ <TableColumnHeader>
+ <Label>Address</Label>
+ </TableColumnHeader>
+ <TableColumnHeader>
+ <Label>Mnemonic</Label>
+ </TableColumnHeader>
+ <TableColumnHeader>
+ <Label>Operands</Label>
+ </TableColumnHeader>
+ </TableHeaders>
+ <TableRowEntries>
+ <TableRowEntry>
+ <TableColumnItems>
+ <TableColumnItem>
+ <PropertyName>Address</PropertyName>
+ <FormatString>0x{0:X8}</FormatString>
+ </TableColumnItem>
+ <TableColumnItem>
+ <PropertyName>Mnemonic</PropertyName>
+ </TableColumnItem>
+ <TableColumnItem>
+ <PropertyName>Operands</PropertyName>
+ </TableColumnItem>
+ </TableColumnItems>
+ </TableRowEntry>
+ </TableRowEntries>
+ </TableControl>
+ </View>
+ </ViewDefinitions>
+</Configuration> \ No newline at end of file
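Review bot: `0x{0:X8}` pads `Address` to eight hex digits, but `Get-CSDisassembly` accepts `-Offset` as `[UInt64]`, so a listing based at a 64-bit address (the `MODE_64` case the help text describes) prints wider than the column and breaks the table's alignment; `0x{0:X16}` keeps rows aligned at the cost of wider 32-bit output. Whether `Capstone.Instruction.Address` is itself a 64-bit value is not visible in this commit and should be confirmed against the binding before choosing the width.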
diff --git a/Capstone/Get-CSDisassembly.ps1 b/Capstone/Get-CSDisassembly.ps1
new file mode 100644
index 0000000..89c17db
--- /dev/null
+++ b/Capstone/Get-CSDisassembly.ps1
@@ -0,0 +1,119 @@
+#requires -Version 3
+
+function Get-CSDisassembly
+{
+<#
+.SYNOPSIS
+
+ Disassembles a byte array using the Capstone Engine disassembly framework.
+
+ PowerSploit Function: Get-CSDisassembly
+ Author: Matthew Graeber (@mattifestation)
+ License: See LICENSE.TXT
+ Required Dependencies: lib\capstone.dll, lib\libcapstone.dll (64-bit)
+ Optional Dependencies: None
+
+.PARAMETER Architecture
+
+ Specifies the architecture of the code to be disassembled.
+
+.PARAMETER Mode
+
+ Specifies the mode in which to disassemble code. For example, to disassemble Amd64 code, architecture is set to 'X86' and Mode is set to 'MODE_64'.
+
+.PARAMETER Code
+
+ A byte array consisting of the code to be disassembled.
+
+.PARAMETER Offset
+
+ Specifies the starting address of the disassembly listing.
+
+.PARAMETER Count
+
+ Specifies the maximum number of instructions to disassemble.
+
+.PARAMETER Syntax
+
+ Specifies the syntax flavor to be used (INTEL vs. ATT).
+
+.PARAMETER DetailOff
+
+ Specifies that detailed parsing should not be performed - i.e. do not perform additional analysis beyond disassembling.
+
+.EXAMPLE
+
+ C:\PS>$Bytes = [Byte[]] @( 0x8d, 0x4c, 0x32, 0x08, 0x01, 0xd8, 0x81, 0xc6, 0x34, 0x12, 0x00, 0x00 )
+ C:\PS>Get-CSDisassembly -Architecture X86 -Mode MODE_16 -Code $Bytes -Offset 0x1000
+
+.EXAMPLE
+
+ C:\PS>$Bytes = [Byte[]] @( 0x8d, 0x4c, 0x32, 0x08, 0x01, 0xd8, 0x81, 0xc6, 0x34, 0x12, 0x00, 0x00 )
+ C:\PS>Get-CSDisassembly -Architecture X86 -Mode MODE_32 -Code $Bytes -Syntax ATT
+
+.INPUTS
+
+ None
+
+ You cannot pipe objects to Get-CSDisassembly.
+
+.OUTPUTS
+
+ Capstone.Instruction[]
+
+ Get-CSDisassembly returns an array of Instruction objects.
+
+.NOTES
+
+ Get-CSDisassembly must be run from 64-bit PowerShell v3.
+#>
+
+ [OutputType([Capstone.Instruction])]
+ [CmdletBinding()] Param (
+ [Parameter(Mandatory)]
+ [Capstone.ARCH]
+ $Architecture,
+
+ [Parameter(Mandatory)]
+ [Capstone.MODE]
+ $Mode,
+
+ [Parameter(Mandatory)]
+ [ValidateNotNullOrEmpty()]
+ [Byte[]]
+ $Code,
+
+ [UInt64]
+ $Offset = 0,
+
+ [UInt32]
+ $Count = 0,
+
+ [ValidateSet('Intel', 'ATT')]
+ [String]
+ $Syntax,
+
+ [Switch]
+ $DetailOff
+ )
+
+ $Disassembly = New-Object Capstone.Capstone($Architecture, $Mode)
+
+ if ($Syntax)
+ {
+ switch ($Syntax)
+ {
+ 'Intel' { $SyntaxMode = [Capstone.OPT_VALUE]::SYNTAX_INTEL }
+ 'ATT' { $SyntaxMode = [Capstone.OPT_VALUE]::SYNTAX_ATT }
+ }
+
+ $Disassembly.SetSyntax($SyntaxMode)
+ }
+
+ if ($DetailOff)
+ {
+ $Disassembly.SetDetail($False)
+ }
+
+ $Disassembly.Disassemble($Code, $Offset, $Count)
+} \ No newline at end of file
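Review bot: Nothing in the function body checks that it is running in a 64-bit host: `.NOTES` states the requirement and the manifest pins `Amd64`, but Usage.md says the scripts are designed to be run individually, and in a 32-bit PowerShell the binding's calls into the 64-bit `libcapstone.dll` will presumably fail with a loader error that does not say why; a guard as the first statement, `if ([IntPtr]::Size -ne 8) { throw 'Get-CSDisassembly requires 64-bit PowerShell.' }`, turns that into a clear message. `$Count = 0` is passed straight to `Disassemble` while the help only says "maximum number of instructions", so the `.PARAMETER Count` text should state what 0 means (presumably "no limit", as in the Capstone C API, but confirm against the binding). The `Capstone.Capstone` object is created and never released; if the binding exposes the native handle through `IDisposable`, the disassembly call belongs in `try { ... } finally { $Disassembly.Dispose() }`. Since `$Code` is handed verbatim to the native disassembler and the typical input is untrusted shellcode or malware, `.NOTES` should also remind users to keep the bundled library at a current release.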
diff --git a/Capstone/LICENSE.TXT b/Capstone/LICENSE.TXT
new file mode 100644
index 0000000..9edde0b
--- /dev/null
+++ b/Capstone/LICENSE.TXT
@@ -0,0 +1,30 @@
+This is the software license for Capstone disassembly framework.
+Capstone has been designed & implemented by Nguyen Anh Quynh <aquynh@gmail.com>
+See http://www.capstone-engine.org for further information.
+
+Copyright (c) 2013, COSEINC.
+All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are met:
+
+* Redistributions of source code must retain the above copyright notice,
+ this list of conditions and the following disclaimer.
+* Redistributions in binary form must reproduce the above copyright notice,
+ this list of conditions and the following disclaimer in the documentation
+ and/or other materials provided with the distribution.
+* Neither the name of the developer(s) nor the names of its
+ contributors may be used to endorse or promote products derived from this
+ software without specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE
+LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+POSSIBILITY OF SUCH DAMAGE.
diff --git a/Capstone/Usage.md b/Capstone/Usage.md
new file mode 100644
index 0000000..8276ef6
--- /dev/null
+++ b/Capstone/Usage.md
@@ -0,0 +1,16 @@
+This module has two dependencies:
+* lib\libcapstone.dll (the 64-bit unmanaged Capstone library)
+* lib\capstone.dll (the managed C# bindings to the Capstone Framework)
+
+To install this module, drop the entire ScriptModification folder into one of your module directories. The default PowerShell module paths are listed in the $Env:PSModulePath environment variable.
+
+The default per-user module path is: "$Env:HomeDrive$Env:HOMEPATH\Documents\WindowsPowerShell\Modules"
+The default computer-level module path is: "$Env:windir\System32\WindowsPowerShell\v1.0\Modules"
+
+To use the module, type `Import-Module Capstone`
+
+To see the commands imported, type `Get-Command -Module Capstone`
+
+For help on each individual command, Get-Help is your friend.
+
+Note: The tools contained within this module were all designed such that they can be run individually. Including them in a module simply lends itself to increased portability. \ No newline at end of file
diff --git a/Capstone/lib/capstone.dll b/Capstone/lib/capstone.dll
new file mode 100644
index 0000000..bb08559
--- /dev/null
+++ b/Capstone/lib/capstone.dll
Binary files differ
diff --git a/Capstone/lib/libcapstone.dll b/Capstone/lib/libcapstone.dll
new file mode 100644
index 0000000..e4f5e33
--- /dev/null
+++ b/Capstone/lib/libcapstone.dll
Binary files differ
diff --git a/PowerSploit.psd1 b/PowerSploit.psd1
index 54156d2..049c491 100644
--- a/PowerSploit.psd1
+++ b/PowerSploit.psd1
@@ -79,6 +79,7 @@ ModuleList = @( @{ModuleName = 'PowerSploit'; ModuleVersion = '1.0.0.0'; GUID =
@{ModuleName = 'ReverseEngineering'; ModuleVersion = '1.0.0.0'; GUID = 'cbffaf47-c55a-4901-92e7-8d794fbe1fff'},
@{ModuleName = 'ScriptModification'; ModuleVersion = '1.0.0.0'; GUID = 'a4d86266-b39b-437a-b5bb-d6f99aa6e610'},
@{ModuleName = 'Persistence'; ModuleVersion = '1.0.0.0'; GUID = '633d0f10-a056-41da-869d-6d2f75430195'}
+ @{ModuleName = 'Capstone'; ModuleVersion = '1.0.0.0'; GUID = 'bc335667-02fd-46c4-a3d9-0a5113c9c03b'}
)
# List of all files packaged with this module
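Review bot: The new `Capstone` entry is appended to `ModuleList`, but the diffstat shows this file gains only that one line, so the root manifest's `FileList` (the comment closing the hunk introduces it; the list itself continues outside the hunk) is presumably not extended with `Capstone\Capstone.psd1`, `Capstone\Capstone.psm1`, `Capstone\Get-CSDisassembly.ps1`, the format file and the two DLLs — confirm against the rest of the file, and add them if the other sub-modules' files are listed there. The preceding `Persistence` entry is also left without a trailing comma: PowerShell accepts the newline as an element separator inside `@( )`, but every other entry ends with `,`, so `@{ModuleName = 'Persistence'; ...}` followed by `,` keeps the list consistent and avoids a surprise when the next entry is added on the same line.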
diff --git a/README.md b/README.md
index 004d4af..fbb0be2 100644
--- a/README.md
+++ b/README.md
@@ -80,6 +80,14 @@ Displays symbolic information from Windows lib files.
Returns the path from which Windows will load a Dll for the given executable.
+## Capstone
+
+**A PowerShell binding for the Capstone Engine disassembly framework.**
+
+#### `Get-CSDisassembly`
+
+Disassembles a byte array using the Capstone Engine disassembly framework.
+
## ReverseEngineering
**Tools to aid in reverse engineering.**