diff options
40 files changed, 10 insertions, 8686 deletions
diff --git a/Capstone/Capstone.psd1 b/Capstone/Capstone.psd1 deleted file mode 100644 index d85443f..0000000 --- a/Capstone/Capstone.psd1 +++ /dev/null @@ -1,48 +0,0 @@ -@{ - -# Script module or binary module file associated with this manifest. -ModuleToProcess = 'Capstone.psm1' - -# Version number of this module. -ModuleVersion = '2.0.0.0' - -# ID used to uniquely identify this module -GUID = 'bc335667-02fd-46c4-a3d9-0a5113c9c03b' - -# Author of this module -Author = 'Matthew Graeber' - -# Copyright statement for this module -Copyright = 'see LICENSE.TXT' - -# Description of the functionality provided by this module -Description = 'Capstone Disassembly Framework Binding Module' - -# Minimum version of the Windows PowerShell engine required by this module -PowerShellVersion = '3.0' - -# Minimum version of the common language runtime (CLR) required by this module -CLRVersion = '4.0' - -# Assemblies that must be loaded prior to importing this module -RequiredAssemblies = 'lib/capstone.dll' - -# Format files (.ps1xml) to be loaded when importing this module -FormatsToProcess = 'Get-CSDisassembly.format.ps1xml' - -# Functions to export from this module -FunctionsToExport = '*' - -# List of all modules packaged with this module. -ModuleList = @(@{ModuleName = 'Capstone'; ModuleVersion = '1.0.0.0'; GUID = 'bc335667-02fd-46c4-a3d9-0a5113c9c03b'}) - -# List of all files packaged with this module -FileList = 'Capstone.psm1', - 'Capstone.psd1', - 'Get-CSDisassembly.format.ps1xml', - 'LICENSE.TXT', - 'README', - 'lib/capstone.dll', - 'lib/x86/libcapstone.dll', - 'lib/x64/libcapstone.dll' -} diff --git a/Capstone/Capstone.psm1 b/Capstone/Capstone.psm1 deleted file mode 100644 index 6507c54..0000000 --- a/Capstone/Capstone.psm1 +++ /dev/null @@ -1,171 +0,0 @@ -function Get-CSDisassembly -{ -<# -.SYNOPSIS - - Disassembles a byte array using the Capstone Engine disassembly framework. - - PowerSploit Function: Get-CSDisassembly - Author: Matthew Graeber (@mattifestation) - License: See LICENSE.TXT - Required Dependencies: lib\capstone.dll, lib\[x86|x64]\libcapstone.dll - Optional Dependencies: None - -.DESCRIPTION - - Get-CSDisassembly is compatible on 32 and 64-bit. - -.PARAMETER Architecture - - Specifies the architecture of the code to be disassembled. - -.PARAMETER Mode - - Specifies the mode in which to disassemble code. For example, to disassemble Amd64 code, architecture is set to 'X86' and Mode is set to 'MODE_64'. - -.PARAMETER Code - - A byte array consisting of the code to be disassembled. - -.PARAMETER Offset - - Specifies the starting address of the disassembly listing. - -.PARAMETER Count - - Specifies the maximum number of instructions to disassemble. - -.PARAMETER Syntax - - Specifies the syntax flavor to be used (INTEL vs. ATT). - -.PARAMETER DetailOn - - Specifies that detailed parsing should be performed - i.e. provide detailed information for each disassembled instruction. - -.PARAMETER Verstion - - Prints the running Capstone Framework version. - -.EXAMPLE - - $Bytes = [Byte[]] @( 0x8D, 0x4C, 0x32, 0x08, 0x01, 0xD8, 0x81, 0xC6, 0x34, 0x12, 0x00, 0x00 ) - Get-CSDisassembly -Architecture X86 -Mode Mode16 -Code $Bytes -Offset 0x1000 - - $Bytes = [Byte[]] @( 0x8D, 0x4C, 0x32, 0x08, 0x01, 0xD8, 0x81, 0xC6, 0x34, 0x12, 0x00, 0x00 ) - Get-CSDisassembly -Architecture X86 -Mode Mode32 -Code $Bytes - - $Bytes = [Byte[]] @( 0x8D, 0x4C, 0x32, 0x08, 0x01, 0xD8, 0x81, 0xC6, 0x34, 0x12, 0x00, 0x00 ) - Get-CSDisassembly -Architecture X86 -Mode Mode32 -Code $Bytes -Syntax ATT - - $Bytes = [Byte[]] @( 0x55, 0x48, 0x8b, 0x05, 0xb8, 0x13, 0x00, 0x00 ) - Get-CSDisassembly -Architecture X86 -Mode Mode64 -Code $Bytes -DetailOn - - $Bytes = [Byte[]] @( 0xED, 0xFF, 0xFF, 0xEB, 0x04, 0xe0, 0x2d, 0xe5, 0x00, 0x00, 0x00, 0x00, 0xe0, 0x83, 0x22, 0xe5, 0xf1, 0x02, 0x03, 0x0e, 0x00, 0x00, 0xa0, 0xe3, 0x02, 0x30, 0xc1, 0xe7, 0x00, 0x00, 0x53, 0xe3 ) - Get-CSDisassembly -Architecture Arm -Mode Arm -Code $Bytes - - $Bytes = [Byte[]] @( 0x4f, 0xf0, 0x00, 0x01, 0xbd, 0xe8, 0x00, 0x88, 0xd1, 0xe8, 0x00, 0xf0 ) - Get-CSDisassembly -Architecture Arm -Mode Thumb -Code $Bytes - - $Bytes = [Byte[]] @( 0x10, 0xf1, 0x10, 0xe7, 0x11, 0xf2, 0x31, 0xe7, 0xdc, 0xa1, 0x2e, 0xf3, 0xe8, 0x4e, 0x62, 0xf3 ) - Get-CSDisassembly -Architecture Arm -Mode Arm -Code $Bytes - - $Bytes = [Byte[]] @( 0x70, 0x47, 0xeb, 0x46, 0x83, 0xb0, 0xc9, 0x68 ) - Get-CSDisassembly -Architecture Arm -Mode Thumb -Code $Bytes -DetailOn - - $Bytes = [Byte[]] @( 0x21, 0x7c, 0x02, 0x9b, 0x21, 0x7c, 0x00, 0x53, 0x00, 0x40, 0x21, 0x4b, 0xe1, 0x0b, 0x40, 0xb9 ) - Get-CSDisassembly -Architecture Arm64 -Mode Arm -Code $Bytes - - $Bytes = [Byte[]] @( 0x0C, 0x10, 0x00, 0x97, 0x00, 0x00, 0x00, 0x00, 0x24, 0x02, 0x00, 0x0c, 0x8f, 0xa2, 0x00, 0x00, 0x34, 0x21, 0x34, 0x56 ) - Get-CSDisassembly -Architecture Mips -Mode 'Mode32, BigEndian' -Code $Bytes - - $Bytes = [Byte[]] @( 0x56, 0x34, 0x21, 0x34, 0xc2, 0x17, 0x01, 0x00 ) - Get-CSDisassembly -Architecture Mips -Mode 'Mode64, LittleEndian' -Code $Bytes - - $Bytes = [Byte[]] @( 0x80, 0x20, 0x00, 0x00, 0x80, 0x3f, 0x00, 0x00, 0x10, 0x43, 0x23, 0x0e, 0xd0, 0x44, 0x00, 0x80, 0x4c, 0x43, 0x22, 0x02, 0x2d, 0x03, 0x00, 0x80, 0x7c, 0x43, 0x20, 0x14, 0x7c, 0x43, 0x20, 0x93, 0x4f, 0x20, 0x00, 0x21, 0x4c, 0xc8, 0x00, 0x21 ) - Get-CSDisassembly -Architecture PPC -Mode BigEndian -Code $Bytes - -.INPUTS - - None - - You cannot pipe objects to Get-CSDisassembly. - -.OUTPUTS - - Capstone.Instruction[] - - Get-CSDisassembly returns an array of Instruction objects. -#> - - [OutputType([Capstone.Instruction])] - [CmdletBinding(DefaultParameterSetName = 'Disassemble')] - Param ( - [Parameter(Mandatory, ParameterSetName = 'Disassemble')] - [Capstone.Architecture] - $Architecture, - - [Parameter(Mandatory, ParameterSetName = 'Disassemble')] - [Capstone.Mode] - $Mode, - - [Parameter(Mandatory, ParameterSetName = 'Disassemble')] - [ValidateNotNullOrEmpty()] - [Byte[]] - $Code, - - [Parameter( ParameterSetName = 'Disassemble' )] - [UInt64] - $Offset = 0, - - [Parameter( ParameterSetName = 'Disassemble' )] - [UInt32] - $Count = 0, - - [Parameter( ParameterSetName = 'Disassemble' )] - [ValidateSet('Intel', 'ATT')] - [String] - $Syntax, - - [Parameter( ParameterSetName = 'Disassemble' )] - [Switch] - $DetailOn, - - [Parameter( ParameterSetName = 'Version' )] - [Switch] - $Version - ) - - if ($PsCmdlet.ParameterSetName -eq 'Version') - { - $Disassembly = New-Object Capstone.Capstone([Capstone.Architecture]::X86, [Capstone.Mode]::Mode16) - $Disassembly.Version - - return - } - - $Disassembly = New-Object Capstone.Capstone($Architecture, $Mode) - - if ($Disassembly.Version -ne [Capstone.Capstone]::BindingVersion) - { - Write-Error "capstone.dll version ($([Capstone.Capstone]::BindingVersion.ToString())) should be the same as libcapstone.dll version. Otherwise, undefined behavior is likely." - } - - if ($Syntax) - { - switch ($Syntax) - { - 'Intel' { $SyntaxMode = [Capstone.OptionValue]::SyntaxIntel } - 'ATT' { $SyntaxMode = [Capstone.OptionValue]::SyntaxATT } - } - - $Disassembly.SetSyntax($SyntaxMode) - } - - if ($DetailOn) - { - $Disassembly.SetDetail($True) - } - - $Disassembly.Disassemble($Code, $Offset, $Count) -}
\ No newline at end of file diff --git a/Capstone/Get-CSDisassembly.format.ps1xml b/Capstone/Get-CSDisassembly.format.ps1xml deleted file mode 100644 index e9703a2..0000000 --- a/Capstone/Get-CSDisassembly.format.ps1xml +++ /dev/null @@ -1,41 +0,0 @@ -<?xml version="1.0" encoding="utf-8" ?> -<Configuration> - <ViewDefinitions> - <View> - <Name>InstructionView</Name> - <ViewSelectedBy> - <TypeName>Capstone.Instruction</TypeName> - </ViewSelectedBy> - <TableControl> - <AutoSize/> - <TableHeaders> - <TableColumnHeader> - <Label>Address</Label> - </TableColumnHeader> - <TableColumnHeader> - <Label>Mnemonic</Label> - </TableColumnHeader> - <TableColumnHeader> - <Label>Operands</Label> - </TableColumnHeader> - </TableHeaders> - <TableRowEntries> - <TableRowEntry> - <TableColumnItems> - <TableColumnItem> - <PropertyName>Address</PropertyName> - <FormatString>0x{0:X8}</FormatString> - </TableColumnItem> - <TableColumnItem> - <PropertyName>Mnemonic</PropertyName> - </TableColumnItem> - <TableColumnItem> - <PropertyName>Operands</PropertyName> - </TableColumnItem> - </TableColumnItems> - </TableRowEntry> - </TableRowEntries> - </TableControl> - </View> - </ViewDefinitions> -</Configuration>
\ No newline at end of file diff --git a/Capstone/LICENSE.TXT b/Capstone/LICENSE.TXT deleted file mode 100644 index 9edde0b..0000000 --- a/Capstone/LICENSE.TXT +++ /dev/null @@ -1,30 +0,0 @@ -This is the software license for Capstone disassembly framework. -Capstone has been designed & implemented by Nguyen Anh Quynh <aquynh@gmail.com> -See http://www.capstone-engine.org for further information. - -Copyright (c) 2013, COSEINC. -All rights reserved. - -Redistribution and use in source and binary forms, with or without -modification, are permitted provided that the following conditions are met: - -* Redistributions of source code must retain the above copyright notice, - this list of conditions and the following disclaimer. -* Redistributions in binary form must reproduce the above copyright notice, - this list of conditions and the following disclaimer in the documentation - and/or other materials provided with the distribution. -* Neither the name of the developer(s) nor the names of its - contributors may be used to endorse or promote products derived from this - software without specific prior written permission. - -THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" -AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE -ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE -LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR -CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF -SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS -INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN -CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) -ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE -POSSIBILITY OF SUCH DAMAGE. diff --git a/Capstone/README b/Capstone/README deleted file mode 100644 index cbab0cb..0000000 --- a/Capstone/README +++ /dev/null @@ -1,17 +0,0 @@ -This module has three dependencies: -* lib\x86\libcapstone.dll (the 32-bit unmanaged Capstone library) -* lib\x64\libcapstone.dll (the 64-bit unmanaged Capstone library) -* lib\capstone.dll (the managed C# bindings to the Capstone Framework) - -To install this module, drop the entire ScriptModification folder into one of your module directories. The default PowerShell module paths are listed in the $Env:PSModulePath environment variable. - -The default per-user module path is: "$Env:HomeDrive$Env:HOMEPATH\Documents\WindowsPowerShell\Modules" -The default computer-level module path is: "$Env:windir\System32\WindowsPowerShell\v1.0\Modules" - -To use the module, type `Import-Module Capstone` - -To see the commands imported, type `Get-Command -Module Capstone` - -For help on each individual command, Get-Help is your friend. - -Note: The tools contained within this module were all designed such that they can be run individually. Including them in a module simply lends itself to increased portability.
\ No newline at end of file diff --git a/Capstone/lib/capstone.dll b/Capstone/lib/capstone.dll Binary files differdeleted file mode 100644 index 809932b..0000000 --- a/Capstone/lib/capstone.dll +++ /dev/null diff --git a/Capstone/lib/place_capstone.dll_here b/Capstone/lib/place_capstone.dll_here deleted file mode 100644 index e69de29..0000000 --- a/Capstone/lib/place_capstone.dll_here +++ /dev/null diff --git a/Capstone/lib/x64/libcapstone.dll b/Capstone/lib/x64/libcapstone.dll Binary files differdeleted file mode 100644 index 8d0a578..0000000 --- a/Capstone/lib/x64/libcapstone.dll +++ /dev/null diff --git a/Capstone/lib/x64/place_64-bit_libcapstone.dll_here b/Capstone/lib/x64/place_64-bit_libcapstone.dll_here deleted file mode 100644 index e69de29..0000000 --- a/Capstone/lib/x64/place_64-bit_libcapstone.dll_here +++ /dev/null diff --git a/Capstone/lib/x86/libcapstone.dll b/Capstone/lib/x86/libcapstone.dll Binary files differdeleted file mode 100644 index bb919a6..0000000 --- a/Capstone/lib/x86/libcapstone.dll +++ /dev/null diff --git a/Capstone/lib/x86/place_32-bit_libcapstone.dll_here b/Capstone/lib/x86/place_32-bit_libcapstone.dll_here deleted file mode 100644 index e69de29..0000000 --- a/Capstone/lib/x86/place_32-bit_libcapstone.dll_here +++ /dev/null diff --git a/PETools/Get-DllLoadPath.ps1 b/PETools/Get-DllLoadPath.ps1 deleted file mode 100644 index 97b0210..0000000 --- a/PETools/Get-DllLoadPath.ps1 +++ /dev/null @@ -1,190 +0,0 @@ -function Get-DllLoadPath
-{
-<#
-.SYNOPSIS
-
-Outputs the order of paths in which a dll would be loaded.
-
-PowerSploit Function: Get-DllLoadPath
-Author: Matthew Graeber (@mattifestation)
-License: BSD 3-Clause
-Required Dependencies: None
-Optional Dependencies: None
-
-.DESCRIPTION
-
-Get-DllLoadPath returns the path from which Windows will load a Dll for the given executable.
-
-.PARAMETER ExecutablePath
-
-Path to the executable from which the Dll would be loaded.
-
-.PARAMETER DllName
-
-Name of the Dll in the form 'dllname.dll'.
-
-.EXAMPLE
-
-C:\PS> Get-DllLoadPath C:\Windows\System32\cmd.exe kernel32.dll
-
-Path
-----
-C:\Windows\system32\kernel32.dll
-
-.EXAMPLE
-
-C:\PS> Get-DllLoadPath C:\Windows\SysWOW64\calc.exe Comctl32.dll
-
-Path
-----
-C:\Windows\SysWOW64\Comctl32.dll
-
-.OUTPUTS
-
-System.Management.Automation.PathInfo
-
-.NOTES
-
-This script will not detect if the executable provided intentionally alters the Dll search path via LoadLibraryEx, SetDllDirectory, or AddDllDirectory.
-
-.LINK
-
-http://www.exploit-monday.com
-http://msdn.microsoft.com/en-us/library/windows/desktop/ms682586%28v=vs.85%29.aspx
-#>
-
- Param (
- [Parameter(Position = 0, Mandatory = $True)]
- [String]
- $ExecutablePath,
-
- [Parameter(Position = 1, Mandatory = $True)]
- [String]
- $DllName
- )
-
- if (!(Test-Path $ExecutablePath)) {
- Write-Warning 'Invalid path or file does not exist.'
- return
- } else {
- $ExecutablePath = Resolve-Path $ExecutablePath
- $ExecutableDirectory = Split-Path $ExecutablePath
- }
-
- if ($DllName.Contains('.dll')) {
- $DllNameShort = $DllName.Split('.')[0]
- } else {
- Write-Warning 'You must provide a proper dll name (i.e. kernel32.dll)'
- return
- }
-
- function Get-PEArchitecture {
-
- Param ( [Parameter(Position = 0, Mandatory = $True)] [String] $Path )
-
- # Parse PE header to see if binary was compiled 32 or 64-bit
- $FileStream = New-Object System.IO.FileStream($Path, [System.IO.FileMode]::Open, [System.IO.FileAccess]::Read)
-
- [Byte[]] $MZHeader = New-Object Byte[](2)
- $FileStream.Read($MZHeader,0,2) | Out-Null
-
- $Header = [System.Text.AsciiEncoding]::ASCII.GetString($MZHeader)
- if ($Header -ne 'MZ') {
- Write-Warning 'Invalid PE header.'
- $FileStream.Close()
- return
- }
-
- # Seek to 0x3c - IMAGE_DOS_HEADER.e_lfanew (i.e. Offset to PE Header)
- $FileStream.Seek(0x3c, [System.IO.SeekOrigin]::Begin) | Out-Null
-
- [Byte[]] $lfanew = New-Object Byte[](4)
-
- # Read offset to the PE Header (will be read in reverse)
- $FileStream.Read($lfanew,0,4) | Out-Null
- $PEOffset = [Int] ('0x{0}' -f (( $lfanew[-1..-4] | % { $_.ToString('X2') } ) -join ''))
-
- # Seek to IMAGE_FILE_HEADER.IMAGE_FILE_MACHINE
- $FileStream.Seek($PEOffset + 4, [System.IO.SeekOrigin]::Begin) | Out-Null
- [Byte[]] $IMAGE_FILE_MACHINE = New-Object Byte[](2)
-
- # Read compiled architecture
- $FileStream.Read($IMAGE_FILE_MACHINE,0,2) | Out-Null
- $Architecture = '{0}' -f (( $IMAGE_FILE_MACHINE[-1..-2] | % { $_.ToString('X2') } ) -join '')
- $FileStream.Close()
-
- if (($Architecture -ne '014C') -and ($Architecture -ne '8664')) {
- Write-Warning 'Invalid PE header or unsupported architecture.'
- return
- }
-
- if ($Architecture -eq '014C') {
- return 'X86'
- } elseif ($Architecture -eq '8664') {
- return 'X64'
- } else {
- return 'OTHER'
- }
-
- }
-
- # Check if SafeDllSearch is disabled. Note: The logic of this check will fail in XP SP0/1
- $UnsafeSearch = $False
- $SearchMode = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager').SafeDllSearchMode
- if ($SearchMode -eq 0) { $UnsafeSearch = $True }
-
- $OSArch = (Get-WmiObject Win32_OperatingSystem -Property OSArchitecture).OSArchitecture
- $PEArch = Get-PEArchitecture $ExecutablePath
- $KnownDlls = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs'
-
- if ($OSArch -eq '32-bit') {
- $DllDirectory = Resolve-Path $KnownDlls.DllDirectory
- } else {
- if ($PEArch -eq 'X86') {
- $DllDirectory = Resolve-Path $KnownDlls.DllDirectory32
- } else {
- $DllDirectory = Resolve-Path $KnownDlls.DllDirectory
- }
- }
-
-
- if ($KnownDlls | Get-Member -MemberType NoteProperty | Where-Object { $_.Name -eq $DllNameShort }) {
- $Expression = '$KnownDlls.' + "$DllNameShort"
- $Filename = Invoke-Expression $Expression
- return Resolve-Path (Join-Path $DllDirectory $Filename)
- }
-
- $FoundInAppDirectory = Get-ChildItem (Join-Path $ExecutableDirectory $DllName) -ErrorAction SilentlyContinue
- if ($FoundInAppDirectory) { return Resolve-Path $FoundInAppDirectory.FullName }
-
- if ($UnsafeSearch) {
- $FoundInWorkingDirectory = Get-ChildItem (Join-Path (Get-Location) $DllName) -ErrorAction SilentlyContinue
- if ($FoundInWorkingDirectory) { return Resolve-Path $FoundInWorkingDirectory.FullName }
- }
-
- $FoundInSystemDirectory = Get-ChildItem (Join-Path $DllDirectory $DllName) -ErrorAction SilentlyContinue
- if ($FoundInSystemDirectory) { return Resolve-Path $FoundInSystemDirectory.FullName }
-
- $FoundIn16BitSystemDir = Get-ChildItem "$($Env:windir)\System\$DllName" -ErrorAction SilentlyContinue
- if ($FoundIn16BitSystemDir) { return Resolve-Path $FoundIn16BitSystemDir.FullName }
-
- $FoundInWindowsDirectory = Get-ChildItem "$($Env:windir)\$DllName" -ErrorAction SilentlyContinue
- if ($FoundInWindowsDirectory) { return Resolve-Path $FoundInWindowsDirectory.FullName }
-
- if (!$UnsafeSearch) {
- $FoundInWorkingDirectory = Get-ChildItem (Join-Path (Get-Location) $DllName) -ErrorAction SilentlyContinue
- if ($FoundInWorkingDirectory) { return Resolve-Path $FoundInWorkingDirectory.FullName }
- }
-
- $Env:Path.Split(';') | ForEach-Object {
- if ($_ -match '%(.{1,})%') {
- $TempPath = $_.Replace($Matches[0], [Environment]::GetEnvironmentVariable($Matches[1]))
- } else {
- $TempPath = $_
- }
-
- $FoundInPathEnvVar = Get-ChildItem (Join-Path $TempPath $DllName) -ErrorAction SilentlyContinue
- if ($FoundInPathEnvVar) { return Resolve-Path $FoundInPathEnvVar.FullName }
- }
-
-}
diff --git a/PETools/Get-LibSymbols.format.ps1xml b/PETools/Get-LibSymbols.format.ps1xml deleted file mode 100644 index 5d4d848..0000000 --- a/PETools/Get-LibSymbols.format.ps1xml +++ /dev/null @@ -1,31 +0,0 @@ -<?xml version="1.0" encoding="utf-8" ?> -<Configuration> - <ViewDefinitions> - <View> - <Name>SymbolTypeView</Name> - <ViewSelectedBy> - <TypeName>COFF.SymbolInfo</TypeName> - </ViewSelectedBy> - <ListControl> - <ListEntries> - <ListEntry> - <ListItems> - <ListItem> - <PropertyName>SymbolType</PropertyName> - </ListItem> - <ListItem> - <PropertyName>Module</PropertyName> - </ListItem> - <ListItem> - <PropertyName>DecoratedName</PropertyName> - </ListItem> - <ListItem> - <PropertyName>UndecoratedName</PropertyName> - </ListItem> - </ListItems> - </ListEntry> - </ListEntries> - </ListControl> - </View> - </ViewDefinitions> -</Configuration> diff --git a/PETools/Get-LibSymbols.ps1 b/PETools/Get-LibSymbols.ps1 deleted file mode 100644 index 9864676..0000000 --- a/PETools/Get-LibSymbols.ps1 +++ /dev/null @@ -1,282 +0,0 @@ -function Get-LibSymbols -{ -<# -.SYNOPSIS - - Displays symbolic information from Windows lib files. - - PowerSploit Function: Get-LibSymbols - Author: Matthew Graeber (@mattifestation) - License: BSD 3-Clause - Required Dependencies: None - Optional Dependencies: None - -.DESCRIPTION - - Get-LibSymbols parses and returns symbols in Windows .lib files - in both decorated and undecorated form (for C++ functions). - -.PARAMETER Path - - Specifies a path to one or more lib file locations. - -.EXAMPLE - - C:\PS>Get-LibSymbols -Path msvcrt.lib - -.EXAMPLE - - C:\PS>ls *.lib | Get-LibSymbols - -.INPUTS - - System.String[] - - You can pipe a file system path (in quotation marks) to Get-LibSymbols. - -.OUTPUTS - - COFF.SymbolInfo - -.LINK - - http://www.exploit-monday.com/ -#> - [CmdletBinding()] Param ( - [Parameter(Position = 0, Mandatory = $True, ValueFromPipelineByPropertyName = $True)] - [ValidateScript({ Test-Path $_ })] - [Alias('FullName')] - [String[]] - $Path - ) - - BEGIN - { - $Code = @' - using System; - using System.IO; - using System.Text; - using System.Runtime.InteropServices; - - namespace COFF - { - public class HEADER - { - public ushort Machine; - public ushort NumberOfSections; - public DateTime TimeDateStamp; - public uint PointerToSymbolTable; - public uint NumberOfSymbols; - public ushort SizeOfOptionalHeader; - public ushort Characteristics; - - public HEADER(BinaryReader br) - { - this.Machine = br.ReadUInt16(); - this.NumberOfSections = br.ReadUInt16(); - this.TimeDateStamp = (new DateTime(1970, 1, 1, 0, 0, 0)).AddSeconds(br.ReadUInt32()); - this.PointerToSymbolTable = br.ReadUInt32(); - this.NumberOfSymbols = br.ReadUInt32(); - this.SizeOfOptionalHeader = br.ReadUInt16(); - this.Characteristics = br.ReadUInt16(); - } - } - - public class IMAGE_ARCHIVE_MEMBER_HEADER - { - public string Name; - public DateTime Date; - public ulong Size; - public string EndHeader; - - public IMAGE_ARCHIVE_MEMBER_HEADER(BinaryReader br) - { - string tempName = Encoding.UTF8.GetString(br.ReadBytes(16)); - DateTime dt = new DateTime(1970, 1, 1, 0, 0, 0); - this.Name = tempName.Substring(0, tempName.IndexOf((Char) 47)); - this.Date = dt.AddSeconds(Convert.ToDouble(Encoding.UTF8.GetString(br.ReadBytes(12)).Split((Char) 20)[0])); - br.ReadBytes(20); // Skip over UserID, GroupID, and Mode. They are useless fields. - this.Size = Convert.ToUInt64(Encoding.UTF8.GetString(br.ReadBytes(10)).Split((Char) 20)[0]); - this.EndHeader = Encoding.UTF8.GetString(br.ReadBytes(2)); - } - } - - public class Functions - { - [DllImport("dbghelp.dll", SetLastError=true, PreserveSig=true)] - public static extern int UnDecorateSymbolName( - [In] [MarshalAs(UnmanagedType.LPStr)] string DecoratedName, - [Out] StringBuilder UnDecoratedName, - [In] [MarshalAs(UnmanagedType.U4)] uint UndecoratedLength, - [In] [MarshalAs(UnmanagedType.U4)] uint Flags); - } - } -'@ - - Add-Type -TypeDefinition $Code - - function Dispose-Objects - { - $BinaryReader.Close() - $FileStream.Dispose() - } - } - - PROCESS - { - foreach ($File in $Path) - { - # Resolve the absolute path of the lib file. [IO.File]::OpenRead requires an absolute path. - $LibFilePath = Resolve-Path $File - - # Pull out just the file name - $LibFileName = Split-Path $LibFilePath -Leaf - - $IMAGE_SIZEOF_ARCHIVE_MEMBER_HDR = 60 - $IMAGE_ARCHIVE_START = "!<arch>`n" # Magic used for lib files - $IMAGE_SIZEOF_LIB_HDR = $IMAGE_SIZEOF_ARCHIVE_MEMBER_HDR + $IMAGE_ARCHIVE_START.Length - $IMAGE_ARCHIVE_END = "```n" # Footer of an archive header - $SizeofCOFFFileHeader = 20 - - # Open the object file for reading - $FileStream = [IO.File]::OpenRead($LibFilePath) - - $FileLength = $FileStream.Length - - # Validate lib header size - if ($FileLength -lt $IMAGE_SIZEOF_LIB_HDR) - { - # You cannot parse the lib header if the file is not big enough to contain a lib header. - Write-Error "$($LibFileName) is too small to store a lib header." - $FileStream.Dispose() - return - } - - # Open a BinaryReader object for the lib file - $BinaryReader = New-Object IO.BinaryReader($FileStream) - - $ArchiveStart = [Text.Encoding]::UTF8.GetString($BinaryReader.ReadBytes(8)) - - if ($ArchiveStart -ne $IMAGE_ARCHIVE_START) - { - Write-Error "$($LibFileName) does not contain a valid lib header." - Dispose-Objects - return - } - - # Parse the first archive header - $ArchiveHeader = New-Object COFF.IMAGE_ARCHIVE_MEMBER_HEADER($BinaryReader) - - if ($ArchiveHeader.EndHeader -ne $IMAGE_ARCHIVE_END) - { - Write-Error "$($LibFileName) does not contain a valid lib header." - Dispose-Objects - return - } - - # Check for the existence of symbols - if ($ArchiveHeader.Size -eq 0) - { - Write-Warning "$($LibFileName) contains no symbols." - Dispose-Objects - return - } - - $NumberOfSymbols = $BinaryReader.ReadBytes(4) - - # The offsets in the first archive header of a Microsoft lib file are stored in big-endian format - if ([BitConverter]::IsLittleEndian) - { - [Array]::Reverse($NumberOfSymbols) - } - - $NumberOfSymbols = [BitConverter]::ToUInt32($NumberOfSymbols, 0) - - $SymbolOffsets = New-Object UInt32[]($NumberOfSymbols) - - foreach ($Offset in 0..($SymbolOffsets.Length - 1)) - { - $SymbolOffset = $BinaryReader.ReadBytes(4) - - if ([BitConverter]::IsLittleEndian) - { - [Array]::Reverse($SymbolOffset) - } - - $SymbolOffsets[$Offset] = [BitConverter]::ToUInt32($SymbolOffset, 0) - } - - $SymbolStringLength = $ArchiveHeader.Size + $IMAGE_SIZEOF_LIB_HDR - $FileStream.Position - 1 - # $SymbolStrings = [Text.Encoding]::UTF8.GetString($BinaryReader.ReadBytes($SymbolStringLength)).Split([Char] 0) - - # Write-Output $SymbolStrings - - # There will be many duplicate offset entries. Remove them. - $SymbolOffsetsSorted = $SymbolOffsets | Sort-Object -Unique - - $SymbolOffsetsSorted | ForEach-Object { - # Seek to the each repective offset in the file - $FileStream.Seek($_, 'Begin') | Out-Null - - $ArchiveHeader = New-Object COFF.IMAGE_ARCHIVE_MEMBER_HEADER($BinaryReader) - - # This is not a true COFF header. It's the same size and mostly resembles a standard COFF header - # but Microsoft placed a marker (0xFFFF) in the first WORD to indicate that the 'object file' - # consists solely of the module name and symbol. - $CoffHeader = New-Object COFF.HEADER($BinaryReader) - - # Check for 0xFFFF flag value - if ($CoffHeader.NumberOfSections -eq [UInt16]::MaxValue) - { - # Get the total length of the module and symbol name - $SymbolStringLength = $CoffHeader.NumberOfSymbols - $Symbols = [Text.Encoding]::UTF8.GetString($BinaryReader.ReadBytes($SymbolStringLength)).Split([Char] 0) - - $DecoratedSymbol = $Symbols[0] - $UndecoratedSymbol = '' - - # Default to a 'C' type symbol unless it starts with a '?' - $SymbolType = 'C' - - # Is the symbol a C++ type? - if ($DecoratedSymbol.StartsWith('?')) - { - $StrBuilder = New-Object Text.Stringbuilder(512) - # Magically undecorated the convoluted C++ symbol into a proper C++ function definition - [COFF.Functions]::UnDecorateSymbolName($DecoratedSymbol, $StrBuilder, $StrBuilder.Capacity, 0) | Out-Null - $UndecoratedSymbol = $StrBuilder.ToString() - $SymbolType = 'C++' - } - else - { - if ($DecoratedSymbol[0] -eq '_' -or $DecoratedSymbol[0] -eq '@') - { - $UndecoratedSymbol = $DecoratedSymbol.Substring(1).Split('@')[0] - } - else - { - $UndecoratedSymbol = $DecoratedSymbol.Split('@')[0] - } - } - - $SymInfo = @{ - DecoratedName = $DecoratedSymbol - UndecoratedName = $UndecoratedSymbol - Module = $Symbols[1] - SymbolType = $SymbolType - } - - $ParsedSymbol = New-Object PSObject -Property $SymInfo - $ParsedSymbol.PSObject.TypeNames[0] = 'COFF.SymbolInfo' - - Write-Output $ParsedSymbol - } - } - - # Close file and binaryreader objects - Dispose-Objects - } - } - - END {} -} diff --git a/PETools/Get-ObjDump.format.ps1xml b/PETools/Get-ObjDump.format.ps1xml deleted file mode 100644 index 25e13b8..0000000 --- a/PETools/Get-ObjDump.format.ps1xml +++ /dev/null @@ -1,292 +0,0 @@ -<?xml version="1.0" encoding="utf-8" ?> -<Configuration> - <ViewDefinitions> - <View> - <Name>ObjectFileView</Name> - <ViewSelectedBy> - <TypeName>COFF.OBJECT_FILE</TypeName> - </ViewSelectedBy> - <ListControl> - <ListEntries> - <ListEntry> - <ListItems> - <ListItem> - <PropertyName>COFFHeader</PropertyName> - </ListItem> - <ListItem> - <PropertyName>SectionHeaders</PropertyName> - </ListItem> - <ListItem> - <PropertyName>SymbolTable</PropertyName> - </ListItem> - </ListItems> - </ListEntry> - </ListEntries> - </ListControl> - </View> - <View> - <Name>COFFHeaderView</Name> - <ViewSelectedBy> - <TypeName>COFF.HEADER</TypeName> - </ViewSelectedBy> - <ListControl> - <ListEntries> - <ListEntry> - <ListItems> - <ListItem> - <PropertyName>Machine</PropertyName> - </ListItem> - <ListItem> - <PropertyName>NumberOfSections</PropertyName> - <FormatString>0x{0:X4}</FormatString> - </ListItem> - <ListItem> - <PropertyName>TimeDateStamp</PropertyName> - </ListItem> - <ListItem> - <PropertyName>PointerToSymbolTable</PropertyName> - <FormatString>0x{0:X8}</FormatString> - </ListItem> - <ListItem> - <PropertyName>NumberOfSymbols</PropertyName> - <FormatString>0x{0:X8}</FormatString> - </ListItem> - <ListItem> - <PropertyName>SizeOfOptionalHeader</PropertyName> - <FormatString>0x{0:X4}</FormatString> - </ListItem> - <ListItem> - <PropertyName>Characteristics</PropertyName> - </ListItem> - </ListItems> - </ListEntry> - </ListEntries> - </ListControl> - </View> - <View> - <Name>SectionHeaderView</Name> - <ViewSelectedBy> - <TypeName>COFF.SECTION_HEADER</TypeName> - </ViewSelectedBy> - <ListControl> - <ListEntries> - <ListEntry> - <ListItems> - <ListItem> - <PropertyName>Name</PropertyName> - </ListItem> - <ListItem> - <PropertyName>PhysicalAddress</PropertyName> - <FormatString>0x{0:X8}</FormatString> - </ListItem> - <ListItem> - <PropertyName>VirtualSize</PropertyName> - <FormatString>0x{0:X8}</FormatString> - </ListItem> - <ListItem> - <PropertyName>VirtualAddress</PropertyName> - <FormatString>0x{0:X8}</FormatString> - </ListItem> - <ListItem> - <PropertyName>SizeOfRawData</PropertyName> - <FormatString>0x{0:X8}</FormatString> - </ListItem> - <ListItem> - <PropertyName>PointerToRawData</PropertyName> - <FormatString>0x{0:X8}</FormatString> - </ListItem> - <ListItem> - <PropertyName>PointerToRelocations</PropertyName> - <FormatString>0x{0:X8}</FormatString> - </ListItem> - <ListItem> - <PropertyName>PointerToLinenumbers</PropertyName> - <FormatString>0x{0:X8}</FormatString> - </ListItem> - <ListItem> - <PropertyName>NumberOfRelocations</PropertyName> - <FormatString>0x{0:X4}</FormatString> - </ListItem> - <ListItem> - <PropertyName>NumberOfLinenumbers</PropertyName> - <FormatString>0x{0:X4}</FormatString> - </ListItem> - <ListItem> - <PropertyName>Characteristics</PropertyName> - </ListItem> - <ListItem> - <PropertyName>RawData</PropertyName> - </ListItem> - <ListItem> - <PropertyName>Relocations</PropertyName> - </ListItem> - </ListItems> - </ListEntry> - </ListEntries> - </ListControl> - </View> - <View> - <Name>SymbolTableView</Name> - <ViewSelectedBy> - <TypeName>COFF.SYMBOL_TABLE</TypeName> - </ViewSelectedBy> - <TableControl> - <AutoSize/> - <TableHeaders> - <TableColumnHeader> - <Label>Name</Label> - </TableColumnHeader> - <TableColumnHeader> - <Label>Value</Label> - </TableColumnHeader> - <TableColumnHeader> - <Label>SectionNumber</Label> - </TableColumnHeader> - <TableColumnHeader> - <Label>Type</Label> - </TableColumnHeader> - <TableColumnHeader> - <Label>StorageClass</Label> - </TableColumnHeader> - <TableColumnHeader> - <Label>NumberOfAuxSymbols</Label> - </TableColumnHeader> - <TableColumnHeader> - <Label>AuxSymbols</Label> - </TableColumnHeader> - </TableHeaders> - <TableRowEntries> - <TableRowEntry> - <TableColumnItems> - <TableColumnItem> - <PropertyName>Name</PropertyName> - </TableColumnItem> - <TableColumnItem> - <PropertyName>Value</PropertyName> - <FormatString>0x{0:X8}</FormatString> - </TableColumnItem> - <TableColumnItem> - <PropertyName>SectionNumber</PropertyName> - </TableColumnItem> - <TableColumnItem> - <PropertyName>Type</PropertyName> - </TableColumnItem> - <TableColumnItem> - <PropertyName>StorageClass</PropertyName> - </TableColumnItem> - <TableColumnItem> - <PropertyName>NumberOfAuxSymbols</PropertyName> - <FormatString>0x{0:X2}</FormatString> - </TableColumnItem> - <TableColumnItem> - <PropertyName>AuxSymbols</PropertyName> - </TableColumnItem> - </TableColumnItems> - </TableRowEntry> - </TableRowEntries> - </TableControl> - </View> - <View> - <Name>SectionDefinitionView</Name> - <ViewSelectedBy> - <TypeName>COFF.SECTION_DEFINITION</TypeName> - </ViewSelectedBy> - <TableControl> - <AutoSize/> - <TableHeaders> - <TableColumnHeader> - <Label>Length</Label> - </TableColumnHeader> - <TableColumnHeader> - <Label>NumberOfRelocations</Label> - </TableColumnHeader> - <TableColumnHeader> - <Label>NumberOfLinenumbers</Label> - </TableColumnHeader> - <TableColumnHeader> - <Label>CheckSum</Label> - </TableColumnHeader> - <TableColumnHeader> - <Label>Number</Label> - </TableColumnHeader> - <TableColumnHeader> - <Label>Selection</Label> - </TableColumnHeader> - </TableHeaders> - <TableRowEntries> - <TableRowEntry> - <TableColumnItems> - <TableColumnItem> - <PropertyName>Length</PropertyName> - <FormatString>0x{0:X8}</FormatString> - </TableColumnItem> - <TableColumnItem> - <PropertyName>NumberOfRelocations</PropertyName> - <FormatString>0x{0:X4}</FormatString> - </TableColumnItem> - <TableColumnItem> - <PropertyName>NumberOfLinenumbers</PropertyName> - <FormatString>0x{0:X4}</FormatString> - </TableColumnItem> - <TableColumnItem> - <PropertyName>CheckSum</PropertyName> - <FormatString>0x{0:X8}</FormatString> - </TableColumnItem> - <TableColumnItem> - <PropertyName>Number</PropertyName> - <FormatString>0x{0:X4}</FormatString> - </TableColumnItem> - <TableColumnItem> - <PropertyName>Selection</PropertyName> - <FormatString>0x{0:X2}</FormatString> - </TableColumnItem> - </TableColumnItems> - </TableRowEntry> - </TableRowEntries> - </TableControl> - </View> - <View> - <Name>RelocationView</Name> - <ViewSelectedBy> - <TypeName>COFF.RelocationEntry</TypeName> - </ViewSelectedBy> - <TableControl> - <AutoSize/> - <TableHeaders> - <TableColumnHeader> - <Label>VirtualAddress</Label> - </TableColumnHeader> - <TableColumnHeader> - <Label>SymbolTableIndex</Label> - </TableColumnHeader> - <TableColumnHeader> - <Label>Type</Label> - </TableColumnHeader> - <TableColumnHeader> - <Label>Name</Label> - </TableColumnHeader> - </TableHeaders> - <TableRowEntries> - <TableRowEntry> - <TableColumnItems> - <TableColumnItem> - <PropertyName>VirtualAddress</PropertyName> - <FormatString>0x{0:X8}</FormatString> - </TableColumnItem> - <TableColumnItem> - <PropertyName>SymbolTableIndex</PropertyName> - <FormatString>0x{0:X8}</FormatString> - </TableColumnItem> - <TableColumnItem> - <PropertyName>Type</PropertyName> - </TableColumnItem> - <TableColumnItem> - <PropertyName>Name</PropertyName> - </TableColumnItem> - </TableColumnItems> - </TableRowEntry> - </TableRowEntries> - </TableControl> - </View> - </ViewDefinitions> -</Configuration> diff --git a/PETools/Get-ObjDump.ps1 b/PETools/Get-ObjDump.ps1 deleted file mode 100644 index 2a8ebcb..0000000 --- a/PETools/Get-ObjDump.ps1 +++ /dev/null @@ -1,708 +0,0 @@ -function Get-ObjDump -{ -<# -.SYNOPSIS - - Displays information about one or more Windows object files. - - PowerSploit Function: Get-ObjDump - Author: Matthew Graeber (@mattifestation) - License: BSD 3-Clause - Required Dependencies: None - Optional Dependencies: None - -.DESCRIPTION - - Get-ObjDump parses and returns nearly identical infomation as the dumpbin - utility. By nature of Get-ObjDump returning objects though, it lends itself - much better to manipulation since every field is an object. - -.PARAMETER Path - - Specifies a path to one or more object file locations. - -.EXAMPLE - - C:\PS>Get-ObjDump -Path main.obj - -.EXAMPLE - - C:\PS>ls *.obj | Get-ObjDump - -.EXAMPLE - - C:\PS>$ObjectFile = Get-ObjDump -Path shellcode.obj - C:\PS>$CodeBytes = $ObjectFile.SectionHeaders | ? {$_.Name -eq '.text'} | % {$_.RawData} - - Description - ----------- - Pulls the raw bytes out of the text section. Note that in this form, - no relocations have been fixed up. - -.INPUTS - - System.String[] - - You can pipe a file system path (in quotation marks) to Get-ObjDump. - -.OUTPUTS - - COFF.OBJECT_FILE - -.LINK - - http://www.exploit-monday.com/ -#> - [CmdletBinding()] Param ( - [Parameter(Position = 0, Mandatory = $True, ValueFromPipeline = $True)] - [ValidateScript({ Test-Path $_ })] - [String[]] - $Path - ) - - BEGIN - { - $Code = @' - using System; - using System.IO; - using System.Text; - - namespace COFF - { - public enum Machine : ushort - { - UNKNOWN = 0, - I386 = 0x014C, // Intel 386. - R3000 = 0x0162, // MIPS little-endian =0x160 big-endian - R4000 = 0x0166, // MIPS little-endian - R10000 = 0x0168, // MIPS little-endian - WCEMIPSV2 = 0x0169, // MIPS little-endian WCE v2 - ALPHA = 0x0184, // Alpha_AXP - SH3 = 0x01A2, // SH3 little-endian - SH3DSP = 0x01A3, - SH3E = 0x01A4, // SH3E little-endian - SH4 = 0x01A6, // SH4 little-endian - SH5 = 0x01A8, // SH5 - ARM = 0x01C0, // ARM Little-Endian - THUMB = 0x01C2, - ARMV7 = 0x01C4, // ARM Thumb-2 Little-Endian - AM33 = 0x01D3, - POWERPC = 0x01F0, // IBM PowerPC Little-Endian - POWERPCFP = 0x01F1, - IA64 = 0x0200, // Intel 64 - MIPS16 = 0x0266, // MIPS - ALPHA64 = 0x0284, // ALPHA64 - MIPSFPU = 0x0366, // MIPS - MIPSFPU16 = 0x0466, // MIPS - AXP64 = ALPHA64, - TRICORE = 0x0520, // Infineon - CEF = 0x0CEF, - EBC = 0x0EBC, // EFI public byte Code - AMD64 = 0x8664, // AMD64 (K8) - M32R = 0x9041, // M32R little-endian - ARM64 = 0xAA64, // ARMv8 in 64-bit mode - CEE = 0xC0EE - } - - [Flags] - public enum CoffHeaderCharacteristics : ushort - { - RELOCS_STRIPPED = 0x0001, // Relocation info stripped from file. - EXECUTABLE_IMAGE = 0x0002, // File is executable (i.e. no unresolved external references). - LINE_NUMS_STRIPPED = 0x0004, // Line nunbers stripped from file. - LOCAL_SYMS_STRIPPED = 0x0008, // Local symbols stripped from file. - AGGRESIVE_WS_TRIM = 0x0010, // Agressively trim working set - LARGE_ADDRESS_AWARE = 0x0020, // App can handle >2gb addresses - REVERSED_LO = 0x0080, // public bytes of machine public ushort are reversed. - BIT32_MACHINE = 0x0100, // 32 bit public ushort machine. - DEBUG_STRIPPED = 0x0200, // Debugging info stripped from file in .DBG file - REMOVABLE_RUN_FROM_SWAP = 0x0400, // If Image is on removable media =copy and run from the swap file. - NET_RUN_FROM_SWAP = 0x0800, // If Image is on Net =copy and run from the swap file. - SYSTEM = 0x1000, // System File. - DLL = 0x2000, // File is a DLL. - UP_SYSTEM_ONLY = 0x4000, // File should only be run on a UP machine - REVERSED_HI = 0x8000 // public bytes of machine public ushort are reversed. - } - - public class HEADER - { - public Machine Machine; - public ushort NumberOfSections; - public DateTime TimeDateStamp; - public uint PointerToSymbolTable; - public uint NumberOfSymbols; - public ushort SizeOfOptionalHeader; - public CoffHeaderCharacteristics Characteristics; - - public HEADER(BinaryReader br) - { - this.Machine = (Machine) br.ReadUInt16(); - this.NumberOfSections = br.ReadUInt16(); - this.TimeDateStamp = (new DateTime(1970, 1, 1, 0, 0, 0)).AddSeconds(br.ReadUInt32()); - this.PointerToSymbolTable = br.ReadUInt32(); - this.NumberOfSymbols = br.ReadUInt32(); - this.SizeOfOptionalHeader = br.ReadUInt16(); - this.Characteristics = (CoffHeaderCharacteristics) br.ReadUInt16(); - } - } - - [Flags] - public enum SectionHeaderCharacteristics : uint - { - TYPE_NO_PAD = 0x00000008, // Reserved. - CNT_CODE = 0x00000020, // Section contains code. - CNT_INITIALIZED_DATA = 0x00000040, // Section contains initialized data. - CNT_UNINITIALIZED_DATA = 0x00000080, // Section contains uninitialized data. - LNK_INFO = 0x00000200, // Section contains comments or some other type of information. - LNK_REMOVE = 0x00000800, // Section contents will not become part of image. - LNK_COMDAT = 0x00001000, // Section contents comdat. - NO_DEFER_SPEC_EXC = 0x00004000, // Reset speculative exceptions handling bits in the TLB entries for this section. - GPREL = 0x00008000, // Section content can be accessed relative to GP - MEM_FARDATA = 0x00008000, - MEM_PURGEABLE = 0x00020000, - MEM_16BIT = 0x00020000, - MEM_LOCKED = 0x00040000, - MEM_PRELOAD = 0x00080000, - ALIGN_1BYTES = 0x00100000, - ALIGN_2BYTES = 0x00200000, - ALIGN_4BYTES = 0x00300000, - ALIGN_8BYTES = 0x00400000, - ALIGN_16BYTES = 0x00500000, // Default alignment if no others are specified. - ALIGN_32BYTES = 0x00600000, - ALIGN_64BYTES = 0x00700000, - ALIGN_128BYTES = 0x00800000, - ALIGN_256BYTES = 0x00900000, - ALIGN_512BYTES = 0x00A00000, - ALIGN_1024BYTES = 0x00B00000, - ALIGN_2048BYTES = 0x00C00000, - ALIGN_4096BYTES = 0x00D00000, - ALIGN_8192BYTES = 0x00E00000, - ALIGN_MASK = 0x00F00000, - LNK_NRELOC_OVFL = 0x01000000, // Section contains extended relocations. - MEM_DISCARDABLE = 0x02000000, // Section can be discarded. - MEM_NOT_CACHED = 0x04000000, // Section is not cachable. - MEM_NOT_PAGED = 0x08000000, // Section is not pageable. - MEM_SHARED = 0x10000000, // Section is shareable. - MEM_EXECUTE = 0x20000000, // Section is executable. - MEM_READ = 0x40000000, // Section is readable. - MEM_WRITE = 0x80000000 // Section is writeable. - } - - public enum AMD64RelocationType : ushort - { - ABSOLUTE, - ADDR64, - ADDR32, - ADDR32NB, - REL32, - REL32_1, - REL32_2, - REL32_3, - REL32_4, - REL32_5, - SECTION, - SECREL, - SECREL7, - TOKEN, - SREL32, - PAIR, - SSPAN32 - } - - public enum ARMRelocationType : ushort - { - ABSOLUTE, - ADDR32, - ADDR32NB, - BRANCH24, - BRANCH11, - TOKEN, - BLX24 = 0x08, - BLX11 = 0x09, - SECTION = 0x0E, - SECREL = 0x0F, - MOV32A = 0x10, - MOV32T = 0x11, - BRANCH20T = 0x12, - BRANCH24T = 0x14, - BLX23T = 0x15 - } - - public enum ARMv8RelocationType : ushort - { - ABSOLUTE, - ADDR32, - ADDR32NB, - BRANCH26, - PAGEBASE_REL21, - REL21, - PAGEOFFSET_12A, - PAGEOFFSET_12L, - SECREL, - SECREL_LOW12A, - SECREL_HIGH12A, - SECREL_LOW12L, - TOKEN, - SECTION, - ADDR64 - } - - public enum X86RelocationType : ushort - { - ABSOLUTE, - DIR16, - DIR32 = 0x06, - DIR32NB = 0x07, - SEG12 = 0x09, - SECTION = 0x0A, - SECREL = 0x0B, - TOKEN = 0x0C, - SECREL7 = 0x0D, - REL32 = 0x14 - } - - public class RelocationEntry - { - public uint VirtualAddress; - public uint SymbolTableIndex; - public Enum Type; - public string Name; - - public RelocationEntry(BinaryReader br) - { - this.VirtualAddress = br.ReadUInt32(); - this.SymbolTableIndex = br.ReadUInt32(); - // Default to X86RelocationType. This will be changed once the processor type is determined - this.Type = (X86RelocationType) br.ReadUInt16(); - } - } - - public class SECTION_HEADER - { - public string Name; - public uint PhysicalAddress; - public uint VirtualSize; - public uint VirtualAddress; - public uint SizeOfRawData; - public uint PointerToRawData; - public uint PointerToRelocations; - public uint PointerToLinenumbers; - public ushort NumberOfRelocations; - public ushort NumberOfLinenumbers; - public SectionHeaderCharacteristics Characteristics; - public Byte[] RawData; - public RelocationEntry[] Relocations; - - public SECTION_HEADER(BinaryReader br) - { - this.Name = Encoding.UTF8.GetString(br.ReadBytes(8)).Split((Char) 0)[0]; - this.PhysicalAddress = br.ReadUInt32(); - this.VirtualSize = this.PhysicalAddress; - this.VirtualAddress = br.ReadUInt32(); - this.SizeOfRawData = br.ReadUInt32(); - this.PointerToRawData = br.ReadUInt32(); - this.PointerToRelocations = br.ReadUInt32(); - this.PointerToLinenumbers = br.ReadUInt32(); - this.NumberOfRelocations = br.ReadUInt16(); - this.NumberOfLinenumbers = br.ReadUInt16(); - this.Characteristics = (SectionHeaderCharacteristics) br.ReadUInt32(); - } - } - - public enum SectionNumber : short - { - UNDEFINED, - ABSOLUTE = -1, - DEBUG = -2 - } - - [Flags] - public enum TypeClass : short - { - TYPE_NULL, - TYPE_VOID, - TYPE_CHAR, - TYPE_SHORT, - TYPE_INT, - TYPE_LONG, - TYPE_FLOAT, - TYPE_DOUBLE, - TYPE_STRUCT, - TYPE_UNION, - TYPE_ENUM, - TYPE_MOE, - TYPE_BYTE, - TYPE_WORD, - TYPE_UINT, - TYPE_DWORD, - DTYPE_POINTER = 0x100, - DTYPE_FUNCTION = 0x200, - DTYPE_ARRAY = 0x300, - DTYPE_NULL = 0x400 // Technically, this is defined as 0 in the MSB - } - - public enum StorageClass : byte - { - NULL, - AUTOMATIC, - EXTERNAL, - STATIC, - REGISTER, - EXTERNAL_DEF, - LABEL, - UNDEFINED_LABEL, - MEMBER_OF_STRUCT, - ARGUMENT, - STRUCT_TAG, - MEMBER_OF_UNION, - UNION_TAG, - TYPE_DEFINITION, - ENUM_TAG, - MEMBER_OF_ENUM, - REGISTER_PARAM, - BIT_FIELD, - BLOCK = 0x64, - FUNCTION = 0x65, - END_OF_STRUCT = 0x66, - FILE = 0x67, - SECTION = 0x68, - WEAK_EXTERNAL = 0x69, - CLR_TOKEN = 0x6B, - END_OF_FUNCTION = 0xFF - } - - public class SYMBOL_TABLE - { - public string Name; - public uint Value; - public SectionNumber SectionNumber; - public TypeClass Type; - public StorageClass StorageClass; - public byte NumberOfAuxSymbols; - public Object AuxSymbols; - private Byte[] NameArray; - - public SYMBOL_TABLE(BinaryReader br) - { - this.NameArray = br.ReadBytes(8); - - if (this.NameArray[0] == 0 && this.NameArray[1] == 0 &&this.NameArray[2] == 0 &&this.NameArray[3] == 0) - { - // Per specification, if the high DWORD is 0, then then low DWORD is an index into the string table - this.Name = "/" + BitConverter.ToInt32(NameArray, 4).ToString(); - } - else - { - this.Name = Encoding.UTF8.GetString(NameArray).Trim(((char) 0)); - } - - this.Value = br.ReadUInt32(); - this.SectionNumber = (SectionNumber) br.ReadInt16(); - this.Type = (TypeClass) br.ReadInt16(); - if ((((int) this.Type) & 0xff00) == 0) { this.Type = (TypeClass) Enum.Parse(typeof(TypeClass), ((int) this.Type | 0x400).ToString());} - this.StorageClass = (StorageClass) br.ReadByte(); - this.NumberOfAuxSymbols = br.ReadByte(); - } - } - - public class SECTION_DEFINITION - { - public uint Length; - public ushort NumberOfRelocations; - public ushort NumberOfLinenumbers; - public uint CheckSum; - public ushort Number; - public byte Selection; - - public SECTION_DEFINITION(BinaryReader br) - { - this.Length = br.ReadUInt32(); - this.NumberOfRelocations = br.ReadUInt16(); - this.NumberOfLinenumbers = br.ReadUInt16(); - this.CheckSum = br.ReadUInt32(); - this.Number = br.ReadUInt16(); - this.Selection = br.ReadByte(); - br.ReadBytes(3); - } - } - } -'@ - - Add-Type -TypeDefinition $Code - - function Dispose-Objects - { - $BinaryReader.Dispose() - $FileStream.Dispose() - } - } - - PROCESS - { - foreach ($File in $Path) { - - # Resolve the absolute path of the object file. [IO.File]::OpenRead requires an absolute path. - $ObjFilePath = Resolve-Path $File - - # Pull out just the file name - $ObjFileName = Split-Path $ObjFilePath -Leaf - - # Fixed structure sizes - $SizeofCOFFFileHeader = 20 - $SizeofSectionHeader = 40 - $SizeofSymbolTableEntry = 18 - $SizeofRelocationEntry = 10 - - # Open the object file for reading - $FileStream = [IO.File]::OpenRead($ObjFilePath) - - $FileLength = $FileStream.Length - - if ($FileLength -lt $SizeofCOFFFileHeader) - { - # You cannot parse the COFF header if the file is not big enough to contain a COFF header. - Write-Error "$($ObjFileName) is too small to store a COFF header." - Dispose-Objects - return - } - - # Open a BinaryReader object for the object file - $BinaryReader = New-Object IO.BinaryReader($FileStream) - - # Parse the COFF header - $CoffHeader = New-Object COFF.HEADER($BinaryReader) - - if ($CoffHeader.SizeOfOptionalHeader -ne 0) - { - # Per the PECOFF specification, an object file does not have an optional header - Write-Error "Coff header indicates the existence of an optional header. An object file cannot have an optional header." - Dispose-Objects - return - } - - if ($CoffHeader.PointerToSymbolTable -eq 0) - { - Write-Error 'An object file is supposed to have a symbol table.' - Dispose-Objects - return - } - - if ($FileLength -lt (($CoffHeader.NumberOfSections * $SizeofSectionHeader) + $SizeofCOFFFileHeader)) - { - # The object file isn't big enough to store the number of sections present. - Write-Error "$($ObjFileName) is too small to store section header data." - Dispose-Objects - return - } - - # A string collection used to store section header names. This collection is referenced while - # parsing the symbol table entries whose name is the same as the section header. In this case, - # the symbol entry will have a particular auxiliary symbol table entry. - $SectionHeaderNames = New-Object Collections.Specialized.StringCollection - - # Correlate the processor type to the relocation type. There are more relocation type defined - # in the PECOFF specification, but I don't expect those to be present. In that case, relocation - # entries default to X86RelocationType. - $SectionHeaders = New-Object COFF.SECTION_HEADER[]($CoffHeader.NumberOfSections) - $MachineTypes = @{ [COFF.Machine]::I386 = [COFF.X86RelocationType] - [COFF.Machine]::AMD64 = [COFF.AMD64RelocationType] - [COFF.Machine]::ARMV7 = [COFF.ARMRelocationType] - [COFF.Machine]::ARM64 = [COFF.ARMv8RelocationType] } - - # Parse section headers - for ($i = 0; $i -lt $CoffHeader.NumberOfSections; $i++) - { - $SectionHeaders[$i] = New-Object COFF.SECTION_HEADER($BinaryReader) - - # Add the section name to the string collection. This will be referenced during symbol table parsing. - $SectionHeaderNames.Add($SectionHeaders[$i].Name) | Out-Null - - # Save the current filestream position. We are about to jump out of place. - $SavedFilePosition = $FileStream.Position - - # Check to see if the raw data points beyond the actual file size - if (($SectionHeaders[$i].PointerToRawData + $SectionHeaders[$i].SizeOfRawData) -gt $FileLength) - { - Write-Error "$($SectionHeaders[$i].Name) section header's raw data exceeds the size of the object file." - return - } - else - { - # Read the raw data into a byte array - $FileStream.Seek($SectionHeaders[$i].PointerToRawData, 'Begin') | Out-Null - $SectionHeaders[$i].RawData = $BinaryReader.ReadBytes($SectionHeaders[$i].SizeOfRawData) - } - - # Check to see if the section has a relocation table - if ($SectionHeaders[$i].PointerToRelocations -and $SectionHeaders[$i].NumberOfRelocations) - { - # Check to see if the relocation entries point beyond the actual file size - if (($SectionHeaders[$i].PointerToRelocations + ($SizeofRelocationEntry * $SectionHeaders[$i].NumberOfRelocations)) -gt $FileLength) - { - Write-Error "$($SectionHeaders[$i].Name) section header's relocation entries exceeds the soze of the object file." - return - } - - $FileStream.Seek($SectionHeaders[$i].PointerToRelocations, 'Begin') | Out-Null - - $Relocations = New-Object COFF.RelocationEntry[]($SectionHeaders[$i].NumberOfRelocations) - - for ($j = 0; $j -lt $SectionHeaders[$i].NumberOfRelocations; $j++) - { - $Relocations[$j] = New-Object COFF.RelocationEntry($BinaryReader) - # Cast the relocation as its respective type - $Relocations[$j].Type = ($Relocations[$j].Type.value__ -as $MachineTypes[$CoffHeader.Machine]) - } - - # Add the relocation table entry to the section header - $SectionHeaders[$i].Relocations = $Relocations - } - - # Restore the original filestream pointer - $FileStream.Seek($SavedFilePosition, 'Begin') | Out-Null - } - - # Retrieve the contents of the COFF string table - $SymTableSize = $CoffHeader.NumberOfSymbols * $SizeofSymbolTableEntry - $StringTableOffset = $CoffHeader.PointerToSymbolTable + $SymTableSize - - if ($StringTableOffset -gt $FileLength) - { - Write-Error 'The string table points beyond the end of the file.' - Dispose-Objects - return - } - - $FileStream.Seek($StringTableOffset, 'Begin') | Out-Null - $StringTableLength = $BinaryReader.ReadUInt32() - - if ($StringTableLength -gt $FileLength) - { - Write-Error "The string table's length exceeds the length of the file." - Dispose-Objects - return - } - - $StringTable = [Text.Encoding]::UTF8.GetString($BinaryReader.ReadBytes($StringTableLength)) - - $RawSymbolTable = New-Object COFF.SYMBOL_TABLE[]($CoffHeader.NumberOfSymbols) - - # Retrieve the symbol table - if ($FileLength -lt $StringTableOffset) - { - "Symbol table is larger than the file size." - return - } - - $FileStream.Seek($CoffHeader.PointerToSymbolTable, 'Begin') | Out-Null - $NumberofRegularSymbols = 0 - - <# - Go through each symbol table looking for auxiliary symbols to parse - - Currently supported auxiliary symbol table entry formats: - 1) .file - 2) Entry names that match the name of a section header - #> - for ($i = 0; $i -lt $CoffHeader.NumberOfSymbols; $i++) - { - # Parse the symbol tables regardless of whether they are normal or auxiliary symbols - $RawSymbolTable[$i] = New-Object COFF.SYMBOL_TABLE($BinaryReader) - - if ($RawSymbolTable[$i].NumberOfAuxSymbols -eq 0) - { - # This symbol table entry has no auxiliary symbols - $NumberofRegularSymbols++ - } - elseif ($RawSymbolTable[$i].Name -eq '.file') - { - $TempPosition = $FileStream.Position # Save filestream position - # Retrieve the file name - $RawSymbolTable[$i].AuxSymbols = [Text.Encoding]::UTF8.GetString($BinaryReader.ReadBytes($RawSymbolTable[$i].NumberOfAuxSymbols * $SizeofSymbolTableEntry)).TrimEnd(([Char] 0)) - $FileStream.Seek($TempPosition, 'Begin') | Out-Null # Restore filestream position - } - elseif ($SectionHeaderNames.Contains($RawSymbolTable[$i].Name)) - { - $TempPosition = $FileStream.Position # Save filestream position - $RawSymbolTable[$i].AuxSymbols = New-Object COFF.SECTION_DEFINITION($BinaryReader) - $FileStream.Seek($TempPosition, 'Begin') | Out-Null # Restore filestream position - } - } - - # Create an array of symbol table entries without auxiliary table entries - $SymbolTable = New-Object COFF.SYMBOL_TABLE[]($NumberofRegularSymbols) - $j = 0 - - for ($i = 0; $i -lt $CoffHeader.NumberOfSymbols; $i++) - { - $SymbolTable[$j] = $RawSymbolTable[$i] # FYI, the first symbol table entry will never be an aux symbol - $j++ - - # Skip over the auxiliary symbols - if ($RawSymbolTable[$i].NumberOfAuxSymbols -ne 0) - { - $i += $RawSymbolTable[$i].NumberOfAuxSymbols - } - } - - # Dispose the binaryreader and filestream objects - Dispose-Objects - - # Fix the section names if any of them point to the COFF string table - for ($i = 0; $i -lt $CoffHeader.NumberOfSections; $i++) - { - if ($SectionHeaders[$i].Name.IndexOf('/') -eq 0) - { - $StringTableIndex = $SectionHeaders[$i].Name.SubString(1) - - if ($StringTableIndex -match '^[1-9][0-9]*$') - { - $StringTableIndex = ([Int] $StringTableIndex) - 4 - - if ($StringTableIndex -gt ($StringTableLength + 4)) - { - Write-Error 'String table entry exceeds the bounds of the object file.' - } - - $Length = $StringTable.IndexOf(([Char] 0), $StringTableIndex) - $SectionHeaders[$i].Name = $StringTable.Substring($StringTableIndex, $Length) - } - } - } - - # Fix the symbol table names - for ($i = 0; $i -lt $SymbolTable.Length; $i++) - { - if ($SymbolTable[$i].Name.IndexOf('/') -eq 0) - { - $StringTableIndex = $SymbolTable[$i].Name.SubString(1) - - if ($StringTableIndex -match '^[1-9][0-9]*$') - { - $StringTableIndex = ([Int] $StringTableIndex) - 4 - $Length = $StringTable.IndexOf(([Char] 0), $StringTableIndex) - $StringTableIndex - $SymbolTable[$i].Name = $StringTable.Substring($StringTableIndex, $Length) - } - } - } - - # Apply symbol names to the relocation entries - $SectionHeaders | Where-Object { $_.Relocations } | % { - $_.Relocations | % { $_.Name = $RawSymbolTable[$_.SymbolTableIndex].Name } - } - - $Result = @{ - COFFHeader = $CoffHeader - SectionHeaders = $SectionHeaders - SymbolTable = $SymbolTable - } - - $ParsedObjectFile = New-Object PSObject -Property $Result - $ParsedObjectFile.PSObject.TypeNames[0] = 'COFF.OBJECT_FILE' - Write-Output $ParsedObjectFile - - } - } - - END {} -} diff --git a/PETools/Get-PEHeader.ps1 b/PETools/Get-PEHeader.ps1 deleted file mode 100644 index 0021377..0000000 --- a/PETools/Get-PEHeader.ps1 +++ /dev/null @@ -1,960 +0,0 @@ -function Get-PEHeader -{ -<# -.SYNOPSIS - -Parses and outputs the PE header of a process in memory or a PE file on disk. - -PowerSploit Function: Get-PEHeader -Author: Matthew Graeber (@mattifestation) -License: BSD 3-Clause -Required Dependencies: None -Optional Dependencies: PETools.format.ps1xml - -.DESCRIPTION - -Get-PEHeader retrieves PE headers including imports and exports from either a file on disk or a module in memory. Get-PEHeader will operate on single PE header but you can also feed it the output of Get-ChildItem or Get-Process! Get-PEHeader works on both 32 and 64-bit modules. - -.PARAMETER FilePath - -Specifies the path to the portable executable file on disk - -.PARAMETER ProcessID - -Specifies the process ID. - -.PARAMETER Module - -The name of the module. This parameter is typically only used in pipeline expressions - -.PARAMETER ModuleBaseAddress - -The base address of the module - -.PARAMETER GetSectionData - -Retrieves raw section data. - -.OUTPUTS - -System.Object - -Returns a custom object consisting of the following: compile time, section headers, module name, DOS header, imports, exports, file header, optional header, and PE signature. - -.EXAMPLE - -C:\PS> Get-Process cmd | Get-PEHeader - -Description ------------ -Returns the full PE headers of every loaded module in memory - -.EXAMPLE - -C:\PS> Get-ChildItem C:\Windows\*.exe | Get-PEHeader - -Description ------------ -Returns the full PE headers of every exe in C:\Windows\ - -.EXAMPLE - -C:\PS> Get-PEHeader C:\Windows\System32\kernel32.dll - -Module : C:\Windows\System32\kernel32.dll -DOSHeader : PE+_IMAGE_DOS_HEADER -FileHeader : PE+_IMAGE_FILE_HEADER -OptionalHeader : PE+_IMAGE_OPTIONAL_HEADER32 -SectionHeaders : {.text, .data, .rsrc, .reloc} -Imports : {@{Ordinal=; FunctionName=RtlUnwind; ModuleName=API-MS-Win-Core-RtlSupport-L1-1-0. - dll; VA=0x000CB630}, @{Ordinal=; FunctionName=RtlCaptureContext; ModuleName=API-MS - -Win-Core-RtlSupport-L1-1-0.dll; VA=0x000CB63C}, @{Ordinal=; FunctionName=RtlCaptu - reStackBackTrace; ModuleName=API-MS-Win-Core-RtlSupport-L1-1-0.dll; VA=0x000CB650} - , @{Ordinal=; FunctionName=NtCreateEvent; ModuleName=ntdll.dll; VA=0x000CB66C}...} -Exports : {@{ForwardedName=; FunctionName=lstrlenW; Ordinal=0x0552; VA=0x0F022708}, @{Forwar - dedName=; FunctionName=lstrlenA; Ordinal=0x0551; VA=0x0F026A23}, @{ForwardedName=; - FunctionName=lstrlen; Ordinal=0x0550; VA=0x0F026A23}, @{ForwardedName=; FunctionN - ame=lstrcpynW; Ordinal=0x054F; VA=0x0F04E54E}...} - -.EXAMPLE - -C:\PS> $Proc = Get-Process cmd -C:\PS> $Kernel32Base = ($Proc.Modules | Where-Object {$_.ModuleName -eq 'kernel32.dll'}).BaseAddress -C:\PS> Get-PEHeader -ProcessId $Proc.Id -ModuleBaseAddress $Kernel32Base - -Module : -DOSHeader : PE+_IMAGE_DOS_HEADER -FileHeader : PE+_IMAGE_FILE_HEADER -OptionalHeader : PE+_IMAGE_OPTIONAL_HEADER32 -SectionHeaders : {.text, .data, .rsrc, .reloc} -Imports : {@{Ordinal=; FunctionName=RtlUnwind; ModuleName=API-MS-Win-Core-RtlSupport-L1-1-0. - dll; VA=0x77B8B6D9}, @{Ordinal=; FunctionName=RtlCaptureContext; ModuleName=API-MS - -Win-Core-RtlSupport-L1-1-0.dll; VA=0x77B8B4CB}, @{Ordinal=; FunctionName=RtlCaptu - reStackBackTrace; ModuleName=API-MS-Win-Core-RtlSupport-L1-1-0.dll; VA=0x77B95277} - , @{Ordinal=; FunctionName=NtCreateEvent; ModuleName=ntdll.dll; VA=0x77B4FF54}...} -Exports : {@{ForwardedName=; FunctionName=lstrlenW; Ordinal=0x0552; VA=0x08221720}, @{Forwar - dedName=; FunctionName=lstrlenA; Ordinal=0x0551; VA=0x08225A3B}, @{ForwardedName=; - FunctionName=lstrlen; Ordinal=0x0550; VA=0x08225A3B}, @{ForwardedName=; FunctionN - ame=lstrcpynW; Ordinal=0x054F; VA=0x0824D566}...} - -Description ------------ -A PE header is returned upon providing the module's base address. This technique would be useful for dumping the PE header of a rogue module that is invisible to Windows - e.g. a reflectively loaded meterpreter binary (metsrv.dll). - -.NOTES - -Be careful if you decide to specify a module base address. Get-PEHeader does not check for the existence of an MZ header. An MZ header is not a prerequisite for reflectively loading a module in memory. If you provide an address that is not an actual PE header, you could crash the process. - -.LINK - -http://www.exploit-monday.com/2012/07/get-peheader.html -#> - - [CmdletBinding(DefaultParameterSetName = 'OnDisk')] Param ( - [Parameter(Position = 0, Mandatory = $True, ParameterSetName = 'OnDisk', ValueFromPipelineByPropertyName = $True)] [Alias('FullName')] [String[]] $FilePath, - [Parameter(Position = 0, Mandatory = $True, ParameterSetName = 'InMemory', ValueFromPipelineByPropertyName = $True)] [Alias('Id')] [Int] $ProcessID, - [Parameter(Position = 2, ParameterSetName = 'InMemory', ValueFromPipelineByPropertyName = $True)] [Alias('MainModule')] [Alias('Modules')] [System.Diagnostics.ProcessModule[]] $Module, - [Parameter(Position = 1, ParameterSetName = 'InMemory')] [IntPtr] $ModuleBaseAddress, - [Parameter()] [Switch] $GetSectionData - ) - -PROCESS { - - switch ($PsCmdlet.ParameterSetName) { - 'OnDisk' { - - if ($FilePath.Length -gt 1) { - foreach ($Path in $FilePath) { Get-PEHeader $Path } - } - - if (!(Test-Path $FilePath)) { - Write-Warning 'Invalid path or file does not exist.' - return - } - - $FilePath = Resolve-Path $FilePath - - if ($FilePath.GetType() -eq [System.Array]) { - $ModuleName = $FilePath[0] - } else { - $ModuleName = $FilePath - } - - } - 'InMemory' { - - if ($Module.Length -gt 1) { - foreach ($Mod in $Module) { - $BaseAddr = $Mod.BaseAddress - Get-PEHeader -ProcessID $ProcessID -Module $Mod -ModuleBaseAddress $BaseAddr - } - } - - if (-not $ModuleBaseAddress) { return } - - if ($ProcessID -eq $PID) { - Write-Warning 'You cannot parse the PE header of the current process. Open another instance of PowerShell.' - return - } - - if ($Module) { - $ModuleName = $Module[0].FileName - } else { - $ModuleName = '' - } - - } - } - - try { [PE] | Out-Null } catch [Management.Automation.RuntimeException] - { - $code = @" - using System; - using System.Runtime.InteropServices; - - public class PE - { - [Flags] - public enum IMAGE_DOS_SIGNATURE : ushort - { - DOS_SIGNATURE = 0x5A4D, // MZ - OS2_SIGNATURE = 0x454E, // NE - OS2_SIGNATURE_LE = 0x454C, // LE - VXD_SIGNATURE = 0x454C, // LE - } - - [Flags] - public enum IMAGE_NT_SIGNATURE : uint - { - VALID_PE_SIGNATURE = 0x00004550 // PE00 - } - - [Flags] - public enum IMAGE_FILE_MACHINE : ushort - { - UNKNOWN = 0, - I386 = 0x014c, // Intel 386. - R3000 = 0x0162, // MIPS little-endian =0x160 big-endian - R4000 = 0x0166, // MIPS little-endian - R10000 = 0x0168, // MIPS little-endian - WCEMIPSV2 = 0x0169, // MIPS little-endian WCE v2 - ALPHA = 0x0184, // Alpha_AXP - SH3 = 0x01a2, // SH3 little-endian - SH3DSP = 0x01a3, - SH3E = 0x01a4, // SH3E little-endian - SH4 = 0x01a6, // SH4 little-endian - SH5 = 0x01a8, // SH5 - ARM = 0x01c0, // ARM Little-Endian - THUMB = 0x01c2, - ARMNT = 0x01c4, // ARM Thumb-2 Little-Endian - AM33 = 0x01d3, - POWERPC = 0x01F0, // IBM PowerPC Little-Endian - POWERPCFP = 0x01f1, - IA64 = 0x0200, // Intel 64 - MIPS16 = 0x0266, // MIPS - ALPHA64 = 0x0284, // ALPHA64 - MIPSFPU = 0x0366, // MIPS - MIPSFPU16 = 0x0466, // MIPS - AXP64 = ALPHA64, - TRICORE = 0x0520, // Infineon - CEF = 0x0CEF, - EBC = 0x0EBC, // EFI public byte Code - AMD64 = 0x8664, // AMD64 (K8) - M32R = 0x9041, // M32R little-endian - CEE = 0xC0EE - } - - [Flags] - public enum IMAGE_FILE_CHARACTERISTICS : ushort - { - IMAGE_RELOCS_STRIPPED = 0x0001, // Relocation info stripped from file. - IMAGE_EXECUTABLE_IMAGE = 0x0002, // File is executable (i.e. no unresolved external references). - IMAGE_LINE_NUMS_STRIPPED = 0x0004, // Line nunbers stripped from file. - IMAGE_LOCAL_SYMS_STRIPPED = 0x0008, // Local symbols stripped from file. - IMAGE_AGGRESIVE_WS_TRIM = 0x0010, // Agressively trim working set - IMAGE_LARGE_ADDRESS_AWARE = 0x0020, // App can handle >2gb addresses - IMAGE_REVERSED_LO = 0x0080, // public bytes of machine public ushort are reversed. - IMAGE_32BIT_MACHINE = 0x0100, // 32 bit public ushort machine. - IMAGE_DEBUG_STRIPPED = 0x0200, // Debugging info stripped from file in .DBG file - IMAGE_REMOVABLE_RUN_FROM_SWAP = 0x0400, // If Image is on removable media =copy and run from the swap file. - IMAGE_NET_RUN_FROM_SWAP = 0x0800, // If Image is on Net =copy and run from the swap file. - IMAGE_SYSTEM = 0x1000, // System File. - IMAGE_DLL = 0x2000, // File is a DLL. - IMAGE_UP_SYSTEM_ONLY = 0x4000, // File should only be run on a UP machine - IMAGE_REVERSED_HI = 0x8000 // public bytes of machine public ushort are reversed. - } - - [Flags] - public enum IMAGE_NT_OPTIONAL_HDR_MAGIC : ushort - { - PE32 = 0x10b, - PE64 = 0x20b - } - - [Flags] - public enum IMAGE_SUBSYSTEM : ushort - { - UNKNOWN = 0, // Unknown subsystem. - NATIVE = 1, // Image doesn't require a subsystem. - WINDOWS_GUI = 2, // Image runs in the Windows GUI subsystem. - WINDOWS_CUI = 3, // Image runs in the Windows character subsystem. - OS2_CUI = 5, // image runs in the OS/2 character subsystem. - POSIX_CUI = 7, // image runs in the Posix character subsystem. - NATIVE_WINDOWS = 8, // image is a native Win9x driver. - WINDOWS_CE_GUI = 9, // Image runs in the Windows CE subsystem. - EFI_APPLICATION = 10, - EFI_BOOT_SERVICE_DRIVER = 11, - EFI_RUNTIME_DRIVER = 12, - EFI_ROM = 13, - XBOX = 14, - WINDOWS_BOOT_APPLICATION = 16 - } - - [Flags] - public enum IMAGE_DLLCHARACTERISTICS : ushort - { - DYNAMIC_BASE = 0x0040, // DLL can move. - FORCE_INTEGRITY = 0x0080, // Code Integrity Image - NX_COMPAT = 0x0100, // Image is NX compatible - NO_ISOLATION = 0x0200, // Image understands isolation and doesn't want it - NO_SEH = 0x0400, // Image does not use SEH. No SE handler may reside in this image - NO_BIND = 0x0800, // Do not bind this image. - WDM_DRIVER = 0x2000, // Driver uses WDM model - TERMINAL_SERVER_AWARE = 0x8000 - } - - [Flags] - public enum IMAGE_SCN : uint - { - TYPE_NO_PAD = 0x00000008, // Reserved. - CNT_CODE = 0x00000020, // Section contains code. - CNT_INITIALIZED_DATA = 0x00000040, // Section contains initialized data. - CNT_UNINITIALIZED_DATA = 0x00000080, // Section contains uninitialized data. - LNK_INFO = 0x00000200, // Section contains comments or some other type of information. - LNK_REMOVE = 0x00000800, // Section contents will not become part of image. - LNK_COMDAT = 0x00001000, // Section contents comdat. - NO_DEFER_SPEC_EXC = 0x00004000, // Reset speculative exceptions handling bits in the TLB entries for this section. - GPREL = 0x00008000, // Section content can be accessed relative to GP - MEM_FARDATA = 0x00008000, - MEM_PURGEABLE = 0x00020000, - MEM_16BIT = 0x00020000, - MEM_LOCKED = 0x00040000, - MEM_PRELOAD = 0x00080000, - ALIGN_1BYTES = 0x00100000, - ALIGN_2BYTES = 0x00200000, - ALIGN_4BYTES = 0x00300000, - ALIGN_8BYTES = 0x00400000, - ALIGN_16BYTES = 0x00500000, // Default alignment if no others are specified. - ALIGN_32BYTES = 0x00600000, - ALIGN_64BYTES = 0x00700000, - ALIGN_128BYTES = 0x00800000, - ALIGN_256BYTES = 0x00900000, - ALIGN_512BYTES = 0x00A00000, - ALIGN_1024BYTES = 0x00B00000, - ALIGN_2048BYTES = 0x00C00000, - ALIGN_4096BYTES = 0x00D00000, - ALIGN_8192BYTES = 0x00E00000, - ALIGN_MASK = 0x00F00000, - LNK_NRELOC_OVFL = 0x01000000, // Section contains extended relocations. - MEM_DISCARDABLE = 0x02000000, // Section can be discarded. - MEM_NOT_CACHED = 0x04000000, // Section is not cachable. - MEM_NOT_PAGED = 0x08000000, // Section is not pageable. - MEM_SHARED = 0x10000000, // Section is shareable. - MEM_EXECUTE = 0x20000000, // Section is executable. - MEM_READ = 0x40000000, // Section is readable. - MEM_WRITE = 0x80000000 // Section is writeable. - } - - [StructLayout(LayoutKind.Sequential, Pack=1)] - public struct _IMAGE_DOS_HEADER - { - public IMAGE_DOS_SIGNATURE e_magic; // Magic number - public ushort e_cblp; // public bytes on last page of file - public ushort e_cp; // Pages in file - public ushort e_crlc; // Relocations - public ushort e_cparhdr; // Size of header in paragraphs - public ushort e_minalloc; // Minimum extra paragraphs needed - public ushort e_maxalloc; // Maximum extra paragraphs needed - public ushort e_ss; // Initial (relative) SS value - public ushort e_sp; // Initial SP value - public ushort e_csum; // Checksum - public ushort e_ip; // Initial IP value - public ushort e_cs; // Initial (relative) CS value - public ushort e_lfarlc; // File address of relocation table - public ushort e_ovno; // Overlay number - [MarshalAs(UnmanagedType.ByValTStr, SizeConst = 8)] - public string e_res; // This will contain 'Detours!' if patched in memory - public ushort e_oemid; // OEM identifier (for e_oeminfo) - public ushort e_oeminfo; // OEM information; e_oemid specific - [MarshalAsAttribute(UnmanagedType.ByValArray, SizeConst=10)] // , ArraySubType=UnmanagedType.U4 - public ushort[] e_res2; // Reserved public ushorts - public int e_lfanew; // File address of new exe header - } - - [StructLayout(LayoutKind.Sequential, Pack=1)] - public struct _IMAGE_FILE_HEADER - { - public IMAGE_FILE_MACHINE Machine; - public ushort NumberOfSections; - public uint TimeDateStamp; - public uint PointerToSymbolTable; - public uint NumberOfSymbols; - public ushort SizeOfOptionalHeader; - public IMAGE_FILE_CHARACTERISTICS Characteristics; - } - - [StructLayout(LayoutKind.Sequential, Pack=1)] - public struct _IMAGE_NT_HEADERS32 - { - public IMAGE_NT_SIGNATURE Signature; - public _IMAGE_FILE_HEADER FileHeader; - public _IMAGE_OPTIONAL_HEADER32 OptionalHeader; - } - - [StructLayout(LayoutKind.Sequential, Pack=1)] - public struct _IMAGE_NT_HEADERS64 - { - public IMAGE_NT_SIGNATURE Signature; - public _IMAGE_FILE_HEADER FileHeader; - public _IMAGE_OPTIONAL_HEADER64 OptionalHeader; - } - - [StructLayout(LayoutKind.Sequential, Pack=1)] - public struct _IMAGE_OPTIONAL_HEADER32 - { - public IMAGE_NT_OPTIONAL_HDR_MAGIC Magic; - public byte MajorLinkerVersion; - public byte MinorLinkerVersion; - public uint SizeOfCode; - public uint SizeOfInitializedData; - public uint SizeOfUninitializedData; - public uint AddressOfEntryPoint; - public uint BaseOfCode; - public uint BaseOfData; - public uint ImageBase; - public uint SectionAlignment; - public uint FileAlignment; - public ushort MajorOperatingSystemVersion; - public ushort MinorOperatingSystemVersion; - public ushort MajorImageVersion; - public ushort MinorImageVersion; - public ushort MajorSubsystemVersion; - public ushort MinorSubsystemVersion; - public uint Win32VersionValue; - public uint SizeOfImage; - public uint SizeOfHeaders; - public uint CheckSum; - public IMAGE_SUBSYSTEM Subsystem; - public IMAGE_DLLCHARACTERISTICS DllCharacteristics; - public uint SizeOfStackReserve; - public uint SizeOfStackCommit; - public uint SizeOfHeapReserve; - public uint SizeOfHeapCommit; - public uint LoaderFlags; - public uint NumberOfRvaAndSizes; - [MarshalAsAttribute(UnmanagedType.ByValArray, SizeConst=16)] - public _IMAGE_DATA_DIRECTORY[] DataDirectory; - } - - [StructLayout(LayoutKind.Sequential, Pack=1)] - public struct _IMAGE_OPTIONAL_HEADER64 - { - public IMAGE_NT_OPTIONAL_HDR_MAGIC Magic; - public byte MajorLinkerVersion; - public byte MinorLinkerVersion; - public uint SizeOfCode; - public uint SizeOfInitializedData; - public uint SizeOfUninitializedData; - public uint AddressOfEntryPoint; - public uint BaseOfCode; - public ulong ImageBase; - public uint SectionAlignment; - public uint FileAlignment; - public ushort MajorOperatingSystemVersion; - public ushort MinorOperatingSystemVersion; - public ushort MajorImageVersion; - public ushort MinorImageVersion; - public ushort MajorSubsystemVersion; - public ushort MinorSubsystemVersion; - public uint Win32VersionValue; - public uint SizeOfImage; - public uint SizeOfHeaders; - public uint CheckSum; - public IMAGE_SUBSYSTEM Subsystem; - public IMAGE_DLLCHARACTERISTICS DllCharacteristics; - public ulong SizeOfStackReserve; - public ulong SizeOfStackCommit; - public ulong SizeOfHeapReserve; - public ulong SizeOfHeapCommit; - public uint LoaderFlags; - public uint NumberOfRvaAndSizes; - [MarshalAsAttribute(UnmanagedType.ByValArray, SizeConst=16)] - public _IMAGE_DATA_DIRECTORY[] DataDirectory; - } - - [StructLayout(LayoutKind.Sequential, Pack=1)] - public struct _IMAGE_DATA_DIRECTORY - { - public uint VirtualAddress; - public uint Size; - } - - [StructLayout(LayoutKind.Sequential, Pack=1)] - public struct _IMAGE_EXPORT_DIRECTORY - { - public uint Characteristics; - public uint TimeDateStamp; - public ushort MajorVersion; - public ushort MinorVersion; - public uint Name; - public uint Base; - public uint NumberOfFunctions; - public uint NumberOfNames; - public uint AddressOfFunctions; // RVA from base of image - public uint AddressOfNames; // RVA from base of image - public uint AddressOfNameOrdinals; // RVA from base of image - } - - [StructLayout(LayoutKind.Sequential, Pack=1)] - public struct _IMAGE_SECTION_HEADER - { - [MarshalAs(UnmanagedType.ByValTStr, SizeConst = 8)] - public string Name; - public uint VirtualSize; - public uint VirtualAddress; - public uint SizeOfRawData; - public uint PointerToRawData; - public uint PointerToRelocations; - public uint PointerToLinenumbers; - public ushort NumberOfRelocations; - public ushort NumberOfLinenumbers; - public IMAGE_SCN Characteristics; - } - - [StructLayout(LayoutKind.Sequential, Pack=1)] - public struct _IMAGE_IMPORT_DESCRIPTOR - { - public uint OriginalFirstThunk; // RVA to original unbound IAT (PIMAGE_THUNK_DATA) - public uint TimeDateStamp; // 0 if not bound, - // -1 if bound, and real date/time stamp - // in IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT (new BIND) - // O.W. date/time stamp of DLL bound to (Old BIND) - public uint ForwarderChain; // -1 if no forwarders - public uint Name; - public uint FirstThunk; // RVA to IAT (if bound this IAT has actual addresses) - } - - [StructLayout(LayoutKind.Sequential, Pack=1)] - public struct _IMAGE_THUNK_DATA32 - { - public Int32 AddressOfData; // PIMAGE_IMPORT_BY_NAME - } - - [StructLayout(LayoutKind.Sequential, Pack=1)] - public struct _IMAGE_THUNK_DATA64 - { - public Int64 AddressOfData; // PIMAGE_IMPORT_BY_NAME - } - - [StructLayout(LayoutKind.Sequential, Pack=1)] - public struct _IMAGE_IMPORT_BY_NAME - { - public ushort Hint; - public char Name; - } - } -"@ - - $compileParams = New-Object System.CodeDom.Compiler.CompilerParameters - $compileParams.ReferencedAssemblies.AddRange(@('System.dll', 'mscorlib.dll')) - $compileParams.GenerateInMemory = $True - Add-Type -TypeDefinition $code -CompilerParameters $compileParams -PassThru -WarningAction SilentlyContinue | Out-Null - } - - function Get-DelegateType - { - Param ( - [Parameter(Position = 0, Mandatory = $True)] [Type[]] $Parameters, - [Parameter(Position = 1)] [Type] $ReturnType = [Void] - ) - - $Domain = [AppDomain]::CurrentDomain - $DynAssembly = New-Object System.Reflection.AssemblyName('ReflectedDelegate') - $AssemblyBuilder = $Domain.DefineDynamicAssembly($DynAssembly, [System.Reflection.Emit.AssemblyBuilderAccess]::Run) - $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule('InMemoryModule', $false) - $TypeBuilder = $ModuleBuilder.DefineType('MyDelegateType', 'Class, Public, Sealed, AnsiClass, AutoClass', [System.MulticastDelegate]) - $ConstructorBuilder = $TypeBuilder.DefineConstructor('RTSpecialName, HideBySig, Public', [System.Reflection.CallingConventions]::Standard, $Parameters) - $ConstructorBuilder.SetImplementationFlags('Runtime, Managed') - $MethodBuilder = $TypeBuilder.DefineMethod('Invoke', 'Public, HideBySig, NewSlot, Virtual', $ReturnType, $Parameters) - $MethodBuilder.SetImplementationFlags('Runtime, Managed') - - return $TypeBuilder.CreateType() - } - - function Get-ProcAddress - { - Param ( - [Parameter(Position = 0, Mandatory = $True)] [String] $Module, - [Parameter(Position = 1, Mandatory = $True)] [String] $Procedure - ) - - # Get a reference to System.dll in the GAC - $SystemAssembly = [AppDomain]::CurrentDomain.GetAssemblies() | - Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\\')[-1].Equals('System.dll') } - $UnsafeNativeMethods = $SystemAssembly.GetType('Microsoft.Win32.UnsafeNativeMethods') - # Get a reference to the GetModuleHandle and GetProcAddress methods - $GetModuleHandle = $UnsafeNativeMethods.GetMethod('GetModuleHandle') - $GetProcAddress = $UnsafeNativeMethods.GetMethod('GetProcAddress') - # Get a handle to the module specified - $Kern32Handle = $GetModuleHandle.Invoke($null, @($Module)) - $tmpPtr = New-Object IntPtr - $HandleRef = New-Object System.Runtime.InteropServices.HandleRef($tmpPtr, $Kern32Handle) - # Return the address of the function - - return $GetProcAddress.Invoke($null, @([System.Runtime.InteropServices.HandleRef]$HandleRef, $Procedure)) - } - - $OnDisk = $True - if ($PsCmdlet.ParameterSetName -eq 'InMemory') { $OnDisk = $False } - - - $OpenProcessAddr = Get-ProcAddress kernel32.dll OpenProcess - $OpenProcessDelegate = Get-DelegateType @([UInt32], [Bool], [UInt32]) ([IntPtr]) - $OpenProcess = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($OpenProcessAddr, [Type] $OpenProcessDelegate) - $ReadProcessMemoryAddr = Get-ProcAddress kernel32.dll ReadProcessMemory - $ReadProcessMemoryDelegate = Get-DelegateType @([IntPtr], [IntPtr], [IntPtr], [Int], [Int].MakeByRefType()) ([Bool]) - $ReadProcessMemory = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($ReadProcessMemoryAddr, [Type] $ReadProcessMemoryDelegate) - $CloseHandleAddr = Get-ProcAddress kernel32.dll CloseHandle - $CloseHandleDelegate = Get-DelegateType @([IntPtr]) ([Bool]) - $CloseHandle = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($CloseHandleAddr, [Type] $CloseHandleDelegate) - - if ($OnDisk) { - - $FileStream = New-Object System.IO.FileStream($FilePath, [System.IO.FileMode]::Open, [System.IO.FileAccess]::Read) - $FileByteArray = New-Object Byte[]($FileStream.Length) - $FileStream.Read($FileByteArray, 0, $FileStream.Length) | Out-Null - $FileStream.Close() - $Handle = [System.Runtime.InteropServices.GCHandle]::Alloc($FileByteArray, 'Pinned') - $PEBaseAddr = $Handle.AddrOfPinnedObject() - - } else { - - # Size of the memory page allocated for the PE header - $HeaderSize = 0x1000 - # Allocate space for when the PE header is read from the remote process - $PEBaseAddr = [System.Runtime.InteropServices.Marshal]::AllocHGlobal($HeaderSize + 1) - # Get handle to the process - $hProcess = $OpenProcess.Invoke(0x10, $false, $ProcessID) # PROCESS_VM_READ (0x00000010) - - # Read PE header from remote process - if (!$ReadProcessMemory.Invoke($hProcess, $ModuleBaseAddress, $PEBaseAddr, $HeaderSize, [Ref] 0)) { - if ($ModuleName) { - Write-Warning "Failed to read PE header of $ModuleName" - } else { - Write-Warning "Failed to read PE header of process ID: $ProcessID" - } - - Write-Warning "Error code: 0x$([System.Runtime.InteropServices.Marshal]::GetLastWin32Error().ToString('X8'))" - $CloseHandle.Invoke($hProcess) | Out-Null - return - } - - } - - $DosHeader = [System.Runtime.InteropServices.Marshal]::PtrToStructure($PEBaseAddr, [Type] [PE+_IMAGE_DOS_HEADER]) - $PointerNtHeader = [IntPtr] ($PEBaseAddr.ToInt64() + $DosHeader.e_lfanew) - $NtHeader = [System.Runtime.InteropServices.Marshal]::PtrToStructure($PointerNtHeader, [Type] [PE+_IMAGE_NT_HEADERS32]) - $Architecture = ($NtHeader.FileHeader.Machine).ToString() - - $BinaryPtrWidth = 4 - - # Define relevant structure types depending upon whether the binary is 32 or 64-bit - if ($Architecture -eq 'AMD64') { - - $BinaryPtrWidth = 8 - - $PEStruct = @{ - IMAGE_OPTIONAL_HEADER = [PE+_IMAGE_OPTIONAL_HEADER64] - NT_HEADER = [PE+_IMAGE_NT_HEADERS64] - } - - $ThunkDataStruct = [PE+_IMAGE_THUNK_DATA64] - - Write-Verbose "Architecture: $Architecture" - Write-Verbose 'Proceeding with parsing a 64-bit binary.' - - } elseif ($Architecture -eq 'I386' -or $Architecture -eq 'ARMNT' -or $Architecture -eq 'THUMB') { - - $PEStruct = @{ - IMAGE_OPTIONAL_HEADER = [PE+_IMAGE_OPTIONAL_HEADER32] - NT_HEADER = [PE+_IMAGE_NT_HEADERS32] - } - - $ThunkDataStruct = [PE+_IMAGE_THUNK_DATA32] - - Write-Verbose "Architecture: $Architecture" - Write-Verbose 'Proceeding with parsing a 32-bit binary.' - - } else { - - Write-Warning 'Get-PEHeader only supports binaries compiled for x86, AMD64, and ARM.' - return - - } - - # Need to get a new NT header in case the architecture changed - $NtHeader = [System.Runtime.InteropServices.Marshal]::PtrToStructure($PointerNtHeader, [Type] $PEStruct['NT_HEADER']) - # Display all section headers - $NumSections = $NtHeader.FileHeader.NumberOfSections - $NumRva = $NtHeader.OptionalHeader.NumberOfRvaAndSizes - $PointerSectionHeader = [IntPtr] ($PointerNtHeader.ToInt64() + [System.Runtime.InteropServices.Marshal]::SizeOf([Type] $PEStruct['NT_HEADER'])) - $SectionHeaders = New-Object PSObject[]($NumSections) - foreach ($i in 0..($NumSections - 1)) - { - $SectionHeaders[$i] = [System.Runtime.InteropServices.Marshal]::PtrToStructure(([IntPtr] ($PointerSectionHeader.ToInt64() + ($i * [System.Runtime.InteropServices.Marshal]::SizeOf([Type] [PE+_IMAGE_SECTION_HEADER])))), [Type] [PE+_IMAGE_SECTION_HEADER]) - } - - - if (!$OnDisk) { - - $ReadSize = $NtHeader.OptionalHeader.SizeOfImage - # Free memory allocated for the PE header - [System.Runtime.InteropServices.Marshal]::FreeHGlobal($PEBaseAddr) - $PEBaseAddr = [System.Runtime.InteropServices.Marshal]::AllocHGlobal($ReadSize + 1) - - # Read process memory of each section header - foreach ($SectionHeader in $SectionHeaders) { - if (!$ReadProcessMemory.Invoke($hProcess, [IntPtr] ($ModuleBaseAddress.ToInt64() + $SectionHeader.VirtualAddress), [IntPtr] ($PEBaseAddr.ToInt64() + $SectionHeader.VirtualAddress), $SectionHeader.VirtualSize, [Ref] 0)) { - if ($ModuleName) { - Write-Warning "Failed to read $($SectionHeader.Name) section of $ModuleName" - } else { - Write-Warning "Failed to read $($SectionHeader.Name) section of process ID: $ProcessID" - } - - Write-Warning "Error code: 0x$([System.Runtime.InteropServices.Marshal]::GetLastWin32Error().ToString('X8'))" - $CloseHandle.Invoke($hProcess) | Out-Null - return - } - } - - # Close handle to the remote process since we no longer need to access the process. - $CloseHandle.Invoke($hProcess) | Out-Null - - } - - if ($PSBoundParameters['GetSectionData']) - { - foreach ($i in 0..($NumSections - 1)) - { - $RawBytes = $null - - if ($OnDisk) - { - $RawBytes = New-Object Byte[]($SectionHeaders[$i].SizeOfRawData) - [Runtime.InteropServices.Marshal]::Copy([IntPtr] ($PEBaseAddr.ToInt64() + $SectionHeaders[$i].PointerToRawData), $RawBytes, 0, $SectionHeaders[$i].SizeOfRawData) - } - else - { - $RawBytes = New-Object Byte[]($SectionHeaders[$i].VirtualSize) - [Runtime.InteropServices.Marshal]::Copy([IntPtr] ($PEBaseAddr.ToInt64() + $SectionHeaders[$i].VirtualAddress), $RawBytes, 0, $SectionHeaders[$i].VirtualSize) - } - - $SectionHeaders[$i] = Add-Member -InputObject ($SectionHeaders[$i]) -MemberType NoteProperty -Name RawData -Value $RawBytes -PassThru -Force - } - } - - function Get-Exports() - { - - if ($NTHeader.OptionalHeader.DataDirectory[0].VirtualAddress -eq 0) { - Write-Verbose 'Module does not contain any exports' - return - } - - # List all function Rvas in the export table - $ExportPointer = [IntPtr] ($PEBaseAddr.ToInt64() + $NtHeader.OptionalHeader.DataDirectory[0].VirtualAddress) - # This range will be used to test for the existence of forwarded functions - $ExportDirLow = $NtHeader.OptionalHeader.DataDirectory[0].VirtualAddress - if ($OnDisk) { - $ExportPointer = Convert-RVAToFileOffset $ExportPointer - $ExportDirLow = Convert-RVAToFileOffset $ExportDirLow - $ExportDirHigh = $ExportDirLow.ToInt32() + $NtHeader.OptionalHeader.DataDirectory[0].Size - } else { $ExportDirHigh = $ExportDirLow + $NtHeader.OptionalHeader.DataDirectory[0].Size } - - $ExportDirectory = [System.Runtime.InteropServices.Marshal]::PtrToStructure($ExportPointer, [Type] [PE+_IMAGE_EXPORT_DIRECTORY]) - $AddressOfNamePtr = [IntPtr] ($PEBaseAddr.ToInt64() + $ExportDirectory.AddressOfNames) - $NameOrdinalAddrPtr = [IntPtr] ($PEBaseAddr.ToInt64() + $ExportDirectory.AddressOfNameOrdinals) - $AddressOfFunctionsPtr = [IntPtr] ($PEBaseAddr.ToInt64() + $ExportDirectory.AddressOfFunctions) - $NumNamesFuncs = $ExportDirectory.NumberOfFunctions - $ExportDirectory.NumberOfNames - $NumNames = $ExportDirectory.NumberOfNames - $NumFunctions = $ExportDirectory.NumberOfFunctions - $Base = $ExportDirectory.Base - - # Recalculate file offsets based upon relative virtual addresses - if ($OnDisk) { - $AddressOfNamePtr = Convert-RVAToFileOffset $AddressOfNamePtr - $NameOrdinalAddrPtr = Convert-RVAToFileOffset $NameOrdinalAddrPtr - $AddressOfFunctionsPtr = Convert-RVAToFileOffset $AddressOfFunctionsPtr - } - - if ($NumFunctions -gt 0) { - - # Create an empty hash table that will contain indices to exported functions and their RVAs - $FunctionHashTable = @{} - - foreach ($i in 0..($NumFunctions - 1)) - { - - $RvaFunction = [System.Runtime.InteropServices.Marshal]::ReadInt32($AddressOfFunctionsPtr.ToInt64() + ($i * 4)) - # Function is exported by ordinal if $RvaFunction -ne 0. I.E. NumberOfFunction != the number of actual, exported functions. - if ($RvaFunction) { $FunctionHashTable[[Int]$i] = $RvaFunction } - - } - - # Create an empty hash table that will contain indices into RVA array and the function's name - $NameHashTable = @{} - - foreach ($i in 0..($NumNames - 1)) - { - - $RvaName = [System.Runtime.InteropServices.Marshal]::ReadInt32($AddressOfNamePtr.ToInt64() + ($i * 4)) - $FuncNameAddr = [IntPtr] ($PEBaseAddr.ToInt64() + $RvaName) - if ($OnDisk) { $FuncNameAddr= Convert-RVAToFileOffset $FuncNameAddr } - $FuncName = [System.Runtime.InteropServices.Marshal]::PtrToStringAnsi($FuncNameAddr) - $NameOrdinal = [Int][System.Runtime.InteropServices.Marshal]::ReadInt16($NameOrdinalAddrPtr.ToInt64() + ($i * 2)) - $NameHashTable[$NameOrdinal] = $FuncName - - } - - foreach ($Key in $FunctionHashTable.Keys) - { - $Result = @{} - - if ($NameHashTable[$Key]) { - $Result['FunctionName'] = $NameHashTable[$Key] - } else { - $Result['FunctionName'] = '' - } - - if (($FunctionHashTable[$Key] -ge $ExportDirLow) -and ($FunctionHashTable[$Key] -lt $ExportDirHigh)) { - $ForwardedNameAddr = [IntPtr] ($PEBaseAddr.ToInt64() + $FunctionHashTable[$Key]) - if ($OnDisk) { $ForwardedNameAddr = Convert-RVAToFileOffset $ForwardedNameAddr } - $ForwardedName = [System.Runtime.InteropServices.Marshal]::PtrToStringAnsi($ForwardedNameAddr) - # This script does not attempt to resolve the virtual addresses of forwarded functions - $Result['ForwardedName'] = $ForwardedName - } else { - $Result['ForwardedName'] = '' - } - - $Result['Ordinal'] = "0x$(($Key + $Base).ToString('X4'))" - $Result['RVA'] = "0x$($FunctionHashTable[$Key].ToString("X$($BinaryPtrWidth*2)"))" - #$Result['VA'] = "0x$(($FunctionHashTable[$Key] + $PEBaseAddr.ToInt64()).ToString("X$($BinaryPtrWidth*2)"))" - - $Export = New-Object PSObject -Property $Result - $Export.PSObject.TypeNames.Insert(0, 'Export') - - $Export - - } - - } else { Write-Verbose 'Module does not export any functions.' } - - } - - function Get-Imports() - { - if ($NTHeader.OptionalHeader.DataDirectory[1].VirtualAddress -eq 0) { - Write-Verbose 'Module does not contain any imports' - return - } - - $FirstImageImportDescriptorPtr = [IntPtr] ($PEBaseAddr.ToInt64() + $NtHeader.OptionalHeader.DataDirectory[1].VirtualAddress) - if ($OnDisk) { $FirstImageImportDescriptorPtr = Convert-RVAToFileOffset $FirstImageImportDescriptorPtr } - $ImportDescriptorPtr = $FirstImageImportDescriptorPtr - - $i = 0 - # Get all imported modules - while ($true) - { - $ImportDescriptorPtr = [IntPtr] ($FirstImageImportDescriptorPtr.ToInt64() + ($i * [System.Runtime.InteropServices.Marshal]::SizeOf([Type] [PE+_IMAGE_IMPORT_DESCRIPTOR]))) - $ImportDescriptor = [System.Runtime.InteropServices.Marshal]::PtrToStructure($ImportDescriptorPtr, [Type] [PE+_IMAGE_IMPORT_DESCRIPTOR]) - if ($ImportDescriptor.OriginalFirstThunk -eq 0) { break } - $DllNamePtr = [IntPtr] ($PEBaseAddr.ToInt64() + $ImportDescriptor.Name) - if ($OnDisk) { $DllNamePtr = Convert-RVAToFileOffset $DllNamePtr } - $DllName = [System.Runtime.InteropServices.Marshal]::PtrToStringAnsi($DllNamePtr) - $FirstFuncAddrPtr = [IntPtr] ($PEBaseAddr.ToInt64() + $ImportDescriptor.FirstThunk) - if ($OnDisk) { $FirstFuncAddrPtr = Convert-RVAToFileOffset $FirstFuncAddrPtr } - $FuncAddrPtr = $FirstFuncAddrPtr - $FirstOFTPtr = [IntPtr] ($PEBaseAddr.ToInt64() + $ImportDescriptor.OriginalFirstThunk) - if ($OnDisk) { $FirstOFTPtr = Convert-RVAToFileOffset $FirstOFTPtr } - $OFTPtr = $FirstOFTPtr - $j = 0 - while ($true) - { - $FuncAddrPtr = [IntPtr] ($FirstFuncAddrPtr.ToInt64() + ($j * [System.Runtime.InteropServices.Marshal]::SizeOf([Type] $ThunkDataStruct))) - $FuncAddr = [System.Runtime.InteropServices.Marshal]::PtrToStructure($FuncAddrPtr, [Type] $ThunkDataStruct) - $OFTPtr = [IntPtr] ($FirstOFTPtr.ToInt64() + ($j * [System.Runtime.InteropServices.Marshal]::SizeOf([Type] $ThunkDataStruct))) - $ThunkData = [System.Runtime.InteropServices.Marshal]::PtrToStructure($OFTPtr, [Type] $ThunkDataStruct) - $Result = @{ ModuleName = $DllName } - - if (([System.Convert]::ToString($ThunkData.AddressOfData, 2)).PadLeft(32, '0')[0] -eq '1') - { - # Trim high order bit in order to get the ordinal value - $TempOrdinal = [System.Convert]::ToInt64(([System.Convert]::ToString($ThunkData.AddressOfData, 2))[1..63] -join '', 2) - $TempOrdinal = $TempOrdinal.ToString('X16')[-1..-4] - [Array]::Reverse($TempOrdinal) - $Ordinal = '' - $TempOrdinal | ForEach-Object { $Ordinal += $_ } - $Result['Ordinal'] = "0x$Ordinal" - $Result['FunctionName'] = '' - } - else - { - $ImportByNamePtr = [IntPtr] ($PEBaseAddr.ToInt64() + [Int64]$ThunkData.AddressOfData + 2) - if ($OnDisk) { $ImportByNamePtr = Convert-RVAToFileOffset $ImportByNamePtr } - $FuncName = [System.Runtime.InteropServices.Marshal]::PtrToStringAnsi($ImportByNamePtr) - $Result['Ordinal'] = '' - $Result['FunctionName'] = $FuncName - } - - $Result['RVA'] = "0x$($FuncAddr.AddressOfData.ToString("X$($BinaryPtrWidth*2)"))" - - if ($FuncAddr.AddressOfData -eq 0) { break } - if ($OFTPtr -eq 0) { break } - - $Import = New-Object PSObject -Property $Result - $Import.PSObject.TypeNames.Insert(0, 'Import') - - $Import - - $j++ - - } - - $i++ - - } - - } - - function Convert-RVAToFileOffset([IntPtr] $Rva) - { - - foreach ($Section in $SectionHeaders) { - if ((($Rva.ToInt64() - $PEBaseAddr.ToInt64()) -ge $Section.VirtualAddress) -and (($Rva.ToInt64() - $PEBaseAddr.ToInt64()) -lt ($Section.VirtualAddress + $Section.VirtualSize))) { - return [IntPtr] ($Rva.ToInt64() - ($Section.VirtualAddress - $Section.PointerToRawData)) - } - } - - # Pointer did not fall in the address ranges of the section headers - return $Rva - - } - - $PEFields = @{ - Module = $ModuleName - DOSHeader = $DosHeader - PESignature = $NTHeader.Signature - FileHeader = $NTHeader.FileHeader - OptionalHeader = $NTHeader.OptionalHeader - SectionHeaders = $SectionHeaders - Imports = Get-Imports - Exports = Get-Exports - } - - if ($Ondisk) { - $Handle.Free() - } else { - # Free memory allocated for the PE header - [System.Runtime.InteropServices.Marshal]::FreeHGlobal($PEBaseAddr) - } - - $PEHeader = New-Object PSObject -Property $PEFields - $PEHeader.PSObject.TypeNames.Insert(0, 'PEHeader') - - $ScriptBlock = { - $SymServerURL = 'http://msdl.microsoft.com/download/symbols' - $FileName = $this.Module.Split('\')[-1] - $Request = "{0}/{1}/{2:X8}{3:X}/{1}" -f $SymServerURL, $FileName, $this.FileHeader.TimeDateStamp, $this.OptionalHeader.SizeOfImage - $Request = "$($Request.Substring(0, $Request.Length - 1))_" - $WebClient = New-Object Net.WebClient - $WebClient.Headers.Add('User-Agent', 'Microsoft-Symbol-Server/6.6.0007.5') - Write-Host "Downloading $FileName from the Microsoft symbol server..." - $CabBytes = $WebClient.DownloadData($Request) - $CabPath = "$PWD\$($FileName.Split('.')[0]).cab" - Write-Host "Download complete. Saving it to $("$(Split-Path $CabPath)\$FileName")." - [IO.File]::WriteAllBytes($CabPath, $CabBytes) - $Shell = New-Object -Comobject Shell.Application - $CabFile = $Shell.Namespace($CabPath).Items() - $Destination = $Shell.Namespace((Split-Path $CabPath)) - $Destination.CopyHere($CabFile) - Remove-Item $CabPath -Force - } - - $PEHeader = Add-Member -InputObject $PEHeader -MemberType ScriptMethod -Name DownloadFromMSSymbolServer -Value $ScriptBlock -PassThru -Force - - return $PEHeader - -} - -} diff --git a/PETools/PETools.format.ps1xml b/PETools/PETools.format.ps1xml deleted file mode 100644 index c510281..0000000 --- a/PETools/PETools.format.ps1xml +++ /dev/null @@ -1,374 +0,0 @@ -<?xml version="1.0" encoding="utf-8" ?> -<Configuration> - <SelectionSets> - <SelectionSet> - <Name>OptionHeaderTypes</Name> - <Types> - <TypeName>PE+_IMAGE_OPTIONAL_HEADER32</TypeName> - <TypeName>PE+_IMAGE_OPTIONAL_HEADER64</TypeName> - </Types> - </SelectionSet> - </SelectionSets> - <ViewDefinitions> - <View> - <Name>PEView</Name> - <ViewSelectedBy> - <TypeName>PEHeader</TypeName> - </ViewSelectedBy> - <ListControl> - <ListEntries> - <ListEntry> - <ListItems> - <ListItem> - <PropertyName>Module</PropertyName> - </ListItem> - <ListItem> - <PropertyName>DOSHeader</PropertyName> - </ListItem> - <ListItem> - <PropertyName>FileHeader</PropertyName> - </ListItem> - <ListItem> - <PropertyName>OptionalHeader</PropertyName> - </ListItem> - <ListItem> - <PropertyName>SectionHeaders</PropertyName> - </ListItem> - <ListItem> - <PropertyName>Imports</PropertyName> - </ListItem> - <ListItem> - <PropertyName>Exports</PropertyName> - </ListItem> - </ListItems> - </ListEntry> - </ListEntries> - </ListControl> - </View> - <View> - <Name>OptionalHeaderView</Name> - <ViewSelectedBy> - <SelectionSetName>OptionHeaderTypes</SelectionSetName> - </ViewSelectedBy> - <ListControl> - <ListEntries> - <ListEntry> - <ListItems> - <ListItem> - <PropertyName>Magic</PropertyName> - </ListItem> - <ListItem> - <PropertyName>MajorLinkerVersion</PropertyName> - </ListItem> - <ListItem> - <PropertyName>MinorLinkerVersion</PropertyName> - </ListItem> - <ListItem> - <Label>SizeOfCode</Label> - <ScriptBlock>"0x$($_.SizeOfCode.ToString('X8'))"</ScriptBlock> - </ListItem> - <ListItem> - <Label>SizeOfInitializedData</Label> - <ScriptBlock>"0x$($_.SizeOfInitializedData.ToString('X8'))"</ScriptBlock> - </ListItem> - <ListItem> - <Label>SizeOfUninitializedData</Label> - <ScriptBlock>"0x$($_.SizeOfUninitializedData.ToString('X8'))"</ScriptBlock> - </ListItem> - <ListItem> - <Label>AddressOfEntryPoint</Label> - <ScriptBlock>"0x$($_.AddressOfEntryPoint.ToString('X8'))"</ScriptBlock> - </ListItem> - <ListItem> - <Label>BaseOfCode</Label> - <ScriptBlock>"0x$($_.BaseOfCode.ToString('X8'))"</ScriptBlock> - </ListItem> - <ListItem> - <Label>BaseOfData</Label> - <ScriptBlock>"0x$($_.BaseOfData.ToString('X8'))"</ScriptBlock> - </ListItem> - <ListItem> - <Label>ImageBase</Label> - <ScriptBlock>if ($_.Magic.ToString() -eq 'PE32') { "0x$($_.ImageBase.ToString('X8'))" } else { "0x$($_.ImageBase.ToString('X16'))" }</ScriptBlock> - </ListItem> - <ListItem> - <Label>SectionAlignment</Label> - <ScriptBlock>"0x$($_.SectionAlignment.ToString('X8'))"</ScriptBlock> - </ListItem> - <ListItem> - <Label>FileAlignment</Label> - <ScriptBlock>"0x$($_.FileAlignment.ToString('X8'))"</ScriptBlock> - </ListItem> - <ListItem> - <PropertyName>MajorOperatingSystemVersion</PropertyName> - </ListItem> - <ListItem> - <PropertyName>MinorOperatingSystemVersion</PropertyName> - </ListItem> - <ListItem> - <PropertyName>MajorSubsystemVersion</PropertyName> - </ListItem> - <ListItem> - <PropertyName>MinorSubsystemVersion</PropertyName> - </ListItem> - <ListItem> - <PropertyName>Win32VersionValue</PropertyName> - </ListItem> - <ListItem> - <Label>SizeOfImage</Label> - <ScriptBlock>"0x$($_.SizeOfImage.ToString('X8'))"</ScriptBlock> - </ListItem> - <ListItem> - <Label>SizeOfHeaders</Label> - <ScriptBlock>"0x$($_.SizeOfHeaders.ToString('X8'))"</ScriptBlock> - </ListItem> - <ListItem> - <Label>CheckSum</Label> - <ScriptBlock>"0x$($_.CheckSum.ToString('X8'))"</ScriptBlock> - </ListItem> - <ListItem> - <PropertyName>Subsystem</PropertyName> - </ListItem> - <ListItem> - <PropertyName>DllCharacteristics</PropertyName> - </ListItem> - <ListItem> - <Label>SizeOfStackReserve</Label> - <ScriptBlock>if ($_.Magic.ToString() -eq 'PE32') { "0x$($_.SizeOfStackReserve.ToString('X8'))" } else { "0x$($_.SizeOfStackReserve.ToString('X16'))" }</ScriptBlock> - </ListItem> - <ListItem> - <Label>SizeOfStackCommit</Label> - <ScriptBlock>if ($_.Magic.ToString() -eq 'PE32') { "0x$($_.SizeOfStackCommit.ToString('X8'))" } else { "0x$($_.SizeOfStackCommit.ToString('X16'))" }</ScriptBlock> - </ListItem> - <ListItem> - <Label>SizeOfHeapReserve</Label> - <ScriptBlock>if ($_.Magic.ToString() -eq 'PE32') { "0x$($_.SizeOfHeapReserve.ToString('X8'))" } else { "0x$($_.SizeOfHeapReserve.ToString('X16'))" }</ScriptBlock> - </ListItem> - <ListItem> - <Label>SizeOfHeapCommit</Label> - <ScriptBlock>if ($_.Magic.ToString() -eq 'PE32') { "0x$($_.SizeOfHeapCommit.ToString('X8'))" } else { "0x$($_.SizeOfHeapCommit.ToString('X16'))" }</ScriptBlock> - </ListItem> - <ListItem> - <PropertyName>LoaderFlags</PropertyName> - </ListItem> - <ListItem> - <PropertyName>NumberOfRvaAndSizes</PropertyName> - </ListItem> - <ListItem> - <PropertyName>DataDirectory</PropertyName> - </ListItem> - </ListItems> - </ListEntry> - </ListEntries> - </ListControl> - </View> - <View> - <Name>SectionHeaderView</Name> - <ViewSelectedBy> - <TypeName>PE+_IMAGE_SECTION_HEADER</TypeName> - </ViewSelectedBy> - <TableControl> - <AutoSize/> - <TableHeaders> - <TableColumnHeader> - <Label>Name</Label> - <Alignment>Right</Alignment> - </TableColumnHeader> - <TableColumnHeader> - <Label>VirtualSize</Label> - </TableColumnHeader> - <TableColumnHeader> - <Label>VirtualAddress</Label> - </TableColumnHeader> - <TableColumnHeader> - <Label>SizeOfRawData</Label> - </TableColumnHeader> - <TableColumnHeader> - <Label>PointerToRawData</Label> - </TableColumnHeader> - <TableColumnHeader> - <Label>Characteristics</Label> - <Alignment>Left</Alignment> - </TableColumnHeader> - </TableHeaders> - <TableRowEntries> - <TableRowEntry> - <TableColumnItems> - <TableColumnItem> - <Alignment>Right</Alignment> - <PropertyName>Name</PropertyName> - </TableColumnItem> - <TableColumnItem> - <ScriptBlock>"0x$($_.VirtualSize.ToString('X8'))"</ScriptBlock> - </TableColumnItem> - <TableColumnItem> - <ScriptBlock>"0x$($_.VirtualAddress.ToString('X8'))"</ScriptBlock> - </TableColumnItem> - <TableColumnItem> - <ScriptBlock>"0x$($_.SizeOfRawData.ToString('X8'))"</ScriptBlock> - </TableColumnItem> - <TableColumnItem> - <ScriptBlock>"0x$($_.PointerToRawData.ToString('X8'))"</ScriptBlock> - </TableColumnItem> - <TableColumnItem> - <PropertyName>Characteristics</PropertyName> - </TableColumnItem> - </TableColumnItems> - </TableRowEntry> - </TableRowEntries> - </TableControl> - </View> - <View> - <Name>FileHeaderView</Name> - <ViewSelectedBy> - <TypeName>PE+_IMAGE_FILE_HEADER</TypeName> - </ViewSelectedBy> - <ListControl> - <ListEntries> - <ListEntry> - <ListItems> - <ListItem> - <PropertyName>Machine</PropertyName> - </ListItem> - <ListItem> - <PropertyName>NumberOfSections</PropertyName> - </ListItem> - <ListItem> - <Label>TimeDateStamp</Label> - <!-- GMT compile time --> - <ScriptBlock>(New-Object DateTime(1970, 1, 1, 0, 0, 0)).AddSeconds($_.TimeDateStamp)</ScriptBlock> - <!-- Compile time assuming it was compiled in Redmond, Washington (PST - GMT-8) --> - <!-- <ScriptBlock>(New-Object DateTime(1969, 12, 31, 16, 0, 0)).AddSeconds($_.TimeDateStamp)</ScriptBlock> --> - </ListItem> - <ListItem> - <PropertyName>PointerToSymbolTable</PropertyName> - </ListItem> - <ListItem> - <PropertyName>NumberOfSymbols</PropertyName> - </ListItem> - <ListItem> - <PropertyName>SizeOfOptionalHeader</PropertyName> - </ListItem> - <ListItem> - <PropertyName>Characteristics</PropertyName> - </ListItem> - </ListItems> - </ListEntry> - </ListEntries> - </ListControl> - </View> - <View> - <Name>DataDirectoryView</Name> - <ViewSelectedBy> - <TypeName>PE+_IMAGE_DATA_DIRECTORY</TypeName> - </ViewSelectedBy> - <TableControl> - <AutoSize/> - <TableHeaders> - <TableColumnHeader> - <Label>VirtualAddress</Label> - </TableColumnHeader> - <TableColumnHeader> - <Label>Size</Label> - </TableColumnHeader> - </TableHeaders> - <TableRowEntries> - <TableRowEntry> - <TableColumnItems> - <TableColumnItem> - <ScriptBlock>"0x$($_.VirtualAddress.ToString('X8'))"</ScriptBlock> - </TableColumnItem> - <TableColumnItem> - <ScriptBlock>"0x$($_.Size.ToString('X8'))"</ScriptBlock> - </TableColumnItem> - </TableColumnItems> - </TableRowEntry> - </TableRowEntries> - </TableControl> - </View> - <View> - <Name>ImportView</Name> - <ViewSelectedBy> - <TypeName>Import</TypeName> - </ViewSelectedBy> - <TableControl> - <AutoSize/> - <TableHeaders> - <TableColumnHeader> - <Label>ModuleName</Label> - <Alignment>Right</Alignment> - </TableColumnHeader> - <TableColumnHeader> - <Label>VA/FT</Label> - </TableColumnHeader> - <TableColumnHeader> - <Label>Ordinal</Label> - </TableColumnHeader> - <TableColumnHeader> - <Label>FunctionName</Label> - </TableColumnHeader> - </TableHeaders> - <TableRowEntries> - <TableRowEntry> - <TableColumnItems> - <TableColumnItem> - <Alignment>Right</Alignment> - <PropertyName>ModuleName</PropertyName> - </TableColumnItem> - <TableColumnItem> - <PropertyName>RVA</PropertyName> - </TableColumnItem> - <TableColumnItem> - <PropertyName>Ordinal</PropertyName> - </TableColumnItem> - <TableColumnItem> - <PropertyName>FunctionName</PropertyName> - </TableColumnItem> - </TableColumnItems> - </TableRowEntry> - </TableRowEntries> - </TableControl> - </View> - <View> - <Name>ExportView</Name> - <ViewSelectedBy> - <TypeName>Export</TypeName> - </ViewSelectedBy> - <TableControl> - <AutoSize/> - <TableHeaders> - <TableColumnHeader> - <Label>RVA</Label> - </TableColumnHeader> - <TableColumnHeader> - <Label>Ordinal</Label> - </TableColumnHeader> - <TableColumnHeader> - <Label>FunctionName</Label> - </TableColumnHeader> - <TableColumnHeader> - <Label>ForwardedName</Label> - </TableColumnHeader> - </TableHeaders> - <TableRowEntries> - <TableRowEntry> - <TableColumnItems> - <TableColumnItem> - <PropertyName>RVA</PropertyName> - </TableColumnItem> - <TableColumnItem> - <PropertyName>Ordinal</PropertyName> - </TableColumnItem> - <TableColumnItem> - <PropertyName>FunctionName</PropertyName> - </TableColumnItem> - <TableColumnItem> - <PropertyName>ForwardedName</PropertyName> - </TableColumnItem> - </TableColumnItems> - </TableRowEntry> - </TableRowEntries> - </TableControl> - </View> - </ViewDefinitions> -</Configuration> diff --git a/PETools/PETools.psd1 b/PETools/PETools.psd1 deleted file mode 100644 index ef470a7..0000000 --- a/PETools/PETools.psd1 +++ /dev/null @@ -1,89 +0,0 @@ -@{
-
-# Script module or binary module file associated with this manifest.
-ModuleToProcess = 'PETools.psm1'
-
-# Version number of this module.
-ModuleVersion = '1.0.0.0'
-
-# ID used to uniquely identify this module
-GUID = 'd15059e2-8bd9-47ff-8bcd-b708ff90e402'
-
-# Author of this module
-Author = 'Matthew Graeber'
-
-# Company or vendor of this module
-CompanyName = ''
-
-# Copyright statement for this module
-Copyright = 'BSD 3-Clause'
-
-# Description of the functionality provided by this module
-Description = 'PowerSploit Portable Executable Analysis Module'
-
-# Minimum version of the Windows PowerShell engine required by this module
-PowerShellVersion = '2.0'
-
-# Name of the Windows PowerShell host required by this module
-# PowerShellHostName = ''
-
-# Minimum version of the Windows PowerShell host required by this module
-# PowerShellHostVersion = ''
-
-# Minimum version of the .NET Framework required by this module
-# DotNetFrameworkVersion = ''
-
-# Minimum version of the common language runtime (CLR) required by this module
-# CLRVersion = ''
-
-# Processor architecture (None, X86, Amd64) required by this module
-# ProcessorArchitecture = ''
-
-# Modules that must be imported into the global environment prior to importing this module
-# RequiredModules = @()
-
-# Assemblies that must be loaded prior to importing this module
-# RequiredAssemblies = @()
-
-# Script files (.ps1) that are run in the caller's environment prior to importing this module.
-# ScriptsToProcess = ''
-
-# Type files (.ps1xml) to be loaded when importing this module
-# TypesToProcess = @()
-
-# Format files (.ps1xml) to be loaded when importing this module
-FormatsToProcess = 'PETools.format.ps1xml', 'Get-ObjDump.format.ps1xml', 'Get-LibSymbols.format.ps1xml'
-
-# Modules to import as nested modules of the module specified in RootModule/ModuleToProcess
-# NestedModules = @()
-
-# Functions to export from this module
-FunctionsToExport = '*'
-
-# Cmdlets to export from this module
-CmdletsToExport = '*'
-
-# Variables to export from this module
-VariablesToExport = ''
-
-# Aliases to export from this module
-AliasesToExport = ''
-
-# List of all modules packaged with this module.
-ModuleList = @(@{ModuleName = 'PETools'; ModuleVersion = '1.0.0.0'; GUID = 'd15059e2-8bd9-47ff-8bcd-b708ff90e402'})
-
-# List of all files packaged with this module
-FileList = 'PETools.psm1', 'PETools.psd1', 'PETools.format.ps1xml', 'Get-DllLoadPath.ps1',
- 'Get-PEHeader.ps1', 'Get-ObjDump.ps1', 'Get-ObjDump.format.ps1xml', 'Get-LibSymbols.ps1',
- 'Usage.md'
-
-# Private data to pass to the module specified in RootModule/ModuleToProcess
-# PrivateData = ''
-
-# HelpInfo URI of this module
-# HelpInfoURI = ''
-
-# Default prefix for commands exported from this module. Override the default prefix using Import-Module -Prefix.
-# DefaultCommandPrefix = ''
-
-}
diff --git a/PETools/PETools.psm1 b/PETools/PETools.psm1 deleted file mode 100644 index 81d3818..0000000 --- a/PETools/PETools.psm1 +++ /dev/null @@ -1 +0,0 @@ -Get-ChildItem (Join-Path $PSScriptRoot *.ps1) | % { . $_.FullName} diff --git a/PETools/Usage.md b/PETools/Usage.md deleted file mode 100644 index 6c96b10..0000000 --- a/PETools/Usage.md +++ /dev/null @@ -1,12 +0,0 @@ -To install this module, drop the entire PETools folder into one of your module directories. The default PowerShell module paths are listed in the $Env:PSModulePath environment variable.
-
-The default per-user module path is: "$Env:HomeDrive$Env:HOMEPATH\Documents\WindowsPowerShell\Modules"
-The default computer-level module path is: "$Env:windir\System32\WindowsPowerShell\v1.0\Modules"
-
-To use the module, type `Import-Module PETools`
-
-To see the commands imported, type `Get-Command -Module PETools`
-
-For help on each individual command, Get-Help is your friend.
-
-Note: The tools contained within this module were all designed such that they can be run individually. Including them in a module simply lends itself to increased portability.
\ No newline at end of file diff --git a/PowerSploit.psd1 b/PowerSploit.psd1 index 049c491..678294b 100644 --- a/PowerSploit.psd1 +++ b/PowerSploit.psd1 @@ -1,5 +1,4 @@ @{ - # Script module or binary module file associated with this manifest. ModuleToProcess = 'PowerSploit.psm1' @@ -24,39 +23,6 @@ Description = 'PowerSploit Root Module' # Minimum version of the Windows PowerShell engine required by this module PowerShellVersion = '2.0' -# Name of the Windows PowerShell host required by this module -# PowerShellHostName = '' - -# Minimum version of the Windows PowerShell host required by this module -# PowerShellHostVersion = '' - -# Minimum version of the .NET Framework required by this module -# DotNetFrameworkVersion = '' - -# Minimum version of the common language runtime (CLR) required by this module -# CLRVersion = '' - -# Processor architecture (None, X86, Amd64) required by this module -# ProcessorArchitecture = '' - -# Modules that must be imported into the global environment prior to importing this module -# RequiredModules = @() - -# Assemblies that must be loaded prior to importing this module -# RequiredAssemblies = @() - -# Script files (.ps1) that are run in the caller's environment prior to importing this module. -# ScriptsToProcess = '' - -# Type files (.ps1xml) to be loaded when importing this module -# TypesToProcess = @() - -# Format files (.ps1xml) to be loaded when importing this module -# FormatsToProcess = @() - -# Modules to import as nested modules of the module specified in RootModule/ModuleToProcess -# NestedModules = @() - # Functions to export from this module FunctionsToExport = '*' @@ -70,28 +36,10 @@ VariablesToExport = '' AliasesToExport = '' # List of all modules packaged with this module. -ModuleList = @( @{ModuleName = 'PowerSploit'; ModuleVersion = '1.0.0.0'; GUID = '6753b496-d842-40a3-924a-0f09e248640c'}, - @{ModuleName = 'AntivirusBypass'; ModuleVersion = '1.0.0.0'; GUID = '7cf9de61-2bfc-41b4-a397-9d7cf3a8e66b'}, +ModuleList = @( @{ModuleName = 'AntivirusBypass'; ModuleVersion = '1.0.0.0'; GUID = '7cf9de61-2bfc-41b4-a397-9d7cf3a8e66b'}, @{ModuleName = 'CodeExecution'; ModuleVersion = '1.0.0.0'; GUID = 'a8a6780b-e694-4aa4-b28d-646afa66733c'}, @{ModuleName = 'Exfiltration'; ModuleVersion = '1.0.0.0'; GUID = '75dafa99-1402-4e29-b5d4-6c87da2b323a'}, - @{ModuleName = 'PETools'; ModuleVersion = '1.0.0.0'; GUID = 'd15059e2-8bd9-47ff-8bcd-b708ff90e402'}, @{ModuleName = 'Recon'; ModuleVersion = '1.0.0.0'; GUID = '7e775ad6-cd3d-4a93-b788-da067274c877'}, - @{ModuleName = 'ReverseEngineering'; ModuleVersion = '1.0.0.0'; GUID = 'cbffaf47-c55a-4901-92e7-8d794fbe1fff'}, @{ModuleName = 'ScriptModification'; ModuleVersion = '1.0.0.0'; GUID = 'a4d86266-b39b-437a-b5bb-d6f99aa6e610'}, - @{ModuleName = 'Persistence'; ModuleVersion = '1.0.0.0'; GUID = '633d0f10-a056-41da-869d-6d2f75430195'} - @{ModuleName = 'Capstone'; ModuleVersion = '1.0.0.0'; GUID = 'bc335667-02fd-46c4-a3d9-0a5113c9c03b'} - ) - -# List of all files packaged with this module -FileList = 'PowerSploit.psd1', 'PowerSploit.psm1' - -# Private data to pass to the module specified in RootModule/ModuleToProcess -# PrivateData = '' - -# HelpInfo URI of this module -# HelpInfoURI = '' - -# Default prefix for commands exported from this module. Override the default prefix using Import-Module -Prefix. -# DefaultCommandPrefix = '' - + @{ModuleName = 'Persistence'; ModuleVersion = '1.0.0.0'; GUID = '633d0f10-a056-41da-869d-6d2f75430195'} ) } @@ -1,4 +1,6 @@ -### PowerSploit is a collection of Microsoft PowerShell modules that can be used to aid reverse engineers, forensic analysts, and penetration testers during all phases of an assessment. PowerSploit is comprised of the following modules and scripts: +### PowerSploit is a collection of Microsoft PowerShell modules that can be used to aid penetration testers during all phases of an assessment. PowerSploit is comprised of the following modules and scripts: + +### Note: All reverse engineering components of PowerSploit now reside in the [PowerShellArsenal](https://github.com/mattifestation/PowerShellArsenal). ## CodeExecution @@ -64,86 +66,6 @@ Installs a security support provider (SSP) dll. Enumerates all loaded security packages (SSPs). -## PETools - -**Parse/manipulate Windows portable executables.** - -#### `Get-PEHeader` - -An in-memory and on-disk PE parsing utility. - -#### `Get-ObjDump` - -Displays information about one or more Windows object files. - -#### `Get-LibSymbols` - -Displays symbolic information from Windows lib files. - -#### `Get-DllLoadPath` - -Returns the path from which Windows will load a Dll for the given executable. - -## Capstone - -**A PowerShell binding for the Capstone Engine disassembly framework.** - -#### `Get-CSDisassembly` - -Disassembles a byte array using the Capstone Engine disassembly framework. - -## ReverseEngineering - -**Tools to aid in reverse engineering.** - -#### `Get-PEB` - -Returns the process environment block (PEB) of a process. - -#### `Get-ILDisassembly` - -Disassembles a raw MSIL byte array passed in from a MethodInfo object in a manner similar to that of Ildasm. - -#### `Get-NtSystemInformation` - -A utility that calls and parses the output of the ntdll!NtQuerySystemInformation function. This utility can be used to query internal OS information that is typically not made visible to a user. - -#### `Get-StructFromMemory` - -Marshals data from an unmanaged block of memory in an arbitrary process to a newly allocated managed object of the specified type. - -#### `Get-Member` - -A proxy function used to extend the built-in Get-Member cmdlet. It adds the '-Private' parameter allowing you to display non-public .NET members - -#### `Get-Strings` - -Dumps strings from files in both Unicode and Ascii. This cmdlet replicates the functionality of strings.exe from Sysinternals. - -#### `ConvertTo-String` - -Converts the bytes of a file to a string that has a 1-to-1 mapping back to the file's original bytes. ConvertTo-String is useful for performing binary regular expressions. - -#### `Get-MethodAddress` - -Get the unmanaged function address of a .NET method. - -#### `Register-ProcessModuleTrace` - -Starts a trace of loaded process modules - -#### `Get-ProcessModuleTrace` - -Displays the process modules that have been loaded since the call to Register-ProcessModuleTrace - -#### `Unregister-ProcessModuleTrace` - -Stops the running process module trace - -#### `Get-Entropy` - -Calculates the entropy of a file or byte array. - ## AntivirusBypass **AV doesn't stand a chance against PowerShell!** @@ -275,7 +197,7 @@ Note: The tools contained within this module were all designed such that they ca * Always provide descriptive, comment-based help for every script. Also, be sure to include your name and a BSD 3-Clause license (unless there are extenuating circumstances that prevent the application of the BSD license). -* Make sure all functions follow the proper PowerShell verb-noun agreement. Use Get-Verb to list the default verbs used by PowerShell. +* Make sure all functions follow the proper PowerShell verb-noun agreement. Use Get-Verb to list the default verbs used by PowerShell. Exceptions to supported verbs will be considered on a case-by-case basis. * I prefer that variable names be capitalized and be as descriptive as possible. @@ -285,29 +207,23 @@ Note: The tools contained within this module were all designed such that they ca * Catch all anticipated errors and provide meaningful output. If you have an error that should stop execution of the script, use 'Throw'. If you have an error that doesn't need to stop execution, use Write-Error. -* If you are writing a script that interfaces with the Win32 API, do not compile C# code unless absolutely necessary. It is imperative that nothing aside from the script touches the disk. +* If you are writing a script that interfaces with the Win32 API, try to avoid compiling C# inline with Add-Type. Try to use the PSReflect module, if possible. * Do not use hardcoded paths. A script should be useable right out of the box. No one should have to modify the code unless they want to. -* I don't want any v3 dependencies right now. In fact, it would be ideal to use `Set-StrictMode -Version 2.0` to ensure you are conforming to PowerShell v2 best practices. +* PowerShell v2 compatibility is highly desired. * Use positional parameters and make parameters mandatory when it makes sense to do so. For example, I'm looking for something like the following: * `[Parameter(Position = 0, Mandatory = $True)]` * Don't use any aliases unless it makes sense for receiving pipeline input. They make code more difficult to read for people who are unfamiliar with a particular alias. -* Don't let commands run on for too long. For example, a pipeline is a natural place for a line break. +* Try not to let commands run on for too long. For example, a pipeline is a natural place for a line break. * Don't go overboard with inline comments. Only use them when certain aspects of the code might be confusing to a reader. -* Use Out-Null to suppress unwanted/irrelevant output. - -* Only use .NET code when absolutely necessary. - -* Use the Write-Output keyword when returning an object from a function. I know it's not necessary but it makes the code more readable. +* Rather than using Out-Null to suppress unwanted/irrelevant output, save the unwanted output to $null. Doing so provides a slight performance enhancement. * Use default values for your parameters when it makes sense. Ideally, you want a script that will work without requiring any parameters. -* Scripts that are intended to run on a remote machine should be self-contained and not rely upon any additional scripts. Scripts that are designed to run on your host machine can have dependencies on other scripts. - * If a script creates complex custom objects, include a ps1xml file that will properly format the object's output.
\ No newline at end of file diff --git a/ReverseEngineering/ConvertTo-String.ps1 b/ReverseEngineering/ConvertTo-String.ps1 deleted file mode 100644 index 1c030b4..0000000 --- a/ReverseEngineering/ConvertTo-String.ps1 +++ /dev/null @@ -1,70 +0,0 @@ -filter ConvertTo-String -{ -<# -.SYNOPSIS - -Converts the bytes of a file to a string. - -PowerSploit Function: ConvertTo-String -Author: Matthew Graeber (@mattifestation) -License: BSD 3-Clause -Required Dependencies: None -Optional Dependencies: None - -.DESCRIPTION - -ConvertTo-String converts the bytes of a file to a string that has a -1-to-1 mapping back to the file's original bytes. ConvertTo-String is -useful for performing binary regular expressions. - -.PARAMETER Path - -Specifies the path to the file to convert. - -.EXAMPLE - -PS C:\>$BinaryString = ConvertTo-String C:\Windows\SysWow64\kernel32.dll -PS C:\>$HotpatchableRegex = [Regex] '[\xCC\x90]{5}\x8B\xFF' -PS C:\>$HotpatchableRegex.Matches($BinaryString) - -Description ------------ -Converts kernel32.dll into a string. A binary regular expression is -then performed on the string searching for a hotpatchable code -sequence - i.e. 5 nop/int3 followed by a mov edi, edi instruction. - -.NOTES - -The intent of ConvertTo-String is not to replicate the functionality -of strings.exe, rather it is intended to be used when -performing regular expressions on binary data. - -.LINK - -http://www.exploit-monday.com -#> - - [OutputType([String])] - Param ( - [Parameter( Mandatory = $True, - Position = 0, - ValueFromPipeline = $True )] - [ValidateScript({-not (Test-Path $_ -PathType Container)})] - [String] - $Path - ) - - $FileStream = New-Object -TypeName IO.FileStream -ArgumentList (Resolve-Path $Path), 'Open', 'Read' - - # Note: Codepage 28591 returns a 1-to-1 char to byte mapping - $Encoding = [Text.Encoding]::GetEncoding(28591) - - $StreamReader = New-Object IO.StreamReader($FileStream, $Encoding) - - $BinaryText = $StreamReader.ReadToEnd() - - $StreamReader.Close() - $FileStream.Close() - - Write-Output $BinaryText -} diff --git a/ReverseEngineering/Get-Entropy.ps1 b/ReverseEngineering/Get-Entropy.ps1 deleted file mode 100644 index 42e5d28..0000000 --- a/ReverseEngineering/Get-Entropy.ps1 +++ /dev/null @@ -1,106 +0,0 @@ -function Get-Entropy -{ -<# -.SYNOPSIS - - Calculates the entropy of a file or byte array. - - PowerSploit Function: Get-Entropy - Author: Matthew Graeber (@mattifestation) - License: BSD 3-Clause - Required Dependencies: None - Optional Dependencies: None - -.PARAMETER ByteArray - - Specifies the byte array containing the data from which entropy will be calculated. - -.PARAMETER FilePath - - Specifies the path to the input file from which entropy will be calculated. - -.EXAMPLE - - C:\PS>Get-Entropy -FilePath C:\Windows\System32\kernel32.dll - -.EXAMPLE - - C:\PS>ls C:\Windows\System32\*.dll | % { Get-Entropy -FilePath $_ } - -.EXAMPLE - - C:\PS>$RandArray = New-Object Byte[](10000) - C:\PS>foreach ($Offset in 0..9999) { $RandArray[$Offset] = [Byte] (Get-Random -Min 0 -Max 256) } - C:\PS>$RandArray | Get-Entropy - - Description - ----------- - Calculates the entropy of a large array containing random bytes. - -.EXAMPLE - - C:\PS> 0..255 | Get-Entropy - - Description - ----------- - Calculates the entropy of 0-255. This should equal exactly 8. - -.OUTPUTS - - System.Double - - Get-Entropy outputs a double representing the entropy of the byte array. - -.LINK - - http://www.exploit-monday.com -#> - - [CmdletBinding()] Param ( - [Parameter(Mandatory = $True, Position = 0, ValueFromPipeline = $True, ParameterSetName = 'Bytes')] - [ValidateNotNullOrEmpty()] - [Byte[]] - $ByteArray, - - [Parameter(Mandatory = $True, Position = 0, ParameterSetName = 'File')] - [ValidateNotNullOrEmpty()] - [IO.FileInfo] - $FilePath - ) - - BEGIN - { - $FrequencyTable = @{} - $ByteArrayLength = 0 - } - - PROCESS - { - if ($PsCmdlet.ParameterSetName -eq 'File') - { - $ByteArray = [IO.File]::ReadAllBytes($FilePath.FullName) - } - - foreach ($Byte in $ByteArray) - { - $FrequencyTable[$Byte]++ - $ByteArrayLength++ - } - } - - END - { - $Entropy = 0.0 - - foreach ($Byte in 0..255) - { - $ByteProbability = ([Double] $FrequencyTable[[Byte]$Byte]) / $ByteArrayLength - if ($ByteProbability -gt 0) - { - $Entropy += -$ByteProbability * [Math]::Log($ByteProbability, 2) - } - } - - Write-Output $Entropy - } -}
\ No newline at end of file diff --git a/ReverseEngineering/Get-ILDisassembly.format.ps1xml b/ReverseEngineering/Get-ILDisassembly.format.ps1xml deleted file mode 100644 index 21115d6..0000000 --- a/ReverseEngineering/Get-ILDisassembly.format.ps1xml +++ /dev/null @@ -1,46 +0,0 @@ -<?xml version="1.0" encoding="utf-8" ?> -<Configuration> - <ViewDefinitions> - <View> - <Name>ILInstructionView</Name> - <ViewSelectedBy> - <TypeName>IL_INSTRUCTION</TypeName> - </ViewSelectedBy> - <TableControl> - <AutoSize/> - <TableHeaders> - <TableColumnHeader> - <Label>Position</Label> - </TableColumnHeader> - <TableColumnHeader> - <Label>Instruction</Label> - </TableColumnHeader> - <TableColumnHeader> - <Label>Operand</Label> - </TableColumnHeader> - <TableColumnHeader> - <Label>MetadataToken</Label> - </TableColumnHeader> - </TableHeaders> - <TableRowEntries> - <TableRowEntry> - <TableColumnItems> - <TableColumnItem> - <PropertyName>Position</PropertyName> - </TableColumnItem> - <TableColumnItem> - <PropertyName>Instruction</PropertyName> - </TableColumnItem> - <TableColumnItem> - <PropertyName>Operand</PropertyName> - </TableColumnItem> - <TableColumnItem> - <ScriptBlock>if ($_.MetadataToken) {"0x$($_.MetadataToken.ToString('X8'))"}</ScriptBlock> - </TableColumnItem> - </TableColumnItems> - </TableRowEntry> - </TableRowEntries> - </TableControl> - </View> - </ViewDefinitions> -</Configuration> diff --git a/ReverseEngineering/Get-ILDisassembly.ps1 b/ReverseEngineering/Get-ILDisassembly.ps1 deleted file mode 100644 index 6948919..0000000 --- a/ReverseEngineering/Get-ILDisassembly.ps1 +++ /dev/null @@ -1,215 +0,0 @@ -function Get-ILDisassembly
-{
-<#
-.SYNOPSIS
-
-A MSIL (Microsoft Intermediate Language) disassembler.
-
-PowerSploit Function: Get-ILDisassembly
-Author: Matthew Graeber (@mattifestation)
-License: BSD 3-Clause
-Required Dependencies: None
-Optional Dependencies: None
-
-.DESCRIPTION
-
-Get-ILDisassembly disassembles a raw MSIL byte array passed in from a MethodInfo object in a manner similar to that of Ildasm.
-
-The majority of this code was simply translated from C# (with permission) from a code example taken from: "C# 4.0 in a Nutshell", Copyright 2010, Joseph Albahari and Ben Albahari, pg. 728-733
-
-.PARAMETER MethodInfo
-
-A MethodInfo object that describes the implementation of the method and contains the IL for the method.
-
-.EXAMPLE
-
-C:\PS> [Int].GetMethod('Parse', [String]) | Get-ILDisassembly | Format-Table Position, Instruction, Operand -AutoSize
-
-Position Instruction Operand
--------- ----------- -------
-IL_0000 ldarg.0
-IL_0001 ldc.i4.7
-IL_0002 call System.Globalization.NumberFormatInfo.get_CurrentInfo
-IL_0007 call System.Number.ParseInt32
-IL_000C ret
-
-Description
------------
-Disassembles the System.Int32.Parse(String) method
-
-.EXAMPLE
-
-C:\PS> $MethodInfo = [Array].GetMethod('BinarySearch', [Type[]]([Array], [Object]))
-C:\PS> Get-ILDisassembly $MethodInfo | Format-Table Position, Instruction, Operand -AutoSize
-
-Position Instruction Operand
--------- ----------- -------
-IL_0000 ldarg.0
-IL_0001 brtrue.s IL_000E
-IL_0003 ldstr 'array'
-IL_0008 newobj System.ArgumentNullException..ctor
-IL_000D throw
-IL_000E ldarg.0
-IL_000F ldc.i4.0
-IL_0010 callvirt System.Array.GetLowerBound
-IL_0015 stloc.0
-IL_0016 ldarg.0
-IL_0017 ldloc.0
-IL_0018 ldarg.0
-IL_0019 callvirt System.Array.get_Length
-IL_001E ldarg.1
-IL_001F ldnull
-IL_0020 call System.Array.BinarySearch
-IL_0025 ret
-
-Description
------------
-Disassembles the System.Array.BinarySearch(Array, Object) method
-
-.INPUTS
-
-System.Reflection.MethodInfo, System.Reflection.ConstructorInfo
-
-A method or constructor description containing the raw IL bytecodes.
-
-.OUTPUTS
-
-System.Object
-
-Returns a custom object consisting of a position, instruction, and opcode parameter.
-
-.LINK
-
-http://www.exploit-monday.com
-http://www.albahari.com/nutshell/cs4ch18.aspx
-http://msdn.microsoft.com/en-us/library/system.reflection.emit.opcodes.aspx
-http://www.ecma-international.org/publications/files/ECMA-ST/Ecma-335.pdf
-#>
-
- Param (
- [Parameter(Mandatory = $True, ValueFromPipeline = $True)]
- [ValidateScript({$_ -is [Reflection.MethodInfo] -or $_ -is [Reflection.ConstructorInfo]})]
- [Object]
- $MethodInfo
- )
-
- if (!($MethodInfo.GetMethodBody())) {
- return
- }
-
- $IL = $MethodInfo.GetMethodBody().GetILAsByteArray()
- $MethodModule = $MethodInfo.DeclaringType.Module
-
- $OpCodeTable = @{}
-
- # Fill OpCodeTable with every OpCode so that it can be referenced by numeric byte value
- [System.Reflection.Emit.OpCodes].GetMembers() |
- ForEach-Object {
- try {
- $OpCode = $_.GetValue($null)
- $OpCodeTable[[Int16] $OpCode.Value] = $OpCode
- } catch {}
- }
-
- $Position = 0
-
- # Disassemble every instruction until the end of the IL bytecode array is reached
- while ($Position -lt $IL.Length) {
-
- # Get current instruction position
- $InstructionPostion = "IL_{0}" -f ($Position.ToString('X4'))
-
- if ($IL[$Position] -eq 0xFE) {
- # You are dealing with a two-byte opcode in this case
- $Op = $OpCodeTable[[Int16] ([BitConverter]::ToInt16($IL[($Position+1)..$Position], 0))]
- $Position++
- } else {
- # Otherwise, it's a one-byte opcode
- $Op = $OpCodeTable[[Int16] $IL[$Position]]
- }
-
- $Position++
-
- $Type = $Op.OperandType
- $Operand = $null
- $OpInt = $null
-
- if ($Type -eq 'InlineNone') {
- $OperandLength = 0
- } elseif (($Type -eq 'ShortInlineBrTarget') -or ($Type -eq 'ShortInlineI') -or ($Type -eq 'ShortInlineVar')) {
- $OperandLength = 1
-
- if ($Type -eq 'ShortInlineBrTarget') { # Short relative jump instruction
- # [SByte]::Parse was used because PowerShell doesn't handle signed bytes well
- $Target = $Position + ([SByte]::Parse($IL[$Position].ToString('X2'), 'AllowHexSpecifier')) + 1
- $Operand = "IL_{0}" -f ($Target.ToString('X4'))
- }
- } elseif ($Type -eq 'InlineVar') {
- $OperandLength = 2
- } elseif (($Type -eq 'InlineI8') -or (($Type -eq 'InlineR'))) {
- $OperandLength = 8
- } elseif ($Type -eq 'InlineSwitch') {
- # This is the only operand type with a variable number of operands
- $TargetCount = [BitConverter]::ToInt32($IL, $Position)
- $OperandLength = 4 * ($TargetCount + 1)
- $Targets = New-Object String[]($TargetCount)
-
- foreach ($i in 0..($TargetCount - 1)) {
- # Get all switch jump targets
- $Target = [BitConverter]::ToInt32($IL, ($Position + ($i + 1) * 4))
- $Targets[$i] = "IL_{0}" -f (($Position + $Target + $OperandLength).ToString('X4'))
- }
-
- $Operand = "({0})" -f ($Targets -join ',')
- } else {
- $OperandLength = 4
- $Operand = $null
-
- $OpInt = [BitConverter]::ToInt32($IL, $Position)
-
- if (($Type -eq 'InlineTok') -or ($Type -eq 'InlineMethod') -or ($Type -eq 'InlineField') -or ($Type -eq 'InlineType')) {
- # Resolve all operands with metadata tokens
- Write-Verbose "OpCode Metadata for member: $OpInt"
- try { $MemberInfo = $MethodModule.ResolveMember($OpInt) } catch { $Operand = $null }
- if (!$MemberInfo) { $Operand = $null }
-
- # Retrieve the actual name of the class and method
- if ($MemberInfo.ReflectedType) {
- $Operand = "{0}.{1}" -f ($MemberInfo.ReflectedType.Fullname), ($MemberInfo.Name)
- } elseif ($MemberInfo -is [Type]) {
- $Operand = $MemberInfo.GetType().FullName
- } else {
- $Operand = $MemberInfo.Name
- }
- } elseif ($Type -eq 'InlineString') {
- # Retrieve the referenced string
- $Operand = "`'{0}`'" -f ($MethodModule.ResolveString($OpInt))
- } elseif ($Type -eq 'InlineBrTarget') {
- $Operand = "IL_{0}" -f (($Position + $OpInt + 4).ToString('X4'))
- } else {
- $Operand = $null
- }
- }
-
- if (($OperandLength -gt 0) -and ($OperandLength -ne 4) -and ($Type -ne 'InlineSwitch') -and ($Type -ne 'ShortInlineBrTarget')) {
- # Simply print the hex for all operands with immediate values
- $Operand = "0x{0}" -f (($IL[($Position+$OperandLength-1)..$Position] | ForEach-Object { $_.ToString('X2') }) -join '')
- }
-
- $Instruction = @{
- Position = $InstructionPostion
- Instruction = $Op
- Operand = $Operand
- MetadataToken = $OpInt
- }
-
- # Return a custom object containing a position, instruction, and fully-qualified operand
- $InstructionObject = New-Object PSObject -Property $Instruction
- $InstructionObject.PSObject.TypeNames.Insert(0, 'IL_INSTRUCTION')
-
- $InstructionObject
-
- # Adjust the position in the opcode array accordingly
- $Position += $OperandLength
- }
-}
diff --git a/ReverseEngineering/Get-Member.ps1 b/ReverseEngineering/Get-Member.ps1 deleted file mode 100644 index 2f04deb..0000000 --- a/ReverseEngineering/Get-Member.ps1 +++ /dev/null @@ -1,369 +0,0 @@ -function Get-Member
-{
-<#
-.SYNOPSIS
-
-Gets the properties and methods of objects.
-
-PowerSploit Proxy Function: Get-Member
-Author: Matthew Graeber (@mattifestation)
-License: BSD 3-Clause (Except for the help documentation derived from the original Get-Member)
-Required Dependencies: None
-Optional Dependencies: None
-
-.DESCRIPTION
-
-The Get-Member cmdlet gets the "members" (properties and methods) of objects.
-
-To specify the object, use the InputObject parameter or pipe an object to Get-Member. To retrieve information about static members (members of the class, not of the instance), use the Static parameter. To get only certain types of members, such as NoteProperties, use the MemberType parameter.
-
-.PARAMETER Private
-
-Gets only the non-public members of the object.
-
-These members are typically not exposed and are extracted using reflection.
-
-.PARAMETER Static
-
-Gets only the static properties and methods of the object.
-
-Static properties and methods are defined on the class of objects, not on any particular instance of the class.
-
-If you use the Static parameter with the View parameter, the View parameter is ignored. If you use the Static parameter with the MemberType parameter, Get-Member gets only the members that belong to both sets.
-
-.PARAMETER Force
-
-Adds the intrinsic members (PSBase, PSAdapted, PSObject, PSTypeNames) and the compiler-generated get_, set_, op_, .ctor, and .cctor methods to the display. By default, Get-Member gets these properties in all views other than "Base" and "Adapted," but it does not display them.
-
-The following list describes the properties that are added when you use the Force parameter:
-
--- PSBase: The original properties of the .NET Framework object without extension or adaptation. These are the properties defined for the object class and listed in MSDN.
--- PSAdapted: The properties and methods defined in the Windows PowerShell extended type system.
--- PSExtended: The properties and methods that were added in the Types.ps1xml files or by using the Add-Member cmdlet.
--- PSObject: The adapter that converts the base object to a Windows PowerShell PSObject object.
--- PSTypeNames: A list of object types that describe the object, in order of specificity. When formatting the object, Windows PowerShell searches for the types in the Format.ps1xml files in the Windows PowerShell installation directory ($pshome). It uses the formatting definition for the first type that it finds.
--- get_*: The object's getter methods
--- set_*: The object's setter methods
--- op_*: The object's operator methods
--- .ctor: The object's constructor
--- .cctor: The object's copy constructor
-
-.PARAMETER InputObject
-
-Specifies the object whose members are retrieved.
-
-Using the InputObject parameter is not the same as piping an object to Get-Member. The differences are as follows:
-
--- When you pipe a collection of objects to Get-Member, Get-Member gets the members of the individual objects in the collection, such as the properties of the integers in an array of integers.
-
--- When you use InputObject to submit a collection of objects, Get-Member gets the members of the collection, such as the properties of the array in an array of integers.
-
-.PARAMETER PrivateMemberType
-
-When the 'Private' parameter is specified, only members with the specified member type. The default is All.
-
-The valid values for this parameter are:
-
--- Constructor: A constructor method of the underlying .NET Framework object.
--- Event: Indicates that the object sends a message to indicate an action or a change in state.
--- Field: A private field of the underlying .NET Framework object.
--- Method: A method of the underlying .NET Framework object.
--- Property: A property of the underlying .NET Framework object.
--- TypeInfo: A type of the underlying .NET Framework object.
--- Custom: A custom member type
--- NestedType: A nested type of the underlying .NET Framework object.
-
--- All: Gets all member types.
-
-.PARAMETER MemberType
-
-Gets only members with the specified PowerShell member type. The default is All.
-
-The valid values for this parameter are:
-
--- AliasProperty: A property that defines a new name for an existing property.
--- CodeMethod: A method that references a static method of a .NET Framework class.
--- CodeProperty: A property that references a static property of a .NET Framework class.
--- Event: Indicates that the object sends a message to indicate an action or a change in state.
--- MemberSet: A predefined collection of properties and methods, such as PSBase, PSObject, and PSTypeNames.
--- Method: A method of the underlying .NET Framework object.
--- NoteProperty: A property with a static value.
--- ParameterizedProperty: A property that takes parameters and parameter values.
--- Property: A property of the underlying .NET Framework object.
--- PropertySet: A predefined collection of object properties.
--- ScriptMethod: A method whose value is the output of a script.
--- ScriptProperty: A property whose value is the output of a script.
-
--- All: Gets all member types.
--- Methods: Gets all types of methods of the object (for example, Method, CodeMethod, ScriptMethod).
--- Properties: Gets all types of properties of the object (for example, Property, CodeProperty, AliasProperty, ScriptProperty).
-
-Not all objects have every type of member. If you specify a member type that the object does not have, Windows PowerShell returns a null value.
-
-To get related types of members, such as all extended members, use the View parameter. If you use the MemberType parameter with the Static or View parameters, Get-Member gets the members that belong to both sets.
-
-.PARAMETER Name
-
-Specifies the names of one or more properties or methods of the object. Get-Member gets only the specified properties and methods.
-
-If you use the Name parameter with the MemberType, View, or Static parameters, Get-Member gets only the members that satisfy the criteria of all parameters.
-
-To get a static member by name, use the Static parameter with the Name parameter.
-
-.PARAMETER View
-
-Gets only particular types of members (properties and methods). Specify one or more of the values. The default is "Adapted, Extended".
-
-Valid values are:
--- Base: Gets only the original properties and methods of the .NET Framework object (without extension or adaptation).
--- Adapted: Gets only the properties and methods defined in the Windows PowerShell extended type system.
--- Extended: Gets only the properties and methods that were added in the Types.ps1xml files or by using the Add-Member cmdlet.
--- All: Gets the members in the Base, Adapted, and Extended views.
-
-The View parameter determines the members retrieved, not just the display of those members.
-
-To get particular member types, such as script properties, use the MemberType parameter. If you use the MemberType and View parameters in the same command, Get-Member gets the members that belong to both sets. If you use the Static and View parameters in the same command, the View parameter is ignored.
-
-.EXAMPLE
-
-C:\PS> [String] | Get-Member -Static -Private
-
-Description
------------
-Returns all staic, non-public members of the String class.
-
-.EXAMPLE
-
-C:\PS> [Diagnostics.Process] | Get-Member -Private -PrivateMemberType Method
-
-Description
------------
-Returns all non-public instance methods of the Diagnostics.Process class
-
-.EXAMPLE
-
-C:\PS> "Hello, World" | Get-Member -Private -Force
-
-Description
------------
-Returns all instance members including those with special names (like .ctor) of the string instance
-
-.LINK
-
-http://www.exploit-monday.com/2012/08/surgical-net-dissection.html
-
-#>
- [CmdletBinding(DefaultParameterSetName = 'Default')]
- Param (
- [Parameter(ValueFromPipeline=$true, ParameterSetName = 'Default')]
- [Parameter(ValueFromPipeline=$true, ParameterSetName = 'Private')]
- [System.Management.Automation.PSObject]
- $InputObject,
-
- [Parameter(Position=0, ParameterSetName = 'Default')]
- [Parameter(Position=0, ParameterSetName = 'Private')]
- [ValidateNotNullOrEmpty()]
- [System.String[]]
- $Name,
-
- [Parameter(ParameterSetName = 'Default')]
- [Alias('Type')]
- [System.Management.Automation.PSMemberTypes]
- $MemberType,
-
- [Parameter(ParameterSetName = 'Private')]
- [System.Reflection.MemberTypes]
- $PrivateMemberType = [System.Reflection.MemberTypes]::All,
-
- [Parameter(ParameterSetName = 'Default')]
- [System.Management.Automation.PSMemberViewTypes]
- $View,
-
- [Parameter(ParameterSetName = 'Default')]
- [Parameter(ParameterSetName = 'Private')]
- [Switch]
- $Static,
-
- [Parameter(ParameterSetName = 'Default')]
- [Parameter(ParameterSetName = 'Private')]
- [Switch]
- $Force,
-
- [Parameter(ParameterSetName = 'Private')]
- [Switch]
- $Private
- )
-
- BEGIN
- {
- try {
- $outBuffer = $null
- if ($PSBoundParameters.TryGetValue('OutBuffer', [ref]$outBuffer))
- {
- $PSBoundParameters['OutBuffer'] = 1
- }
- $wrappedCmd = $ExecutionContext.InvokeCommand.GetCommand('Microsoft.PowerShell.Utility\Get-Member', [System.Management.Automation.CommandTypes]::Cmdlet)
- # Redirect the output of the command to $out variable
- $null = $PSBoundParameters.Add('OutVariable', 'out')
- # Redirect original output to $null
- if ($PSBoundParameters['Private']) {
- $null = $PSBoundParameters.Remove('Private')
- $Private = $True
- }
- if ($PSBoundParameters['PrivateMemberType']) {
- $PrivateMemberType = $PSBoundParameters['PrivateMemberType']
- $null = $PSBoundParameters.Remove('PrivateMemberType')
- }
- $scriptCmd = {& $wrappedCmd @PSBoundParameters | Out-Null }
- $steppablePipeline = $scriptCmd.GetSteppablePipeline($myInvocation.CommandOrigin)
- $steppablePipeline.Begin($PSCmdlet)
- } catch {
- }
- }
-
- PROCESS
- {
- try {
- $steppablePipeline.Process($_)
- } catch {
- }
- }
-
- END
- {
- try {
- $steppablePipeline.End()
- if ($Private) {
-
- $Object = $PSBoundParameters['InputObject']
- if ($Object.GetType().FullName -ne 'System.RuntimeType') {
- # If InputObject is an instance of an object, get its type
- # Otherwise, it's assumed that what was passed in was already a type
- $Object = $Object.GetType()
- }
-
- if ($PSBoundParameters['Static']) {
- $Flags = 'Static, NonPublic'
-
- # Retrieve all static, nonpublic members except for constructors
- $Types = foreach ($Val in [Enum]::GetValues([System.Reflection.MemberTypes])) {
- $Object.GetMembers($Flags) | Where-Object { ($_.MemberType -eq ($Val.value__ -band $PrivateMemberType)) -and ($Val -ne [System.Reflection.MemberTypes]::All) -and ($_.MemberType -ne 'Constructor') }
- }
-
- # Retrieve all static constructors (both public and nonpublic)
- # Public constructors are retrieved because the original 'Get-Member -Force' does not retrieve constructors
- $Types += $Object.GetConstructors('Static, NonPublic, Public')
- } else {
- $Flags = 'Instance, NonPublic'
-
- # Retrieve all instance, nonpublic members except for constructors
- $Types = foreach ($Val in [Enum]::GetValues([System.Reflection.MemberTypes])) {
- $Object.GetMembers($Flags) | Where-Object { ($_.MemberType -eq ($Val.value__ -band $PrivateMemberType)) -and ($Val -ne [System.Reflection.MemberTypes]::All) -and ($_.MemberType -ne 'Constructor') }
- }
-
- # Retrieve all instance constructors (both public and nonpublic)
- # Public constructors are retrieved because the original 'Get-Member -Force' does not retrieve constructors
- $Types += $Object.GetConstructors('Instance, NonPublic, Public')
- }
-
- # Filter out types with special names if '-Force' is not specified
- if (!$Force) {
- $Types = $Types | Where-Object { !$_.IsSpecialName }
- }
-
- $TypeTable = @{}
-
- # For each type, build an array of object equivalent to an array of Microsoft.PowerShell.Commands.MemberDefinition objects.
- # An array of custom objects is required because the MemberDefinition object doesn't take System.Reflection.MemberTypes
- # objects in its constructor.
- $Results = $Types | ForEach-Object {
-
- $Type = $_
-
- switch ($Type.MemberType) {
- 'Constructor' {
- $Parameters = ($Type.GetParameters() | % {$_.ParameterType.FullName}) -join ', '
- $Definition = "$(if ($Type.IsStatic){'static '})$($Type.Name)($($Parameters))"
- }
- 'Field' {
- $Definition = "$(if ($Type.IsStatic){'static '})$($Type.FieldType)"
- }
- 'Method' {
- $Parameters = ($Type.GetParameters() | % {$_.ParameterType.FullName}) -join ', '
- $Definition = "$(if ($Type.IsStatic){'static '})$($Type.ReturnType) $($Type.Name)($($Parameters))"
- }
- 'Property' {
- $Definition = "$(if ($Type.IsStatic){'static '})$($Type.PropertyType) $($Type.Name) {$(if ($Type.CanRead){'get;'})$(if ($Type.CanWrite){'set;'})}"
- }
- 'NestedType' {
- $Definition = "$(if ($Type.IsStatic){'static '})$($Type.FullName) BaseType=$($Type.BaseType)"
- }
- 'Event' {
- $Parameters = ($Type.GetAddMethod().GetParameters() | % {$_.ParameterType.FullName}) -join ', '
- $Definition = "$(if ($Type.IsStatic){'static '})$($Type.EventHandlerType) $($Type.Name)(System.Object, $($Parameters))"
- }
- }
-
- # Identical properties as the Microsoft.PowerShell.Commands.MemberDefinition object
- $InternalMemberType = @{
- TypeName = $Type.DeclaringType.FullName
- Name = $Type.Name
- MemberType = $Type.MemberType
- Definition = $Definition
- }
-
- New-Object PSObject -Property $InternalMemberType
- }
-
- # For members with the same name, compress them into an array that will be stored in a hashtable
- $Results | ForEach-Object {
- $TypeTable["$($_.Name)"] += @($_)
- }
-
- $Results = foreach ($Type in $TypeTable.Keys) {
- $ReturnType = @{
- TypeName = $TypeTable[$Type][0].TypeName
- Name = $TypeTable[$Type][0].Name
- MemberType = $TypeTable[$Type][0].MemberType
- # Append each definition into a single definition.
- # This behavior is indentical to what the unmodified
- # Get-Member does.
- Definition = ($TypeTable[$Type] | ForEach-Object { $_.Definition }) -join ', '
- }
-
- $MemberDef = New-Object PSObject -Property $ReturnType
- <#
- Cool trick. Even though the custom object is actually a Microsoft.PowerShell.Commands.MemberDefinition
- object, you can trick it into thinking it is so that it will display the same way the result of the
- original Get-Member cmdlet would.
- #>
- $MemberDef.PSObject.TypeNames.Insert(0, 'Microsoft.PowerShell.Commands.MemberDefinition')
- $MemberDef
- }
-
- # If '-Name' parameter is specified, only return members matching the name specified
- if ($PSBoundParameters['Name']) {
- $MemberNames = [String[]] $PSBoundParameters['Name']
-
- $Tmp = New-Object PSObject[](0)
-
- foreach ($MemberName in $MemberNames) {
- $Tmp += $Results | Where-Object { $_.Name -eq $MemberName }
- }
-
- $Results = $Tmp
- }
-
- # Return the results if the results are non-null
- if ($Results.Count) {
- $Results | Sort-Object TypeName, MemberType, Name
- }
- } else {
- # If '-Private' is not set, return the results of the original Get-Member cmdlet
- $out | Sort-Object TypeName, MemberType, Name
- }
- } catch {
- }
- }
-}
-
diff --git a/ReverseEngineering/Get-MethodAddress.ps1 b/ReverseEngineering/Get-MethodAddress.ps1 deleted file mode 100644 index 1ab0d41..0000000 --- a/ReverseEngineering/Get-MethodAddress.ps1 +++ /dev/null @@ -1,120 +0,0 @@ -function Get-MethodAddress -{ -<# -.SYNOPSIS - -Get the unmanaged function address of a .NET method. - -PowerSploit Function: Get-MethodAddress -Author: Matthew Graeber (@mattifestation) -License: BSD 3-Clause -Required Dependencies: None -Optional Dependencies: None - -.DESCRIPTION - -Get-MethodAddress aids in the process of reverse engineering and exploitation by returning an unmanaged function pointer to any .NET method. This method is useful for those interested in seeing what JITed MSIL opcodes look like in their assembly language representation. - -For example, here is the MSIL representation of [System.IntPtr].ToPointer: -0x02 ldarg.0 -0x7B,0x53,0x04,0x00,0x04 ldfld void* System.IntPtr::m_value -0x2A ret - -After calling Get-MethodAddress and inspecting it in WinDbg, here is the x86_64 ASM representation: -C:\PS> Get-MethodAddress ([IntPtr].GetMethod('ToPointer')) -0x000007FF35544CC0 - -mscorlib_ni+0xd04cc0: -000007ff`35544cc0 488b01 mov rax,qword ptr [rcx] -000007ff`35544cc3 c3 ret -000007ff`35544cc4 cc int 3 - -This MSIL to ASM translation makes sense because all the assembly instructions are doing is dereferencing the pointer in rcx. - -.PARAMETER MethodInfo - -The method whose unmanaged address will be returned. - -.EXAMPLE - -C:\PS> Get-MethodAddress ([String].GetMethod('Trim', [Type[]]@())) - -Description ------------ -Returns the unmanaged address of [System.Object].Trim() method. - -.EXAMPLE - -C:\PS> [Int].Module.GetTypes().GetMethods() | ForEach-Object {Get-MethodAddress $_ -ErrorAction SilentlyContinue -WarningAction SilentlyContinue} - -Description ------------ -Returns an unmanaged address for every method (in which an address can be returned) in mscorlib. - -.OUTPUTS - -System.String - -A hexadecimal representation of the method address. - -.NOTES - -Not all methods will be able to return an address. For example, methods with implementation flags of AggressiveInlining, Synchronized, or CodeTypeMask will not return an address. Also note that any InternalCall method will return the same pointer every time because the CLR determines its address at runtime. - -Lastly, note that the MSIL opcodes used to implement this cmdlet are unverifiable. This means for example, that this technique won't aid exploiting Silverlight applications. :'( - -.LINK - -http://www.exploit-monday.com/2012/11/Get-MethodAddress.html -#> - - [CmdletBinding()] Param ( - [Parameter(Mandatory = $True, ValueFromPipeline = $True)] - [System.Reflection.MethodInfo] - $MethodInfo - ) - - if ($MethodInfo.MethodImplementationFlags -eq 'InternalCall') - { - Write-Warning "$($MethodInfo.Name) is an InternalCall method. These methods always point to the same address." - } - - if ([IntPtr]::Size -eq 4) - { - $ReturnType = [UInt32] - } - else - { - $ReturnType = [UInt64] - } - - $Domain = [AppDomain]::CurrentDomain - $DynAssembly = New-Object System.Reflection.AssemblyName('MethodLeakAssembly') - # Assemble in memory - $AssemblyBuilder = $Domain.DefineDynamicAssembly($DynAssembly, [System.Reflection.Emit.AssemblyBuilderAccess]::Run) - $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule('MethodLeakModule') - $TypeBuilder = $ModuleBuilder.DefineType('MethodLeaker', [System.Reflection.TypeAttributes]::Public) - # Declaration of the LeakMethod method - $MethodBuilder = $TypeBuilder.DefineMethod('LeakMethod', [System.Reflection.MethodAttributes]::Public -bOr [System.Reflection.MethodAttributes]::Static, $ReturnType, $null) - $Generator = $MethodBuilder.GetILGenerator() - - # Push unmanaged pointer to MethodInfo onto the evaluation stack - $Generator.Emit([System.Reflection.Emit.OpCodes]::Ldftn, $MethodInfo) - $Generator.Emit([System.Reflection.Emit.OpCodes]::Ret) - - # Assemble everything - $Type = $TypeBuilder.CreateType() - $Method = $Type.GetMethod('LeakMethod') - - try - { - # Call the method and return its JITed address - $Address = $Method.Invoke($null, @()) - - Write-Output (New-Object IntPtr -ArgumentList $Address) - } - catch [System.Management.Automation.MethodInvocationException] - { - Write-Error "$($MethodInfo.Name) cannot return an unmanaged address." - } -} diff --git a/ReverseEngineering/Get-NtSystemInformation.format.ps1xml b/ReverseEngineering/Get-NtSystemInformation.format.ps1xml deleted file mode 100644 index fa3ed41..0000000 --- a/ReverseEngineering/Get-NtSystemInformation.format.ps1xml +++ /dev/null @@ -1,440 +0,0 @@ -<?xml version="1.0" encoding="utf-8" ?> -<Configuration> - <ViewDefinitions> - <View> - <Name>SystemModuleView</Name> - <ViewSelectedBy> - <TypeName>_SYSTEM_MODULE</TypeName> - </ViewSelectedBy> - <TableControl> - <AutoSize/> - <TableHeaders> - <TableColumnHeader> - <Label>ImageBaseAddress</Label> - </TableColumnHeader> - <TableColumnHeader> - <Label>ImageSize</Label> - </TableColumnHeader> - <TableColumnHeader> - <Label>Flags</Label> - </TableColumnHeader> - <TableColumnHeader> - <Label>Index</Label> - </TableColumnHeader> - <TableColumnHeader> - <Label>Rank</Label> - </TableColumnHeader> - <TableColumnHeader> - <Label>LoadCount</Label> - </TableColumnHeader> - <TableColumnHeader> - <Label>NameOffset</Label> - </TableColumnHeader> - <TableColumnHeader> - <Label>Name</Label> - </TableColumnHeader> - </TableHeaders> - <TableRowEntries> - <TableRowEntry> - <TableColumnItems> - <TableColumnItem> - <ScriptBlock>"0x$($_.ImageBaseAddress.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock> - </TableColumnItem> - <TableColumnItem> - <PropertyName>ImageSize</PropertyName> - <FormatString>0x{0:X8}</FormatString> - </TableColumnItem> - <TableColumnItem> - <PropertyName>Flags</PropertyName> - <FormatString>0x{0:X8}</FormatString> - </TableColumnItem> - <TableColumnItem> - <PropertyName>Index</PropertyName> - <FormatString>0x{0:X4}</FormatString> - </TableColumnItem> - <TableColumnItem> - <PropertyName>Rank</PropertyName> - <FormatString>0x{0:X4}</FormatString> - </TableColumnItem> - <TableColumnItem> - <PropertyName>LoadCount</PropertyName> - <FormatString>0x{0:X4}</FormatString> - </TableColumnItem> - <TableColumnItem> - <PropertyName>NameOffset</PropertyName> - <FormatString>0x{0:X4}</FormatString> - </TableColumnItem> - <TableColumnItem> - <ScriptBlock>$_.Name -replace '\\SystemRoot', $Env:SystemRoot</ScriptBlock> - </TableColumnItem> - </TableColumnItems> - </TableRowEntry> - </TableRowEntries> - </TableControl> - </View> - <View> - <Name>SystemLockView</Name> - <ViewSelectedBy> - <TypeName>_SYSTEM_LOCK_INFORMATION</TypeName> - </ViewSelectedBy> - <TableControl> - <TableHeaders> - <TableColumnHeader> - <Label>Address</Label> - </TableColumnHeader> - <TableColumnHeader> - <Label>Type</Label> - </TableColumnHeader> - <TableColumnHeader> - <Label>ExclusiveOwnerThreadId</Label> - </TableColumnHeader> - <TableColumnHeader> - <Label>ActiveCount</Label> - </TableColumnHeader> - <TableColumnHeader> - <Label>ContentionCount</Label> - </TableColumnHeader> - <TableColumnHeader> - <Label>NumberOfSharedWaiters</Label> - </TableColumnHeader> - <TableColumnHeader> - <Label>NumberOfExclusiveWaiters</Label> - </TableColumnHeader> - </TableHeaders> - <TableRowEntries> - <TableRowEntry> - <TableColumnItems> - <TableColumnItem> - <ScriptBlock>"0x$($_.Address.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock> - </TableColumnItem> - <TableColumnItem> - <PropertyName>Type</PropertyName> - <FormatString>0x{0:X4}</FormatString> - </TableColumnItem> - <TableColumnItem> - <PropertyName>ExclusiveOwnerThreadId</PropertyName> - <FormatString>0x{0:X4}</FormatString> - </TableColumnItem> - <TableColumnItem> - <PropertyName>ActiveCount</PropertyName> - <FormatString>0x{0:X8}</FormatString> - </TableColumnItem> - <TableColumnItem> - <PropertyName>ContentionCount</PropertyName> - <FormatString>0x{0:X8}</FormatString> - </TableColumnItem> - <TableColumnItem> - <PropertyName>NumberOfSharedWaiters</PropertyName> - <FormatString>0x{0:X8}</FormatString> - </TableColumnItem> - <TableColumnItem> - <PropertyName>NumberOfExclusiveWaiters</PropertyName> - <FormatString>0x{0:X8}</FormatString> - </TableColumnItem> - </TableColumnItems> - </TableRowEntry> - </TableRowEntries> - </TableControl> - </View> - <View> - <Name>PoolTagView</Name> - <ViewSelectedBy> - <TypeName>_SYSTEM_POOL_TAG_INFORMATION</TypeName> - </ViewSelectedBy> - <TableControl> - <AutoSize/> - <TableHeaders> - <TableColumnHeader> - <Label>Tag</Label> - </TableColumnHeader> - <TableColumnHeader> - <Label>PagedPoolAllocs</Label> - </TableColumnHeader> - <TableColumnHeader> - <Label>PagedPoolFrees</Label> - </TableColumnHeader> - <TableColumnHeader> - <Label>PagedPoolUsage</Label> - </TableColumnHeader> - <TableColumnHeader> - <Label>NonPagedPoolAllocs</Label> - </TableColumnHeader> - <TableColumnHeader> - <Label>NonPagedPoolFrees</Label> - </TableColumnHeader> - <TableColumnHeader> - <Label>NonPagedPoolUsage</Label> - </TableColumnHeader> - </TableHeaders> - <TableRowEntries> - <TableRowEntry> - <TableColumnItems> - <TableColumnItem> - <PropertyName>Tag</PropertyName> - </TableColumnItem> - <TableColumnItem> - <PropertyName>PagedPoolAllocs</PropertyName> - <FormatString>0x{0:X8}</FormatString> - </TableColumnItem> - <TableColumnItem> - <PropertyName>PagedPoolFrees</PropertyName> - <FormatString>0x{0:X8}</FormatString> - </TableColumnItem> - <TableColumnItem> - <PropertyName>PagedPoolUsage</PropertyName> - <FormatString>0x{0:X8}</FormatString> - </TableColumnItem> - <TableColumnItem> - <PropertyName>NonPagedPoolAllocs</PropertyName> - <FormatString>0x{0:X8}</FormatString> - </TableColumnItem> - <TableColumnItem> - <PropertyName>NonPagedPoolFrees</PropertyName> - <FormatString>0x{0:X8}</FormatString> - </TableColumnItem> - <TableColumnItem> - <PropertyName>NonPagedPoolUsage</PropertyName> - <FormatString>0x{0:X8}</FormatString> - </TableColumnItem> - </TableColumnItems> - </TableRowEntry> - </TableRowEntries> - </TableControl> - </View> - <View> - <Name>SystemHandleView</Name> - <ViewSelectedBy> - <TypeName>_SYSTEM_HANDLE_INFORMATION</TypeName> - </ViewSelectedBy> - <TableControl> - <TableHeaders> - <TableColumnHeader> - <Label>UniqueProcessId</Label> - </TableColumnHeader> - <TableColumnHeader> - <Label>CreatorBackTraceIndex</Label> - </TableColumnHeader> - <TableColumnHeader> - <Label>ObjectType</Label> - </TableColumnHeader> - <TableColumnHeader> - <Label>HandleAttribute</Label> - </TableColumnHeader> - <TableColumnHeader> - <Label>HandleValue</Label> - </TableColumnHeader> - <TableColumnHeader> - <Label>Object</Label> - </TableColumnHeader> - <TableColumnHeader> - <Label>GrantedAccess</Label> - </TableColumnHeader> - </TableHeaders> - <TableRowEntries> - <TableRowEntry> - <TableColumnItems> - <TableColumnItem> - <PropertyName>UniqueProcessId</PropertyName> - <FormatString>0x{0:X4}</FormatString> - </TableColumnItem> - <TableColumnItem> - <PropertyName>CreatorBackTraceIndex</PropertyName> - <FormatString>0x{0:X4}</FormatString> - </TableColumnItem> - <TableColumnItem> - <PropertyName>ObjectType</PropertyName> - </TableColumnItem> - <TableColumnItem> - <PropertyName>HandleAttribute</PropertyName> - </TableColumnItem> - <TableColumnItem> - <PropertyName>HandleValue</PropertyName> - <FormatString>0x{0:X4}</FormatString> - </TableColumnItem> - <TableColumnItem> - <ScriptBlock>"0x$($_.Object.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock> - </TableColumnItem> - <TableColumnItem> - <PropertyName>GrantedAccess</PropertyName> - </TableColumnItem> - </TableColumnItems> - </TableRowEntry> - </TableRowEntries> - </TableControl> - </View> - <View> - <Name>GenericMappingView</Name> - <ViewSelectedBy> - <TypeName>_GENERIC_MAPPING</TypeName> - </ViewSelectedBy> - <TableControl> - <AutoSize/> - <TableHeaders> - <TableColumnHeader> - <Label>GenericRead</Label> - </TableColumnHeader> - <TableColumnHeader> - <Label>GenericWrite</Label> - </TableColumnHeader> - <TableColumnHeader> - <Label>GenericExecute</Label> - </TableColumnHeader> - <TableColumnHeader> - <Label>GenericAll</Label> - </TableColumnHeader> - </TableHeaders> - <TableRowEntries> - <TableRowEntry> - <TableColumnItems> - <TableColumnItem> - <PropertyName>GenericRead</PropertyName> - <FormatString>0x{0:X8}</FormatString> - </TableColumnItem> - <TableColumnItem> - <PropertyName>GenericWrite</PropertyName> - <FormatString>0x{0:X8}</FormatString> - </TableColumnItem> - <TableColumnItem> - <PropertyName>GenericExecute</PropertyName> - <FormatString>0x{0:X8}</FormatString> - </TableColumnItem> - <TableColumnItem> - <PropertyName>GenericAll</PropertyName> - <FormatString>0x{0:X8}</FormatString> - </TableColumnItem> - </TableColumnItems> - </TableRowEntry> - </TableRowEntries> - </TableControl> - </View> - <View> - <Name>ObjectTypeView</Name> - <ViewSelectedBy> - <TypeName>_SYSTEM_OBJECTTYPE_INFORMATION</TypeName> - </ViewSelectedBy> - <ListControl> - <ListEntries> - <ListEntry> - <ListItems> - <ListItem> - <PropertyName>NumberOfObjects</PropertyName> - <FormatString>0x{0:X8}</FormatString> - </ListItem> - <ListItem> - <PropertyName>NumberOfHandles</PropertyName> - <FormatString>0x{0:X8}</FormatString> - </ListItem> - <ListItem> - <PropertyName>TypeIndex</PropertyName> - <FormatString>0x{0:X8}</FormatString> - </ListItem> - <ListItem> - <PropertyName>InvalidAttributes</PropertyName> - </ListItem> - <ListItem> - <PropertyName>GenericMapping</PropertyName> - </ListItem> - <ListItem> - <PropertyName>ValidAccessMask</PropertyName> - </ListItem> - <ListItem> - <PropertyName>PoolType</PropertyName> - </ListItem> - <ListItem> - <PropertyName>SecurityRequired</PropertyName> - <FormatString>0x{0:X2}</FormatString> - </ListItem> - <ListItem> - <PropertyName>WaitableObject</PropertyName> - <FormatString>0x{0:X2}</FormatString> - </ListItem> - <ListItem> - <PropertyName>TypeName</PropertyName> - </ListItem> - <ListItem> - <PropertyName>Objects</PropertyName> - </ListItem> - </ListItems> - </ListEntry> - </ListEntries> - </ListControl> - </View> - <View> - <Name>ObjectView</Name> - <ViewSelectedBy> - <TypeName>_SYSTEM_OBJECT_INFORMATION</TypeName> - </ViewSelectedBy> - <ListControl> - <ListEntries> - <ListEntry> - <ListItems> - <ListItem> - <Label>Object</Label> - <ScriptBlock>"0x$($_.Object.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock> - </ListItem> - <ListItem> - <Label>CreatorUniqueProcess</Label> - <ScriptBlock>"0x$($_.CreatorUniqueProcess.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock> - </ListItem> - <ListItem> - <PropertyName>CreatorBackTraceIndex</PropertyName> - <FormatString>0x{0:X4}</FormatString> - </ListItem> - <ListItem> - <PropertyName>Flags</PropertyName> - </ListItem> - <ListItem> - <PropertyName>PointerCount</PropertyName> - <FormatString>0x{0:X8}</FormatString> - </ListItem> - <ListItem> - <PropertyName>HandleCount</PropertyName> - <FormatString>0x{0:X8}</FormatString> - </ListItem> - <ListItem> - <PropertyName>PagedPoolCharge</PropertyName> - <FormatString>0x{0:X8}</FormatString> - </ListItem> - <ListItem> - <PropertyName>NonPagedPoolCharge</PropertyName> - <FormatString>0x{0:X8}</FormatString> - </ListItem> - <ListItem> - <Label>ExclusiveProcessId</Label> - <ScriptBlock>"0x$($_.ExclusiveProcessId.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock> - </ListItem> - <ListItem> - <Label>SecurityDescriptor</Label> - <ScriptBlock>"0x$($_.SecurityDescriptor.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock> - </ListItem> - <ListItem> - <PropertyName>NameInfo</PropertyName> - </ListItem> - </ListItems> - </ListEntry> - </ListEntries> - </ListControl> - </View> - <View> - <Name>CodeIntegrityTypeView</Name> - <ViewSelectedBy> - <TypeName>_SYSTEM_CODEINTEGRITY_INFORMATION</TypeName> - </ViewSelectedBy> - <ListControl> - <ListEntries> - <ListEntry> - <ListItems> - <ListItem> - <PropertyName>CodeIntegrityOptions</PropertyName> - <FormatString>0x{0:X8}</FormatString> - </ListItem> - <ListItem> - <PropertyName>LockdownState</PropertyName> - </ListItem> - </ListItems> - </ListEntry> - </ListEntries> - </ListControl> - </View> - </ViewDefinitions> -</Configuration> diff --git a/ReverseEngineering/Get-NtSystemInformation.ps1 b/ReverseEngineering/Get-NtSystemInformation.ps1 deleted file mode 100644 index 2bde8f6..0000000 --- a/ReverseEngineering/Get-NtSystemInformation.ps1 +++ /dev/null @@ -1,1082 +0,0 @@ -function Get-NtSystemInformation -{ -<# -.SYNOPSIS - - Returns various forms of internal OS information. - - PowerSploit Function: Get-NtSystemInformation - Author: Matthew Graeber (@mattifestation) - License: BSD 3-Clause - Required Dependencies: None - Optional Dependencies: None - -.DESCRIPTION - - Get-NtSystemInformation is a utility that calls and parses the output of the - ntdll!NtQuerySystemInformation function. This utility can be used to query - internal OS information that is typically not made visible to a user. - -.PARAMETER PoolTagInformation - - Returns information on tagged kernel pool allocations. - -.PARAMETER ModuleInformation - - Returns loaded kernel module information. - -.PARAMETER HandleInformation - - Returns handle information about user-mode handles and their respective - address in the kernel. - -.PARAMETER ObjectType - - Specifies the object type to be returned when listing handles. The following - types are permitted: - - Adapter, ALPC Port, Callback, CompositionSurface, Controller, DebugObject, - Desktop, Device, Directory, Driver, DxgkSharedResource, DxgkSharedSyncObject, - EtwConsumer, EtwRegistration, Event, EventPair, File, FilterCommunicationPort, - FilterConnectionPort, IoCompletion, IoCompletionReserve, IRTimer, Job, Key, - KeyedEvent, Mutant, PcwObject, Port, PowerRequest, Process, Profile, Section, - Semaphore, Session, SymbolicLink, Thread, Timer, TmEn, TmRm, TmTm, TmTx, Token, - TpWorkerFactory, Type, UserApcReserve, WaitablePort, WaitCompletionPacket, - WindowStation, WmiGuid - -.PARAMETER ObjectInformation - - Returns information about user-mode objects and their respective kernel pool - allocations. - -.PARAMETER CodeIntegrityInformation - - Returns user-mode code integrity flags. - -.PARAMETER GlobalFlags - - Returns a list of all enabled global flags. - -.EXAMPLE - - C:\PS> Get-NtSystemInformation -PoolTagInformation - - Description - ----------- - Returns information on tagged kernel pool allocations. The output is similar - to that of poolmon.exe. The output is the result of parsing _SYSTEM_POOLTAG - structures. - -.EXAMPLE - - C:\PS> Get-NtSystemInformation -ModuleInformation - - Description - ----------- - Returns loaded kernel module information including the base address of - loaded kernel modules. The output is the result of parsing the - undocumented _SYSTEM_MODULE_INFORMATION structure. - -.EXAMPLE - - C:\PS> Get-NtSystemInformation -HandleInformation - - Description - ----------- - Returns handle information about user-mode handles and their respective - address in the kernel. The output is similar to that of handle.exe but - doesn't require an elevated prompt. handle.exe also doesn't display the - kernel address of the object that the handle represents. The output is the - result of parsing _SYSTEM_HANDLE_TABLE_ENTRY_INFO structures. - -.EXAMPLE - - C:\PS> Get-NtSystemInformation -ObjectInformation - - Description - ----------- - Returns information about user-mode objects and their respective kernel pool - allocations. The output is the result of parsing - _SYSTEM_OBJECTTYPE_INFORMATION and _SYSTEM_OBJECT_INFORMATION structures. - - Note: FLG_MAINTAIN_OBJECT_TYPELIST (0x4000), FLG_ENABLE_HANDLE_TYPE_TAGGING - (0x01000000) global flags must be set in order to retrieve the output of this - command. - -.EXAMPLE - - C:\PS> Get-NtSystemInformation -GlobalFlags - - Description - ----------- - Returns a list of all enabled global flags. This is similar to running - gflags.exe /r - -.LINK - - http://www.exploit-monday.com/ -#> - - [CmdletBinding()] Param ( - [Parameter( ParameterSetName = 'PoolTagInformation' )] - [Switch] - $PoolTagInformation, - - [Parameter( ParameterSetName = 'ModuleInformation' )] - [Switch] - $ModuleInformation, - - [Parameter( ParameterSetName = 'HandleInformation' )] - [Switch] - $HandleInformation, - - [Parameter( ParameterSetName = 'HandleInformation' )] - [ValidateSet('Adapter', 'ALPC Port', 'Callback', 'CompositionSurface', 'Controller', 'DebugObject', 'Desktop', 'Device', 'Directory', 'Driver', 'DxgkSharedResource', 'DxgkSharedSyncObject', 'EtwConsumer', 'EtwRegistration', 'Event', 'EventPair', 'File', 'FilterCommunicationPort', 'FilterConnectionPort', 'IoCompletion', 'IoCompletionReserve', 'IRTimer', 'Job', 'Key', 'KeyedEvent', 'Mutant', 'PcwObject', 'Port', 'PowerRequest', 'Process', 'Profile', 'Section', 'Semaphore', 'Session', 'SymbolicLink', 'Thread', 'Timer', 'TmEn', 'TmRm', 'TmTm', 'TmTx', 'Token', 'TpWorkerFactory', 'Type', 'UserApcReserve', 'WaitablePort', 'WaitCompletionPacket', 'WindowStation', 'WmiGuid')] - [String] - $ObjectType, - - [Parameter( ParameterSetName = 'ObjectInformation' )] - [Switch] - $ObjectInformation, - - [Parameter( ParameterSetName = 'LockInformation' )] - [Switch] - $LockInformation, - - [Parameter( ParameterSetName = 'CodeIntegrityInformation' )] - [Switch] - $CodeIntegrityInformation, - - [Parameter( ParameterSetName = 'GlobalFlags' )] - [Switch] - $GlobalFlags - ) - -#region Define the assembly/module that will hold all of our dynamic types. - try { $ntdll = [ntdll] } catch [Management.Automation.RuntimeException] - { - $DynAssembly = New-Object System.Reflection.AssemblyName('SysUtils') - $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly($DynAssembly, [Reflection.Emit.AssemblyBuilderAccess]::Run) - $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule('SysUtils', $False) - - # Define [ntdll]::NtQuerySystemInformation method - $TypeBuilder = $ModuleBuilder.DefineType('ntdll', 'Public, Class') - $PInvokeMethod = $TypeBuilder.DefinePInvokeMethod('NtQuerySystemInformation', 'ntdll.dll', ([Reflection.MethodAttributes]::Public -bor [Reflection.MethodAttributes]::Static), [Reflection.CallingConventions]::Standard, [Int32], [Type[]]@([UInt32], [IntPtr], [UInt32], [UInt32].MakeByRefType()), [Runtime.InteropServices.CallingConvention]::Winapi, [Runtime.InteropServices.CharSet]::Auto) - $DllImportConstructor = [Runtime.InteropServices.DllImportAttribute].GetConstructor(@([String])) - $SetLastError = [Runtime.InteropServices.DllImportAttribute].GetField('SetLastError') - $SetLastErrorCustomAttribute = New-Object Reflection.Emit.CustomAttributeBuilder($DllImportConstructor, @('ntdll.dll'), [Reflection.FieldInfo[]]@($SetLastError), @($true)) - $PInvokeMethod.SetCustomAttribute($SetLastErrorCustomAttribute) - $ntdll = $TypeBuilder.CreateType() - } -#endregion - -#region Define global custom attributes - $LayoutConstructor = [Runtime.InteropServices.StructLayoutAttribute].GetConstructor([Runtime.InteropServices.LayoutKind]) - $CharsetField = [Runtime.InteropServices.StructLayoutAttribute].GetField('CharSet') - $StructLayoutCustomAttribute = New-Object Reflection.Emit.CustomAttributeBuilder($LayoutConstructor, @([Runtime.InteropServices.LayoutKind]::Explicit), $CharsetField, @([Runtime.InteropServices.CharSet]::Ansi)) - - $FlagsConstructor = [FlagsAttribute].GetConstructor(@()) - $FlagsCustomAttribute = New-Object Reflection.Emit.CustomAttributeBuilder($FlagsConstructor, @()) - - $MarshalAsConstructor = [Runtime.InteropServices.MarshalAsAttribute].GetConstructor([Runtime.InteropServices.UnmanagedType]) - $SizeConst = [Runtime.InteropServices.MarshalAsAttribute].GetField('SizeConst') - - $StructAttributes = 'AutoLayout, AnsiClass, Class, Public, SequentialLayout, Sealed, BeforeFieldInit' -#endregion - -#region Define enum types - try { $SystemInformationClass = [SYSTEM_INFORMATION_CLASS] } catch [Management.Automation.RuntimeException] - { - # The entries that are commented out I'll get around to when I feel like it. - - $EnumBuilder = $ModuleBuilder.DefineEnum('SYSTEM_INFORMATION_CLASS', 'Public', [Int32]) - #$EnumBuilder.DefineLiteral('SystemBasicInformation', [Int32] 0x00000000) | Out-Null - #$EnumBuilder.DefineLiteral('SystemProcessorInformation', [Int32] 0x00000001) | Out-Null - #$EnumBuilder.DefineLiteral('SystemPerformanceInformation', [Int32] 0x00000002) | Out-Null - #$EnumBuilder.DefineLiteral('SystemTimeOfDayInformation', [Int32] 0x00000003) | Out-Null - #$EnumBuilder.DefineLiteral('SystemProcessInformation', [Int32] 0x00000005) | Out-Null - #$EnumBuilder.DefineLiteral('SystemCallCounts', [Int32] 0x00000006) | Out-Null - #$EnumBuilder.DefineLiteral('SystemConfigurationInformation', [Int32] 0x00000007) | Out-Null - #$EnumBuilder.DefineLiteral('SystemProcessorPerformanceInformation', [Int32] 0x00000008) | Out-Null - $EnumBuilder.DefineLiteral('SystemGlobalFlag', [Int32] 0x00000009) | Out-Null - $EnumBuilder.DefineLiteral('SystemModuleInformation', [Int32] 0x0000000B) | Out-Null - $EnumBuilder.DefineLiteral('SystemLockInformation', [Int32] 0x0000000C) | Out-Null - $EnumBuilder.DefineLiteral('SystemHandleInformation', [Int32] 0x00000010) | Out-Null - $EnumBuilder.DefineLiteral('SystemObjectInformation', [Int32] 0x00000011) | Out-Null - #$EnumBuilder.DefineLiteral('SystemPagefileInformation', [Int32] 0x00000012) | Out-Null - #$EnumBuilder.DefineLiteral('SystemInstructionEmulationCounts', [Int32] 0x00000013) | Out-Null - $EnumBuilder.DefineLiteral('SystemPoolTagInformation', [Int32] 0x00000016) | Out-Null - #$EnumBuilder.DefineLiteral('SystemInterruptInformation', [Int32] 0x00000017) | Out-Null - #$EnumBuilder.DefineLiteral('SystemExceptionInformation', [Int32] 0x00000021) | Out-Null - #$EnumBuilder.DefineLiteral('SystemRegistryQuotaInformation', [Int32] 0x00000025) | Out-Null - #$EnumBuilder.DefineLiteral('SystemLookasideInformation', [Int32] 0x0000002D) | Out-Null - $EnumBuilder.DefineLiteral('SystemCodeIntegrityInformation', [Int32] 0x00000067) | Out-Null - $SystemInformationClass = $EnumBuilder.CreateType() - } - - try { $NtStatus = [NTSTATUS] } catch [Management.Automation.RuntimeException] - { - $EnumBuilder = $ModuleBuilder.DefineEnum('NTSTATUS', 'Public', [Int32]) - $EnumBuilder.DefineLiteral('STATUS_SUCCESS', [Int32] 0x00000000) | Out-Null - $EnumBuilder.DefineLiteral('STATUS_INFO_LENGTH_MISMATCH', [Int32] 0xC0000004) | Out-Null - $NtStatus = $EnumBuilder.CreateType() - } - - try { $LockdownState = [LOCKDOWN_STATE] } catch [Management.Automation.RuntimeException] - { - $EnumBuilder = $ModuleBuilder.DefineEnum('LOCKDOWN_STATE', 'Public', [Int32]) - $EnumBuilder.DefineLiteral('UMCINONE', [Int32] 0x00000000) | Out-Null - $EnumBuilder.DefineLiteral('UMCIENFORCE', [Int32] 0x00000004) | Out-Null - $EnumBuilder.DefineLiteral('UMCIAUDIT', [Int32] 0xC0000008) | Out-Null - $LockdownState = $EnumBuilder.CreateType() - } - - try { $PoolType = [POOL_TYPE] } catch [Management.Automation.RuntimeException] - { - $EnumBuilder = $ModuleBuilder.DefineEnum('POOL_TYPE', 'Public', [UInt32]) - $EnumBuilder.DefineLiteral('NonPagedPoolExecute', [UInt32] 0x00000000) | Out-Null - $EnumBuilder.DefineLiteral('PagedPool', [UInt32] 0x00000001) | Out-Null - $EnumBuilder.DefineLiteral('NonPagedPoolMustSucceed', [UInt32] 0x00000002) | Out-Null - $EnumBuilder.DefineLiteral('DontUseThisType', [UInt32] 0x00000003) | Out-Null - $EnumBuilder.DefineLiteral('NonPagedPoolCacheAligned', [UInt32] 0x00000004) | Out-Null - $EnumBuilder.DefineLiteral('PagedPoolCacheAligned', [UInt32] 0x00000005) | Out-Null - $EnumBuilder.DefineLiteral('NonPagedPoolCacheAlignedMustS', [UInt32] 0x00000006) | Out-Null - $EnumBuilder.DefineLiteral('MaxPoolType', [UInt32] 0x00000007) | Out-Null - $EnumBuilder.DefineLiteral('NonPagedPoolSession', [UInt32] 0x00000020) | Out-Null - $EnumBuilder.DefineLiteral('PagedPoolSession', [UInt32] 0x00000021) | Out-Null - $EnumBuilder.DefineLiteral('NonPagedPoolMustSucceedSession', [UInt32] 0x00000022) | Out-Null - $EnumBuilder.DefineLiteral('DontUseThisTypeSession', [UInt32] 0x00000023) | Out-Null - $EnumBuilder.DefineLiteral('NonPagedPoolCacheAlignedSession', [UInt32] 0x00000024) | Out-Null - $EnumBuilder.DefineLiteral('PagedPoolCacheAlignedSession', [UInt32] 0x00000025) | Out-Null - $EnumBuilder.DefineLiteral('NonPagedPoolCacheAlignedMustSSession', [UInt32] 0x00000026) | Out-Null - $EnumBuilder.DefineLiteral('NonPagedPoolNx', [UInt32] 0x00000200) | Out-Null - $EnumBuilder.DefineLiteral('NonPagedPoolNxCacheAligned', [UInt32] 0x00000204) | Out-Null - $EnumBuilder.DefineLiteral('NonPagedPoolSessionNx', [UInt32] 0x00000220) | Out-Null - $PoolType = $EnumBuilder.CreateType() - } - - try { $HandleFlags = [HANDLE_FLAGS] } catch [Management.Automation.RuntimeException] - { - $EnumBuilder = $ModuleBuilder.DefineEnum('HANDLE_FLAGS', 'Public', [Byte]) - $EnumBuilder.DefineLiteral('PROTECT_FROM_CLOSE', [Byte] 1) | Out-Null - $EnumBuilder.DefineLiteral('INHERIT', [Byte] 2) | Out-Null - $EnumBuilder.SetCustomAttribute($FlagsCustomAttribute) - $HandleFlags = $EnumBuilder.CreateType() - } - - try { $ObjectAttributes = [OBJECT_ATTRIBUTES] } catch [Management.Automation.RuntimeException] - { - $EnumBuilder = $ModuleBuilder.DefineEnum('OBJECT_ATTRIBUTES', 'Public', [Int32]) - $EnumBuilder.DefineLiteral('OBJ_INHERIT', [Int32] 0x00000002) | Out-Null - $EnumBuilder.DefineLiteral('OBJ_PERMANENT', [Int32] 0x00000010) | Out-Null - $EnumBuilder.DefineLiteral('OBJ_EXCLUSIVE', [Int32] 0x00000020) | Out-Null - $EnumBuilder.DefineLiteral('OBJ_CASE_INSENSITIVE', [Int32] 0x00000040) | Out-Null - $EnumBuilder.DefineLiteral('OBJ_OPENIF', [Int32] 0x00000080) | Out-Null - $EnumBuilder.DefineLiteral('OBJ_OPENLINK', [Int32] 0x00000100) | Out-Null - $EnumBuilder.SetCustomAttribute($FlagsCustomAttribute) - $ObjectAttributes = $EnumBuilder.CreateType() - } - - try { $ObjectFlags = [OBJECT_FLAGS] } catch [Management.Automation.RuntimeException] - { - $EnumBuilder = $ModuleBuilder.DefineEnum('OBJECT_FLAGS', 'Public', [UInt16]) - $EnumBuilder.DefineLiteral('SINGLE_HANDLE_ENTRY', [UInt16] 0x0040) | Out-Null - $EnumBuilder.DefineLiteral('DEFAULT_SECURITY_QUOTA', [UInt16] 0x0020) | Out-Null - $EnumBuilder.DefineLiteral('PERMANENT', [UInt16] 0x0010) | Out-Null - $EnumBuilder.DefineLiteral('EXCLUSIVE', [UInt16] 0x0008) | Out-Null - $EnumBuilder.DefineLiteral('CREATOR_INFO', [UInt16] 0x0004) | Out-Null - $EnumBuilder.DefineLiteral('KERNEL_MODE', [UInt16] 0x0002) | Out-Null - $EnumBuilder.SetCustomAttribute($FlagsCustomAttribute) - $ObjectFlags = $EnumBuilder.CreateType() - } - - try { $AccessMask = [ACCESS_MASK] } catch [Management.Automation.RuntimeException] - { - $EnumBuilder = $ModuleBuilder.DefineEnum('ACCESS_MASK', 'Public', [Int32]) - $EnumBuilder.DefineLiteral('DELETE', [Int32] 0x00010000) | Out-Null - $EnumBuilder.DefineLiteral('READ_CONTROL', [Int32] 0x00020000) | Out-Null - $EnumBuilder.DefineLiteral('WRITE_DAC', [Int32] 0x00040000) | Out-Null - $EnumBuilder.DefineLiteral('WRITE_OWNER', [Int32] 0x00080000) | Out-Null - $EnumBuilder.DefineLiteral('SYNCHRONIZE', [Int32] 0x00100000) | Out-Null - $EnumBuilder.DefineLiteral('STANDARD_RIGHTS_REQUIRED', [Int32] 0x000F0000) | Out-Null - $EnumBuilder.DefineLiteral('STANDARD_RIGHTS_READ', [Int32] 0x00020000) | Out-Null - $EnumBuilder.DefineLiteral('STANDARD_RIGHTS_WRITE', [Int32] 0x00020000) | Out-Null - $EnumBuilder.DefineLiteral('STANDARD_RIGHTS_EXECUTE', [Int32] 0x00020000) | Out-Null - $EnumBuilder.DefineLiteral('STANDARD_RIGHTS_ALL', [Int32] 0x001F0000) | Out-Null - $EnumBuilder.DefineLiteral('ACCESS_SYSTEM_SECURITY', [Int32] 0x01000000) | Out-Null - $EnumBuilder.DefineLiteral('GENERIC_READ', [Int32] 0x80000000) | Out-Null - $EnumBuilder.DefineLiteral('GENERIC_WRITE', [Int32] 0x40000000) | Out-Null - $EnumBuilder.DefineLiteral('GENERIC_EXECUTE', [Int32] 0x20000000) | Out-Null - $EnumBuilder.DefineLiteral('GENERIC_ALL', [Int32] 0x10000000) | Out-Null - $EnumBuilder.SetCustomAttribute($FlagsCustomAttribute) - $AccessMask = $EnumBuilder.CreateType() - } - - try { $GFlagsEnum = [GLOBAL_FLAGS] } catch [Management.Automation.RuntimeException] - { - $EnumBuilder = $ModuleBuilder.DefineEnum('GLOBAL_FLAGS', 'Public', [Int32]) - $EnumBuilder.DefineLiteral('FLG_DISABLE_DBGPRINT', [Int32] 0x08000000) | Out-Null - $EnumBuilder.DefineLiteral('FLG_KERNEL_STACK_TRACE_DB', [Int32] 0x00002000) | Out-Null - $EnumBuilder.DefineLiteral('FLG_USER_STACK_TRACE_DB', [Int32] 0x00001000) | Out-Null - $EnumBuilder.DefineLiteral('FLG_DEBUG_INITIAL_COMMAND', [Int32] 0x00000004) | Out-Null - $EnumBuilder.DefineLiteral('FLG_DEBUG_INITIAL_COMMAND_EX', [Int32] 0x04000000) | Out-Null - $EnumBuilder.DefineLiteral('FLG_HEAP_DISABLE_COALESCING', [Int32] 0x00200000) | Out-Null - $EnumBuilder.DefineLiteral('FLG_DISABLE_PAGE_KERNEL_STACKS', [Int32] 0x00080000) | Out-Null - $EnumBuilder.DefineLiteral('FLG_DISABLE_PROTDLLS', [Int32] 0x80000000) | Out-Null - $EnumBuilder.DefineLiteral('FLG_DISABLE_STACK_EXTENSION', [Int32] 0x00010000) | Out-Null - $EnumBuilder.DefineLiteral('FLG_CRITSEC_EVENT_CREATION', [Int32] 0x10000000) | Out-Null - $EnumBuilder.DefineLiteral('FLG_APPLICATION_VERIFIER', [Int32] 0x00000100) | Out-Null - $EnumBuilder.DefineLiteral('FLG_ENABLE_HANDLE_EXCEPTIONS', [Int32] 0x40000000) | Out-Null - $EnumBuilder.DefineLiteral('FLG_ENABLE_CLOSE_EXCEPTIONS', [Int32] 0x00400000) | Out-Null - $EnumBuilder.DefineLiteral('FLG_ENABLE_CSRDEBUG', [Int32] 0x00020000) | Out-Null - $EnumBuilder.DefineLiteral('FLG_ENABLE_EXCEPTION_LOGGING', [Int32] 0x00800000) | Out-Null - $EnumBuilder.DefineLiteral('FLG_HEAP_ENABLE_FREE_CHECK', [Int32] 0x00000020) | Out-Null - $EnumBuilder.DefineLiteral('FLG_HEAP_VALIDATE_PARAMETERS', [Int32] 0x00000040) | Out-Null - $EnumBuilder.DefineLiteral('FLG_HEAP_ENABLE_TAGGING', [Int32] 0x00000800) | Out-Null - $EnumBuilder.DefineLiteral('FLG_HEAP_ENABLE_TAG_BY_DLL', [Int32] 0x00008000) | Out-Null - $EnumBuilder.DefineLiteral('FLG_HEAP_ENABLE_TAIL_CHECK', [Int32] 0x00000010) | Out-Null - $EnumBuilder.DefineLiteral('FLG_HEAP_VALIDATE_ALL', [Int32] 0x00000080) | Out-Null - $EnumBuilder.DefineLiteral('FLG_ENABLE_KDEBUG_SYMBOL_LOAD', [Int32] 0x00040000) | Out-Null - $EnumBuilder.DefineLiteral('FLG_ENABLE_HANDLE_TYPE_TAGGING', [Int32] 0x01000000) | Out-Null - $EnumBuilder.DefineLiteral('FLG_HEAP_PAGE_ALLOCS', [Int32] 0x02000000) | Out-Null - $EnumBuilder.DefineLiteral('FLG_POOL_ENABLE_TAGGING', [Int32] 0x00000400) | Out-Null - $EnumBuilder.DefineLiteral('FLG_ENABLE_SYSTEM_CRIT_BREAKS', [Int32] 0x00100000) | Out-Null - $EnumBuilder.DefineLiteral('FLG_MAINTAIN_OBJECT_TYPELIST', [Int32] 0x00004000) | Out-Null - $EnumBuilder.DefineLiteral('FLG_MONITOR_SILENT_PROCESS_EXIT', [Int32] 0x00000200) | Out-Null - $EnumBuilder.DefineLiteral('FLG_SHOW_LDR_SNAPS', [Int32] 0x00000002) | Out-Null - $EnumBuilder.DefineLiteral('FLG_STOP_ON_EXCEPTION', [Int32] 0x00000001) | Out-Null - $EnumBuilder.DefineLiteral('FLG_STOP_ON_HUNG_GUI', [Int32] 0x00000008) | Out-Null - $EnumBuilder.SetCustomAttribute($FlagsCustomAttribute) - $GFlagsEnum = $EnumBuilder.CreateType() - } -#endregion - -#region Define structs for each respective SYSTEM_INFORMATION_CLASS - if ([IntPtr]::Size -eq 8) - { - $Size_SYSTEM_MODULE = 296 - $Size_SYSTEM_POOL_TAG_INFORMATION = 40 - $Size_SYSTEM_HANDLE_INFORMATION = 24 - $Size_SYSTEM_OBJECTTYPE_INFORMATION = 64 - $Size_SYSTEM_OBJECT_INFORMATION = 80 - $Size_SYSTEM_LOCK_INFORMATION = 40 - } - else - { - $Size_SYSTEM_MODULE = 284 - $Size_SYSTEM_POOL_TAG_INFORMATION = 28 - $Size_SYSTEM_HANDLE_INFORMATION = 16 - $Size_SYSTEM_OBJECTTYPE_INFORMATION = 56 - $Size_SYSTEM_OBJECT_INFORMATION = 48 - $Size_SYSTEM_LOCK_INFORMATION = 36 - } - - try { $UnicodeStringClass = [_UNICODE_STRING] } catch [Management.Automation.RuntimeException] - { - $MarshalAsCustomAttribute = New-Object Reflection.Emit.CustomAttributeBuilder($MarshalAsConstructor, @([Runtime.InteropServices.UnmanagedType]::LPWStr)) - - if ([IntPtr]::Size -eq 8) - { - $TypeBuilder = $ModuleBuilder.DefineType('_UNICODE_STRING', $StructAttributes, [ValueType], 2, 16) - $TypeBuilder.SetCustomAttribute($StructLayoutCustomAttribute) - - $TypeBuilder.DefineField('Length', [UInt16], 'Public').SetOffset(0) - $TypeBuilder.DefineField('MaximumLength', [UInt16], 'Public').SetOffset(2) - $BufferField = $TypeBuilder.DefineField('Buffer', [String], 'Public, HasFieldMarshal') - $BufferField.SetCustomAttribute($MarshalAsCustomAttribute) - $BufferField.SetOffset(8) - } - else - { - $TypeBuilder = $ModuleBuilder.DefineType('_UNICODE_STRING', $StructAttributes, [ValueType], 2, 8) - $TypeBuilder.SetCustomAttribute($StructLayoutCustomAttribute) - - $TypeBuilder.DefineField('Length', [UInt16], 'Public').SetOffset(0) - $TypeBuilder.DefineField('MaximumLength', [UInt16], 'Public').SetOffset(2) - $BufferField = $TypeBuilder.DefineField('Buffer', [String], 'Public, HasFieldMarshal') - $BufferField.SetCustomAttribute($MarshalAsCustomAttribute) - $BufferField.SetOffset(4) - } - - $UnicodeStringClass = $TypeBuilder.CreateType() - } - - try { $GenericMappingClass = [_GENERIC_MAPPING] } catch [Management.Automation.RuntimeException] - { - $TypeBuilder = $ModuleBuilder.DefineType('_GENERIC_MAPPING', $StructAttributes, [ValueType], 4, 16) - - $TypeBuilder.DefineField('GenericRead', [UInt32], 'Public') | Out-Null - $TypeBuilder.DefineField('GenericWrite', [UInt32], 'Public') | Out-Null - $TypeBuilder.DefineField('GenericExecute', [UInt32], 'Public') | Out-Null - $TypeBuilder.DefineField('GenericAll', [UInt32], 'Public') | Out-Null - - $GenericMappingClass = $TypeBuilder.CreateType() - } - - try { $HandleInfoClass = [_SYSTEM_HANDLE_INFORMATION] } catch [Management.Automation.RuntimeException] - { - $TypeBuilder = $ModuleBuilder.DefineType('_SYSTEM_HANDLE_INFORMATION', $StructAttributes, [ValueType], 1, $Size_SYSTEM_HANDLE_INFORMATION) - - $TypeBuilder.DefineField('UniqueProcessId', [UInt16], 'Public') | Out-Null - $TypeBuilder.DefineField('CreatorBackTraceIndex', [UInt16], 'Public') | Out-Null - $TypeBuilder.DefineField('ObjectTypeIndex', [Byte], 'Public') | Out-Null - $TypeBuilder.DefineField('HandleAttribute', [Byte], 'Public') | Out-Null - $TypeBuilder.DefineField('HandleValue', [UInt16], 'Public') | Out-Null - $TypeBuilder.DefineField('Object', [IntPtr], 'Public') | Out-Null - $TypeBuilder.DefineField('GrantedAccess', [UInt32], 'Public') | Out-Null - - $HandleInfoClass = $TypeBuilder.CreateType() - } - - try { $ModuleInfoClass = [_SYSTEM_MODULE] } catch [Management.Automation.RuntimeException] - { - $MarshalAsCustomAttribute = New-Object Reflection.Emit.CustomAttributeBuilder($MarshalAsConstructor, @([Runtime.InteropServices.UnmanagedType]::ByValTStr), [Reflection.FieldInfo[]]@($SizeConst), @(256)) - - if ([IntPtr]::Size -eq 8) - { - $TypeBuilder = $ModuleBuilder.DefineType('_SYSTEM_MODULE', $StructAttributes, [ValueType], 1, $Size_SYSTEM_MODULE) - - $TypeBuilder.DefineField('Reserved1', [UInt32], 'Public') | Out-Null - $TypeBuilder.DefineField('Reserved2', [UInt32], 'Public') | Out-Null - $TypeBuilder.DefineField('ImageBaseAddress', [UInt64], 'Public') | Out-Null - $TypeBuilder.DefineField('ImageSize', [UInt32], 'Public') | Out-Null - $TypeBuilder.DefineField('Flags', [UInt32], 'Public') | Out-Null - $TypeBuilder.DefineField('Index', [UInt16], 'Public') | Out-Null - $TypeBuilder.DefineField('Rank', [UInt16], 'Public') | Out-Null - $TypeBuilder.DefineField('LoadCount', [UInt16], 'Public') | Out-Null - $TypeBuilder.DefineField('NameOffset', [UInt16], 'Public') | Out-Null - $NameField = $TypeBuilder.DefineField('Name', [String], 'Public, HasFieldMarshal') - } - else - { - $TypeBuilder = $ModuleBuilder.DefineType('_SYSTEM_MODULE', $StructAttributes, [ValueType], 1, $Size_SYSTEM_MODULE) - - $TypeBuilder.DefineField('Reserved1', [UInt16], 'Public') | Out-Null - $TypeBuilder.DefineField('Reserved2', [UInt16], 'Public') | Out-Null - $TypeBuilder.DefineField('ImageBaseAddress', [UInt32], 'Public') | Out-Null - $TypeBuilder.DefineField('ImageSize', [UInt32], 'Public') | Out-Null - $TypeBuilder.DefineField('Flags', [UInt32], 'Public') | Out-Null - $TypeBuilder.DefineField('Index', [UInt16], 'Public') | Out-Null - $TypeBuilder.DefineField('Rank', [UInt16], 'Public') | Out-Null - $TypeBuilder.DefineField('LoadCount', [UInt16], 'Public') | Out-Null - $TypeBuilder.DefineField('NameOffset', [UInt16], 'Public') | Out-Null - $NameField = $TypeBuilder.DefineField('Name', [String], 'Public, HasFieldMarshal') - } - - $NameField.SetCustomAttribute($MarshalAsCustomAttribute) - $ModuleInfoClass = $TypeBuilder.CreateType() - } - - try { $LockInfoClass = [_SYSTEM_LOCK_INFORMATION] } catch [Management.Automation.RuntimeException] - { - $TypeBuilder = $ModuleBuilder.DefineType('_SYSTEM_LOCK_INFORMATION', $StructAttributes, [ValueType], 1, $Size_SYSTEM_LOCK_INFORMATION) - $TypeBuilder.SetCustomAttribute($StructLayoutCustomAttribute) - - if ([IntPtr]::Size -eq 8) - { - $TypeBuilder.DefineField('Address', [IntPtr], 'Public').SetOffset(0) - $TypeBuilder.DefineField('Type', [UInt16], 'Public').SetOffset(8) - $TypeBuilder.DefineField('Reserved1', [UInt16], 'Public').SetOffset(10) - $TypeBuilder.DefineField('ExclusiveOwnerThreadId', [UInt32], 'Public').SetOffset(16) - $TypeBuilder.DefineField('ActiveCount', [UInt32], 'Public').SetOffset(24) - $TypeBuilder.DefineField('ContentionCount', [UInt32], 'Public').SetOffset(28) - $TypeBuilder.DefineField('Reserved2', [UInt32], 'Public').SetOffset(32) - $TypeBuilder.DefineField('Reserved3', [UInt32], 'Public').SetOffset(36) - $TypeBuilder.DefineField('NumberOfSharedWaiters', [UInt32], 'Public').SetOffset(40) - $TypeBuilder.DefineField('NumberOfExclusiveWaiters', [UInt32], 'Public').SetOffset(44) - } - else - { - $TypeBuilder.DefineField('Address', [IntPtr], 'Public').SetOffset(0) - $TypeBuilder.DefineField('Type', [UInt16], 'Public').SetOffset(4) - $TypeBuilder.DefineField('Reserved1', [UInt16], 'Public').SetOffset(6) - $TypeBuilder.DefineField('ExclusiveOwnerThreadId', [UInt32], 'Public').SetOffset(8) - $TypeBuilder.DefineField('ActiveCount', [UInt32], 'Public').SetOffset(12) - $TypeBuilder.DefineField('ContentionCount', [UInt32], 'Public').SetOffset(16) - $TypeBuilder.DefineField('Reserved2', [UInt32], 'Public').SetOffset(20) - $TypeBuilder.DefineField('Reserved3', [UInt32], 'Public').SetOffset(24) - $TypeBuilder.DefineField('NumberOfSharedWaiters', [UInt32], 'Public').SetOffset(28) - $TypeBuilder.DefineField('NumberOfExclusiveWaiters', [UInt32], 'Public').SetOffset(32) - } - - $LockInfoClass = $TypeBuilder.CreateType() - } - - try { $PoolTagInfoClass = [_SYSTEM_POOL_TAG_INFORMATION] } catch [Management.Automation.RuntimeException] - { - $TypeBuilder = $ModuleBuilder.DefineType('_SYSTEM_POOL_TAG_INFORMATION', $StructAttributes, [ValueType], 4, $Size_SYSTEM_POOL_TAG_INFORMATION) - $TypeBuilder.SetCustomAttribute($StructLayoutCustomAttribute) - - if ([IntPtr]::Size -eq 8) - { - $TypeBuilder.DefineField('TagValue', [UInt32], 'Public, HasFieldMarshal').SetOffset(0) - $TypeBuilder.DefineField('PagedPoolAllocs', [UInt32], 'Public').SetOffset(4) - $TypeBuilder.DefineField('PagedPoolFrees', [UInt32], 'Public').SetOffset(8) - $TypeBuilder.DefineField('PagedPoolUsage', [UInt32], 'Public').SetOffset(16) - $TypeBuilder.DefineField('NonPagedPoolAllocs', [UInt32], 'Public').SetOffset(24) - $TypeBuilder.DefineField('NonPagedPoolFrees', [UInt32], 'Public').SetOffset(28) - $TypeBuilder.DefineField('NonPagedPoolUsage', [UInt32], 'Public').SetOffset(32) - } - else - { - $TypeBuilder.DefineField('TagValue', [UInt32], 'Public, HasFieldMarshal').SetOffset(0) - $TypeBuilder.DefineField('PagedPoolAllocs', [UInt32], 'Public').SetOffset(4) - $TypeBuilder.DefineField('PagedPoolFrees', [UInt32], 'Public').SetOffset(8) - $TypeBuilder.DefineField('PagedPoolUsage', [UInt32], 'Public').SetOffset(12) - $TypeBuilder.DefineField('NonPagedPoolAllocs', [UInt32], 'Public').SetOffset(16) - $TypeBuilder.DefineField('NonPagedPoolFrees', [UInt32], 'Public').SetOffset(20) - $TypeBuilder.DefineField('NonPagedPoolUsage', [UInt32], 'Public').SetOffset(24) - } - - $PoolTagInfoClass = $TypeBuilder.CreateType() - } - - try { $ObjectTypeClass = [_SYSTEM_OBJECTTYPE_INFORMATION] } catch [Management.Automation.RuntimeException] - { - $TypeBuilder = $ModuleBuilder.DefineType('_SYSTEM_OBJECTTYPE_INFORMATION', $StructAttributes, [ValueType], 1, $Size_SYSTEM_OBJECTTYPE_INFORMATION) - $TypeBuilder.SetCustomAttribute($StructLayoutCustomAttribute) - - $TypeBuilder.DefineField('NextEntryOffset', [UInt32], 'Public').SetOffset(0x00) - $TypeBuilder.DefineField('NumberOfObjects', [UInt32], 'Public').SetOffset(0x04) - $TypeBuilder.DefineField('NumberOfHandles', [UInt32], 'Public').SetOffset(0x08) - $TypeBuilder.DefineField('TypeIndex', [UInt32], 'Public').SetOffset(0x0C) - $TypeBuilder.DefineField('InvalidAttributes', [UInt32], 'Public').SetOffset(0x10) - $TypeBuilder.DefineField('GenericMapping', $GenericMappingClass, 'Public').SetOffset(0x14) - $TypeBuilder.DefineField('ValidAccessMask', [UInt32], 'Public').SetOffset(0x24) - $TypeBuilder.DefineField('PoolType', $PoolType, 'Public').SetOffset(0x28) - $TypeBuilder.DefineField('SecurityRequired', [Byte], 'Public').SetOffset(0x2C) - $TypeBuilder.DefineField('WaitableObject', [Byte], 'Public').SetOffset(0x2D) - $TypeBuilder.DefineField('TypeName', $UnicodeStringClass, 'Public').SetOffset(0x30) - - $ObjectTypeClass = $TypeBuilder.CreateType() - } - - try { $ObjectTypeClass = [_SYSTEM_OBJECT_INFORMATION] } catch [Management.Automation.RuntimeException] - { - $TypeBuilder = $ModuleBuilder.DefineType('_SYSTEM_OBJECT_INFORMATION', $StructAttributes, [ValueType], 1, $Size_SYSTEM_OBJECT_INFORMATION) - $TypeBuilder.SetCustomAttribute($StructLayoutCustomAttribute) - - if ([IntPtr]::Size -eq 8) - { - $TypeBuilder.DefineField('NextEntryOffset', [UInt32], 'Public').SetOffset(0x00) - $TypeBuilder.DefineField('Object', [IntPtr], 'Public').SetOffset(0x08) - $TypeBuilder.DefineField('CreatorUniqueProcess', [IntPtr], 'Public').SetOffset(0x10) - $TypeBuilder.DefineField('CreatorBackTraceIndex', [UInt16], 'Public').SetOffset(0x018) - $TypeBuilder.DefineField('Flags', [UInt16], 'Public').SetOffset(0x1A) - $TypeBuilder.DefineField('PointerCount', [Int32], 'Public').SetOffset(0x1C) - $TypeBuilder.DefineField('HandleCount', [Int32], 'Public').SetOffset(0x20) - $TypeBuilder.DefineField('PagedPoolCharge', [UInt32], 'Public').SetOffset(0x24) - $TypeBuilder.DefineField('NonPagedPoolCharge', [UInt32], 'Public').SetOffset(0x28) - $TypeBuilder.DefineField('ExclusiveProcessId', [IntPtr], 'Public').SetOffset(0x30) - $TypeBuilder.DefineField('SecurityDescriptor', [IntPtr], 'Public').SetOffset(0x38) - $TypeBuilder.DefineField('NameInfo', $UnicodeStringClass, 'Public').SetOffset(0x40) - } - else - { - $TypeBuilder.DefineField('NextEntryOffset', [UInt32], 'Public').SetOffset(0x00) - $TypeBuilder.DefineField('Object', [IntPtr], 'Public').SetOffset(0x04) - $TypeBuilder.DefineField('CreatorUniqueProcess', [IntPtr], 'Public').SetOffset(0x08) - $TypeBuilder.DefineField('CreatorBackTraceIndex', [UInt16], 'Public').SetOffset(0x0C) - $TypeBuilder.DefineField('Flags', [UInt16], 'Public').SetOffset(0x0E) - $TypeBuilder.DefineField('PointerCount', [Int32], 'Public').SetOffset(0x10) - $TypeBuilder.DefineField('HandleCount', [Int32], 'Public').SetOffset(0x14) - $TypeBuilder.DefineField('PagedPoolCharge', [UInt32], 'Public').SetOffset(0x18) - $TypeBuilder.DefineField('NonPagedPoolCharge', [UInt32], 'Public').SetOffset(0x1C) - $TypeBuilder.DefineField('ExclusiveProcessId', [IntPtr], 'Public').SetOffset(0x20) - $TypeBuilder.DefineField('SecurityDescriptor', [IntPtr], 'Public').SetOffset(0x24) - $TypeBuilder.DefineField('NameInfo', $UnicodeStringClass, 'Public').SetOffset(0x28) - } - - $ObjectClass = $TypeBuilder.CreateType() - } -#endregion - - # Local helper function for parsing structures returned by NtQuerySystemInformation that begin with a 'Count' field - function Local:Get-Struct($InformationClass, $StructType, $X86Size, $X64Size, $OffsetMultiplier, $ErrorText) - { - $TotalLength = 0 - $ReturnedLength = 0 - - if ([IntPtr]::Size -eq 8) - { - $StructSize = $X64Size - } - else - { - $StructSize = $X86Size - } - - if ((($ntdll::NtQuerySystemInformation($InformationClass, [IntPtr]::Zero, 0, [Ref] $TotalLength) -as $NtStatus) -ne $NtStatus::STATUS_INFO_LENGTH_MISMATCH) -and ($TotalLength -gt 0)) - { - Write-Error "Unable to obtain $($ErrorText) information." - return - } - - $PtrData = [Runtime.InteropServices.Marshal]::AllocHGlobal($TotalLength) - $ntdll::NtQuerySystemInformation($InformationClass, $PtrData, $TotalLength, [Ref] $ReturnedLength) | Out-Null - [Runtime.InteropServices.Marshal]::FreeHGlobal($PtrData) - - $PtrData2 = [Runtime.InteropServices.Marshal]::AllocHGlobal($ReturnedLength) - - if (($ntdll::NtQuerySystemInformation($InformationClass, $PtrData2, $ReturnedLength, [Ref] 0) -as $NtStatus) -ne $NtStatus::STATUS_SUCCESS) - { - [Runtime.InteropServices.Marshal]::FreeHGlobal($PtrData2) - Write-Error "Unable to obtain $($ErrorText) information." - return - } - - # Retrieve the structure count - $Count = [Runtime.InteropServices.Marshal]::ReadInt32($PtrData2) - - # Point to the first structure - $StructAddress = ([IntPtr]($PtrData2.ToInt64() + ([IntPtr]::Size * $OffsetMultiplier))) - - foreach ($i in 0..($Count-1)) - { - [Runtime.InteropServices.Marshal]::PtrToStructure($StructAddress, [Type] $StructType) - $StructAddress = ([IntPtr]($StructAddress.ToInt64() + $StructSize)) - } - - [Runtime.InteropServices.Marshal]::FreeHGlobal($PtrData2) - } - -#region Main program logic - switch ($PsCmdlet.ParameterSetName) - { - 'ModuleInformation' { - $Arguments = @{ - InformationClass = $SystemInformationClass::SystemModuleInformation - StructType = $ModuleInfoClass - X86Size = 284 - X64Size = 296 - OffsetMultiplier = 2 - ErrorText = 'system module' - } - - Get-Struct @Arguments - } - - 'PoolTagInformation' { - $Arguments = @{ - InformationClass = $SystemInformationClass::SystemPoolTagInformation - StructType = $PoolTagInfoClass - X86Size = 28 - X64Size = 40 - OffsetMultiplier = 1 - ErrorText = 'system pool tag' - } - - Get-Struct @Arguments | % { - $Result = @{ - Tag = [Text.Encoding]::ASCII.GetString([BitConverter]::GetBytes($_.TagValue)) - PagedPoolAllocs = $_.PagedPoolAllocs - PagedPoolFrees = $_.PagedPoolFrees - PagedPoolUsage = $_.PagedPoolUsage - NonPagedPoolAllocs = $_.NonPagedPoolAllocs - NonPagedPoolFrees = $_.NonPagedPoolFrees - NonPagedPoolUsage = $_.NonPagedPoolUsage - } - - $PoolTag = New-Object PSObject -Property $Result - $PoolTag.PSObject.TypeNames.Insert(0, '_SYSTEM_POOL_TAG_INFORMATION') - - Write-Output $PoolTag - } - } - - 'HandleInformation' { - # Get OS version info. This will be used to resolve object type index values - $OSVersion = [Version](Get-WmiObject Win32_OperatingSystem).Version - $OSMajorMinor = "$($OSVersion.Major).$($OSVersion.Minor)" - - # Type indexes differ according to OS. These values were obtained via some KD-fu - switch ($OSMajorMinor) - { - '6.2' # Windows 8 and Windows Server 2012 - { - $IndexTable = @{ - 0x02 = 'Type' - 0x03 = 'Directory' - 0x04 = 'SymbolicLink' - 0x05 = 'Token' - 0x06 = 'Job' - 0x07 = 'Process' - 0x08 = 'Thread' - 0x09 = 'UserApcReserve' - 0x0A = 'IoCompletionReserve' - 0x0B = 'DebugObject' - 0x0C = 'Event' - 0x0D = 'EventPair' - 0x0E = 'Mutant' - 0x0F = 'Callback' - 0x10 = 'Semaphore' - 0x11 = 'Timer' - 0x12 = 'IRTimer' - 0x13 = 'Profile' - 0x14 = 'KeyedEvent' - 0x15 = 'WindowStation' - 0x16 = 'Desktop' - 0x17 = 'CompositionSurface' - 0x18 = 'TpWorkerFactory' - 0x19 = 'Adapter' - 0x1A = 'Controller' - 0x1B = 'Device' - 0x1C = 'Driver' - 0x1D = 'IoCompletion' - 0x1E = 'WaitCompletionPacket' - 0x1F = 'File' - 0x20 = 'TmTm' - 0x21 = 'TmTx' - 0x22 = 'TmRm' - 0x23 = 'TmEn' - 0x24 = 'Section' - 0x25 = 'Session' - 0x26 = 'Key' - 0x27 = 'ALPC Port' - 0x28 = 'PowerRequest' - 0x29 = 'WmiGuid' - 0x2A = 'EtwRegistration' - 0x2B = 'EtwConsumer' - 0x2C = 'FilterConnectionPort' - 0x2D = 'FilterCommunicationPort' - 0x2E = 'PcwObject' - 0x2F = 'DxgkSharedResource' - 0x30 = 'DxgkSharedSyncObject' - } - } - - '6.1' # Windows 7 and Window Server 2008 R2 - { - $IndexTable = @{ - 0x02 = 'Type' - 0x03 = 'Directory' - 0x04 = 'SymbolicLink' - 0x05 = 'Token' - 0x06 = 'Job' - 0x07 = 'Process' - 0x08 = 'Thread' - 0x09 = 'UserApcReserve' - 0x0a = 'IoCompletionReserve' - 0x0b = 'DebugObject' - 0x0c = 'Event' - 0x0d = 'EventPair' - 0x0e = 'Mutant' - 0x0f = 'Callback' - 0x10 = 'Semaphore' - 0x11 = 'Timer' - 0x12 = 'Profile' - 0x13 = 'KeyedEvent' - 0x14 = 'WindowStation' - 0x15 = 'Desktop' - 0x16 = 'TpWorkerFactory' - 0x17 = 'Adapter' - 0x18 = 'Controller' - 0x19 = 'Device' - 0x1a = 'Driver' - 0x1b = 'IoCompletion' - 0x1c = 'File' - 0x1d = 'TmTm' - 0x1e = 'TmTx' - 0x1f = 'TmRm' - 0x20 = 'TmEn' - 0x21 = 'Section' - 0x22 = 'Session' - 0x23 = 'Key' - 0x24 = 'ALPC Port' - 0x25 = 'PowerRequest' - 0x26 = 'WmiGuid' - 0x27 = 'EtwRegistration' - 0x28 = 'EtwConsumer' - 0x29 = 'FilterConnectionPort' - 0x2a = 'FilterCommunicationPort' - 0x2b = 'PcwObject' - } - } - - '6.0' # Windows Vista and Windows Server 2008 - { - $IndexTable = @{ - 0x01 = 'Type' - 0x02 = 'Directory' - 0x03 = 'SymbolicLink' - 0x04 = 'Token' - 0x05 = 'Job' - 0x06 = 'Process' - 0x07 = 'Thread' - 0x08 = 'DebugObject' - 0x09 = 'Event' - 0x0a = 'EventPair' - 0x0b = 'Mutant' - 0x0c = 'Callback' - 0x0d = 'Semaphore' - 0x0e = 'Timer' - 0x0f = 'Profile' - 0x10 = 'KeyedEvent' - 0x11 = 'WindowStation' - 0x12 = 'Desktop' - 0x13 = 'TpWorkerFactory' - 0x14 = 'Adapter' - 0x15 = 'Controller' - 0x16 = 'Device' - 0x17 = 'Driver' - 0x18 = 'IoCompletion' - 0x19 = 'File' - 0x1a = 'TmTm' - 0x1b = 'TmTx' - 0x1c = 'TmRm' - 0x1d = 'TmEn' - 0x1e = 'Section' - 0x1f = 'Session' - 0x20 = 'Key' - 0x21 = 'ALPC Port' - 0x22 = 'WmiGuid' - 0x23 = 'EtwRegistration' - 0x24 = 'FilterConnectionPort' - 0x25 = 'FilterCommunicationPort' - } - } - - '5.1' # Windows XP - { - $IndexTable = @{ - 0x01 = 'Type' - 0x02 = 'Directory' - 0x03 = 'SymbolicLink' - 0x04 = 'Token' - 0x05 = 'Process' - 0x06 = 'Thread' - 0x07 = 'Job' - 0x08 = 'DebugObject' - 0x09 = 'Event' - 0x0a = 'EventPair' - 0x0b = 'Mutant' - 0x0c = 'Callback' - 0x0d = 'Semaphore' - 0x0e = 'Timer' - 0x0f = 'Profile' - 0x10 = 'KeyedEvent' - 0x11 = 'WindowStation' - 0x12 = 'Desktop' - 0x13 = 'Section' - 0x14 = 'Key' - 0x15 = 'Port' - 0x16 = 'WaitablePort' - 0x17 = 'Adapter' - 0x18 = 'Controller' - 0x19 = 'Device' - 0x1a = 'Driver' - 0x1b = 'IoCompletion' - 0x1c = 'File' - 0x1d = 'WmiGuid' - 0x1e = 'FilterConnectionPort' - 0x1f = 'FilterCommunicationPort' - } - } - - default # I didn't feel like resolving the values for Server 2003 - { - $IndexTable = @{} - } - } - - $Arguments = @{ - InformationClass = $SystemInformationClass::SystemHandleInformation - StructType = $HandleInfoClass - X86Size = 16 - X64Size = 24 - OffsetMultiplier = 1 - ErrorText = 'system handle' - } - - Get-Struct @Arguments | % { - $Handle = $_.HandleAttribute -as $HandleFlags - if ($Handle -eq 0) {$HandleValue = $null} else {$HandleValue = $Handle} - - $Access = ( ($_.GrantedAccess -band 0xFFFF0000) -as $AccessMask ) - if ($Access -eq 0) {$AccessValue = $null} else {$AccessValue = $Access} - - $Result = @{ - UniqueProcessId = $_.UniqueProcessId - CreatorBackTraceIndex = $_.CreatorBackTraceIndex - ObjectTypeIndex = $_.ObjectTypeIndex - ObjectType = $IndexTable[([Int32]$_.ObjectTypeIndex)] - HandleAttribute = $HandleValue - HandleValue = $_.HandleValue - Object = $_.Object - GrantedAccess = $AccessValue - } - - $Handle = New-Object PSObject -Property $Result - $Handle.PSObject.TypeNames.Insert(0, '_SYSTEM_HANDLE_INFORMATION') - - if ($PSBoundParameters['ObjectType']) - { - if ($Result['ObjectType'] -eq $ObjectType) - { - Write-Output $Handle - } - } - else - { - Write-Output $Handle - } - } - } - - 'ObjectInformation' { - # Get system global flags first to ensure the correct flags are set - $Flags = Get-NtSystemInformation -GlobalFlags - - $RequiredFlags = [GLOBAL_FLAGS] 'FLG_MAINTAIN_OBJECT_TYPELIST, FLG_ENABLE_HANDLE_TYPE_TAGGING' - - if (($Flags -band $RequiredFlags) -ne $RequiredFlags) - { - Write-Error 'Global flags FLG_MAINTAIN_OBJECT_TYPELIST and FLG_ENABLE_HANDLE_TYPE_TAGGING have not been set. They must be set in gflags.exe (i.e. `gflags.exe -r +otl +eot`) or in the registry.' - return - } - - Write-Warning 'It can take over a minute to return object information. Please be patient.' - - $TotalLength = 1 - $ReturnedLength = 0 - $PtrData = [Runtime.InteropServices.Marshal]::AllocHGlobal($TotalLength) - - while ((($ntdll::NtQuerySystemInformation($SystemInformationClass::SystemObjectInformation, $PtrData, $TotalLength, [Ref] $ReturnedLength) -as [NTSTATUS]) -eq [NTSTATUS]::STATUS_INFO_LENGTH_MISMATCH)) - { - if ($TotalLength -ne $ReturnedLength) - { - [Runtime.InteropServices.Marshal]::FreeHGlobal($PtrData) - $TotalLength = $ReturnedLength - $PtrData = [Runtime.InteropServices.Marshal]::AllocHGlobal($TotalLength) - } - } - - $NextTypeOffset = 0 - - do - { - # Base address of the _SYSTEM_OBJECTTYPE_INFORMATION struct - $ObjectTypeAbsoluteAddress = [IntPtr]($PtrData.ToInt64() + $NextTypeOffset) - - $Result = [Runtime.InteropServices.Marshal]::PtrToStructure($ObjectTypeAbsoluteAddress, [Type] $ObjectTypeClass) - - if ($Result.NumberOfObjects -gt 0) - { - # Calculate the offset to the first _SYSTEM_OBJECT_INFORMATION structure - $NextObjectOffset = $Size_SYSTEM_OBJECTTYPE_INFORMATION + $Result.TypeName.MaximumLength - $ObjectBaseAddr = $ObjectTypeAbsoluteAddress - - $ObjectArray = @() - - do - { - $ObjectResult = [Runtime.InteropServices.Marshal]::PtrToStructure(( [IntPtr]($ObjectBaseAddr.ToInt64() + $NextObjectOffset) ), [Type] $ObjectClass) - - $ResultHashTable2 = @{ - Object = $ObjectResult.Object - CreatorUniqueProcess = $ObjectResult.CreatorUniqueProcess - CreatorBackTraceIndex = $ObjectResult.CreatorBackTraceIndex - Flags = ($ObjectResult.Flags -as $ObjectFlags) - PointerCount = $ObjectResult.PointerCount - HandleCount = $ObjectResult.HandleCount - PagedPoolCharge = $ObjectResult.PagedPoolCharge - NonPagedPoolCharge = $ObjectResult.NonPagedPoolCharge - ExclusiveProcessId = $ObjectResult.ExclusiveProcessId - SecurityDescriptor = $ObjectResult.SecurityDescriptor - NameInfo = $ObjectResult.NameInfo.Buffer - } - - $Object = New-Object PSObject -Property $ResultHashTable2 - $Object.PSObject.TypeNames.Insert(0, '_SYSTEM_OBJECT_INFORMATION') - - $ObjectArray += $Object - - $NextObjectOffset = $ObjectResult.NextEntryOffset - $ObjectBaseAddr = $PtrData - } while ($ObjectResult.NextEntryOffset -ne 0) - } - - $Access = ( ($_.ValidAccessMask -band 0xFFFF0000) -as $AccessMask ) - if ($Access -eq 0) {$AccessValue = $null} else {$AccessValue = $Access} - - $ResultHashTable = @{ - NumberOfObjects = $Result.NumberOfObjects - NumberOfHandles = $Result.NumberOfHandles - TypeIndex = $Result.TypeIndex - InvalidAttributes = ($Result.InvalidAttributes -as $ObjectAttributes) - GenericMapping = $Result.GenericMapping - ValidAccessMask = $AccessValue - PoolType = $Result.PoolType - SecurityRequired = $Result.SecurityRequired - WaitableObject = $Result.WaitableObject - TypeName = $Result.TypeName.Buffer - Objects = $ObjectArray - } - - $ObjectType = New-Object PSObject -Property $ResultHashTable - $ObjectType.PSObject.TypeNames.Insert(0, '_SYSTEM_OBJECTTYPE_INFORMATION') - - Write-Output $ObjectType - - $NextTypeOffset = $Result.NextEntryOffset - } while ($NextTypeOffset -ne 0) - - [Runtime.InteropServices.Marshal]::FreeHGlobal($PtrData) - } - - 'LockInformation' { - $Arguments = @{ - InformationClass = $SystemInformationClass::SystemLockInformation - StructType = $LockInfoClass - X86Size = 36 - X64Size = 48 - OffsetMultiplier = 1 - ErrorText = 'system lock' - } - - Get-Struct @Arguments - } - - 'CodeIntegrityInformation' { - $CIStructLength = 8 - $PtrData = [Runtime.InteropServices.Marshal]::AllocHGlobal($CIStructLength) - [Runtime.InteropServices.Marshal]::WriteInt64($PtrData, 0) - [Runtime.InteropServices.Marshal]::WriteByte($PtrData, 8) # The length field in SYSTEM_CODEINTEGRITY_INFORMATION must be set to 8 - $ntdll::NtQuerySystemInformation($SystemInformationClass::SystemCodeIntegrityInformation, $PtrData, $CIStructLength, [Ref] 0) | Out-Null - $CIInfo = [Runtime.InteropServices.Marshal]::ReadInt32(([IntPtr]($PtrData.ToInt64() + 4))) - [Runtime.InteropServices.Marshal]::FreeHGlobal($PtrData) - - $ResultHashTable = @{ - CodeIntegrityOptions = $CIInfo - LockdownState = ($CIInfo -band 0x1C) -as $LockdownState - } - - $CodeIntegrityType = New-Object PSObject -Property $ResultHashTable - $CodeIntegrityType.PSObject.TypeNames.Insert(0, '_SYSTEM_CODEINTEGRITY_INFORMATION') - - Write-Output $CodeIntegrityType - } - - 'GlobalFlags' { - $TotalLength = 0 - $ReturnedLength = 0 - - if ((($ntdll::NtQuerySystemInformation($SystemInformationClass::SystemGlobalFlag, [IntPtr]::Zero, 0, [Ref] $TotalLength) -as [NTSTATUS]) -ne [NTSTATUS]::STATUS_INFO_LENGTH_MISMATCH) -and ($TotalLength -gt 0)) - { - Write-Error 'Unable to obtain global flags information information.' - } - else - { - $PtrData = [Runtime.InteropServices.Marshal]::AllocHGlobal($TotalLength) - $ntdll::NtQuerySystemInformation($SystemInformationClass::SystemGlobalFlag, $PtrData, $TotalLength, [Ref] $ReturnedLength) | Out-Null - $Gflags = [Runtime.InteropServices.Marshal]::ReadInt32($PtrData) -as $GFlagsEnum - [Runtime.InteropServices.Marshal]::FreeHGlobal($PtrData) - - Write-Output $Gflags - } - } - - default { return } - } -} -#endregion diff --git a/ReverseEngineering/Get-PEB.format.ps1xml b/ReverseEngineering/Get-PEB.format.ps1xml deleted file mode 100644 index 59b5362..0000000 --- a/ReverseEngineering/Get-PEB.format.ps1xml +++ /dev/null @@ -1,1210 +0,0 @@ -<?xml version="1.0" encoding="utf-8" ?>
-<Configuration>
- <DefaultSettings>
- <EnumerableExpansions>
- <EnumerableExpansion>
- <Expand>Both</Expand>
- </EnumerableExpansion>
- </EnumerableExpansions>
- </DefaultSettings>
- <ViewDefinitions>
- <View>
- <Name>ProcessEnvironmentBlock_VistaView</Name>
- <ViewSelectedBy>
- <TypeName>PEB.Vista</TypeName>
- </ViewSelectedBy>
- <ListControl>
- <ListEntries>
- <ListEntry>
- <ListItems>
- <ListItem>
- <PropertyName>ProcessName</PropertyName>
- </ListItem>
- <ListItem>
- <PropertyName>ProcessId</PropertyName>
- </ListItem>
- <ListItem>
- <PropertyName>InheritedAddressSpace</PropertyName>
- </ListItem>
- <ListItem>
- <PropertyName>ReadImageFileExecOptions</PropertyName>
- </ListItem>
- <ListItem>
- <PropertyName>BeingDebugged</PropertyName>
- </ListItem>
- <ListItem>
- <PropertyName>ImageUsesLargePages</PropertyName>
- </ListItem>
- <ListItem>
- <PropertyName>IsProtectedProcess</PropertyName>
- </ListItem>
- <ListItem>
- <PropertyName>IsLegacyProcess</PropertyName>
- </ListItem>
- <ListItem>
- <PropertyName>IsImageDynamicallyRelocated</PropertyName>
- </ListItem>
- <ListItem>
- <PropertyName>SkipPatchingUser32Forwarders</PropertyName>
- </ListItem>
- <ListItem>
- <PropertyName>IsPackagedProcess</PropertyName>
- </ListItem>
- <ListItem>
- <PropertyName>IsAppContainer</PropertyName>
- </ListItem>
- <ListItem>
- <Label>Mutant</Label>
- <ScriptBlock>"0x$($_.Mutant.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
- </ListItem>
- <ListItem>
- <Label>ImageBaseAddress</Label>
- <ScriptBlock>"0x$($_.ImageBaseAddress.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
- </ListItem>
- <ListItem>
- <PropertyName>Ldr</PropertyName>
- </ListItem>
- <ListItem>
- <PropertyName>InLoadOrderModuleList</PropertyName>
- </ListItem>
- <ListItem>
- <PropertyName>InMemoryOrderModuleList</PropertyName>
- </ListItem>
- <ListItem>
- <PropertyName>InInitializationOrderModuleList</PropertyName>
- </ListItem>
- <ListItem>
- <PropertyName>ProcessParameters</PropertyName>
- </ListItem>
- <ListItem>
- <Label>SubSystemData</Label>
- <ScriptBlock>"0x$($_.SubSystemData.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
- </ListItem>
- <ListItem>
- <Label>ProcessHeap</Label>
- <ScriptBlock>"0x$($_.ProcessHeap.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
- </ListItem>
- <ListItem>
- <Label>FastPebLock</Label>
- <ScriptBlock>"0x$($_.FastPebLock.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
- </ListItem>
- <ListItem>
- <Label>AtlThunkSListPtr</Label>
- <ScriptBlock>"0x$($_.AtlThunkSListPtr.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
- </ListItem>
- <ListItem>
- <Label>IFEOKey</Label>
- <ScriptBlock>"0x$($_.IFEOKey.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
- </ListItem>
- <ListItem>
- <PropertyName>ProcessInJob</PropertyName>
- </ListItem>
- <ListItem>
- <PropertyName>ProcessInitializing</PropertyName>
- </ListItem>
- <ListItem>
- <PropertyName>ProcessUsingVEH</PropertyName>
- </ListItem>
- <ListItem>
- <PropertyName>ProcessUsingVCH</PropertyName>
- </ListItem>
- <ListItem>
- <PropertyName>ProcessUsingFTH</PropertyName>
- </ListItem>
- <ListItem>
- <Label>KernelCallbackTable</Label>
- <ScriptBlock>"0x$($_.KernelCallbackTable.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
- </ListItem>
- <ListItem>
- <PropertyName>SystemReserved</PropertyName>
- <FormatString>0x{0:X8}</FormatString>
- </ListItem>
- <ListItem>
- <PropertyName>AtlThunkSListPtr32</PropertyName>
- <FormatString>0x{0:X8}</FormatString>
- </ListItem>
- <ListItem>
- <Label>ApiSetMap</Label>
- <ScriptBlock>"0x$($_.ApiSetMap.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
- </ListItem>
- <ListItem>
- <PropertyName>TlsExpansionCounter</PropertyName>
- <FormatString>0x{0:X8}</FormatString>
- </ListItem>
- <ListItem>
- <Label>TlsBitmap</Label>
- <ScriptBlock>"0x$($_.TlsBitmap.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
- </ListItem>
- <ListItem>
- <Label>TlsBitmapBits</Label>
- <ScriptBlock>($_.TlsBitmapBits | % { "0x$($_.ToString('X8'))" }) -join ','</ScriptBlock>
- </ListItem>
- <ListItem>
- <Label>ReadOnlySharedMemoryBase</Label>
- <ScriptBlock>"0x$($_.ReadOnlySharedMemoryBase.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
- </ListItem>
- <ListItem>
- <Label>HotpatchInformation</Label>
- <ScriptBlock>"0x$($_.HotpatchInformation.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
- </ListItem>
- <ListItem>
- <Label>ReadOnlyStaticServerData</Label>
- <ScriptBlock>"0x$($_.ReadOnlyStaticServerData.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
- </ListItem>
- <ListItem>
- <Label>AnsiCodePageData</Label>
- <ScriptBlock>"0x$($_.AnsiCodePageData.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
- </ListItem>
- <ListItem>
- <Label>OemCodePageData</Label>
- <ScriptBlock>"0x$($_.OemCodePageData.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
- </ListItem>
- <ListItem>
- <Label>UnicodeCaseTableData</Label>
- <ScriptBlock>"0x$($_.UnicodeCaseTableData.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
- </ListItem>
- <ListItem>
- <PropertyName>NumberOfProcessors</PropertyName>
- <FormatString>0x{0:X8}</FormatString>
- </ListItem>
- <ListItem>
- <PropertyName>NtGlobalFlag</PropertyName>
- <FormatString>0x{0:X8}</FormatString>
- </ListItem>
- <ListItem>
- <PropertyName>CriticalSectionTimeout</PropertyName>
- <FormatString>0x{0:X16}</FormatString>
- </ListItem>
- <ListItem>
- <Label>HeapSegmentReserve</Label>
- <ScriptBlock>"0x$($_.HeapSegmentReserve.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
- </ListItem>
- <ListItem>
- <Label>HeapSegmentCommit</Label>
- <ScriptBlock>"0x$($_.HeapSegmentCommit.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
- </ListItem>
- <ListItem>
- <Label>HeapDeCommitTotalFreeThreshold</Label>
- <ScriptBlock>"0x$($_.HeapDeCommitTotalFreeThreshold.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
- </ListItem>
- <ListItem>
- <Label>HeapDeCommitFreeBlockThreshold</Label>
- <ScriptBlock>"0x$($_.HeapDeCommitFreeBlockThreshold.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
- </ListItem>
- <ListItem>
- <PropertyName>NumberOfHeaps</PropertyName>
- <FormatString>0x{0:X8}</FormatString>
- </ListItem>
- <ListItem>
- <PropertyName>MaximumNumberOfHeaps</PropertyName>
- <FormatString>0x{0:X8}</FormatString>
- </ListItem>
- <ListItem>
- <Label>ProcessHeaps</Label>
- <ScriptBlock>"0x$($_.ProcessHeaps.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
- </ListItem>
- <ListItem>
- <Label>GdiSharedHandleTable</Label>
- <ScriptBlock>"0x$($_.GdiSharedHandleTable.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
- </ListItem>
- <ListItem>
- <Label>ProcessStarterHelper</Label>
- <ScriptBlock>"0x$($_.ProcessStarterHelper.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
- </ListItem>
- <ListItem>
- <PropertyName>GdiDCAttributeList</PropertyName>
- <FormatString>0x{0:X8}</FormatString>
- </ListItem>
- <ListItem>
- <Label>LoaderLock</Label>
- <ScriptBlock>"0x$($_.LoaderLock.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
- </ListItem>
- <ListItem>
- <PropertyName>OSMajorVersion</PropertyName>
- </ListItem>
- <ListItem>
- <PropertyName>OSMinorVersion</PropertyName>
- </ListItem>
- <ListItem>
- <PropertyName>OSBuildNumber</PropertyName>
- </ListItem>
- <ListItem>
- <PropertyName>OSCSDVersion</PropertyName>
- </ListItem>
- <ListItem>
- <PropertyName>OSPlatformId</PropertyName>
- </ListItem>
- <ListItem>
- <PropertyName>ImageSubsystem</PropertyName>
- </ListItem>
- <ListItem>
- <PropertyName>ImageSubsystemMajorVersion</PropertyName>
- </ListItem>
- <ListItem>
- <PropertyName>ImageSubsystemMinorVersion</PropertyName>
- </ListItem>
- <ListItem>
- <Label>ActiveProcessAffinityMask</Label>
- <ScriptBlock>"0x$($_.ActiveProcessAffinityMask.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
- </ListItem>
- <ListItem>
- <Label>GdiHandleBuffer</Label>
- <ScriptBlock>($_.GdiHandleBuffer | % { "0x$($_.ToString('X8'))" }) -join ','</ScriptBlock>
- </ListItem>
- <ListItem>
- <Label>PostProcessInitRoutine</Label>
- <ScriptBlock>"0x$($_.PostProcessInitRoutine.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
- </ListItem>
- <ListItem>
- <Label>TlsExpansionBitmap</Label>
- <ScriptBlock>"0x$($_.TlsExpansionBitmap.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
- </ListItem>
- <ListItem>
- <Label>TlsExpansionBitmapBits</Label>
- <ScriptBlock>($_.TlsExpansionBitmapBits | % { "0x$($_.ToString('X8'))" }) -join ','</ScriptBlock>
- </ListItem>
- <ListItem>
- <PropertyName>SessionId</PropertyName>
- <FormatString>0x{0:X8}</FormatString>
- </ListItem>
- <ListItem>
- <PropertyName>AppCompatFlags</PropertyName>
- <FormatString>0x{0:X16}</FormatString>
- </ListItem>
- <ListItem>
- <PropertyName>AppCompatFlagsUser</PropertyName>
- <FormatString>0x{0:X16}</FormatString>
- </ListItem>
- <ListItem>
- <Label>pShimData</Label>
- <ScriptBlock>"0x$($_.pShimData.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
- </ListItem>
- <ListItem>
- <PropertyName>AppCompatInfo</PropertyName>
- <FormatString>0x{0:X8}</FormatString>
- </ListItem>
- <ListItem>
- <PropertyName>CSDVersion</PropertyName>
- </ListItem>
- <ListItem>
- <Label>ActivationContextData</Label>
- <ScriptBlock>"0x$($_.ActivationContextData.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
- </ListItem>
- <ListItem>
- <Label>ProcessAssemblyStorageMap</Label>
- <ScriptBlock>"0x$($_.ProcessAssemblyStorageMap.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
- </ListItem>
- <ListItem>
- <Label>SystemDefaultActivationContextData</Label>
- <ScriptBlock>"0x$($_.SystemDefaultActivationContextData.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
- </ListItem>
- <ListItem>
- <Label>SystemAssemblyStorageMap</Label>
- <ScriptBlock>"0x$($_.SystemAssemblyStorageMap.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
- </ListItem>
- <ListItem>
- <Label>MinimumStackCommit</Label>
- <ScriptBlock>"0x$($_.MinimumStackCommit.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
- </ListItem>
- <ListItem>
- <Label>FlsCallback</Label>
- <ScriptBlock>"0x$($_.FlsCallback.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
- </ListItem>
- <ListItem>
- <PropertyName>FlsListHead</PropertyName>
- </ListItem>
- <ListItem>
- <Label>FlsBitmap</Label>
- <ScriptBlock>"0x$($_.FlsBitmap.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
- </ListItem>
- <ListItem>
- <Label>FlsBitmapBits</Label>
- <ScriptBlock>($_.FlsBitmapBits | % { "0x$($_.ToString('X8'))" }) -join ','</ScriptBlock>
- </ListItem>
- <ListItem>
- <PropertyName>FlsHighIndex</PropertyName>
- <FormatString>0x{0:X8}</FormatString>
- </ListItem>
- <ListItem>
- <Label>WerRegistrationData</Label>
- <ScriptBlock>"0x$($_.WerRegistrationData.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
- </ListItem>
- <ListItem>
- <Label>WerShipAssertPtr</Label>
- <ScriptBlock>"0x$($_.WerShipAssertPtr.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
- </ListItem>
- <ListItem>
- <Label>pUnused</Label>
- <ScriptBlock>"0x$($_.pUnused.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
- </ListItem>
- <ListItem>
- <Label>pImageHeaderHash</Label>
- <ScriptBlock>"0x$($_.pImageHeaderHash.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
- </ListItem>
- <ListItem>
- <PropertyName>HeapTracingEnabled</PropertyName>
- </ListItem>
- <ListItem>
- <PropertyName>CritSecTracingEnabled</PropertyName>
- </ListItem>
- <ListItem>
- <PropertyName>LibLoaderTracingEnabled</PropertyName>
- </ListItem>
- <ListItem>
- <PropertyName>CsrServerReadOnlySharedMemoryBase</PropertyName>
- <FormatString>0x{0:X16}</FormatString>
- </ListItem>
- </ListItems>
- </ListEntry>
- </ListEntries>
- </ListControl>
- </View>
- <View>
- <Name>ProcessEnvironmentBlock_Server2003View</Name>
- <ViewSelectedBy>
- <TypeName>PEB.Server2003</TypeName>
- </ViewSelectedBy>
- <ListControl>
- <ListEntries>
- <ListEntry>
- <ListItems>
- <ListItem>
- <PropertyName>ProcessName</PropertyName>
- </ListItem>
- <ListItem>
- <PropertyName>ProcessId</PropertyName>
- </ListItem>
- <ListItem>
- <Label>InheritedAddressSpace</Label>
- <ScriptBlock>if($_.InheritedAddressSpace -eq 0){$False}else{$True}</ScriptBlock>
- </ListItem>
- <ListItem>
- <Label>ReadImageFileExecOptions</Label>
- <ScriptBlock>if($_.ReadImageFileExecOptions -eq 0){$False}else{$True}</ScriptBlock>
- </ListItem>
- <ListItem>
- <Label>BeingDebugged</Label>
- <ScriptBlock>if($_.BeingDebugged -eq 0){$False}else{$True}</ScriptBlock>
- </ListItem>
- <ListItem>
- <PropertyName>ImageUsesLargePages</PropertyName>
- </ListItem>
- <ListItem>
- <Label>Mutant</Label>
- <ScriptBlock>"0x$($_.Mutant.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
- </ListItem>
- <ListItem>
- <Label>ImageBaseAddress</Label>
- <ScriptBlock>"0x$($_.ImageBaseAddress.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
- </ListItem>
- <ListItem>
- <PropertyName>Ldr</PropertyName>
- </ListItem>
- <ListItem>
- <PropertyName>InLoadOrderModuleList</PropertyName>
- </ListItem>
- <ListItem>
- <PropertyName>InMemoryOrderModuleList</PropertyName>
- </ListItem>
- <ListItem>
- <PropertyName>InInitializationOrderModuleList</PropertyName>
- </ListItem>
- <ListItem>
- <PropertyName>ProcessParameters</PropertyName>
- </ListItem>
- <ListItem>
- <Label>SubSystemData</Label>
- <ScriptBlock>"0x$($_.SubSystemData.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
- </ListItem>
- <ListItem>
- <Label>ProcessHeap</Label>
- <ScriptBlock>"0x$($_.ProcessHeap.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
- </ListItem>
- <ListItem>
- <Label>FastPebLock</Label>
- <ScriptBlock>"0x$($_.FastPebLock.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
- </ListItem>
- <ListItem>
- <Label>AtlThunkSListPtr</Label>
- <ScriptBlock>"0x$($_.AtlThunkSListPtr.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
- </ListItem>
- <ListItem>
- <Label>SparePtr2</Label>
- <ScriptBlock>"0x$($_.SparePtr2.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
- </ListItem>
- <ListItem>
- <PropertyName>EnvironmentUpdateCount</PropertyName>
- <FormatString>0x{0:X8}</FormatString>
- </ListItem>
- <ListItem>
- <Label>KernelCallbackTable</Label>
- <ScriptBlock>"0x$($_.KernelCallbackTable.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
- </ListItem>
- <ListItem>
- <PropertyName>SystemReserved</PropertyName>
- <FormatString>0x{0:X8}</FormatString>
- </ListItem>
- <ListItem>
- <PropertyName>AtlThunkSListPtr32</PropertyName>
- <FormatString>0x{0:X8}</FormatString>
- </ListItem>
- <ListItem>
- <Label>ApiSetMap</Label>
- <ScriptBlock>"0x$($_.ApiSetMap.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
- </ListItem>
- <ListItem>
- <PropertyName>TlsExpansionCounter</PropertyName>
- <FormatString>0x{0:X8}</FormatString>
- </ListItem>
- <ListItem>
- <Label>TlsBitmap</Label>
- <ScriptBlock>"0x$($_.TlsBitmap.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
- </ListItem>
- <ListItem>
- <Label>TlsBitmapBits</Label>
- <ScriptBlock>($_.TlsBitmapBits | % { "0x$($_.ToString('X8'))" }) -join ','</ScriptBlock>
- </ListItem>
- <ListItem>
- <Label>ReadOnlySharedMemoryBase</Label>
- <ScriptBlock>"0x$($_.ReadOnlySharedMemoryBase.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
- </ListItem>
- <ListItem>
- <Label>ReadOnlySharedMemoryHeap</Label>
- <ScriptBlock>"0x$($_.ReadOnlySharedMemoryHeap.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
- </ListItem>
- <ListItem>
- <Label>ReadOnlyStaticServerData</Label>
- <ScriptBlock>"0x$($_.ReadOnlyStaticServerData.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
- </ListItem>
- <ListItem>
- <Label>AnsiCodePageData</Label>
- <ScriptBlock>"0x$($_.AnsiCodePageData.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
- </ListItem>
- <ListItem>
- <Label>OemCodePageData</Label>
- <ScriptBlock>"0x$($_.OemCodePageData.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
- </ListItem>
- <ListItem>
- <Label>UnicodeCaseTableData</Label>
- <ScriptBlock>"0x$($_.UnicodeCaseTableData.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
- </ListItem>
- <ListItem>
- <PropertyName>NumberOfProcessors</PropertyName>
- <FormatString>0x{0:X8}</FormatString>
- </ListItem>
- <ListItem>
- <PropertyName>NtGlobalFlag</PropertyName>
- <FormatString>0x{0:X8}</FormatString>
- </ListItem>
- <ListItem>
- <PropertyName>CriticalSectionTimeout</PropertyName>
- <FormatString>0x{0:X16}</FormatString>
- </ListItem>
- <ListItem>
- <Label>HeapSegmentReserve</Label>
- <ScriptBlock>"0x$($_.HeapSegmentReserve.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
- </ListItem>
- <ListItem>
- <Label>HeapSegmentCommit</Label>
- <ScriptBlock>"0x$($_.HeapSegmentCommit.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
- </ListItem>
- <ListItem>
- <Label>HeapDeCommitTotalFreeThreshold</Label>
- <ScriptBlock>"0x$($_.HeapDeCommitTotalFreeThreshold.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
- </ListItem>
- <ListItem>
- <Label>HeapDeCommitFreeBlockThreshold</Label>
- <ScriptBlock>"0x$($_.HeapDeCommitFreeBlockThreshold.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
- </ListItem>
- <ListItem>
- <PropertyName>NumberOfHeaps</PropertyName>
- <FormatString>0x{0:X8}</FormatString>
- </ListItem>
- <ListItem>
- <PropertyName>MaximumNumberOfHeaps</PropertyName>
- <FormatString>0x{0:X8}</FormatString>
- </ListItem>
- <ListItem>
- <Label>ProcessHeaps</Label>
- <ScriptBlock>"0x$($_.ProcessHeaps.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
- </ListItem>
- <ListItem>
- <Label>GdiSharedHandleTable</Label>
- <ScriptBlock>"0x$($_.GdiSharedHandleTable.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
- </ListItem>
- <ListItem>
- <Label>ProcessStarterHelper</Label>
- <ScriptBlock>"0x$($_.ProcessStarterHelper.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
- </ListItem>
- <ListItem>
- <PropertyName>GdiDCAttributeList</PropertyName>
- <FormatString>0x{0:X8}</FormatString>
- </ListItem>
- <ListItem>
- <Label>LoaderLock</Label>
- <ScriptBlock>"0x$($_.LoaderLock.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
- </ListItem>
- <ListItem>
- <PropertyName>OSMajorVersion</PropertyName>
- </ListItem>
- <ListItem>
- <PropertyName>OSMinorVersion</PropertyName>
- </ListItem>
- <ListItem>
- <PropertyName>OSBuildNumber</PropertyName>
- </ListItem>
- <ListItem>
- <PropertyName>OSCSDVersion</PropertyName>
- </ListItem>
- <ListItem>
- <PropertyName>OSPlatformId</PropertyName>
- </ListItem>
- <ListItem>
- <PropertyName>ImageSubsystem</PropertyName>
- </ListItem>
- <ListItem>
- <PropertyName>ImageSubsystemMajorVersion</PropertyName>
- </ListItem>
- <ListItem>
- <PropertyName>ImageSubsystemMinorVersion</PropertyName>
- </ListItem>
- <ListItem>
- <Label>ActiveProcessAffinityMask</Label>
- <ScriptBlock>"0x$($_.ActiveProcessAffinityMask.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
- </ListItem>
- <ListItem>
- <Label>GdiHandleBuffer</Label>
- <ScriptBlock>($_.GdiHandleBuffer | % { "0x$($_.ToString('X8'))" }) -join ','</ScriptBlock>
- </ListItem>
- <ListItem>
- <Label>PostProcessInitRoutine</Label>
- <ScriptBlock>"0x$($_.PostProcessInitRoutine.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
- </ListItem>
- <ListItem>
- <Label>TlsExpansionBitmap</Label>
- <ScriptBlock>"0x$($_.TlsExpansionBitmap.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
- </ListItem>
- <ListItem>
- <Label>TlsExpansionBitmapBits</Label>
- <ScriptBlock>($_.TlsExpansionBitmapBits | % { "0x$($_.ToString('X8'))" }) -join ','</ScriptBlock>
- </ListItem>
- <ListItem>
- <PropertyName>SessionId</PropertyName>
- <FormatString>0x{0:X8}</FormatString>
- </ListItem>
- <ListItem>
- <PropertyName>AppCompatFlags</PropertyName>
- <FormatString>0x{0:X16}</FormatString>
- </ListItem>
- <ListItem>
- <PropertyName>AppCompatFlagsUser</PropertyName>
- <FormatString>0x{0:X16}</FormatString>
- </ListItem>
- <ListItem>
- <Label>pShimData</Label>
- <ScriptBlock>"0x$($_.pShimData.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
- </ListItem>
- <ListItem>
- <PropertyName>AppCompatInfo</PropertyName>
- <FormatString>0x{0:X8}</FormatString>
- </ListItem>
- <ListItem>
- <PropertyName>CSDVersion</PropertyName>
- </ListItem>
- <ListItem>
- <Label>ActivationContextData</Label>
- <ScriptBlock>"0x$($_.ActivationContextData.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
- </ListItem>
- <ListItem>
- <Label>ProcessAssemblyStorageMap</Label>
- <ScriptBlock>"0x$($_.ProcessAssemblyStorageMap.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
- </ListItem>
- <ListItem>
- <Label>SystemDefaultActivationContextData</Label>
- <ScriptBlock>"0x$($_.SystemDefaultActivationContextData.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
- </ListItem>
- <ListItem>
- <Label>SystemAssemblyStorageMap</Label>
- <ScriptBlock>"0x$($_.SystemAssemblyStorageMap.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
- </ListItem>
- <ListItem>
- <Label>MinimumStackCommit</Label>
- <ScriptBlock>"0x$($_.MinimumStackCommit.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
- </ListItem>
- <ListItem>
- <Label>FlsCallback</Label>
- <ScriptBlock>"0x$($_.FlsCallback.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
- </ListItem>
- <ListItem>
- <PropertyName>FlsListHead</PropertyName>
- </ListItem>
- <ListItem>
- <Label>FlsBitmap</Label>
- <ScriptBlock>"0x$($_.FlsBitmap.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
- </ListItem>
- <ListItem>
- <Label>FlsBitmapBits</Label>
- <ScriptBlock>($_.FlsBitmapBits | % { "0x$($_.ToString('X8'))" }) -join ','</ScriptBlock>
- </ListItem>
- <ListItem>
- <PropertyName>FlsHighIndex</PropertyName>
- <FormatString>0x{0:X8}</FormatString>
- </ListItem>
- </ListItems>
- </ListEntry>
- </ListEntries>
- </ListControl>
- </View>
- <View>
- <Name>ProcessEnvironmentBlock_XPView</Name>
- <ViewSelectedBy>
- <TypeName>PEB.XP</TypeName>
- </ViewSelectedBy>
- <ListControl>
- <ListEntries>
- <ListEntry>
- <ListItems>
- <ListItem>
- <PropertyName>ProcessName</PropertyName>
- </ListItem>
- <ListItem>
- <PropertyName>ProcessId</PropertyName>
- </ListItem>
- <ListItem>
- <Label>InheritedAddressSpace</Label>
- <ScriptBlock>if($_.InheritedAddressSpace -eq 0){$False}else{$True}</ScriptBlock>
- </ListItem>
- <ListItem>
- <Label>ReadImageFileExecOptions</Label>
- <ScriptBlock>if($_.ReadImageFileExecOptions -eq 0){$False}else{$True}</ScriptBlock>
- </ListItem>
- <ListItem>
- <Label>BeingDebugged</Label>
- <ScriptBlock>if($_.BeingDebugged -eq 0){$False}else{$True}</ScriptBlock>
- </ListItem>
- <ListItem>
- <Label>Mutant</Label>
- <ScriptBlock>"0x$($_.Mutant.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
- </ListItem>
- <ListItem>
- <Label>ImageBaseAddress</Label>
- <ScriptBlock>"0x$($_.ImageBaseAddress.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
- </ListItem>
- <ListItem>
- <PropertyName>Ldr</PropertyName>
- </ListItem>
- <ListItem>
- <PropertyName>InLoadOrderModuleList</PropertyName>
- </ListItem>
- <ListItem>
- <PropertyName>InMemoryOrderModuleList</PropertyName>
- </ListItem>
- <ListItem>
- <PropertyName>InInitializationOrderModuleList</PropertyName>
- </ListItem>
- <ListItem>
- <PropertyName>ProcessParameters</PropertyName>
- </ListItem>
- <ListItem>
- <Label>SubSystemData</Label>
- <ScriptBlock>"0x$($_.SubSystemData.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
- </ListItem>
- <ListItem>
- <Label>ProcessHeap</Label>
- <ScriptBlock>"0x$($_.ProcessHeap.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
- </ListItem>
- <ListItem>
- <Label>FastPebLock</Label>
- <ScriptBlock>"0x$($_.FastPebLock.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
- </ListItem>
- <ListItem>
- <Label>FastPebLockRoutine</Label>
- <ScriptBlock>"0x$($_.FastPebLockRoutine.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
- </ListItem>
- <ListItem>
- <Label>FastPebUnlockRoutine</Label>
- <ScriptBlock>"0x$($_.FastPebUnlockRoutine.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
- </ListItem>
- <ListItem>
- <PropertyName>EnvironmentUpdateCount</PropertyName>
- <FormatString>0x{0:X8}</FormatString>
- </ListItem>
- <ListItem>
- <Label>KernelCallbackTable</Label>
- <ScriptBlock>"0x$($_.KernelCallbackTable.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
- </ListItem>
- <ListItem>
- <PropertyName>SystemReserved</PropertyName>
- <FormatString>0x{0:X8}</FormatString>
- </ListItem>
- <ListItem>
- <PropertyName>AtlThunkSListPtr32</PropertyName>
- <FormatString>0x{0:X8}</FormatString>
- </ListItem>
- <ListItem>
- <Label>ApiSetMap</Label>
- <ScriptBlock>"0x$($_.ApiSetMap.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
- </ListItem>
- <ListItem>
- <PropertyName>TlsExpansionCounter</PropertyName>
- <FormatString>0x{0:X8}</FormatString>
- </ListItem>
- <ListItem>
- <Label>TlsBitmap</Label>
- <ScriptBlock>"0x$($_.TlsBitmap.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
- </ListItem>
- <ListItem>
- <Label>TlsBitmapBits</Label>
- <ScriptBlock>($_.TlsBitmapBits | % { "0x$($_.ToString('X8'))" }) -join ','</ScriptBlock>
- </ListItem>
- <ListItem>
- <Label>ReadOnlySharedMemoryBase</Label>
- <ScriptBlock>"0x$($_.ReadOnlySharedMemoryBase.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
- </ListItem>
- <ListItem>
- <Label>ReadOnlySharedMemoryHeap</Label>
- <ScriptBlock>"0x$($_.ReadOnlySharedMemoryHeap.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
- </ListItem>
- <ListItem>
- <Label>ReadOnlyStaticServerData</Label>
- <ScriptBlock>"0x$($_.ReadOnlyStaticServerData.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
- </ListItem>
- <ListItem>
- <Label>AnsiCodePageData</Label>
- <ScriptBlock>"0x$($_.AnsiCodePageData.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
- </ListItem>
- <ListItem>
- <Label>OemCodePageData</Label>
- <ScriptBlock>"0x$($_.OemCodePageData.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
- </ListItem>
- <ListItem>
- <Label>UnicodeCaseTableData</Label>
- <ScriptBlock>"0x$($_.UnicodeCaseTableData.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
- </ListItem>
- <ListItem>
- <PropertyName>NumberOfProcessors</PropertyName>
- <FormatString>0x{0:X8}</FormatString>
- </ListItem>
- <ListItem>
- <PropertyName>NtGlobalFlag</PropertyName>
- <FormatString>0x{0:X8}</FormatString>
- </ListItem>
- <ListItem>
- <PropertyName>CriticalSectionTimeout</PropertyName>
- <FormatString>0x{0:X16}</FormatString>
- </ListItem>
- <ListItem>
- <Label>HeapSegmentReserve</Label>
- <ScriptBlock>"0x$($_.HeapSegmentReserve.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
- </ListItem>
- <ListItem>
- <Label>HeapSegmentCommit</Label>
- <ScriptBlock>"0x$($_.HeapSegmentCommit.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
- </ListItem>
- <ListItem>
- <Label>HeapDeCommitTotalFreeThreshold</Label>
- <ScriptBlock>"0x$($_.HeapDeCommitTotalFreeThreshold.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
- </ListItem>
- <ListItem>
- <Label>HeapDeCommitFreeBlockThreshold</Label>
- <ScriptBlock>"0x$($_.HeapDeCommitFreeBlockThreshold.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
- </ListItem>
- <ListItem>
- <PropertyName>NumberOfHeaps</PropertyName>
- <FormatString>0x{0:X8}</FormatString>
- </ListItem>
- <ListItem>
- <PropertyName>MaximumNumberOfHeaps</PropertyName>
- <FormatString>0x{0:X8}</FormatString>
- </ListItem>
- <ListItem>
- <Label>ProcessHeaps</Label>
- <ScriptBlock>"0x$($_.ProcessHeaps.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
- </ListItem>
- <ListItem>
- <Label>GdiSharedHandleTable</Label>
- <ScriptBlock>"0x$($_.GdiSharedHandleTable.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
- </ListItem>
- <ListItem>
- <Label>ProcessStarterHelper</Label>
- <ScriptBlock>"0x$($_.ProcessStarterHelper.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
- </ListItem>
- <ListItem>
- <PropertyName>GdiDCAttributeList</PropertyName>
- <FormatString>0x{0:X8}</FormatString>
- </ListItem>
- <ListItem>
- <Label>LoaderLock</Label>
- <ScriptBlock>"0x$($_.LoaderLock.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
- </ListItem>
- <ListItem>
- <PropertyName>OSMajorVersion</PropertyName>
- </ListItem>
- <ListItem>
- <PropertyName>OSMinorVersion</PropertyName>
- </ListItem>
- <ListItem>
- <PropertyName>OSBuildNumber</PropertyName>
- </ListItem>
- <ListItem>
- <PropertyName>OSCSDVersion</PropertyName>
- </ListItem>
- <ListItem>
- <PropertyName>OSPlatformId</PropertyName>
- </ListItem>
- <ListItem>
- <PropertyName>ImageSubsystem</PropertyName>
- </ListItem>
- <ListItem>
- <PropertyName>ImageSubsystemMajorVersion</PropertyName>
- </ListItem>
- <ListItem>
- <PropertyName>ImageSubsystemMinorVersion</PropertyName>
- </ListItem>
- <ListItem>
- <Label>ActiveProcessAffinityMask</Label>
- <ScriptBlock>"0x$($_.ActiveProcessAffinityMask.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
- </ListItem>
- <ListItem>
- <Label>GdiHandleBuffer</Label>
- <ScriptBlock>($_.GdiHandleBuffer | % { "0x$($_.ToString('X8'))" }) -join ','</ScriptBlock>
- </ListItem>
- <ListItem>
- <Label>PostProcessInitRoutine</Label>
- <ScriptBlock>"0x$($_.PostProcessInitRoutine.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
- </ListItem>
- <ListItem>
- <Label>TlsExpansionBitmap</Label>
- <ScriptBlock>"0x$($_.TlsExpansionBitmap.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
- </ListItem>
- <ListItem>
- <Label>TlsExpansionBitmapBits</Label>
- <ScriptBlock>($_.TlsExpansionBitmapBits | % { "0x$($_.ToString('X8'))" }) -join ','</ScriptBlock>
- </ListItem>
- <ListItem>
- <PropertyName>SessionId</PropertyName>
- <FormatString>0x{0:X8}</FormatString>
- </ListItem>
- <ListItem>
- <PropertyName>AppCompatFlags</PropertyName>
- <FormatString>0x{0:X16}</FormatString>
- </ListItem>
- <ListItem>
- <PropertyName>AppCompatFlagsUser</PropertyName>
- <FormatString>0x{0:X16}</FormatString>
- </ListItem>
- <ListItem>
- <Label>pShimData</Label>
- <ScriptBlock>"0x$($_.pShimData.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
- </ListItem>
- <ListItem>
- <PropertyName>AppCompatInfo</PropertyName>
- <FormatString>0x{0:X8}</FormatString>
- </ListItem>
- <ListItem>
- <PropertyName>CSDVersion</PropertyName>
- </ListItem>
- <ListItem>
- <Label>ActivationContextData</Label>
- <ScriptBlock>"0x$($_.ActivationContextData.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
- </ListItem>
- <ListItem>
- <Label>ProcessAssemblyStorageMap</Label>
- <ScriptBlock>"0x$($_.ProcessAssemblyStorageMap.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
- </ListItem>
- <ListItem>
- <Label>SystemDefaultActivationContextData</Label>
- <ScriptBlock>"0x$($_.SystemDefaultActivationContextData.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
- </ListItem>
- <ListItem>
- <Label>SystemAssemblyStorageMap</Label>
- <ScriptBlock>"0x$($_.SystemAssemblyStorageMap.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
- </ListItem>
- <ListItem>
- <Label>MinimumStackCommit</Label>
- <ScriptBlock>"0x$($_.MinimumStackCommit.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
- </ListItem>
- </ListItems>
- </ListEntry>
- </ListEntries>
- </ListControl>
- </View>
- <View>
- <Name>ProcessEnvironmentBlock_ModuleEntryView</Name>
- <ViewSelectedBy>
- <TypeName>PEB.ModuleEntry</TypeName>
- </ViewSelectedBy>
- <ListControl>
- <ListEntries>
- <ListEntry>
- <ListItems>
- <ListItem>
- <PropertyName>InLoadOrderModuleList</PropertyName>
- </ListItem>
- <ListItem>
- <PropertyName>InMemoryOrderModuleList</PropertyName>
- </ListItem>
- <ListItem>
- <PropertyName>InInitializationOrderModuleList</PropertyName>
- </ListItem>
- <ListItem>
- <Label>BaseAddress</Label>
- <ScriptBlock>"0x$($_.BaseAddress.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
- </ListItem>
- <ListItem>
- <Label>EntryPoint</Label>
- <ScriptBlock>"0x$($_.EntryPoint.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
- </ListItem>
- <ListItem>
- <PropertyName>SizeOfImage</PropertyName>
- <FormatString>0x{0:X8}</FormatString>
- </ListItem>
- <ListItem>
- <PropertyName>FullDllName</PropertyName>
- </ListItem>
- <ListItem>
- <PropertyName>BaseDllName</PropertyName>
- </ListItem>
- <ListItem>
- <PropertyName>PackagedBinary</PropertyName>
- </ListItem>
- <ListItem>
- <PropertyName>ImageDll</PropertyName>
- </ListItem>
- <ListItem>
- <PropertyName>LoadNotificationsSent</PropertyName>
- </ListItem>
- <ListItem>
- <PropertyName>TelemetryEntryProcessed</PropertyName>
- </ListItem>
- <ListItem>
- <PropertyName>ProcessStaticImport</PropertyName>
- </ListItem>
- <ListItem>
- <PropertyName>InLegacyLists</PropertyName>
- </ListItem>
- <ListItem>
- <PropertyName>InIndexes</PropertyName>
- </ListItem>
- <ListItem>
- <PropertyName>ShimDll</PropertyName>
- </ListItem>
- <ListItem>
- <PropertyName>InExceptionTable</PropertyName>
- </ListItem>
- <ListItem>
- <PropertyName>LoadInProgress</PropertyName>
- </ListItem>
- <ListItem>
- <PropertyName>EntryProcessed</PropertyName>
- </ListItem>
- <ListItem>
- <PropertyName>DontCallForThreads</PropertyName>
- </ListItem>
- <ListItem>
- <PropertyName>ProcessAttachCalled</PropertyName>
- </ListItem>
- <ListItem>
- <PropertyName>ProcessAttachFailed</PropertyName>
- </ListItem>
- <ListItem>
- <PropertyName>CorDeferredValidate</PropertyName>
- </ListItem>
- <ListItem>
- <PropertyName>CorImage</PropertyName>
- </ListItem>
- <ListItem>
- <PropertyName>DontRelocate</PropertyName>
- </ListItem>
- <ListItem>
- <PropertyName>CorILOnly</PropertyName>
- </ListItem>
- <ListItem>
- <PropertyName>Redirected</PropertyName>
- </ListItem>
- <ListItem>
- <PropertyName>CompatDatabaseProcessed</PropertyName>
- </ListItem>
- <ListItem>
- <PropertyName>ObsoleteLoadCount</PropertyName>
- <FormatString>0x{0:X4}</FormatString>
- </ListItem>
- <ListItem>
- <PropertyName>TlsIndex</PropertyName>
- <FormatString>0x{0:X4}</FormatString>
- </ListItem>
- <ListItem>
- <PropertyName>HashLinks</PropertyName>
- </ListItem>
- <ListItem>
- <PropertyName>TimeDateStamp</PropertyName>
- </ListItem>
- <ListItem>
- <Label>EntryPointActivationContext</Label>
- <ScriptBlock>"0x$($_.EntryPointActivationContext.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
- </ListItem>
- <ListItem>
- <Label>PatchInformation</Label>
- <ScriptBlock>"0x$($_.PatchInformation.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
- </ListItem>
- <ListItem>
- <Label>DdagNode</Label>
- <ScriptBlock>"0x$($_.DdagNode.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
- </ListItem>
- <ListItem>
- <PropertyName>NodeModuleLink</PropertyName>
- </ListItem>
- <ListItem>
- <Label>SnapContext</Label>
- <ScriptBlock>"0x$($_.SnapContext.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
- </ListItem>
- <ListItem>
- <Label>ParentDllBase</Label>
- <ScriptBlock>"0x$($_.ParentDllBase.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
- </ListItem>
- <ListItem>
- <Label>SwitchBackContext</Label>
- <ScriptBlock>"0x$($_.SwitchBackContext.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
- </ListItem>
- <ListItem>
- <PropertyName>BaseAddressIndexNode</PropertyName>
- </ListItem>
- <ListItem>
- <PropertyName>MappingInfoIndexNode</PropertyName>
- </ListItem>
- <ListItem>
- <Label>OriginalBase</Label>
- <ScriptBlock>"0x$($_.OriginalBase.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
- </ListItem>
- <ListItem>
- <PropertyName>LoadTime</PropertyName>
- <FormatString>0x{0:X16}</FormatString>
- </ListItem>
- <ListItem>
- <PropertyName>BaseNameHashValue</PropertyName>
- <FormatString>0x{0:X8}</FormatString>
- </ListItem>
- <ListItem>
- <PropertyName>LoadReason</PropertyName>
- </ListItem>
- </ListItems>
- </ListEntry>
- </ListEntries>
- </ListControl>
- </View>
- <View>
- <Name>ProcessParameters</Name>
- <ViewSelectedBy>
- <TypeName>PEB.ProcessParameters</TypeName>
- </ViewSelectedBy>
- <ListControl>
- <ListEntries>
- <ListEntry>
- <ListItems>
- <ListItem>
- <PropertyName>MaximumLength</PropertyName>
- <FormatString>0x{0:X8}</FormatString>
- </ListItem>
- <ListItem>
- <PropertyName>Length</PropertyName>
- <FormatString>0x{0:X8}</FormatString>
- </ListItem>
- <ListItem>
- <PropertyName>Flags</PropertyName>
- <FormatString>0x{0:X8}</FormatString>
- </ListItem>
- <ListItem>
- <PropertyName>DebugFlags</PropertyName>
- <FormatString>0x{0:X8}</FormatString>
- </ListItem>
- <ListItem>
- <Label>ConsoleHandle</Label>
- <ScriptBlock>"0x$($_.ConsoleHandle.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
- </ListItem>
- <ListItem>
- <PropertyName>ConsoleFlags</PropertyName>
- <FormatString>0x{0:X8}</FormatString>
- </ListItem>
- <ListItem>
- <Label>StandardInput</Label>
- <ScriptBlock>"0x$($_.StandardInput.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
- </ListItem>
- <ListItem>
- <Label>StandardOutput</Label>
- <ScriptBlock>"0x$($_.StandardOutput.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
- </ListItem>
- <ListItem>
- <Label>StandardError</Label>
- <ScriptBlock>"0x$($_.StandardError.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
- </ListItem>
- <ListItem>
- <PropertyName>CurrentDirectory</PropertyName>
- </ListItem>
- <ListItem>
- <PropertyName>DllPath</PropertyName>
- </ListItem>
- <ListItem>
- <PropertyName>ImagePathName</PropertyName>
- </ListItem>
- <ListItem>
- <PropertyName>CommandLine</PropertyName>
- </ListItem>
- <ListItem>
- <Label>Environment</Label>
- <ScriptBlock>"0x$($_.Environment.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
- </ListItem>
- <ListItem>
- <PropertyName>StartingX</PropertyName>
- <FormatString>0x{0:X8}</FormatString>
- </ListItem>
- <ListItem>
- <PropertyName>StartingY</PropertyName>
- <FormatString>0x{0:X8}</FormatString>
- </ListItem>
- <ListItem>
- <PropertyName>CountX</PropertyName>
- <FormatString>0x{0:X8}</FormatString>
- </ListItem>
- <ListItem>
- <PropertyName>CountY</PropertyName>
- <FormatString>0x{0:X8}</FormatString>
- </ListItem>
- <ListItem>
- <PropertyName>CountCharsX</PropertyName>
- <FormatString>0x{0:X8}</FormatString>
- </ListItem>
- <ListItem>
- <PropertyName>CountCharsY</PropertyName>
- <FormatString>0x{0:X8}</FormatString>
- </ListItem>
- <ListItem>
- <PropertyName>FillAttribute</PropertyName>
- <FormatString>0x{0:X8}</FormatString>
- </ListItem>
- <ListItem>
- <PropertyName>WindowFlags</PropertyName>
- <FormatString>0x{0:X8}</FormatString>
- </ListItem>
- <ListItem>
- <PropertyName>ShowWindowFlags</PropertyName>
- <FormatString>0x{0:X8}</FormatString>
- </ListItem>
- <ListItem>
- <PropertyName>WindowTitle</PropertyName>
- </ListItem>
- <ListItem>
- <PropertyName>DesktopInfo</PropertyName>
- </ListItem>
- <ListItem>
- <PropertyName>ShellInfo</PropertyName>
- </ListItem>
- <ListItem>
- <PropertyName>RuntimeData</PropertyName>
- </ListItem>
- </ListItems>
- </ListEntry>
- </ListEntries>
- </ListControl>
- </View>
- </ViewDefinitions>
-</Configuration>
diff --git a/ReverseEngineering/Get-PEB.ps1 b/ReverseEngineering/Get-PEB.ps1 deleted file mode 100644 index 7ec5089..0000000 --- a/ReverseEngineering/Get-PEB.ps1 +++ /dev/null @@ -1,1092 +0,0 @@ -function Get-PEB
-{
-<#
-.SYNOPSIS
-
-Returns the process environment block (PEB) of a process.
-
-PowerSploit Function: Get-PEB
-Author: Matthew Graeber (@mattifestation)
-License: BSD 3-Clause
-Required Dependencies: None
-Optional Dependencies: Get-PEB.format.ps1xml
-
-.DESCRIPTION
-
-Get-PEB returns a fully parsed process environment block (PEB) of any process. Because the PEB and its underlying structure differ according to OS version and architecture, Get-PEB builds the PEB dynamically at runtime. Get-PEB is designed to work in Windows XP - Windows 8 32/64-bit. It will also return the PEB of Wow64 processes.
-
-.PARAMETER Id
-
-The process ID of the process whose PEB will be retrieved.
-
-.EXAMPLE
-
-C:\PS> $AllPEBs = Get-Process | Get-PEB
-
-Description
------------
-Get the PEB of every process. Note: To get the PEBs for all processes, run this command from an elevated instance of PowerShell
-
-.EXAMPLE
-
-C:\PS> $NotepadPEB = Get-PEB -Id (ps notepad)
-C:\PS> $NotepadPEB.InInitializationOrderModuleList
-
-Description
------------
-Display all loaded modules of the notepad process in initialization order.
-
-.NOTES
-
-Some processes will not issue a handle unless you are running Get-PEB from an elevated instance of PowerShell.
-
-.LINK
-
-http://www.exploit-monday.com/2013/01/Get-PEB.html
-http://msdn.microsoft.com/en-us/library/windows/desktop/aa813706(v=vs.85).aspx
-#>
-
- [CmdletBinding()] Param (
- [Parameter(Position = 0, Mandatory = $True, ValueFromPipelineByPropertyName = $True)]
- [Alias('PID')]
- [UInt16[]]
- $Id
- )
-
- BEGIN
- {
- Set-StrictMode -Version 2
-
- $mscorlib = [AppDomain]::CurrentDomain.GetAssemblies() | ? { $_.FullName.Split(',')[0].ToLower() -eq 'mscorlib' }
- $Win32Native = $mscorlib.GetTypes() | ? { $_.FullName -eq 'Microsoft.Win32.Win32Native' }
-
- if ($Win32Native -eq $null)
- {
- throw 'Unable to get a reference to type: Microsoft.Win32.Win32Native'
- }
-
- function Local:Get-NTStatusException
- {
- [CmdletBinding()] Param (
- [Parameter(Position = 0, Mandatory = $True, ValueFromPipeline = $True)]
- [Int32[]]
- $ErrorCode
- )
-
- BEGIN
- {
- $LsaNtStatusToWinError = $Win32Native.GetMethod('LsaNtStatusToWinError', [Reflection.BindingFlags] 'NonPublic, Static')
- $GetMessage = $Win32Native.GetMethod('GetMessage', [Reflection.BindingFlags] 'NonPublic, Static')
- }
- PROCESS
- {
- foreach ($Error in $ErrorCode)
- {
- $WinErrorCode = $LsaNtStatusToWinError.Invoke($null, @($ErrorCode))
-
- Write-Output $GetMessage.Invoke($null, @($WinErrorCode))
- }
- }
- END{}
- }
-
- # The return value from Get-WindowsNTDDIVersion will be compared against these values to determine the structure of the PEB.
- $NTDDI_VISTA = 0x06000000
- $NTDDI_WS03 = 0x05020000
- $NTDDI_WINXP = 0x05010000
-
- function Local:Get-WindowsNTDDIVersion
- {
- # Return Windows version information as NTDDI_VERSION as defined in SdkDdkVer.h
- # This will aid in determining version specific PEB fields to return
- # Could this be accomplished with `Get-WmiObject Win32_OperatingSystem`? Yes, but I prefer not rely upon services that might be turned off.
- $OSVersionInfoEx = $Win32Native.GetNestedTypes('NonPublic') | ? { $_.FullName -eq 'Microsoft.Win32.Win32Native+OSVERSIONINFOEX' }
-
- if ($OSVersionInfoEx -eq $null)
- {
- Write-Error "Unable to get a reference to kernel32!OSVersionInfoEx."
- return
- }
-
- $MajorVersion = $OSVersionInfoEx.GetField('MajorVersion', [Reflection.BindingFlags] 'NonPublic, Instance')
- $MinorVersion = $OSVersionInfoEx.GetField('MinorVersion', [Reflection.BindingFlags] 'NonPublic, Instance')
- $ServicePackMajor = $OSVersionInfoEx.GetField('ServicePackMajor', [Reflection.BindingFlags] 'NonPublic, Instance')
- $ServicePackMinor = $OSVersionInfoEx.GetField('ServicePackMinor', [Reflection.BindingFlags] 'NonPublic, Instance')
- $ProductTypeField = $OSVersionInfoEx.GetField('ProductType', [Reflection.BindingFlags] 'NonPublic, Instance')
-
- $OSVersionInfoContructor = $OSVersionInfoEx.GetConstructors()[0]
- $OSVersionEx = $OSVersionInfoContructor.Invoke($null)
- # This version is present in .NET 2
- $GetVersionEx = $Win32Native.GetMethod('GetVersionEx', [Reflection.BindingFlags] 'NonPublic, Static', $null, @($OSVersionInfoEx), $null)
- if ($GetVersionEx -eq $null)
- {
- # This version is present in .NET 4
- $GetVersionEx = [Environment].GetMethod('GetVersionEx', [Reflection.BindingFlags] 'NonPublic, Static', $null, @($OSVersionInfoEx), $null)
- }
- if ($GetVersionEx -eq $null)
- {
- Write-Error "Unable to get a reference to GetVersionEx method."
- return
- }
- $Success = $GetVersionEx.Invoke($null, @($OSVersionEx))
-
- if (-not $Success)
- {
- Write-Error ([ComponentModel.Win32Exception][Runtime.InteropServices.Marshal]::GetLastWin32Error())
- return
- }
-
- # Build the version string
- $Version = [Int32] "0x$($MajorVersion.GetValue($OSVersionEx).ToString('D2'))$($MinorVersion.GetValue($OSVersionEx).ToString('D2'))$($ServicePackMajor.GetValue($OSVersionEx).ToString('D2'))$($ServicePackMinor.GetValue($OSVersionEx).ToString('D2'))"
- $ProductType = $ProductTypeField.GetValue($OSVersionEx)
-
- if ($Version -lt $NTDDI_WINXP)
- {
- throw 'Could not determine the correct Windows version! Windows ME, Windows 3.1, and OS/2 Warp are not supported. :P'
- }
-
- Write-Output $Version
- }
-
- $NTDDI_VERSION = Get-WindowsNTDDIVersion
-
- try { $NativeMethods = @([AppDomain]::CurrentDomain.GetAssemblies() | % { $_.GetTypes() } | ? { $_.FullName -eq 'Microsoft.Win32.NativeMethods' })[0] } catch {}
- $NtProcessBasicInfo = $NativeMethods.GetNestedType('NtProcessBasicInfo', [Reflection.BindingFlags]::NonPublic)
- $NtProcessBasicInfoConstructor = $NtProcessBasicInfo.GetConstructors()[0]
- $ProcessBasicInfo = $NtProcessBasicInfoConstructor.Invoke($null)
-
- $GetProcessHandle = [Diagnostics.Process].GetMethod('GetProcessHandle', [Reflection.BindingFlags] 'NonPublic, Instance', $null, @([Int]), $null)
- $PROCESS_QUERY_INFORMATION = 0x400
- $PROCESS_VM_READ = 0x0010
-
- # Sanity check to make sure that we can proceed. Without proper references, a call to NtQueryInformationProcess will crash PowerShell.
- if ($ProcessBasicInfo -eq $null)
- {
- Write-Error "Unable to get a reference to ProcessBasicInfo."
- return
- }
-
- $MEMORY_BASIC_INFORMATION = $Win32Native.GetNestedType('MEMORY_BASIC_INFORMATION', [Reflection.BindingFlags] 'NonPublic')
-
- if ($MEMORY_BASIC_INFORMATION -eq $null)
- {
- Write-Error 'Unable to get a reference to the MEMORY_BASIC_INFORMATION structure.'
- return
- }
-
- $OSArchitecture = [Int](Get-WmiObject Win32_OperatingSystem).OSArchitecture.Split('-')[0]
-
- try { $NativeUtils = [NativeUtils] } catch [Management.Automation.RuntimeException] # Only build the assembly if it hasn't already been defined
- {
- $DynAssembly = New-Object Reflection.AssemblyName('MemHacker')
- $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly($DynAssembly, [Reflection.Emit.AssemblyBuilderAccess]::Run)
- $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule('MemHacker', $False)
- $Attributes = 'AutoLayout, AnsiClass, Class, Public, SequentialLayout, Sealed, BeforeFieldInit'
- $TypeBuilder = $ModuleBuilder.DefineType('NativeUtils', $Attributes, [ValueType])
- $TypeBuilder.DefinePInvokeMethod('ReadProcessMemory', 'kernel32.dll', [Reflection.MethodAttributes] 'Public, Static', [Reflection.CallingConventions]::Standard, [Bool], @([IntPtr], [IntPtr], [IntPtr], [UInt32], [UInt32].MakeByRefType()), [Runtime.InteropServices.CallingConvention]::Winapi, 'Auto') | Out-Null
- $TypeBuilder.DefinePInvokeMethod('VirtualQueryEx', 'kernel32.dll', [Reflection.MethodAttributes] 'Public, Static', [Reflection.CallingConventions]::Standard, [UInt32], @([IntPtr], [IntPtr], $MEMORY_BASIC_INFORMATION.MakeByRefType(), [UInt32]), [Runtime.InteropServices.CallingConvention]::Winapi, 'Auto') | Out-Null
- if ($OSArchitecture -eq 64)
- {
- $TypeBuilder.DefinePInvokeMethod('IsWow64Process', 'kernel32.dll', [Reflection.MethodAttributes] 'Public, Static', [Reflection.CallingConventions]::Standard, [Bool], @([IntPtr], [Bool].MakeByRefType()), [Runtime.InteropServices.CallingConvention]::Winapi, 'Auto') | Out-Null
- }
- $TypeBuilder.DefinePInvokeMethod('NtQueryInformationProcess', 'ntdll.dll', [Reflection.MethodAttributes] 'Public, Static', [Reflection.CallingConventions]::Standard, [UInt32], @([IntPtr], [Int], $NtProcessBasicInfo, [Int], [IntPtr]), [Runtime.InteropServices.CallingConvention]::Winapi, 'Auto') | Out-Null
- $NativeUtils = $TypeBuilder.CreateType()
- }
-
- #region Determine OS/Process/PowerShell bitness
-
- # Get PowerShell's bit-ness accordingly to [IntPtr]::Size. The bitness of PowerShell is used as the basis for determining
- # the bitness of the processes you're interested in. For example, calling Get-Process from 32-bit PowerShell will only
- # return 32-bit processes. Get-Process on 64-bit PowerShell however will return 64-bit and Wow64 processes.
- if ([IntPtr]::Size -eq 4)
- {
- $PowerShellArchitecture = 32
- }
- else
- {
- $PowerShellArchitecture = 64
- }
- #endregion
-
- #region Build PEB structure dynamically
- try
- {
- $PEBStruct = [_PEB]
- $UnicodeStringStruct = [_UNICODE_STRING]
- $ProcessParametersStruct = [_RTL_USER_PROCESS_PARAMETERS]
- $ListEntryStruct = [_LIST_ENTRY]
- $LdrDataStruct = [_PEB_LDR_DATA]
- $BalancedNodeStruct = [_RTL_BALANCED_NODE]
- $LoadReasonEnum = [_LDR_DLL_LOAD_REASON]
- $LdrModuleStruct = [_LDR_DATA_TABLE_ENTRY]
- }
- catch
- {
- # Note: Once this strcuture is built, it cannot be rebuilt or unloaded without restarting PowerShell
- $DynAssembly = New-Object Reflection.AssemblyName('PEBTools')
- $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly($DynAssembly, [Reflection.Emit.AssemblyBuilderAccess]::Run)
- $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule('PEBModule', $False)
- $Attributes = 'AutoLayout, AnsiClass, Class, Public, SequentialLayout, Sealed, BeforeFieldInit'
- $TypeBuilder = $ModuleBuilder.DefineType('_PEB', $Attributes, [ValueType])
-
- $ConstructorInfo = [Runtime.InteropServices.MarshalAsAttribute].GetConstructors()[0]
- $ConstructorValue = [Runtime.InteropServices.UnmanagedType]::ByValArray
- $FieldArray = @([Runtime.InteropServices.MarshalAsAttribute].GetField('SizeConst'))
-
- # Build type for _UNICODE_STRING
- $UnicodeTypeBuilder = $ModuleBuilder.DefineType('_UNICODE_STRING', $Attributes, [ValueType])
- $UnicodeTypeBuilder.DefineField('Length', [UInt16], 'Public') | Out-Null
- $UnicodeTypeBuilder.DefineField('MaximumLength', [UInt16], 'Public') | Out-Null
- $UnicodeTypeBuilder.DefineField('Buffer', [IntPtr], 'Public') | Out-Null
- $UnicodeStringStruct = $UnicodeTypeBuilder.CreateType()
-
- # Build type for _RTL_USER_PROCESS_PARAMETERS
- $ProcParamTypeBuilder = $ModuleBuilder.DefineType('_RTL_USER_PROCESS_PARAMETERS', $Attributes, [ValueType], 4)
- $ProcParamTypeBuilder.DefineField('MaximumLength', [UInt32], 'Public') | Out-Null
- $ProcParamTypeBuilder.DefineField('Length', [UInt32], 'Public') | Out-Null
- $ProcParamTypeBuilder.DefineField('Flags', [UInt32], 'Public') | Out-Null
- $ProcParamTypeBuilder.DefineField('DebugFlags', [UInt32], 'Public') | Out-Null
- $ProcParamTypeBuilder.DefineField('ConsoleHandle', [IntPtr], 'Public') | Out-Null
- $ProcParamTypeBuilder.DefineField('ConsoleFlags', [UInt32], 'Public') | Out-Null
- $ProcParamTypeBuilder.DefineField('StandardInput', [IntPtr], 'Public') | Out-Null
- $ProcParamTypeBuilder.DefineField('StandardOutput', [IntPtr], 'Public') | Out-Null
- $ProcParamTypeBuilder.DefineField('StandardError', [IntPtr], 'Public') | Out-Null
- $ProcParamTypeBuilder.DefineField('CurrentDirectory', $UnicodeStringStruct, 'Public') | Out-Null
- $ProcParamTypeBuilder.DefineField('CurrentDirectoryHandle', [IntPtr], 'Public') | Out-Null
- $ProcParamTypeBuilder.DefineField('DllPath', $UnicodeStringStruct, 'Public') | Out-Null
- $ProcParamTypeBuilder.DefineField('ImagePathName', $UnicodeStringStruct, 'Public') | Out-Null
- $ProcParamTypeBuilder.DefineField('CommandLine', $UnicodeStringStruct, 'Public') | Out-Null
- $ProcParamTypeBuilder.DefineField('Environment', [IntPtr], 'Public') | Out-Null
- $ProcParamTypeBuilder.DefineField('StartingX', [UInt32], 'Public') | Out-Null
- $ProcParamTypeBuilder.DefineField('StartingY', [UInt32], 'Public') | Out-Null
- $ProcParamTypeBuilder.DefineField('CountX', [UInt32], 'Public') | Out-Null
- $ProcParamTypeBuilder.DefineField('CountY', [UInt32], 'Public') | Out-Null
- $ProcParamTypeBuilder.DefineField('CountCharsX', [UInt32], 'Public') | Out-Null
- $ProcParamTypeBuilder.DefineField('CountCharsY', [UInt32], 'Public') | Out-Null
- $ProcParamTypeBuilder.DefineField('FillAttribute', [UInt32], 'Public') | Out-Null
- $ProcParamTypeBuilder.DefineField('WindowFlags', [UInt32], 'Public') | Out-Null
- $ProcParamTypeBuilder.DefineField('ShowWindowFlags', [UInt32], 'Public') | Out-Null
- $ProcParamTypeBuilder.DefineField('WindowTitle', $UnicodeStringStruct, 'Public') | Out-Null
- $ProcParamTypeBuilder.DefineField('DesktopInfo', $UnicodeStringStruct, 'Public') | Out-Null
- $ProcParamTypeBuilder.DefineField('ShellInfo', $UnicodeStringStruct, 'Public') | Out-Null
- $ProcParamTypeBuilder.DefineField('RuntimeData', $UnicodeStringStruct, 'Public') | Out-Null
- $ProcessParametersStruct = $ProcParamTypeBuilder.CreateType()
-
- # Build type for _LIST_ENTRY
- $ListEntryTypeBuilder = $ModuleBuilder.DefineType('_LIST_ENTRY', $Attributes, [System.ValueType])
- $ListEntryTypeBuilder.DefineField('Flink', [IntPtr], 'Public') | Out-Null
- $ListEntryTypeBuilder.DefineField('Blink', [IntPtr], 'Public') | Out-Null
- $ListEntryStruct = $ListEntryTypeBuilder.CreateType()
-
- # Build type for _PEB_LDR_DATA
- $PEBLdrDataTypeBuilder = $ModuleBuilder.DefineType('_PEB_LDR_DATA', $Attributes, [System.ValueType])
- $PEBLdrDataTypeBuilder.DefineField('Length', [UInt32], 'Public') | Out-Null
- $InitializedField = $PEBLdrDataTypeBuilder.DefineField('Initialized', [Byte[]], 'Public')
- $AttribBuilder = New-Object Reflection.Emit.CustomAttributeBuilder($ConstructorInfo, $ConstructorValue, $FieldArray, @([Int32] 4))
- $InitializedField.SetCustomAttribute($AttribBuilder)
- $PEBLdrDataTypeBuilder.DefineField('SsHandle', [IntPtr], 'Public') | Out-Null
- $PEBLdrDataTypeBuilder.DefineField('InLoadOrderModuleList', [_LIST_ENTRY], 'Public') | Out-Null
- $PEBLdrDataTypeBuilder.DefineField('InMemoryOrderModuleList', [_LIST_ENTRY], 'Public') | Out-Null
- $PEBLdrDataTypeBuilder.DefineField('InInitializationOrderModuleList', [_LIST_ENTRY], 'Public') | Out-Null
- $PEBLdrDataTypeBuilder.DefineField('EntryInProgress', [IntPtr], 'Public') | Out-Null
- $ShutdownInProgressField = $PEBLdrDataTypeBuilder.DefineField('ShutdownInProgress', [Byte[]], 'Public')
- $AttribBuilder = New-Object Reflection.Emit.CustomAttributeBuilder($ConstructorInfo, $ConstructorValue, $FieldArray, @([Int32] 2))
- $ShutdownInProgressField.SetCustomAttribute($AttribBuilder)
- $PEBLdrDataTypeBuilder.DefineField('ShutdownThreadId', [IntPtr], 'Public') | Out-Null
- $LdrDataStruct = $PEBLdrDataTypeBuilder.CreateType()
-
- # Build type for _RTL_BALANCED_NODE
- $BalancedNodeTypeBuilder = $ModuleBuilder.DefineType('_RTL_BALANCED_NODE', $Attributes, [System.ValueType])
- $BalancedNodeTypeBuilder.DefineField('Left', [IntPtr], 'Public') | Out-Null
- $BalancedNodeTypeBuilder.DefineField('Right', [IntPtr], 'Public') | Out-Null
- if ($PowerShellArchitecture -eq 64) { $BalancedNodeTypeBuilder.DefineField('ParentValue', [UInt64], 'Public') | Out-Null }
- else { $BalancedNodeTypeBuilder.DefineField('ParentValue', [UInt32], 'Public') | Out-Null }
- $BalancedNodeStruct = $BalancedNodeTypeBuilder.CreateType()
-
- # Build type for _LDR_DLL_LOAD_REASON enum
- $EnumBuilder = $ModuleBuilder.DefineEnum('_LDR_DLL_LOAD_REASON', 'Public', [Int32])
- # Define values of the enum
- $EnumBuilder.DefineLiteral('StaticDependency', [Int32] 0) | Out-Null
- $EnumBuilder.DefineLiteral('StaticForwarderDependency', [Int32] 1) | Out-Null
- $EnumBuilder.DefineLiteral('DynamicForwarderDependency', [Int32] 2) | Out-Null
- $EnumBuilder.DefineLiteral('DelayloadDependency', [Int32] 3) | Out-Null
- $EnumBuilder.DefineLiteral('DynamicLoad', [Int32] 4) | Out-Null
- $EnumBuilder.DefineLiteral('AsImageLoad', [Int32] 5) | Out-Null
- $EnumBuilder.DefineLiteral('AsDataLoad', [Int32] 6) | Out-Null
- $EnumBuilder.DefineLiteral('Unknown', [Int32] -1) | Out-Null
- $LoadReasonEnum = $EnumBuilder.CreateType()
-
- # Build type for _LDR_DATA_TABLE_ENTRY
- $PEBLdrModuleTypeBuilder = $ModuleBuilder.DefineType('_LDR_DATA_TABLE_ENTRY', $Attributes, [System.ValueType])
- $PEBLdrModuleTypeBuilder.DefineField('InLoadOrderModuleList', [_LIST_ENTRY], 'Public') | Out-Null
- $PEBLdrModuleTypeBuilder.DefineField('InMemoryOrderModuleList', [_LIST_ENTRY], 'Public') | Out-Null
- $PEBLdrModuleTypeBuilder.DefineField('InInitializationOrderModuleList', [_LIST_ENTRY], 'Public') | Out-Null
- $PEBLdrModuleTypeBuilder.DefineField('BaseAddress', [IntPtr], 'Public') | Out-Null
- $PEBLdrModuleTypeBuilder.DefineField('EntryPoint', [IntPtr], 'Public') | Out-Null
- $PEBLdrModuleTypeBuilder.DefineField('SizeOfImage', [UInt32], 'Public') | Out-Null
- $PEBLdrModuleTypeBuilder.DefineField('FullDllName', [_UNICODE_STRING], 'Public') | Out-Null
- $PEBLdrModuleTypeBuilder.DefineField('BaseDllName', [_UNICODE_STRING], 'Public') | Out-Null
- $PEBLdrModuleTypeBuilder.DefineField('Flags', [UInt32], 'Public') | Out-Null
- $PEBLdrModuleTypeBuilder.DefineField('ObsoleteLoadCount', [UInt16], 'Public') | Out-Null
- $PEBLdrModuleTypeBuilder.DefineField('TlsIndex', [UInt16], 'Public') | Out-Null
- $PEBLdrModuleTypeBuilder.DefineField('HashLinks', [_LIST_ENTRY], 'Public') | Out-Null
- $PEBLdrModuleTypeBuilder.DefineField('TimeDateStamp', [UInt32], 'Public') | Out-Null
- $PEBLdrModuleTypeBuilder.DefineField('EntryPointActivationContext', [IntPtr], 'Public') | Out-Null
- $PEBLdrModuleTypeBuilder.DefineField('PatchInformation', [IntPtr], 'Public') | Out-Null
- $PEBLdrModuleTypeBuilder.DefineField('DdagNode', [IntPtr], 'Public') | Out-Null
- $PEBLdrModuleTypeBuilder.DefineField('NodeModuleLink', [_LIST_ENTRY], 'Public') | Out-Null
- $PEBLdrModuleTypeBuilder.DefineField('SnapContext', [IntPtr], 'Public') | Out-Null
- $PEBLdrModuleTypeBuilder.DefineField('ParentDllBase', [IntPtr], 'Public') | Out-Null
- $PEBLdrModuleTypeBuilder.DefineField('SwitchBackContext', [IntPtr], 'Public') | Out-Null
- $PEBLdrModuleTypeBuilder.DefineField('BaseAddressIndexNode', [_RTL_BALANCED_NODE], 'Public') | Out-Null
- $PEBLdrModuleTypeBuilder.DefineField('MappingInfoIndexNode', [_RTL_BALANCED_NODE], 'Public') | Out-Null
- if ($PowerShellArchitecture -eq 64) { $PEBLdrModuleTypeBuilder.DefineField('OriginalBase', [UInt64], 'Public') | Out-Null }
- else { $PEBLdrModuleTypeBuilder.DefineField('OriginalBase', [UInt32], 'Public') | Out-Null }
- $PEBLdrModuleTypeBuilder.DefineField('LoadTime', [UInt64], 'Public') | Out-Null
- $PEBLdrModuleTypeBuilder.DefineField('BaseNameHashValue', [UInt32], 'Public') | Out-Null
- $PEBLdrModuleTypeBuilder.DefineField('LoadReason', [_LDR_DLL_LOAD_REASON], 'Public') | Out-Null
- $LdrModuleStruct = $PEBLdrModuleTypeBuilder.CreateType()
-
- $TypeBuilder.DefineField('InheritedAddressSpace', [Byte], 'Public') | Out-Null
- $TypeBuilder.DefineField('ReadImageFileExecOptions', [Byte], 'Public') | Out-Null
- $TypeBuilder.DefineField('BeingDebugged', [Byte], 'Public') | Out-Null
- $TypeBuilder.DefineField('BitField', [Byte], 'Public') | Out-Null
- if ($PowerShellArchitecture -eq 64) { $TypeBuilder.DefineField('Reserved3', [UInt32], 'Public, HasFieldMarshal') | Out-Null }
- $TypeBuilder.DefineField('Mutant', [IntPtr], 'Public') | Out-Null
- $TypeBuilder.DefineField('ImageBaseAddress', [IntPtr], 'Public') | Out-Null
- $TypeBuilder.DefineField('Ldr', [IntPtr], 'Public') | Out-Null
- $TypeBuilder.DefineField('ProcessParameters', [IntPtr], 'Public') | Out-Null
- $TypeBuilder.DefineField('SubSystemData', [IntPtr], 'Public') | Out-Null
- $TypeBuilder.DefineField('ProcessHeap', [IntPtr], 'Public') | Out-Null
- $TypeBuilder.DefineField('FastPebLock', [IntPtr], 'Public') | Out-Null
-
- if ($NTDDI_VERSION -ge $NTDDI_VISTA)
- {
- $TypeBuilder.DefineField('AtlThunkSListPtr', [IntPtr], 'Public') | Out-Null
- $TypeBuilder.DefineField('IFEOKey', [IntPtr], 'Public') | Out-Null
- if ($PowerShellArchitecture -eq 64) { $TypeBuilder.DefineField('CrossProcessFlags', [UInt64], 'Public') | Out-Null
- } else { $TypeBuilder.DefineField('CrossProcessFlags', [UInt32], 'Public') | Out-Null }
- $TypeBuilder.DefineField('KernelCallbackTable', [IntPtr], 'Public') | Out-Null
- }
- elseif ($NTDDI_VERSION -ge $NTDDI_WS03)
- {
- $TypeBuilder.DefineField('AtlThunkSListPtr', [IntPtr], 'Public') | Out-Null
- $TypeBuilder.DefineField('SparePtr2', [IntPtr], 'Public') | Out-Null
- $TypeBuilder.DefineField('EnvironmentUpdateCount', [UInt32], 'Public') | Out-Null
- $TypeBuilder.DefineField('KernelCallbackTable', [IntPtr], 'Public') | Out-Null
- }
- else
- {
- $TypeBuilder.DefineField('FastPebLockRoutine', [IntPtr], 'Public') | Out-Null
- $TypeBuilder.DefineField('FastPebUnlockRoutine', [IntPtr], 'Public') | Out-Null
- $TypeBuilder.DefineField('EnvironmentUpdateCount', [UInt32], 'Public') | Out-Null
- $TypeBuilder.DefineField('KernelCallbackTable', [IntPtr], 'Public') | Out-Null
- }
- $TypeBuilder.DefineField('SystemReserved', [UInt32], 'Public') | Out-Null
- $TypeBuilder.DefineField('AtlThunkSListPtr32', [UInt32], 'Public') | Out-Null
- $TypeBuilder.DefineField('ApiSetMap', [IntPtr], 'Public') | Out-Null
- $TypeBuilder.DefineField('TlsExpansionCounter', [UInt32], 'Public') | Out-Null
- $TypeBuilder.DefineField('TlsBitmap', [IntPtr], 'Public') | Out-Null
- $TlsBitmapBitsField = $TypeBuilder.DefineField('TlsBitmapBits', [UInt32[]], 'Public, HasFieldMarshal')
- $AttribBuilder = New-Object Reflection.Emit.CustomAttributeBuilder($ConstructorInfo, $ConstructorValue, $FieldArray, @([Int32] 2))
- $TlsBitmapBitsField.SetCustomAttribute($AttribBuilder)
- $TypeBuilder.DefineField('ReadOnlySharedMemoryBase', [IntPtr], 'Public') | Out-Null
- if ($NTDDI_VERSION -ge $NTDDI_VISTA)
- {
- $TypeBuilder.DefineField('HotpatchInformation', [IntPtr], 'Public') | Out-Null
- }
- else
- {
- $TypeBuilder.DefineField('ReadOnlySharedMemoryHeap', [IntPtr], 'Public') | Out-Null
- }
- $TypeBuilder.DefineField('ReadOnlyStaticServerData', [IntPtr], 'Public') | Out-Null
- $TypeBuilder.DefineField('AnsiCodePageData', [IntPtr], 'Public') | Out-Null
- $TypeBuilder.DefineField('OemCodePageData', [IntPtr], 'Public') | Out-Null
- $TypeBuilder.DefineField('UnicodeCaseTableData', [IntPtr], 'Public') | Out-Null
- $TypeBuilder.DefineField('NumberOfProcessors', [UInt32], 'Public') | Out-Null
- $TypeBuilder.DefineField('NtGlobalFlag', [UInt32], 'Public') | Out-Null
- $TypeBuilder.DefineField('CriticalSectionTimeout', [Int64], 'Public') | Out-Null
- if ($PowerShellArchitecture -eq 64)
- {
- $TypeBuilder.DefineField('HeapSegmentReserve', [UInt64], 'Public') | Out-Null
- $TypeBuilder.DefineField('HeapSegmentCommit', [UInt64], 'Public') | Out-Null
- }
- else
- {
- $TypeBuilder.DefineField('HeapSegmentReserve', [UInt32], 'Public') | Out-Null
- $TypeBuilder.DefineField('HeapSegmentCommit', [UInt32], 'Public') | Out-Null
- }
- $TypeBuilder.DefineField('HeapDeCommitTotalFreeThreshold', [IntPtr], 'Public') | Out-Null
- $TypeBuilder.DefineField('HeapDeCommitFreeBlockThreshold', [IntPtr], 'Public') | Out-Null
- $TypeBuilder.DefineField('NumberOfHeaps', [UInt32], 'Public') | Out-Null
- $TypeBuilder.DefineField('MaximumNumberOfHeaps', [UInt32], 'Public') | Out-Null
- $TypeBuilder.DefineField('ProcessHeaps', [IntPtr], 'Public') | Out-Null
- $TypeBuilder.DefineField('GdiSharedHandleTable', [IntPtr], 'Public') | Out-Null
- $TypeBuilder.DefineField('ProcessStarterHelper', [IntPtr], 'Public') | Out-Null
- $TypeBuilder.DefineField('GdiDCAttributeList', [UInt32], 'Public') | Out-Null
- $TypeBuilder.DefineField('LoaderLock', [IntPtr], 'Public') | Out-Null
- $TypeBuilder.DefineField('OSMajorVersion', [UInt32], 'Public') | Out-Null
- $TypeBuilder.DefineField('OSMinorVersion', [UInt32], 'Public') | Out-Null
- $TypeBuilder.DefineField('OSBuildNumber', [UInt16], 'Public') | Out-Null
- $TypeBuilder.DefineField('OSCSDVersion', [UInt16], 'Public') | Out-Null
- $TypeBuilder.DefineField('OSPlatformId', [UInt32], 'Public') | Out-Null
- $TypeBuilder.DefineField('ImageSubsystem', [UInt32], 'Public') | Out-Null
- $TypeBuilder.DefineField('ImageSubsystemMajorVersion', [UInt32], 'Public') | Out-Null
- $TypeBuilder.DefineField('ImageSubsystemMinorVersion', [UInt32], 'Public') | Out-Null
- $TypeBuilder.DefineField('ActiveProcessAffinityMask', [IntPtr], 'Public') | Out-Null
- $GdiHandleBufferField = $TypeBuilder.DefineField('GdiHandleBuffer', [UInt32[]], 'Public, HasFieldMarshal')
- if ($PowerShellArchitecture -eq 64) { $GDI_HANDLE_BUFFER_SIZE = 60 } else { $GDI_HANDLE_BUFFER_SIZE = 34 }
- $AttribBuilder = New-Object Reflection.Emit.CustomAttributeBuilder($ConstructorInfo, $ConstructorValue, $FieldArray, @([Int32] $GDI_HANDLE_BUFFER_SIZE))
- $GdiHandleBufferField.SetCustomAttribute($AttribBuilder)
- $TypeBuilder.DefineField('PostProcessInitRoutine', [IntPtr], 'Public') | Out-Null
- $TypeBuilder.DefineField('TlsExpansionBitmap', [IntPtr], 'Public') | Out-Null
- $TlsExpansionBitmapBitsField = $TypeBuilder.DefineField('TlsExpansionBitmapBits', [UInt32[]], 'Public, HasFieldMarshal')
- $AttribBuilder = New-Object Reflection.Emit.CustomAttributeBuilder($ConstructorInfo, $ConstructorValue, $FieldArray, @([Int32] 32))
- $TlsExpansionBitmapBitsField.SetCustomAttribute($AttribBuilder)
- $TypeBuilder.DefineField('SessionId', [UInt32], 'Public') | Out-Null
-
- if ($NTDDI_VERSION -ge $NTDDI_WINXP)
- {
- $TypeBuilder.DefineField('AppCompatFlags', [UInt64], 'Public') | Out-Null
- $TypeBuilder.DefineField('AppCompatFlagsUser', [UInt64], 'Public') | Out-Null
- $TypeBuilder.DefineField('pShimData', [IntPtr], 'Public') | Out-Null
- $TypeBuilder.DefineField('AppCompatInfo', [UInt32], 'Public') | Out-Null
- $TypeBuilder.DefineField('CSDVersion', [_UNICODE_STRING], 'Public') | Out-Null
- $TypeBuilder.DefineField('ActivationContextData', [IntPtr], 'Public') | Out-Null
- $TypeBuilder.DefineField('ProcessAssemblyStorageMap', [IntPtr], 'Public') | Out-Null
- $TypeBuilder.DefineField('SystemDefaultActivationContextData', [IntPtr], 'Public') | Out-Null
- $TypeBuilder.DefineField('SystemAssemblyStorageMap', [IntPtr], 'Public') | Out-Null
- if ($PowerShellArchitecture -eq 64) { $TypeBuilder.DefineField('MinimumStackCommit', [UInt64], 'Public') | Out-Null
- } else { $TypeBuilder.DefineField('MinimumStackCommit', [UInt32], 'Public') | Out-Null }
- }
- if ($NTDDI_VERSION -ge $NTDDI_WS03)
- {
- $TypeBuilder.DefineField('FlsCallback', [IntPtr], 'Public') | Out-Null
- $TypeBuilder.DefineField('FlsListHead', [_LIST_ENTRY], 'Public') | Out-Null
- $TypeBuilder.DefineField('FlsBitmap', [IntPtr], 'Public') | Out-Null
- $FlsBitmapBitsField = $TypeBuilder.DefineField('FlsBitmapBits', [UInt32[]], 'Public')
- $AttribBuilder = New-Object Reflection.Emit.CustomAttributeBuilder($ConstructorInfo, $ConstructorValue, $FieldArray, @([Int32] 4))
- $FlsBitmapBitsField.SetCustomAttribute($AttribBuilder)
- $TypeBuilder.DefineField('FlsHighIndex', [UInt32], 'Public') | Out-Null
- }
- if ($NTDDI_VERSION -ge $NTDDI_VISTA)
- {
- $TypeBuilder.DefineField('WerRegistrationData', [IntPtr], 'Public') | Out-Null
- $TypeBuilder.DefineField('WerShipAssertPtr', [IntPtr], 'Public') | Out-Null
- $TypeBuilder.DefineField('pUnused', [IntPtr], 'Public') | Out-Null
- $TypeBuilder.DefineField('pImageHeaderHash', [IntPtr], 'Public') | Out-Null
- $TypeBuilder.DefineField('TracingFlags', [UInt32], 'Public') | Out-Null
- $TypeBuilder.DefineField('CsrServerReadOnlySharedMemoryBase', [UInt64], 'Public') | Out-Null
- }
-
- $PEBStruct = $TypeBuilder.CreateType()
- }
-
- $PEBSize = [Runtime.InteropServices.Marshal]::SizeOf([Type]$PEBStruct)
- #endregion
-
- function Local:Get-StructFromMemory
- {
- [CmdletBinding()] Param (
- [Parameter(Position = 0, Mandatory = $True)]
- [Alias('ProcessId')]
- [UInt16]
- $ProcId,
-
- [Parameter(Position = 1, Mandatory = $True)]
- [IntPtr]
- $MemoryAddress,
-
- [Parameter(Position = 2, Mandatory = $True)]
- [Alias('Type')]
- [Type]
- $StructType,
-
- [ValidateSet('InLoadOrderModuleList','InMemoryOrderModuleList','InInitializationOrderModuleList')]
- [String]
- $LoadOrder,
-
- [UInt16]
- $UnicodeStringSize
- )
-
- if (($StructType -eq [String]) -and ($MemoryAddress -eq 0)) { Write-Output ''; return }
- elseif ($MemoryAddress -eq 0) { Write-Output $null; return }
-
- $PROCESS_VM_READ = 0x0010 # The process permissions we'l ask for when getting a handle to the process
-
- $GetProcessHandle = [Diagnostics.Process].GetMethod('GetProcessHandle', [Reflection.BindingFlags] 'NonPublic, Instance', $null, @([Int]), $null)
-
- try
- {
- $Process = Get-Process -Id $ProcId -ErrorVariable GetProcessError
- $Handle = $Process.Handle
- }
- catch [Exception]
- {
- Write-Error $GetProcessError
- return
- }
-
- if ($Handle -eq $null)
- {
- Write-Error "Unable to obtain a handle for PID $ProcId. You will likely need to run this script elevated."
- return
- }
-
- $ProtectField = $MEMORY_BASIC_INFORMATION.GetField('Protect', [Reflection.BindingFlags] 'NonPublic, Instance')
- $AllocationBaseField = $MEMORY_BASIC_INFORMATION.GetField('BaseAddress', [Reflection.BindingFlags] 'NonPublic, Instance')
- $RegionSizeField = $MEMORY_BASIC_INFORMATION.GetField('RegionSize', [Reflection.BindingFlags] 'NonPublic, Instance')
-
- try
- {
- $SafeHandle = $GetProcessHandle.Invoke($Process, @($PROCESS_VM_READ))
- $Handle = $SafeHandle.DangerousGetHandle()
- }
- catch
- {
- Write-Error $Error[0]
- return
- }
-
- $PAGE_EXECUTE_READ = 0x20
- $PAGE_EXECUTE_READWRITE = 0x40
- $PAGE_READONLY = 2
- $PAGE_READWRITE = 4
-
- if ($StructType -eq $LdrModuleStruct -and $LoadOrder)
- {
- $OriginalFlink = $MemoryAddress
- $Flink = $OriginalFlink
-
- do
- {
- $MemoryBasicInformation = [Activator]::CreateInstance($MEMORY_BASIC_INFORMATION)
- $NativeUtils::VirtualQueryEx($Handle, $Flink, [Ref] $MemoryBasicInformation, [Runtime.InteropServices.Marshal]::SizeOf([Type]$MEMORY_BASIC_INFORMATION)) | Out-Null
-
- $Protection = $ProtectField.GetValue($MemoryBasicInformation)
- $AllocationBaseOriginal = $AllocationBaseField.GetValue($MemoryBasicInformation)
- $GetPointerValue = $AllocationBaseOriginal.GetType().GetMethod('GetPointerValue', [Reflection.BindingFlags] 'NonPublic, Instance')
- $AllocationBase = $GetPointerValue.Invoke($AllocationBaseOriginal, $null).ToInt64()
- $RegionSize = $RegionSizeField.GetValue($MemoryBasicInformation).ToUInt64()
-
- if (($Protection -ne $PAGE_READONLY) -and ($Protection -ne $PAGE_READWRITE) -and ($Protection -ne $PAGE_EXECUTE_READ) -and ($Protection -ne $PAGE_EXECUTE_READWRITE))
- {
- $SafeHandle.Close()
- Write-Error 'The address specified does not have read access.'
- return
- }
-
- $StructSize = [Runtime.InteropServices.Marshal]::SizeOf([Type]$LdrModuleStruct)
- $EndOfAllocation = $AllocationBase + $RegionSize
- $EndOfStruct = $MemoryAddress.ToInt64() + $StructSize
-
- if ($EndOfStruct -gt $EndOfAllocation)
- {
- $SafeHandle.Close()
- Write-Error 'You are attempting to read beyond what was allocated.'
- return
- }
-
- try
- {
- $LocalStructPtr = [Runtime.InteropServices.Marshal]::AllocHGlobal($StructSize)
- }
- catch [OutOfMemoryException]
- {
- Write-Error $Error[0]
- return
- }
-
- $ZeroBytes = New-Object Byte[]($StructSize)
- [Runtime.InteropServices.Marshal]::Copy($ZeroBytes, 0, $LocalStructPtr, $StructSize)
-
- $BytesRead = [UInt32] 0
-
- if ($NativeUtils::ReadProcessMemory($Handle, $Flink, $LocalStructPtr, $StructSize, [Ref] $BytesRead))
- {
- $SafeHandle.Close()
- [Runtime.InteropServices.Marshal]::FreeHGlobal($LocalStructPtr)
- Write-Error ([ComponentModel.Win32Exception][Runtime.InteropServices.Marshal]::GetLastWin32Error())
- return
- }
-
- $ParsedLdrModule = [Runtime.InteropServices.Marshal]::PtrToStructure($LocalStructPtr, [Type] $LdrModuleStruct)
-
- [Runtime.InteropServices.Marshal]::FreeHGlobal($LocalStructPtr)
-
- switch ($LoadOrder)
- {
- 'InLoadOrderModuleList' { $Flink = $ParsedLdrModule.InLoadOrderModuleList.Flink }
- 'InMemoryOrderModuleList' { $Flink = [IntPtr] ($ParsedLdrModule.InMemoryOrderModuleList.Flink.ToInt64() - [Runtime.InteropServices.Marshal]::SizeOf([Type]$ListEntryStruct)) }
- 'InInitializationOrderModuleList' { $Flink = [IntPtr] ($ParsedLdrModule.InInitializationOrderModuleList.Flink.ToInt64() - (2 * [Runtime.InteropServices.Marshal]::SizeOf([Type]$ListEntryStruct))) }
- }
-
- $SafeHandle = $GetProcessHandle.Invoke($Process, @($PROCESS_VM_READ))
- $Handle = $SafeHandle.DangerousGetHandle()
-
- if ($ParsedLdrModule.SizeOfImage)
- {
- Write-Output $ParsedLdrModule
- }
- } while (($Flink -ne 0) -and ($Flink -ne $OriginalFlink))
-
- $SafeHandle.Close()
- }
- elseif ($StructType -eq [String] -and $UnicodeStringSize)
- {
- $MemoryBasicInformation = [Activator]::CreateInstance($MEMORY_BASIC_INFORMATION)
- $NativeUtils::VirtualQueryEx($Handle, $MemoryAddress, [Ref] $MemoryBasicInformation, [Runtime.InteropServices.Marshal]::SizeOf([Type]$MEMORY_BASIC_INFORMATION)) | Out-Null
-
- $Protection = $ProtectField.GetValue($MemoryBasicInformation)
- $AllocationBaseOriginal = $AllocationBaseField.GetValue($MemoryBasicInformation)
- $GetPointerValue = $AllocationBaseOriginal.GetType().GetMethod('GetPointerValue', [Reflection.BindingFlags] 'NonPublic, Instance')
- $AllocationBase = $GetPointerValue.Invoke($AllocationBaseOriginal, $null).ToInt64()
- $RegionSize = $RegionSizeField.GetValue($MemoryBasicInformation).ToUInt64()
-
- if (($Protection -ne $PAGE_READONLY) -and ($Protection -ne $PAGE_READWRITE) -and ($Protection -ne $PAGE_EXECUTE_READ) -and ($Protection -ne $PAGE_EXECUTE_READWRITE))
- {
- $SafeHandle.Close()
- Write-Error 'The address specified does not have read access.'
- return
- }
-
- $StructSize = $UnicodeStringSize
- $EndOfAllocation = $AllocationBase + $RegionSize
- $EndOfStruct = $MemoryAddress.ToInt64() + $StructSize
-
- if ($EndOfStruct -gt $EndOfAllocation)
- {
- $SafeHandle.Close()
- Write-Error 'You are attempting to read beyond what was allocated.'
- return
- }
-
- try
- {
- $LocalStructPtr = [Runtime.InteropServices.Marshal]::AllocHGlobal($StructSize)
- }
- catch [OutOfMemoryException]
- {
- Write-Error $Error[0]
- return
- }
-
- $ZeroBytes = New-Object Byte[]($StructSize)
- [Runtime.InteropServices.Marshal]::Copy($ZeroBytes, 0, $LocalStructPtr, $StructSize)
-
- $BytesRead = [UInt32] 0
-
- if ($NativeUtils::ReadProcessMemory($Handle, $MemoryAddress, $LocalStructPtr, $StructSize, [Ref] $BytesRead))
- {
- $SafeHandle.Close()
- [Runtime.InteropServices.Marshal]::FreeHGlobal($LocalStructPtr)
- Write-Error ([ComponentModel.Win32Exception][Runtime.InteropServices.Marshal]::GetLastWin32Error())
- return
- }
-
- $ParsedStruct = [Runtime.InteropServices.Marshal]::PtrToStringUni($LocalStructPtr)
-
- [Runtime.InteropServices.Marshal]::FreeHGlobal($LocalStructPtr)
- $SafeHandle.Close()
-
- Write-Output $ParsedStruct
- }
- else
- {
- $MemoryBasicInformation = [Activator]::CreateInstance($MEMORY_BASIC_INFORMATION)
- $NativeUtils::VirtualQueryEx($Handle, $MemoryAddress, [Ref] $MemoryBasicInformation, [Runtime.InteropServices.Marshal]::SizeOf([Type]$MEMORY_BASIC_INFORMATION)) | Out-Null
-
- $Protection = $ProtectField.GetValue($MemoryBasicInformation)
- $AllocationBaseOriginal = $AllocationBaseField.GetValue($MemoryBasicInformation)
- $GetPointerValue = $AllocationBaseOriginal.GetType().GetMethod('GetPointerValue', [Reflection.BindingFlags] 'NonPublic, Instance')
- $AllocationBase = $GetPointerValue.Invoke($AllocationBaseOriginal, $null).ToInt64()
- $RegionSize = $RegionSizeField.GetValue($MemoryBasicInformation).ToUInt64()
-
- if (($Protection -ne $PAGE_READONLY) -and ($Protection -ne $PAGE_READWRITE) -and ($Protection -ne $PAGE_EXECUTE_READ) -and ($Protection -ne $PAGE_EXECUTE_READWRITE))
- {
- $SafeHandle.Close()
- Write-Error 'The address specified does not have read access.'
- return
- }
-
- $StructSize = [Runtime.InteropServices.Marshal]::SizeOf([Type]$StructType)
- $EndOfAllocation = $AllocationBase + $RegionSize
- $EndOfStruct = $MemoryAddress.ToInt64() + $StructSize
-
- if ($EndOfStruct -gt $EndOfAllocation)
- {
- $SafeHandle.Close()
- Write-Error 'You are attempting to read beyond what was allocated.'
- return
- }
-
- try
- {
- $LocalStructPtr = [Runtime.InteropServices.Marshal]::AllocHGlobal($StructSize)
- }
- catch [OutOfMemoryException]
- {
- Write-Error $Error[0]
- return
- }
-
- $ZeroBytes = New-Object Byte[]($StructSize)
- [Runtime.InteropServices.Marshal]::Copy($ZeroBytes, 0, $LocalStructPtr, $StructSize)
-
- $BytesRead = [UInt32] 0
-
- if ($NativeUtils::ReadProcessMemory($Handle, $MemoryAddress, $LocalStructPtr, $StructSize, [Ref] $BytesRead))
- {
- $SafeHandle.Close()
- [Runtime.InteropServices.Marshal]::FreeHGlobal($LocalStructPtr)
- Write-Error ([ComponentModel.Win32Exception][Runtime.InteropServices.Marshal]::GetLastWin32Error())
- return
- }
-
- $ParsedStruct = [Runtime.InteropServices.Marshal]::PtrToStructure($LocalStructPtr, [Type] $StructType)
-
- [Runtime.InteropServices.Marshal]::FreeHGlobal($LocalStructPtr)
- $SafeHandle.Close()
-
- Write-Output $ParsedStruct
- }
- }
- }
-
- PROCESS
- {
- foreach ($ProcessId in $Id)
- {
- $Handle = $null
-
- try
- {
- $Process = Get-Process -Id $ProcessId -ErrorVariable GetProcessError
- # Get the process handle
- $Handle = $Process.Handle
- }
- catch { }
-
- if ($Handle -eq $null)
- {
- Write-Error "Unable to obtain a handle for PID $ProcessId. You will likely need to run this script elevated."
- }
- else
- {
- $SafeHandle = $GetProcessHandle.Invoke($Process, @($PROCESS_QUERY_INFORMATION -bor $PROCESS_VM_READ))
- $Handle = $SafeHandle.DangerousGetHandle()
-
- Write-Verbose "ProcessName: $($Process.ProcessName)"
- Write-Verbose "Handle: $Handle"
-
- if ($OSArchitecture -eq 64)
- {
- $IsWow64 = $False
- $NativeUtils::IsWow64Process($Handle, [Ref] $IsWow64) | Out-Null
-
- if ($PowerShellArchitecture -eq 32 -and (-not $IsWow64))
- {
- $SafeHandle.Close()
- Write-Error 'Cannot get the PEB of a 64-bit process from a Wow64 process. Use 64-bit PowerShell and try again.'
- return
- }
- }
-
- $ProcessBasicInfo = $NtProcessBasicInfoConstructor.Invoke($null)
-
- $Status = $NativeUtils::NtQueryInformationProcess($Handle, 0, $ProcessBasicInfo, [Runtime.InteropServices.Marshal]::SizeOf($ProcessBasicInfo), [IntPtr]::Zero)
-
- Write-Verbose 'ProcessBasicInfo:'
- Write-Verbose ($ProcessBasicInfo | Out-String)
-
- if ($Status -ne 0)
- {
- $SafeHandle.Close()
- Write-Error (Get-NTStatusException $Status)
- return
- }
-
- $SafeHandle.Close()
-
- $PEB = Get-StructFromMemory -ProcId $ProcessId -MemoryAddress ($ProcessBasicInfo.PebBaseAddress) -StructType ($PEBStruct)
-
- $ProcessParams = Get-StructFromMemory -ProcId $ProcessId -MemoryAddress ($PEB.ProcessParameters) -StructType ($ProcessParametersStruct)
-
- $CurrentDirectory = ''
- $DllPath = ''
- $ImagePathName = ''
- $CommandLine = ''
- $WindowTitle = ''
- $DesktopInfo = ''
- $ShellInfo = ''
- $RuntimeData = ''
-
- if ($ProcessParams.CurrentDirectory.Buffer) { $CurrentDirectory = Get-StructFromMemory -ProcId $ProcessId -MemoryAddress ($ProcessParams.CurrentDirectory.Buffer) -StructType ([String]) -UnicodeStringSize ($ProcessParams.CurrentDirectory.MaximumLength) }
- if ($ProcessParams.DllPath.Buffer) { $DllPath = Get-StructFromMemory -ProcId $ProcessId -MemoryAddress ($ProcessParams.DllPath.Buffer) -StructType ([String]) -UnicodeStringSize ($ProcessParams.DllPath.MaximumLength) } else { $DllPath = '' }
- if ($ProcessParams.ImagePathName.Buffer) { $ImagePathName = Get-StructFromMemory -ProcId $ProcessId -MemoryAddress ($ProcessParams.ImagePathName.Buffer) -StructType ([String]) -UnicodeStringSize ($ProcessParams.ImagePathName.MaximumLength) }
- if ($ProcessParams.CommandLine.Buffer) { $CommandLine = Get-StructFromMemory -ProcId $ProcessId -MemoryAddress ($ProcessParams.CommandLine.Buffer) -StructType ([String]) -UnicodeStringSize ($ProcessParams.CommandLine.MaximumLength) }
- if ($ProcessParams.WindowTitle.Buffer) { $WindowTitle = Get-StructFromMemory -ProcId $ProcessId -MemoryAddress ($ProcessParams.WindowTitle.Buffer) -StructType ([String]) -UnicodeStringSize ($ProcessParams.WindowTitle.MaximumLength) }
- if ($ProcessParams.DesktopInfo.Buffer) { $DesktopInfo = Get-StructFromMemory -ProcId $ProcessId -MemoryAddress ($ProcessParams.DesktopInfo.Buffer) -StructType ([String]) -UnicodeStringSize ($ProcessParams.DesktopInfo.MaximumLength) }
- if ($ProcessParams.ShellInfo.Buffer) { $ShellInfo = Get-StructFromMemory -ProcId $ProcessId -MemoryAddress ($ProcessParams.ShellInfo.Buffer) -StructType ([String]) -UnicodeStringSize ($ProcessParams.ShellInfo.MaximumLength) }
- if ($ProcessParams.RuntimeData.Buffer) { $RuntimeData = Get-StructFromMemory -ProcId $ProcessId -MemoryAddress ($ProcessParams.RuntimeData.Buffer) -StructType ([String]) -UnicodeStringSize ($ProcessParams.RuntimeData.MaximumLength) }
-
- $ProcessParameters = @{
- MaximumLength = $ProcessParams.MaximumLength
- Length = $ProcessParams.Length
- Flags = $ProcessParams.Flags
- DebugFlags = $ProcessParams.DebugFlags
- ConsoleHandle = $ProcessParams.ConsoleHandle
- ConsoleFlags = $ProcessParams.ConsoleFlags
- StandardInput = $ProcessParams.StandardInput
- StandardOutput = $ProcessParams.StandardOutput
- StandardError = $ProcessParams.StandardError
- CurrentDirectory = $CurrentDirectory
- DllPath = $DllPath
- ImagePathName = $ImagePathName
- CommandLine = $CommandLine
- Environment = $ProcessParams.Environment
- StartingX = $ProcessParams.StartingX
- StartingY = $ProcessParams.StartingY
- CountX = $ProcessParams.CountX
- CountY = $ProcessParams.CountY
- CountCharsX = $ProcessParams.CountCharsX
- CountCharsY = $ProcessParams.CountCharsY
- FillAttribute = $ProcessParams.FillAttribute
- WindowFlags = $ProcessParams.WindowFlags
- ShowWindowFlags = $ProcessParams.ShowWindowFlags
- WindowTitle = $WindowTitle
- DesktopInfo = $DesktopInfo
- ShellInfo = $ShellInfo
- RuntimeData = $RuntimeData
- }
-
- $ProcessParamsParsed = New-Object PSObject -Property $ProcessParameters
- $ProcessParamsParsed.PSObject.TypeNames[0] = 'PEB.ProcessParameters'
-
- # Get custom objects for the PEB based upon OS version
- # First, build up the custom object with fields common amongst all versions of the PEB
- $CustomPEB = @{
- ProcessName = $Process.ProcessName
- ProcessId = $ProcessId
- InheritedAddressSpace = if($PEB.InheritedAddressSpace -eq 0){$False}else{$True}
- ReadImageFileExecOptions = if($PEB.ReadImageFileExecOptions -eq 0){$False}else{$True}
- BeingDebugged = if($PEB.BeingDebugged -eq 0){$False}else{$True}
- Mutant = $PEB.Mutant
- ImageBaseAddress = $PEB.ImageBaseAddress
- Ldr = Get-StructFromMemory -ProcId $ProcessId -MemoryAddress ($PEB.Ldr) -StructType ($LdrDataStruct)
- ProcessParameters = $ProcessParamsParsed
- SubSystemData = $PEB.SubSystemData
- ProcessHeap = $PEB.ProcessHeap
- FastPebLock = $PEB.FastPebLock
- SystemReserved = $PEB.SystemReserved
- AtlThunkSListPtr32 = $PEB.AtlThunkSListPtr32
- ApiSetMap = $PEB.ApiSetMap
- TlsExpansionCounter = $PEB.TlsExpansionCounter
- TlsBitmap = $PEB.TlsBitmap
- TlsBitmapBits = $PEB.TlsBitmapBits
- ReadOnlySharedMemoryBase = $PEB.ReadOnlySharedMemoryBase
- ReadOnlyStaticServerData = $PEB.ReadOnlyStaticServerData
- AnsiCodePageData = $PEB.AnsiCodePageData
- OemCodePageData = $PEB.OemCodePageData
- UnicodeCaseTableData = $PEB.UnicodeCaseTableData
- NumberOfProcessors = $PEB.NumberOfProcessors
- NtGlobalFlag = $PEB.NtGlobalFlag
- CriticalSectionTimeout = $PEB.CriticalSectionTimeout
- HeapSegmentReserve = $PEB.HeapSegmentReserve
- HeapSegmentCommit = $PEB.HeapSegmentCommit
- HeapDeCommitTotalFreeThreshold = $PEB.HeapDeCommitTotalFreeThreshold
- HeapDeCommitFreeBlockThreshold = $PEB.HeapDeCommitFreeBlockThreshold
- NumberOfHeaps = $PEB.NumberOfHeaps
- MaximumNumberOfHeaps = $PEB.MaximumNumberOfHeaps
- ProcessHeaps = $PEB.ProcessHeaps
- GdiSharedHandleTable = $PEB.GdiSharedHandleTable
- ProcessStarterHelper = $PEB.ProcessStarterHelper
- GdiDCAttributeList = $PEB.GdiDCAttributeList
- LoaderLock = $PEB.LoaderLock
- OSMajorVersion = $PEB.OSMajorVersion
- OSMinorVersion = $PEB.OSMinorVersion
- OSBuildNumber = $PEB.OSBuildNumber
- OSCSDVersion = $PEB.OSCSDVersion
- OSPlatformId = $PEB.OSPlatformId
- ImageSubsystem = $PEB.ImageSubsystem
- ImageSubsystemMajorVersion = $PEB.ImageSubsystemMajorVersion
- ImageSubsystemMinorVersion = $PEB.ImageSubsystemMinorVersion
- ActiveProcessAffinityMask = $PEB.ActiveProcessAffinityMask
- GdiHandleBuffer = $PEB.GdiHandleBuffer
- PostProcessInitRoutine = $PEB.PostProcessInitRoutine
- TlsExpansionBitmap = $PEB.TlsExpansionBitmap
- TlsExpansionBitmapBits = $PEB.TlsExpansionBitmapBits
- SessionId = $PEB.SessionId
- AppCompatFlags = $PEB.AppCompatFlags
- AppCompatFlagsUser = $PEB.AppCompatFlagsUser
- pShimData = $PEB.pShimData
- AppCompatInfo = $PEB.AppCompatInfo
- CSDVersion = Get-StructFromMemory -ProcId $ProcessId -MemoryAddress ($PEB.CSDVersion.Buffer) -StructType ([String]) -UnicodeStringSize ($PEB.CSDVersion.MaximumLength)
- ActivationContextData = $PEB.ActivationContextData
- ProcessAssemblyStorageMap = $PEB.ProcessAssemblyStorageMap
- SystemDefaultActivationContextData = $PEB.SystemDefaultActivationContextData
- SystemAssemblyStorageMap = $PEB.SystemAssemblyStorageMap
- MinimumStackCommit = $PEB.MinimumStackCommit
- }
-
- foreach ($j in 1..3)
- {
- switch ($j)
- {
- 1 { $OrderedModules = Get-StructFromMemory -ProcId $ProcessId -MemoryAddress ($CustomPEB['Ldr'].InLoadOrderModuleList.Flink) -StructType ($LdrModuleStruct) -LoadOrder 'InLoadOrderModuleList' }
- 2 { $OrderedModules = Get-StructFromMemory -ProcId $ProcessId -MemoryAddress ([IntPtr] ($CustomPEB['Ldr'].InMemoryOrderModuleList.Flink.ToInt64() - [Runtime.InteropServices.Marshal]::SizeOf([Type]$ListEntryStruct))) -StructType ($LdrModuleStruct) -LoadOrder 'InMemoryOrderModuleList' }
- 3 { $OrderedModules = Get-StructFromMemory -ProcId $ProcessId -MemoryAddress ([IntPtr] ($CustomPEB['Ldr'].InInitializationOrderModuleList.Flink.ToInt64() - (2 * [Runtime.InteropServices.Marshal]::SizeOf([Type]$ListEntryStruct)))) -StructType ($LdrModuleStruct) -LoadOrder 'InInitializationOrderModuleList' }
- }
-
- $ParsedOrderedModules = New-Object Hashtable[]($OrderedModules.Length)
- $Modules = New-Object PSObject[]($OrderedModules.Length)
-
- $i = 0
- foreach ($Module in $OrderedModules)
- {
- $ParsedOrderedModules[$i] = @{
- InLoadOrderModuleList = $Module.InLoadOrderModuleList
- InMemoryOrderModuleList = $Module.InMemoryOrderModuleList
- InInitializationOrderModuleList = $Module.InInitializationOrderModuleList
- BaseAddress = $Module.BaseAddress
- EntryPoint = $Module.EntryPoint
- SizeOfImage = $Module.SizeOfImage
- FullDllName = Get-StructFromMemory -ProcId $ProcessId -MemoryAddress ($Module.FullDllName.Buffer) -StructType ([String]) -UnicodeStringSize ($Module.FullDllName.MaximumLength)
- BaseDllName = Get-StructFromMemory -ProcId $ProcessId -MemoryAddress ($Module.BaseDllName.Buffer) -StructType ([String]) -UnicodeStringSize ($Module.BaseDllName.MaximumLength)
- PackagedBinary = if(($Module.Flags -band 1) -eq 0){$False}else{$True}
- MarkedForRemoval = if(($Module.Flags -band 2) -eq 0){$False}else{$True}
- ImageDll = if(($Module.Flags -band 4) -eq 0){$False}else{$True}
- LoadNotificationsSent = if(($Module.Flags -band 8) -eq 0){$False}else{$True}
- TelemetryEntryProcessed = if(($Module.Flags -band 16) -eq 0){$False}else{$True}
- ProcessStaticImport = if(($Module.Flags -band 32) -eq 0){$False}else{$True}
- InLegacyLists = if(($Module.Flags -band 64) -eq 0){$False}else{$True}
- InIndexes = if(($Module.Flags -band 128) -eq 0){$False}else{$True}
- ShimDll = if(($Module.Flags -band 256) -eq 0){$False}else{$True}
- InExceptionTable = if(($Module.Flags -band 512) -eq 0){$False}else{$True}
- LoadInProgress = if(($Module.Flags -band 4096) -eq 0){$False}else{$True}
- EntryProcessed = if(($Module.Flags -band 16384) -eq 0){$False}else{$True}
- DontCallForThreads = if(($Module.Flags -band 262144) -eq 0){$False}else{$True}
- ProcessAttachCalled = if(($Module.Flags -band 524288) -eq 0){$False}else{$True}
- ProcessAttachFailed = if(($Module.Flags -band 1048576) -eq 0){$False}else{$True}
- CorDeferredValidate = if(($Module.Flags -band 2097152) -eq 0){$False}else{$True}
- CorImage = if(($Module.Flags -band 4194304) -eq 0){$False}else{$True}
- DontRelocate = if(($Module.Flags -band 8388608) -eq 0){$False}else{$True}
- CorILOnly = if(($Module.Flags -band 16777216) -eq 0){$False}else{$True}
- Redirected = if(($Module.Flags -band 268435456) -eq 0){$False}else{$True}
- CompatDatabaseProcessed = if(($Module.Flags -band 2147483648) -eq 0){$False}else{$True}
- ObsoleteLoadCount = $Module.ObsoleteLoadCount
- TlsIndex = $Module.TlsIndex
- HashLinks = $Module.HashLinks
- TimeDateStamp = (New-Object DateTime(1970, 1, 1, 0, 0, 0)).AddSeconds($Module.TimeDateStamp)
- EntryPointActivationContext = $Module.EntryPointActivationContext
- PatchInformation = $Module.PatchInformation
- DdagNode = $Module.DdagNode
- NodeModuleLink = $Module.NodeModuleLink
- SnapContext = $Module.SnapContext
- ParentDllBase = $Module.ParentDllBase
- SwitchBackContext = $Module.SwitchBackContext
- BaseAddressIndexNode = $Module.BaseAddressIndexNode
- MappingInfoIndexNode = $Module.MappingInfoIndexNode
- OriginalBase = $Module.OriginalBase
- LoadTime = $Module.LoadTime
- BaseNameHashValue = $Module.BaseNameHashValue
- LoadReason = $Module.LoadReason
- }
-
- $CustomModuleObject = New-Object PSObject -Property $ParsedOrderedModules[$i]
- $CustomModuleObject.PSObject.TypeNames[0] = 'PEB.ModuleEntry'
- $Modules[$i] = $CustomModuleObject
-
- $i++
- }
-
- switch ($j)
- {
- 1 { $CustomPEB['InLoadOrderModuleList'] = $Modules }
- 2 { $CustomPEB['InMemoryOrderModuleList'] = $Modules }
- 3 { $CustomPEB['InInitializationOrderModuleList'] = $Modules }
- }
- }
-
- if ($NTDDI_VERSION -ge $NTDDI_VISTA)
- {
- $CustomPEB['ImageUsesLargePages'] = if(($PEB.BitField -band 1) -eq 0){$False}else{$True}
- $CustomPEB['IsProtectedProcess'] = if(($PEB.BitField -band 2) -eq 0){$False}else{$True}
- $CustomPEB['IsLegacyProcess'] = if(($PEB.BitField -band 4) -eq 0){$False}else{$True}
- $CustomPEB['IsImageDynamicallyRelocated'] = if(($PEB.BitField -band 8) -eq 0){$False}else{$True}
- $CustomPEB['SkipPatchingUser32Forwarders'] = if(($PEB.BitField -band 16) -eq 0){$False}else{$True}
- $CustomPEB['IsPackagedProcess'] = if(($PEB.BitField -band 32) -eq 0){$False}else{$True}
- $CustomPEB['IsAppContainer'] = if(($PEB.BitField -band 64) -eq 0){$False}else{$True}
- $CustomPEB['AtlThunkSListPtr'] = $PEB.AtlThunkSListPtr
- $CustomPEB['IFEOKey'] = $PEB.IFEOKey
- $CustomPEB['ProcessInJob'] = if(($PEB.CrossProcessFlags -band 1) -eq 0){$False}else{$True}
- $CustomPEB['ProcessInitializing'] = if(($PEB.CrossProcessFlags -band 2) -eq 0){$False}else{$True}
- $CustomPEB['ProcessUsingVEH'] = if(($PEB.CrossProcessFlags -band 4) -eq 0){$False}else{$True}
- $CustomPEB['ProcessUsingVCH'] = if(($PEB.CrossProcessFlags -band 8) -eq 0){$False}else{$True}
- $CustomPEB['ProcessUsingFTH'] = if(($PEB.CrossProcessFlags -band 16) -eq 0){$False}else{$True}
- $CustomPEB['KernelCallbackTable'] = $PEB.KernelCallbackTable
- $CustomPEB['HotpatchInformation'] = $PEB.HotpatchInformation
- $CustomPEB['FlsCallback'] = $PEB.FlsCallback
- $CustomPEB['FlsListHead'] = $PEB.FlsListHead
- $CustomPEB['FlsBitmap'] = $PEB.FlsBitmap
- $CustomPEB['FlsBitmapBits'] = $PEB.FlsBitmapBits
- $CustomPEB['FlsHighIndex'] = $PEB.FlsHighIndex
- $CustomPEB['WerRegistrationData'] = $PEB.WerRegistrationData
- $CustomPEB['WerShipAssertPtr'] = $PEB.WerShipAssertPtr
- $CustomPEB['pUnused'] = $PEB.pUnused
- $CustomPEB['pImageHeaderHash'] = $PEB.pImageHeaderHash
- $CustomPEB['HeapTracingEnabled'] = if(($PEB.TracingFlags -band 1) -eq 0){$False}else{$True}
- $CustomPEB['CritSecTracingEnabled'] = if(($PEB.TracingFlags -band 2) -eq 0){$False}else{$True}
- $CustomPEB['LibLoaderTracingEnabled'] = if(($PEB.TracingFlags -band 4) -eq 0){$False}else{$True}
- $CustomPEB['CsrServerReadOnlySharedMemoryBase'] = $PEB.CsrServerReadOnlySharedMemoryBase
- }
- elseif ($NTDDI_VERSION -ge $NTDDI_WS03)
- {
- $CustomPEB['ImageUsesLargePages'] = if(($PEB.BitField -band 1) -eq 0){$False}else{$True}
- $CustomPEB['AtlThunkSListPtr'] = $PEB.AtlThunkSListPtr
- $CustomPEB['SparePtr2'] = $PEB.SparePtr2
- $CustomPEB['EnvironmentUpdateCount'] = $PEB.EnvironmentUpdateCount
- $CustomPEB['KernelCallbackTable'] = $PEB.KernelCallbackTable
- $CustomPEB['ReadOnlySharedMemoryHeap'] = $PEB.ReadOnlySharedMemoryHeap
- $CustomPEB['FlsCallback'] = $PEB.FlsCallback
- $CustomPEB['FlsListHead'] = $PEB.FlsListHead
- $CustomPEB['FlsBitmap'] = $PEB.FlsBitmap
- $CustomPEB['FlsBitmapBits'] = $PEB.FlsBitmapBits
- $CustomPEB['FlsHighIndex'] = $PEB.FlsHighIndex
- }
- else
- {
- $CustomPEB['FastPebLockRoutine'] = $PEB.FastPebLockRoutine
- $CustomPEB['FastPebUnlockRoutine'] = $PEB.FastPebUnlockRoutine
- $CustomPEB['EnvironmentUpdateCount'] = $PEB.EnvironmentUpdateCount
- $CustomPEB['KernelCallbackTable'] = $PEB.KernelCallbackTable
- $CustomPEB['ReadOnlySharedMemoryHeap'] = $PEB.ReadOnlySharedMemoryHeap
- }
-
- $NewPEB = New-Object PSObject -Property $CustomPEB
-
- # _PEB will be interpreted by PowerShell depending upon the detected OS. This only applies if Get-PEB.format.ps1xml was loaded
- if ($NTDDI_VERSION -ge $NTDDI_VISTA)
- {
- $NewPEB.PSObject.TypeNames[0] = 'PEB.Vista'
- }
- elseif ($NTDDI_VERSION -ge $NTDDI_WS03)
- {
- $NewPEB.PSObject.TypeNames[0] = 'PEB.Server2003'
- }
- else
- {
- $NewPEB.PSObject.TypeNames[0] = 'PEB.XP'
- }
-
- $Handle = $null
-
- Write-Output $NewPEB
- }
- }
- }
-
- END{}
-
-}
diff --git a/ReverseEngineering/Get-Strings.ps1 b/ReverseEngineering/Get-Strings.ps1 deleted file mode 100644 index 2cb971c..0000000 --- a/ReverseEngineering/Get-Strings.ps1 +++ /dev/null @@ -1,98 +0,0 @@ -function Get-Strings
-{
-<#
-.SYNOPSIS
-
-Gets strings from a file.
-
-PowerSploit Function: Get-Strings
-Author: Matthew Graeber (@mattifestation)
-License: BSD 3-Clause
-Required Dependencies: None
-Optional Dependencies: None
-
-.DESCRIPTION
-
-The Get-Strings cmdlet returns strings (Unicode and/or Ascii) from a file. This cmdlet is useful for dumping strings from binary file and was designed to replicate the functionality of strings.exe from Sysinternals.
-
-.PARAMETER Path
-
-Specifies the path to an item.
-
-.PARAMETER Encoding
-
-Specifies the file encoding. The default value returns both Unicode and Ascii.
-
-.PARAMETER MinimumLength
-
-Specifies the minimum length string to return. The default string length is 3.
-
-.EXAMPLE
-
-C:\PS> Get-Strings C:\Windows\System32\calc.exe
-
-Description
------------
-Dump Unicode and Ascii strings of calc.exe.
-
-.EXAMPLE
-
-C:\PS> Get-ChildItem C:\Windows\System32\*.dll | Get-Strings -MinimumLength 12 -Encoding Ascii
-
-Description
------------
-Dumps Ascii strings of at least length 12 of every dll located in C:\Windows\System32.
-
-.NOTES
-
-This cmdlet was designed to intentionally use only PowerShell cmdlets (no .NET methods) in order to be compatible with PowerShell on Windows RT (or any ConstrainedLanguage runspace).
-
-.LINK
-
-http://www.exploit-monday.com
-#>
-
- Param
- (
- [Parameter(Position = 1, Mandatory = $True, ValueFromPipelineByPropertyName = $True)]
- [ValidateNotNullOrEmpty()]
- [ValidateScript({Test-Path $_ -PathType 'Leaf'})]
- [String[]]
- [Alias('PSPath')]
- $Path,
-
- [ValidateSet('Default','Ascii','Unicode')]
- [String]
- $Encoding = 'Default',
-
- [UInt32]
- $MinimumLength = 3
- )
-
- BEGIN
- {
- $FileContents = ''
- }
- PROCESS
- {
- foreach ($File in $Path)
- {
- if ($Encoding -eq 'Unicode' -or $Encoding -eq 'Default')
- {
- $UnicodeFileContents = Get-Content -Encoding 'Unicode' $File
- $UnicodeRegex = [Regex] "[\u0020-\u007E]{$MinimumLength,}"
- $Results += $UnicodeRegex.Matches($UnicodeFileContents)
- }
-
- if ($Encoding -eq 'Ascii' -or $Encoding -eq 'Default')
- {
- $AsciiFileContents = Get-Content -Encoding 'UTF7' $File
- $AsciiRegex = [Regex] "[\x20-\x7E]{$MinimumLength,}"
- $Results = $AsciiRegex.Matches($AsciiFileContents)
- }
-
- $Results | ForEach-Object { Write-Output $_.Value }
- }
- }
- END {}
-}
diff --git a/ReverseEngineering/Get-StructFromMemory.ps1 b/ReverseEngineering/Get-StructFromMemory.ps1 deleted file mode 100644 index 68f7651..0000000 --- a/ReverseEngineering/Get-StructFromMemory.ps1 +++ /dev/null @@ -1,203 +0,0 @@ -function Get-StructFromMemory
-{
-<#
-.SYNOPSIS
-
-Marshals data from an unmanaged block of memory in an arbitrary process to a newly allocated managed object of the specified type.
-
-PowerSploit Function: Get-StructFromMemory
-Author: Matthew Graeber (@mattifestation)
-License: BSD 3-Clause
-Required Dependencies: None
-Optional Dependencies: None
-
-.DESCRIPTION
-
-Get-StructFromMemory is similar to the Marshal.PtrToStructure method but will parse and return a structure from any process.
-
-.PARAMETER Id
-
-Process ID of the process whose virtual memory space you want to access.
-
-.PARAMETER MemoryAddress
-
-The address containing the structure to be parsed.
-
-.PARAMETER StructType
-
-The type (System.Type) of the desired structure to be parsed.
-
-.EXAMPLE
-
-C:\PS> Get-Process | ForEach-Object { Get-StructFromMemory -Id $_.Id -MemoryAddress $_.MainModule.BaseAddress -StructType ([PE+_IMAGE_DOS_HEADER]) }
-
-Description
------------
-Parses the DOS headers of every loaded process. Note: In this example, this assumes that [PE+_IMAGE_DOS_HEADER] is defined. You can get the code to define [PE+_IMAGE_DOS_HEADER] here: http://www.exploit-monday.com/2012/07/structs-and-enums-using-reflection.html
-
-.NOTES
-
-Be sure to enclose the StructType parameter with parenthesis in order to force PowerShell to cast it as a Type object.
-
-Get-StructFromMemory does a good job with error handling however it will crash if the structure contains fields that attempt to marshal pointers. For example, if a field has a custom attribute of UnmanagedType.LPStr, when the structure is parsed, it will attempt to dererence a string pointer for virtual memory in another process and access violate.
-
-.LINK
-
-http://www.exploit-monday.com
-#>
-
- [CmdletBinding()] Param (
- [Parameter(Position = 0, Mandatory = $True)]
- [Alias('ProcessId')]
- [Alias('PID')]
- [UInt16]
- $Id,
-
- [Parameter(Position = 1, Mandatory = $True)]
- [IntPtr]
- $MemoryAddress,
-
- [Parameter(Position = 2, Mandatory = $True)]
- [Alias('Type')]
- [Type]
- $StructType
- )
-
- Set-StrictMode -Version 2
-
- $PROCESS_VM_READ = 0x0010 # The process permissions we'l ask for when getting a handle to the process
-
- # Get a reference to the private GetProcessHandle method is System.Diagnostics.Process
- $GetProcessHandle = [Diagnostics.Process].GetMethod('GetProcessHandle', [Reflection.BindingFlags] 'NonPublic, Instance', $null, @([Int]), $null)
-
- try
- {
- # Make sure user didn't pass in a non-existent PID
- $Process = Get-Process -Id $Id -ErrorVariable GetProcessError
- # Get the default process handle
- $Handle = $Process.Handle
- }
- catch [Exception]
- {
- throw $GetProcessError
- }
-
- if ($Handle -eq $null)
- {
- throw "Unable to obtain a handle for PID $Id. You will likely need to run this script elevated."
- }
-
- # Get a reference to MEMORY_BASIC_INFORMATION. I don't feel like making the structure myself
- $mscorlib = [AppDomain]::CurrentDomain.GetAssemblies() | ? { $_.FullName.Split(',')[0].ToLower() -eq 'mscorlib' }
- $Win32Native = $mscorlib.GetTypes() | ? { $_.FullName -eq 'Microsoft.Win32.Win32Native' }
- $MEMORY_BASIC_INFORMATION = $Win32Native.GetNestedType('MEMORY_BASIC_INFORMATION', [Reflection.BindingFlags] 'NonPublic')
-
- if ($MEMORY_BASIC_INFORMATION -eq $null)
- {
- throw 'Unable to get a reference to the MEMORY_BASIC_INFORMATION structure.'
- }
-
- # Get references to private fields in MEMORY_BASIC_INFORMATION
- $ProtectField = $MEMORY_BASIC_INFORMATION.GetField('Protect', [Reflection.BindingFlags] 'NonPublic, Instance')
- $AllocationBaseField = $MEMORY_BASIC_INFORMATION.GetField('BaseAddress', [Reflection.BindingFlags] 'NonPublic, Instance')
- $RegionSizeField = $MEMORY_BASIC_INFORMATION.GetField('RegionSize', [Reflection.BindingFlags] 'NonPublic, Instance')
-
- try { $NativeUtils = [NativeUtils] } catch [Management.Automation.RuntimeException] # Only build the assembly if it hasn't already been defined
- {
- # Build dynamic assembly in order to use P/Invoke for interacting with the following Win32 functions: ReadProcessMemory, VirtualQueryEx
- $DynAssembly = New-Object Reflection.AssemblyName('MemHacker')
- $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly($DynAssembly, [Reflection.Emit.AssemblyBuilderAccess]::Run)
- $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule('MemHacker', $False)
- $Attributes = 'AutoLayout, AnsiClass, Class, Public, SequentialLayout, Sealed, BeforeFieldInit'
- $TypeBuilder = $ModuleBuilder.DefineType('NativeUtils', $Attributes, [ValueType])
- $TypeBuilder.DefinePInvokeMethod('ReadProcessMemory', 'kernel32.dll', [Reflection.MethodAttributes] 'Public, Static', [Reflection.CallingConventions]::Standard, [Bool], @([IntPtr], [IntPtr], [IntPtr], [UInt32], [UInt32].MakeByRefType()), [Runtime.InteropServices.CallingConvention]::Winapi, 'Auto') | Out-Null
- $TypeBuilder.DefinePInvokeMethod('VirtualQueryEx', 'kernel32.dll', [Reflection.MethodAttributes] 'Public, Static', [Reflection.CallingConventions]::Standard, [UInt32], @([IntPtr], [IntPtr], $MEMORY_BASIC_INFORMATION.MakeByRefType(), [UInt32]), [Runtime.InteropServices.CallingConvention]::Winapi, 'Auto') | Out-Null
-
- $NativeUtils = $TypeBuilder.CreateType()
- }
-
- # Request a handle to the process in interest
- try
- {
- $SafeHandle = $GetProcessHandle.Invoke($Process, @($PROCESS_VM_READ))
- $Handle = $SafeHandle.DangerousGetHandle()
- }
- catch
- {
- throw $Error[0]
- }
-
- # Create an instance of MEMORY_BASIC_INFORMATION
- $MemoryBasicInformation = [Activator]::CreateInstance($MEMORY_BASIC_INFORMATION)
-
- # Confirm you can actually read the address you're interested in
- $NativeUtils::VirtualQueryEx($Handle, $MemoryAddress, [Ref] $MemoryBasicInformation, [Runtime.InteropServices.Marshal]::SizeOf([Type] $MEMORY_BASIC_INFORMATION)) | Out-Null
-
- $PAGE_EXECUTE_READ = 0x20
- $PAGE_EXECUTE_READWRITE = 0x40
- $PAGE_READONLY = 2
- $PAGE_READWRITE = 4
-
- $Protection = $ProtectField.GetValue($MemoryBasicInformation)
- $AllocationBaseOriginal = $AllocationBaseField.GetValue($MemoryBasicInformation)
- $GetPointerValue = $AllocationBaseOriginal.GetType().GetMethod('GetPointerValue', [Reflection.BindingFlags] 'NonPublic, Instance')
- $AllocationBase = $GetPointerValue.Invoke($AllocationBaseOriginal, $null).ToInt64()
- $RegionSize = $RegionSizeField.GetValue($MemoryBasicInformation).ToUInt64()
-
- Write-Verbose "Protection: $Protection"
- Write-Verbose "AllocationBase: $AllocationBase"
- Write-Verbose "RegionSize: $RegionSize"
-
- if (($Protection -ne $PAGE_READONLY) -and ($Protection -ne $PAGE_READWRITE) -and ($Protection -ne $PAGE_EXECUTE_READ) -and ($Protection -ne $PAGE_EXECUTE_READWRITE))
- {
- $SafeHandle.Close()
- throw 'The address specified does not have read access.'
- }
-
- $StructSize = [Runtime.InteropServices.Marshal]::SizeOf([Type] $StructType)
- $EndOfAllocation = $AllocationBase + $RegionSize
- $EndOfStruct = $MemoryAddress.ToInt64() + $StructSize
-
- if ($EndOfStruct -gt $EndOfAllocation)
- {
- $SafeHandle.Close()
- throw 'You are attempting to read beyond what was allocated.'
- }
-
- try
- {
- # Allocate unmanaged memory. This will be used to store the memory read from ReadProcessMemory
- $LocalStructPtr = [Runtime.InteropServices.Marshal]::AllocHGlobal($StructSize)
- }
- catch [OutOfMemoryException]
- {
- throw Error[0]
- }
-
- Write-Verbose "Memory allocated at 0x$($LocalStructPtr.ToString("X$([IntPtr]::Size * 2)"))"
-
- # Zero out the memory that was just allocated. According to MSDN documentation:
- # "When AllocHGlobal calls LocalAlloc, it passes a LMEM_FIXED flag, which causes the allocated memory to be locked in place. Also, the allocated memory is not zero-filled."
- # http://msdn.microsoft.com/en-us/library/s69bkh17.aspx
- $ZeroBytes = New-Object Byte[]($StructSize)
- [Runtime.InteropServices.Marshal]::Copy($ZeroBytes, 0, $LocalStructPtr, $StructSize)
-
- $BytesRead = [UInt32] 0
-
- if ($NativeUtils::ReadProcessMemory($Handle, $MemoryAddress, $LocalStructPtr, $StructSize, [Ref] $BytesRead))
- {
- $SafeHandle.Close()
- [Runtime.InteropServices.Marshal]::FreeHGlobal($LocalStructPtr)
- throw ([ComponentModel.Win32Exception][Runtime.InteropServices.Marshal]::GetLastWin32Error())
- }
-
- Write-Verbose "Struct Size: $StructSize"
- Write-Verbose "Bytes read: $BytesRead"
-
- $ParsedStruct = [Runtime.InteropServices.Marshal]::PtrToStructure($LocalStructPtr, [Type] $StructType)
-
- [Runtime.InteropServices.Marshal]::FreeHGlobal($LocalStructPtr)
- $SafeHandle.Close()
-
- Write-Output $ParsedStruct
-}
diff --git a/ReverseEngineering/ProcessModuleTrace.format.ps1xml b/ReverseEngineering/ProcessModuleTrace.format.ps1xml deleted file mode 100644 index ffb6761..0000000 --- a/ReverseEngineering/ProcessModuleTrace.format.ps1xml +++ /dev/null @@ -1,36 +0,0 @@ -<?xml version="1.0" encoding="utf-8" ?> -<Configuration> - <ViewDefinitions> - <View> - <Name>ProcessModuleTraceView</Name> - <ViewSelectedBy> - <TypeName>LOADED_MODULE</TypeName> - </ViewSelectedBy> - <ListControl> - <ListEntries> - <ListEntry> - <ListItems> - <ListItem> - <PropertyName>TimeCreated</PropertyName> - </ListItem> - <ListItem> - <PropertyName>ProcessId</PropertyName> - </ListItem> - <ListItem> - <PropertyName>FileName</PropertyName> - </ListItem> - <ListItem> - <Label>ImageBase</Label> - <ScriptBlock>"0x$($_.ImageBase.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock> - </ListItem> - <ListItem> - <PropertyName>ImageSize</PropertyName> - <FormatString>0x{0:X8}</FormatString> - </ListItem> - </ListItems> - </ListEntry> - </ListEntries> - </ListControl> - </View> - </ViewDefinitions> -</Configuration> diff --git a/ReverseEngineering/ProcessModuleTrace.ps1 b/ReverseEngineering/ProcessModuleTrace.ps1 deleted file mode 100644 index 85f7105..0000000 --- a/ReverseEngineering/ProcessModuleTrace.ps1 +++ /dev/null @@ -1,103 +0,0 @@ -function Register-ProcessModuleTrace -{ -<# -.SYNOPSIS - - Starts a trace of loaded process modules - - PowerSploit Function: Register-ProcessModuleTrace - Author: Matthew Graeber (@mattifestation) - License: BSD 3-Clause - Required Dependencies: None - Optional Dependencies: None - -.OUTPUTS - - System.Management.Automation.PSEventJob - - If desired, you can manipulate the event returned with the *-Event cmdlets. - -.LINK - - http://www.exploit-monday.com/ -#> - - [CmdletBinding()] Param () - - if (-not ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] 'Administrator')) - { - throw 'You must run this cmdlet from an elevated PowerShell session.' - } - - $ModuleLoadedAction = { - $Event = $EventArgs.NewEvent - - $ModuleInfo = @{ - TimeCreated = [DateTime]::FromFileTime($Event.TIME_CREATED) - ProcessId = $Event.ProcessId - FileName = $Event.FileName - ImageBase = $Event.ImageBase - ImageSize = $Event.ImageSize - } - - $ModuleObject = New-Object PSObject -Property $ModuleInfo - $ModuleObject.PSObject.TypeNames[0] = 'LOADED_MODULE' - - $ModuleObject - } - - Register-WmiEvent 'Win32_ModuleLoadTrace' -SourceIdentifier 'ModuleLoaded' -Action $ModuleLoadedAction -} - -function Get-ProcessModuleTrace -{ -<# -.SYNOPSIS - - Displays the process modules that have been loaded since the call to Register-ProcessModuleTrace - - PowerSploit Function: Get-ProcessModuleTrace - Author: Matthew Graeber (@mattifestation) - License: BSD 3-Clause - Required Dependencies: Register-ProcessModuleTrace - Optional Dependencies: None - -.OUTPUTS - - PSObject - -.LINK - - http://www.exploit-monday.com/ -#> - - $Events = Get-EventSubscriber -SourceIdentifier 'ModuleLoaded' -ErrorVariable NoEventRegistered -ErrorAction SilentlyContinue - - if ($NoEventRegistered) - { - throw 'You must execute Register-ProcessModuleTrace before you can retrieve a loaded module list' - } - - $Events.Action.Output -} - -function Unregister-ProcessModuleTrace -{ -<# -.SYNOPSIS - - Stops the running process module trace - - PowerSploit Function: Unregister-ProcessModuleTrace - Author: Matthew Graeber (@mattifestation) - License: BSD 3-Clause - Required Dependencies: Register-ProcessModuleTrace - Optional Dependencies: None - -.LINK - - http://www.exploit-monday.com/ -#> - - Unregister-Event -SourceIdentifier 'ModuleLoaded' -} diff --git a/ReverseEngineering/ReverseEngineering.psd1 b/ReverseEngineering/ReverseEngineering.psd1 deleted file mode 100644 index 90eec8e..0000000 --- a/ReverseEngineering/ReverseEngineering.psd1 +++ /dev/null @@ -1,91 +0,0 @@ -@{
-
-# Script module or binary module file associated with this manifest.
-ModuleToProcess = 'ReverseEngineering.psm1'
-
-# Version number of this module.
-ModuleVersion = '1.0.0.0'
-
-# ID used to uniquely identify this module
-GUID = 'cbffaf47-c55a-4901-92e7-8d794fbe1fff'
-
-# Author of this module
-Author = 'Matthew Graeber'
-
-# Company or vendor of this module
-CompanyName = ''
-
-# Copyright statement for this module
-Copyright = 'BSD 3-Clause'
-
-# Description of the functionality provided by this module
-Description = 'PowerSploit Reverse Engineering Module'
-
-# Minimum version of the Windows PowerShell engine required by this module
-PowerShellVersion = '2.0'
-
-# Name of the Windows PowerShell host required by this module
-# PowerShellHostName = ''
-
-# Minimum version of the Windows PowerShell host required by this module
-# PowerShellHostVersion = ''
-
-# Minimum version of the .NET Framework required by this module
-# DotNetFrameworkVersion = ''
-
-# Minimum version of the common language runtime (CLR) required by this module
-# CLRVersion = ''
-
-# Processor architecture (None, X86, Amd64) required by this module
-# ProcessorArchitecture = ''
-
-# Modules that must be imported into the global environment prior to importing this module
-# RequiredModules = @()
-
-# Assemblies that must be loaded prior to importing this module
-# RequiredAssemblies = @()
-
-# Script files (.ps1) that are run in the caller's environment prior to importing this module.
-# ScriptsToProcess = ''
-
-# Type files (.ps1xml) to be loaded when importing this module
-# TypesToProcess = @()
-
-# Format files (.ps1xml) to be loaded when importing this module
-FormatsToProcess = 'Get-PEB.format.ps1xml', 'Get-NtSystemInformation.format.ps1xml', 'Get-ILDisassembly.format.ps1xml', 'ProcessModuleTrace.format.ps1xml'
-
-# Modules to import as nested modules of the module specified in RootModule/ModuleToProcess
-# NestedModules = @()
-
-# Functions to export from this module
-FunctionsToExport = '*'
-
-# Cmdlets to export from this module
-CmdletsToExport = '*'
-
-# Variables to export from this module
-VariablesToExport = ''
-
-# Aliases to export from this module
-AliasesToExport = ''
-
-# List of all modules packaged with this module.
-ModuleList = @(@{ModuleName = 'ReverseEngineering'; ModuleVersion = '1.0.0.0'; GUID = 'cbffaf47-c55a-4901-92e7-8d794fbe1fff'})
-
-# List of all files packaged with this module
-FileList = 'ReverseEngineering.psm1', 'ReverseEngineering.psd1', 'Get-ILDisassembly.ps1', 'Get-NtSystemInformation.format.ps1xml',
- 'Get-NtSystemInformation.ps1', 'Get-Member.ps1', 'Get-MethodAddress.ps1', 'Get-PEB.format.ps1xml',
- 'Get-PEB.ps1', 'Get-Strings.ps1', 'Get-StructFromMemory.ps1', 'ConvertTo-String.ps1',
- 'Get-Entropy.ps1', 'Get-ILDisassembly.format.ps1xml', 'ProcessModuleTrace.ps1', 'Usage.md'
-
-# Private data to pass to the module specified in RootModule/ModuleToProcess
-# PrivateData = ''
-
-# HelpInfo URI of this module
-# HelpInfoURI = ''
-
-# Default prefix for commands exported from this module. Override the default prefix using Import-Module -Prefix.
-# DefaultCommandPrefix = ''
-
-}
-
diff --git a/ReverseEngineering/ReverseEngineering.psm1 b/ReverseEngineering/ReverseEngineering.psm1 deleted file mode 100644 index 81d3818..0000000 --- a/ReverseEngineering/ReverseEngineering.psm1 +++ /dev/null @@ -1 +0,0 @@ -Get-ChildItem (Join-Path $PSScriptRoot *.ps1) | % { . $_.FullName} diff --git a/ReverseEngineering/Usage.md b/ReverseEngineering/Usage.md deleted file mode 100644 index 33b4ac4..0000000 --- a/ReverseEngineering/Usage.md +++ /dev/null @@ -1,12 +0,0 @@ -To install this module, drop the entire ReverseEngineering folder into one of your module directories. The default PowerShell module paths are listed in the $Env:PSModulePath environment variable.
-
-The default per-user module path is: "$Env:HomeDrive$Env:HOMEPATH\Documents\WindowsPowerShell\Modules"
-The default computer-level module path is: "$Env:windir\System32\WindowsPowerShell\v1.0\Modules"
-
-To use the module, type `Import-Module ReverseEngineering`
-
-To see the commands imported, type `Get-Command -Module ReverseEngineering`
-
-For help on each individual command, Get-Help is your friend.
-
-Note: The tools contained within this module were all designed such that they can be run individually. Including them in a module simply lends itself to increased portability.
\ No newline at end of file |