diff options
| -rw-r--r-- | README | 4 | ||||
| -rw-r--r-- | RE_Tools/Get-KernelModuleInfo.format.ps1xml | 83 | ||||
| -rw-r--r-- | RE_Tools/Get-KernelModuleInfo.ps1 | 200 |
3 files changed, 287 insertions, 0 deletions
@@ -60,6 +60,10 @@ Get-ILDisassembly: Disassembles a raw MSIL byte array passed in from a MethodInfo object in a manner similar to that of Ildasm.
+Get-KernelModuleInfo:
+
+ Returns loaded kernel module information.
+
Get-Member:
A proxy function used to extend the built-in Get-Member cmdlet. It adds the '-Private' parameter allowing you to display non-public .NET members
diff --git a/RE_Tools/Get-KernelModuleInfo.format.ps1xml b/RE_Tools/Get-KernelModuleInfo.format.ps1xml new file mode 100644 index 0000000..3e3f347 --- /dev/null +++ b/RE_Tools/Get-KernelModuleInfo.format.ps1xml @@ -0,0 +1,83 @@ +<?xml version="1.0" encoding="utf-8" ?>
+<Configuration>
+ <DefaultSettings>
+ <EnumerableExpansions>
+ <EnumerableExpansion>
+ <Expand>Both</Expand>
+ </EnumerableExpansion>
+ </EnumerableExpansions>
+ </DefaultSettings>
+ <ViewDefinitions>
+ <View>
+ <Name>SystemModuleView</Name>
+ <ViewSelectedBy>
+ <TypeName>SystemInformation.SYSTEM_MODULE</TypeName>
+ </ViewSelectedBy>
+ <TableControl>
+ <AutoSize/>
+ <TableHeaders>
+ <TableColumnHeader>
+ <Label>ImageBaseAddress</Label>
+ </TableColumnHeader>
+ <TableColumnHeader>
+ <Label>ImageSize</Label>
+ </TableColumnHeader>
+ <TableColumnHeader>
+ <Label>Flags</Label>
+ </TableColumnHeader>
+ <TableColumnHeader>
+ <Label>Id</Label>
+ </TableColumnHeader>
+ <TableColumnHeader>
+ <Label>Rank</Label>
+ </TableColumnHeader>
+ <TableColumnHeader>
+ <Label>W018</Label>
+ </TableColumnHeader>
+ <TableColumnHeader>
+ <Label>NameOffset</Label>
+ </TableColumnHeader>
+ <TableColumnHeader>
+ <Label>Name</Label>
+ </TableColumnHeader>
+ </TableHeaders>
+ <TableRowEntries>
+ <TableRowEntry>
+ <TableColumnItems>
+ <TableColumnItem>
+ <ScriptBlock>"0x$($_.ImageBaseAddress.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
+ </TableColumnItem>
+ <TableColumnItem>
+ <PropertyName>ImageSize</PropertyName>
+ <FormatString>0x{0:X8}</FormatString>
+ </TableColumnItem>
+ <TableColumnItem>
+ <PropertyName>Flags</PropertyName>
+ <FormatString>0x{0:X8}</FormatString>
+ </TableColumnItem>
+ <TableColumnItem>
+ <PropertyName>Id</PropertyName>
+ <FormatString>0x{0:X4}</FormatString>
+ </TableColumnItem>
+ <TableColumnItem>
+ <PropertyName>Rank</PropertyName>
+ <FormatString>0x{0:X4}</FormatString>
+ </TableColumnItem>
+ <TableColumnItem>
+ <PropertyName>w018</PropertyName>
+ <FormatString>0x{0:X4}</FormatString>
+ </TableColumnItem>
+ <TableColumnItem>
+ <PropertyName>NameOffset</PropertyName>
+ <FormatString>0x{0:X4}</FormatString>
+ </TableColumnItem>
+ <TableColumnItem>
+ <PropertyName>Name</PropertyName>
+ </TableColumnItem>
+ </TableColumnItems>
+ </TableRowEntry>
+ </TableRowEntries>
+ </TableControl>
+ </View>
+ </ViewDefinitions>
+</Configuration>
\ No newline at end of file diff --git a/RE_Tools/Get-KernelModuleInfo.ps1 b/RE_Tools/Get-KernelModuleInfo.ps1 new file mode 100644 index 0000000..3cdc98a --- /dev/null +++ b/RE_Tools/Get-KernelModuleInfo.ps1 @@ -0,0 +1,200 @@ +function Get-KernelModuleInfo
+{
+<#
+.SYNOPSIS
+
+Returns loaded kernel module information.
+
+PowerSploit Module - Get-KernelModuleInfo
+Author: Matthew Graeber (@mattifestation)
+License: BSD 3-Clause
+
+.DESCRIPTION
+
+Get-KernelModuleInfo wraps NtQuerySystemInformation and returns loaded kernel module information. Get-KernelModuleInfo works on both x86 and x86_64 platforms.
+
+.EXAMPLE
+
+C:\PS> Get-KernelModuleInfo
+
+ImageBaseAddress ImageSize Flags Id Rank W018 NameOffset Name
+---------------- --------- ----- -- ---- ---- ---------- ----
+0xFFFFF800FF200000 0x00749000 0x08804000 0x0000 0x0000 0x0083 0x0015 C:\Windows\system32\ntoskrnl.exe
+0xFFFFF800FF949000 0x0006C000 0x08804000 0x0001 0x0000 0x0027 0x0015 C:\Windows\system32\hal.dll
+0xFFFFF88000C93000 0x0005F000 0x09104000 0x0003 0x0000 0x0001 0x0015 C:\Windows\system32\mcupdate_GenuineIntel.dll
+0xFFFFF88000D71000 0x00015000 0x0D104000 0x0006 0x0000 0x0003 0x0015 C:\Windows\system32\PSHED.dll
+0xFFFFF8800101A000 0x000C2000 0x09104000 0x000A 0x0000 0x0001 0x001D C:\Windows\system32\drivers\Wdf01000.sys
+0xFFFFF8800117B000 0x0000A000 0x0D104000 0x000F 0x0000 0x0011 0x001D C:\Windows\System32\drivers\WMILIB.SYS
+0xFFFFF88000F5C000 0x00017000 0x09104000 0x0015 0x0000 0x0001 0x001D C:\Windows\system32\drivers\pdc.sys
+0xFFFFF880011CC000 0x0001A000 0x09104000 0x001C 0x0000 0x0001 0x001D C:\Windows\System32\drivers\mountmgr.sys
+0xFFFFF88001600000 0x0001B000 0x09104000 0x0024 0x0000 0x0015 0x001D C:\Windows\System32\Drivers\ksecdd.sys
+0xFFFFF88001C00000 0x00076000 0x09104000 0x002D 0x0000 0x0001 0x001D C:\Windows\System32\DRIVERS\fvevol.sys
+0xFFFFF88003CCD000 0x0000E000 0x4D104000 0x0042 0x0000 0x0007 0x001D C:\Windows\system32\DRIVERS\TDI.SYS
+0xFFFFF88004200000 0x0001E000 0x49104000 0x005B 0x0000 0x0001 0x001D C:\Windows\system32\DRIVERS\rassstp.sys
+0xFFFFF88005400000 0x0007B000 0x4D104000 0x0069 0x0000 0x0001 0x001D C:\Windows\System32\drivers\USBPORT.SYS
+0xFFFFF88006598000 0x0000A000 0x49104000 0x0078 0x0000 0x0001 0x001D C:\Windows\System32\drivers\wmiacpi.sys
+0xFFFFF880069EB000 0x0000D000 0x49104000 0x0088 0x0000 0x0002 0x001D C:\Windows\System32\Drivers\dump_diskdump.sys
+0xFFFFF88019542000 0x0004B000 0x49104000 0x0099 0x0000 0x0001 0x001D C:\Windows\system32\DRIVERS\mrxsmb10.sys
+0xFFFFF880194C7000 0x0000B000 0x49104000 0x00AB 0x0000 0x0001 0x001D C:\Windows\System32\drivers\WpdUpFltr.sys
+
+.NOTES
+
+To display the output as seen in the example, ensure that Get-KernelModuleInfo.format.ps1xml resides in the same directory as Get-KernelModuleInfo.ps1.
+
+.LINK
+
+http://www.exploit-monday.com/
+#>
+
+ # Load custom object formatting views
+ $FormatPath = Join-Path $PSScriptRoot Get-KernelModuleInfo.format.ps1xml
+ # Don't load format ps1xml if it doesn't live in the same folder as this script
+ if (Test-Path $FormatPath)
+ {
+ Update-FormatData -PrependPath (Join-Path $PSScriptRoot Get-KernelModuleInfo.format.ps1xml)
+ }
+
+ $PinvokeCode = @"
+ using System;
+ using System.Runtime.InteropServices;
+
+ public class Ntdll
+ {
+ [Flags]
+ public enum _SYSTEM_INFORMATION_CLASS : uint
+ {
+ SystemModuleInformation = 11,
+ SystemHandleInformation = 16
+ }
+
+ [StructLayout(LayoutKind.Sequential, Pack=1)]
+ public struct _SYSTEM_MODULE32
+ {
+ public ushort Reserved1;
+ public ushort Reserved2;
+ public uint ImageBaseAddress;
+ public uint ImageSize;
+ public uint Flags;
+ public ushort Id;
+ public ushort Rank;
+ public ushort w018;
+ public ushort NameOffset;
+ [MarshalAsAttribute(UnmanagedType.ByValArray, SizeConst=256)]
+ public byte[] Name;
+ }
+
+ [StructLayout(LayoutKind.Sequential, Pack=1)]
+ public struct _SYSTEM_MODULE64
+ {
+ public uint Reserved1;
+ public uint Reserved2;
+ public ulong ImageBaseAddress;
+ public uint ImageSize;
+ public uint Flags;
+ public ushort Id;
+ public ushort Rank;
+ public ushort w018;
+ public ushort NameOffset;
+ [MarshalAsAttribute(UnmanagedType.ByValArray, SizeConst=256)]
+ public byte[] Name;
+ }
+
+ [StructLayout(LayoutKind.Sequential, Pack=1)]
+ public struct _SYSTEM_MODULE_INFORMATION
+ {
+ public uint ModulesCount;
+ }
+
+ [DllImport("ntdll.dll", CharSet=CharSet.Auto, SetLastError=true)]
+ public static extern uint NtQuerySystemInformation(uint InfoType, IntPtr lpStructure, uint StructSize, ref uint returnLength);
+ }
+"@
+
+ # Returns a string from a byte array
+ function Local:Get-String([Byte[]] $Bytes)
+ {
+ $Char = $Bytes[0]
+ $StringArray = New-Object Byte[](0)
+
+ for ($i = 0; $Char -ne 0; $i++)
+ {
+ $StringArray += $Char; $Char = $Bytes[$i]
+ }
+
+ Write-Output (($StringArray | % {[Char] $_}) -join '')
+ }
+
+ $CompilerParams = New-Object System.CodeDom.Compiler.CompilerParameters
+ $CompilerParams.ReferencedAssemblies.AddRange(@("System.dll", [PsObject].Assembly.Location))
+ $CompilerParams.GenerateInMemory = $True
+ try { Add-Type -TypeDefinition $PinvokeCode -CompilerParameters $CompilerParams -PassThru | Out-Null } catch {}
+
+ # $TotalLength represents the total size of the returned structures. This will be used to allocate sufficient memory to store each returned structure.
+ $TotalLength = 0
+
+ # Call NtQuerySystemInformation first to get the total size of the structures to be returned.
+ [Ntdll]::NtQuerySystemInformation([Ntdll+_SYSTEM_INFORMATION_CLASS]::SystemModuleInformation, [IntPtr]::Zero, 0, [Ref] $TotalLength) | Out-Null
+
+ $PtrSystemInformation = [Runtime.InteropServices.Marshal]::AllocHGlobal($TotalLength)
+
+ $Result = [Ntdll]::NtQuerySystemInformation([Ntdll+_SYSTEM_INFORMATION_CLASS]::SystemModuleInformation, $PtrSystemInformation, $TotalLength, [Ref] 0)
+
+ if ($Result -ne 0)
+ {
+ Throw "An error occured. (NTSTATUS: 0x$($Result.ToString('X8')))"
+ }
+
+ if ([IntPtr]::Size -eq 8)
+ {
+ $SystemModuleType = [Ntdll+_SYSTEM_MODULE64]
+ $StructSize = 296
+ $PtrModule = [IntPtr]($PtrSystemInformation.ToInt64() + 16)
+ }
+ else
+ {
+ $SystemModuleType = [Ntdll+_SYSTEM_MODULE32]
+ $StructSize = 284
+ $PtrModule = [IntPtr]($PtrSystemInformation.ToInt64() + 8)
+ }
+
+ $i = 0
+ $AnotherModule = $True
+
+ # Loop through all the returned _SYSTEM_MODULE structs
+ while ($AnotherModule) {
+ # Move pointer to the next structure
+ $PtrModule = [IntPtr] ($PtrModule.ToInt64() + ($i * $StructSize))
+ # Cast the next struct in memory to type _SYSTEM_MODULE[32|64]
+ $SystemModule = [Runtime.InteropServices.Marshal]::PtrToStructure($PtrModule, [Type] $SystemModuleType)
+
+ if ($SystemModule.Name[0] -ne 0)
+ {
+ $ModuleInfo = @{
+ ImageBaseAddress = $SystemModule.ImageBaseAddress
+ ImageSize = $SystemModule.ImageSize
+ Flags = $SystemModule.Flags
+ Id = $SystemModule.Id
+ Rank = $SystemModule.Rank
+ w018 = $SystemModule.w018
+ NameOffset = $SystemModule.NameOffset
+ # Get the full path to the driver and expand SystemRoot in the path
+ Name = (Get-String $SystemModule.Name) -replace '\\\\SystemRoot', $Env:SystemRoot
+ }
+
+ $Module = New-Object PSObject -Property $ModuleInfo
+ $Module.PSObject.TypeNames[0] = 'SystemInformation.SYSTEM_MODULE'
+
+ Write-Output $Module
+ }
+ else
+ {
+ # No more modules to iterate through
+ $AnotherModule = $False
+ }
+
+ $i++
+ }
+
+ # Free the unmanaged memory used to store the structures
+ [Runtime.InteropServices.Marshal]::FreeHGlobal($PtrSystemInformation)
+}
\ No newline at end of file |