Diffstat (limited to 'Capstone')
| -rw-r--r-- | Capstone/Capstone.psd1 | 48 | ||||
| -rw-r--r-- | Capstone/Capstone.psm1 | 173 | ||||
| -rw-r--r-- | Capstone/Get-CSDisassembly.format.ps1xml | 41 | ||||
| -rw-r--r-- | Capstone/LICENSE.TXT | 30 | ||||
| -rw-r--r-- | Capstone/README | 17 | ||||
| -rw-r--r-- | Capstone/lib/capstone.dll | bin | 0 -> 91136 bytes | |||
| -rw-r--r-- | Capstone/lib/place_capstone.dll_here | 0 | ||||
| -rw-r--r-- | Capstone/lib/x64/libcapstone.dll | bin | 0 -> 3629294 bytes | |||
| -rw-r--r-- | Capstone/lib/x64/place_64-bit_libcapstone.dll_here | 0 | ||||
| -rw-r--r-- | Capstone/lib/x86/libcapstone.dll | bin | 0 -> 3622809 bytes | |||
| -rw-r--r-- | Capstone/lib/x86/place_32-bit_libcapstone.dll_here | 0 | 
11 files changed, 309 insertions, 0 deletions
diff --git a/Capstone/Capstone.psd1 b/Capstone/Capstone.psd1
new file mode 100644
index 0000000..d85443f
--- /dev/null
+++ b/Capstone/Capstone.psd1
@@ -0,0 +1,48 @@
+@{
+
+# Script module or binary module file associated with this manifest.
+ModuleToProcess = 'Capstone.psm1'
+
+# Version number of this module.
+ModuleVersion = '2.0.0.0'
+
+# ID used to uniquely identify this module
+GUID = 'bc335667-02fd-46c4-a3d9-0a5113c9c03b'
+
+# Author of this module
+Author = 'Matthew Graeber'
+
+# Copyright statement for this module
+Copyright = 'see LICENSE.TXT'
+
+# Description of the functionality provided by this module
+Description = 'Capstone Disassembly Framework Binding Module'
+
+# Minimum version of the Windows PowerShell engine required by this module
+PowerShellVersion = '3.0'
+
+# Minimum version of the common language runtime (CLR) required by this module
+CLRVersion = '4.0'
+
+# Assemblies that must be loaded prior to importing this module
+RequiredAssemblies = 'lib/capstone.dll'
+
+# Format files (.ps1xml) to be loaded when importing this module
+FormatsToProcess = 'Get-CSDisassembly.format.ps1xml'
+
+# Functions to export from this module
+FunctionsToExport = '*'
+
+# List of all modules packaged with this module.
+ModuleList = @(@{ModuleName = 'Capstone'; ModuleVersion = '1.0.0.0'; GUID = 'bc335667-02fd-46c4-a3d9-0a5113c9c03b'})
+
+# List of all files packaged with this module
+FileList = 'Capstone.psm1',
+           'Capstone.psd1',
+           'Get-CSDisassembly.format.ps1xml',
+           'LICENSE.TXT',
+           'README', 
+           'lib/capstone.dll',
+           'lib/x86/libcapstone.dll',
+           'lib/x64/libcapstone.dll'
+}
diff --git a/Capstone/Capstone.psm1 b/Capstone/Capstone.psm1
new file mode 100644
index 0000000..6f55c1e
--- /dev/null
+++ b/Capstone/Capstone.psm1
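Review bot: The nested `ModuleList` entry declares `ModuleVersion = '1.0.0.0'` while the manifest's own `ModuleVersion` is `'2.0.0.0'`, so the manifest disagrees with itself about which version it ships; the entry should read `ModuleList = @(@{ModuleName = 'Capstone'; ModuleVersion = '2.0.0.0'; GUID = 'bc335667-02fd-46c4-a3d9-0a5113c9c03b'})`. Separately, `RequiredAssemblies = 'lib/capstone.dll'` causes a checked-in managed binding to be loaded at import time, and `FileList` ships two prebuilt native `libcapstone.dll` binaries, yet nothing in the commit records which upstream Capstone release or commit they were built from or a digest to verify them against. A consumer of this module has no way to tell a legitimate rebuild from a tampered DLL, so I would add a short provenance section to the README naming the Capstone version, the build source, and the SHA-256 of each of the three DLLs. The `place_*_here` placeholder files suggest the binaries were originally meant to be supplied by the user; if that is still the intent, the manifest should not list them in `FileList`, and if not, the placeholders could be dropped — worth confirming which is meant.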
@@ -0,0 +1,173 @@
+#Requires -Modules Capstone
+
+function Get-CSDisassembly
+{
+<#
+.SYNOPSIS
+
+    Disassembles a byte array using the Capstone Engine disassembly framework.
+
+    PowerSploit Function: Get-CSDisassembly
+    Author: Matthew Graeber (@mattifestation)
+    License: See LICENSE.TXT
+    Required Dependencies: lib\capstone.dll, lib\[x86|x64]\libcapstone.dll
+    Optional Dependencies: None
+
+.DESCRIPTION
+
+    Get-CSDisassembly is compatible on 32 and 64-bit.
+
+.PARAMETER Architecture
+
+    Specifies the architecture of the code to be disassembled.
+
+.PARAMETER Mode
+
+    Specifies the mode in which to disassemble code. For example, to disassemble Amd64 code, architecture is set to 'X86' and Mode is set to 'MODE_64'.
+
+.PARAMETER Code
+
+    A byte array consisting of the code to be disassembled.
+
+.PARAMETER Offset
+
+    Specifies the starting address of the disassembly listing.
+
+.PARAMETER Count
+
+    Specifies the maximum number of instructions to disassemble.
+
+.PARAMETER Syntax
+
+    Specifies the syntax flavor to be used (INTEL vs. ATT).
+
+.PARAMETER DetailOn
+
+    Specifies that detailed parsing should be performed - i.e. provide detailed information for each disassembled instruction.
+
+.PARAMETER Verstion
+
+    Prints the running Capstone Framework version. 
+       
+.EXAMPLE
+
+    $Bytes = [Byte[]] @( 0x8D, 0x4C, 0x32, 0x08, 0x01, 0xD8, 0x81, 0xC6, 0x34, 0x12, 0x00, 0x00 )
+    Get-CSDisassembly -Architecture X86 -Mode Mode16 -Code $Bytes -Offset 0x1000
+
+    $Bytes = [Byte[]] @( 0x8D, 0x4C, 0x32, 0x08, 0x01, 0xD8, 0x81, 0xC6, 0x34, 0x12, 0x00, 0x00 )
+    Get-CSDisassembly -Architecture X86 -Mode Mode32 -Code $Bytes
+
+    $Bytes = [Byte[]] @( 0x8D, 0x4C, 0x32, 0x08, 0x01, 0xD8, 0x81, 0xC6, 0x34, 0x12, 0x00, 0x00 )
+    Get-CSDisassembly -Architecture X86 -Mode Mode32 -Code $Bytes -Syntax ATT
+
+    $Bytes = [Byte[]] @( 0x55, 0x48, 0x8b, 0x05, 0xb8, 0x13, 0x00, 0x00 )
+    Get-CSDisassembly -Architecture X86 -Mode Mode64 -Code $Bytes -DetailOn
+
+    $Bytes = [Byte[]] @( 0xED, 0xFF, 0xFF, 0xEB, 0x04, 0xe0, 0x2d, 0xe5, 0x00, 0x00, 0x00, 0x00, 0xe0, 0x83, 0x22, 0xe5, 0xf1, 0x02, 0x03, 0x0e, 0x00, 0x00, 0xa0, 0xe3, 0x02, 0x30, 0xc1, 0xe7, 0x00, 0x00, 0x53, 0xe3 )
+    Get-CSDisassembly -Architecture Arm -Mode Arm -Code $Bytes
+
+    $Bytes = [Byte[]] @( 0x4f, 0xf0, 0x00, 0x01, 0xbd, 0xe8, 0x00, 0x88, 0xd1, 0xe8, 0x00, 0xf0 )
+    Get-CSDisassembly -Architecture Arm -Mode Thumb -Code $Bytes
+
+    $Bytes = [Byte[]] @( 0x10, 0xf1, 0x10, 0xe7, 0x11, 0xf2, 0x31, 0xe7, 0xdc, 0xa1, 0x2e, 0xf3, 0xe8, 0x4e, 0x62, 0xf3 )
+    Get-CSDisassembly -Architecture Arm -Mode Arm -Code $Bytes
+
+    $Bytes = [Byte[]] @( 0x70, 0x47, 0xeb, 0x46, 0x83, 0xb0, 0xc9, 0x68 )
+    Get-CSDisassembly -Architecture Arm -Mode Thumb -Code $Bytes -DetailOn
+
+    $Bytes = [Byte[]] @( 0x21, 0x7c, 0x02, 0x9b, 0x21, 0x7c, 0x00, 0x53, 0x00, 0x40, 0x21, 0x4b, 0xe1, 0x0b, 0x40, 0xb9 )
+    Get-CSDisassembly -Architecture Arm64 -Mode Arm -Code $Bytes
+
+    $Bytes = [Byte[]] @( 0x0C, 0x10, 0x00, 0x97, 0x00, 0x00, 0x00, 0x00, 0x24, 0x02, 0x00, 0x0c, 0x8f, 0xa2, 0x00, 0x00, 0x34, 0x21, 0x34, 0x56 )
+    Get-CSDisassembly -Architecture Mips -Mode 'Mode32, BigEndian' -Code $Bytes
+
+    $Bytes = [Byte[]] @( 0x56, 0x34, 0x21, 0x34, 0xc2, 0x17, 0x01, 0x00 )
+    Get-CSDisassembly -Architecture Mips -Mode 'Mode64, LittleEndian' -Code $Bytes
+
+    $Bytes = [Byte[]] @( 0x80, 0x20, 0x00, 0x00, 0x80, 0x3f, 0x00, 0x00, 0x10, 0x43, 0x23, 0x0e, 0xd0, 0x44, 0x00, 0x80, 0x4c, 0x43, 0x22, 0x02, 0x2d, 0x03, 0x00, 0x80, 0x7c, 0x43, 0x20, 0x14, 0x7c, 0x43, 0x20, 0x93, 0x4f, 0x20, 0x00, 0x21, 0x4c, 0xc8, 0x00, 0x21 )
+    Get-CSDisassembly -Architecture PPC -Mode BigEndian -Code $Bytes
+
+.INPUTS
+
+    None
+
+    You cannot pipe objects to Get-CSDisassembly.
+
+.OUTPUTS
+
+    Capstone.Instruction[]
+
+    Get-CSDisassembly returns an array of Instruction objects.
+#>
+
+    [OutputType([Capstone.Instruction])]
+    [CmdletBinding(DefaultParameterSetName = 'Disassemble')]
+    Param (
+        [Parameter(Mandatory, ParameterSetName = 'Disassemble')]
+        [Capstone.Architecture]
+        $Architecture,
+
+        [Parameter(Mandatory, ParameterSetName = 'Disassemble')]
+        [Capstone.Mode]
+        $Mode,
+
+        [Parameter(Mandatory, ParameterSetName = 'Disassemble')]
+        [ValidateNotNullOrEmpty()]
+        [Byte[]]
+        $Code,
+
+        [Parameter( ParameterSetName = 'Disassemble' )]
+        [UInt64]
+        $Offset = 0,
+
+        [Parameter( ParameterSetName = 'Disassemble' )]
+        [UInt32]
+        $Count = 0,
+
+        [Parameter( ParameterSetName = 'Disassemble' )]
+        [ValidateSet('Intel', 'ATT')]
+        [String]
+        $Syntax,
+
+        [Parameter( ParameterSetName = 'Disassemble' )]
+        [Switch]
+        $DetailOn,
+
+        [Parameter( ParameterSetName = 'Version' )]
+        [Switch]
+        $Version
+    )
+
+    if ($PsCmdlet.ParameterSetName -eq 'Version')
+    {
+        $Disassembly = New-Object Capstone.Capstone([Capstone.Architecture]::X86, [Capstone.Mode]::Mode16)
+        $Disassembly.Version
+
+        return
+    }
+
+    $Disassembly = New-Object Capstone.Capstone($Architecture, $Mode)
+
+    if ($Disassembly.Version -ne [Capstone.Capstone]::BindingVersion)
+    {
+        Write-Error "capstone.dll version ($([Capstone.Capstone]::BindingVersion.ToString())) should be the same as libcapstone.dll version. Otherwise, undefined behavior is likely."
+    }
+
+    if ($Syntax)
+    {
+        switch ($Syntax)
+        {
+            'Intel' { $SyntaxMode = [Capstone.OptionValue]::SyntaxIntel }
+            'ATT'   { $SyntaxMode = [Capstone.OptionValue]::SyntaxATT }
+        }
+
+        $Disassembly.SetSyntax($SyntaxMode)
+    }
+
+    if ($DetailOn)
+    {
+        $Disassembly.SetDetail($True)
+    }
+
+    $Disassembly.Disassemble($Code, $Offset, $Count)
+}
\ No newline at end of file diff --git a/Capstone/Get-CSDisassembly.format.ps1xml b/Capstone/Get-CSDisassembly.format.ps1xml new file mode 100644 index 0000000..e9703a2 --- /dev/null +++ b/Capstone/Get-CSDisassembly.format.ps1xml @@ -0,0 +1,41 @@ +<?xml version="1.0" encoding="utf-8" ?> +<Configuration> +    <ViewDefinitions> +        <View> +            <Name>InstructionView</Name> +                <ViewSelectedBy> +		            <TypeName>Capstone.Instruction</TypeName> +		        </ViewSelectedBy> +            <TableControl> +            <AutoSize/> +                <TableHeaders> +                    <TableColumnHeader> +                        <Label>Address</Label> +                    </TableColumnHeader> +                    <TableColumnHeader> +                        <Label>Mnemonic</Label> +                    </TableColumnHeader> +                    <TableColumnHeader> +                        <Label>Operands</Label> +                    </TableColumnHeader> +                </TableHeaders> +                <TableRowEntries> +                    <TableRowEntry> +                        <TableColumnItems> +                            <TableColumnItem> +                                <PropertyName>Address</PropertyName> +                                <FormatString>0x{0:X8}</FormatString> +                            </TableColumnItem> +                            <TableColumnItem> +                                <PropertyName>Mnemonic</PropertyName> +                            </TableColumnItem> +                            <TableColumnItem> +                                <PropertyName>Operands</PropertyName> +                            </TableColumnItem> +                        </TableColumnItems> +                    </TableRowEntry> +                </TableRowEntries> +            </TableControl> +        </View> +    </ViewDefinitions> +</Configuration>
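Review bot: The binding/native version check in Get-CSDisassembly reports the mismatch with `Write-Error`, which is non-terminating under the default `-ErrorAction`, so after printing that "undefined behavior is likely" the function still proceeds to `$Disassembly.Disassemble($Code, $Offset, $Count)` and hands caller-supplied bytes to a native parser through a binding whose struct layout may not match it. That is the one place this module crosses into unmanaged memory on untrusted input, so the mismatch should stop the call: `throw "capstone.dll binding version $([Capstone.Capstone]::BindingVersion) does not match libcapstone.dll version $($Disassembly.Version); refusing to disassemble."`, which also fixes the current message reporting only the binding version and leaving the reader to guess the native one. The help block's `.PARAMETER Verstion` is misspelled, so Get-Help will not attach that text to the `-Version` switch; it should read `.PARAMETER Version`. The `#Requires -Modules Capstone` line at the top of Capstone.psm1 itself appears self-referential and may fail when the psm1 is dot-sourced or imported without the manifest — worth confirming that is intended.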
\ No newline at end of file diff --git a/Capstone/LICENSE.TXT b/Capstone/LICENSE.TXT new file mode 100644 index 0000000..9edde0b --- /dev/null +++ b/Capstone/LICENSE.TXT @@ -0,0 +1,30 @@ +This is the software license for Capstone disassembly framework. +Capstone has been designed & implemented by Nguyen Anh Quynh <aquynh@gmail.com> +See http://www.capstone-engine.org for further information. + +Copyright (c) 2013, COSEINC. +All rights reserved. + +Redistribution and use in source and binary forms, with or without +modification, are permitted provided that the following conditions are met: + +* Redistributions of source code must retain the above copyright notice, +  this list of conditions and the following disclaimer. +* Redistributions in binary form must reproduce the above copyright notice, +  this list of conditions and the following disclaimer in the documentation +  and/or other materials provided with the distribution. +* Neither the name of the developer(s) nor the names of its +  contributors may be used to endorse or promote products derived from this +  software without specific prior written permission. + +THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" +AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE +LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR +CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF +SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS +INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN +CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) +ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE +POSSIBILITY OF SUCH DAMAGE. diff --git a/Capstone/README b/Capstone/README new file mode 100644 index 0000000..cbab0cb 
--- /dev/null
+++ b/Capstone/README
@@ -0,0 +1,17 @@
+This module has three dependencies:
+* lib\x86\libcapstone.dll (the 32-bit unmanaged Capstone library)
+* lib\x64\libcapstone.dll (the 64-bit unmanaged Capstone library)
+* lib\capstone.dll (the managed C# bindings to the Capstone Framework)
+
+To install this module, drop the entire ScriptModification folder into one of your module directories. The default PowerShell module paths are listed in the $Env:PSModulePath environment variable.
+
+The default per-user module path is: "$Env:HomeDrive$Env:HOMEPATH\Documents\WindowsPowerShell\Modules"
+The default computer-level module path is: "$Env:windir\System32\WindowsPowerShell\v1.0\Modules"
+
+To use the module, type `Import-Module Capstone`
+
+To see the commands imported, type `Get-Command -Module Capstone`
+
+For help on each individual command, Get-Help is your friend.
+
+Note: The tools contained within this module were all designed such that they can be run individually. Including them in a module simply lends itself to increased portability.
\ No newline at end of file diff --git a/Capstone/lib/capstone.dll b/Capstone/lib/capstone.dllBinary files differ new file mode 100644 index 0000000..809932b --- /dev/null +++ b/Capstone/lib/capstone.dll diff --git a/Capstone/lib/place_capstone.dll_here b/Capstone/lib/place_capstone.dll_here new file mode 100644 index 0000000..e69de29 --- /dev/null +++ b/Capstone/lib/place_capstone.dll_here diff --git a/Capstone/lib/x64/libcapstone.dll b/Capstone/lib/x64/libcapstone.dllBinary files differ new file mode 100644 index 0000000..8d0a578 --- /dev/null +++ b/Capstone/lib/x64/libcapstone.dll diff --git a/Capstone/lib/x64/place_64-bit_libcapstone.dll_here b/Capstone/lib/x64/place_64-bit_libcapstone.dll_here new file mode 100644 index 0000000..e69de29 --- /dev/null +++ b/Capstone/lib/x64/place_64-bit_libcapstone.dll_here diff --git a/Capstone/lib/x86/libcapstone.dll b/Capstone/lib/x86/libcapstone.dllBinary files differ new file mode 100644 index 0000000..bb919a6 --- /dev/null +++ b/Capstone/lib/x86/libcapstone.dll diff --git a/Capstone/lib/x86/place_32-bit_libcapstone.dll_here b/Capstone/lib/x86/place_32-bit_libcapstone.dll_here new file mode 100644 index 0000000..e69de29 --- /dev/null +++ b/Capstone/lib/x86/place_32-bit_libcapstone.dll_here |