diff options
Diffstat (limited to 'PETools')
| -rw-r--r-- | PETools/Get-PEHeader.ps1 | 52 | 
1 files changed, 45 insertions, 7 deletions
| diff --git a/PETools/Get-PEHeader.ps1 b/PETools/Get-PEHeader.ps1 index 1a8575f..551aac0 100644 --- a/PETools/Get-PEHeader.ps1 +++ b/PETools/Get-PEHeader.ps1 @@ -15,6 +15,26 @@ Optional Dependencies: PETools.format.ps1xml  Get-PEHeader retrieves PE headers including imports and exports from either a file on disk or a module in memory. Get-PEHeader will operate on single PE header but you can also feed it the output of Get-ChildItem or Get-Process! Get-PEHeader works on both 32 and 64-bit modules. +.PARAMETER FilePath + +Specifies the path to the portable executable file on disk + +.PARAMETER ProcessID + +Specifies the process ID. + +.PARAMETER Module + +The name of the module. This parameter is typically only used in pipeline expressions + +.PARAMETER ModuleBaseAddress + +The base address of the module + +.PARAMETER GetSectionData + +Retrieves raw section data. +  .OUTPUTS  System.Object @@ -91,14 +111,11 @@ http://www.exploit-monday.com/2012/07/get-peheader.html  #>      [CmdletBinding(DefaultParameterSetName = 'OnDisk')] Param ( -        # Path to the portable executable file on disk          [Parameter(Position = 0, Mandatory = $True, ParameterSetName = 'OnDisk', ValueFromPipelineByPropertyName = $True)] [Alias('FullName')] [String[]] $FilePath, -        # The process ID          [Parameter(Position = 0, Mandatory = $True, ParameterSetName = 'InMemory', ValueFromPipelineByPropertyName = $True)] [Alias('Id')] [Int] $ProcessID, -        # The name of the module. This parameter is typically only used in pipeline expressions          [Parameter(Position = 2, ParameterSetName = 'InMemory', ValueFromPipelineByPropertyName = $True)] [Alias('MainModule')] [Alias('Modules')] [System.Diagnostics.ProcessModule[]] $Module, -        # The base address of the module -        [Parameter(Position = 1, ParameterSetName = 'InMemory')] [IntPtr] $ModuleBaseAddress +        [Parameter(Position = 1, ParameterSetName = 'InMemory')] [IntPtr] $ModuleBaseAddress, +        [Parameter()] [Switch] $GetSectionData      )  PROCESS { @@ -628,7 +645,7 @@ PROCESS {          Write-Verbose "Architecture: $Architecture"          Write-Verbose 'Proceeding with parsing a 64-bit binary.' -    } elseif ($Architecture -eq 'I386' -or $Architecture -eq 'ARMNT') { +    } elseif ($Architecture -eq 'I386' -or $Architecture -eq 'ARMNT' -or $Architecture -eq 'THUMB') {          $PEStruct = @{              IMAGE_OPTIONAL_HEADER = [PE+_IMAGE_OPTIONAL_HEADER32] @@ -653,7 +670,7 @@ PROCESS {      $NumSections = $NtHeader.FileHeader.NumberOfSections      $NumRva = $NtHeader.OptionalHeader.NumberOfRvaAndSizes      $PointerSectionHeader = [IntPtr] ($PointerNtHeader.ToInt64() + [System.Runtime.InteropServices.Marshal]::SizeOf([Type] $PEStruct['NT_HEADER'])) -    $SectionHeaders = New-Object PE+_IMAGE_SECTION_HEADER[]($NumSections) +    $SectionHeaders = New-Object PSObject[]($NumSections)      foreach ($i in 0..($NumSections - 1))      {          $SectionHeaders[$i] = [System.Runtime.InteropServices.Marshal]::PtrToStructure(([IntPtr] ($PointerSectionHeader.ToInt64() + ($i * [System.Runtime.InteropServices.Marshal]::SizeOf([Type] [PE+_IMAGE_SECTION_HEADER])))), [Type] [PE+_IMAGE_SECTION_HEADER]) @@ -686,6 +703,27 @@ PROCESS {          $CloseHandle.Invoke($hProcess) | Out-Null      } + +    if ($PSBoundParameters['GetSectionData']) +    { +        foreach ($i in 0..($NumSections - 1)) +        { +            $RawBytes = $null + +            if ($OnDisk) +            { +                $RawBytes = New-Object Byte[]($SectionHeaders[$i].SizeOfRawData) +                [Runtime.InteropServices.Marshal]::Copy([IntPtr] ($PEBaseAddr.ToInt64() + $SectionHeaders[$i].PointerToRawData), $RawBytes, 0, $SectionHeaders[$i].SizeOfRawData) +            } +            else +            { +                $RawBytes = New-Object Byte[]($SectionHeaders[$i].VirtualSize) +                [Runtime.InteropServices.Marshal]::Copy([IntPtr] ($PEBaseAddr.ToInt64() + $SectionHeaders[$i].VirtualAddress), $RawBytes, 0, $SectionHeaders[$i].VirtualSize) +            } + +            $SectionHeaders[$i] = Add-Member -InputObject ($SectionHeaders[$i]) -MemberType NoteProperty -Name RawData -Value $RawBytes -PassThru -Force +        } +    }      function Get-Exports()      { |