Diffstat (limited to 'ReverseEngineering/Get-NtSystemInformation.ps1')
-rw-r--r-- | ReverseEngineering/Get-NtSystemInformation.ps1 | 34 |
1 files changed, 34 insertions, 0 deletions
diff --git a/ReverseEngineering/Get-NtSystemInformation.ps1 b/ReverseEngineering/Get-NtSystemInformation.ps1
index 98cdd4d..707dae6 100644
--- a/ReverseEngineering/Get-NtSystemInformation.ps1
+++ b/ReverseEngineering/Get-NtSystemInformation.ps1
@@ -139,6 +139,10 @@
 [Switch]
 $LockInformation,
+ [Parameter( ParameterSetName = 'CodeIntegrityInformation' )]
+ [Switch]
+ $CodeIntegrityInformation,
+
 [Parameter( ParameterSetName = 'GlobalFlags' )]
 [Switch]
 $GlobalFlags
@@ -202,6 +206,7 @@
 #$EnumBuilder.DefineLiteral('SystemExceptionInformation', [Int32] 0x00000021) | Out-Null
 #$EnumBuilder.DefineLiteral('SystemRegistryQuotaInformation', [Int32] 0x00000025) | Out-Null
 #$EnumBuilder.DefineLiteral('SystemLookasideInformation', [Int32] 0x0000002D) | Out-Null
+ $EnumBuilder.DefineLiteral('SystemCodeIntegrityInformation', [Int32] 0x00000067) | Out-Null
 $SystemInformationClass = $EnumBuilder.CreateType()
 }
@@ -213,6 +218,15 @@
 $NtStatus = $EnumBuilder.CreateType()
 }
+ try { $LockdownState = [LOCKDOWN_STATE] } catch [Management.Automation.RuntimeException]
+ {
+ $EnumBuilder = $ModuleBuilder.DefineEnum('LOCKDOWN_STATE', 'Public', [Int32])
+ $EnumBuilder.DefineLiteral('UMCINONE', [Int32] 0x00000000) | Out-Null
+ $EnumBuilder.DefineLiteral('UMCIENFORCE', [Int32] 0x00000004) | Out-Null
+ $EnumBuilder.DefineLiteral('UMCIAUDIT', [Int32] 0xC0000008) | Out-Null
+ $LockdownState = $EnumBuilder.CreateType()
+ }
+
 try { $PoolType = [POOL_TYPE] } catch [Management.Automation.RuntimeException]
 {
 $EnumBuilder = $ModuleBuilder.DefineEnum('POOL_TYPE', 'Public', [UInt32])
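Review bot: The `UMCIAUDIT` literal in the new LOCKDOWN_STATE enum (third hunk) is `0xC0000008`, a value that can never be produced by the `($CIInfo -band 0x1C) -as $LockdownState` expression in the fourth hunk, since the mask only keeps bits 2–4; it looks like an NTSTATUS-style constant pasted in place of a flag bit. The mask also admits 0x08, 0x0C, 0x10 and combinations that have no enumerator, so on a system in UMCI audit mode the conversion will presumably yield `$null` or a bare number rather than a name (exact behavior depends on PowerShell's int-to-enum conversion — worth confirming). I would define the audit value as the single option bit it is meant to represent, `$EnumBuilder.DefineLiteral('UMCIAUDIT', [Int32] 0x00000008) | Out-Null`, and either restrict the mask to the bits the enum defines or add a comment on the enum stating which SYSTEM_CODEINTEGRITY_INFORMATION option bits each member corresponds to. The enclosing type-definition block continues outside the hunk.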
@@ -1019,6 +1033,26 @@
 Get-Struct @Arguments
 }
+ 'CodeIntegrityInformation' {
+ $CIStructLength = 8
+ $PtrData = [Runtime.InteropServices.Marshal]::AllocHGlobal($CIStructLength)
+ [Runtime.InteropServices.Marshal]::WriteInt64($PtrData, 0)
+ [Runtime.InteropServices.Marshal]::WriteByte($PtrData, 8) # The length field in SYSTEM_CODEINTEGRITY_INFORMATION must be set to 8
+ $ntdll::NtQuerySystemInformation($SystemInformationClass::SystemCodeIntegrityInformation, $PtrData, $CIStructLength, [Ref] 0) | Out-Null
+ $CIInfo = [Runtime.InteropServices.Marshal]::ReadInt32(([IntPtr]($PtrData.ToInt64() + 4)))
+ [Runtime.InteropServices.Marshal]::FreeHGlobal($PtrData)
+
+ $ResultHashTable = @{
+ CodeIntegrityOptions = $CIInfo
+ LockdownState = ($CIInfo -band 0x1C) -as $LockdownState
+ }
+
+ $CodeIntegrityType = New-Object PSObject -Property $ResultHashTable
+ $CodeIntegrityType.PSObject.TypeNames.Insert(0, '_SYSTEM_CODEINTEGRITY_INFORMATION')
+
+ Write-Output $CodeIntegrityType
+ }
+
 'GlobalFlags' {
 $TotalLength = 0
 $ReturnedLength = 0
|
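Review bot: The NTSTATUS returned by `NtQuerySystemInformation` in the new 'CodeIntegrityInformation' branch is discarded with `| Out-Null`, so if the call fails (information class not supported on the running OS, or a length mismatch) `$CIInfo` is read from the zero-filled buffer and the object reports `CodeIntegrityOptions = 0` and `UMCINONE` — a query failure becomes indistinguishable from "code integrity disabled", which is the wrong default for a tool that reports enforcement state. Capture the status and fail instead: `$Status = $ntdll::NtQuerySystemInformation($SystemInformationClass::SystemCodeIntegrityInformation, $PtrData, $CIStructLength, [Ref] 0)` followed by `if ($Status -ne 0) { [Runtime.InteropServices.Marshal]::FreeHGlobal($PtrData); throw "NtQuerySystemInformation failed with status $Status" }` (compare against the file's `$NtStatus` enum if it carries a success member). Wrapping the read and `FreeHGlobal` in `try`/`finally` would also stop the unmanaged buffer leaking if `ReadInt32` throws. The enclosing switch and function start and end outside the hunk.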