Diffstat (limited to 'ReverseEngineering/Get-NtSystemInformation.ps1')
-rw-r--r-- | ReverseEngineering/Get-NtSystemInformation.ps1 | 46 |
1 files changed, 42 insertions, 4 deletions
diff --git a/ReverseEngineering/Get-NtSystemInformation.ps1 b/ReverseEngineering/Get-NtSystemInformation.ps1 index 98cdd4d..2bde8f6 100644 --- a/ReverseEngineering/Get-NtSystemInformation.ps1 +++ b/ReverseEngineering/Get-NtSystemInformation.ps1 @@ -1,4 +1,4 @@ -function Get-NtSystemInformation +function Get-NtSystemInformation { <# .SYNOPSIS @@ -49,6 +49,10 @@ Returns information about user-mode objects and their respective kernel pool allocations. +.PARAMETER CodeIntegrityInformation + + Returns user-mode code integrity flags. + .PARAMETER GlobalFlags Returns a list of all enabled global flags. @@ -139,6 +143,10 @@ [Switch] $LockInformation, + [Parameter( ParameterSetName = 'CodeIntegrityInformation' )] + [Switch] + $CodeIntegrityInformation, + [Parameter( ParameterSetName = 'GlobalFlags' )] [Switch] $GlobalFlags @@ -202,6 +210,7 @@ #$EnumBuilder.DefineLiteral('SystemExceptionInformation', [Int32] 0x00000021) | Out-Null #$EnumBuilder.DefineLiteral('SystemRegistryQuotaInformation', [Int32] 0x00000025) | Out-Null #$EnumBuilder.DefineLiteral('SystemLookasideInformation', [Int32] 0x0000002D) | Out-Null + $EnumBuilder.DefineLiteral('SystemCodeIntegrityInformation', [Int32] 0x00000067) | Out-Null $SystemInformationClass = $EnumBuilder.CreateType() } @@ -213,6 +222,15 @@ $NtStatus = $EnumBuilder.CreateType() } + try { $LockdownState = [LOCKDOWN_STATE] } catch [Management.Automation.RuntimeException] + { + $EnumBuilder = $ModuleBuilder.DefineEnum('LOCKDOWN_STATE', 'Public', [Int32]) + $EnumBuilder.DefineLiteral('UMCINONE', [Int32] 0x00000000) | Out-Null + $EnumBuilder.DefineLiteral('UMCIENFORCE', [Int32] 0x00000004) | Out-Null + $EnumBuilder.DefineLiteral('UMCIAUDIT', [Int32] 0xC0000008) | Out-Null + $LockdownState = $EnumBuilder.CreateType() + } + try { $PoolType = [POOL_TYPE] } catch [Management.Automation.RuntimeException] { $EnumBuilder = $ModuleBuilder.DefineEnum('POOL_TYPE', 'Public', [UInt32]) 
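Review bot: The `UMCIAUDIT` literal `0xC0000008` in the new `LOCKDOWN_STATE` enum can never be produced by its only consumer, the `CodeIntegrityInformation` case added later in this diff, which masks the options with `-band 0x1C`; a masked result is at most `0x1C`, so the audit state is unreachable and `0xC0000008` reads like an NTSTATUS rather than a flag bit. Because the enum is not marked `[Flags]`, any masked value other than `0` or `4` (for instance `0xC` when both UMCI bits are set) fails the `-as` conversion and the reported `LockdownState` silently becomes `$null`. Presumably the audit bit was meant to be the `0x8` bit the mask already covers, e.g. `$EnumBuilder.DefineLiteral('UMCIAUDIT', [Int32] 0x00000008) | Out-Null` — verify against the SDK definition before changing it. If combined bits are possible, either mark the enum `[Flags]` or expose each bit as its own boolean property instead of a single enum value. The enclosing function body continues outside this hunk.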
@@ -615,7 +633,7 @@ foreach ($i in 0..($Count-1)) { - [Runtime.InteropServices.Marshal]::PtrToStructure($StructAddress, $StructType) + [Runtime.InteropServices.Marshal]::PtrToStructure($StructAddress, [Type] $StructType) $StructAddress = ([IntPtr]($StructAddress.ToInt64() + $StructSize)) } @@ -940,7 +958,7 @@ # Base address of the _SYSTEM_OBJECTTYPE_INFORMATION struct $ObjectTypeAbsoluteAddress = [IntPtr]($PtrData.ToInt64() + $NextTypeOffset) - $Result = [Runtime.InteropServices.Marshal]::PtrToStructure($ObjectTypeAbsoluteAddress, $ObjectTypeClass) + $Result = [Runtime.InteropServices.Marshal]::PtrToStructure($ObjectTypeAbsoluteAddress, [Type] $ObjectTypeClass) if ($Result.NumberOfObjects -gt 0) { @@ -952,7 +970,7 @@ do { - $ObjectResult = [Runtime.InteropServices.Marshal]::PtrToStructure(( [IntPtr]($ObjectBaseAddr.ToInt64() + $NextObjectOffset) ), $ObjectClass) + $ObjectResult = [Runtime.InteropServices.Marshal]::PtrToStructure(( [IntPtr]($ObjectBaseAddr.ToInt64() + $NextObjectOffset) ), [Type] $ObjectClass) $ResultHashTable2 = @{ Object = $ObjectResult.Object 
@@ -1019,6 +1037,26 @@
 Get-Struct @Arguments
 }
 
+ 'CodeIntegrityInformation' {
+ $CIStructLength = 8
+ $PtrData = [Runtime.InteropServices.Marshal]::AllocHGlobal($CIStructLength)
+ [Runtime.InteropServices.Marshal]::WriteInt64($PtrData, 0)
+ [Runtime.InteropServices.Marshal]::WriteByte($PtrData, 8) # The length field in SYSTEM_CODEINTEGRITY_INFORMATION must be set to 8
+ $ntdll::NtQuerySystemInformation($SystemInformationClass::SystemCodeIntegrityInformation, $PtrData, $CIStructLength, [Ref] 0) | Out-Null
+ $CIInfo = [Runtime.InteropServices.Marshal]::ReadInt32(([IntPtr]($PtrData.ToInt64() + 4)))
+ [Runtime.InteropServices.Marshal]::FreeHGlobal($PtrData)
+
+ $ResultHashTable = @{
+ CodeIntegrityOptions = $CIInfo
+ LockdownState = ($CIInfo -band 0x1C) -as $LockdownState
+ }
+
+ $CodeIntegrityType = New-Object PSObject -Property $ResultHashTable
+ $CodeIntegrityType.PSObject.TypeNames.Insert(0, '_SYSTEM_CODEINTEGRITY_INFORMATION')
+
+ Write-Output $CodeIntegrityType
+ }
+
 'GlobalFlags' {
 $TotalLength = 0
 $ReturnedLength = 0
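Review bot: The NTSTATUS returned by `$ntdll::NtQuerySystemInformation(...)` in the new `CodeIntegrityInformation` case is piped to `Out-Null`, so when the call fails (wrong buffer length, or an OS that does not support `SystemCodeIntegrityInformation`) the code reads the zeroed buffer and reports `CodeIntegrityOptions = 0` / `UMCINONE` as if no code integrity were enforced — a silent false negative for exactly the check this parameter exists for. The status should be captured and a non-success value turned into an error (if the P/Invoke signature returns the `$NtStatus` enum, compare against its success member instead of `0`), and `FreeHGlobal` should sit in a `finally` so the buffer is released on that path. The surrounding `switch` and function continue outside this hunk.
```powershell
'CodeIntegrityInformation' {
    $CIStructLength = 8
    $PtrData = [Runtime.InteropServices.Marshal]::AllocHGlobal($CIStructLength)
    try {
        [Runtime.InteropServices.Marshal]::WriteInt64($PtrData, 0)
        [Runtime.InteropServices.Marshal]::WriteByte($PtrData, 8) # Length field of SYSTEM_CODEINTEGRITY_INFORMATION
        $Status = $ntdll::NtQuerySystemInformation($SystemInformationClass::SystemCodeIntegrityInformation, $PtrData, $CIStructLength, [Ref] 0)
        if ($Status -ne 0) {
            throw "NtQuerySystemInformation(SystemCodeIntegrityInformation) failed with NTSTATUS 0x$('{0:X8}' -f [Int32] $Status)"
        }
        $CIInfo = [Runtime.InteropServices.Marshal]::ReadInt32(([IntPtr]($PtrData.ToInt64() + 4)))
    }
    finally {
        [Runtime.InteropServices.Marshal]::FreeHGlobal($PtrData)
    }
    # … unchanged: $ResultHashTable, PSObject construction, Write-Output …
}
```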