Diffstat (limited to 'ReverseEngineering')
-rw-r--r-- | ReverseEngineering/ConvertTo-String.ps1 | 4 | ||||
-rw-r--r-- | ReverseEngineering/Get-ILDisassembly.format.ps1xml | 10 | ||||
-rw-r--r-- | ReverseEngineering/Get-ILDisassembly.ps1 | 13 | ||||
-rw-r--r-- | ReverseEngineering/Get-MethodAddress.ps1 | 4 | ||||
-rw-r--r-- | ReverseEngineering/Get-NtSystemInformation.format.ps1xml | 2 | ||||
-rw-r--r-- | ReverseEngineering/Get-NtSystemInformation.ps1 | 2 | ||||
-rw-r--r-- | ReverseEngineering/Get-PEB.format.ps1xml | 2 | ||||
-rw-r--r-- | ReverseEngineering/Get-PEB.ps1 | 4 | ||||
-rw-r--r-- | ReverseEngineering/Get-Strings.ps1 | 4 | ||||
-rw-r--r-- | ReverseEngineering/Get-StructFromMemory.ps1 | 4 | ||||
-rw-r--r-- | ReverseEngineering/New-Object.ps1 | bin | 4376 -> 2189 bytes | |||
-rw-r--r-- | ReverseEngineering/ProcessModuleTrace.format.ps1xml | 4 | ||||
-rw-r--r-- | ReverseEngineering/ProcessModuleTrace.ps1 | 4 | ||||
-rw-r--r-- | ReverseEngineering/ReverseEngineering.psd1 | 2 | ||||
-rw-r--r-- | ReverseEngineering/ReverseEngineering.psm1 | 2 |
15 files changed, 35 insertions, 26 deletions
diff --git a/ReverseEngineering/ConvertTo-String.ps1 b/ReverseEngineering/ConvertTo-String.ps1
index ab46c74..1c030b4 100644
--- a/ReverseEngineering/ConvertTo-String.ps1
+++ b/ReverseEngineering/ConvertTo-String.ps1
@@ -1,4 +1,4 @@
-filter ConvertTo-String
+filter ConvertTo-String
 {
 <#
 .SYNOPSIS
@@ -67,4 +67,4 @@ http://www.exploit-monday.com
 $FileStream.Close()
 Write-Output $BinaryText
-}
\ No newline at end of file
+}
diff --git a/ReverseEngineering/Get-ILDisassembly.format.ps1xml b/ReverseEngineering/Get-ILDisassembly.format.ps1xml
index f933e1e..21115d6 100644
--- a/ReverseEngineering/Get-ILDisassembly.format.ps1xml
+++ b/ReverseEngineering/Get-ILDisassembly.format.ps1xml
@@ -1,4 +1,4 @@
-<?xml version="1.0" encoding="utf-8" ?>
+<?xml version="1.0" encoding="utf-8" ?>
 <Configuration>
 <ViewDefinitions>
 <View>
@@ -18,6 +18,9 @@
 <TableColumnHeader>
 <Label>Operand</Label>
 </TableColumnHeader>
+ <TableColumnHeader>
+ <Label>MetadataToken</Label>
+ </TableColumnHeader>
 </TableHeaders>
 <TableRowEntries>
 <TableRowEntry>
@@ -31,10 +34,13 @@
 <TableColumnItem>
 <PropertyName>Operand</PropertyName>
 </TableColumnItem>
+ <TableColumnItem>
+ <ScriptBlock>if ($_.MetadataToken) {"0x$($_.MetadataToken.ToString('X8'))"}</ScriptBlock>
+ </TableColumnItem>
 </TableColumnItems>
 </TableRowEntry>
 </TableRowEntries>
 </TableControl>
 </View>
 </ViewDefinitions>
-</Configuration>
\ No newline at end of file
+</Configuration>
diff --git a/ReverseEngineering/Get-ILDisassembly.ps1 b/ReverseEngineering/Get-ILDisassembly.ps1
index 645dc39..f2022e3 100644
--- a/ReverseEngineering/Get-ILDisassembly.ps1
+++ b/ReverseEngineering/Get-ILDisassembly.ps1
@@ -68,9 +68,9 @@ Disassembles the System.Array.BinarySearch(Array, Object) method
 .INPUTS
-System.Reflection.MethodInfo
+System.Reflection.MethodInfo, System.Reflection.ConstructorInfo
-The method description containing the raw IL bytecodes.
+A method or constructor description containing the raw IL bytecodes.
.OUTPUTS
@@ -88,7 +88,8 @@ http://www.ecma-international.org/publications/files/ECMA-ST/Ecma-335.pdf
 Param (
[Parameter(Mandatory = $True, ValueFromPipeline = $True)]
- [System.Reflection.MethodInfo]
+ [ValidateScript({$_ -is [Reflection.MethodInfo] -or $_ -is [Reflection.ConstructorInfo]})]
+ [Object]
$MethodInfo
)
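Review bot: The `[Object]` parameter plus a `ValidateScript` re-implements a type check the binder could do, because `MethodInfo` and `ConstructorInfo` share the base class `System.Reflection.MethodBase`, which is also where `GetMethodBody()` is declared. Replacing the two attribute lines with `[System.Reflection.MethodBase]` keeps a static parameter type, so a bad pipeline object gets the binder's type-mismatch message instead of a generic validation failure and Get-Help shows the real accepted type; the hunk would then read `[Parameter(Mandatory = $True, ValueFromPipeline = $True)]` / `[System.Reflection.MethodBase]` / `$MethodInfo`. The body of Get-ILDisassembly that consumes `$MethodInfo` lies outside this hunk, so confirm it does not rely on MethodInfo-only members before making the swap.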
@@ -131,6 +132,7 @@ http://www.ecma-international.org/publications/files/ECMA-ST/Ecma-335.pdf
 $Type = $Op.OperandType
$Operand = $null
+ $OpInt = $null
if ($Type -eq 'InlineNone') {
$OperandLength = 0
@@ -191,13 +193,14 @@ http://www.ecma-international.org/publications/files/ECMA-ST/Ecma-335.pdf
 if (($OperandLength -gt 0) -and ($OperandLength -ne 4) -and ($Type -ne 'InlineSwitch') -and ($Type -ne 'ShortInlineBrTarget')) {
# Simply print the hex for all operands with immediate values
- $Operand = "0x{0}" -f (($IL[$Position..($Position+$OperandLength-1)] | ForEach-Object { $_.ToString('X2') }) -join '')
+ $Operand = "0x{0}" -f (($IL[($Position+$OperandLength-1)..$Position] | ForEach-Object { $_.ToString('X2') }) -join '')
}
$Instruction = @{
Position = $InstructionPostion
Instruction = $Op.Name
Operand = $Operand
+ MetadataToken = $OpInt
}
# Return a custom object containing a position, instruction, and fully-qualified operand
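Review bot: The comment above the rewritten `$Operand` line still only says the hex is printed, while the slice is now walked from `$Position+$OperandLength-1` down to `$Position`; the reason belongs in the comment, e.g. `# Immediate operands are little-endian in the IL stream; reverse the byte slice so the hex reads as the numeric value`. Separately, within the visible hunks `$OpInt` is only ever set to `$null`, so `MetadataToken = $OpInt` yields an empty column in the new format view unless the operand-type branches between the hunks at new lines 132 and 193 assign it for token-bearing operand types — worth confirming, since nothing on this page shows that assignment. The enclosing function starts and ends outside this hunk.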
@@ -209,4 +212,4 @@ http://www.ecma-international.org/publications/files/ECMA-ST/Ecma-335.pdf
 # Adjust the position in the opcode array accordingly
$Position += $OperandLength
}
-}
\ No newline at end of file
+}
diff --git a/ReverseEngineering/Get-MethodAddress.ps1 b/ReverseEngineering/Get-MethodAddress.ps1
index 4a488cf..1ab0d41 100644
--- a/ReverseEngineering/Get-MethodAddress.ps1
+++ b/ReverseEngineering/Get-MethodAddress.ps1
@@ -1,4 +1,4 @@
-function Get-MethodAddress
+function Get-MethodAddress
 {
 <#
 .SYNOPSIS
@@ -117,4 +117,4 @@ http://www.exploit-monday.com/2012/11/Get-MethodAddress.html
 {
 Write-Error "$($MethodInfo.Name) cannot return an unmanaged address."
 }
-}
\ No newline at end of file
+}
diff --git a/ReverseEngineering/Get-NtSystemInformation.format.ps1xml b/ReverseEngineering/Get-NtSystemInformation.format.ps1xml
index 41b5280..fa3ed41 100644
--- a/ReverseEngineering/Get-NtSystemInformation.format.ps1xml
+++ b/ReverseEngineering/Get-NtSystemInformation.format.ps1xml
@@ -437,4 +437,4 @@
 </ListControl>
 </View>
 </ViewDefinitions>
-</Configuration>
\ No newline at end of file
+</Configuration>
diff --git a/ReverseEngineering/Get-NtSystemInformation.ps1 b/ReverseEngineering/Get-NtSystemInformation.ps1
index bb0871a..2bde8f6 100644
--- a/ReverseEngineering/Get-NtSystemInformation.ps1
+++ b/ReverseEngineering/Get-NtSystemInformation.ps1
@@ -1,4 +1,4 @@
-function Get-NtSystemInformation
+function Get-NtSystemInformation
 {
 <#
 .SYNOPSIS
diff --git a/ReverseEngineering/Get-PEB.format.ps1xml b/ReverseEngineering/Get-PEB.format.ps1xml
index 3d075eb..59b5362 100644
--- a/ReverseEngineering/Get-PEB.format.ps1xml
+++ b/ReverseEngineering/Get-PEB.format.ps1xml
@@ -1207,4 +1207,4 @@
 </ListControl>
</View>
</ViewDefinitions>
-</Configuration>
\ No newline at end of file
+</Configuration>
diff --git a/ReverseEngineering/Get-PEB.ps1 b/ReverseEngineering/Get-PEB.ps1
index 86e064d..7ec5089 100644
--- a/ReverseEngineering/Get-PEB.ps1
+++ b/ReverseEngineering/Get-PEB.ps1
@@ -1,4 +1,4 @@
-function Get-PEB
+function Get-PEB
{
<#
.SYNOPSIS
@@ -1089,4 +1089,4 @@ http://msdn.microsoft.com/en-us/library/windows/desktop/aa813706(v=vs.85).aspx
 END{}
-}
\ No newline at end of file
+}
diff --git a/ReverseEngineering/Get-Strings.ps1 b/ReverseEngineering/Get-Strings.ps1
index 7acb9f1..2cb971c 100644
--- a/ReverseEngineering/Get-Strings.ps1
+++ b/ReverseEngineering/Get-Strings.ps1
@@ -1,4 +1,4 @@
-function Get-Strings
+function Get-Strings
{
<#
.SYNOPSIS
@@ -95,4 +95,4 @@ http://www.exploit-monday.com
 }
}
END {}
-}
\ No newline at end of file
+}
diff --git a/ReverseEngineering/Get-StructFromMemory.ps1 b/ReverseEngineering/Get-StructFromMemory.ps1
index c32c190..68f7651 100644
--- a/ReverseEngineering/Get-StructFromMemory.ps1
+++ b/ReverseEngineering/Get-StructFromMemory.ps1
@@ -1,4 +1,4 @@
-function Get-StructFromMemory
+function Get-StructFromMemory
{
<#
.SYNOPSIS
@@ -200,4 +200,4 @@ http://www.exploit-monday.com
 $SafeHandle.Close()
Write-Output $ParsedStruct
-}
\ No newline at end of file
+}
diff --git a/ReverseEngineering/New-Object.ps1 b/ReverseEngineering/New-Object.ps1
Binary files differ
index 77b24f6..52c38c8 100644
--- a/ReverseEngineering/New-Object.ps1
+++ b/ReverseEngineering/New-Object.ps1
diff --git a/ReverseEngineering/ProcessModuleTrace.format.ps1xml b/ReverseEngineering/ProcessModuleTrace.format.ps1xml
index fbad0b9..ffb6761 100644
--- a/ReverseEngineering/ProcessModuleTrace.format.ps1xml
+++ b/ReverseEngineering/ProcessModuleTrace.format.ps1xml
@@ -1,4 +1,4 @@
-<?xml version="1.0" encoding="utf-8" ?>
+<?xml version="1.0" encoding="utf-8" ?>
 <Configuration>
 <ViewDefinitions>
 <View>
@@ -33,4 +33,4 @@
 </ListControl>
 </View>
 </ViewDefinitions>
-</Configuration>
\ No newline at end of file
+</Configuration>
diff --git a/ReverseEngineering/ProcessModuleTrace.ps1 b/ReverseEngineering/ProcessModuleTrace.ps1
index 3eb57a7..85f7105 100644
--- a/ReverseEngineering/ProcessModuleTrace.ps1
+++ b/ReverseEngineering/ProcessModuleTrace.ps1
@@ -1,4 +1,4 @@
-function Register-ProcessModuleTrace
+function Register-ProcessModuleTrace
 {
 <#
 .SYNOPSIS
@@ -100,4 +100,4 @@ function Unregister-ProcessModuleTrace
 #>
 Unregister-Event -SourceIdentifier 'ModuleLoaded'
-}
\ No newline at end of file
+}
diff --git a/ReverseEngineering/ReverseEngineering.psd1 b/ReverseEngineering/ReverseEngineering.psd1
index b7da355..de364e1 100644
--- a/ReverseEngineering/ReverseEngineering.psd1
+++ b/ReverseEngineering/ReverseEngineering.psd1
@@ -1,4 +1,4 @@
-@{
+@{
# Script module or binary module file associated with this manifest.
ModuleToProcess = 'ReverseEngineering.psm1'
diff --git a/ReverseEngineering/ReverseEngineering.psm1 b/ReverseEngineering/ReverseEngineering.psm1
index 5bb81d3..81d3818 100644
--- a/ReverseEngineering/ReverseEngineering.psm1
+++ b/ReverseEngineering/ReverseEngineering.psm1
@@ -1 +1 @@
-Get-ChildItem (Join-Path $PSScriptRoot *.ps1) | % { . $_.FullName}
\ No newline at end of file
+Get-ChildItem (Join-Path $PSScriptRoot *.ps1) | % { . $_.FullName} |