Diffstat (limited to 'ReverseEngineering')
-rw-r--r--ReverseEngineering/ConvertTo-String.ps170
-rw-r--r--ReverseEngineering/Get-Entropy.ps1106
-rw-r--r--ReverseEngineering/Get-ILDisassembly.format.ps1xml46
-rw-r--r--ReverseEngineering/Get-ILDisassembly.ps1215
-rw-r--r--ReverseEngineering/Get-Member.ps1369
-rw-r--r--ReverseEngineering/Get-MethodAddress.ps1120
-rw-r--r--ReverseEngineering/Get-NtSystemInformation.format.ps1xml440
-rw-r--r--ReverseEngineering/Get-NtSystemInformation.ps11082
-rw-r--r--ReverseEngineering/Get-PEB.format.ps1xml1210
-rw-r--r--ReverseEngineering/Get-PEB.ps11092
-rw-r--r--ReverseEngineering/Get-Strings.ps198
-rw-r--r--ReverseEngineering/Get-StructFromMemory.ps1203
-rw-r--r--ReverseEngineering/ProcessModuleTrace.format.ps1xml36
-rw-r--r--ReverseEngineering/ProcessModuleTrace.ps1103
-rw-r--r--ReverseEngineering/ReverseEngineering.psd191
-rw-r--r--ReverseEngineering/ReverseEngineering.psm11
-rw-r--r--ReverseEngineering/Usage.md12
17 files changed, 0 insertions, 5294 deletions
diff --git a/ReverseEngineering/ConvertTo-String.ps1 b/ReverseEngineering/ConvertTo-String.ps1
deleted file mode 100644
index 1c030b4..0000000
--- a/ReverseEngineering/ConvertTo-String.ps1
+++ /dev/null
@@ -1,70 +0,0 @@
-filter ConvertTo-String
-{
-<#
-.SYNOPSIS
-
-Converts the bytes of a file to a string.
-
-PowerSploit Function: ConvertTo-String
-Author: Matthew Graeber (@mattifestation)
-License: BSD 3-Clause
-Required Dependencies: None
-Optional Dependencies: None
-
-.DESCRIPTION
-
-ConvertTo-String converts the bytes of a file to a string that has a
-1-to-1 mapping back to the file's original bytes. ConvertTo-String is
-useful for performing binary regular expressions.
-
-.PARAMETER Path
-
-Specifies the path to the file to convert.
-
-.EXAMPLE
-
-PS C:\>$BinaryString = ConvertTo-String C:\Windows\SysWow64\kernel32.dll
-PS C:\>$HotpatchableRegex = [Regex] '[\xCC\x90]{5}\x8B\xFF'
-PS C:\>$HotpatchableRegex.Matches($BinaryString)
-
-Description
------------
-Converts kernel32.dll into a string. A binary regular expression is
-then performed on the string searching for a hotpatchable code
-sequence - i.e. 5 nop/int3 followed by a mov edi, edi instruction.
-
-.NOTES
-
-The intent of ConvertTo-String is not to replicate the functionality
-of strings.exe, rather it is intended to be used when
-performing regular expressions on binary data.
-
-.LINK
-
-http://www.exploit-monday.com
-#>
-
- [OutputType([String])]
- Param (
- [Parameter( Mandatory = $True,
- Position = 0,
- ValueFromPipeline = $True )]
- [ValidateScript({-not (Test-Path $_ -PathType Container)})]
- [String]
- $Path
- )
-
- $FileStream = New-Object -TypeName IO.FileStream -ArgumentList (Resolve-Path $Path), 'Open', 'Read'
-
- # Note: Codepage 28591 returns a 1-to-1 char to byte mapping
- $Encoding = [Text.Encoding]::GetEncoding(28591)
-
- $StreamReader = New-Object IO.StreamReader($FileStream, $Encoding)
-
- $BinaryText = $StreamReader.ReadToEnd()
-
- $StreamReader.Close()
- $FileStream.Close()
-
- Write-Output $BinaryText
-}
diff --git a/ReverseEngineering/Get-Entropy.ps1 b/ReverseEngineering/Get-Entropy.ps1
deleted file mode 100644
index 42e5d28..0000000
--- a/ReverseEngineering/Get-Entropy.ps1
+++ /dev/null
@@ -1,106 +0,0 @@
-function Get-Entropy
-{
-<#
-.SYNOPSIS
-
- Calculates the entropy of a file or byte array.
-
- PowerSploit Function: Get-Entropy
- Author: Matthew Graeber (@mattifestation)
- License: BSD 3-Clause
- Required Dependencies: None
- Optional Dependencies: None
-
-.PARAMETER ByteArray
-
- Specifies the byte array containing the data from which entropy will be calculated.
-
-.PARAMETER FilePath
-
- Specifies the path to the input file from which entropy will be calculated.
-
-.EXAMPLE
-
- C:\PS>Get-Entropy -FilePath C:\Windows\System32\kernel32.dll
-
-.EXAMPLE
-
- C:\PS>ls C:\Windows\System32\*.dll | % { Get-Entropy -FilePath $_ }
-
-.EXAMPLE
-
- C:\PS>$RandArray = New-Object Byte[](10000)
- C:\PS>foreach ($Offset in 0..9999) { $RandArray[$Offset] = [Byte] (Get-Random -Min 0 -Max 256) }
- C:\PS>$RandArray | Get-Entropy
-
- Description
- -----------
- Calculates the entropy of a large array containing random bytes.
-
-.EXAMPLE
-
- C:\PS> 0..255 | Get-Entropy
-
- Description
- -----------
- Calculates the entropy of 0-255. This should equal exactly 8.
-
-.OUTPUTS
-
- System.Double
-
- Get-Entropy outputs a double representing the entropy of the byte array.
-
-.LINK
-
- http://www.exploit-monday.com
-#>
-
- [CmdletBinding()] Param (
- [Parameter(Mandatory = $True, Position = 0, ValueFromPipeline = $True, ParameterSetName = 'Bytes')]
- [ValidateNotNullOrEmpty()]
- [Byte[]]
- $ByteArray,
-
- [Parameter(Mandatory = $True, Position = 0, ParameterSetName = 'File')]
- [ValidateNotNullOrEmpty()]
- [IO.FileInfo]
- $FilePath
- )
-
- BEGIN
- {
- $FrequencyTable = @{}
- $ByteArrayLength = 0
- }
-
- PROCESS
- {
- if ($PsCmdlet.ParameterSetName -eq 'File')
- {
- $ByteArray = [IO.File]::ReadAllBytes($FilePath.FullName)
- }
-
- foreach ($Byte in $ByteArray)
- {
- $FrequencyTable[$Byte]++
- $ByteArrayLength++
- }
- }
-
- END
- {
- $Entropy = 0.0
-
- foreach ($Byte in 0..255)
- {
- $ByteProbability = ([Double] $FrequencyTable[[Byte]$Byte]) / $ByteArrayLength
- if ($ByteProbability -gt 0)
- {
- $Entropy += -$ByteProbability * [Math]::Log($ByteProbability, 2)
- }
- }
-
- Write-Output $Entropy
- }
-} \ No newline at end of file
diff --git a/ReverseEngineering/Get-ILDisassembly.format.ps1xml b/ReverseEngineering/Get-ILDisassembly.format.ps1xml
deleted file mode 100644
index 21115d6..0000000
--- a/ReverseEngineering/Get-ILDisassembly.format.ps1xml
+++ /dev/null
@@ -1,46 +0,0 @@
-<?xml version="1.0" encoding="utf-8" ?>
-<Configuration>
- <ViewDefinitions>
- <View>
- <Name>ILInstructionView</Name>
- <ViewSelectedBy>
- <TypeName>IL_INSTRUCTION</TypeName>
- </ViewSelectedBy>
- <TableControl>
- <AutoSize/>
- <TableHeaders>
- <TableColumnHeader>
- <Label>Position</Label>
- </TableColumnHeader>
- <TableColumnHeader>
- <Label>Instruction</Label>
- </TableColumnHeader>
- <TableColumnHeader>
- <Label>Operand</Label>
- </TableColumnHeader>
- <TableColumnHeader>
- <Label>MetadataToken</Label>
- </TableColumnHeader>
- </TableHeaders>
- <TableRowEntries>
- <TableRowEntry>
- <TableColumnItems>
- <TableColumnItem>
- <PropertyName>Position</PropertyName>
- </TableColumnItem>
- <TableColumnItem>
- <PropertyName>Instruction</PropertyName>
- </TableColumnItem>
- <TableColumnItem>
- <PropertyName>Operand</PropertyName>
- </TableColumnItem>
- <TableColumnItem>
- <ScriptBlock>if ($_.MetadataToken) {"0x$($_.MetadataToken.ToString('X8'))"}</ScriptBlock>
- </TableColumnItem>
- </TableColumnItems>
- </TableRowEntry>
- </TableRowEntries>
- </TableControl>
- </View>
- </ViewDefinitions>
-</Configuration>
diff --git a/ReverseEngineering/Get-ILDisassembly.ps1 b/ReverseEngineering/Get-ILDisassembly.ps1
deleted file mode 100644
index 6948919..0000000
--- a/ReverseEngineering/Get-ILDisassembly.ps1
+++ /dev/null
@@ -1,215 +0,0 @@
-function Get-ILDisassembly
-{
-<#
-.SYNOPSIS
-
-A MSIL (Microsoft Intermediate Language) disassembler.
-
-PowerSploit Function: Get-ILDisassembly
-Author: Matthew Graeber (@mattifestation)
-License: BSD 3-Clause
-Required Dependencies: None
-Optional Dependencies: None
-
-.DESCRIPTION
-
-Get-ILDisassembly disassembles a raw MSIL byte array passed in from a MethodInfo object in a manner similar to that of Ildasm.
-
-The majority of this code was simply translated from C# (with permission) from a code example taken from: "C# 4.0 in a Nutshell", Copyright 2010, Joseph Albahari and Ben Albahari, pg. 728-733
-
-.PARAMETER MethodInfo
-
-A MethodInfo object that describes the implementation of the method and contains the IL for the method.
-
-.EXAMPLE
-
-C:\PS> [Int].GetMethod('Parse', [String]) | Get-ILDisassembly | Format-Table Position, Instruction, Operand -AutoSize
-
-Position Instruction Operand
--------- ----------- -------
-IL_0000 ldarg.0
-IL_0001 ldc.i4.7
-IL_0002 call System.Globalization.NumberFormatInfo.get_CurrentInfo
-IL_0007 call System.Number.ParseInt32
-IL_000C ret
-
-Description
------------
-Disassembles the System.Int32.Parse(String) method
-
-.EXAMPLE
-
-C:\PS> $MethodInfo = [Array].GetMethod('BinarySearch', [Type[]]([Array], [Object]))
-C:\PS> Get-ILDisassembly $MethodInfo | Format-Table Position, Instruction, Operand -AutoSize
-
-Position Instruction Operand
--------- ----------- -------
-IL_0000 ldarg.0
-IL_0001 brtrue.s IL_000E
-IL_0003 ldstr 'array'
-IL_0008 newobj System.ArgumentNullException..ctor
-IL_000D throw
-IL_000E ldarg.0
-IL_000F ldc.i4.0
-IL_0010 callvirt System.Array.GetLowerBound
-IL_0015 stloc.0
-IL_0016 ldarg.0
-IL_0017 ldloc.0
-IL_0018 ldarg.0
-IL_0019 callvirt System.Array.get_Length
-IL_001E ldarg.1
-IL_001F ldnull
-IL_0020 call System.Array.BinarySearch
-IL_0025 ret
-
-Description
------------
-Disassembles the System.Array.BinarySearch(Array, Object) method
-
-.INPUTS
-
-System.Reflection.MethodInfo, System.Reflection.ConstructorInfo
-
-A method or constructor description containing the raw IL bytecodes.
-
-.OUTPUTS
-
-System.Object
-
-Returns a custom object consisting of a position, instruction, and opcode parameter.
-
-.LINK
-
-http://www.exploit-monday.com
-http://www.albahari.com/nutshell/cs4ch18.aspx
-http://msdn.microsoft.com/en-us/library/system.reflection.emit.opcodes.aspx
-http://www.ecma-international.org/publications/files/ECMA-ST/Ecma-335.pdf
-#>
-
- Param (
- [Parameter(Mandatory = $True, ValueFromPipeline = $True)]
- [ValidateScript({$_ -is [Reflection.MethodInfo] -or $_ -is [Reflection.ConstructorInfo]})]
- [Object]
- $MethodInfo
- )
-
- if (!($MethodInfo.GetMethodBody())) {
- return
- }
-
- $IL = $MethodInfo.GetMethodBody().GetILAsByteArray()
- $MethodModule = $MethodInfo.DeclaringType.Module
-
- $OpCodeTable = @{}
-
- # Fill OpCodeTable with every OpCode so that it can be referenced by numeric byte value
- [System.Reflection.Emit.OpCodes].GetMembers() |
- ForEach-Object {
- try {
- $OpCode = $_.GetValue($null)
- $OpCodeTable[[Int16] $OpCode.Value] = $OpCode
- } catch {}
- }
-
- $Position = 0
-
- # Disassemble every instruction until the end of the IL bytecode array is reached
- while ($Position -lt $IL.Length) {
-
- # Get current instruction position
- $InstructionPostion = "IL_{0}" -f ($Position.ToString('X4'))
-
- if ($IL[$Position] -eq 0xFE) {
- # You are dealing with a two-byte opcode in this case
- $Op = $OpCodeTable[[Int16] ([BitConverter]::ToInt16($IL[($Position+1)..$Position], 0))]
- $Position++
- } else {
- # Otherwise, it's a one-byte opcode
- $Op = $OpCodeTable[[Int16] $IL[$Position]]
- }
-
- $Position++
-
- $Type = $Op.OperandType
- $Operand = $null
- $OpInt = $null
-
- if ($Type -eq 'InlineNone') {
- $OperandLength = 0
- } elseif (($Type -eq 'ShortInlineBrTarget') -or ($Type -eq 'ShortInlineI') -or ($Type -eq 'ShortInlineVar')) {
- $OperandLength = 1
-
- if ($Type -eq 'ShortInlineBrTarget') { # Short relative jump instruction
- # [SByte]::Parse was used because PowerShell doesn't handle signed bytes well
- $Target = $Position + ([SByte]::Parse($IL[$Position].ToString('X2'), 'AllowHexSpecifier')) + 1
- $Operand = "IL_{0}" -f ($Target.ToString('X4'))
- }
- } elseif ($Type -eq 'InlineVar') {
- $OperandLength = 2
- } elseif (($Type -eq 'InlineI8') -or (($Type -eq 'InlineR'))) {
- $OperandLength = 8
- } elseif ($Type -eq 'InlineSwitch') {
- # This is the only operand type with a variable number of operands
- $TargetCount = [BitConverter]::ToInt32($IL, $Position)
- $OperandLength = 4 * ($TargetCount + 1)
- $Targets = New-Object String[]($TargetCount)
-
- foreach ($i in 0..($TargetCount - 1)) {
- # Get all switch jump targets
- $Target = [BitConverter]::ToInt32($IL, ($Position + ($i + 1) * 4))
- $Targets[$i] = "IL_{0}" -f (($Position + $Target + $OperandLength).ToString('X4'))
- }
-
- $Operand = "({0})" -f ($Targets -join ',')
- } else {
- $OperandLength = 4
- $Operand = $null
-
- $OpInt = [BitConverter]::ToInt32($IL, $Position)
-
- if (($Type -eq 'InlineTok') -or ($Type -eq 'InlineMethod') -or ($Type -eq 'InlineField') -or ($Type -eq 'InlineType')) {
- # Resolve all operands with metadata tokens
- Write-Verbose "OpCode Metadata for member: $OpInt"
- try { $MemberInfo = $MethodModule.ResolveMember($OpInt) } catch { $Operand = $null }
- if (!$MemberInfo) { $Operand = $null }
-
- # Retrieve the actual name of the class and method
- if ($MemberInfo.ReflectedType) {
- $Operand = "{0}.{1}" -f ($MemberInfo.ReflectedType.Fullname), ($MemberInfo.Name)
- } elseif ($MemberInfo -is [Type]) {
- $Operand = $MemberInfo.GetType().FullName
- } else {
- $Operand = $MemberInfo.Name
- }
- } elseif ($Type -eq 'InlineString') {
- # Retrieve the referenced string
- $Operand = "`'{0}`'" -f ($MethodModule.ResolveString($OpInt))
- } elseif ($Type -eq 'InlineBrTarget') {
- $Operand = "IL_{0}" -f (($Position + $OpInt + 4).ToString('X4'))
- } else {
- $Operand = $null
- }
- }
-
- if (($OperandLength -gt 0) -and ($OperandLength -ne 4) -and ($Type -ne 'InlineSwitch') -and ($Type -ne 'ShortInlineBrTarget')) {
- # Simply print the hex for all operands with immediate values
- $Operand = "0x{0}" -f (($IL[($Position+$OperandLength-1)..$Position] | ForEach-Object { $_.ToString('X2') }) -join '')
- }
-
- $Instruction = @{
- Position = $InstructionPostion
- Instruction = $Op
- Operand = $Operand
- MetadataToken = $OpInt
- }
-
- # Return a custom object containing a position, instruction, and fully-qualified operand
- $InstructionObject = New-Object PSObject -Property $Instruction
- $InstructionObject.PSObject.TypeNames.Insert(0, 'IL_INSTRUCTION')
-
- $InstructionObject
-
- # Adjust the position in the opcode array accordingly
- $Position += $OperandLength
- }
-}
diff --git a/ReverseEngineering/Get-Member.ps1 b/ReverseEngineering/Get-Member.ps1
deleted file mode 100644
index 2f04deb..0000000
--- a/ReverseEngineering/Get-Member.ps1
+++ /dev/null
@@ -1,369 +0,0 @@
-function Get-Member
-{
-<#
-.SYNOPSIS
-
-Gets the properties and methods of objects.
-
-PowerSploit Proxy Function: Get-Member
-Author: Matthew Graeber (@mattifestation)
-License: BSD 3-Clause (Except for the help documentation derived from the original Get-Member)
-Required Dependencies: None
-Optional Dependencies: None
-
-.DESCRIPTION
-
-The Get-Member cmdlet gets the "members" (properties and methods) of objects.
-
-To specify the object, use the InputObject parameter or pipe an object to Get-Member. To retrieve information about static members (members of the class, not of the instance), use the Static parameter. To get only certain types of members, such as NoteProperties, use the MemberType parameter.
-
-.PARAMETER Private
-
-Gets only the non-public members of the object.
-
-These members are typically not exposed and are extracted using reflection.
-
-.PARAMETER Static
-
-Gets only the static properties and methods of the object.
-
-Static properties and methods are defined on the class of objects, not on any particular instance of the class.
-
-If you use the Static parameter with the View parameter, the View parameter is ignored. If you use the Static parameter with the MemberType parameter, Get-Member gets only the members that belong to both sets.
-
-.PARAMETER Force
-
-Adds the intrinsic members (PSBase, PSAdapted, PSObject, PSTypeNames) and the compiler-generated get_, set_, op_, .ctor, and .cctor methods to the display. By default, Get-Member gets these properties in all views other than "Base" and "Adapted," but it does not display them.
-
-The following list describes the properties that are added when you use the Force parameter:
-
--- PSBase: The original properties of the .NET Framework object without extension or adaptation. These are the properties defined for the object class and listed in MSDN.
--- PSAdapted: The properties and methods defined in the Windows PowerShell extended type system.
--- PSExtended: The properties and methods that were added in the Types.ps1xml files or by using the Add-Member cmdlet.
--- PSObject: The adapter that converts the base object to a Windows PowerShell PSObject object.
--- PSTypeNames: A list of object types that describe the object, in order of specificity. When formatting the object, Windows PowerShell searches for the types in the Format.ps1xml files in the Windows PowerShell installation directory ($pshome). It uses the formatting definition for the first type that it finds.
--- get_*: The object's getter methods
--- set_*: The object's setter methods
--- op_*: The object's operator methods
--- .ctor: The object's constructor
--- .cctor: The object's copy constructor
-
-.PARAMETER InputObject
-
-Specifies the object whose members are retrieved.
-
-Using the InputObject parameter is not the same as piping an object to Get-Member. The differences are as follows:
-
--- When you pipe a collection of objects to Get-Member, Get-Member gets the members of the individual objects in the collection, such as the properties of the integers in an array of integers.
-
--- When you use InputObject to submit a collection of objects, Get-Member gets the members of the collection, such as the properties of the array in an array of integers.
-
-.PARAMETER PrivateMemberType
-
-When the 'Private' parameter is specified, only members with the specified member type. The default is All.
-
-The valid values for this parameter are:
-
--- Constructor: A constructor method of the underlying .NET Framework object.
--- Event: Indicates that the object sends a message to indicate an action or a change in state.
--- Field: A private field of the underlying .NET Framework object.
--- Method: A method of the underlying .NET Framework object.
--- Property: A property of the underlying .NET Framework object.
--- TypeInfo: A type of the underlying .NET Framework object.
--- Custom: A custom member type
--- NestedType: A nested type of the underlying .NET Framework object.
-
--- All: Gets all member types.
-
-.PARAMETER MemberType
-
-Gets only members with the specified PowerShell member type. The default is All.
-
-The valid values for this parameter are:
-
--- AliasProperty: A property that defines a new name for an existing property.
--- CodeMethod: A method that references a static method of a .NET Framework class.
--- CodeProperty: A property that references a static property of a .NET Framework class.
--- Event: Indicates that the object sends a message to indicate an action or a change in state.
--- MemberSet: A predefined collection of properties and methods, such as PSBase, PSObject, and PSTypeNames.
--- Method: A method of the underlying .NET Framework object.
--- NoteProperty: A property with a static value.
--- ParameterizedProperty: A property that takes parameters and parameter values.
--- Property: A property of the underlying .NET Framework object.
--- PropertySet: A predefined collection of object properties.
--- ScriptMethod: A method whose value is the output of a script.
--- ScriptProperty: A property whose value is the output of a script.
-
--- All: Gets all member types.
--- Methods: Gets all types of methods of the object (for example, Method, CodeMethod, ScriptMethod).
--- Properties: Gets all types of properties of the object (for example, Property, CodeProperty, AliasProperty, ScriptProperty).
-
-Not all objects have every type of member. If you specify a member type that the object does not have, Windows PowerShell returns a null value.
-
-To get related types of members, such as all extended members, use the View parameter. If you use the MemberType parameter with the Static or View parameters, Get-Member gets the members that belong to both sets.
-
-.PARAMETER Name
-
-Specifies the names of one or more properties or methods of the object. Get-Member gets only the specified properties and methods.
-
-If you use the Name parameter with the MemberType, View, or Static parameters, Get-Member gets only the members that satisfy the criteria of all parameters.
-
-To get a static member by name, use the Static parameter with the Name parameter.
-
-.PARAMETER View
-
-Gets only particular types of members (properties and methods). Specify one or more of the values. The default is "Adapted, Extended".
-
-Valid values are:
--- Base: Gets only the original properties and methods of the .NET Framework object (without extension or adaptation).
--- Adapted: Gets only the properties and methods defined in the Windows PowerShell extended type system.
--- Extended: Gets only the properties and methods that were added in the Types.ps1xml files or by using the Add-Member cmdlet.
--- All: Gets the members in the Base, Adapted, and Extended views.
-
-The View parameter determines the members retrieved, not just the display of those members.
-
-To get particular member types, such as script properties, use the MemberType parameter. If you use the MemberType and View parameters in the same command, Get-Member gets the members that belong to both sets. If you use the Static and View parameters in the same command, the View parameter is ignored.
-
-.EXAMPLE
-
-C:\PS> [String] | Get-Member -Static -Private
-
-Description
------------
-Returns all staic, non-public members of the String class.
-
-.EXAMPLE
-
-C:\PS> [Diagnostics.Process] | Get-Member -Private -PrivateMemberType Method
-
-Description
------------
-Returns all non-public instance methods of the Diagnostics.Process class
-
-.EXAMPLE
-
-C:\PS> "Hello, World" | Get-Member -Private -Force
-
-Description
------------
-Returns all instance members including those with special names (like .ctor) of the string instance
-
-.LINK
-
-http://www.exploit-monday.com/2012/08/surgical-net-dissection.html
-
-#>
- [CmdletBinding(DefaultParameterSetName = 'Default')]
- Param (
- [Parameter(ValueFromPipeline=$true, ParameterSetName = 'Default')]
- [Parameter(ValueFromPipeline=$true, ParameterSetName = 'Private')]
- [System.Management.Automation.PSObject]
- $InputObject,
-
- [Parameter(Position=0, ParameterSetName = 'Default')]
- [Parameter(Position=0, ParameterSetName = 'Private')]
- [ValidateNotNullOrEmpty()]
- [System.String[]]
- $Name,
-
- [Parameter(ParameterSetName = 'Default')]
- [Alias('Type')]
- [System.Management.Automation.PSMemberTypes]
- $MemberType,
-
- [Parameter(ParameterSetName = 'Private')]
- [System.Reflection.MemberTypes]
- $PrivateMemberType = [System.Reflection.MemberTypes]::All,
-
- [Parameter(ParameterSetName = 'Default')]
- [System.Management.Automation.PSMemberViewTypes]
- $View,
-
- [Parameter(ParameterSetName = 'Default')]
- [Parameter(ParameterSetName = 'Private')]
- [Switch]
- $Static,
-
- [Parameter(ParameterSetName = 'Default')]
- [Parameter(ParameterSetName = 'Private')]
- [Switch]
- $Force,
-
- [Parameter(ParameterSetName = 'Private')]
- [Switch]
- $Private
- )
-
- BEGIN
- {
- try {
- $outBuffer = $null
- if ($PSBoundParameters.TryGetValue('OutBuffer', [ref]$outBuffer))
- {
- $PSBoundParameters['OutBuffer'] = 1
- }
- $wrappedCmd = $ExecutionContext.InvokeCommand.GetCommand('Microsoft.PowerShell.Utility\Get-Member', [System.Management.Automation.CommandTypes]::Cmdlet)
- # Redirect the output of the command to $out variable
- $null = $PSBoundParameters.Add('OutVariable', 'out')
- # Redirect original output to $null
- if ($PSBoundParameters['Private']) {
- $null = $PSBoundParameters.Remove('Private')
- $Private = $True
- }
- if ($PSBoundParameters['PrivateMemberType']) {
- $PrivateMemberType = $PSBoundParameters['PrivateMemberType']
- $null = $PSBoundParameters.Remove('PrivateMemberType')
- }
- $scriptCmd = {& $wrappedCmd @PSBoundParameters | Out-Null }
- $steppablePipeline = $scriptCmd.GetSteppablePipeline($myInvocation.CommandOrigin)
- $steppablePipeline.Begin($PSCmdlet)
- } catch {
- }
- }
-
- PROCESS
- {
- try {
- $steppablePipeline.Process($_)
- } catch {
- }
- }
-
- END
- {
- try {
- $steppablePipeline.End()
- if ($Private) {
-
- $Object = $PSBoundParameters['InputObject']
- if ($Object.GetType().FullName -ne 'System.RuntimeType') {
- # If InputObject is an instance of an object, get its type
- # Otherwise, it's assumed that what was passed in was already a type
- $Object = $Object.GetType()
- }
-
- if ($PSBoundParameters['Static']) {
- $Flags = 'Static, NonPublic'
-
- # Retrieve all static, nonpublic members except for constructors
- $Types = foreach ($Val in [Enum]::GetValues([System.Reflection.MemberTypes])) {
- $Object.GetMembers($Flags) | Where-Object { ($_.MemberType -eq ($Val.value__ -band $PrivateMemberType)) -and ($Val -ne [System.Reflection.MemberTypes]::All) -and ($_.MemberType -ne 'Constructor') }
- }
-
- # Retrieve all static constructors (both public and nonpublic)
- # Public constructors are retrieved because the original 'Get-Member -Force' does not retrieve constructors
- $Types += $Object.GetConstructors('Static, NonPublic, Public')
- } else {
- $Flags = 'Instance, NonPublic'
-
- # Retrieve all instance, nonpublic members except for constructors
- $Types = foreach ($Val in [Enum]::GetValues([System.Reflection.MemberTypes])) {
- $Object.GetMembers($Flags) | Where-Object { ($_.MemberType -eq ($Val.value__ -band $PrivateMemberType)) -and ($Val -ne [System.Reflection.MemberTypes]::All) -and ($_.MemberType -ne 'Constructor') }
- }
-
- # Retrieve all instance constructors (both public and nonpublic)
- # Public constructors are retrieved because the original 'Get-Member -Force' does not retrieve constructors
- $Types += $Object.GetConstructors('Instance, NonPublic, Public')
- }
-
- # Filter out types with special names if '-Force' is not specified
- if (!$Force) {
- $Types = $Types | Where-Object { !$_.IsSpecialName }
- }
-
- $TypeTable = @{}
-
- # For each type, build an array of object equivalent to an array of Microsoft.PowerShell.Commands.MemberDefinition objects.
- # An array of custom objects is required because the MemberDefinition object doesn't take System.Reflection.MemberTypes
- # objects in its constructor.
- $Results = $Types | ForEach-Object {
-
- $Type = $_
-
- switch ($Type.MemberType) {
- 'Constructor' {
- $Parameters = ($Type.GetParameters() | % {$_.ParameterType.FullName}) -join ', '
- $Definition = "$(if ($Type.IsStatic){'static '})$($Type.Name)($($Parameters))"
- }
- 'Field' {
- $Definition = "$(if ($Type.IsStatic){'static '})$($Type.FieldType)"
- }
- 'Method' {
- $Parameters = ($Type.GetParameters() | % {$_.ParameterType.FullName}) -join ', '
- $Definition = "$(if ($Type.IsStatic){'static '})$($Type.ReturnType) $($Type.Name)($($Parameters))"
- }
- 'Property' {
- $Definition = "$(if ($Type.IsStatic){'static '})$($Type.PropertyType) $($Type.Name) {$(if ($Type.CanRead){'get;'})$(if ($Type.CanWrite){'set;'})}"
- }
- 'NestedType' {
- $Definition = "$(if ($Type.IsStatic){'static '})$($Type.FullName) BaseType=$($Type.BaseType)"
- }
- 'Event' {
- $Parameters = ($Type.GetAddMethod().GetParameters() | % {$_.ParameterType.FullName}) -join ', '
- $Definition = "$(if ($Type.IsStatic){'static '})$($Type.EventHandlerType) $($Type.Name)(System.Object, $($Parameters))"
- }
- }
-
- # Identical properties as the Microsoft.PowerShell.Commands.MemberDefinition object
- $InternalMemberType = @{
- TypeName = $Type.DeclaringType.FullName
- Name = $Type.Name
- MemberType = $Type.MemberType
- Definition = $Definition
- }
-
- New-Object PSObject -Property $InternalMemberType
- }
-
- # For members with the same name, compress them into an array that will be stored in a hashtable
- $Results | ForEach-Object {
- $TypeTable["$($_.Name)"] += @($_)
- }
-
- $Results = foreach ($Type in $TypeTable.Keys) {
- $ReturnType = @{
- TypeName = $TypeTable[$Type][0].TypeName
- Name = $TypeTable[$Type][0].Name
- MemberType = $TypeTable[$Type][0].MemberType
- # Append each definition into a single definition.
- # This behavior is indentical to what the unmodified
- # Get-Member does.
- Definition = ($TypeTable[$Type] | ForEach-Object { $_.Definition }) -join ', '
- }
-
- $MemberDef = New-Object PSObject -Property $ReturnType
- <#
- Cool trick. Even though the custom object is actually a Microsoft.PowerShell.Commands.MemberDefinition
- object, you can trick it into thinking it is so that it will display the same way the result of the
- original Get-Member cmdlet would.
- #>
- $MemberDef.PSObject.TypeNames.Insert(0, 'Microsoft.PowerShell.Commands.MemberDefinition')
- $MemberDef
- }
-
- # If '-Name' parameter is specified, only return members matching the name specified
- if ($PSBoundParameters['Name']) {
- $MemberNames = [String[]] $PSBoundParameters['Name']
-
- $Tmp = New-Object PSObject[](0)
-
- foreach ($MemberName in $MemberNames) {
- $Tmp += $Results | Where-Object { $_.Name -eq $MemberName }
- }
-
- $Results = $Tmp
- }
-
- # Return the results if the results are non-null
- if ($Results.Count) {
- $Results | Sort-Object TypeName, MemberType, Name
- }
- } else {
- # If '-Private' is not set, return the results of the original Get-Member cmdlet
- $out | Sort-Object TypeName, MemberType, Name
- }
- } catch {
- }
- }
-}
-
diff --git a/ReverseEngineering/Get-MethodAddress.ps1 b/ReverseEngineering/Get-MethodAddress.ps1
deleted file mode 100644
index 1ab0d41..0000000
--- a/ReverseEngineering/Get-MethodAddress.ps1
+++ /dev/null
@@ -1,120 +0,0 @@
-function Get-MethodAddress
-{
-<#
-.SYNOPSIS
-
-Get the unmanaged function address of a .NET method.
-
-PowerSploit Function: Get-MethodAddress
-Author: Matthew Graeber (@mattifestation)
-License: BSD 3-Clause
-Required Dependencies: None
-Optional Dependencies: None
-
-.DESCRIPTION
-
-Get-MethodAddress aids in the process of reverse engineering and exploitation by returning an unmanaged function pointer to any .NET method. This method is useful for those interested in seeing what JITed MSIL opcodes look like in their assembly language representation.
-
-For example, here is the MSIL representation of [System.IntPtr].ToPointer:
-0x02 ldarg.0
-0x7B,0x53,0x04,0x00,0x04 ldfld void* System.IntPtr::m_value
-0x2A ret
-
-After calling Get-MethodAddress and inspecting it in WinDbg, here is the x86_64 ASM representation:
-C:\PS> Get-MethodAddress ([IntPtr].GetMethod('ToPointer'))
-0x000007FF35544CC0
-
-mscorlib_ni+0xd04cc0:
-000007ff`35544cc0 488b01 mov rax,qword ptr [rcx]
-000007ff`35544cc3 c3 ret
-000007ff`35544cc4 cc int 3
-
-This MSIL to ASM translation makes sense because all the assembly instructions are doing is dereferencing the pointer in rcx.
-
-.PARAMETER MethodInfo
-
-The method whose unmanaged address will be returned.
-
-.EXAMPLE
-
-C:\PS> Get-MethodAddress ([String].GetMethod('Trim', [Type[]]@()))
-
-Description
------------
-Returns the unmanaged address of [System.Object].Trim() method.
-
-.EXAMPLE
-
-C:\PS> [Int].Module.GetTypes().GetMethods() | ForEach-Object {Get-MethodAddress $_ -ErrorAction SilentlyContinue -WarningAction SilentlyContinue}
-
-Description
------------
-Returns an unmanaged address for every method (in which an address can be returned) in mscorlib.
-
-.OUTPUTS
-
-System.String
-
-A hexadecimal representation of the method address.
-
-.NOTES
-
-Not all methods will be able to return an address. For example, methods with implementation flags of AggressiveInlining, Synchronized, or CodeTypeMask will not return an address. Also note that any InternalCall method will return the same pointer every time because the CLR determines its address at runtime.
-
-Lastly, note that the MSIL opcodes used to implement this cmdlet are unverifiable. This means for example, that this technique won't aid exploiting Silverlight applications. :'(
-
-.LINK
-
-http://www.exploit-monday.com/2012/11/Get-MethodAddress.html
-#>
-
- [CmdletBinding()] Param (
- [Parameter(Mandatory = $True, ValueFromPipeline = $True)]
- [System.Reflection.MethodInfo]
- $MethodInfo
- )
-
- if ($MethodInfo.MethodImplementationFlags -eq 'InternalCall')
- {
- Write-Warning "$($MethodInfo.Name) is an InternalCall method. These methods always point to the same address."
- }
-
- if ([IntPtr]::Size -eq 4)
- {
- $ReturnType = [UInt32]
- }
- else
- {
- $ReturnType = [UInt64]
- }
-
- $Domain = [AppDomain]::CurrentDomain
- $DynAssembly = New-Object System.Reflection.AssemblyName('MethodLeakAssembly')
- # Assemble in memory
- $AssemblyBuilder = $Domain.DefineDynamicAssembly($DynAssembly, [System.Reflection.Emit.AssemblyBuilderAccess]::Run)
- $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule('MethodLeakModule')
- $TypeBuilder = $ModuleBuilder.DefineType('MethodLeaker', [System.Reflection.TypeAttributes]::Public)
- # Declaration of the LeakMethod method
- $MethodBuilder = $TypeBuilder.DefineMethod('LeakMethod', [System.Reflection.MethodAttributes]::Public -bOr [System.Reflection.MethodAttributes]::Static, $ReturnType, $null)
- $Generator = $MethodBuilder.GetILGenerator()
-
- # Push unmanaged pointer to MethodInfo onto the evaluation stack
- $Generator.Emit([System.Reflection.Emit.OpCodes]::Ldftn, $MethodInfo)
- $Generator.Emit([System.Reflection.Emit.OpCodes]::Ret)
-
- # Assemble everything
- $Type = $TypeBuilder.CreateType()
- $Method = $Type.GetMethod('LeakMethod')
-
- try
- {
- # Call the method and return its JITed address
- $Address = $Method.Invoke($null, @())
-
- Write-Output (New-Object IntPtr -ArgumentList $Address)
- }
- catch [System.Management.Automation.MethodInvocationException]
- {
- Write-Error "$($MethodInfo.Name) cannot return an unmanaged address."
- }
-}
diff --git a/ReverseEngineering/Get-NtSystemInformation.format.ps1xml b/ReverseEngineering/Get-NtSystemInformation.format.ps1xml
deleted file mode 100644
index fa3ed41..0000000
--- a/ReverseEngineering/Get-NtSystemInformation.format.ps1xml
+++ /dev/null
@@ -1,440 +0,0 @@
-<?xml version="1.0" encoding="utf-8" ?>
-<Configuration>
- <ViewDefinitions>
- <View>
- <Name>SystemModuleView</Name>
- <ViewSelectedBy>
- <TypeName>_SYSTEM_MODULE</TypeName>
- </ViewSelectedBy>
- <TableControl>
- <AutoSize/>
- <TableHeaders>
- <TableColumnHeader>
- <Label>ImageBaseAddress</Label>
- </TableColumnHeader>
- <TableColumnHeader>
- <Label>ImageSize</Label>
- </TableColumnHeader>
- <TableColumnHeader>
- <Label>Flags</Label>
- </TableColumnHeader>
- <TableColumnHeader>
- <Label>Index</Label>
- </TableColumnHeader>
- <TableColumnHeader>
- <Label>Rank</Label>
- </TableColumnHeader>
- <TableColumnHeader>
- <Label>LoadCount</Label>
- </TableColumnHeader>
- <TableColumnHeader>
- <Label>NameOffset</Label>
- </TableColumnHeader>
- <TableColumnHeader>
- <Label>Name</Label>
- </TableColumnHeader>
- </TableHeaders>
- <TableRowEntries>
- <TableRowEntry>
- <TableColumnItems>
- <TableColumnItem>
- <ScriptBlock>"0x$($_.ImageBaseAddress.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
- </TableColumnItem>
- <TableColumnItem>
- <PropertyName>ImageSize</PropertyName>
- <FormatString>0x{0:X8}</FormatString>
- </TableColumnItem>
- <TableColumnItem>
- <PropertyName>Flags</PropertyName>
- <FormatString>0x{0:X8}</FormatString>
- </TableColumnItem>
- <TableColumnItem>
- <PropertyName>Index</PropertyName>
- <FormatString>0x{0:X4}</FormatString>
- </TableColumnItem>
- <TableColumnItem>
- <PropertyName>Rank</PropertyName>
- <FormatString>0x{0:X4}</FormatString>
- </TableColumnItem>
- <TableColumnItem>
- <PropertyName>LoadCount</PropertyName>
- <FormatString>0x{0:X4}</FormatString>
- </TableColumnItem>
- <TableColumnItem>
- <PropertyName>NameOffset</PropertyName>
- <FormatString>0x{0:X4}</FormatString>
- </TableColumnItem>
- <TableColumnItem>
- <ScriptBlock>$_.Name -replace '\\SystemRoot', $Env:SystemRoot</ScriptBlock>
- </TableColumnItem>
- </TableColumnItems>
- </TableRowEntry>
- </TableRowEntries>
- </TableControl>
- </View>
- <View>
- <Name>SystemLockView</Name>
- <ViewSelectedBy>
- <TypeName>_SYSTEM_LOCK_INFORMATION</TypeName>
- </ViewSelectedBy>
- <TableControl>
- <TableHeaders>
- <TableColumnHeader>
- <Label>Address</Label>
- </TableColumnHeader>
- <TableColumnHeader>
- <Label>Type</Label>
- </TableColumnHeader>
- <TableColumnHeader>
- <Label>ExclusiveOwnerThreadId</Label>
- </TableColumnHeader>
- <TableColumnHeader>
- <Label>ActiveCount</Label>
- </TableColumnHeader>
- <TableColumnHeader>
- <Label>ContentionCount</Label>
- </TableColumnHeader>
- <TableColumnHeader>
- <Label>NumberOfSharedWaiters</Label>
- </TableColumnHeader>
- <TableColumnHeader>
- <Label>NumberOfExclusiveWaiters</Label>
- </TableColumnHeader>
- </TableHeaders>
- <TableRowEntries>
- <TableRowEntry>
- <TableColumnItems>
- <TableColumnItem>
- <ScriptBlock>"0x$($_.Address.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
- </TableColumnItem>
- <TableColumnItem>
- <PropertyName>Type</PropertyName>
- <FormatString>0x{0:X4}</FormatString>
- </TableColumnItem>
- <TableColumnItem>
- <PropertyName>ExclusiveOwnerThreadId</PropertyName>
- <FormatString>0x{0:X4}</FormatString>
- </TableColumnItem>
- <TableColumnItem>
- <PropertyName>ActiveCount</PropertyName>
- <FormatString>0x{0:X8}</FormatString>
- </TableColumnItem>
- <TableColumnItem>
- <PropertyName>ContentionCount</PropertyName>
- <FormatString>0x{0:X8}</FormatString>
- </TableColumnItem>
- <TableColumnItem>
- <PropertyName>NumberOfSharedWaiters</PropertyName>
- <FormatString>0x{0:X8}</FormatString>
- </TableColumnItem>
- <TableColumnItem>
- <PropertyName>NumberOfExclusiveWaiters</PropertyName>
- <FormatString>0x{0:X8}</FormatString>
- </TableColumnItem>
- </TableColumnItems>
- </TableRowEntry>
- </TableRowEntries>
- </TableControl>
- </View>
- <View>
- <Name>PoolTagView</Name>
- <ViewSelectedBy>
- <TypeName>_SYSTEM_POOL_TAG_INFORMATION</TypeName>
- </ViewSelectedBy>
- <TableControl>
- <AutoSize/>
- <TableHeaders>
- <TableColumnHeader>
- <Label>Tag</Label>
- </TableColumnHeader>
- <TableColumnHeader>
- <Label>PagedPoolAllocs</Label>
- </TableColumnHeader>
- <TableColumnHeader>
- <Label>PagedPoolFrees</Label>
- </TableColumnHeader>
- <TableColumnHeader>
- <Label>PagedPoolUsage</Label>
- </TableColumnHeader>
- <TableColumnHeader>
- <Label>NonPagedPoolAllocs</Label>
- </TableColumnHeader>
- <TableColumnHeader>
- <Label>NonPagedPoolFrees</Label>
- </TableColumnHeader>
- <TableColumnHeader>
- <Label>NonPagedPoolUsage</Label>
- </TableColumnHeader>
- </TableHeaders>
- <TableRowEntries>
- <TableRowEntry>
- <TableColumnItems>
- <TableColumnItem>
- <PropertyName>Tag</PropertyName>
- </TableColumnItem>
- <TableColumnItem>
- <PropertyName>PagedPoolAllocs</PropertyName>
- <FormatString>0x{0:X8}</FormatString>
- </TableColumnItem>
- <TableColumnItem>
- <PropertyName>PagedPoolFrees</PropertyName>
- <FormatString>0x{0:X8}</FormatString>
- </TableColumnItem>
- <TableColumnItem>
- <PropertyName>PagedPoolUsage</PropertyName>
- <FormatString>0x{0:X8}</FormatString>
- </TableColumnItem>
- <TableColumnItem>
- <PropertyName>NonPagedPoolAllocs</PropertyName>
- <FormatString>0x{0:X8}</FormatString>
- </TableColumnItem>
- <TableColumnItem>
- <PropertyName>NonPagedPoolFrees</PropertyName>
- <FormatString>0x{0:X8}</FormatString>
- </TableColumnItem>
- <TableColumnItem>
- <PropertyName>NonPagedPoolUsage</PropertyName>
- <FormatString>0x{0:X8}</FormatString>
- </TableColumnItem>
- </TableColumnItems>
- </TableRowEntry>
- </TableRowEntries>
- </TableControl>
- </View>
- <View>
- <Name>SystemHandleView</Name>
- <ViewSelectedBy>
- <TypeName>_SYSTEM_HANDLE_INFORMATION</TypeName>
- </ViewSelectedBy>
- <TableControl>
- <TableHeaders>
- <TableColumnHeader>
- <Label>UniqueProcessId</Label>
- </TableColumnHeader>
- <TableColumnHeader>
- <Label>CreatorBackTraceIndex</Label>
- </TableColumnHeader>
- <TableColumnHeader>
- <Label>ObjectType</Label>
- </TableColumnHeader>
- <TableColumnHeader>
- <Label>HandleAttribute</Label>
- </TableColumnHeader>
- <TableColumnHeader>
- <Label>HandleValue</Label>
- </TableColumnHeader>
- <TableColumnHeader>
- <Label>Object</Label>
- </TableColumnHeader>
- <TableColumnHeader>
- <Label>GrantedAccess</Label>
- </TableColumnHeader>
- </TableHeaders>
- <TableRowEntries>
- <TableRowEntry>
- <TableColumnItems>
- <TableColumnItem>
- <PropertyName>UniqueProcessId</PropertyName>
- <FormatString>0x{0:X4}</FormatString>
- </TableColumnItem>
- <TableColumnItem>
- <PropertyName>CreatorBackTraceIndex</PropertyName>
- <FormatString>0x{0:X4}</FormatString>
- </TableColumnItem>
- <TableColumnItem>
- <PropertyName>ObjectType</PropertyName>
- </TableColumnItem>
- <TableColumnItem>
- <PropertyName>HandleAttribute</PropertyName>
- </TableColumnItem>
- <TableColumnItem>
- <PropertyName>HandleValue</PropertyName>
- <FormatString>0x{0:X4}</FormatString>
- </TableColumnItem>
- <TableColumnItem>
- <ScriptBlock>"0x$($_.Object.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
- </TableColumnItem>
- <TableColumnItem>
- <PropertyName>GrantedAccess</PropertyName>
- </TableColumnItem>
- </TableColumnItems>
- </TableRowEntry>
- </TableRowEntries>
- </TableControl>
- </View>
- <View>
- <Name>GenericMappingView</Name>
- <ViewSelectedBy>
- <TypeName>_GENERIC_MAPPING</TypeName>
- </ViewSelectedBy>
- <TableControl>
- <AutoSize/>
- <TableHeaders>
- <TableColumnHeader>
- <Label>GenericRead</Label>
- </TableColumnHeader>
- <TableColumnHeader>
- <Label>GenericWrite</Label>
- </TableColumnHeader>
- <TableColumnHeader>
- <Label>GenericExecute</Label>
- </TableColumnHeader>
- <TableColumnHeader>
- <Label>GenericAll</Label>
- </TableColumnHeader>
- </TableHeaders>
- <TableRowEntries>
- <TableRowEntry>
- <TableColumnItems>
- <TableColumnItem>
- <PropertyName>GenericRead</PropertyName>
- <FormatString>0x{0:X8}</FormatString>
- </TableColumnItem>
- <TableColumnItem>
- <PropertyName>GenericWrite</PropertyName>
- <FormatString>0x{0:X8}</FormatString>
- </TableColumnItem>
- <TableColumnItem>
- <PropertyName>GenericExecute</PropertyName>
- <FormatString>0x{0:X8}</FormatString>
- </TableColumnItem>
- <TableColumnItem>
- <PropertyName>GenericAll</PropertyName>
- <FormatString>0x{0:X8}</FormatString>
- </TableColumnItem>
- </TableColumnItems>
- </TableRowEntry>
- </TableRowEntries>
- </TableControl>
- </View>
- <View>
- <Name>ObjectTypeView</Name>
- <ViewSelectedBy>
- <TypeName>_SYSTEM_OBJECTTYPE_INFORMATION</TypeName>
- </ViewSelectedBy>
- <ListControl>
- <ListEntries>
- <ListEntry>
- <ListItems>
- <ListItem>
- <PropertyName>NumberOfObjects</PropertyName>
- <FormatString>0x{0:X8}</FormatString>
- </ListItem>
- <ListItem>
- <PropertyName>NumberOfHandles</PropertyName>
- <FormatString>0x{0:X8}</FormatString>
- </ListItem>
- <ListItem>
- <PropertyName>TypeIndex</PropertyName>
- <FormatString>0x{0:X8}</FormatString>
- </ListItem>
- <ListItem>
- <PropertyName>InvalidAttributes</PropertyName>
- </ListItem>
- <ListItem>
- <PropertyName>GenericMapping</PropertyName>
- </ListItem>
- <ListItem>
- <PropertyName>ValidAccessMask</PropertyName>
- </ListItem>
- <ListItem>
- <PropertyName>PoolType</PropertyName>
- </ListItem>
- <ListItem>
- <PropertyName>SecurityRequired</PropertyName>
- <FormatString>0x{0:X2}</FormatString>
- </ListItem>
- <ListItem>
- <PropertyName>WaitableObject</PropertyName>
- <FormatString>0x{0:X2}</FormatString>
- </ListItem>
- <ListItem>
- <PropertyName>TypeName</PropertyName>
- </ListItem>
- <ListItem>
- <PropertyName>Objects</PropertyName>
- </ListItem>
- </ListItems>
- </ListEntry>
- </ListEntries>
- </ListControl>
- </View>
- <View>
- <Name>ObjectView</Name>
- <ViewSelectedBy>
- <TypeName>_SYSTEM_OBJECT_INFORMATION</TypeName>
- </ViewSelectedBy>
- <ListControl>
- <ListEntries>
- <ListEntry>
- <ListItems>
- <ListItem>
- <Label>Object</Label>
- <ScriptBlock>"0x$($_.Object.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
- </ListItem>
- <ListItem>
- <Label>CreatorUniqueProcess</Label>
- <ScriptBlock>"0x$($_.CreatorUniqueProcess.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
- </ListItem>
- <ListItem>
- <PropertyName>CreatorBackTraceIndex</PropertyName>
- <FormatString>0x{0:X4}</FormatString>
- </ListItem>
- <ListItem>
- <PropertyName>Flags</PropertyName>
- </ListItem>
- <ListItem>
- <PropertyName>PointerCount</PropertyName>
- <FormatString>0x{0:X8}</FormatString>
- </ListItem>
- <ListItem>
- <PropertyName>HandleCount</PropertyName>
- <FormatString>0x{0:X8}</FormatString>
- </ListItem>
- <ListItem>
- <PropertyName>PagedPoolCharge</PropertyName>
- <FormatString>0x{0:X8}</FormatString>
- </ListItem>
- <ListItem>
- <PropertyName>NonPagedPoolCharge</PropertyName>
- <FormatString>0x{0:X8}</FormatString>
- </ListItem>
- <ListItem>
- <Label>ExclusiveProcessId</Label>
- <ScriptBlock>"0x$($_.ExclusiveProcessId.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
- </ListItem>
- <ListItem>
- <Label>SecurityDescriptor</Label>
- <ScriptBlock>"0x$($_.SecurityDescriptor.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
- </ListItem>
- <ListItem>
- <PropertyName>NameInfo</PropertyName>
- </ListItem>
- </ListItems>
- </ListEntry>
- </ListEntries>
- </ListControl>
- </View>
- <View>
- <Name>CodeIntegrityTypeView</Name>
- <ViewSelectedBy>
- <TypeName>_SYSTEM_CODEINTEGRITY_INFORMATION</TypeName>
- </ViewSelectedBy>
- <ListControl>
- <ListEntries>
- <ListEntry>
- <ListItems>
- <ListItem>
- <PropertyName>CodeIntegrityOptions</PropertyName>
- <FormatString>0x{0:X8}</FormatString>
- </ListItem>
- <ListItem>
- <PropertyName>LockdownState</PropertyName>
- </ListItem>
- </ListItems>
- </ListEntry>
- </ListEntries>
- </ListControl>
- </View>
- </ViewDefinitions>
-</Configuration>
diff --git a/ReverseEngineering/Get-NtSystemInformation.ps1 b/ReverseEngineering/Get-NtSystemInformation.ps1
deleted file mode 100644
index 2bde8f6..0000000
--- a/ReverseEngineering/Get-NtSystemInformation.ps1
+++ /dev/null
@@ -1,1082 +0,0 @@
-function Get-NtSystemInformation
-{
-<#
-.SYNOPSIS
-
- Returns various forms of internal OS information.
-
- PowerSploit Function: Get-NtSystemInformation
- Author: Matthew Graeber (@mattifestation)
- License: BSD 3-Clause
- Required Dependencies: None
- Optional Dependencies: None
-
-.DESCRIPTION
-
- Get-NtSystemInformation is a utility that calls and parses the output of the
- ntdll!NtQuerySystemInformation function. This utility can be used to query
- internal OS information that is typically not made visible to a user.
-
-.PARAMETER PoolTagInformation
-
- Returns information on tagged kernel pool allocations.
-
-.PARAMETER ModuleInformation
-
- Returns loaded kernel module information.
-
-.PARAMETER HandleInformation
-
- Returns handle information about user-mode handles and their respective
- address in the kernel.
-
-.PARAMETER ObjectType
-
- Specifies the object type to be returned when listing handles. The following
- types are permitted:
-
- Adapter, ALPC Port, Callback, CompositionSurface, Controller, DebugObject,
- Desktop, Device, Directory, Driver, DxgkSharedResource, DxgkSharedSyncObject,
- EtwConsumer, EtwRegistration, Event, EventPair, File, FilterCommunicationPort,
- FilterConnectionPort, IoCompletion, IoCompletionReserve, IRTimer, Job, Key,
- KeyedEvent, Mutant, PcwObject, Port, PowerRequest, Process, Profile, Section,
- Semaphore, Session, SymbolicLink, Thread, Timer, TmEn, TmRm, TmTm, TmTx, Token,
- TpWorkerFactory, Type, UserApcReserve, WaitablePort, WaitCompletionPacket,
- WindowStation, WmiGuid
-
-.PARAMETER ObjectInformation
-
- Returns information about user-mode objects and their respective kernel pool
- allocations.
-
-.PARAMETER CodeIntegrityInformation
-
- Returns user-mode code integrity flags.
-
-.PARAMETER GlobalFlags
-
- Returns a list of all enabled global flags.
-
-.EXAMPLE
-
- C:\PS> Get-NtSystemInformation -PoolTagInformation
-
- Description
- -----------
- Returns information on tagged kernel pool allocations. The output is similar
- to that of poolmon.exe. The output is the result of parsing _SYSTEM_POOLTAG
- structures.
-
-.EXAMPLE
-
- C:\PS> Get-NtSystemInformation -ModuleInformation
-
- Description
- -----------
- Returns loaded kernel module information including the base address of
- loaded kernel modules. The output is the result of parsing the
- undocumented _SYSTEM_MODULE_INFORMATION structure.
-
-.EXAMPLE
-
- C:\PS> Get-NtSystemInformation -HandleInformation
-
- Description
- -----------
- Returns handle information about user-mode handles and their respective
- address in the kernel. The output is similar to that of handle.exe but
- doesn't require an elevated prompt. handle.exe also doesn't display the
- kernel address of the object that the handle represents. The output is the
- result of parsing _SYSTEM_HANDLE_TABLE_ENTRY_INFO structures.
-
-.EXAMPLE
-
- C:\PS> Get-NtSystemInformation -ObjectInformation
-
- Description
- -----------
- Returns information about user-mode objects and their respective kernel pool
- allocations. The output is the result of parsing
- _SYSTEM_OBJECTTYPE_INFORMATION and _SYSTEM_OBJECT_INFORMATION structures.
-
- Note: FLG_MAINTAIN_OBJECT_TYPELIST (0x4000), FLG_ENABLE_HANDLE_TYPE_TAGGING
- (0x01000000) global flags must be set in order to retrieve the output of this
- command.
-
-.EXAMPLE
-
- C:\PS> Get-NtSystemInformation -GlobalFlags
-
- Description
- -----------
- Returns a list of all enabled global flags. This is similar to running
- gflags.exe /r
-
-.LINK
-
- http://www.exploit-monday.com/
-#>
-
- [CmdletBinding()] Param (
- [Parameter( ParameterSetName = 'PoolTagInformation' )]
- [Switch]
- $PoolTagInformation,
-
- [Parameter( ParameterSetName = 'ModuleInformation' )]
- [Switch]
- $ModuleInformation,
-
- [Parameter( ParameterSetName = 'HandleInformation' )]
- [Switch]
- $HandleInformation,
-
- [Parameter( ParameterSetName = 'HandleInformation' )]
- [ValidateSet('Adapter', 'ALPC Port', 'Callback', 'CompositionSurface', 'Controller', 'DebugObject', 'Desktop', 'Device', 'Directory', 'Driver', 'DxgkSharedResource', 'DxgkSharedSyncObject', 'EtwConsumer', 'EtwRegistration', 'Event', 'EventPair', 'File', 'FilterCommunicationPort', 'FilterConnectionPort', 'IoCompletion', 'IoCompletionReserve', 'IRTimer', 'Job', 'Key', 'KeyedEvent', 'Mutant', 'PcwObject', 'Port', 'PowerRequest', 'Process', 'Profile', 'Section', 'Semaphore', 'Session', 'SymbolicLink', 'Thread', 'Timer', 'TmEn', 'TmRm', 'TmTm', 'TmTx', 'Token', 'TpWorkerFactory', 'Type', 'UserApcReserve', 'WaitablePort', 'WaitCompletionPacket', 'WindowStation', 'WmiGuid')]
- [String]
- $ObjectType,
-
- [Parameter( ParameterSetName = 'ObjectInformation' )]
- [Switch]
- $ObjectInformation,
-
- [Parameter( ParameterSetName = 'LockInformation' )]
- [Switch]
- $LockInformation,
-
- [Parameter( ParameterSetName = 'CodeIntegrityInformation' )]
- [Switch]
- $CodeIntegrityInformation,
-
- [Parameter( ParameterSetName = 'GlobalFlags' )]
- [Switch]
- $GlobalFlags
- )
-
-#region Define the assembly/module that will hold all of our dynamic types.
- try { $ntdll = [ntdll] } catch [Management.Automation.RuntimeException]
- {
- $DynAssembly = New-Object System.Reflection.AssemblyName('SysUtils')
- $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly($DynAssembly, [Reflection.Emit.AssemblyBuilderAccess]::Run)
- $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule('SysUtils', $False)
-
- # Define [ntdll]::NtQuerySystemInformation method
- $TypeBuilder = $ModuleBuilder.DefineType('ntdll', 'Public, Class')
- $PInvokeMethod = $TypeBuilder.DefinePInvokeMethod('NtQuerySystemInformation', 'ntdll.dll', ([Reflection.MethodAttributes]::Public -bor [Reflection.MethodAttributes]::Static), [Reflection.CallingConventions]::Standard, [Int32], [Type[]]@([UInt32], [IntPtr], [UInt32], [UInt32].MakeByRefType()), [Runtime.InteropServices.CallingConvention]::Winapi, [Runtime.InteropServices.CharSet]::Auto)
- $DllImportConstructor = [Runtime.InteropServices.DllImportAttribute].GetConstructor(@([String]))
- $SetLastError = [Runtime.InteropServices.DllImportAttribute].GetField('SetLastError')
- $SetLastErrorCustomAttribute = New-Object Reflection.Emit.CustomAttributeBuilder($DllImportConstructor, @('ntdll.dll'), [Reflection.FieldInfo[]]@($SetLastError), @($true))
- $PInvokeMethod.SetCustomAttribute($SetLastErrorCustomAttribute)
- $ntdll = $TypeBuilder.CreateType()
- }
-#endregion
-
-#region Define global custom attributes
- $LayoutConstructor = [Runtime.InteropServices.StructLayoutAttribute].GetConstructor([Runtime.InteropServices.LayoutKind])
- $CharsetField = [Runtime.InteropServices.StructLayoutAttribute].GetField('CharSet')
- $StructLayoutCustomAttribute = New-Object Reflection.Emit.CustomAttributeBuilder($LayoutConstructor, @([Runtime.InteropServices.LayoutKind]::Explicit), $CharsetField, @([Runtime.InteropServices.CharSet]::Ansi))
-
- $FlagsConstructor = [FlagsAttribute].GetConstructor(@())
- $FlagsCustomAttribute = New-Object Reflection.Emit.CustomAttributeBuilder($FlagsConstructor, @())
-
- $MarshalAsConstructor = [Runtime.InteropServices.MarshalAsAttribute].GetConstructor([Runtime.InteropServices.UnmanagedType])
- $SizeConst = [Runtime.InteropServices.MarshalAsAttribute].GetField('SizeConst')
-
- $StructAttributes = 'AutoLayout, AnsiClass, Class, Public, SequentialLayout, Sealed, BeforeFieldInit'
-#endregion
-
-#region Define enum types
- try { $SystemInformationClass = [SYSTEM_INFORMATION_CLASS] } catch [Management.Automation.RuntimeException]
- {
- # The entries that are commented out I'll get around to when I feel like it.
-
- $EnumBuilder = $ModuleBuilder.DefineEnum('SYSTEM_INFORMATION_CLASS', 'Public', [Int32])
- #$EnumBuilder.DefineLiteral('SystemBasicInformation', [Int32] 0x00000000) | Out-Null
- #$EnumBuilder.DefineLiteral('SystemProcessorInformation', [Int32] 0x00000001) | Out-Null
- #$EnumBuilder.DefineLiteral('SystemPerformanceInformation', [Int32] 0x00000002) | Out-Null
- #$EnumBuilder.DefineLiteral('SystemTimeOfDayInformation', [Int32] 0x00000003) | Out-Null
- #$EnumBuilder.DefineLiteral('SystemProcessInformation', [Int32] 0x00000005) | Out-Null
- #$EnumBuilder.DefineLiteral('SystemCallCounts', [Int32] 0x00000006) | Out-Null
- #$EnumBuilder.DefineLiteral('SystemConfigurationInformation', [Int32] 0x00000007) | Out-Null
- #$EnumBuilder.DefineLiteral('SystemProcessorPerformanceInformation', [Int32] 0x00000008) | Out-Null
- $EnumBuilder.DefineLiteral('SystemGlobalFlag', [Int32] 0x00000009) | Out-Null
- $EnumBuilder.DefineLiteral('SystemModuleInformation', [Int32] 0x0000000B) | Out-Null
- $EnumBuilder.DefineLiteral('SystemLockInformation', [Int32] 0x0000000C) | Out-Null
- $EnumBuilder.DefineLiteral('SystemHandleInformation', [Int32] 0x00000010) | Out-Null
- $EnumBuilder.DefineLiteral('SystemObjectInformation', [Int32] 0x00000011) | Out-Null
- #$EnumBuilder.DefineLiteral('SystemPagefileInformation', [Int32] 0x00000012) | Out-Null
- #$EnumBuilder.DefineLiteral('SystemInstructionEmulationCounts', [Int32] 0x00000013) | Out-Null
- $EnumBuilder.DefineLiteral('SystemPoolTagInformation', [Int32] 0x00000016) | Out-Null
- #$EnumBuilder.DefineLiteral('SystemInterruptInformation', [Int32] 0x00000017) | Out-Null
- #$EnumBuilder.DefineLiteral('SystemExceptionInformation', [Int32] 0x00000021) | Out-Null
- #$EnumBuilder.DefineLiteral('SystemRegistryQuotaInformation', [Int32] 0x00000025) | Out-Null
- #$EnumBuilder.DefineLiteral('SystemLookasideInformation', [Int32] 0x0000002D) | Out-Null
- $EnumBuilder.DefineLiteral('SystemCodeIntegrityInformation', [Int32] 0x00000067) | Out-Null
- $SystemInformationClass = $EnumBuilder.CreateType()
- }
-
- try { $NtStatus = [NTSTATUS] } catch [Management.Automation.RuntimeException]
- {
- $EnumBuilder = $ModuleBuilder.DefineEnum('NTSTATUS', 'Public', [Int32])
- $EnumBuilder.DefineLiteral('STATUS_SUCCESS', [Int32] 0x00000000) | Out-Null
- $EnumBuilder.DefineLiteral('STATUS_INFO_LENGTH_MISMATCH', [Int32] 0xC0000004) | Out-Null
- $NtStatus = $EnumBuilder.CreateType()
- }
-
- try { $LockdownState = [LOCKDOWN_STATE] } catch [Management.Automation.RuntimeException]
- {
- $EnumBuilder = $ModuleBuilder.DefineEnum('LOCKDOWN_STATE', 'Public', [Int32])
- $EnumBuilder.DefineLiteral('UMCINONE', [Int32] 0x00000000) | Out-Null
- $EnumBuilder.DefineLiteral('UMCIENFORCE', [Int32] 0x00000004) | Out-Null
- $EnumBuilder.DefineLiteral('UMCIAUDIT', [Int32] 0xC0000008) | Out-Null
- $LockdownState = $EnumBuilder.CreateType()
- }
-
- try { $PoolType = [POOL_TYPE] } catch [Management.Automation.RuntimeException]
- {
- $EnumBuilder = $ModuleBuilder.DefineEnum('POOL_TYPE', 'Public', [UInt32])
- $EnumBuilder.DefineLiteral('NonPagedPoolExecute', [UInt32] 0x00000000) | Out-Null
- $EnumBuilder.DefineLiteral('PagedPool', [UInt32] 0x00000001) | Out-Null
- $EnumBuilder.DefineLiteral('NonPagedPoolMustSucceed', [UInt32] 0x00000002) | Out-Null
- $EnumBuilder.DefineLiteral('DontUseThisType', [UInt32] 0x00000003) | Out-Null
- $EnumBuilder.DefineLiteral('NonPagedPoolCacheAligned', [UInt32] 0x00000004) | Out-Null
- $EnumBuilder.DefineLiteral('PagedPoolCacheAligned', [UInt32] 0x00000005) | Out-Null
- $EnumBuilder.DefineLiteral('NonPagedPoolCacheAlignedMustS', [UInt32] 0x00000006) | Out-Null
- $EnumBuilder.DefineLiteral('MaxPoolType', [UInt32] 0x00000007) | Out-Null
- $EnumBuilder.DefineLiteral('NonPagedPoolSession', [UInt32] 0x00000020) | Out-Null
- $EnumBuilder.DefineLiteral('PagedPoolSession', [UInt32] 0x00000021) | Out-Null
- $EnumBuilder.DefineLiteral('NonPagedPoolMustSucceedSession', [UInt32] 0x00000022) | Out-Null
- $EnumBuilder.DefineLiteral('DontUseThisTypeSession', [UInt32] 0x00000023) | Out-Null
- $EnumBuilder.DefineLiteral('NonPagedPoolCacheAlignedSession', [UInt32] 0x00000024) | Out-Null
- $EnumBuilder.DefineLiteral('PagedPoolCacheAlignedSession', [UInt32] 0x00000025) | Out-Null
- $EnumBuilder.DefineLiteral('NonPagedPoolCacheAlignedMustSSession', [UInt32] 0x00000026) | Out-Null
- $EnumBuilder.DefineLiteral('NonPagedPoolNx', [UInt32] 0x00000200) | Out-Null
- $EnumBuilder.DefineLiteral('NonPagedPoolNxCacheAligned', [UInt32] 0x00000204) | Out-Null
- $EnumBuilder.DefineLiteral('NonPagedPoolSessionNx', [UInt32] 0x00000220) | Out-Null
- $PoolType = $EnumBuilder.CreateType()
- }
-
- try { $HandleFlags = [HANDLE_FLAGS] } catch [Management.Automation.RuntimeException]
- {
- $EnumBuilder = $ModuleBuilder.DefineEnum('HANDLE_FLAGS', 'Public', [Byte])
- $EnumBuilder.DefineLiteral('PROTECT_FROM_CLOSE', [Byte] 1) | Out-Null
- $EnumBuilder.DefineLiteral('INHERIT', [Byte] 2) | Out-Null
- $EnumBuilder.SetCustomAttribute($FlagsCustomAttribute)
- $HandleFlags = $EnumBuilder.CreateType()
- }
-
- try { $ObjectAttributes = [OBJECT_ATTRIBUTES] } catch [Management.Automation.RuntimeException]
- {
- $EnumBuilder = $ModuleBuilder.DefineEnum('OBJECT_ATTRIBUTES', 'Public', [Int32])
- $EnumBuilder.DefineLiteral('OBJ_INHERIT', [Int32] 0x00000002) | Out-Null
- $EnumBuilder.DefineLiteral('OBJ_PERMANENT', [Int32] 0x00000010) | Out-Null
- $EnumBuilder.DefineLiteral('OBJ_EXCLUSIVE', [Int32] 0x00000020) | Out-Null
- $EnumBuilder.DefineLiteral('OBJ_CASE_INSENSITIVE', [Int32] 0x00000040) | Out-Null
- $EnumBuilder.DefineLiteral('OBJ_OPENIF', [Int32] 0x00000080) | Out-Null
- $EnumBuilder.DefineLiteral('OBJ_OPENLINK', [Int32] 0x00000100) | Out-Null
- $EnumBuilder.SetCustomAttribute($FlagsCustomAttribute)
- $ObjectAttributes = $EnumBuilder.CreateType()
- }
-
- try { $ObjectFlags = [OBJECT_FLAGS] } catch [Management.Automation.RuntimeException]
- {
- $EnumBuilder = $ModuleBuilder.DefineEnum('OBJECT_FLAGS', 'Public', [UInt16])
- $EnumBuilder.DefineLiteral('SINGLE_HANDLE_ENTRY', [UInt16] 0x0040) | Out-Null
- $EnumBuilder.DefineLiteral('DEFAULT_SECURITY_QUOTA', [UInt16] 0x0020) | Out-Null
- $EnumBuilder.DefineLiteral('PERMANENT', [UInt16] 0x0010) | Out-Null
- $EnumBuilder.DefineLiteral('EXCLUSIVE', [UInt16] 0x0008) | Out-Null
- $EnumBuilder.DefineLiteral('CREATOR_INFO', [UInt16] 0x0004) | Out-Null
- $EnumBuilder.DefineLiteral('KERNEL_MODE', [UInt16] 0x0002) | Out-Null
- $EnumBuilder.SetCustomAttribute($FlagsCustomAttribute)
- $ObjectFlags = $EnumBuilder.CreateType()
- }
-
- try { $AccessMask = [ACCESS_MASK] } catch [Management.Automation.RuntimeException]
- {
- $EnumBuilder = $ModuleBuilder.DefineEnum('ACCESS_MASK', 'Public', [Int32])
- $EnumBuilder.DefineLiteral('DELETE', [Int32] 0x00010000) | Out-Null
- $EnumBuilder.DefineLiteral('READ_CONTROL', [Int32] 0x00020000) | Out-Null
- $EnumBuilder.DefineLiteral('WRITE_DAC', [Int32] 0x00040000) | Out-Null
- $EnumBuilder.DefineLiteral('WRITE_OWNER', [Int32] 0x00080000) | Out-Null
- $EnumBuilder.DefineLiteral('SYNCHRONIZE', [Int32] 0x00100000) | Out-Null
- $EnumBuilder.DefineLiteral('STANDARD_RIGHTS_REQUIRED', [Int32] 0x000F0000) | Out-Null
- $EnumBuilder.DefineLiteral('STANDARD_RIGHTS_READ', [Int32] 0x00020000) | Out-Null
- $EnumBuilder.DefineLiteral('STANDARD_RIGHTS_WRITE', [Int32] 0x00020000) | Out-Null
- $EnumBuilder.DefineLiteral('STANDARD_RIGHTS_EXECUTE', [Int32] 0x00020000) | Out-Null
- $EnumBuilder.DefineLiteral('STANDARD_RIGHTS_ALL', [Int32] 0x001F0000) | Out-Null
- $EnumBuilder.DefineLiteral('ACCESS_SYSTEM_SECURITY', [Int32] 0x01000000) | Out-Null
- $EnumBuilder.DefineLiteral('GENERIC_READ', [Int32] 0x80000000) | Out-Null
- $EnumBuilder.DefineLiteral('GENERIC_WRITE', [Int32] 0x40000000) | Out-Null
- $EnumBuilder.DefineLiteral('GENERIC_EXECUTE', [Int32] 0x20000000) | Out-Null
- $EnumBuilder.DefineLiteral('GENERIC_ALL', [Int32] 0x10000000) | Out-Null
- $EnumBuilder.SetCustomAttribute($FlagsCustomAttribute)
- $AccessMask = $EnumBuilder.CreateType()
- }
-
- try { $GFlagsEnum = [GLOBAL_FLAGS] } catch [Management.Automation.RuntimeException]
- {
- $EnumBuilder = $ModuleBuilder.DefineEnum('GLOBAL_FLAGS', 'Public', [Int32])
- $EnumBuilder.DefineLiteral('FLG_DISABLE_DBGPRINT', [Int32] 0x08000000) | Out-Null
- $EnumBuilder.DefineLiteral('FLG_KERNEL_STACK_TRACE_DB', [Int32] 0x00002000) | Out-Null
- $EnumBuilder.DefineLiteral('FLG_USER_STACK_TRACE_DB', [Int32] 0x00001000) | Out-Null
- $EnumBuilder.DefineLiteral('FLG_DEBUG_INITIAL_COMMAND', [Int32] 0x00000004) | Out-Null
- $EnumBuilder.DefineLiteral('FLG_DEBUG_INITIAL_COMMAND_EX', [Int32] 0x04000000) | Out-Null
- $EnumBuilder.DefineLiteral('FLG_HEAP_DISABLE_COALESCING', [Int32] 0x00200000) | Out-Null
- $EnumBuilder.DefineLiteral('FLG_DISABLE_PAGE_KERNEL_STACKS', [Int32] 0x00080000) | Out-Null
- $EnumBuilder.DefineLiteral('FLG_DISABLE_PROTDLLS', [Int32] 0x80000000) | Out-Null
- $EnumBuilder.DefineLiteral('FLG_DISABLE_STACK_EXTENSION', [Int32] 0x00010000) | Out-Null
- $EnumBuilder.DefineLiteral('FLG_CRITSEC_EVENT_CREATION', [Int32] 0x10000000) | Out-Null
- $EnumBuilder.DefineLiteral('FLG_APPLICATION_VERIFIER', [Int32] 0x00000100) | Out-Null
- $EnumBuilder.DefineLiteral('FLG_ENABLE_HANDLE_EXCEPTIONS', [Int32] 0x40000000) | Out-Null
- $EnumBuilder.DefineLiteral('FLG_ENABLE_CLOSE_EXCEPTIONS', [Int32] 0x00400000) | Out-Null
- $EnumBuilder.DefineLiteral('FLG_ENABLE_CSRDEBUG', [Int32] 0x00020000) | Out-Null
- $EnumBuilder.DefineLiteral('FLG_ENABLE_EXCEPTION_LOGGING', [Int32] 0x00800000) | Out-Null
- $EnumBuilder.DefineLiteral('FLG_HEAP_ENABLE_FREE_CHECK', [Int32] 0x00000020) | Out-Null
- $EnumBuilder.DefineLiteral('FLG_HEAP_VALIDATE_PARAMETERS', [Int32] 0x00000040) | Out-Null
- $EnumBuilder.DefineLiteral('FLG_HEAP_ENABLE_TAGGING', [Int32] 0x00000800) | Out-Null
- $EnumBuilder.DefineLiteral('FLG_HEAP_ENABLE_TAG_BY_DLL', [Int32] 0x00008000) | Out-Null
- $EnumBuilder.DefineLiteral('FLG_HEAP_ENABLE_TAIL_CHECK', [Int32] 0x00000010) | Out-Null
- $EnumBuilder.DefineLiteral('FLG_HEAP_VALIDATE_ALL', [Int32] 0x00000080) | Out-Null
- $EnumBuilder.DefineLiteral('FLG_ENABLE_KDEBUG_SYMBOL_LOAD', [Int32] 0x00040000) | Out-Null
- $EnumBuilder.DefineLiteral('FLG_ENABLE_HANDLE_TYPE_TAGGING', [Int32] 0x01000000) | Out-Null
- $EnumBuilder.DefineLiteral('FLG_HEAP_PAGE_ALLOCS', [Int32] 0x02000000) | Out-Null
- $EnumBuilder.DefineLiteral('FLG_POOL_ENABLE_TAGGING', [Int32] 0x00000400) | Out-Null
- $EnumBuilder.DefineLiteral('FLG_ENABLE_SYSTEM_CRIT_BREAKS', [Int32] 0x00100000) | Out-Null
- $EnumBuilder.DefineLiteral('FLG_MAINTAIN_OBJECT_TYPELIST', [Int32] 0x00004000) | Out-Null
- $EnumBuilder.DefineLiteral('FLG_MONITOR_SILENT_PROCESS_EXIT', [Int32] 0x00000200) | Out-Null
- $EnumBuilder.DefineLiteral('FLG_SHOW_LDR_SNAPS', [Int32] 0x00000002) | Out-Null
- $EnumBuilder.DefineLiteral('FLG_STOP_ON_EXCEPTION', [Int32] 0x00000001) | Out-Null
- $EnumBuilder.DefineLiteral('FLG_STOP_ON_HUNG_GUI', [Int32] 0x00000008) | Out-Null
- $EnumBuilder.SetCustomAttribute($FlagsCustomAttribute)
- $GFlagsEnum = $EnumBuilder.CreateType()
- }
-#endregion
-
-#region Define structs for each respective SYSTEM_INFORMATION_CLASS
- if ([IntPtr]::Size -eq 8)
- {
- $Size_SYSTEM_MODULE = 296
- $Size_SYSTEM_POOL_TAG_INFORMATION = 40
- $Size_SYSTEM_HANDLE_INFORMATION = 24
- $Size_SYSTEM_OBJECTTYPE_INFORMATION = 64
- $Size_SYSTEM_OBJECT_INFORMATION = 80
- $Size_SYSTEM_LOCK_INFORMATION = 40
- }
- else
- {
- $Size_SYSTEM_MODULE = 284
- $Size_SYSTEM_POOL_TAG_INFORMATION = 28
- $Size_SYSTEM_HANDLE_INFORMATION = 16
- $Size_SYSTEM_OBJECTTYPE_INFORMATION = 56
- $Size_SYSTEM_OBJECT_INFORMATION = 48
- $Size_SYSTEM_LOCK_INFORMATION = 36
- }
-
- try { $UnicodeStringClass = [_UNICODE_STRING] } catch [Management.Automation.RuntimeException]
- {
- $MarshalAsCustomAttribute = New-Object Reflection.Emit.CustomAttributeBuilder($MarshalAsConstructor, @([Runtime.InteropServices.UnmanagedType]::LPWStr))
-
- if ([IntPtr]::Size -eq 8)
- {
- $TypeBuilder = $ModuleBuilder.DefineType('_UNICODE_STRING', $StructAttributes, [ValueType], 2, 16)
- $TypeBuilder.SetCustomAttribute($StructLayoutCustomAttribute)
-
- $TypeBuilder.DefineField('Length', [UInt16], 'Public').SetOffset(0)
- $TypeBuilder.DefineField('MaximumLength', [UInt16], 'Public').SetOffset(2)
- $BufferField = $TypeBuilder.DefineField('Buffer', [String], 'Public, HasFieldMarshal')
- $BufferField.SetCustomAttribute($MarshalAsCustomAttribute)
- $BufferField.SetOffset(8)
- }
- else
- {
- $TypeBuilder = $ModuleBuilder.DefineType('_UNICODE_STRING', $StructAttributes, [ValueType], 2, 8)
- $TypeBuilder.SetCustomAttribute($StructLayoutCustomAttribute)
-
- $TypeBuilder.DefineField('Length', [UInt16], 'Public').SetOffset(0)
- $TypeBuilder.DefineField('MaximumLength', [UInt16], 'Public').SetOffset(2)
- $BufferField = $TypeBuilder.DefineField('Buffer', [String], 'Public, HasFieldMarshal')
- $BufferField.SetCustomAttribute($MarshalAsCustomAttribute)
- $BufferField.SetOffset(4)
- }
-
- $UnicodeStringClass = $TypeBuilder.CreateType()
- }
-
- try { $GenericMappingClass = [_GENERIC_MAPPING] } catch [Management.Automation.RuntimeException]
- {
- $TypeBuilder = $ModuleBuilder.DefineType('_GENERIC_MAPPING', $StructAttributes, [ValueType], 4, 16)
-
- $TypeBuilder.DefineField('GenericRead', [UInt32], 'Public') | Out-Null
- $TypeBuilder.DefineField('GenericWrite', [UInt32], 'Public') | Out-Null
- $TypeBuilder.DefineField('GenericExecute', [UInt32], 'Public') | Out-Null
- $TypeBuilder.DefineField('GenericAll', [UInt32], 'Public') | Out-Null
-
- $GenericMappingClass = $TypeBuilder.CreateType()
- }
-
- try { $HandleInfoClass = [_SYSTEM_HANDLE_INFORMATION] } catch [Management.Automation.RuntimeException]
- {
- $TypeBuilder = $ModuleBuilder.DefineType('_SYSTEM_HANDLE_INFORMATION', $StructAttributes, [ValueType], 1, $Size_SYSTEM_HANDLE_INFORMATION)
-
- $TypeBuilder.DefineField('UniqueProcessId', [UInt16], 'Public') | Out-Null
- $TypeBuilder.DefineField('CreatorBackTraceIndex', [UInt16], 'Public') | Out-Null
- $TypeBuilder.DefineField('ObjectTypeIndex', [Byte], 'Public') | Out-Null
- $TypeBuilder.DefineField('HandleAttribute', [Byte], 'Public') | Out-Null
- $TypeBuilder.DefineField('HandleValue', [UInt16], 'Public') | Out-Null
- $TypeBuilder.DefineField('Object', [IntPtr], 'Public') | Out-Null
- $TypeBuilder.DefineField('GrantedAccess', [UInt32], 'Public') | Out-Null
-
- $HandleInfoClass = $TypeBuilder.CreateType()
- }
-
- try { $ModuleInfoClass = [_SYSTEM_MODULE] } catch [Management.Automation.RuntimeException]
- {
- $MarshalAsCustomAttribute = New-Object Reflection.Emit.CustomAttributeBuilder($MarshalAsConstructor, @([Runtime.InteropServices.UnmanagedType]::ByValTStr), [Reflection.FieldInfo[]]@($SizeConst), @(256))
-
- if ([IntPtr]::Size -eq 8)
- {
- $TypeBuilder = $ModuleBuilder.DefineType('_SYSTEM_MODULE', $StructAttributes, [ValueType], 1, $Size_SYSTEM_MODULE)
-
- $TypeBuilder.DefineField('Reserved1', [UInt32], 'Public') | Out-Null
- $TypeBuilder.DefineField('Reserved2', [UInt32], 'Public') | Out-Null
- $TypeBuilder.DefineField('ImageBaseAddress', [UInt64], 'Public') | Out-Null
- $TypeBuilder.DefineField('ImageSize', [UInt32], 'Public') | Out-Null
- $TypeBuilder.DefineField('Flags', [UInt32], 'Public') | Out-Null
- $TypeBuilder.DefineField('Index', [UInt16], 'Public') | Out-Null
- $TypeBuilder.DefineField('Rank', [UInt16], 'Public') | Out-Null
- $TypeBuilder.DefineField('LoadCount', [UInt16], 'Public') | Out-Null
- $TypeBuilder.DefineField('NameOffset', [UInt16], 'Public') | Out-Null
- $NameField = $TypeBuilder.DefineField('Name', [String], 'Public, HasFieldMarshal')
- }
- else
- {
- $TypeBuilder = $ModuleBuilder.DefineType('_SYSTEM_MODULE', $StructAttributes, [ValueType], 1, $Size_SYSTEM_MODULE)
-
- $TypeBuilder.DefineField('Reserved1', [UInt16], 'Public') | Out-Null
- $TypeBuilder.DefineField('Reserved2', [UInt16], 'Public') | Out-Null
- $TypeBuilder.DefineField('ImageBaseAddress', [UInt32], 'Public') | Out-Null
- $TypeBuilder.DefineField('ImageSize', [UInt32], 'Public') | Out-Null
- $TypeBuilder.DefineField('Flags', [UInt32], 'Public') | Out-Null
- $TypeBuilder.DefineField('Index', [UInt16], 'Public') | Out-Null
- $TypeBuilder.DefineField('Rank', [UInt16], 'Public') | Out-Null
- $TypeBuilder.DefineField('LoadCount', [UInt16], 'Public') | Out-Null
- $TypeBuilder.DefineField('NameOffset', [UInt16], 'Public') | Out-Null
- $NameField = $TypeBuilder.DefineField('Name', [String], 'Public, HasFieldMarshal')
- }
-
- $NameField.SetCustomAttribute($MarshalAsCustomAttribute)
- $ModuleInfoClass = $TypeBuilder.CreateType()
- }
-
- try { $LockInfoClass = [_SYSTEM_LOCK_INFORMATION] } catch [Management.Automation.RuntimeException]
- {
- $TypeBuilder = $ModuleBuilder.DefineType('_SYSTEM_LOCK_INFORMATION', $StructAttributes, [ValueType], 1, $Size_SYSTEM_LOCK_INFORMATION)
- $TypeBuilder.SetCustomAttribute($StructLayoutCustomAttribute)
-
- if ([IntPtr]::Size -eq 8)
- {
- $TypeBuilder.DefineField('Address', [IntPtr], 'Public').SetOffset(0)
- $TypeBuilder.DefineField('Type', [UInt16], 'Public').SetOffset(8)
- $TypeBuilder.DefineField('Reserved1', [UInt16], 'Public').SetOffset(10)
- $TypeBuilder.DefineField('ExclusiveOwnerThreadId', [UInt32], 'Public').SetOffset(16)
- $TypeBuilder.DefineField('ActiveCount', [UInt32], 'Public').SetOffset(24)
- $TypeBuilder.DefineField('ContentionCount', [UInt32], 'Public').SetOffset(28)
- $TypeBuilder.DefineField('Reserved2', [UInt32], 'Public').SetOffset(32)
- $TypeBuilder.DefineField('Reserved3', [UInt32], 'Public').SetOffset(36)
- $TypeBuilder.DefineField('NumberOfSharedWaiters', [UInt32], 'Public').SetOffset(40)
- $TypeBuilder.DefineField('NumberOfExclusiveWaiters', [UInt32], 'Public').SetOffset(44)
- }
- else
- {
- $TypeBuilder.DefineField('Address', [IntPtr], 'Public').SetOffset(0)
- $TypeBuilder.DefineField('Type', [UInt16], 'Public').SetOffset(4)
- $TypeBuilder.DefineField('Reserved1', [UInt16], 'Public').SetOffset(6)
- $TypeBuilder.DefineField('ExclusiveOwnerThreadId', [UInt32], 'Public').SetOffset(8)
- $TypeBuilder.DefineField('ActiveCount', [UInt32], 'Public').SetOffset(12)
- $TypeBuilder.DefineField('ContentionCount', [UInt32], 'Public').SetOffset(16)
- $TypeBuilder.DefineField('Reserved2', [UInt32], 'Public').SetOffset(20)
- $TypeBuilder.DefineField('Reserved3', [UInt32], 'Public').SetOffset(24)
- $TypeBuilder.DefineField('NumberOfSharedWaiters', [UInt32], 'Public').SetOffset(28)
- $TypeBuilder.DefineField('NumberOfExclusiveWaiters', [UInt32], 'Public').SetOffset(32)
- }
-
- $LockInfoClass = $TypeBuilder.CreateType()
- }
-
- try { $PoolTagInfoClass = [_SYSTEM_POOL_TAG_INFORMATION] } catch [Management.Automation.RuntimeException]
- {
- $TypeBuilder = $ModuleBuilder.DefineType('_SYSTEM_POOL_TAG_INFORMATION', $StructAttributes, [ValueType], 4, $Size_SYSTEM_POOL_TAG_INFORMATION)
- $TypeBuilder.SetCustomAttribute($StructLayoutCustomAttribute)
-
- if ([IntPtr]::Size -eq 8)
- {
- $TypeBuilder.DefineField('TagValue', [UInt32], 'Public, HasFieldMarshal').SetOffset(0)
- $TypeBuilder.DefineField('PagedPoolAllocs', [UInt32], 'Public').SetOffset(4)
- $TypeBuilder.DefineField('PagedPoolFrees', [UInt32], 'Public').SetOffset(8)
- $TypeBuilder.DefineField('PagedPoolUsage', [UInt32], 'Public').SetOffset(16)
- $TypeBuilder.DefineField('NonPagedPoolAllocs', [UInt32], 'Public').SetOffset(24)
- $TypeBuilder.DefineField('NonPagedPoolFrees', [UInt32], 'Public').SetOffset(28)
- $TypeBuilder.DefineField('NonPagedPoolUsage', [UInt32], 'Public').SetOffset(32)
- }
- else
- {
- $TypeBuilder.DefineField('TagValue', [UInt32], 'Public, HasFieldMarshal').SetOffset(0)
- $TypeBuilder.DefineField('PagedPoolAllocs', [UInt32], 'Public').SetOffset(4)
- $TypeBuilder.DefineField('PagedPoolFrees', [UInt32], 'Public').SetOffset(8)
- $TypeBuilder.DefineField('PagedPoolUsage', [UInt32], 'Public').SetOffset(12)
- $TypeBuilder.DefineField('NonPagedPoolAllocs', [UInt32], 'Public').SetOffset(16)
- $TypeBuilder.DefineField('NonPagedPoolFrees', [UInt32], 'Public').SetOffset(20)
- $TypeBuilder.DefineField('NonPagedPoolUsage', [UInt32], 'Public').SetOffset(24)
- }
-
- $PoolTagInfoClass = $TypeBuilder.CreateType()
- }
-
- try { $ObjectTypeClass = [_SYSTEM_OBJECTTYPE_INFORMATION] } catch [Management.Automation.RuntimeException]
- {
- $TypeBuilder = $ModuleBuilder.DefineType('_SYSTEM_OBJECTTYPE_INFORMATION', $StructAttributes, [ValueType], 1, $Size_SYSTEM_OBJECTTYPE_INFORMATION)
- $TypeBuilder.SetCustomAttribute($StructLayoutCustomAttribute)
-
- $TypeBuilder.DefineField('NextEntryOffset', [UInt32], 'Public').SetOffset(0x00)
- $TypeBuilder.DefineField('NumberOfObjects', [UInt32], 'Public').SetOffset(0x04)
- $TypeBuilder.DefineField('NumberOfHandles', [UInt32], 'Public').SetOffset(0x08)
- $TypeBuilder.DefineField('TypeIndex', [UInt32], 'Public').SetOffset(0x0C)
- $TypeBuilder.DefineField('InvalidAttributes', [UInt32], 'Public').SetOffset(0x10)
- $TypeBuilder.DefineField('GenericMapping', $GenericMappingClass, 'Public').SetOffset(0x14)
- $TypeBuilder.DefineField('ValidAccessMask', [UInt32], 'Public').SetOffset(0x24)
- $TypeBuilder.DefineField('PoolType', $PoolType, 'Public').SetOffset(0x28)
- $TypeBuilder.DefineField('SecurityRequired', [Byte], 'Public').SetOffset(0x2C)
- $TypeBuilder.DefineField('WaitableObject', [Byte], 'Public').SetOffset(0x2D)
- $TypeBuilder.DefineField('TypeName', $UnicodeStringClass, 'Public').SetOffset(0x30)
-
- $ObjectTypeClass = $TypeBuilder.CreateType()
- }
-
- try { $ObjectTypeClass = [_SYSTEM_OBJECT_INFORMATION] } catch [Management.Automation.RuntimeException]
- {
- $TypeBuilder = $ModuleBuilder.DefineType('_SYSTEM_OBJECT_INFORMATION', $StructAttributes, [ValueType], 1, $Size_SYSTEM_OBJECT_INFORMATION)
- $TypeBuilder.SetCustomAttribute($StructLayoutCustomAttribute)
-
- if ([IntPtr]::Size -eq 8)
- {
- $TypeBuilder.DefineField('NextEntryOffset', [UInt32], 'Public').SetOffset(0x00)
- $TypeBuilder.DefineField('Object', [IntPtr], 'Public').SetOffset(0x08)
- $TypeBuilder.DefineField('CreatorUniqueProcess', [IntPtr], 'Public').SetOffset(0x10)
- $TypeBuilder.DefineField('CreatorBackTraceIndex', [UInt16], 'Public').SetOffset(0x018)
- $TypeBuilder.DefineField('Flags', [UInt16], 'Public').SetOffset(0x1A)
- $TypeBuilder.DefineField('PointerCount', [Int32], 'Public').SetOffset(0x1C)
- $TypeBuilder.DefineField('HandleCount', [Int32], 'Public').SetOffset(0x20)
- $TypeBuilder.DefineField('PagedPoolCharge', [UInt32], 'Public').SetOffset(0x24)
- $TypeBuilder.DefineField('NonPagedPoolCharge', [UInt32], 'Public').SetOffset(0x28)
- $TypeBuilder.DefineField('ExclusiveProcessId', [IntPtr], 'Public').SetOffset(0x30)
- $TypeBuilder.DefineField('SecurityDescriptor', [IntPtr], 'Public').SetOffset(0x38)
- $TypeBuilder.DefineField('NameInfo', $UnicodeStringClass, 'Public').SetOffset(0x40)
- }
- else
- {
- $TypeBuilder.DefineField('NextEntryOffset', [UInt32], 'Public').SetOffset(0x00)
- $TypeBuilder.DefineField('Object', [IntPtr], 'Public').SetOffset(0x04)
- $TypeBuilder.DefineField('CreatorUniqueProcess', [IntPtr], 'Public').SetOffset(0x08)
- $TypeBuilder.DefineField('CreatorBackTraceIndex', [UInt16], 'Public').SetOffset(0x0C)
- $TypeBuilder.DefineField('Flags', [UInt16], 'Public').SetOffset(0x0E)
- $TypeBuilder.DefineField('PointerCount', [Int32], 'Public').SetOffset(0x10)
- $TypeBuilder.DefineField('HandleCount', [Int32], 'Public').SetOffset(0x14)
- $TypeBuilder.DefineField('PagedPoolCharge', [UInt32], 'Public').SetOffset(0x18)
- $TypeBuilder.DefineField('NonPagedPoolCharge', [UInt32], 'Public').SetOffset(0x1C)
- $TypeBuilder.DefineField('ExclusiveProcessId', [IntPtr], 'Public').SetOffset(0x20)
- $TypeBuilder.DefineField('SecurityDescriptor', [IntPtr], 'Public').SetOffset(0x24)
- $TypeBuilder.DefineField('NameInfo', $UnicodeStringClass, 'Public').SetOffset(0x28)
- }
-
- $ObjectClass = $TypeBuilder.CreateType()
- }
-#endregion
-
- # Local helper function for parsing structures returned by NtQuerySystemInformation that begin with a 'Count' field
- function Local:Get-Struct($InformationClass, $StructType, $X86Size, $X64Size, $OffsetMultiplier, $ErrorText)
- {
- $TotalLength = 0
- $ReturnedLength = 0
-
- if ([IntPtr]::Size -eq 8)
- {
- $StructSize = $X64Size
- }
- else
- {
- $StructSize = $X86Size
- }
-
- if ((($ntdll::NtQuerySystemInformation($InformationClass, [IntPtr]::Zero, 0, [Ref] $TotalLength) -as $NtStatus) -ne $NtStatus::STATUS_INFO_LENGTH_MISMATCH) -and ($TotalLength -gt 0))
- {
- Write-Error "Unable to obtain $($ErrorText) information."
- return
- }
-
- $PtrData = [Runtime.InteropServices.Marshal]::AllocHGlobal($TotalLength)
- $ntdll::NtQuerySystemInformation($InformationClass, $PtrData, $TotalLength, [Ref] $ReturnedLength) | Out-Null
- [Runtime.InteropServices.Marshal]::FreeHGlobal($PtrData)
-
- $PtrData2 = [Runtime.InteropServices.Marshal]::AllocHGlobal($ReturnedLength)
-
- if (($ntdll::NtQuerySystemInformation($InformationClass, $PtrData2, $ReturnedLength, [Ref] 0) -as $NtStatus) -ne $NtStatus::STATUS_SUCCESS)
- {
- [Runtime.InteropServices.Marshal]::FreeHGlobal($PtrData2)
- Write-Error "Unable to obtain $($ErrorText) information."
- return
- }
-
- # Retrieve the structure count
- $Count = [Runtime.InteropServices.Marshal]::ReadInt32($PtrData2)
-
- # Point to the first structure
- $StructAddress = ([IntPtr]($PtrData2.ToInt64() + ([IntPtr]::Size * $OffsetMultiplier)))
-
- foreach ($i in 0..($Count-1))
- {
- [Runtime.InteropServices.Marshal]::PtrToStructure($StructAddress, [Type] $StructType)
- $StructAddress = ([IntPtr]($StructAddress.ToInt64() + $StructSize))
- }
-
- [Runtime.InteropServices.Marshal]::FreeHGlobal($PtrData2)
- }
-
-#region Main program logic
- switch ($PsCmdlet.ParameterSetName)
- {
- 'ModuleInformation' {
- $Arguments = @{
- InformationClass = $SystemInformationClass::SystemModuleInformation
- StructType = $ModuleInfoClass
- X86Size = 284
- X64Size = 296
- OffsetMultiplier = 2
- ErrorText = 'system module'
- }
-
- Get-Struct @Arguments
- }
-
- 'PoolTagInformation' {
- $Arguments = @{
- InformationClass = $SystemInformationClass::SystemPoolTagInformation
- StructType = $PoolTagInfoClass
- X86Size = 28
- X64Size = 40
- OffsetMultiplier = 1
- ErrorText = 'system pool tag'
- }
-
- Get-Struct @Arguments | % {
- $Result = @{
- Tag = [Text.Encoding]::ASCII.GetString([BitConverter]::GetBytes($_.TagValue))
- PagedPoolAllocs = $_.PagedPoolAllocs
- PagedPoolFrees = $_.PagedPoolFrees
- PagedPoolUsage = $_.PagedPoolUsage
- NonPagedPoolAllocs = $_.NonPagedPoolAllocs
- NonPagedPoolFrees = $_.NonPagedPoolFrees
- NonPagedPoolUsage = $_.NonPagedPoolUsage
- }
-
- $PoolTag = New-Object PSObject -Property $Result
- $PoolTag.PSObject.TypeNames.Insert(0, '_SYSTEM_POOL_TAG_INFORMATION')
-
- Write-Output $PoolTag
- }
- }
-
- 'HandleInformation' {
- # Get OS version info. This will be used to resolve object type index values
- $OSVersion = [Version](Get-WmiObject Win32_OperatingSystem).Version
- $OSMajorMinor = "$($OSVersion.Major).$($OSVersion.Minor)"
-
- # Type indexes differ according to OS. These values were obtained via some KD-fu
- switch ($OSMajorMinor)
- {
- '6.2' # Windows 8 and Windows Server 2012
- {
- $IndexTable = @{
- 0x02 = 'Type'
- 0x03 = 'Directory'
- 0x04 = 'SymbolicLink'
- 0x05 = 'Token'
- 0x06 = 'Job'
- 0x07 = 'Process'
- 0x08 = 'Thread'
- 0x09 = 'UserApcReserve'
- 0x0A = 'IoCompletionReserve'
- 0x0B = 'DebugObject'
- 0x0C = 'Event'
- 0x0D = 'EventPair'
- 0x0E = 'Mutant'
- 0x0F = 'Callback'
- 0x10 = 'Semaphore'
- 0x11 = 'Timer'
- 0x12 = 'IRTimer'
- 0x13 = 'Profile'
- 0x14 = 'KeyedEvent'
- 0x15 = 'WindowStation'
- 0x16 = 'Desktop'
- 0x17 = 'CompositionSurface'
- 0x18 = 'TpWorkerFactory'
- 0x19 = 'Adapter'
- 0x1A = 'Controller'
- 0x1B = 'Device'
- 0x1C = 'Driver'
- 0x1D = 'IoCompletion'
- 0x1E = 'WaitCompletionPacket'
- 0x1F = 'File'
- 0x20 = 'TmTm'
- 0x21 = 'TmTx'
- 0x22 = 'TmRm'
- 0x23 = 'TmEn'
- 0x24 = 'Section'
- 0x25 = 'Session'
- 0x26 = 'Key'
- 0x27 = 'ALPC Port'
- 0x28 = 'PowerRequest'
- 0x29 = 'WmiGuid'
- 0x2A = 'EtwRegistration'
- 0x2B = 'EtwConsumer'
- 0x2C = 'FilterConnectionPort'
- 0x2D = 'FilterCommunicationPort'
- 0x2E = 'PcwObject'
- 0x2F = 'DxgkSharedResource'
- 0x30 = 'DxgkSharedSyncObject'
- }
- }
-
- '6.1' # Windows 7 and Window Server 2008 R2
- {
- $IndexTable = @{
- 0x02 = 'Type'
- 0x03 = 'Directory'
- 0x04 = 'SymbolicLink'
- 0x05 = 'Token'
- 0x06 = 'Job'
- 0x07 = 'Process'
- 0x08 = 'Thread'
- 0x09 = 'UserApcReserve'
- 0x0a = 'IoCompletionReserve'
- 0x0b = 'DebugObject'
- 0x0c = 'Event'
- 0x0d = 'EventPair'
- 0x0e = 'Mutant'
- 0x0f = 'Callback'
- 0x10 = 'Semaphore'
- 0x11 = 'Timer'
- 0x12 = 'Profile'
- 0x13 = 'KeyedEvent'
- 0x14 = 'WindowStation'
- 0x15 = 'Desktop'
- 0x16 = 'TpWorkerFactory'
- 0x17 = 'Adapter'
- 0x18 = 'Controller'
- 0x19 = 'Device'
- 0x1a = 'Driver'
- 0x1b = 'IoCompletion'
- 0x1c = 'File'
- 0x1d = 'TmTm'
- 0x1e = 'TmTx'
- 0x1f = 'TmRm'
- 0x20 = 'TmEn'
- 0x21 = 'Section'
- 0x22 = 'Session'
- 0x23 = 'Key'
- 0x24 = 'ALPC Port'
- 0x25 = 'PowerRequest'
- 0x26 = 'WmiGuid'
- 0x27 = 'EtwRegistration'
- 0x28 = 'EtwConsumer'
- 0x29 = 'FilterConnectionPort'
- 0x2a = 'FilterCommunicationPort'
- 0x2b = 'PcwObject'
- }
- }
-
- '6.0' # Windows Vista and Windows Server 2008
- {
- $IndexTable = @{
- 0x01 = 'Type'
- 0x02 = 'Directory'
- 0x03 = 'SymbolicLink'
- 0x04 = 'Token'
- 0x05 = 'Job'
- 0x06 = 'Process'
- 0x07 = 'Thread'
- 0x08 = 'DebugObject'
- 0x09 = 'Event'
- 0x0a = 'EventPair'
- 0x0b = 'Mutant'
- 0x0c = 'Callback'
- 0x0d = 'Semaphore'
- 0x0e = 'Timer'
- 0x0f = 'Profile'
- 0x10 = 'KeyedEvent'
- 0x11 = 'WindowStation'
- 0x12 = 'Desktop'
- 0x13 = 'TpWorkerFactory'
- 0x14 = 'Adapter'
- 0x15 = 'Controller'
- 0x16 = 'Device'
- 0x17 = 'Driver'
- 0x18 = 'IoCompletion'
- 0x19 = 'File'
- 0x1a = 'TmTm'
- 0x1b = 'TmTx'
- 0x1c = 'TmRm'
- 0x1d = 'TmEn'
- 0x1e = 'Section'
- 0x1f = 'Session'
- 0x20 = 'Key'
- 0x21 = 'ALPC Port'
- 0x22 = 'WmiGuid'
- 0x23 = 'EtwRegistration'
- 0x24 = 'FilterConnectionPort'
- 0x25 = 'FilterCommunicationPort'
- }
- }
-
- '5.1' # Windows XP
- {
- $IndexTable = @{
- 0x01 = 'Type'
- 0x02 = 'Directory'
- 0x03 = 'SymbolicLink'
- 0x04 = 'Token'
- 0x05 = 'Process'
- 0x06 = 'Thread'
- 0x07 = 'Job'
- 0x08 = 'DebugObject'
- 0x09 = 'Event'
- 0x0a = 'EventPair'
- 0x0b = 'Mutant'
- 0x0c = 'Callback'
- 0x0d = 'Semaphore'
- 0x0e = 'Timer'
- 0x0f = 'Profile'
- 0x10 = 'KeyedEvent'
- 0x11 = 'WindowStation'
- 0x12 = 'Desktop'
- 0x13 = 'Section'
- 0x14 = 'Key'
- 0x15 = 'Port'
- 0x16 = 'WaitablePort'
- 0x17 = 'Adapter'
- 0x18 = 'Controller'
- 0x19 = 'Device'
- 0x1a = 'Driver'
- 0x1b = 'IoCompletion'
- 0x1c = 'File'
- 0x1d = 'WmiGuid'
- 0x1e = 'FilterConnectionPort'
- 0x1f = 'FilterCommunicationPort'
- }
- }
-
- default # I didn't feel like resolving the values for Server 2003
- {
- $IndexTable = @{}
- }
- }
-
- $Arguments = @{
- InformationClass = $SystemInformationClass::SystemHandleInformation
- StructType = $HandleInfoClass
- X86Size = 16
- X64Size = 24
- OffsetMultiplier = 1
- ErrorText = 'system handle'
- }
-
- Get-Struct @Arguments | % {
- $Handle = $_.HandleAttribute -as $HandleFlags
- if ($Handle -eq 0) {$HandleValue = $null} else {$HandleValue = $Handle}
-
- $Access = ( ($_.GrantedAccess -band 0xFFFF0000) -as $AccessMask )
- if ($Access -eq 0) {$AccessValue = $null} else {$AccessValue = $Access}
-
- $Result = @{
- UniqueProcessId = $_.UniqueProcessId
- CreatorBackTraceIndex = $_.CreatorBackTraceIndex
- ObjectTypeIndex = $_.ObjectTypeIndex
- ObjectType = $IndexTable[([Int32]$_.ObjectTypeIndex)]
- HandleAttribute = $HandleValue
- HandleValue = $_.HandleValue
- Object = $_.Object
- GrantedAccess = $AccessValue
- }
-
- $Handle = New-Object PSObject -Property $Result
- $Handle.PSObject.TypeNames.Insert(0, '_SYSTEM_HANDLE_INFORMATION')
-
- if ($PSBoundParameters['ObjectType'])
- {
- if ($Result['ObjectType'] -eq $ObjectType)
- {
- Write-Output $Handle
- }
- }
- else
- {
- Write-Output $Handle
- }
- }
- }
-
- 'ObjectInformation' {
- # Get system global flags first to ensure the correct flags are set
- $Flags = Get-NtSystemInformation -GlobalFlags
-
- $RequiredFlags = [GLOBAL_FLAGS] 'FLG_MAINTAIN_OBJECT_TYPELIST, FLG_ENABLE_HANDLE_TYPE_TAGGING'
-
- if (($Flags -band $RequiredFlags) -ne $RequiredFlags)
- {
- Write-Error 'Global flags FLG_MAINTAIN_OBJECT_TYPELIST and FLG_ENABLE_HANDLE_TYPE_TAGGING have not been set. They must be set in gflags.exe (i.e. `gflags.exe -r +otl +eot`) or in the registry.'
- return
- }
-
- Write-Warning 'It can take over a minute to return object information. Please be patient.'
-
- $TotalLength = 1
- $ReturnedLength = 0
- $PtrData = [Runtime.InteropServices.Marshal]::AllocHGlobal($TotalLength)
-
- while ((($ntdll::NtQuerySystemInformation($SystemInformationClass::SystemObjectInformation, $PtrData, $TotalLength, [Ref] $ReturnedLength) -as [NTSTATUS]) -eq [NTSTATUS]::STATUS_INFO_LENGTH_MISMATCH))
- {
- if ($TotalLength -ne $ReturnedLength)
- {
- [Runtime.InteropServices.Marshal]::FreeHGlobal($PtrData)
- $TotalLength = $ReturnedLength
- $PtrData = [Runtime.InteropServices.Marshal]::AllocHGlobal($TotalLength)
- }
- }
-
- $NextTypeOffset = 0
-
- do
- {
- # Base address of the _SYSTEM_OBJECTTYPE_INFORMATION struct
- $ObjectTypeAbsoluteAddress = [IntPtr]($PtrData.ToInt64() + $NextTypeOffset)
-
- $Result = [Runtime.InteropServices.Marshal]::PtrToStructure($ObjectTypeAbsoluteAddress, [Type] $ObjectTypeClass)
-
- if ($Result.NumberOfObjects -gt 0)
- {
- # Calculate the offset to the first _SYSTEM_OBJECT_INFORMATION structure
- $NextObjectOffset = $Size_SYSTEM_OBJECTTYPE_INFORMATION + $Result.TypeName.MaximumLength
- $ObjectBaseAddr = $ObjectTypeAbsoluteAddress
-
- $ObjectArray = @()
-
- do
- {
- $ObjectResult = [Runtime.InteropServices.Marshal]::PtrToStructure(( [IntPtr]($ObjectBaseAddr.ToInt64() + $NextObjectOffset) ), [Type] $ObjectClass)
-
- $ResultHashTable2 = @{
- Object = $ObjectResult.Object
- CreatorUniqueProcess = $ObjectResult.CreatorUniqueProcess
- CreatorBackTraceIndex = $ObjectResult.CreatorBackTraceIndex
- Flags = ($ObjectResult.Flags -as $ObjectFlags)
- PointerCount = $ObjectResult.PointerCount
- HandleCount = $ObjectResult.HandleCount
- PagedPoolCharge = $ObjectResult.PagedPoolCharge
- NonPagedPoolCharge = $ObjectResult.NonPagedPoolCharge
- ExclusiveProcessId = $ObjectResult.ExclusiveProcessId
- SecurityDescriptor = $ObjectResult.SecurityDescriptor
- NameInfo = $ObjectResult.NameInfo.Buffer
- }
-
- $Object = New-Object PSObject -Property $ResultHashTable2
- $Object.PSObject.TypeNames.Insert(0, '_SYSTEM_OBJECT_INFORMATION')
-
- $ObjectArray += $Object
-
- $NextObjectOffset = $ObjectResult.NextEntryOffset
- $ObjectBaseAddr = $PtrData
- } while ($ObjectResult.NextEntryOffset -ne 0)
- }
-
- $Access = ( ($_.ValidAccessMask -band 0xFFFF0000) -as $AccessMask )
- if ($Access -eq 0) {$AccessValue = $null} else {$AccessValue = $Access}
-
- $ResultHashTable = @{
- NumberOfObjects = $Result.NumberOfObjects
- NumberOfHandles = $Result.NumberOfHandles
- TypeIndex = $Result.TypeIndex
- InvalidAttributes = ($Result.InvalidAttributes -as $ObjectAttributes)
- GenericMapping = $Result.GenericMapping
- ValidAccessMask = $AccessValue
- PoolType = $Result.PoolType
- SecurityRequired = $Result.SecurityRequired
- WaitableObject = $Result.WaitableObject
- TypeName = $Result.TypeName.Buffer
- Objects = $ObjectArray
- }
-
- $ObjectType = New-Object PSObject -Property $ResultHashTable
- $ObjectType.PSObject.TypeNames.Insert(0, '_SYSTEM_OBJECTTYPE_INFORMATION')
-
- Write-Output $ObjectType
-
- $NextTypeOffset = $Result.NextEntryOffset
- } while ($NextTypeOffset -ne 0)
-
- [Runtime.InteropServices.Marshal]::FreeHGlobal($PtrData)
- }
-
- 'LockInformation' {
- $Arguments = @{
- InformationClass = $SystemInformationClass::SystemLockInformation
- StructType = $LockInfoClass
- X86Size = 36
- X64Size = 48
- OffsetMultiplier = 1
- ErrorText = 'system lock'
- }
-
- Get-Struct @Arguments
- }
-
- 'CodeIntegrityInformation' {
- $CIStructLength = 8
- $PtrData = [Runtime.InteropServices.Marshal]::AllocHGlobal($CIStructLength)
- [Runtime.InteropServices.Marshal]::WriteInt64($PtrData, 0)
- [Runtime.InteropServices.Marshal]::WriteByte($PtrData, 8) # The length field in SYSTEM_CODEINTEGRITY_INFORMATION must be set to 8
- $ntdll::NtQuerySystemInformation($SystemInformationClass::SystemCodeIntegrityInformation, $PtrData, $CIStructLength, [Ref] 0) | Out-Null
- $CIInfo = [Runtime.InteropServices.Marshal]::ReadInt32(([IntPtr]($PtrData.ToInt64() + 4)))
- [Runtime.InteropServices.Marshal]::FreeHGlobal($PtrData)
-
- $ResultHashTable = @{
- CodeIntegrityOptions = $CIInfo
- LockdownState = ($CIInfo -band 0x1C) -as $LockdownState
- }
-
- $CodeIntegrityType = New-Object PSObject -Property $ResultHashTable
- $CodeIntegrityType.PSObject.TypeNames.Insert(0, '_SYSTEM_CODEINTEGRITY_INFORMATION')
-
- Write-Output $CodeIntegrityType
- }
-
- 'GlobalFlags' {
- $TotalLength = 0
- $ReturnedLength = 0
-
- if ((($ntdll::NtQuerySystemInformation($SystemInformationClass::SystemGlobalFlag, [IntPtr]::Zero, 0, [Ref] $TotalLength) -as [NTSTATUS]) -ne [NTSTATUS]::STATUS_INFO_LENGTH_MISMATCH) -and ($TotalLength -gt 0))
- {
- Write-Error 'Unable to obtain global flags information information.'
- }
- else
- {
- $PtrData = [Runtime.InteropServices.Marshal]::AllocHGlobal($TotalLength)
- $ntdll::NtQuerySystemInformation($SystemInformationClass::SystemGlobalFlag, $PtrData, $TotalLength, [Ref] $ReturnedLength) | Out-Null
- $Gflags = [Runtime.InteropServices.Marshal]::ReadInt32($PtrData) -as $GFlagsEnum
- [Runtime.InteropServices.Marshal]::FreeHGlobal($PtrData)
-
- Write-Output $Gflags
- }
- }
-
- default { return }
- }
-}
-#endregion
diff --git a/ReverseEngineering/Get-PEB.format.ps1xml b/ReverseEngineering/Get-PEB.format.ps1xml
deleted file mode 100644
index 59b5362..0000000
--- a/ReverseEngineering/Get-PEB.format.ps1xml
+++ /dev/null
@@ -1,1210 +0,0 @@
-<?xml version="1.0" encoding="utf-8" ?>
-<Configuration>
- <DefaultSettings>
- <EnumerableExpansions>
- <EnumerableExpansion>
- <Expand>Both</Expand>
- </EnumerableExpansion>
- </EnumerableExpansions>
- </DefaultSettings>
- <ViewDefinitions>
- <View>
- <Name>ProcessEnvironmentBlock_VistaView</Name>
- <ViewSelectedBy>
- <TypeName>PEB.Vista</TypeName>
- </ViewSelectedBy>
- <ListControl>
- <ListEntries>
- <ListEntry>
- <ListItems>
- <ListItem>
- <PropertyName>ProcessName</PropertyName>
- </ListItem>
- <ListItem>
- <PropertyName>ProcessId</PropertyName>
- </ListItem>
- <ListItem>
- <PropertyName>InheritedAddressSpace</PropertyName>
- </ListItem>
- <ListItem>
- <PropertyName>ReadImageFileExecOptions</PropertyName>
- </ListItem>
- <ListItem>
- <PropertyName>BeingDebugged</PropertyName>
- </ListItem>
- <ListItem>
- <PropertyName>ImageUsesLargePages</PropertyName>
- </ListItem>
- <ListItem>
- <PropertyName>IsProtectedProcess</PropertyName>
- </ListItem>
- <ListItem>
- <PropertyName>IsLegacyProcess</PropertyName>
- </ListItem>
- <ListItem>
- <PropertyName>IsImageDynamicallyRelocated</PropertyName>
- </ListItem>
- <ListItem>
- <PropertyName>SkipPatchingUser32Forwarders</PropertyName>
- </ListItem>
- <ListItem>
- <PropertyName>IsPackagedProcess</PropertyName>
- </ListItem>
- <ListItem>
- <PropertyName>IsAppContainer</PropertyName>
- </ListItem>
- <ListItem>
- <Label>Mutant</Label>
- <ScriptBlock>"0x$($_.Mutant.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
- </ListItem>
- <ListItem>
- <Label>ImageBaseAddress</Label>
- <ScriptBlock>"0x$($_.ImageBaseAddress.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
- </ListItem>
- <ListItem>
- <PropertyName>Ldr</PropertyName>
- </ListItem>
- <ListItem>
- <PropertyName>InLoadOrderModuleList</PropertyName>
- </ListItem>
- <ListItem>
- <PropertyName>InMemoryOrderModuleList</PropertyName>
- </ListItem>
- <ListItem>
- <PropertyName>InInitializationOrderModuleList</PropertyName>
- </ListItem>
- <ListItem>
- <PropertyName>ProcessParameters</PropertyName>
- </ListItem>
- <ListItem>
- <Label>SubSystemData</Label>
- <ScriptBlock>"0x$($_.SubSystemData.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
- </ListItem>
- <ListItem>
- <Label>ProcessHeap</Label>
- <ScriptBlock>"0x$($_.ProcessHeap.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
- </ListItem>
- <ListItem>
- <Label>FastPebLock</Label>
- <ScriptBlock>"0x$($_.FastPebLock.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
- </ListItem>
- <ListItem>
- <Label>AtlThunkSListPtr</Label>
- <ScriptBlock>"0x$($_.AtlThunkSListPtr.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
- </ListItem>
- <ListItem>
- <Label>IFEOKey</Label>
- <ScriptBlock>"0x$($_.IFEOKey.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
- </ListItem>
- <ListItem>
- <PropertyName>ProcessInJob</PropertyName>
- </ListItem>
- <ListItem>
- <PropertyName>ProcessInitializing</PropertyName>
- </ListItem>
- <ListItem>
- <PropertyName>ProcessUsingVEH</PropertyName>
- </ListItem>
- <ListItem>
- <PropertyName>ProcessUsingVCH</PropertyName>
- </ListItem>
- <ListItem>
- <PropertyName>ProcessUsingFTH</PropertyName>
- </ListItem>
- <ListItem>
- <Label>KernelCallbackTable</Label>
- <ScriptBlock>"0x$($_.KernelCallbackTable.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
- </ListItem>
- <ListItem>
- <PropertyName>SystemReserved</PropertyName>
- <FormatString>0x{0:X8}</FormatString>
- </ListItem>
- <ListItem>
- <PropertyName>AtlThunkSListPtr32</PropertyName>
- <FormatString>0x{0:X8}</FormatString>
- </ListItem>
- <ListItem>
- <Label>ApiSetMap</Label>
- <ScriptBlock>"0x$($_.ApiSetMap.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
- </ListItem>
- <ListItem>
- <PropertyName>TlsExpansionCounter</PropertyName>
- <FormatString>0x{0:X8}</FormatString>
- </ListItem>
- <ListItem>
- <Label>TlsBitmap</Label>
- <ScriptBlock>"0x$($_.TlsBitmap.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
- </ListItem>
- <ListItem>
- <Label>TlsBitmapBits</Label>
- <ScriptBlock>($_.TlsBitmapBits | % { "0x$($_.ToString('X8'))" }) -join ','</ScriptBlock>
- </ListItem>
- <ListItem>
- <Label>ReadOnlySharedMemoryBase</Label>
- <ScriptBlock>"0x$($_.ReadOnlySharedMemoryBase.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
- </ListItem>
- <ListItem>
- <Label>HotpatchInformation</Label>
- <ScriptBlock>"0x$($_.HotpatchInformation.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
- </ListItem>
- <ListItem>
- <Label>ReadOnlyStaticServerData</Label>
- <ScriptBlock>"0x$($_.ReadOnlyStaticServerData.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
- </ListItem>
- <ListItem>
- <Label>AnsiCodePageData</Label>
- <ScriptBlock>"0x$($_.AnsiCodePageData.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
- </ListItem>
- <ListItem>
- <Label>OemCodePageData</Label>
- <ScriptBlock>"0x$($_.OemCodePageData.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
- </ListItem>
- <ListItem>
- <Label>UnicodeCaseTableData</Label>
- <ScriptBlock>"0x$($_.UnicodeCaseTableData.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
- </ListItem>
- <ListItem>
- <PropertyName>NumberOfProcessors</PropertyName>
- <FormatString>0x{0:X8}</FormatString>
- </ListItem>
- <ListItem>
- <PropertyName>NtGlobalFlag</PropertyName>
- <FormatString>0x{0:X8}</FormatString>
- </ListItem>
- <ListItem>
- <PropertyName>CriticalSectionTimeout</PropertyName>
- <FormatString>0x{0:X16}</FormatString>
- </ListItem>
- <ListItem>
- <Label>HeapSegmentReserve</Label>
- <ScriptBlock>"0x$($_.HeapSegmentReserve.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
- </ListItem>
- <ListItem>
- <Label>HeapSegmentCommit</Label>
- <ScriptBlock>"0x$($_.HeapSegmentCommit.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
- </ListItem>
- <ListItem>
- <Label>HeapDeCommitTotalFreeThreshold</Label>
- <ScriptBlock>"0x$($_.HeapDeCommitTotalFreeThreshold.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
- </ListItem>
- <ListItem>
- <Label>HeapDeCommitFreeBlockThreshold</Label>
- <ScriptBlock>"0x$($_.HeapDeCommitFreeBlockThreshold.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
- </ListItem>
- <ListItem>
- <PropertyName>NumberOfHeaps</PropertyName>
- <FormatString>0x{0:X8}</FormatString>
- </ListItem>
- <ListItem>
- <PropertyName>MaximumNumberOfHeaps</PropertyName>
- <FormatString>0x{0:X8}</FormatString>
- </ListItem>
- <ListItem>
- <Label>ProcessHeaps</Label>
- <ScriptBlock>"0x$($_.ProcessHeaps.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
- </ListItem>
- <ListItem>
- <Label>GdiSharedHandleTable</Label>
- <ScriptBlock>"0x$($_.GdiSharedHandleTable.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
- </ListItem>
- <ListItem>
- <Label>ProcessStarterHelper</Label>
- <ScriptBlock>"0x$($_.ProcessStarterHelper.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
- </ListItem>
- <ListItem>
- <PropertyName>GdiDCAttributeList</PropertyName>
- <FormatString>0x{0:X8}</FormatString>
- </ListItem>
- <ListItem>
- <Label>LoaderLock</Label>
- <ScriptBlock>"0x$($_.LoaderLock.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
- </ListItem>
- <ListItem>
- <PropertyName>OSMajorVersion</PropertyName>
- </ListItem>
- <ListItem>
- <PropertyName>OSMinorVersion</PropertyName>
- </ListItem>
- <ListItem>
- <PropertyName>OSBuildNumber</PropertyName>
- </ListItem>
- <ListItem>
- <PropertyName>OSCSDVersion</PropertyName>
- </ListItem>
- <ListItem>
- <PropertyName>OSPlatformId</PropertyName>
- </ListItem>
- <ListItem>
- <PropertyName>ImageSubsystem</PropertyName>
- </ListItem>
- <ListItem>
- <PropertyName>ImageSubsystemMajorVersion</PropertyName>
- </ListItem>
- <ListItem>
- <PropertyName>ImageSubsystemMinorVersion</PropertyName>
- </ListItem>
- <ListItem>
- <Label>ActiveProcessAffinityMask</Label>
- <ScriptBlock>"0x$($_.ActiveProcessAffinityMask.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
- </ListItem>
- <ListItem>
- <Label>GdiHandleBuffer</Label>
- <ScriptBlock>($_.GdiHandleBuffer | % { "0x$($_.ToString('X8'))" }) -join ','</ScriptBlock>
- </ListItem>
- <ListItem>
- <Label>PostProcessInitRoutine</Label>
- <ScriptBlock>"0x$($_.PostProcessInitRoutine.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
- </ListItem>
- <ListItem>
- <Label>TlsExpansionBitmap</Label>
- <ScriptBlock>"0x$($_.TlsExpansionBitmap.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
- </ListItem>
- <ListItem>
- <Label>TlsExpansionBitmapBits</Label>
- <ScriptBlock>($_.TlsExpansionBitmapBits | % { "0x$($_.ToString('X8'))" }) -join ','</ScriptBlock>
- </ListItem>
- <ListItem>
- <PropertyName>SessionId</PropertyName>
- <FormatString>0x{0:X8}</FormatString>
- </ListItem>
- <ListItem>
- <PropertyName>AppCompatFlags</PropertyName>
- <FormatString>0x{0:X16}</FormatString>
- </ListItem>
- <ListItem>
- <PropertyName>AppCompatFlagsUser</PropertyName>
- <FormatString>0x{0:X16}</FormatString>
- </ListItem>
- <ListItem>
- <Label>pShimData</Label>
- <ScriptBlock>"0x$($_.pShimData.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
- </ListItem>
- <ListItem>
- <PropertyName>AppCompatInfo</PropertyName>
- <FormatString>0x{0:X8}</FormatString>
- </ListItem>
- <ListItem>
- <PropertyName>CSDVersion</PropertyName>
- </ListItem>
- <ListItem>
- <Label>ActivationContextData</Label>
- <ScriptBlock>"0x$($_.ActivationContextData.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
- </ListItem>
- <ListItem>
- <Label>ProcessAssemblyStorageMap</Label>
- <ScriptBlock>"0x$($_.ProcessAssemblyStorageMap.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
- </ListItem>
- <ListItem>
- <Label>SystemDefaultActivationContextData</Label>
- <ScriptBlock>"0x$($_.SystemDefaultActivationContextData.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
- </ListItem>
- <ListItem>
- <Label>SystemAssemblyStorageMap</Label>
- <ScriptBlock>"0x$($_.SystemAssemblyStorageMap.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
- </ListItem>
- <ListItem>
- <Label>MinimumStackCommit</Label>
- <ScriptBlock>"0x$($_.MinimumStackCommit.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
- </ListItem>
- <ListItem>
- <Label>FlsCallback</Label>
- <ScriptBlock>"0x$($_.FlsCallback.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
- </ListItem>
- <ListItem>
- <PropertyName>FlsListHead</PropertyName>
- </ListItem>
- <ListItem>
- <Label>FlsBitmap</Label>
- <ScriptBlock>"0x$($_.FlsBitmap.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
- </ListItem>
- <ListItem>
- <Label>FlsBitmapBits</Label>
- <ScriptBlock>($_.FlsBitmapBits | % { "0x$($_.ToString('X8'))" }) -join ','</ScriptBlock>
- </ListItem>
- <ListItem>
- <PropertyName>FlsHighIndex</PropertyName>
- <FormatString>0x{0:X8}</FormatString>
- </ListItem>
- <ListItem>
- <Label>WerRegistrationData</Label>
- <ScriptBlock>"0x$($_.WerRegistrationData.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
- </ListItem>
- <ListItem>
- <Label>WerShipAssertPtr</Label>
- <ScriptBlock>"0x$($_.WerShipAssertPtr.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
- </ListItem>
- <ListItem>
- <Label>pUnused</Label>
- <ScriptBlock>"0x$($_.pUnused.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
- </ListItem>
- <ListItem>
- <Label>pImageHeaderHash</Label>
- <ScriptBlock>"0x$($_.pImageHeaderHash.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
- </ListItem>
- <ListItem>
- <PropertyName>HeapTracingEnabled</PropertyName>
- </ListItem>
- <ListItem>
- <PropertyName>CritSecTracingEnabled</PropertyName>
- </ListItem>
- <ListItem>
- <PropertyName>LibLoaderTracingEnabled</PropertyName>
- </ListItem>
- <ListItem>
- <PropertyName>CsrServerReadOnlySharedMemoryBase</PropertyName>
- <FormatString>0x{0:X16}</FormatString>
- </ListItem>
- </ListItems>
- </ListEntry>
- </ListEntries>
- </ListControl>
- </View>
- <View>
- <Name>ProcessEnvironmentBlock_Server2003View</Name>
- <ViewSelectedBy>
- <TypeName>PEB.Server2003</TypeName>
- </ViewSelectedBy>
- <ListControl>
- <ListEntries>
- <ListEntry>
- <ListItems>
- <ListItem>
- <PropertyName>ProcessName</PropertyName>
- </ListItem>
- <ListItem>
- <PropertyName>ProcessId</PropertyName>
- </ListItem>
- <ListItem>
- <Label>InheritedAddressSpace</Label>
- <ScriptBlock>if($_.InheritedAddressSpace -eq 0){$False}else{$True}</ScriptBlock>
- </ListItem>
- <ListItem>
- <Label>ReadImageFileExecOptions</Label>
- <ScriptBlock>if($_.ReadImageFileExecOptions -eq 0){$False}else{$True}</ScriptBlock>
- </ListItem>
- <ListItem>
- <Label>BeingDebugged</Label>
- <ScriptBlock>if($_.BeingDebugged -eq 0){$False}else{$True}</ScriptBlock>
- </ListItem>
- <ListItem>
- <PropertyName>ImageUsesLargePages</PropertyName>
- </ListItem>
- <ListItem>
- <Label>Mutant</Label>
- <ScriptBlock>"0x$($_.Mutant.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
- </ListItem>
- <ListItem>
- <Label>ImageBaseAddress</Label>
- <ScriptBlock>"0x$($_.ImageBaseAddress.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
- </ListItem>
- <ListItem>
- <PropertyName>Ldr</PropertyName>
- </ListItem>
- <ListItem>
- <PropertyName>InLoadOrderModuleList</PropertyName>
- </ListItem>
- <ListItem>
- <PropertyName>InMemoryOrderModuleList</PropertyName>
- </ListItem>
- <ListItem>
- <PropertyName>InInitializationOrderModuleList</PropertyName>
- </ListItem>
- <ListItem>
- <PropertyName>ProcessParameters</PropertyName>
- </ListItem>
- <ListItem>
- <Label>SubSystemData</Label>
- <ScriptBlock>"0x$($_.SubSystemData.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
- </ListItem>
- <ListItem>
- <Label>ProcessHeap</Label>
- <ScriptBlock>"0x$($_.ProcessHeap.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
- </ListItem>
- <ListItem>
- <Label>FastPebLock</Label>
- <ScriptBlock>"0x$($_.FastPebLock.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
- </ListItem>
- <ListItem>
- <Label>AtlThunkSListPtr</Label>
- <ScriptBlock>"0x$($_.AtlThunkSListPtr.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
- </ListItem>
- <ListItem>
- <Label>SparePtr2</Label>
- <ScriptBlock>"0x$($_.SparePtr2.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
- </ListItem>
- <ListItem>
- <PropertyName>EnvironmentUpdateCount</PropertyName>
- <FormatString>0x{0:X8}</FormatString>
- </ListItem>
- <ListItem>
- <Label>KernelCallbackTable</Label>
- <ScriptBlock>"0x$($_.KernelCallbackTable.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
- </ListItem>
- <ListItem>
- <PropertyName>SystemReserved</PropertyName>
- <FormatString>0x{0:X8}</FormatString>
- </ListItem>
- <ListItem>
- <PropertyName>AtlThunkSListPtr32</PropertyName>
- <FormatString>0x{0:X8}</FormatString>
- </ListItem>
- <ListItem>
- <Label>ApiSetMap</Label>
- <ScriptBlock>"0x$($_.ApiSetMap.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
- </ListItem>
- <ListItem>
- <PropertyName>TlsExpansionCounter</PropertyName>
- <FormatString>0x{0:X8}</FormatString>
- </ListItem>
- <ListItem>
- <Label>TlsBitmap</Label>
- <ScriptBlock>"0x$($_.TlsBitmap.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
- </ListItem>
- <ListItem>
- <Label>TlsBitmapBits</Label>
- <ScriptBlock>($_.TlsBitmapBits | % { "0x$($_.ToString('X8'))" }) -join ','</ScriptBlock>
- </ListItem>
- <ListItem>
- <Label>ReadOnlySharedMemoryBase</Label>
- <ScriptBlock>"0x$($_.ReadOnlySharedMemoryBase.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
- </ListItem>
- <ListItem>
- <Label>ReadOnlySharedMemoryHeap</Label>
- <ScriptBlock>"0x$($_.ReadOnlySharedMemoryHeap.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
- </ListItem>
- <ListItem>
- <Label>ReadOnlyStaticServerData</Label>
- <ScriptBlock>"0x$($_.ReadOnlyStaticServerData.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
- </ListItem>
- <ListItem>
- <Label>AnsiCodePageData</Label>
- <ScriptBlock>"0x$($_.AnsiCodePageData.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
- </ListItem>
- <ListItem>
- <Label>OemCodePageData</Label>
- <ScriptBlock>"0x$($_.OemCodePageData.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
- </ListItem>
- <ListItem>
- <Label>UnicodeCaseTableData</Label>
- <ScriptBlock>"0x$($_.UnicodeCaseTableData.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
- </ListItem>
- <ListItem>
- <PropertyName>NumberOfProcessors</PropertyName>
- <FormatString>0x{0:X8}</FormatString>
- </ListItem>
- <ListItem>
- <PropertyName>NtGlobalFlag</PropertyName>
- <FormatString>0x{0:X8}</FormatString>
- </ListItem>
- <ListItem>
- <PropertyName>CriticalSectionTimeout</PropertyName>
- <FormatString>0x{0:X16}</FormatString>
- </ListItem>
- <ListItem>
- <Label>HeapSegmentReserve</Label>
- <ScriptBlock>"0x$($_.HeapSegmentReserve.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
- </ListItem>
- <ListItem>
- <Label>HeapSegmentCommit</Label>
- <ScriptBlock>"0x$($_.HeapSegmentCommit.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
- </ListItem>
- <ListItem>
- <Label>HeapDeCommitTotalFreeThreshold</Label>
- <ScriptBlock>"0x$($_.HeapDeCommitTotalFreeThreshold.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
- </ListItem>
- <ListItem>
- <Label>HeapDeCommitFreeBlockThreshold</Label>
- <ScriptBlock>"0x$($_.HeapDeCommitFreeBlockThreshold.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
- </ListItem>
- <ListItem>
- <PropertyName>NumberOfHeaps</PropertyName>
- <FormatString>0x{0:X8}</FormatString>
- </ListItem>
- <ListItem>
- <PropertyName>MaximumNumberOfHeaps</PropertyName>
- <FormatString>0x{0:X8}</FormatString>
- </ListItem>
- <ListItem>
- <Label>ProcessHeaps</Label>
- <ScriptBlock>"0x$($_.ProcessHeaps.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
- </ListItem>
- <ListItem>
- <Label>GdiSharedHandleTable</Label>
- <ScriptBlock>"0x$($_.GdiSharedHandleTable.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
- </ListItem>
- <ListItem>
- <Label>ProcessStarterHelper</Label>
- <ScriptBlock>"0x$($_.ProcessStarterHelper.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
- </ListItem>
- <ListItem>
- <PropertyName>GdiDCAttributeList</PropertyName>
- <FormatString>0x{0:X8}</FormatString>
- </ListItem>
- <ListItem>
- <Label>LoaderLock</Label>
- <ScriptBlock>"0x$($_.LoaderLock.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
- </ListItem>
- <ListItem>
- <PropertyName>OSMajorVersion</PropertyName>
- </ListItem>
- <ListItem>
- <PropertyName>OSMinorVersion</PropertyName>
- </ListItem>
- <ListItem>
- <PropertyName>OSBuildNumber</PropertyName>
- </ListItem>
- <ListItem>
- <PropertyName>OSCSDVersion</PropertyName>
- </ListItem>
- <ListItem>
- <PropertyName>OSPlatformId</PropertyName>
- </ListItem>
- <ListItem>
- <PropertyName>ImageSubsystem</PropertyName>
- </ListItem>
- <ListItem>
- <PropertyName>ImageSubsystemMajorVersion</PropertyName>
- </ListItem>
- <ListItem>
- <PropertyName>ImageSubsystemMinorVersion</PropertyName>
- </ListItem>
- <ListItem>
- <Label>ActiveProcessAffinityMask</Label>
- <ScriptBlock>"0x$($_.ActiveProcessAffinityMask.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
- </ListItem>
- <ListItem>
- <Label>GdiHandleBuffer</Label>
- <ScriptBlock>($_.GdiHandleBuffer | % { "0x$($_.ToString('X8'))" }) -join ','</ScriptBlock>
- </ListItem>
- <ListItem>
- <Label>PostProcessInitRoutine</Label>
- <ScriptBlock>"0x$($_.PostProcessInitRoutine.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
- </ListItem>
- <ListItem>
- <Label>TlsExpansionBitmap</Label>
- <ScriptBlock>"0x$($_.TlsExpansionBitmap.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
- </ListItem>
- <ListItem>
- <Label>TlsExpansionBitmapBits</Label>
- <ScriptBlock>($_.TlsExpansionBitmapBits | % { "0x$($_.ToString('X8'))" }) -join ','</ScriptBlock>
- </ListItem>
- <ListItem>
- <PropertyName>SessionId</PropertyName>
- <FormatString>0x{0:X8}</FormatString>
- </ListItem>
- <ListItem>
- <PropertyName>AppCompatFlags</PropertyName>
- <FormatString>0x{0:X16}</FormatString>
- </ListItem>
- <ListItem>
- <PropertyName>AppCompatFlagsUser</PropertyName>
- <FormatString>0x{0:X16}</FormatString>
- </ListItem>
- <ListItem>
- <Label>pShimData</Label>
- <ScriptBlock>"0x$($_.pShimData.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
- </ListItem>
- <ListItem>
- <PropertyName>AppCompatInfo</PropertyName>
- <FormatString>0x{0:X8}</FormatString>
- </ListItem>
- <ListItem>
- <PropertyName>CSDVersion</PropertyName>
- </ListItem>
- <ListItem>
- <Label>ActivationContextData</Label>
- <ScriptBlock>"0x$($_.ActivationContextData.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
- </ListItem>
- <ListItem>
- <Label>ProcessAssemblyStorageMap</Label>
- <ScriptBlock>"0x$($_.ProcessAssemblyStorageMap.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
- </ListItem>
- <ListItem>
- <Label>SystemDefaultActivationContextData</Label>
- <ScriptBlock>"0x$($_.SystemDefaultActivationContextData.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
- </ListItem>
- <ListItem>
- <Label>SystemAssemblyStorageMap</Label>
- <ScriptBlock>"0x$($_.SystemAssemblyStorageMap.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
- </ListItem>
- <ListItem>
- <Label>MinimumStackCommit</Label>
- <ScriptBlock>"0x$($_.MinimumStackCommit.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
- </ListItem>
- <ListItem>
- <Label>FlsCallback</Label>
- <ScriptBlock>"0x$($_.FlsCallback.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
- </ListItem>
- <ListItem>
- <PropertyName>FlsListHead</PropertyName>
- </ListItem>
- <ListItem>
- <Label>FlsBitmap</Label>
- <ScriptBlock>"0x$($_.FlsBitmap.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
- </ListItem>
- <ListItem>
- <Label>FlsBitmapBits</Label>
- <ScriptBlock>($_.FlsBitmapBits | % { "0x$($_.ToString('X8'))" }) -join ','</ScriptBlock>
- </ListItem>
- <ListItem>
- <PropertyName>FlsHighIndex</PropertyName>
- <FormatString>0x{0:X8}</FormatString>
- </ListItem>
- </ListItems>
- </ListEntry>
- </ListEntries>
- </ListControl>
- </View>
- <View>
- <Name>ProcessEnvironmentBlock_XPView</Name>
- <ViewSelectedBy>
- <TypeName>PEB.XP</TypeName>
- </ViewSelectedBy>
- <ListControl>
- <ListEntries>
- <ListEntry>
- <ListItems>
- <ListItem>
- <PropertyName>ProcessName</PropertyName>
- </ListItem>
- <ListItem>
- <PropertyName>ProcessId</PropertyName>
- </ListItem>
- <ListItem>
- <Label>InheritedAddressSpace</Label>
- <ScriptBlock>if($_.InheritedAddressSpace -eq 0){$False}else{$True}</ScriptBlock>
- </ListItem>
- <ListItem>
- <Label>ReadImageFileExecOptions</Label>
- <ScriptBlock>if($_.ReadImageFileExecOptions -eq 0){$False}else{$True}</ScriptBlock>
- </ListItem>
- <ListItem>
- <Label>BeingDebugged</Label>
- <ScriptBlock>if($_.BeingDebugged -eq 0){$False}else{$True}</ScriptBlock>
- </ListItem>
- <ListItem>
- <Label>Mutant</Label>
- <ScriptBlock>"0x$($_.Mutant.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
- </ListItem>
- <ListItem>
- <Label>ImageBaseAddress</Label>
- <ScriptBlock>"0x$($_.ImageBaseAddress.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
- </ListItem>
- <ListItem>
- <PropertyName>Ldr</PropertyName>
- </ListItem>
- <ListItem>
- <PropertyName>InLoadOrderModuleList</PropertyName>
- </ListItem>
- <ListItem>
- <PropertyName>InMemoryOrderModuleList</PropertyName>
- </ListItem>
- <ListItem>
- <PropertyName>InInitializationOrderModuleList</PropertyName>
- </ListItem>
- <ListItem>
- <PropertyName>ProcessParameters</PropertyName>
- </ListItem>
- <ListItem>
- <Label>SubSystemData</Label>
- <ScriptBlock>"0x$($_.SubSystemData.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
- </ListItem>
- <ListItem>
- <Label>ProcessHeap</Label>
- <ScriptBlock>"0x$($_.ProcessHeap.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
- </ListItem>
- <ListItem>
- <Label>FastPebLock</Label>
- <ScriptBlock>"0x$($_.FastPebLock.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
- </ListItem>
- <ListItem>
- <Label>FastPebLockRoutine</Label>
- <ScriptBlock>"0x$($_.FastPebLockRoutine.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
- </ListItem>
- <ListItem>
- <Label>FastPebUnlockRoutine</Label>
- <ScriptBlock>"0x$($_.FastPebUnlockRoutine.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
- </ListItem>
- <ListItem>
- <PropertyName>EnvironmentUpdateCount</PropertyName>
- <FormatString>0x{0:X8}</FormatString>
- </ListItem>
- <ListItem>
- <Label>KernelCallbackTable</Label>
- <ScriptBlock>"0x$($_.KernelCallbackTable.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
- </ListItem>
- <ListItem>
- <PropertyName>SystemReserved</PropertyName>
- <FormatString>0x{0:X8}</FormatString>
- </ListItem>
- <ListItem>
- <PropertyName>AtlThunkSListPtr32</PropertyName>
- <FormatString>0x{0:X8}</FormatString>
- </ListItem>
- <ListItem>
- <Label>ApiSetMap</Label>
- <ScriptBlock>"0x$($_.ApiSetMap.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
- </ListItem>
- <ListItem>
- <PropertyName>TlsExpansionCounter</PropertyName>
- <FormatString>0x{0:X8}</FormatString>
- </ListItem>
- <ListItem>
- <Label>TlsBitmap</Label>
- <ScriptBlock>"0x$($_.TlsBitmap.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
- </ListItem>
- <ListItem>
- <Label>TlsBitmapBits</Label>
- <ScriptBlock>($_.TlsBitmapBits | % { "0x$($_.ToString('X8'))" }) -join ','</ScriptBlock>
- </ListItem>
- <ListItem>
- <Label>ReadOnlySharedMemoryBase</Label>
- <ScriptBlock>"0x$($_.ReadOnlySharedMemoryBase.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
- </ListItem>
- <ListItem>
- <Label>ReadOnlySharedMemoryHeap</Label>
- <ScriptBlock>"0x$($_.ReadOnlySharedMemoryHeap.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
- </ListItem>
- <ListItem>
- <Label>ReadOnlyStaticServerData</Label>
- <ScriptBlock>"0x$($_.ReadOnlyStaticServerData.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
- </ListItem>
- <ListItem>
- <Label>AnsiCodePageData</Label>
- <ScriptBlock>"0x$($_.AnsiCodePageData.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
- </ListItem>
- <ListItem>
- <Label>OemCodePageData</Label>
- <ScriptBlock>"0x$($_.OemCodePageData.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
- </ListItem>
- <ListItem>
- <Label>UnicodeCaseTableData</Label>
- <ScriptBlock>"0x$($_.UnicodeCaseTableData.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
- </ListItem>
- <ListItem>
- <PropertyName>NumberOfProcessors</PropertyName>
- <FormatString>0x{0:X8}</FormatString>
- </ListItem>
- <ListItem>
- <PropertyName>NtGlobalFlag</PropertyName>
- <FormatString>0x{0:X8}</FormatString>
- </ListItem>
- <ListItem>
- <PropertyName>CriticalSectionTimeout</PropertyName>
- <FormatString>0x{0:X16}</FormatString>
- </ListItem>
- <ListItem>
- <Label>HeapSegmentReserve</Label>
- <ScriptBlock>"0x$($_.HeapSegmentReserve.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
- </ListItem>
- <ListItem>
- <Label>HeapSegmentCommit</Label>
- <ScriptBlock>"0x$($_.HeapSegmentCommit.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
- </ListItem>
- <ListItem>
- <Label>HeapDeCommitTotalFreeThreshold</Label>
- <ScriptBlock>"0x$($_.HeapDeCommitTotalFreeThreshold.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
- </ListItem>
- <ListItem>
- <Label>HeapDeCommitFreeBlockThreshold</Label>
- <ScriptBlock>"0x$($_.HeapDeCommitFreeBlockThreshold.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
- </ListItem>
- <ListItem>
- <PropertyName>NumberOfHeaps</PropertyName>
- <FormatString>0x{0:X8}</FormatString>
- </ListItem>
- <ListItem>
- <PropertyName>MaximumNumberOfHeaps</PropertyName>
- <FormatString>0x{0:X8}</FormatString>
- </ListItem>
- <ListItem>
- <Label>ProcessHeaps</Label>
- <ScriptBlock>"0x$($_.ProcessHeaps.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
- </ListItem>
- <ListItem>
- <Label>GdiSharedHandleTable</Label>
- <ScriptBlock>"0x$($_.GdiSharedHandleTable.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
- </ListItem>
- <ListItem>
- <Label>ProcessStarterHelper</Label>
- <ScriptBlock>"0x$($_.ProcessStarterHelper.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
- </ListItem>
- <ListItem>
- <PropertyName>GdiDCAttributeList</PropertyName>
- <FormatString>0x{0:X8}</FormatString>
- </ListItem>
- <ListItem>
- <Label>LoaderLock</Label>
- <ScriptBlock>"0x$($_.LoaderLock.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
- </ListItem>
- <ListItem>
- <PropertyName>OSMajorVersion</PropertyName>
- </ListItem>
- <ListItem>
- <PropertyName>OSMinorVersion</PropertyName>
- </ListItem>
- <ListItem>
- <PropertyName>OSBuildNumber</PropertyName>
- </ListItem>
- <ListItem>
- <PropertyName>OSCSDVersion</PropertyName>
- </ListItem>
- <ListItem>
- <PropertyName>OSPlatformId</PropertyName>
- </ListItem>
- <ListItem>
- <PropertyName>ImageSubsystem</PropertyName>
- </ListItem>
- <ListItem>
- <PropertyName>ImageSubsystemMajorVersion</PropertyName>
- </ListItem>
- <ListItem>
- <PropertyName>ImageSubsystemMinorVersion</PropertyName>
- </ListItem>
- <ListItem>
- <Label>ActiveProcessAffinityMask</Label>
- <ScriptBlock>"0x$($_.ActiveProcessAffinityMask.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
- </ListItem>
- <ListItem>
- <Label>GdiHandleBuffer</Label>
- <ScriptBlock>($_.GdiHandleBuffer | % { "0x$($_.ToString('X8'))" }) -join ','</ScriptBlock>
- </ListItem>
- <ListItem>
- <Label>PostProcessInitRoutine</Label>
- <ScriptBlock>"0x$($_.PostProcessInitRoutine.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
- </ListItem>
- <ListItem>
- <Label>TlsExpansionBitmap</Label>
- <ScriptBlock>"0x$($_.TlsExpansionBitmap.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
- </ListItem>
- <ListItem>
- <Label>TlsExpansionBitmapBits</Label>
- <ScriptBlock>($_.TlsExpansionBitmapBits | % { "0x$($_.ToString('X8'))" }) -join ','</ScriptBlock>
- </ListItem>
- <ListItem>
- <PropertyName>SessionId</PropertyName>
- <FormatString>0x{0:X8}</FormatString>
- </ListItem>
- <ListItem>
- <PropertyName>AppCompatFlags</PropertyName>
- <FormatString>0x{0:X16}</FormatString>
- </ListItem>
- <ListItem>
- <PropertyName>AppCompatFlagsUser</PropertyName>
- <FormatString>0x{0:X16}</FormatString>
- </ListItem>
- <ListItem>
- <Label>pShimData</Label>
- <ScriptBlock>"0x$($_.pShimData.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
- </ListItem>
- <ListItem>
- <PropertyName>AppCompatInfo</PropertyName>
- <FormatString>0x{0:X8}</FormatString>
- </ListItem>
- <ListItem>
- <PropertyName>CSDVersion</PropertyName>
- </ListItem>
- <ListItem>
- <Label>ActivationContextData</Label>
- <ScriptBlock>"0x$($_.ActivationContextData.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
- </ListItem>
- <ListItem>
- <Label>ProcessAssemblyStorageMap</Label>
- <ScriptBlock>"0x$($_.ProcessAssemblyStorageMap.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
- </ListItem>
- <ListItem>
- <Label>SystemDefaultActivationContextData</Label>
- <ScriptBlock>"0x$($_.SystemDefaultActivationContextData.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
- </ListItem>
- <ListItem>
- <Label>SystemAssemblyStorageMap</Label>
- <ScriptBlock>"0x$($_.SystemAssemblyStorageMap.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
- </ListItem>
- <ListItem>
- <Label>MinimumStackCommit</Label>
- <ScriptBlock>"0x$($_.MinimumStackCommit.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
- </ListItem>
- </ListItems>
- </ListEntry>
- </ListEntries>
- </ListControl>
- </View>
- <View>
- <Name>ProcessEnvironmentBlock_ModuleEntryView</Name>
- <ViewSelectedBy>
- <TypeName>PEB.ModuleEntry</TypeName>
- </ViewSelectedBy>
- <ListControl>
- <ListEntries>
- <ListEntry>
- <ListItems>
- <ListItem>
- <PropertyName>InLoadOrderModuleList</PropertyName>
- </ListItem>
- <ListItem>
- <PropertyName>InMemoryOrderModuleList</PropertyName>
- </ListItem>
- <ListItem>
- <PropertyName>InInitializationOrderModuleList</PropertyName>
- </ListItem>
- <ListItem>
- <Label>BaseAddress</Label>
- <ScriptBlock>"0x$($_.BaseAddress.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
- </ListItem>
- <ListItem>
- <Label>EntryPoint</Label>
- <ScriptBlock>"0x$($_.EntryPoint.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
- </ListItem>
- <ListItem>
- <PropertyName>SizeOfImage</PropertyName>
- <FormatString>0x{0:X8}</FormatString>
- </ListItem>
- <ListItem>
- <PropertyName>FullDllName</PropertyName>
- </ListItem>
- <ListItem>
- <PropertyName>BaseDllName</PropertyName>
- </ListItem>
- <ListItem>
- <PropertyName>PackagedBinary</PropertyName>
- </ListItem>
- <ListItem>
- <PropertyName>ImageDll</PropertyName>
- </ListItem>
- <ListItem>
- <PropertyName>LoadNotificationsSent</PropertyName>
- </ListItem>
- <ListItem>
- <PropertyName>TelemetryEntryProcessed</PropertyName>
- </ListItem>
- <ListItem>
- <PropertyName>ProcessStaticImport</PropertyName>
- </ListItem>
- <ListItem>
- <PropertyName>InLegacyLists</PropertyName>
- </ListItem>
- <ListItem>
- <PropertyName>InIndexes</PropertyName>
- </ListItem>
- <ListItem>
- <PropertyName>ShimDll</PropertyName>
- </ListItem>
- <ListItem>
- <PropertyName>InExceptionTable</PropertyName>
- </ListItem>
- <ListItem>
- <PropertyName>LoadInProgress</PropertyName>
- </ListItem>
- <ListItem>
- <PropertyName>EntryProcessed</PropertyName>
- </ListItem>
- <ListItem>
- <PropertyName>DontCallForThreads</PropertyName>
- </ListItem>
- <ListItem>
- <PropertyName>ProcessAttachCalled</PropertyName>
- </ListItem>
- <ListItem>
- <PropertyName>ProcessAttachFailed</PropertyName>
- </ListItem>
- <ListItem>
- <PropertyName>CorDeferredValidate</PropertyName>
- </ListItem>
- <ListItem>
- <PropertyName>CorImage</PropertyName>
- </ListItem>
- <ListItem>
- <PropertyName>DontRelocate</PropertyName>
- </ListItem>
- <ListItem>
- <PropertyName>CorILOnly</PropertyName>
- </ListItem>
- <ListItem>
- <PropertyName>Redirected</PropertyName>
- </ListItem>
- <ListItem>
- <PropertyName>CompatDatabaseProcessed</PropertyName>
- </ListItem>
- <ListItem>
- <PropertyName>ObsoleteLoadCount</PropertyName>
- <FormatString>0x{0:X4}</FormatString>
- </ListItem>
- <ListItem>
- <PropertyName>TlsIndex</PropertyName>
- <FormatString>0x{0:X4}</FormatString>
- </ListItem>
- <ListItem>
- <PropertyName>HashLinks</PropertyName>
- </ListItem>
- <ListItem>
- <PropertyName>TimeDateStamp</PropertyName>
- </ListItem>
- <ListItem>
- <Label>EntryPointActivationContext</Label>
- <ScriptBlock>"0x$($_.EntryPointActivationContext.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
- </ListItem>
- <ListItem>
- <Label>PatchInformation</Label>
- <ScriptBlock>"0x$($_.PatchInformation.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
- </ListItem>
- <ListItem>
- <Label>DdagNode</Label>
- <ScriptBlock>"0x$($_.DdagNode.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
- </ListItem>
- <ListItem>
- <PropertyName>NodeModuleLink</PropertyName>
- </ListItem>
- <ListItem>
- <Label>SnapContext</Label>
- <ScriptBlock>"0x$($_.SnapContext.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
- </ListItem>
- <ListItem>
- <Label>ParentDllBase</Label>
- <ScriptBlock>"0x$($_.ParentDllBase.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
- </ListItem>
- <ListItem>
- <Label>SwitchBackContext</Label>
- <ScriptBlock>"0x$($_.SwitchBackContext.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
- </ListItem>
- <ListItem>
- <PropertyName>BaseAddressIndexNode</PropertyName>
- </ListItem>
- <ListItem>
- <PropertyName>MappingInfoIndexNode</PropertyName>
- </ListItem>
- <ListItem>
- <Label>OriginalBase</Label>
- <ScriptBlock>"0x$($_.OriginalBase.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
- </ListItem>
- <ListItem>
- <PropertyName>LoadTime</PropertyName>
- <FormatString>0x{0:X16}</FormatString>
- </ListItem>
- <ListItem>
- <PropertyName>BaseNameHashValue</PropertyName>
- <FormatString>0x{0:X8}</FormatString>
- </ListItem>
- <ListItem>
- <PropertyName>LoadReason</PropertyName>
- </ListItem>
- </ListItems>
- </ListEntry>
- </ListEntries>
- </ListControl>
- </View>
- <View>
- <Name>ProcessParameters</Name>
- <ViewSelectedBy>
- <TypeName>PEB.ProcessParameters</TypeName>
- </ViewSelectedBy>
- <ListControl>
- <ListEntries>
- <ListEntry>
- <ListItems>
- <ListItem>
- <PropertyName>MaximumLength</PropertyName>
- <FormatString>0x{0:X8}</FormatString>
- </ListItem>
- <ListItem>
- <PropertyName>Length</PropertyName>
- <FormatString>0x{0:X8}</FormatString>
- </ListItem>
- <ListItem>
- <PropertyName>Flags</PropertyName>
- <FormatString>0x{0:X8}</FormatString>
- </ListItem>
- <ListItem>
- <PropertyName>DebugFlags</PropertyName>
- <FormatString>0x{0:X8}</FormatString>
- </ListItem>
- <ListItem>
- <Label>ConsoleHandle</Label>
- <ScriptBlock>"0x$($_.ConsoleHandle.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
- </ListItem>
- <ListItem>
- <PropertyName>ConsoleFlags</PropertyName>
- <FormatString>0x{0:X8}</FormatString>
- </ListItem>
- <ListItem>
- <Label>StandardInput</Label>
- <ScriptBlock>"0x$($_.StandardInput.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
- </ListItem>
- <ListItem>
- <Label>StandardOutput</Label>
- <ScriptBlock>"0x$($_.StandardOutput.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
- </ListItem>
- <ListItem>
- <Label>StandardError</Label>
- <ScriptBlock>"0x$($_.StandardError.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
- </ListItem>
- <ListItem>
- <PropertyName>CurrentDirectory</PropertyName>
- </ListItem>
- <ListItem>
- <PropertyName>DllPath</PropertyName>
- </ListItem>
- <ListItem>
- <PropertyName>ImagePathName</PropertyName>
- </ListItem>
- <ListItem>
- <PropertyName>CommandLine</PropertyName>
- </ListItem>
- <ListItem>
- <Label>Environment</Label>
- <ScriptBlock>"0x$($_.Environment.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
- </ListItem>
- <ListItem>
- <PropertyName>StartingX</PropertyName>
- <FormatString>0x{0:X8}</FormatString>
- </ListItem>
- <ListItem>
- <PropertyName>StartingY</PropertyName>
- <FormatString>0x{0:X8}</FormatString>
- </ListItem>
- <ListItem>
- <PropertyName>CountX</PropertyName>
- <FormatString>0x{0:X8}</FormatString>
- </ListItem>
- <ListItem>
- <PropertyName>CountY</PropertyName>
- <FormatString>0x{0:X8}</FormatString>
- </ListItem>
- <ListItem>
- <PropertyName>CountCharsX</PropertyName>
- <FormatString>0x{0:X8}</FormatString>
- </ListItem>
- <ListItem>
- <PropertyName>CountCharsY</PropertyName>
- <FormatString>0x{0:X8}</FormatString>
- </ListItem>
- <ListItem>
- <PropertyName>FillAttribute</PropertyName>
- <FormatString>0x{0:X8}</FormatString>
- </ListItem>
- <ListItem>
- <PropertyName>WindowFlags</PropertyName>
- <FormatString>0x{0:X8}</FormatString>
- </ListItem>
- <ListItem>
- <PropertyName>ShowWindowFlags</PropertyName>
- <FormatString>0x{0:X8}</FormatString>
- </ListItem>
- <ListItem>
- <PropertyName>WindowTitle</PropertyName>
- </ListItem>
- <ListItem>
- <PropertyName>DesktopInfo</PropertyName>
- </ListItem>
- <ListItem>
- <PropertyName>ShellInfo</PropertyName>
- </ListItem>
- <ListItem>
- <PropertyName>RuntimeData</PropertyName>
- </ListItem>
- </ListItems>
- </ListEntry>
- </ListEntries>
- </ListControl>
- </View>
- </ViewDefinitions>
-</Configuration>
diff --git a/ReverseEngineering/Get-PEB.ps1 b/ReverseEngineering/Get-PEB.ps1
deleted file mode 100644
index 7ec5089..0000000
--- a/ReverseEngineering/Get-PEB.ps1
+++ /dev/null
@@ -1,1092 +0,0 @@
-function Get-PEB
-{
-<#
-.SYNOPSIS
-
-Returns the process environment block (PEB) of a process.
-
-PowerSploit Function: Get-PEB
-Author: Matthew Graeber (@mattifestation)
-License: BSD 3-Clause
-Required Dependencies: None
-Optional Dependencies: Get-PEB.format.ps1xml
-
-.DESCRIPTION
-
-Get-PEB returns a fully parsed process environment block (PEB) of any process. Because the PEB and its underlying structure differ according to OS version and architecture, Get-PEB builds the PEB dynamically at runtime. Get-PEB is designed to work in Windows XP - Windows 8 32/64-bit. It will also return the PEB of Wow64 processes.
-
-.PARAMETER Id
-
-The process ID of the process whose PEB will be retrieved.
-
-.EXAMPLE
-
-C:\PS> $AllPEBs = Get-Process | Get-PEB
-
-Description
------------
-Get the PEB of every process. Note: To get the PEBs for all processes, run this command from an elevated instance of PowerShell
-
-.EXAMPLE
-
-C:\PS> $NotepadPEB = Get-PEB -Id (ps notepad)
-C:\PS> $NotepadPEB.InInitializationOrderModuleList
-
-Description
------------
-Display all loaded modules of the notepad process in initialization order.
-
-.NOTES
-
-Some processes will not issue a handle unless you are running Get-PEB from an elevated instance of PowerShell.
-
-.LINK
-
-http://www.exploit-monday.com/2013/01/Get-PEB.html
-http://msdn.microsoft.com/en-us/library/windows/desktop/aa813706(v=vs.85).aspx
-#>
-
- [CmdletBinding()] Param (
- [Parameter(Position = 0, Mandatory = $True, ValueFromPipelineByPropertyName = $True)]
- [Alias('PID')]
- [UInt16[]]
- $Id
- )
-
- BEGIN
- {
- Set-StrictMode -Version 2
-
- $mscorlib = [AppDomain]::CurrentDomain.GetAssemblies() | ? { $_.FullName.Split(',')[0].ToLower() -eq 'mscorlib' }
- $Win32Native = $mscorlib.GetTypes() | ? { $_.FullName -eq 'Microsoft.Win32.Win32Native' }
-
- if ($Win32Native -eq $null)
- {
- throw 'Unable to get a reference to type: Microsoft.Win32.Win32Native'
- }
-
- function Local:Get-NTStatusException
- {
- [CmdletBinding()] Param (
- [Parameter(Position = 0, Mandatory = $True, ValueFromPipeline = $True)]
- [Int32[]]
- $ErrorCode
- )
-
- BEGIN
- {
- $LsaNtStatusToWinError = $Win32Native.GetMethod('LsaNtStatusToWinError', [Reflection.BindingFlags] 'NonPublic, Static')
- $GetMessage = $Win32Native.GetMethod('GetMessage', [Reflection.BindingFlags] 'NonPublic, Static')
- }
- PROCESS
- {
- foreach ($Error in $ErrorCode)
- {
- $WinErrorCode = $LsaNtStatusToWinError.Invoke($null, @($ErrorCode))
-
- Write-Output $GetMessage.Invoke($null, @($WinErrorCode))
- }
- }
- END{}
- }
-
- # The return value from Get-WindowsNTDDIVersion will be compared against these values to determine the structure of the PEB.
- $NTDDI_VISTA = 0x06000000
- $NTDDI_WS03 = 0x05020000
- $NTDDI_WINXP = 0x05010000
-
- function Local:Get-WindowsNTDDIVersion
- {
- # Return Windows version information as NTDDI_VERSION as defined in SdkDdkVer.h
- # This will aid in determining version specific PEB fields to return
- # Could this be accomplished with `Get-WmiObject Win32_OperatingSystem`? Yes, but I prefer not rely upon services that might be turned off.
- $OSVersionInfoEx = $Win32Native.GetNestedTypes('NonPublic') | ? { $_.FullName -eq 'Microsoft.Win32.Win32Native+OSVERSIONINFOEX' }
-
- if ($OSVersionInfoEx -eq $null)
- {
- Write-Error "Unable to get a reference to kernel32!OSVersionInfoEx."
- return
- }
-
- $MajorVersion = $OSVersionInfoEx.GetField('MajorVersion', [Reflection.BindingFlags] 'NonPublic, Instance')
- $MinorVersion = $OSVersionInfoEx.GetField('MinorVersion', [Reflection.BindingFlags] 'NonPublic, Instance')
- $ServicePackMajor = $OSVersionInfoEx.GetField('ServicePackMajor', [Reflection.BindingFlags] 'NonPublic, Instance')
- $ServicePackMinor = $OSVersionInfoEx.GetField('ServicePackMinor', [Reflection.BindingFlags] 'NonPublic, Instance')
- $ProductTypeField = $OSVersionInfoEx.GetField('ProductType', [Reflection.BindingFlags] 'NonPublic, Instance')
-
- $OSVersionInfoContructor = $OSVersionInfoEx.GetConstructors()[0]
- $OSVersionEx = $OSVersionInfoContructor.Invoke($null)
- # This version is present in .NET 2
- $GetVersionEx = $Win32Native.GetMethod('GetVersionEx', [Reflection.BindingFlags] 'NonPublic, Static', $null, @($OSVersionInfoEx), $null)
- if ($GetVersionEx -eq $null)
- {
- # This version is present in .NET 4
- $GetVersionEx = [Environment].GetMethod('GetVersionEx', [Reflection.BindingFlags] 'NonPublic, Static', $null, @($OSVersionInfoEx), $null)
- }
- if ($GetVersionEx -eq $null)
- {
- Write-Error "Unable to get a reference to GetVersionEx method."
- return
- }
- $Success = $GetVersionEx.Invoke($null, @($OSVersionEx))
-
- if (-not $Success)
- {
- Write-Error ([ComponentModel.Win32Exception][Runtime.InteropServices.Marshal]::GetLastWin32Error())
- return
- }
-
- # Build the version string
- $Version = [Int32] "0x$($MajorVersion.GetValue($OSVersionEx).ToString('D2'))$($MinorVersion.GetValue($OSVersionEx).ToString('D2'))$($ServicePackMajor.GetValue($OSVersionEx).ToString('D2'))$($ServicePackMinor.GetValue($OSVersionEx).ToString('D2'))"
- $ProductType = $ProductTypeField.GetValue($OSVersionEx)
-
- if ($Version -lt $NTDDI_WINXP)
- {
- throw 'Could not determine the correct Windows version! Windows ME, Windows 3.1, and OS/2 Warp are not supported. :P'
- }
-
- Write-Output $Version
- }
-
- $NTDDI_VERSION = Get-WindowsNTDDIVersion
-
- try { $NativeMethods = @([AppDomain]::CurrentDomain.GetAssemblies() | % { $_.GetTypes() } | ? { $_.FullName -eq 'Microsoft.Win32.NativeMethods' })[0] } catch {}
- $NtProcessBasicInfo = $NativeMethods.GetNestedType('NtProcessBasicInfo', [Reflection.BindingFlags]::NonPublic)
- $NtProcessBasicInfoConstructor = $NtProcessBasicInfo.GetConstructors()[0]
- $ProcessBasicInfo = $NtProcessBasicInfoConstructor.Invoke($null)
-
- $GetProcessHandle = [Diagnostics.Process].GetMethod('GetProcessHandle', [Reflection.BindingFlags] 'NonPublic, Instance', $null, @([Int]), $null)
- $PROCESS_QUERY_INFORMATION = 0x400
- $PROCESS_VM_READ = 0x0010
-
- # Sanity check to make sure that we can proceed. Without proper references, a call to NtQueryInformationProcess will crash PowerShell.
- if ($ProcessBasicInfo -eq $null)
- {
- Write-Error "Unable to get a reference to ProcessBasicInfo."
- return
- }
-
- $MEMORY_BASIC_INFORMATION = $Win32Native.GetNestedType('MEMORY_BASIC_INFORMATION', [Reflection.BindingFlags] 'NonPublic')
-
- if ($MEMORY_BASIC_INFORMATION -eq $null)
- {
- Write-Error 'Unable to get a reference to the MEMORY_BASIC_INFORMATION structure.'
- return
- }
-
- $OSArchitecture = [Int](Get-WmiObject Win32_OperatingSystem).OSArchitecture.Split('-')[0]
-
- try { $NativeUtils = [NativeUtils] } catch [Management.Automation.RuntimeException] # Only build the assembly if it hasn't already been defined
- {
- $DynAssembly = New-Object Reflection.AssemblyName('MemHacker')
- $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly($DynAssembly, [Reflection.Emit.AssemblyBuilderAccess]::Run)
- $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule('MemHacker', $False)
- $Attributes = 'AutoLayout, AnsiClass, Class, Public, SequentialLayout, Sealed, BeforeFieldInit'
- $TypeBuilder = $ModuleBuilder.DefineType('NativeUtils', $Attributes, [ValueType])
- $TypeBuilder.DefinePInvokeMethod('ReadProcessMemory', 'kernel32.dll', [Reflection.MethodAttributes] 'Public, Static', [Reflection.CallingConventions]::Standard, [Bool], @([IntPtr], [IntPtr], [IntPtr], [UInt32], [UInt32].MakeByRefType()), [Runtime.InteropServices.CallingConvention]::Winapi, 'Auto') | Out-Null
- $TypeBuilder.DefinePInvokeMethod('VirtualQueryEx', 'kernel32.dll', [Reflection.MethodAttributes] 'Public, Static', [Reflection.CallingConventions]::Standard, [UInt32], @([IntPtr], [IntPtr], $MEMORY_BASIC_INFORMATION.MakeByRefType(), [UInt32]), [Runtime.InteropServices.CallingConvention]::Winapi, 'Auto') | Out-Null
- if ($OSArchitecture -eq 64)
- {
- $TypeBuilder.DefinePInvokeMethod('IsWow64Process', 'kernel32.dll', [Reflection.MethodAttributes] 'Public, Static', [Reflection.CallingConventions]::Standard, [Bool], @([IntPtr], [Bool].MakeByRefType()), [Runtime.InteropServices.CallingConvention]::Winapi, 'Auto') | Out-Null
- }
- $TypeBuilder.DefinePInvokeMethod('NtQueryInformationProcess', 'ntdll.dll', [Reflection.MethodAttributes] 'Public, Static', [Reflection.CallingConventions]::Standard, [UInt32], @([IntPtr], [Int], $NtProcessBasicInfo, [Int], [IntPtr]), [Runtime.InteropServices.CallingConvention]::Winapi, 'Auto') | Out-Null
- $NativeUtils = $TypeBuilder.CreateType()
- }
-
- #region Determine OS/Process/PowerShell bitness
-
- # Get PowerShell's bit-ness accordingly to [IntPtr]::Size. The bitness of PowerShell is used as the basis for determining
- # the bitness of the processes you're interested in. For example, calling Get-Process from 32-bit PowerShell will only
- # return 32-bit processes. Get-Process on 64-bit PowerShell however will return 64-bit and Wow64 processes.
- if ([IntPtr]::Size -eq 4)
- {
- $PowerShellArchitecture = 32
- }
- else
- {
- $PowerShellArchitecture = 64
- }
- #endregion
-
- #region Build PEB structure dynamically
- try
- {
- $PEBStruct = [_PEB]
- $UnicodeStringStruct = [_UNICODE_STRING]
- $ProcessParametersStruct = [_RTL_USER_PROCESS_PARAMETERS]
- $ListEntryStruct = [_LIST_ENTRY]
- $LdrDataStruct = [_PEB_LDR_DATA]
- $BalancedNodeStruct = [_RTL_BALANCED_NODE]
- $LoadReasonEnum = [_LDR_DLL_LOAD_REASON]
- $LdrModuleStruct = [_LDR_DATA_TABLE_ENTRY]
- }
- catch
- {
- # Note: Once this strcuture is built, it cannot be rebuilt or unloaded without restarting PowerShell
- $DynAssembly = New-Object Reflection.AssemblyName('PEBTools')
- $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly($DynAssembly, [Reflection.Emit.AssemblyBuilderAccess]::Run)
- $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule('PEBModule', $False)
- $Attributes = 'AutoLayout, AnsiClass, Class, Public, SequentialLayout, Sealed, BeforeFieldInit'
- $TypeBuilder = $ModuleBuilder.DefineType('_PEB', $Attributes, [ValueType])
-
- $ConstructorInfo = [Runtime.InteropServices.MarshalAsAttribute].GetConstructors()[0]
- $ConstructorValue = [Runtime.InteropServices.UnmanagedType]::ByValArray
- $FieldArray = @([Runtime.InteropServices.MarshalAsAttribute].GetField('SizeConst'))
-
- # Build type for _UNICODE_STRING
- $UnicodeTypeBuilder = $ModuleBuilder.DefineType('_UNICODE_STRING', $Attributes, [ValueType])
- $UnicodeTypeBuilder.DefineField('Length', [UInt16], 'Public') | Out-Null
- $UnicodeTypeBuilder.DefineField('MaximumLength', [UInt16], 'Public') | Out-Null
- $UnicodeTypeBuilder.DefineField('Buffer', [IntPtr], 'Public') | Out-Null
- $UnicodeStringStruct = $UnicodeTypeBuilder.CreateType()
-
- # Build type for _RTL_USER_PROCESS_PARAMETERS
- $ProcParamTypeBuilder = $ModuleBuilder.DefineType('_RTL_USER_PROCESS_PARAMETERS', $Attributes, [ValueType], 4)
- $ProcParamTypeBuilder.DefineField('MaximumLength', [UInt32], 'Public') | Out-Null
- $ProcParamTypeBuilder.DefineField('Length', [UInt32], 'Public') | Out-Null
- $ProcParamTypeBuilder.DefineField('Flags', [UInt32], 'Public') | Out-Null
- $ProcParamTypeBuilder.DefineField('DebugFlags', [UInt32], 'Public') | Out-Null
- $ProcParamTypeBuilder.DefineField('ConsoleHandle', [IntPtr], 'Public') | Out-Null
- $ProcParamTypeBuilder.DefineField('ConsoleFlags', [UInt32], 'Public') | Out-Null
- $ProcParamTypeBuilder.DefineField('StandardInput', [IntPtr], 'Public') | Out-Null
- $ProcParamTypeBuilder.DefineField('StandardOutput', [IntPtr], 'Public') | Out-Null
- $ProcParamTypeBuilder.DefineField('StandardError', [IntPtr], 'Public') | Out-Null
- $ProcParamTypeBuilder.DefineField('CurrentDirectory', $UnicodeStringStruct, 'Public') | Out-Null
- $ProcParamTypeBuilder.DefineField('CurrentDirectoryHandle', [IntPtr], 'Public') | Out-Null
- $ProcParamTypeBuilder.DefineField('DllPath', $UnicodeStringStruct, 'Public') | Out-Null
- $ProcParamTypeBuilder.DefineField('ImagePathName', $UnicodeStringStruct, 'Public') | Out-Null
- $ProcParamTypeBuilder.DefineField('CommandLine', $UnicodeStringStruct, 'Public') | Out-Null
- $ProcParamTypeBuilder.DefineField('Environment', [IntPtr], 'Public') | Out-Null
- $ProcParamTypeBuilder.DefineField('StartingX', [UInt32], 'Public') | Out-Null
- $ProcParamTypeBuilder.DefineField('StartingY', [UInt32], 'Public') | Out-Null
- $ProcParamTypeBuilder.DefineField('CountX', [UInt32], 'Public') | Out-Null
- $ProcParamTypeBuilder.DefineField('CountY', [UInt32], 'Public') | Out-Null
- $ProcParamTypeBuilder.DefineField('CountCharsX', [UInt32], 'Public') | Out-Null
- $ProcParamTypeBuilder.DefineField('CountCharsY', [UInt32], 'Public') | Out-Null
- $ProcParamTypeBuilder.DefineField('FillAttribute', [UInt32], 'Public') | Out-Null
- $ProcParamTypeBuilder.DefineField('WindowFlags', [UInt32], 'Public') | Out-Null
- $ProcParamTypeBuilder.DefineField('ShowWindowFlags', [UInt32], 'Public') | Out-Null
- $ProcParamTypeBuilder.DefineField('WindowTitle', $UnicodeStringStruct, 'Public') | Out-Null
- $ProcParamTypeBuilder.DefineField('DesktopInfo', $UnicodeStringStruct, 'Public') | Out-Null
- $ProcParamTypeBuilder.DefineField('ShellInfo', $UnicodeStringStruct, 'Public') | Out-Null
- $ProcParamTypeBuilder.DefineField('RuntimeData', $UnicodeStringStruct, 'Public') | Out-Null
- $ProcessParametersStruct = $ProcParamTypeBuilder.CreateType()
-
- # Build type for _LIST_ENTRY
- $ListEntryTypeBuilder = $ModuleBuilder.DefineType('_LIST_ENTRY', $Attributes, [System.ValueType])
- $ListEntryTypeBuilder.DefineField('Flink', [IntPtr], 'Public') | Out-Null
- $ListEntryTypeBuilder.DefineField('Blink', [IntPtr], 'Public') | Out-Null
- $ListEntryStruct = $ListEntryTypeBuilder.CreateType()
-
- # Build type for _PEB_LDR_DATA
- $PEBLdrDataTypeBuilder = $ModuleBuilder.DefineType('_PEB_LDR_DATA', $Attributes, [System.ValueType])
- $PEBLdrDataTypeBuilder.DefineField('Length', [UInt32], 'Public') | Out-Null
- $InitializedField = $PEBLdrDataTypeBuilder.DefineField('Initialized', [Byte[]], 'Public')
- $AttribBuilder = New-Object Reflection.Emit.CustomAttributeBuilder($ConstructorInfo, $ConstructorValue, $FieldArray, @([Int32] 4))
- $InitializedField.SetCustomAttribute($AttribBuilder)
- $PEBLdrDataTypeBuilder.DefineField('SsHandle', [IntPtr], 'Public') | Out-Null
- $PEBLdrDataTypeBuilder.DefineField('InLoadOrderModuleList', [_LIST_ENTRY], 'Public') | Out-Null
- $PEBLdrDataTypeBuilder.DefineField('InMemoryOrderModuleList', [_LIST_ENTRY], 'Public') | Out-Null
- $PEBLdrDataTypeBuilder.DefineField('InInitializationOrderModuleList', [_LIST_ENTRY], 'Public') | Out-Null
- $PEBLdrDataTypeBuilder.DefineField('EntryInProgress', [IntPtr], 'Public') | Out-Null
- $ShutdownInProgressField = $PEBLdrDataTypeBuilder.DefineField('ShutdownInProgress', [Byte[]], 'Public')
- $AttribBuilder = New-Object Reflection.Emit.CustomAttributeBuilder($ConstructorInfo, $ConstructorValue, $FieldArray, @([Int32] 2))
- $ShutdownInProgressField.SetCustomAttribute($AttribBuilder)
- $PEBLdrDataTypeBuilder.DefineField('ShutdownThreadId', [IntPtr], 'Public') | Out-Null
- $LdrDataStruct = $PEBLdrDataTypeBuilder.CreateType()
-
- # Build type for _RTL_BALANCED_NODE
- $BalancedNodeTypeBuilder = $ModuleBuilder.DefineType('_RTL_BALANCED_NODE', $Attributes, [System.ValueType])
- $BalancedNodeTypeBuilder.DefineField('Left', [IntPtr], 'Public') | Out-Null
- $BalancedNodeTypeBuilder.DefineField('Right', [IntPtr], 'Public') | Out-Null
- if ($PowerShellArchitecture -eq 64) { $BalancedNodeTypeBuilder.DefineField('ParentValue', [UInt64], 'Public') | Out-Null }
- else { $BalancedNodeTypeBuilder.DefineField('ParentValue', [UInt32], 'Public') | Out-Null }
- $BalancedNodeStruct = $BalancedNodeTypeBuilder.CreateType()
-
- # Build type for _LDR_DLL_LOAD_REASON enum
- $EnumBuilder = $ModuleBuilder.DefineEnum('_LDR_DLL_LOAD_REASON', 'Public', [Int32])
- # Define values of the enum
- $EnumBuilder.DefineLiteral('StaticDependency', [Int32] 0) | Out-Null
- $EnumBuilder.DefineLiteral('StaticForwarderDependency', [Int32] 1) | Out-Null
- $EnumBuilder.DefineLiteral('DynamicForwarderDependency', [Int32] 2) | Out-Null
- $EnumBuilder.DefineLiteral('DelayloadDependency', [Int32] 3) | Out-Null
- $EnumBuilder.DefineLiteral('DynamicLoad', [Int32] 4) | Out-Null
- $EnumBuilder.DefineLiteral('AsImageLoad', [Int32] 5) | Out-Null
- $EnumBuilder.DefineLiteral('AsDataLoad', [Int32] 6) | Out-Null
- $EnumBuilder.DefineLiteral('Unknown', [Int32] -1) | Out-Null
- $LoadReasonEnum = $EnumBuilder.CreateType()
-
- # Build type for _LDR_DATA_TABLE_ENTRY
- $PEBLdrModuleTypeBuilder = $ModuleBuilder.DefineType('_LDR_DATA_TABLE_ENTRY', $Attributes, [System.ValueType])
- $PEBLdrModuleTypeBuilder.DefineField('InLoadOrderModuleList', [_LIST_ENTRY], 'Public') | Out-Null
- $PEBLdrModuleTypeBuilder.DefineField('InMemoryOrderModuleList', [_LIST_ENTRY], 'Public') | Out-Null
- $PEBLdrModuleTypeBuilder.DefineField('InInitializationOrderModuleList', [_LIST_ENTRY], 'Public') | Out-Null
- $PEBLdrModuleTypeBuilder.DefineField('BaseAddress', [IntPtr], 'Public') | Out-Null
- $PEBLdrModuleTypeBuilder.DefineField('EntryPoint', [IntPtr], 'Public') | Out-Null
- $PEBLdrModuleTypeBuilder.DefineField('SizeOfImage', [UInt32], 'Public') | Out-Null
- $PEBLdrModuleTypeBuilder.DefineField('FullDllName', [_UNICODE_STRING], 'Public') | Out-Null
- $PEBLdrModuleTypeBuilder.DefineField('BaseDllName', [_UNICODE_STRING], 'Public') | Out-Null
- $PEBLdrModuleTypeBuilder.DefineField('Flags', [UInt32], 'Public') | Out-Null
- $PEBLdrModuleTypeBuilder.DefineField('ObsoleteLoadCount', [UInt16], 'Public') | Out-Null
- $PEBLdrModuleTypeBuilder.DefineField('TlsIndex', [UInt16], 'Public') | Out-Null
- $PEBLdrModuleTypeBuilder.DefineField('HashLinks', [_LIST_ENTRY], 'Public') | Out-Null
- $PEBLdrModuleTypeBuilder.DefineField('TimeDateStamp', [UInt32], 'Public') | Out-Null
- $PEBLdrModuleTypeBuilder.DefineField('EntryPointActivationContext', [IntPtr], 'Public') | Out-Null
- $PEBLdrModuleTypeBuilder.DefineField('PatchInformation', [IntPtr], 'Public') | Out-Null
- $PEBLdrModuleTypeBuilder.DefineField('DdagNode', [IntPtr], 'Public') | Out-Null
- $PEBLdrModuleTypeBuilder.DefineField('NodeModuleLink', [_LIST_ENTRY], 'Public') | Out-Null
- $PEBLdrModuleTypeBuilder.DefineField('SnapContext', [IntPtr], 'Public') | Out-Null
- $PEBLdrModuleTypeBuilder.DefineField('ParentDllBase', [IntPtr], 'Public') | Out-Null
- $PEBLdrModuleTypeBuilder.DefineField('SwitchBackContext', [IntPtr], 'Public') | Out-Null
- $PEBLdrModuleTypeBuilder.DefineField('BaseAddressIndexNode', [_RTL_BALANCED_NODE], 'Public') | Out-Null
- $PEBLdrModuleTypeBuilder.DefineField('MappingInfoIndexNode', [_RTL_BALANCED_NODE], 'Public') | Out-Null
- if ($PowerShellArchitecture -eq 64) { $PEBLdrModuleTypeBuilder.DefineField('OriginalBase', [UInt64], 'Public') | Out-Null }
- else { $PEBLdrModuleTypeBuilder.DefineField('OriginalBase', [UInt32], 'Public') | Out-Null }
- $PEBLdrModuleTypeBuilder.DefineField('LoadTime', [UInt64], 'Public') | Out-Null
- $PEBLdrModuleTypeBuilder.DefineField('BaseNameHashValue', [UInt32], 'Public') | Out-Null
- $PEBLdrModuleTypeBuilder.DefineField('LoadReason', [_LDR_DLL_LOAD_REASON], 'Public') | Out-Null
- $LdrModuleStruct = $PEBLdrModuleTypeBuilder.CreateType()
-
- $TypeBuilder.DefineField('InheritedAddressSpace', [Byte], 'Public') | Out-Null
- $TypeBuilder.DefineField('ReadImageFileExecOptions', [Byte], 'Public') | Out-Null
- $TypeBuilder.DefineField('BeingDebugged', [Byte], 'Public') | Out-Null
- $TypeBuilder.DefineField('BitField', [Byte], 'Public') | Out-Null
- if ($PowerShellArchitecture -eq 64) { $TypeBuilder.DefineField('Reserved3', [UInt32], 'Public, HasFieldMarshal') | Out-Null }
- $TypeBuilder.DefineField('Mutant', [IntPtr], 'Public') | Out-Null
- $TypeBuilder.DefineField('ImageBaseAddress', [IntPtr], 'Public') | Out-Null
- $TypeBuilder.DefineField('Ldr', [IntPtr], 'Public') | Out-Null
- $TypeBuilder.DefineField('ProcessParameters', [IntPtr], 'Public') | Out-Null
- $TypeBuilder.DefineField('SubSystemData', [IntPtr], 'Public') | Out-Null
- $TypeBuilder.DefineField('ProcessHeap', [IntPtr], 'Public') | Out-Null
- $TypeBuilder.DefineField('FastPebLock', [IntPtr], 'Public') | Out-Null
-
- if ($NTDDI_VERSION -ge $NTDDI_VISTA)
- {
- $TypeBuilder.DefineField('AtlThunkSListPtr', [IntPtr], 'Public') | Out-Null
- $TypeBuilder.DefineField('IFEOKey', [IntPtr], 'Public') | Out-Null
- if ($PowerShellArchitecture -eq 64) { $TypeBuilder.DefineField('CrossProcessFlags', [UInt64], 'Public') | Out-Null
- } else { $TypeBuilder.DefineField('CrossProcessFlags', [UInt32], 'Public') | Out-Null }
- $TypeBuilder.DefineField('KernelCallbackTable', [IntPtr], 'Public') | Out-Null
- }
- elseif ($NTDDI_VERSION -ge $NTDDI_WS03)
- {
- $TypeBuilder.DefineField('AtlThunkSListPtr', [IntPtr], 'Public') | Out-Null
- $TypeBuilder.DefineField('SparePtr2', [IntPtr], 'Public') | Out-Null
- $TypeBuilder.DefineField('EnvironmentUpdateCount', [UInt32], 'Public') | Out-Null
- $TypeBuilder.DefineField('KernelCallbackTable', [IntPtr], 'Public') | Out-Null
- }
- else
- {
- $TypeBuilder.DefineField('FastPebLockRoutine', [IntPtr], 'Public') | Out-Null
- $TypeBuilder.DefineField('FastPebUnlockRoutine', [IntPtr], 'Public') | Out-Null
- $TypeBuilder.DefineField('EnvironmentUpdateCount', [UInt32], 'Public') | Out-Null
- $TypeBuilder.DefineField('KernelCallbackTable', [IntPtr], 'Public') | Out-Null
- }
- $TypeBuilder.DefineField('SystemReserved', [UInt32], 'Public') | Out-Null
- $TypeBuilder.DefineField('AtlThunkSListPtr32', [UInt32], 'Public') | Out-Null
- $TypeBuilder.DefineField('ApiSetMap', [IntPtr], 'Public') | Out-Null
- $TypeBuilder.DefineField('TlsExpansionCounter', [UInt32], 'Public') | Out-Null
- $TypeBuilder.DefineField('TlsBitmap', [IntPtr], 'Public') | Out-Null
- $TlsBitmapBitsField = $TypeBuilder.DefineField('TlsBitmapBits', [UInt32[]], 'Public, HasFieldMarshal')
- $AttribBuilder = New-Object Reflection.Emit.CustomAttributeBuilder($ConstructorInfo, $ConstructorValue, $FieldArray, @([Int32] 2))
- $TlsBitmapBitsField.SetCustomAttribute($AttribBuilder)
- $TypeBuilder.DefineField('ReadOnlySharedMemoryBase', [IntPtr], 'Public') | Out-Null
- if ($NTDDI_VERSION -ge $NTDDI_VISTA)
- {
- $TypeBuilder.DefineField('HotpatchInformation', [IntPtr], 'Public') | Out-Null
- }
- else
- {
- $TypeBuilder.DefineField('ReadOnlySharedMemoryHeap', [IntPtr], 'Public') | Out-Null
- }
- $TypeBuilder.DefineField('ReadOnlyStaticServerData', [IntPtr], 'Public') | Out-Null
- $TypeBuilder.DefineField('AnsiCodePageData', [IntPtr], 'Public') | Out-Null
- $TypeBuilder.DefineField('OemCodePageData', [IntPtr], 'Public') | Out-Null
- $TypeBuilder.DefineField('UnicodeCaseTableData', [IntPtr], 'Public') | Out-Null
- $TypeBuilder.DefineField('NumberOfProcessors', [UInt32], 'Public') | Out-Null
- $TypeBuilder.DefineField('NtGlobalFlag', [UInt32], 'Public') | Out-Null
- $TypeBuilder.DefineField('CriticalSectionTimeout', [Int64], 'Public') | Out-Null
- if ($PowerShellArchitecture -eq 64)
- {
- $TypeBuilder.DefineField('HeapSegmentReserve', [UInt64], 'Public') | Out-Null
- $TypeBuilder.DefineField('HeapSegmentCommit', [UInt64], 'Public') | Out-Null
- }
- else
- {
- $TypeBuilder.DefineField('HeapSegmentReserve', [UInt32], 'Public') | Out-Null
- $TypeBuilder.DefineField('HeapSegmentCommit', [UInt32], 'Public') | Out-Null
- }
- $TypeBuilder.DefineField('HeapDeCommitTotalFreeThreshold', [IntPtr], 'Public') | Out-Null
- $TypeBuilder.DefineField('HeapDeCommitFreeBlockThreshold', [IntPtr], 'Public') | Out-Null
- $TypeBuilder.DefineField('NumberOfHeaps', [UInt32], 'Public') | Out-Null
- $TypeBuilder.DefineField('MaximumNumberOfHeaps', [UInt32], 'Public') | Out-Null
- $TypeBuilder.DefineField('ProcessHeaps', [IntPtr], 'Public') | Out-Null
- $TypeBuilder.DefineField('GdiSharedHandleTable', [IntPtr], 'Public') | Out-Null
- $TypeBuilder.DefineField('ProcessStarterHelper', [IntPtr], 'Public') | Out-Null
- $TypeBuilder.DefineField('GdiDCAttributeList', [UInt32], 'Public') | Out-Null
- $TypeBuilder.DefineField('LoaderLock', [IntPtr], 'Public') | Out-Null
- $TypeBuilder.DefineField('OSMajorVersion', [UInt32], 'Public') | Out-Null
- $TypeBuilder.DefineField('OSMinorVersion', [UInt32], 'Public') | Out-Null
- $TypeBuilder.DefineField('OSBuildNumber', [UInt16], 'Public') | Out-Null
- $TypeBuilder.DefineField('OSCSDVersion', [UInt16], 'Public') | Out-Null
- $TypeBuilder.DefineField('OSPlatformId', [UInt32], 'Public') | Out-Null
- $TypeBuilder.DefineField('ImageSubsystem', [UInt32], 'Public') | Out-Null
- $TypeBuilder.DefineField('ImageSubsystemMajorVersion', [UInt32], 'Public') | Out-Null
- $TypeBuilder.DefineField('ImageSubsystemMinorVersion', [UInt32], 'Public') | Out-Null
- $TypeBuilder.DefineField('ActiveProcessAffinityMask', [IntPtr], 'Public') | Out-Null
- $GdiHandleBufferField = $TypeBuilder.DefineField('GdiHandleBuffer', [UInt32[]], 'Public, HasFieldMarshal')
- if ($PowerShellArchitecture -eq 64) { $GDI_HANDLE_BUFFER_SIZE = 60 } else { $GDI_HANDLE_BUFFER_SIZE = 34 }
- $AttribBuilder = New-Object Reflection.Emit.CustomAttributeBuilder($ConstructorInfo, $ConstructorValue, $FieldArray, @([Int32] $GDI_HANDLE_BUFFER_SIZE))
- $GdiHandleBufferField.SetCustomAttribute($AttribBuilder)
- $TypeBuilder.DefineField('PostProcessInitRoutine', [IntPtr], 'Public') | Out-Null
- $TypeBuilder.DefineField('TlsExpansionBitmap', [IntPtr], 'Public') | Out-Null
- $TlsExpansionBitmapBitsField = $TypeBuilder.DefineField('TlsExpansionBitmapBits', [UInt32[]], 'Public, HasFieldMarshal')
- $AttribBuilder = New-Object Reflection.Emit.CustomAttributeBuilder($ConstructorInfo, $ConstructorValue, $FieldArray, @([Int32] 32))
- $TlsExpansionBitmapBitsField.SetCustomAttribute($AttribBuilder)
- $TypeBuilder.DefineField('SessionId', [UInt32], 'Public') | Out-Null
-
- if ($NTDDI_VERSION -ge $NTDDI_WINXP)
- {
- $TypeBuilder.DefineField('AppCompatFlags', [UInt64], 'Public') | Out-Null
- $TypeBuilder.DefineField('AppCompatFlagsUser', [UInt64], 'Public') | Out-Null
- $TypeBuilder.DefineField('pShimData', [IntPtr], 'Public') | Out-Null
- $TypeBuilder.DefineField('AppCompatInfo', [UInt32], 'Public') | Out-Null
- $TypeBuilder.DefineField('CSDVersion', [_UNICODE_STRING], 'Public') | Out-Null
- $TypeBuilder.DefineField('ActivationContextData', [IntPtr], 'Public') | Out-Null
- $TypeBuilder.DefineField('ProcessAssemblyStorageMap', [IntPtr], 'Public') | Out-Null
- $TypeBuilder.DefineField('SystemDefaultActivationContextData', [IntPtr], 'Public') | Out-Null
- $TypeBuilder.DefineField('SystemAssemblyStorageMap', [IntPtr], 'Public') | Out-Null
- if ($PowerShellArchitecture -eq 64) { $TypeBuilder.DefineField('MinimumStackCommit', [UInt64], 'Public') | Out-Null
- } else { $TypeBuilder.DefineField('MinimumStackCommit', [UInt32], 'Public') | Out-Null }
- }
- if ($NTDDI_VERSION -ge $NTDDI_WS03)
- {
- $TypeBuilder.DefineField('FlsCallback', [IntPtr], 'Public') | Out-Null
- $TypeBuilder.DefineField('FlsListHead', [_LIST_ENTRY], 'Public') | Out-Null
- $TypeBuilder.DefineField('FlsBitmap', [IntPtr], 'Public') | Out-Null
- $FlsBitmapBitsField = $TypeBuilder.DefineField('FlsBitmapBits', [UInt32[]], 'Public')
- $AttribBuilder = New-Object Reflection.Emit.CustomAttributeBuilder($ConstructorInfo, $ConstructorValue, $FieldArray, @([Int32] 4))
- $FlsBitmapBitsField.SetCustomAttribute($AttribBuilder)
- $TypeBuilder.DefineField('FlsHighIndex', [UInt32], 'Public') | Out-Null
- }
- if ($NTDDI_VERSION -ge $NTDDI_VISTA)
- {
- $TypeBuilder.DefineField('WerRegistrationData', [IntPtr], 'Public') | Out-Null
- $TypeBuilder.DefineField('WerShipAssertPtr', [IntPtr], 'Public') | Out-Null
- $TypeBuilder.DefineField('pUnused', [IntPtr], 'Public') | Out-Null
- $TypeBuilder.DefineField('pImageHeaderHash', [IntPtr], 'Public') | Out-Null
- $TypeBuilder.DefineField('TracingFlags', [UInt32], 'Public') | Out-Null
- $TypeBuilder.DefineField('CsrServerReadOnlySharedMemoryBase', [UInt64], 'Public') | Out-Null
- }
-
- $PEBStruct = $TypeBuilder.CreateType()
- }
-
- $PEBSize = [Runtime.InteropServices.Marshal]::SizeOf([Type]$PEBStruct)
- #endregion
-
- function Local:Get-StructFromMemory
- {
- [CmdletBinding()] Param (
- [Parameter(Position = 0, Mandatory = $True)]
- [Alias('ProcessId')]
- [UInt16]
- $ProcId,
-
- [Parameter(Position = 1, Mandatory = $True)]
- [IntPtr]
- $MemoryAddress,
-
- [Parameter(Position = 2, Mandatory = $True)]
- [Alias('Type')]
- [Type]
- $StructType,
-
- [ValidateSet('InLoadOrderModuleList','InMemoryOrderModuleList','InInitializationOrderModuleList')]
- [String]
- $LoadOrder,
-
- [UInt16]
- $UnicodeStringSize
- )
-
- if (($StructType -eq [String]) -and ($MemoryAddress -eq 0)) { Write-Output ''; return }
- elseif ($MemoryAddress -eq 0) { Write-Output $null; return }
-
- $PROCESS_VM_READ = 0x0010 # The process permissions we'l ask for when getting a handle to the process
-
- $GetProcessHandle = [Diagnostics.Process].GetMethod('GetProcessHandle', [Reflection.BindingFlags] 'NonPublic, Instance', $null, @([Int]), $null)
-
- try
- {
- $Process = Get-Process -Id $ProcId -ErrorVariable GetProcessError
- $Handle = $Process.Handle
- }
- catch [Exception]
- {
- Write-Error $GetProcessError
- return
- }
-
- if ($Handle -eq $null)
- {
- Write-Error "Unable to obtain a handle for PID $ProcId. You will likely need to run this script elevated."
- return
- }
-
- $ProtectField = $MEMORY_BASIC_INFORMATION.GetField('Protect', [Reflection.BindingFlags] 'NonPublic, Instance')
- $AllocationBaseField = $MEMORY_BASIC_INFORMATION.GetField('BaseAddress', [Reflection.BindingFlags] 'NonPublic, Instance')
- $RegionSizeField = $MEMORY_BASIC_INFORMATION.GetField('RegionSize', [Reflection.BindingFlags] 'NonPublic, Instance')
-
- try
- {
- $SafeHandle = $GetProcessHandle.Invoke($Process, @($PROCESS_VM_READ))
- $Handle = $SafeHandle.DangerousGetHandle()
- }
- catch
- {
- Write-Error $Error[0]
- return
- }
-
- $PAGE_EXECUTE_READ = 0x20
- $PAGE_EXECUTE_READWRITE = 0x40
- $PAGE_READONLY = 2
- $PAGE_READWRITE = 4
-
- if ($StructType -eq $LdrModuleStruct -and $LoadOrder)
- {
- $OriginalFlink = $MemoryAddress
- $Flink = $OriginalFlink
-
- do
- {
- $MemoryBasicInformation = [Activator]::CreateInstance($MEMORY_BASIC_INFORMATION)
- $NativeUtils::VirtualQueryEx($Handle, $Flink, [Ref] $MemoryBasicInformation, [Runtime.InteropServices.Marshal]::SizeOf([Type]$MEMORY_BASIC_INFORMATION)) | Out-Null
-
- $Protection = $ProtectField.GetValue($MemoryBasicInformation)
- $AllocationBaseOriginal = $AllocationBaseField.GetValue($MemoryBasicInformation)
- $GetPointerValue = $AllocationBaseOriginal.GetType().GetMethod('GetPointerValue', [Reflection.BindingFlags] 'NonPublic, Instance')
- $AllocationBase = $GetPointerValue.Invoke($AllocationBaseOriginal, $null).ToInt64()
- $RegionSize = $RegionSizeField.GetValue($MemoryBasicInformation).ToUInt64()
-
- if (($Protection -ne $PAGE_READONLY) -and ($Protection -ne $PAGE_READWRITE) -and ($Protection -ne $PAGE_EXECUTE_READ) -and ($Protection -ne $PAGE_EXECUTE_READWRITE))
- {
- $SafeHandle.Close()
- Write-Error 'The address specified does not have read access.'
- return
- }
-
- $StructSize = [Runtime.InteropServices.Marshal]::SizeOf([Type]$LdrModuleStruct)
- $EndOfAllocation = $AllocationBase + $RegionSize
- $EndOfStruct = $MemoryAddress.ToInt64() + $StructSize
-
- if ($EndOfStruct -gt $EndOfAllocation)
- {
- $SafeHandle.Close()
- Write-Error 'You are attempting to read beyond what was allocated.'
- return
- }
-
- try
- {
- $LocalStructPtr = [Runtime.InteropServices.Marshal]::AllocHGlobal($StructSize)
- }
- catch [OutOfMemoryException]
- {
- Write-Error $Error[0]
- return
- }
-
- $ZeroBytes = New-Object Byte[]($StructSize)
- [Runtime.InteropServices.Marshal]::Copy($ZeroBytes, 0, $LocalStructPtr, $StructSize)
-
- $BytesRead = [UInt32] 0
-
- if ($NativeUtils::ReadProcessMemory($Handle, $Flink, $LocalStructPtr, $StructSize, [Ref] $BytesRead))
- {
- $SafeHandle.Close()
- [Runtime.InteropServices.Marshal]::FreeHGlobal($LocalStructPtr)
- Write-Error ([ComponentModel.Win32Exception][Runtime.InteropServices.Marshal]::GetLastWin32Error())
- return
- }
-
- $ParsedLdrModule = [Runtime.InteropServices.Marshal]::PtrToStructure($LocalStructPtr, [Type] $LdrModuleStruct)
-
- [Runtime.InteropServices.Marshal]::FreeHGlobal($LocalStructPtr)
-
- switch ($LoadOrder)
- {
- 'InLoadOrderModuleList' { $Flink = $ParsedLdrModule.InLoadOrderModuleList.Flink }
- 'InMemoryOrderModuleList' { $Flink = [IntPtr] ($ParsedLdrModule.InMemoryOrderModuleList.Flink.ToInt64() - [Runtime.InteropServices.Marshal]::SizeOf([Type]$ListEntryStruct)) }
- 'InInitializationOrderModuleList' { $Flink = [IntPtr] ($ParsedLdrModule.InInitializationOrderModuleList.Flink.ToInt64() - (2 * [Runtime.InteropServices.Marshal]::SizeOf([Type]$ListEntryStruct))) }
- }
-
- $SafeHandle = $GetProcessHandle.Invoke($Process, @($PROCESS_VM_READ))
- $Handle = $SafeHandle.DangerousGetHandle()
-
- if ($ParsedLdrModule.SizeOfImage)
- {
- Write-Output $ParsedLdrModule
- }
- } while (($Flink -ne 0) -and ($Flink -ne $OriginalFlink))
-
- $SafeHandle.Close()
- }
- elseif ($StructType -eq [String] -and $UnicodeStringSize)
- {
- $MemoryBasicInformation = [Activator]::CreateInstance($MEMORY_BASIC_INFORMATION)
- $NativeUtils::VirtualQueryEx($Handle, $MemoryAddress, [Ref] $MemoryBasicInformation, [Runtime.InteropServices.Marshal]::SizeOf([Type]$MEMORY_BASIC_INFORMATION)) | Out-Null
-
- $Protection = $ProtectField.GetValue($MemoryBasicInformation)
- $AllocationBaseOriginal = $AllocationBaseField.GetValue($MemoryBasicInformation)
- $GetPointerValue = $AllocationBaseOriginal.GetType().GetMethod('GetPointerValue', [Reflection.BindingFlags] 'NonPublic, Instance')
- $AllocationBase = $GetPointerValue.Invoke($AllocationBaseOriginal, $null).ToInt64()
- $RegionSize = $RegionSizeField.GetValue($MemoryBasicInformation).ToUInt64()
-
- if (($Protection -ne $PAGE_READONLY) -and ($Protection -ne $PAGE_READWRITE) -and ($Protection -ne $PAGE_EXECUTE_READ) -and ($Protection -ne $PAGE_EXECUTE_READWRITE))
- {
- $SafeHandle.Close()
- Write-Error 'The address specified does not have read access.'
- return
- }
-
- $StructSize = $UnicodeStringSize
- $EndOfAllocation = $AllocationBase + $RegionSize
- $EndOfStruct = $MemoryAddress.ToInt64() + $StructSize
-
- if ($EndOfStruct -gt $EndOfAllocation)
- {
- $SafeHandle.Close()
- Write-Error 'You are attempting to read beyond what was allocated.'
- return
- }
-
- try
- {
- $LocalStructPtr = [Runtime.InteropServices.Marshal]::AllocHGlobal($StructSize)
- }
- catch [OutOfMemoryException]
- {
- Write-Error $Error[0]
- return
- }
-
- $ZeroBytes = New-Object Byte[]($StructSize)
- [Runtime.InteropServices.Marshal]::Copy($ZeroBytes, 0, $LocalStructPtr, $StructSize)
-
- $BytesRead = [UInt32] 0
-
- if ($NativeUtils::ReadProcessMemory($Handle, $MemoryAddress, $LocalStructPtr, $StructSize, [Ref] $BytesRead))
- {
- $SafeHandle.Close()
- [Runtime.InteropServices.Marshal]::FreeHGlobal($LocalStructPtr)
- Write-Error ([ComponentModel.Win32Exception][Runtime.InteropServices.Marshal]::GetLastWin32Error())
- return
- }
-
- $ParsedStruct = [Runtime.InteropServices.Marshal]::PtrToStringUni($LocalStructPtr)
-
- [Runtime.InteropServices.Marshal]::FreeHGlobal($LocalStructPtr)
- $SafeHandle.Close()
-
- Write-Output $ParsedStruct
- }
- else
- {
- $MemoryBasicInformation = [Activator]::CreateInstance($MEMORY_BASIC_INFORMATION)
- $NativeUtils::VirtualQueryEx($Handle, $MemoryAddress, [Ref] $MemoryBasicInformation, [Runtime.InteropServices.Marshal]::SizeOf([Type]$MEMORY_BASIC_INFORMATION)) | Out-Null
-
- $Protection = $ProtectField.GetValue($MemoryBasicInformation)
- $AllocationBaseOriginal = $AllocationBaseField.GetValue($MemoryBasicInformation)
- $GetPointerValue = $AllocationBaseOriginal.GetType().GetMethod('GetPointerValue', [Reflection.BindingFlags] 'NonPublic, Instance')
- $AllocationBase = $GetPointerValue.Invoke($AllocationBaseOriginal, $null).ToInt64()
- $RegionSize = $RegionSizeField.GetValue($MemoryBasicInformation).ToUInt64()
-
- if (($Protection -ne $PAGE_READONLY) -and ($Protection -ne $PAGE_READWRITE) -and ($Protection -ne $PAGE_EXECUTE_READ) -and ($Protection -ne $PAGE_EXECUTE_READWRITE))
- {
- $SafeHandle.Close()
- Write-Error 'The address specified does not have read access.'
- return
- }
-
- $StructSize = [Runtime.InteropServices.Marshal]::SizeOf([Type]$StructType)
- $EndOfAllocation = $AllocationBase + $RegionSize
- $EndOfStruct = $MemoryAddress.ToInt64() + $StructSize
-
- if ($EndOfStruct -gt $EndOfAllocation)
- {
- $SafeHandle.Close()
- Write-Error 'You are attempting to read beyond what was allocated.'
- return
- }
-
- try
- {
- $LocalStructPtr = [Runtime.InteropServices.Marshal]::AllocHGlobal($StructSize)
- }
- catch [OutOfMemoryException]
- {
- Write-Error $Error[0]
- return
- }
-
- $ZeroBytes = New-Object Byte[]($StructSize)
- [Runtime.InteropServices.Marshal]::Copy($ZeroBytes, 0, $LocalStructPtr, $StructSize)
-
- $BytesRead = [UInt32] 0
-
- if ($NativeUtils::ReadProcessMemory($Handle, $MemoryAddress, $LocalStructPtr, $StructSize, [Ref] $BytesRead))
- {
- $SafeHandle.Close()
- [Runtime.InteropServices.Marshal]::FreeHGlobal($LocalStructPtr)
- Write-Error ([ComponentModel.Win32Exception][Runtime.InteropServices.Marshal]::GetLastWin32Error())
- return
- }
-
- $ParsedStruct = [Runtime.InteropServices.Marshal]::PtrToStructure($LocalStructPtr, [Type] $StructType)
-
- [Runtime.InteropServices.Marshal]::FreeHGlobal($LocalStructPtr)
- $SafeHandle.Close()
-
- Write-Output $ParsedStruct
- }
- }
- }
-
- PROCESS
- {
- foreach ($ProcessId in $Id)
- {
- $Handle = $null
-
- try
- {
- $Process = Get-Process -Id $ProcessId -ErrorVariable GetProcessError
- # Get the process handle
- $Handle = $Process.Handle
- }
- catch { }
-
- if ($Handle -eq $null)
- {
- Write-Error "Unable to obtain a handle for PID $ProcessId. You will likely need to run this script elevated."
- }
- else
- {
- $SafeHandle = $GetProcessHandle.Invoke($Process, @($PROCESS_QUERY_INFORMATION -bor $PROCESS_VM_READ))
- $Handle = $SafeHandle.DangerousGetHandle()
-
- Write-Verbose "ProcessName: $($Process.ProcessName)"
- Write-Verbose "Handle: $Handle"
-
- if ($OSArchitecture -eq 64)
- {
- $IsWow64 = $False
- $NativeUtils::IsWow64Process($Handle, [Ref] $IsWow64) | Out-Null
-
- if ($PowerShellArchitecture -eq 32 -and (-not $IsWow64))
- {
- $SafeHandle.Close()
- Write-Error 'Cannot get the PEB of a 64-bit process from a Wow64 process. Use 64-bit PowerShell and try again.'
- return
- }
- }
-
- $ProcessBasicInfo = $NtProcessBasicInfoConstructor.Invoke($null)
-
- $Status = $NativeUtils::NtQueryInformationProcess($Handle, 0, $ProcessBasicInfo, [Runtime.InteropServices.Marshal]::SizeOf($ProcessBasicInfo), [IntPtr]::Zero)
-
- Write-Verbose 'ProcessBasicInfo:'
- Write-Verbose ($ProcessBasicInfo | Out-String)
-
- if ($Status -ne 0)
- {
- $SafeHandle.Close()
- Write-Error (Get-NTStatusException $Status)
- return
- }
-
- $SafeHandle.Close()
-
- $PEB = Get-StructFromMemory -ProcId $ProcessId -MemoryAddress ($ProcessBasicInfo.PebBaseAddress) -StructType ($PEBStruct)
-
- $ProcessParams = Get-StructFromMemory -ProcId $ProcessId -MemoryAddress ($PEB.ProcessParameters) -StructType ($ProcessParametersStruct)
-
- $CurrentDirectory = ''
- $DllPath = ''
- $ImagePathName = ''
- $CommandLine = ''
- $WindowTitle = ''
- $DesktopInfo = ''
- $ShellInfo = ''
- $RuntimeData = ''
-
- if ($ProcessParams.CurrentDirectory.Buffer) { $CurrentDirectory = Get-StructFromMemory -ProcId $ProcessId -MemoryAddress ($ProcessParams.CurrentDirectory.Buffer) -StructType ([String]) -UnicodeStringSize ($ProcessParams.CurrentDirectory.MaximumLength) }
- if ($ProcessParams.DllPath.Buffer) { $DllPath = Get-StructFromMemory -ProcId $ProcessId -MemoryAddress ($ProcessParams.DllPath.Buffer) -StructType ([String]) -UnicodeStringSize ($ProcessParams.DllPath.MaximumLength) } else { $DllPath = '' }
- if ($ProcessParams.ImagePathName.Buffer) { $ImagePathName = Get-StructFromMemory -ProcId $ProcessId -MemoryAddress ($ProcessParams.ImagePathName.Buffer) -StructType ([String]) -UnicodeStringSize ($ProcessParams.ImagePathName.MaximumLength) }
- if ($ProcessParams.CommandLine.Buffer) { $CommandLine = Get-StructFromMemory -ProcId $ProcessId -MemoryAddress ($ProcessParams.CommandLine.Buffer) -StructType ([String]) -UnicodeStringSize ($ProcessParams.CommandLine.MaximumLength) }
- if ($ProcessParams.WindowTitle.Buffer) { $WindowTitle = Get-StructFromMemory -ProcId $ProcessId -MemoryAddress ($ProcessParams.WindowTitle.Buffer) -StructType ([String]) -UnicodeStringSize ($ProcessParams.WindowTitle.MaximumLength) }
- if ($ProcessParams.DesktopInfo.Buffer) { $DesktopInfo = Get-StructFromMemory -ProcId $ProcessId -MemoryAddress ($ProcessParams.DesktopInfo.Buffer) -StructType ([String]) -UnicodeStringSize ($ProcessParams.DesktopInfo.MaximumLength) }
- if ($ProcessParams.ShellInfo.Buffer) { $ShellInfo = Get-StructFromMemory -ProcId $ProcessId -MemoryAddress ($ProcessParams.ShellInfo.Buffer) -StructType ([String]) -UnicodeStringSize ($ProcessParams.ShellInfo.MaximumLength) }
- if ($ProcessParams.RuntimeData.Buffer) { $RuntimeData = Get-StructFromMemory -ProcId $ProcessId -MemoryAddress ($ProcessParams.RuntimeData.Buffer) -StructType ([String]) -UnicodeStringSize ($ProcessParams.RuntimeData.MaximumLength) }
-
- $ProcessParameters = @{
- MaximumLength = $ProcessParams.MaximumLength
- Length = $ProcessParams.Length
- Flags = $ProcessParams.Flags
- DebugFlags = $ProcessParams.DebugFlags
- ConsoleHandle = $ProcessParams.ConsoleHandle
- ConsoleFlags = $ProcessParams.ConsoleFlags
- StandardInput = $ProcessParams.StandardInput
- StandardOutput = $ProcessParams.StandardOutput
- StandardError = $ProcessParams.StandardError
- CurrentDirectory = $CurrentDirectory
- DllPath = $DllPath
- ImagePathName = $ImagePathName
- CommandLine = $CommandLine
- Environment = $ProcessParams.Environment
- StartingX = $ProcessParams.StartingX
- StartingY = $ProcessParams.StartingY
- CountX = $ProcessParams.CountX
- CountY = $ProcessParams.CountY
- CountCharsX = $ProcessParams.CountCharsX
- CountCharsY = $ProcessParams.CountCharsY
- FillAttribute = $ProcessParams.FillAttribute
- WindowFlags = $ProcessParams.WindowFlags
- ShowWindowFlags = $ProcessParams.ShowWindowFlags
- WindowTitle = $WindowTitle
- DesktopInfo = $DesktopInfo
- ShellInfo = $ShellInfo
- RuntimeData = $RuntimeData
- }
-
- $ProcessParamsParsed = New-Object PSObject -Property $ProcessParameters
- $ProcessParamsParsed.PSObject.TypeNames[0] = 'PEB.ProcessParameters'
-
- # Get custom objects for the PEB based upon OS version
- # First, build up the custom object with fields common amongst all versions of the PEB
- $CustomPEB = @{
- ProcessName = $Process.ProcessName
- ProcessId = $ProcessId
- InheritedAddressSpace = if($PEB.InheritedAddressSpace -eq 0){$False}else{$True}
- ReadImageFileExecOptions = if($PEB.ReadImageFileExecOptions -eq 0){$False}else{$True}
- BeingDebugged = if($PEB.BeingDebugged -eq 0){$False}else{$True}
- Mutant = $PEB.Mutant
- ImageBaseAddress = $PEB.ImageBaseAddress
- Ldr = Get-StructFromMemory -ProcId $ProcessId -MemoryAddress ($PEB.Ldr) -StructType ($LdrDataStruct)
- ProcessParameters = $ProcessParamsParsed
- SubSystemData = $PEB.SubSystemData
- ProcessHeap = $PEB.ProcessHeap
- FastPebLock = $PEB.FastPebLock
- SystemReserved = $PEB.SystemReserved
- AtlThunkSListPtr32 = $PEB.AtlThunkSListPtr32
- ApiSetMap = $PEB.ApiSetMap
- TlsExpansionCounter = $PEB.TlsExpansionCounter
- TlsBitmap = $PEB.TlsBitmap
- TlsBitmapBits = $PEB.TlsBitmapBits
- ReadOnlySharedMemoryBase = $PEB.ReadOnlySharedMemoryBase
- ReadOnlyStaticServerData = $PEB.ReadOnlyStaticServerData
- AnsiCodePageData = $PEB.AnsiCodePageData
- OemCodePageData = $PEB.OemCodePageData
- UnicodeCaseTableData = $PEB.UnicodeCaseTableData
- NumberOfProcessors = $PEB.NumberOfProcessors
- NtGlobalFlag = $PEB.NtGlobalFlag
- CriticalSectionTimeout = $PEB.CriticalSectionTimeout
- HeapSegmentReserve = $PEB.HeapSegmentReserve
- HeapSegmentCommit = $PEB.HeapSegmentCommit
- HeapDeCommitTotalFreeThreshold = $PEB.HeapDeCommitTotalFreeThreshold
- HeapDeCommitFreeBlockThreshold = $PEB.HeapDeCommitFreeBlockThreshold
- NumberOfHeaps = $PEB.NumberOfHeaps
- MaximumNumberOfHeaps = $PEB.MaximumNumberOfHeaps
- ProcessHeaps = $PEB.ProcessHeaps
- GdiSharedHandleTable = $PEB.GdiSharedHandleTable
- ProcessStarterHelper = $PEB.ProcessStarterHelper
- GdiDCAttributeList = $PEB.GdiDCAttributeList
- LoaderLock = $PEB.LoaderLock
- OSMajorVersion = $PEB.OSMajorVersion
- OSMinorVersion = $PEB.OSMinorVersion
- OSBuildNumber = $PEB.OSBuildNumber
- OSCSDVersion = $PEB.OSCSDVersion
- OSPlatformId = $PEB.OSPlatformId
- ImageSubsystem = $PEB.ImageSubsystem
- ImageSubsystemMajorVersion = $PEB.ImageSubsystemMajorVersion
- ImageSubsystemMinorVersion = $PEB.ImageSubsystemMinorVersion
- ActiveProcessAffinityMask = $PEB.ActiveProcessAffinityMask
- GdiHandleBuffer = $PEB.GdiHandleBuffer
- PostProcessInitRoutine = $PEB.PostProcessInitRoutine
- TlsExpansionBitmap = $PEB.TlsExpansionBitmap
- TlsExpansionBitmapBits = $PEB.TlsExpansionBitmapBits
- SessionId = $PEB.SessionId
- AppCompatFlags = $PEB.AppCompatFlags
- AppCompatFlagsUser = $PEB.AppCompatFlagsUser
- pShimData = $PEB.pShimData
- AppCompatInfo = $PEB.AppCompatInfo
- CSDVersion = Get-StructFromMemory -ProcId $ProcessId -MemoryAddress ($PEB.CSDVersion.Buffer) -StructType ([String]) -UnicodeStringSize ($PEB.CSDVersion.MaximumLength)
- ActivationContextData = $PEB.ActivationContextData
- ProcessAssemblyStorageMap = $PEB.ProcessAssemblyStorageMap
- SystemDefaultActivationContextData = $PEB.SystemDefaultActivationContextData
- SystemAssemblyStorageMap = $PEB.SystemAssemblyStorageMap
- MinimumStackCommit = $PEB.MinimumStackCommit
- }
-
- foreach ($j in 1..3)
- {
- switch ($j)
- {
- 1 { $OrderedModules = Get-StructFromMemory -ProcId $ProcessId -MemoryAddress ($CustomPEB['Ldr'].InLoadOrderModuleList.Flink) -StructType ($LdrModuleStruct) -LoadOrder 'InLoadOrderModuleList' }
- 2 { $OrderedModules = Get-StructFromMemory -ProcId $ProcessId -MemoryAddress ([IntPtr] ($CustomPEB['Ldr'].InMemoryOrderModuleList.Flink.ToInt64() - [Runtime.InteropServices.Marshal]::SizeOf([Type]$ListEntryStruct))) -StructType ($LdrModuleStruct) -LoadOrder 'InMemoryOrderModuleList' }
- 3 { $OrderedModules = Get-StructFromMemory -ProcId $ProcessId -MemoryAddress ([IntPtr] ($CustomPEB['Ldr'].InInitializationOrderModuleList.Flink.ToInt64() - (2 * [Runtime.InteropServices.Marshal]::SizeOf([Type]$ListEntryStruct)))) -StructType ($LdrModuleStruct) -LoadOrder 'InInitializationOrderModuleList' }
- }
-
- $ParsedOrderedModules = New-Object Hashtable[]($OrderedModules.Length)
- $Modules = New-Object PSObject[]($OrderedModules.Length)
-
- $i = 0
- foreach ($Module in $OrderedModules)
- {
- $ParsedOrderedModules[$i] = @{
- InLoadOrderModuleList = $Module.InLoadOrderModuleList
- InMemoryOrderModuleList = $Module.InMemoryOrderModuleList
- InInitializationOrderModuleList = $Module.InInitializationOrderModuleList
- BaseAddress = $Module.BaseAddress
- EntryPoint = $Module.EntryPoint
- SizeOfImage = $Module.SizeOfImage
- FullDllName = Get-StructFromMemory -ProcId $ProcessId -MemoryAddress ($Module.FullDllName.Buffer) -StructType ([String]) -UnicodeStringSize ($Module.FullDllName.MaximumLength)
- BaseDllName = Get-StructFromMemory -ProcId $ProcessId -MemoryAddress ($Module.BaseDllName.Buffer) -StructType ([String]) -UnicodeStringSize ($Module.BaseDllName.MaximumLength)
- PackagedBinary = if(($Module.Flags -band 1) -eq 0){$False}else{$True}
- MarkedForRemoval = if(($Module.Flags -band 2) -eq 0){$False}else{$True}
- ImageDll = if(($Module.Flags -band 4) -eq 0){$False}else{$True}
- LoadNotificationsSent = if(($Module.Flags -band 8) -eq 0){$False}else{$True}
- TelemetryEntryProcessed = if(($Module.Flags -band 16) -eq 0){$False}else{$True}
- ProcessStaticImport = if(($Module.Flags -band 32) -eq 0){$False}else{$True}
- InLegacyLists = if(($Module.Flags -band 64) -eq 0){$False}else{$True}
- InIndexes = if(($Module.Flags -band 128) -eq 0){$False}else{$True}
- ShimDll = if(($Module.Flags -band 256) -eq 0){$False}else{$True}
- InExceptionTable = if(($Module.Flags -band 512) -eq 0){$False}else{$True}
- LoadInProgress = if(($Module.Flags -band 4096) -eq 0){$False}else{$True}
- EntryProcessed = if(($Module.Flags -band 16384) -eq 0){$False}else{$True}
- DontCallForThreads = if(($Module.Flags -band 262144) -eq 0){$False}else{$True}
- ProcessAttachCalled = if(($Module.Flags -band 524288) -eq 0){$False}else{$True}
- ProcessAttachFailed = if(($Module.Flags -band 1048576) -eq 0){$False}else{$True}
- CorDeferredValidate = if(($Module.Flags -band 2097152) -eq 0){$False}else{$True}
- CorImage = if(($Module.Flags -band 4194304) -eq 0){$False}else{$True}
- DontRelocate = if(($Module.Flags -band 8388608) -eq 0){$False}else{$True}
- CorILOnly = if(($Module.Flags -band 16777216) -eq 0){$False}else{$True}
- Redirected = if(($Module.Flags -band 268435456) -eq 0){$False}else{$True}
- CompatDatabaseProcessed = if(($Module.Flags -band 2147483648) -eq 0){$False}else{$True}
- ObsoleteLoadCount = $Module.ObsoleteLoadCount
- TlsIndex = $Module.TlsIndex
- HashLinks = $Module.HashLinks
- TimeDateStamp = (New-Object DateTime(1970, 1, 1, 0, 0, 0)).AddSeconds($Module.TimeDateStamp)
- EntryPointActivationContext = $Module.EntryPointActivationContext
- PatchInformation = $Module.PatchInformation
- DdagNode = $Module.DdagNode
- NodeModuleLink = $Module.NodeModuleLink
- SnapContext = $Module.SnapContext
- ParentDllBase = $Module.ParentDllBase
- SwitchBackContext = $Module.SwitchBackContext
- BaseAddressIndexNode = $Module.BaseAddressIndexNode
- MappingInfoIndexNode = $Module.MappingInfoIndexNode
- OriginalBase = $Module.OriginalBase
- LoadTime = $Module.LoadTime
- BaseNameHashValue = $Module.BaseNameHashValue
- LoadReason = $Module.LoadReason
- }
-
- $CustomModuleObject = New-Object PSObject -Property $ParsedOrderedModules[$i]
- $CustomModuleObject.PSObject.TypeNames[0] = 'PEB.ModuleEntry'
- $Modules[$i] = $CustomModuleObject
-
- $i++
- }
-
- switch ($j)
- {
- 1 { $CustomPEB['InLoadOrderModuleList'] = $Modules }
- 2 { $CustomPEB['InMemoryOrderModuleList'] = $Modules }
- 3 { $CustomPEB['InInitializationOrderModuleList'] = $Modules }
- }
- }
-
- if ($NTDDI_VERSION -ge $NTDDI_VISTA)
- {
- $CustomPEB['ImageUsesLargePages'] = if(($PEB.BitField -band 1) -eq 0){$False}else{$True}
- $CustomPEB['IsProtectedProcess'] = if(($PEB.BitField -band 2) -eq 0){$False}else{$True}
- $CustomPEB['IsLegacyProcess'] = if(($PEB.BitField -band 4) -eq 0){$False}else{$True}
- $CustomPEB['IsImageDynamicallyRelocated'] = if(($PEB.BitField -band 8) -eq 0){$False}else{$True}
- $CustomPEB['SkipPatchingUser32Forwarders'] = if(($PEB.BitField -band 16) -eq 0){$False}else{$True}
- $CustomPEB['IsPackagedProcess'] = if(($PEB.BitField -band 32) -eq 0){$False}else{$True}
- $CustomPEB['IsAppContainer'] = if(($PEB.BitField -band 64) -eq 0){$False}else{$True}
- $CustomPEB['AtlThunkSListPtr'] = $PEB.AtlThunkSListPtr
- $CustomPEB['IFEOKey'] = $PEB.IFEOKey
- $CustomPEB['ProcessInJob'] = if(($PEB.CrossProcessFlags -band 1) -eq 0){$False}else{$True}
- $CustomPEB['ProcessInitializing'] = if(($PEB.CrossProcessFlags -band 2) -eq 0){$False}else{$True}
- $CustomPEB['ProcessUsingVEH'] = if(($PEB.CrossProcessFlags -band 4) -eq 0){$False}else{$True}
- $CustomPEB['ProcessUsingVCH'] = if(($PEB.CrossProcessFlags -band 8) -eq 0){$False}else{$True}
- $CustomPEB['ProcessUsingFTH'] = if(($PEB.CrossProcessFlags -band 16) -eq 0){$False}else{$True}
- $CustomPEB['KernelCallbackTable'] = $PEB.KernelCallbackTable
- $CustomPEB['HotpatchInformation'] = $PEB.HotpatchInformation
- $CustomPEB['FlsCallback'] = $PEB.FlsCallback
- $CustomPEB['FlsListHead'] = $PEB.FlsListHead
- $CustomPEB['FlsBitmap'] = $PEB.FlsBitmap
- $CustomPEB['FlsBitmapBits'] = $PEB.FlsBitmapBits
- $CustomPEB['FlsHighIndex'] = $PEB.FlsHighIndex
- $CustomPEB['WerRegistrationData'] = $PEB.WerRegistrationData
- $CustomPEB['WerShipAssertPtr'] = $PEB.WerShipAssertPtr
- $CustomPEB['pUnused'] = $PEB.pUnused
- $CustomPEB['pImageHeaderHash'] = $PEB.pImageHeaderHash
- $CustomPEB['HeapTracingEnabled'] = if(($PEB.TracingFlags -band 1) -eq 0){$False}else{$True}
- $CustomPEB['CritSecTracingEnabled'] = if(($PEB.TracingFlags -band 2) -eq 0){$False}else{$True}
- $CustomPEB['LibLoaderTracingEnabled'] = if(($PEB.TracingFlags -band 4) -eq 0){$False}else{$True}
- $CustomPEB['CsrServerReadOnlySharedMemoryBase'] = $PEB.CsrServerReadOnlySharedMemoryBase
- }
- elseif ($NTDDI_VERSION -ge $NTDDI_WS03)
- {
- $CustomPEB['ImageUsesLargePages'] = if(($PEB.BitField -band 1) -eq 0){$False}else{$True}
- $CustomPEB['AtlThunkSListPtr'] = $PEB.AtlThunkSListPtr
- $CustomPEB['SparePtr2'] = $PEB.SparePtr2
- $CustomPEB['EnvironmentUpdateCount'] = $PEB.EnvironmentUpdateCount
- $CustomPEB['KernelCallbackTable'] = $PEB.KernelCallbackTable
- $CustomPEB['ReadOnlySharedMemoryHeap'] = $PEB.ReadOnlySharedMemoryHeap
- $CustomPEB['FlsCallback'] = $PEB.FlsCallback
- $CustomPEB['FlsListHead'] = $PEB.FlsListHead
- $CustomPEB['FlsBitmap'] = $PEB.FlsBitmap
- $CustomPEB['FlsBitmapBits'] = $PEB.FlsBitmapBits
- $CustomPEB['FlsHighIndex'] = $PEB.FlsHighIndex
- }
- else
- {
- $CustomPEB['FastPebLockRoutine'] = $PEB.FastPebLockRoutine
- $CustomPEB['FastPebUnlockRoutine'] = $PEB.FastPebUnlockRoutine
- $CustomPEB['EnvironmentUpdateCount'] = $PEB.EnvironmentUpdateCount
- $CustomPEB['KernelCallbackTable'] = $PEB.KernelCallbackTable
- $CustomPEB['ReadOnlySharedMemoryHeap'] = $PEB.ReadOnlySharedMemoryHeap
- }
-
- $NewPEB = New-Object PSObject -Property $CustomPEB
-
- # _PEB will be interpreted by PowerShell depending upon the detected OS. This only applies if Get-PEB.format.ps1xml was loaded
- if ($NTDDI_VERSION -ge $NTDDI_VISTA)
- {
- $NewPEB.PSObject.TypeNames[0] = 'PEB.Vista'
- }
- elseif ($NTDDI_VERSION -ge $NTDDI_WS03)
- {
- $NewPEB.PSObject.TypeNames[0] = 'PEB.Server2003'
- }
- else
- {
- $NewPEB.PSObject.TypeNames[0] = 'PEB.XP'
- }
-
- $Handle = $null
-
- Write-Output $NewPEB
- }
- }
- }
-
- END{}
-
-}
diff --git a/ReverseEngineering/Get-Strings.ps1 b/ReverseEngineering/Get-Strings.ps1
deleted file mode 100644
index 2cb971c..0000000
--- a/ReverseEngineering/Get-Strings.ps1
+++ /dev/null
@@ -1,98 +0,0 @@
-function Get-Strings
-{
-<#
-.SYNOPSIS
-
-Gets strings from a file.
-
-PowerSploit Function: Get-Strings
-Author: Matthew Graeber (@mattifestation)
-License: BSD 3-Clause
-Required Dependencies: None
-Optional Dependencies: None
-
-.DESCRIPTION
-
-The Get-Strings cmdlet returns strings (Unicode and/or Ascii) from a file. This cmdlet is useful for dumping strings from binary file and was designed to replicate the functionality of strings.exe from Sysinternals.
-
-.PARAMETER Path
-
-Specifies the path to an item.
-
-.PARAMETER Encoding
-
-Specifies the file encoding. The default value returns both Unicode and Ascii.
-
-.PARAMETER MinimumLength
-
-Specifies the minimum length string to return. The default string length is 3.
-
-.EXAMPLE
-
-C:\PS> Get-Strings C:\Windows\System32\calc.exe
-
-Description
------------
-Dump Unicode and Ascii strings of calc.exe.
-
-.EXAMPLE
-
-C:\PS> Get-ChildItem C:\Windows\System32\*.dll | Get-Strings -MinimumLength 12 -Encoding Ascii
-
-Description
------------
-Dumps Ascii strings of at least length 12 of every dll located in C:\Windows\System32.
-
-.NOTES
-
-This cmdlet was designed to intentionally use only PowerShell cmdlets (no .NET methods) in order to be compatible with PowerShell on Windows RT (or any ConstrainedLanguage runspace).
-
-.LINK
-
-http://www.exploit-monday.com
-#>
-
- Param
- (
- [Parameter(Position = 1, Mandatory = $True, ValueFromPipelineByPropertyName = $True)]
- [ValidateNotNullOrEmpty()]
- [ValidateScript({Test-Path $_ -PathType 'Leaf'})]
- [String[]]
- [Alias('PSPath')]
- $Path,
-
- [ValidateSet('Default','Ascii','Unicode')]
- [String]
- $Encoding = 'Default',
-
- [UInt32]
- $MinimumLength = 3
- )
-
- BEGIN
- {
- $FileContents = ''
- }
- PROCESS
- {
- foreach ($File in $Path)
- {
- if ($Encoding -eq 'Unicode' -or $Encoding -eq 'Default')
- {
- $UnicodeFileContents = Get-Content -Encoding 'Unicode' $File
- $UnicodeRegex = [Regex] "[\u0020-\u007E]{$MinimumLength,}"
- $Results += $UnicodeRegex.Matches($UnicodeFileContents)
- }
-
- if ($Encoding -eq 'Ascii' -or $Encoding -eq 'Default')
- {
- $AsciiFileContents = Get-Content -Encoding 'UTF7' $File
- $AsciiRegex = [Regex] "[\x20-\x7E]{$MinimumLength,}"
- $Results = $AsciiRegex.Matches($AsciiFileContents)
- }
-
- $Results | ForEach-Object { Write-Output $_.Value }
- }
- }
- END {}
-}
diff --git a/ReverseEngineering/Get-StructFromMemory.ps1 b/ReverseEngineering/Get-StructFromMemory.ps1
deleted file mode 100644
index 68f7651..0000000
--- a/ReverseEngineering/Get-StructFromMemory.ps1
+++ /dev/null
@@ -1,203 +0,0 @@
-function Get-StructFromMemory
-{
-<#
-.SYNOPSIS
-
-Marshals data from an unmanaged block of memory in an arbitrary process to a newly allocated managed object of the specified type.
-
-PowerSploit Function: Get-StructFromMemory
-Author: Matthew Graeber (@mattifestation)
-License: BSD 3-Clause
-Required Dependencies: None
-Optional Dependencies: None
-
-.DESCRIPTION
-
-Get-StructFromMemory is similar to the Marshal.PtrToStructure method but will parse and return a structure from any process.
-
-.PARAMETER Id
-
-Process ID of the process whose virtual memory space you want to access.
-
-.PARAMETER MemoryAddress
-
-The address containing the structure to be parsed.
-
-.PARAMETER StructType
-
-The type (System.Type) of the desired structure to be parsed.
-
-.EXAMPLE
-
-C:\PS> Get-Process | ForEach-Object { Get-StructFromMemory -Id $_.Id -MemoryAddress $_.MainModule.BaseAddress -StructType ([PE+_IMAGE_DOS_HEADER]) }
-
-Description
------------
-Parses the DOS headers of every loaded process. Note: In this example, this assumes that [PE+_IMAGE_DOS_HEADER] is defined. You can get the code to define [PE+_IMAGE_DOS_HEADER] here: http://www.exploit-monday.com/2012/07/structs-and-enums-using-reflection.html
-
-.NOTES
-
-Be sure to enclose the StructType parameter with parenthesis in order to force PowerShell to cast it as a Type object.
-
-Get-StructFromMemory does a good job with error handling however it will crash if the structure contains fields that attempt to marshal pointers. For example, if a field has a custom attribute of UnmanagedType.LPStr, when the structure is parsed, it will attempt to dererence a string pointer for virtual memory in another process and access violate.
-
-.LINK
-
-http://www.exploit-monday.com
-#>
-
- [CmdletBinding()] Param (
- [Parameter(Position = 0, Mandatory = $True)]
- [Alias('ProcessId')]
- [Alias('PID')]
- [UInt16]
- $Id,
-
- [Parameter(Position = 1, Mandatory = $True)]
- [IntPtr]
- $MemoryAddress,
-
- [Parameter(Position = 2, Mandatory = $True)]
- [Alias('Type')]
- [Type]
- $StructType
- )
-
- Set-StrictMode -Version 2
-
- $PROCESS_VM_READ = 0x0010 # The process permissions we'l ask for when getting a handle to the process
-
- # Get a reference to the private GetProcessHandle method is System.Diagnostics.Process
- $GetProcessHandle = [Diagnostics.Process].GetMethod('GetProcessHandle', [Reflection.BindingFlags] 'NonPublic, Instance', $null, @([Int]), $null)
-
- try
- {
- # Make sure user didn't pass in a non-existent PID
- $Process = Get-Process -Id $Id -ErrorVariable GetProcessError
- # Get the default process handle
- $Handle = $Process.Handle
- }
- catch [Exception]
- {
- throw $GetProcessError
- }
-
- if ($Handle -eq $null)
- {
- throw "Unable to obtain a handle for PID $Id. You will likely need to run this script elevated."
- }
-
- # Get a reference to MEMORY_BASIC_INFORMATION. I don't feel like making the structure myself
- $mscorlib = [AppDomain]::CurrentDomain.GetAssemblies() | ? { $_.FullName.Split(',')[0].ToLower() -eq 'mscorlib' }
- $Win32Native = $mscorlib.GetTypes() | ? { $_.FullName -eq 'Microsoft.Win32.Win32Native' }
- $MEMORY_BASIC_INFORMATION = $Win32Native.GetNestedType('MEMORY_BASIC_INFORMATION', [Reflection.BindingFlags] 'NonPublic')
-
- if ($MEMORY_BASIC_INFORMATION -eq $null)
- {
- throw 'Unable to get a reference to the MEMORY_BASIC_INFORMATION structure.'
- }
-
- # Get references to private fields in MEMORY_BASIC_INFORMATION
- $ProtectField = $MEMORY_BASIC_INFORMATION.GetField('Protect', [Reflection.BindingFlags] 'NonPublic, Instance')
- $AllocationBaseField = $MEMORY_BASIC_INFORMATION.GetField('BaseAddress', [Reflection.BindingFlags] 'NonPublic, Instance')
- $RegionSizeField = $MEMORY_BASIC_INFORMATION.GetField('RegionSize', [Reflection.BindingFlags] 'NonPublic, Instance')
-
- try { $NativeUtils = [NativeUtils] } catch [Management.Automation.RuntimeException] # Only build the assembly if it hasn't already been defined
- {
- # Build dynamic assembly in order to use P/Invoke for interacting with the following Win32 functions: ReadProcessMemory, VirtualQueryEx
- $DynAssembly = New-Object Reflection.AssemblyName('MemHacker')
- $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly($DynAssembly, [Reflection.Emit.AssemblyBuilderAccess]::Run)
- $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule('MemHacker', $False)
- $Attributes = 'AutoLayout, AnsiClass, Class, Public, SequentialLayout, Sealed, BeforeFieldInit'
- $TypeBuilder = $ModuleBuilder.DefineType('NativeUtils', $Attributes, [ValueType])
- $TypeBuilder.DefinePInvokeMethod('ReadProcessMemory', 'kernel32.dll', [Reflection.MethodAttributes] 'Public, Static', [Reflection.CallingConventions]::Standard, [Bool], @([IntPtr], [IntPtr], [IntPtr], [UInt32], [UInt32].MakeByRefType()), [Runtime.InteropServices.CallingConvention]::Winapi, 'Auto') | Out-Null
- $TypeBuilder.DefinePInvokeMethod('VirtualQueryEx', 'kernel32.dll', [Reflection.MethodAttributes] 'Public, Static', [Reflection.CallingConventions]::Standard, [UInt32], @([IntPtr], [IntPtr], $MEMORY_BASIC_INFORMATION.MakeByRefType(), [UInt32]), [Runtime.InteropServices.CallingConvention]::Winapi, 'Auto') | Out-Null
-
- $NativeUtils = $TypeBuilder.CreateType()
- }
-
- # Request a handle to the process in interest
- try
- {
- $SafeHandle = $GetProcessHandle.Invoke($Process, @($PROCESS_VM_READ))
- $Handle = $SafeHandle.DangerousGetHandle()
- }
- catch
- {
- throw $Error[0]
- }
-
- # Create an instance of MEMORY_BASIC_INFORMATION
- $MemoryBasicInformation = [Activator]::CreateInstance($MEMORY_BASIC_INFORMATION)
-
- # Confirm you can actually read the address you're interested in
- $NativeUtils::VirtualQueryEx($Handle, $MemoryAddress, [Ref] $MemoryBasicInformation, [Runtime.InteropServices.Marshal]::SizeOf([Type] $MEMORY_BASIC_INFORMATION)) | Out-Null
-
- $PAGE_EXECUTE_READ = 0x20
- $PAGE_EXECUTE_READWRITE = 0x40
- $PAGE_READONLY = 2
- $PAGE_READWRITE = 4
-
- $Protection = $ProtectField.GetValue($MemoryBasicInformation)
- $AllocationBaseOriginal = $AllocationBaseField.GetValue($MemoryBasicInformation)
- $GetPointerValue = $AllocationBaseOriginal.GetType().GetMethod('GetPointerValue', [Reflection.BindingFlags] 'NonPublic, Instance')
- $AllocationBase = $GetPointerValue.Invoke($AllocationBaseOriginal, $null).ToInt64()
- $RegionSize = $RegionSizeField.GetValue($MemoryBasicInformation).ToUInt64()
-
- Write-Verbose "Protection: $Protection"
- Write-Verbose "AllocationBase: $AllocationBase"
- Write-Verbose "RegionSize: $RegionSize"
-
- if (($Protection -ne $PAGE_READONLY) -and ($Protection -ne $PAGE_READWRITE) -and ($Protection -ne $PAGE_EXECUTE_READ) -and ($Protection -ne $PAGE_EXECUTE_READWRITE))
- {
- $SafeHandle.Close()
- throw 'The address specified does not have read access.'
- }
-
- $StructSize = [Runtime.InteropServices.Marshal]::SizeOf([Type] $StructType)
- $EndOfAllocation = $AllocationBase + $RegionSize
- $EndOfStruct = $MemoryAddress.ToInt64() + $StructSize
-
- if ($EndOfStruct -gt $EndOfAllocation)
- {
- $SafeHandle.Close()
- throw 'You are attempting to read beyond what was allocated.'
- }
-
- try
- {
- # Allocate unmanaged memory. This will be used to store the memory read from ReadProcessMemory
- $LocalStructPtr = [Runtime.InteropServices.Marshal]::AllocHGlobal($StructSize)
- }
- catch [OutOfMemoryException]
- {
- throw Error[0]
- }
-
- Write-Verbose "Memory allocated at 0x$($LocalStructPtr.ToString("X$([IntPtr]::Size * 2)"))"
-
- # Zero out the memory that was just allocated. According to MSDN documentation:
- # "When AllocHGlobal calls LocalAlloc, it passes a LMEM_FIXED flag, which causes the allocated memory to be locked in place. Also, the allocated memory is not zero-filled."
- # http://msdn.microsoft.com/en-us/library/s69bkh17.aspx
- $ZeroBytes = New-Object Byte[]($StructSize)
- [Runtime.InteropServices.Marshal]::Copy($ZeroBytes, 0, $LocalStructPtr, $StructSize)
-
- $BytesRead = [UInt32] 0
-
- if ($NativeUtils::ReadProcessMemory($Handle, $MemoryAddress, $LocalStructPtr, $StructSize, [Ref] $BytesRead))
- {
- $SafeHandle.Close()
- [Runtime.InteropServices.Marshal]::FreeHGlobal($LocalStructPtr)
- throw ([ComponentModel.Win32Exception][Runtime.InteropServices.Marshal]::GetLastWin32Error())
- }
-
- Write-Verbose "Struct Size: $StructSize"
- Write-Verbose "Bytes read: $BytesRead"
-
- $ParsedStruct = [Runtime.InteropServices.Marshal]::PtrToStructure($LocalStructPtr, [Type] $StructType)
-
- [Runtime.InteropServices.Marshal]::FreeHGlobal($LocalStructPtr)
- $SafeHandle.Close()
-
- Write-Output $ParsedStruct
-}
diff --git a/ReverseEngineering/ProcessModuleTrace.format.ps1xml b/ReverseEngineering/ProcessModuleTrace.format.ps1xml
deleted file mode 100644
index ffb6761..0000000
--- a/ReverseEngineering/ProcessModuleTrace.format.ps1xml
+++ /dev/null
@@ -1,36 +0,0 @@
-<?xml version="1.0" encoding="utf-8" ?>
-<Configuration>
- <ViewDefinitions>
- <View>
- <Name>ProcessModuleTraceView</Name>
- <ViewSelectedBy>
- <TypeName>LOADED_MODULE</TypeName>
- </ViewSelectedBy>
- <ListControl>
- <ListEntries>
- <ListEntry>
- <ListItems>
- <ListItem>
- <PropertyName>TimeCreated</PropertyName>
- </ListItem>
- <ListItem>
- <PropertyName>ProcessId</PropertyName>
- </ListItem>
- <ListItem>
- <PropertyName>FileName</PropertyName>
- </ListItem>
- <ListItem>
- <Label>ImageBase</Label>
- <ScriptBlock>"0x$($_.ImageBase.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
- </ListItem>
- <ListItem>
- <PropertyName>ImageSize</PropertyName>
- <FormatString>0x{0:X8}</FormatString>
- </ListItem>
- </ListItems>
- </ListEntry>
- </ListEntries>
- </ListControl>
- </View>
- </ViewDefinitions>
-</Configuration>
diff --git a/ReverseEngineering/ProcessModuleTrace.ps1 b/ReverseEngineering/ProcessModuleTrace.ps1
deleted file mode 100644
index 85f7105..0000000
--- a/ReverseEngineering/ProcessModuleTrace.ps1
+++ /dev/null
@@ -1,103 +0,0 @@
-function Register-ProcessModuleTrace
-{
-<#
-.SYNOPSIS
-
- Starts a trace of loaded process modules
-
- PowerSploit Function: Register-ProcessModuleTrace
- Author: Matthew Graeber (@mattifestation)
- License: BSD 3-Clause
- Required Dependencies: None
- Optional Dependencies: None
-
-.OUTPUTS
-
- System.Management.Automation.PSEventJob
-
- If desired, you can manipulate the event returned with the *-Event cmdlets.
-
-.LINK
-
- http://www.exploit-monday.com/
-#>
-
- [CmdletBinding()] Param ()
-
- if (-not ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] 'Administrator'))
- {
- throw 'You must run this cmdlet from an elevated PowerShell session.'
- }
-
- $ModuleLoadedAction = {
- $Event = $EventArgs.NewEvent
-
- $ModuleInfo = @{
- TimeCreated = [DateTime]::FromFileTime($Event.TIME_CREATED)
- ProcessId = $Event.ProcessId
- FileName = $Event.FileName
- ImageBase = $Event.ImageBase
- ImageSize = $Event.ImageSize
- }
-
- $ModuleObject = New-Object PSObject -Property $ModuleInfo
- $ModuleObject.PSObject.TypeNames[0] = 'LOADED_MODULE'
-
- $ModuleObject
- }
-
- Register-WmiEvent 'Win32_ModuleLoadTrace' -SourceIdentifier 'ModuleLoaded' -Action $ModuleLoadedAction
-}
-
-function Get-ProcessModuleTrace
-{
-<#
-.SYNOPSIS
-
- Displays the process modules that have been loaded since the call to Register-ProcessModuleTrace
-
- PowerSploit Function: Get-ProcessModuleTrace
- Author: Matthew Graeber (@mattifestation)
- License: BSD 3-Clause
- Required Dependencies: Register-ProcessModuleTrace
- Optional Dependencies: None
-
-.OUTPUTS
-
- PSObject
-
-.LINK
-
- http://www.exploit-monday.com/
-#>
-
- $Events = Get-EventSubscriber -SourceIdentifier 'ModuleLoaded' -ErrorVariable NoEventRegistered -ErrorAction SilentlyContinue
-
- if ($NoEventRegistered)
- {
- throw 'You must execute Register-ProcessModuleTrace before you can retrieve a loaded module list'
- }
-
- $Events.Action.Output
-}
-
-function Unregister-ProcessModuleTrace
-{
-<#
-.SYNOPSIS
-
- Stops the running process module trace
-
- PowerSploit Function: Unregister-ProcessModuleTrace
- Author: Matthew Graeber (@mattifestation)
- License: BSD 3-Clause
- Required Dependencies: Register-ProcessModuleTrace
- Optional Dependencies: None
-
-.LINK
-
- http://www.exploit-monday.com/
-#>
-
- Unregister-Event -SourceIdentifier 'ModuleLoaded'
-}
diff --git a/ReverseEngineering/ReverseEngineering.psd1 b/ReverseEngineering/ReverseEngineering.psd1
deleted file mode 100644
index 90eec8e..0000000
--- a/ReverseEngineering/ReverseEngineering.psd1
+++ /dev/null
@@ -1,91 +0,0 @@
-@{
-
-# Script module or binary module file associated with this manifest.
-ModuleToProcess = 'ReverseEngineering.psm1'
-
-# Version number of this module.
-ModuleVersion = '1.0.0.0'
-
-# ID used to uniquely identify this module
-GUID = 'cbffaf47-c55a-4901-92e7-8d794fbe1fff'
-
-# Author of this module
-Author = 'Matthew Graeber'
-
-# Company or vendor of this module
-CompanyName = ''
-
-# Copyright statement for this module
-Copyright = 'BSD 3-Clause'
-
-# Description of the functionality provided by this module
-Description = 'PowerSploit Reverse Engineering Module'
-
-# Minimum version of the Windows PowerShell engine required by this module
-PowerShellVersion = '2.0'
-
-# Name of the Windows PowerShell host required by this module
-# PowerShellHostName = ''
-
-# Minimum version of the Windows PowerShell host required by this module
-# PowerShellHostVersion = ''
-
-# Minimum version of the .NET Framework required by this module
-# DotNetFrameworkVersion = ''
-
-# Minimum version of the common language runtime (CLR) required by this module
-# CLRVersion = ''
-
-# Processor architecture (None, X86, Amd64) required by this module
-# ProcessorArchitecture = ''
-
-# Modules that must be imported into the global environment prior to importing this module
-# RequiredModules = @()
-
-# Assemblies that must be loaded prior to importing this module
-# RequiredAssemblies = @()
-
-# Script files (.ps1) that are run in the caller's environment prior to importing this module.
-# ScriptsToProcess = ''
-
-# Type files (.ps1xml) to be loaded when importing this module
-# TypesToProcess = @()
-
-# Format files (.ps1xml) to be loaded when importing this module
-FormatsToProcess = 'Get-PEB.format.ps1xml', 'Get-NtSystemInformation.format.ps1xml', 'Get-ILDisassembly.format.ps1xml', 'ProcessModuleTrace.format.ps1xml'
-
-# Modules to import as nested modules of the module specified in RootModule/ModuleToProcess
-# NestedModules = @()
-
-# Functions to export from this module
-FunctionsToExport = '*'
-
-# Cmdlets to export from this module
-CmdletsToExport = '*'
-
-# Variables to export from this module
-VariablesToExport = ''
-
-# Aliases to export from this module
-AliasesToExport = ''
-
-# List of all modules packaged with this module.
-ModuleList = @(@{ModuleName = 'ReverseEngineering'; ModuleVersion = '1.0.0.0'; GUID = 'cbffaf47-c55a-4901-92e7-8d794fbe1fff'})
-
-# List of all files packaged with this module
-FileList = 'ReverseEngineering.psm1', 'ReverseEngineering.psd1', 'Get-ILDisassembly.ps1', 'Get-NtSystemInformation.format.ps1xml',
- 'Get-NtSystemInformation.ps1', 'Get-Member.ps1', 'Get-MethodAddress.ps1', 'Get-PEB.format.ps1xml',
- 'Get-PEB.ps1', 'Get-Strings.ps1', 'Get-StructFromMemory.ps1', 'ConvertTo-String.ps1',
- 'Get-Entropy.ps1', 'Get-ILDisassembly.format.ps1xml', 'ProcessModuleTrace.ps1', 'Usage.md'
-
-# Private data to pass to the module specified in RootModule/ModuleToProcess
-# PrivateData = ''
-
-# HelpInfo URI of this module
-# HelpInfoURI = ''
-
-# Default prefix for commands exported from this module. Override the default prefix using Import-Module -Prefix.
-# DefaultCommandPrefix = ''
-
-}
-
diff --git a/ReverseEngineering/ReverseEngineering.psm1 b/ReverseEngineering/ReverseEngineering.psm1
deleted file mode 100644
index 81d3818..0000000
--- a/ReverseEngineering/ReverseEngineering.psm1
+++ /dev/null
@@ -1 +0,0 @@
-Get-ChildItem (Join-Path $PSScriptRoot *.ps1) | % { . $_.FullName}
diff --git a/ReverseEngineering/Usage.md b/ReverseEngineering/Usage.md
deleted file mode 100644
index 33b4ac4..0000000
--- a/ReverseEngineering/Usage.md
+++ /dev/null
@@ -1,12 +0,0 @@
-To install this module, drop the entire ReverseEngineering folder into one of your module directories. The default PowerShell module paths are listed in the $Env:PSModulePath environment variable.
-
-The default per-user module path is: "$Env:HomeDrive$Env:HOMEPATH\Documents\WindowsPowerShell\Modules"
-The default computer-level module path is: "$Env:windir\System32\WindowsPowerShell\v1.0\Modules"
-
-To use the module, type `Import-Module ReverseEngineering`
-
-To see the commands imported, type `Get-Command -Module ReverseEngineering`
-
-For help on each individual command, Get-Help is your friend.
-
-Note: The tools contained within this module were all designed such that they can be run individually. Including them in a module simply lends itself to increased portability. \ No newline at end of file