Diffstat (limited to 'ReverseEngineering')
-rw-r--r-- | ReverseEngineering/ConvertTo-String.ps1 | 4 | ||||
-rw-r--r-- | ReverseEngineering/Get-Entropy.ps1 | 106 | ||||
-rw-r--r-- | ReverseEngineering/Get-ILDisassembly.format.ps1xml | 10 | ||||
-rw-r--r-- | ReverseEngineering/Get-ILDisassembly.ps1 | 15 | ||||
-rw-r--r-- | ReverseEngineering/Get-MethodAddress.ps1 | 4 | ||||
-rw-r--r-- | ReverseEngineering/Get-NtSystemInformation.format.ps1xml | 2 | ||||
-rw-r--r-- | ReverseEngineering/Get-NtSystemInformation.ps1 | 2 | ||||
-rw-r--r-- | ReverseEngineering/Get-PEB.format.ps1xml | 2 | ||||
-rw-r--r-- | ReverseEngineering/Get-PEB.ps1 | 4 | ||||
-rw-r--r-- | ReverseEngineering/Get-Strings.ps1 | 4 | ||||
-rw-r--r-- | ReverseEngineering/Get-StructFromMemory.ps1 | 4 | ||||
-rw-r--r-- | ReverseEngineering/New-Object.ps1 | bin | 4376 -> 2189 bytes | |||
-rw-r--r-- | ReverseEngineering/ProcessModuleTrace.format.ps1xml | 4 | ||||
-rw-r--r-- | ReverseEngineering/ProcessModuleTrace.ps1 | 4 | ||||
-rw-r--r-- | ReverseEngineering/ReverseEngineering.psd1 | 4 | ||||
-rw-r--r-- | ReverseEngineering/ReverseEngineering.psm1 | 2 |
16 files changed, 143 insertions, 28 deletions
diff --git a/ReverseEngineering/ConvertTo-String.ps1 b/ReverseEngineering/ConvertTo-String.ps1
index ab46c74..1c030b4 100644
--- a/ReverseEngineering/ConvertTo-String.ps1
+++ b/ReverseEngineering/ConvertTo-String.ps1
@@ -1,4 +1,4 @@
-filter ConvertTo-String
+filter ConvertTo-String
 {
 <#
 .SYNOPSIS
@@ -67,4 +67,4 @@ http://www.exploit-monday.com
 $FileStream.Close()
 Write-Output $BinaryText
-}
\ No newline at end of file
+}
diff --git a/ReverseEngineering/Get-Entropy.ps1 b/ReverseEngineering/Get-Entropy.ps1
new file mode 100644
index 0000000..42e5d28
--- /dev/null
+++ b/ReverseEngineering/Get-Entropy.ps1
@@ -0,0 +1,106 @@
+function Get-Entropy
+{
+<#
+.SYNOPSIS
+
+ Calculates the entropy of a file or byte array.
+
+ PowerSploit Function: Get-Entropy
+ Author: Matthew Graeber (@mattifestation)
+ License: BSD 3-Clause
+ Required Dependencies: None
+ Optional Dependencies: None
+
+.PARAMETER ByteArray
+
+ Specifies the byte array containing the data from which entropy will be calculated.
+
+.PARAMETER FilePath
+
+ Specifies the path to the input file from which entropy will be calculated.
+
+.EXAMPLE
+
+ C:\PS>Get-Entropy -FilePath C:\Windows\System32\kernel32.dll
+
+.EXAMPLE
+
+ C:\PS>ls C:\Windows\System32\*.dll | % { Get-Entropy -FilePath $_ }
+
+.EXAMPLE
+
+ C:\PS>$RandArray = New-Object Byte[](10000)
+ C:\PS>foreach ($Offset in 0..9999) { $RandArray[$Offset] = [Byte] (Get-Random -Min 0 -Max 256) }
+ C:\PS>$RandArray | Get-Entropy
+
+ Description
+ -----------
+ Calculates the entropy of a large array containing random bytes.
+
+.EXAMPLE
+
+ C:\PS> 0..255 | Get-Entropy
+
+ Description
+ -----------
+ Calculates the entropy of 0-255. This should equal exactly 8.
+
+.OUTPUTS
+
+ System.Double
+
+ Get-Entropy outputs a double representing the entropy of the byte array.
+
+.LINK
+
+ http://www.exploit-monday.com
+#>
+
+ [CmdletBinding()] Param (
+ [Parameter(Mandatory = $True, Position = 0, ValueFromPipeline = $True, ParameterSetName = 'Bytes')]
+ [ValidateNotNullOrEmpty()]
+ [Byte[]]
+ $ByteArray,
+
+ [Parameter(Mandatory = $True, Position = 0, ParameterSetName = 'File')]
+ [ValidateNotNullOrEmpty()]
+ [IO.FileInfo]
+ $FilePath
+ )
+
+ BEGIN
+ {
+ $FrequencyTable = @{}
+ $ByteArrayLength = 0
+ }
+
+ PROCESS
+ {
+ if ($PsCmdlet.ParameterSetName -eq 'File')
+ {
+ $ByteArray = [IO.File]::ReadAllBytes($FilePath.FullName)
+ }
+
+ foreach ($Byte in $ByteArray)
+ {
+ $FrequencyTable[$Byte]++
+ $ByteArrayLength++
+ }
+ }
+
+ END
+ {
+ $Entropy = 0.0
+
+ foreach ($Byte in 0..255)
+ {
+ $ByteProbability = ([Double] $FrequencyTable[[Byte]$Byte]) / $ByteArrayLength
+ if ($ByteProbability -gt 0)
+ {
+ $Entropy += -$ByteProbability * [Math]::Log($ByteProbability, 2)
+ }
+ }
+
+ Write-Output $Entropy
+ }
+}
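Review bot: In the `File` parameter set, `[IO.File]::ReadAllBytes($FilePath.FullName)` trusts the `.FullName` that the `[IO.FileInfo]` cast produced, and that cast resolves a relative path against the process working directory rather than PowerShell's current location, so `Get-Entropy -FilePath .\sample.bin` after a `Set-Location` can read (or fail on) a different file than the analyst intended; resolving the argument through the provider before it is handed to .NET (`Resolve-Path -LiteralPath`), or stating in `.PARAMETER FilePath` that a full path is expected, keeps the two in step. Separately, an empty file passes validation and leaves `$ByteArrayLength` at 0, so the division in END yields NaN, every `-gt 0` test fails and the function appears to emit `0.0` rather than an error; a guard such as `if ($ByteArrayLength -eq 0) { Write-Error 'No input bytes to measure.'; return }` at the top of END makes that case explicit. `ReadAllBytes` also loads the whole file into memory, which is worth a note in the help for anyone pointing this at large binaries.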
\ No newline at end of file
diff --git a/ReverseEngineering/Get-ILDisassembly.format.ps1xml b/ReverseEngineering/Get-ILDisassembly.format.ps1xml
index f933e1e..21115d6 100644
--- a/ReverseEngineering/Get-ILDisassembly.format.ps1xml
+++ b/ReverseEngineering/Get-ILDisassembly.format.ps1xml
@@ -1,4 +1,4 @@
-<?xml version="1.0" encoding="utf-8" ?>
+<?xml version="1.0" encoding="utf-8" ?>
 <Configuration>
 <ViewDefinitions>
 <View>
@@ -18,6 +18,9 @@
 <TableColumnHeader>
 <Label>Operand</Label>
 </TableColumnHeader>
+ <TableColumnHeader>
+ <Label>MetadataToken</Label>
+ </TableColumnHeader>
 </TableHeaders>
 <TableRowEntries>
 <TableRowEntry>
@@ -31,10 +34,13 @@
 <TableColumnItem>
 <PropertyName>Operand</PropertyName>
 </TableColumnItem>
+ <TableColumnItem>
+ <ScriptBlock>if ($_.MetadataToken) {"0x$($_.MetadataToken.ToString('X8'))"}</ScriptBlock>
+ </TableColumnItem>
 </TableColumnItems>
 </TableRowEntry>
 </TableRowEntries>
 </TableControl>
 </View>
 </ViewDefinitions>
-</Configuration>
\ No newline at end of file
+</Configuration>
diff --git a/ReverseEngineering/Get-ILDisassembly.ps1 b/ReverseEngineering/Get-ILDisassembly.ps1
index 645dc39..6948919 100644
--- a/ReverseEngineering/Get-ILDisassembly.ps1
+++ b/ReverseEngineering/Get-ILDisassembly.ps1
@@ -68,9 +68,9 @@ Disassembles the System.Array.BinarySearch(Array, Object) method
 .INPUTS
-System.Reflection.MethodInfo
+System.Reflection.MethodInfo, System.Reflection.ConstructorInfo
-The method description containing the raw IL bytecodes.
+A method or constructor description containing the raw IL bytecodes.
.OUTPUTS
@@ -88,7 +88,8 @@ http://www.ecma-international.org/publications/files/ECMA-ST/Ecma-335.pdf
 Param (
[Parameter(Mandatory = $True, ValueFromPipeline = $True)]
- [System.Reflection.MethodInfo]
+ [ValidateScript({$_ -is [Reflection.MethodInfo] -or $_ -is [Reflection.ConstructorInfo]})]
+ [Object]
$MethodInfo
)
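Review bot: Typing `$MethodInfo` as `[Object]` and re-checking it with a `ValidateScript` re-implements a constraint the type system already provides: `MethodInfo` and `ConstructorInfo` share the base class `System.Reflection.MethodBase`, which is also where the IL-body accessor lives. Declaring the parameter as `[Reflection.MethodBase]` accepts exactly the same inputs, rejects anything else at bind time with a normal parameter-binding error instead of the generic ValidateScript message, and keeps a concrete type visible in `Get-Help` and tab completion. I would replace the two lines `[ValidateScript({...})]` / `[Object]` with `[Reflection.MethodBase]`. The enclosing function and its `[CmdletBinding()]` start before this hunk.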
@@ -131,6 +132,7 @@ http://www.ecma-international.org/publications/files/ECMA-ST/Ecma-335.pdf
 $Type = $Op.OperandType
$Operand = $null
+ $OpInt = $null
if ($Type -eq 'InlineNone') {
$OperandLength = 0
@@ -191,13 +193,14 @@ http://www.ecma-international.org/publications/files/ECMA-ST/Ecma-335.pdf
 if (($OperandLength -gt 0) -and ($OperandLength -ne 4) -and ($Type -ne 'InlineSwitch') -and ($Type -ne 'ShortInlineBrTarget')) {
# Simply print the hex for all operands with immediate values
- $Operand = "0x{0}" -f (($IL[$Position..($Position+$OperandLength-1)] | ForEach-Object { $_.ToString('X2') }) -join '')
+ $Operand = "0x{0}" -f (($IL[($Position+$OperandLength-1)..$Position] | ForEach-Object { $_.ToString('X2') }) -join '')
}
$Instruction = @{
Position = $InstructionPostion
- Instruction = $Op.Name
+ Instruction = $Op
Operand = $Operand
+ MetadataToken = $OpInt
}
# Return a custom object containing a position, instruction, and fully-qualified operand
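Review bot: The immediate-operand branch now walks the bytes high-to-low (`($Position+$OperandLength-1)..$Position`), but the comment above it still says only "Simply print the hex", so a later reader has no hint that the reversal is deliberate and may "fix" it back to stream order; I would change it to `# IL immediates are little-endian in the stream; emit the bytes high-to-low so the hex reads as a number`. The other change here, `Instruction = $Op` in place of `$Op.Name`, turns a string property into an `OpCode` object, so any caller that compared `.Instruction` against a mnemonic string may now need `.Instruction.Name`; that is worth a sentence in the `.OUTPUTS` help. `MetadataToken = $OpInt` is assigned outside this hunk, so I cannot tell from here whether it is populated for every token-bearing operand type or left `$null` for some.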
@@ -209,4 +212,4 @@ http://www.ecma-international.org/publications/files/ECMA-ST/Ecma-335.pdf
 # Adjust the position in the opcode array accordingly
$Position += $OperandLength
}
-}
\ No newline at end of file
+}
diff --git a/ReverseEngineering/Get-MethodAddress.ps1 b/ReverseEngineering/Get-MethodAddress.ps1
index 4a488cf..1ab0d41 100644
--- a/ReverseEngineering/Get-MethodAddress.ps1
+++ b/ReverseEngineering/Get-MethodAddress.ps1
@@ -1,4 +1,4 @@
-function Get-MethodAddress
+function Get-MethodAddress
 {
 <#
 .SYNOPSIS
@@ -117,4 +117,4 @@ http://www.exploit-monday.com/2012/11/Get-MethodAddress.html
 {
 Write-Error "$($MethodInfo.Name) cannot return an unmanaged address."
 }
-}
\ No newline at end of file
+}
diff --git a/ReverseEngineering/Get-NtSystemInformation.format.ps1xml b/ReverseEngineering/Get-NtSystemInformation.format.ps1xml
index 41b5280..fa3ed41 100644
--- a/ReverseEngineering/Get-NtSystemInformation.format.ps1xml
+++ b/ReverseEngineering/Get-NtSystemInformation.format.ps1xml
@@ -437,4 +437,4 @@
 </ListControl>
 </View>
 </ViewDefinitions>
-</Configuration>
\ No newline at end of file
+</Configuration>
diff --git a/ReverseEngineering/Get-NtSystemInformation.ps1 b/ReverseEngineering/Get-NtSystemInformation.ps1
index bb0871a..2bde8f6 100644
--- a/ReverseEngineering/Get-NtSystemInformation.ps1
+++ b/ReverseEngineering/Get-NtSystemInformation.ps1
@@ -1,4 +1,4 @@
-function Get-NtSystemInformation
+function Get-NtSystemInformation
 {
 <#
 .SYNOPSIS
diff --git a/ReverseEngineering/Get-PEB.format.ps1xml b/ReverseEngineering/Get-PEB.format.ps1xml
index 3d075eb..59b5362 100644
--- a/ReverseEngineering/Get-PEB.format.ps1xml
+++ b/ReverseEngineering/Get-PEB.format.ps1xml
@@ -1207,4 +1207,4 @@
 </ListControl>
</View>
</ViewDefinitions>
-</Configuration>
\ No newline at end of file
+</Configuration>
diff --git a/ReverseEngineering/Get-PEB.ps1 b/ReverseEngineering/Get-PEB.ps1
index 86e064d..7ec5089 100644
--- a/ReverseEngineering/Get-PEB.ps1
+++ b/ReverseEngineering/Get-PEB.ps1
@@ -1,4 +1,4 @@
-function Get-PEB
+function Get-PEB
{
<#
.SYNOPSIS
@@ -1089,4 +1089,4 @@ http://msdn.microsoft.com/en-us/library/windows/desktop/aa813706(v=vs.85).aspx
 END{}
-}
\ No newline at end of file
+}
diff --git a/ReverseEngineering/Get-Strings.ps1 b/ReverseEngineering/Get-Strings.ps1
index 7acb9f1..2cb971c 100644
--- a/ReverseEngineering/Get-Strings.ps1
+++ b/ReverseEngineering/Get-Strings.ps1
@@ -1,4 +1,4 @@
-function Get-Strings
+function Get-Strings
{
<#
.SYNOPSIS
@@ -95,4 +95,4 @@ http://www.exploit-monday.com
 }
}
END {}
-}
\ No newline at end of file
+}
diff --git a/ReverseEngineering/Get-StructFromMemory.ps1 b/ReverseEngineering/Get-StructFromMemory.ps1
index c32c190..68f7651 100644
--- a/ReverseEngineering/Get-StructFromMemory.ps1
+++ b/ReverseEngineering/Get-StructFromMemory.ps1
@@ -1,4 +1,4 @@
-function Get-StructFromMemory
+function Get-StructFromMemory
{
<#
.SYNOPSIS
@@ -200,4 +200,4 @@ http://www.exploit-monday.com
 $SafeHandle.Close()
Write-Output $ParsedStruct
-}
\ No newline at end of file
+}
diff --git a/ReverseEngineering/New-Object.ps1 b/ReverseEngineering/New-Object.ps1 Binary files differindex 77b24f6..52c38c8 100644 --- a/ReverseEngineering/New-Object.ps1 +++ b/ReverseEngineering/New-Object.ps1 diff --git a/ReverseEngineering/ProcessModuleTrace.format.ps1xml b/ReverseEngineering/ProcessModuleTrace.format.ps1xml index fbad0b9..ffb6761 100644 --- a/ReverseEngineering/ProcessModuleTrace.format.ps1xml +++ b/ReverseEngineering/ProcessModuleTrace.format.ps1xml @@ -1,4 +1,4 @@ -<?xml version="1.0" encoding="utf-8" ?> +<?xml version="1.0" encoding="utf-8" ?> <Configuration> <ViewDefinitions> <View> @@ -33,4 +33,4 @@ </ListControl> </View> </ViewDefinitions> -</Configuration>
\ No newline at end of file
+</Configuration>
diff --git a/ReverseEngineering/ProcessModuleTrace.ps1 b/ReverseEngineering/ProcessModuleTrace.ps1
index 3eb75b9..85f7105 100644
--- a/ReverseEngineering/ProcessModuleTrace.ps1
+++ b/ReverseEngineering/ProcessModuleTrace.ps1
@@ -1,4 +1,4 @@
-function Register-ProcessModuleTrace
+function Register-ProcessModuleTrace
 {
 <#
 .SYNOPSIS
@@ -100,4 +100,4 @@ function Unregister-ProcessModuleTrace
 #>
 Unregister-Event -SourceIdentifier 'ModuleLoaded'
-}
\ No newline at end of file
+}
diff --git a/ReverseEngineering/ReverseEngineering.psd1 b/ReverseEngineering/ReverseEngineering.psd1
index b7da355..d9c733f 100644
--- a/ReverseEngineering/ReverseEngineering.psd1
+++ b/ReverseEngineering/ReverseEngineering.psd1
@@ -1,4 +1,4 @@
-@{
+@{
# Script module or binary module file associated with this manifest.
ModuleToProcess = 'ReverseEngineering.psm1'
@@ -76,7 +76,7 @@ ModuleList = @(@{ModuleName = 'ReverseEngineering'; ModuleVersion = '1.0.0.0'; G
 FileList = 'ReverseEngineering.psm1', 'ReverseEngineering.psd1', 'Get-ILDisassembly.ps1', 'Get-NtSystemInformation.format.ps1xml',
'Get-NtSystemInformation.ps1', 'Get-Member.ps1', 'Get-MethodAddress.ps1', 'Get-PEB.format.ps1xml',
'Get-PEB.ps1', 'Get-Strings.ps1', 'Get-StructFromMemory.ps1', 'ConvertTo-String.ps1',
- 'New-Object.ps1', 'Get-ILDisassembly.format.ps1xml', 'ProcessModuleTrace.ps1', 'Usage.md'
+ 'Get-Entropy.ps1', 'New-Object.ps1', 'Get-ILDisassembly.format.ps1xml', 'ProcessModuleTrace.ps1', 'Usage.md'
# Private data to pass to the module specified in RootModule/ModuleToProcess
# PrivateData = ''
diff --git a/ReverseEngineering/ReverseEngineering.psm1 b/ReverseEngineering/ReverseEngineering.psm1
index 5bb81d3..81d3818 100644
--- a/ReverseEngineering/ReverseEngineering.psm1
+++ b/ReverseEngineering/ReverseEngineering.psm1
@@ -1 +1 @@
-Get-ChildItem (Join-Path $PSScriptRoot *.ps1) | % { . $_.FullName}
\ No newline at end of file
+Get-ChildItem (Join-Path $PSScriptRoot *.ps1) | % { . $_.FullName} |