Diffstat (limited to 'ReverseEngineering')
-rw-r--r-- | ReverseEngineering/ConvertTo-String.ps1 | 4 | ||||
-rw-r--r-- | ReverseEngineering/Get-ILDisassembly.format.ps1xml | 46 | ||||
-rw-r--r-- | ReverseEngineering/Get-ILDisassembly.ps1 | 20 | ||||
-rw-r--r-- | ReverseEngineering/Get-MethodAddress.ps1 | 4 | ||||
-rw-r--r-- | ReverseEngineering/Get-NtSystemInformation.format.ps1xml | 23 | ||||
-rw-r--r-- | ReverseEngineering/Get-NtSystemInformation.ps1 | 46 | ||||
-rw-r--r-- | ReverseEngineering/Get-PEB.format.ps1xml | 2 | ||||
-rw-r--r-- | ReverseEngineering/Get-PEB.ps1 | 28 | ||||
-rw-r--r-- | ReverseEngineering/Get-Strings.ps1 | 4 | ||||
-rw-r--r-- | ReverseEngineering/Get-StructFromMemory.ps1 | 10 | ||||
-rw-r--r-- | ReverseEngineering/New-Object.ps1 | bin | 4376 -> 2189 bytes | |||
-rw-r--r-- | ReverseEngineering/ProcessModuleTrace.format.ps1xml | 36 | ||||
-rw-r--r-- | ReverseEngineering/ProcessModuleTrace.ps1 | 103 | ||||
-rw-r--r-- | ReverseEngineering/ReverseEngineering.psd1 | 6 | ||||
-rw-r--r-- | ReverseEngineering/ReverseEngineering.psm1 | 2 |
15 files changed, 292 insertions, 42 deletions
diff --git a/ReverseEngineering/ConvertTo-String.ps1 b/ReverseEngineering/ConvertTo-String.ps1
index ab46c74..1c030b4 100644
--- a/ReverseEngineering/ConvertTo-String.ps1
+++ b/ReverseEngineering/ConvertTo-String.ps1
@@ -1,4 +1,4 @@
-filter ConvertTo-String
+filter ConvertTo-String
 {
 <#
 .SYNOPSIS
@@ -67,4 +67,4 @@ http://www.exploit-monday.com
 $FileStream.Close()
 Write-Output $BinaryText
-}
\ No newline at end of file
+}
diff --git a/ReverseEngineering/Get-ILDisassembly.format.ps1xml b/ReverseEngineering/Get-ILDisassembly.format.ps1xml
new file mode 100644
index 0000000..21115d6
--- /dev/null
+++ b/ReverseEngineering/Get-ILDisassembly.format.ps1xml
@@ -0,0 +1,46 @@
+<?xml version="1.0" encoding="utf-8" ?>
+<Configuration>
+ <ViewDefinitions>
+ <View>
+ <Name>ILInstructionView</Name>
+ <ViewSelectedBy>
+ <TypeName>IL_INSTRUCTION</TypeName>
+ </ViewSelectedBy>
+ <TableControl>
+ <AutoSize/>
+ <TableHeaders>
+ <TableColumnHeader>
+ <Label>Position</Label>
+ </TableColumnHeader>
+ <TableColumnHeader>
+ <Label>Instruction</Label>
+ </TableColumnHeader>
+ <TableColumnHeader>
+ <Label>Operand</Label>
+ </TableColumnHeader>
+ <TableColumnHeader>
+ <Label>MetadataToken</Label>
+ </TableColumnHeader>
+ </TableHeaders>
+ <TableRowEntries>
+ <TableRowEntry>
+ <TableColumnItems>
+ <TableColumnItem>
+ <PropertyName>Position</PropertyName>
+ </TableColumnItem>
+ <TableColumnItem>
+ <PropertyName>Instruction</PropertyName>
+ </TableColumnItem>
+ <TableColumnItem>
+ <PropertyName>Operand</PropertyName>
+ </TableColumnItem>
+ <TableColumnItem>
+ <ScriptBlock>if ($_.MetadataToken) {"0x$($_.MetadataToken.ToString('X8'))"}</ScriptBlock>
+ </TableColumnItem>
+ </TableColumnItems>
+ </TableRowEntry>
+ </TableRowEntries>
+ </TableControl>
+ </View>
+ </ViewDefinitions>
+</Configuration>
diff --git a/ReverseEngineering/Get-ILDisassembly.ps1 b/ReverseEngineering/Get-ILDisassembly.ps1
index b3b615e..6948919 100644
--- a/ReverseEngineering/Get-ILDisassembly.ps1
+++ b/ReverseEngineering/Get-ILDisassembly.ps1
@@ -68,9 +68,9 @@ Disassembles the System.Array.BinarySearch(Array, Object) method
 .INPUTS
-System.Reflection.MethodInfo
+System.Reflection.MethodInfo, System.Reflection.ConstructorInfo
-The method description containing the raw IL bytecodes.
+A method or constructor description containing the raw IL bytecodes.
.OUTPUTS
@@ -88,7 +88,8 @@ http://www.ecma-international.org/publications/files/ECMA-ST/Ecma-335.pdf
 Param (
[Parameter(Mandatory = $True, ValueFromPipeline = $True)]
- [System.Reflection.MethodInfo]
+ [ValidateScript({$_ -is [Reflection.MethodInfo] -or $_ -is [Reflection.ConstructorInfo]})]
+ [Object]
$MethodInfo
)
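Review bot: Replacing `[System.Reflection.MethodInfo]` with `[Object]` plus a `[ValidateScript]` drops the type information a caller sees in the signature, and a rejected argument is reported only as the script-block text rather than as what was expected. Both `System.Reflection.MethodInfo` and `System.Reflection.ConstructorInfo` derive from `System.Reflection.MethodBase`, which is also where `GetMethodBody()` is declared, so `[Reflection.MethodBase] $MethodInfo` accepts both without a validation script and keeps the parameter strongly typed. Keep the `[ValidateScript]` only if there is a deliberate reason to reject other `MethodBase` subclasses, and say so in a comment. The `Param` block continues outside the hunk.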
@@ -131,6 +132,7 @@ http://www.ecma-international.org/publications/files/ECMA-ST/Ecma-335.pdf
 $Type = $Op.OperandType
$Operand = $null
+ $OpInt = $null
if ($Type -eq 'InlineNone') {
$OperandLength = 0
@@ -191,19 +193,23 @@ http://www.ecma-international.org/publications/files/ECMA-ST/Ecma-335.pdf
 if (($OperandLength -gt 0) -and ($OperandLength -ne 4) -and ($Type -ne 'InlineSwitch') -and ($Type -ne 'ShortInlineBrTarget')) {
# Simply print the hex for all operands with immediate values
- $Operand = "0x{0}" -f (($IL[$Position..($Position+$OperandLength-1)] | ForEach-Object { $_.ToString('X2') }) -join '')
+ $Operand = "0x{0}" -f (($IL[($Position+$OperandLength-1)..$Position] | ForEach-Object { $_.ToString('X2') }) -join '')
}
$Instruction = @{
Position = $InstructionPostion
- Instruction = $Op.Name
+ Instruction = $Op
Operand = $Operand
+ MetadataToken = $OpInt
}
# Return a custom object containing a position, instruction, and fully-qualified operand
- New-Object PSObject -Property $Instruction
+ $InstructionObject = New-Object PSObject -Property $Instruction
+ $InstructionObject.PSObject.TypeNames.Insert(0, 'IL_INSTRUCTION')
+ $InstructionObject
+
# Adjust the position in the opcode array accordingly
$Position += $OperandLength
}
-}
\ No newline at end of file
+}
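Review bot: `Instruction = $Op` changes the emitted `Instruction` property from the opcode's name string to the `Reflection.Emit.OpCode` value, and a `MetadataToken` property is added, but nothing in the hunk updates the function's help; the `.OUTPUTS` section (outside this hunk) should describe the `IL_INSTRUCTION` object with its `Position`, `Instruction` (an OpCode, use `.Name` for string comparisons), `Operand` and `MetadataToken` properties, since existing callers that compared `Instruction` to a string will now see an object. `$OpInt` is only ever assigned `$null` in the visible hunks, so whether `MetadataToken` carries a value depends on code outside this view; worth confirming it is set on the token-bearing operand paths. The descending slice `($Position+$OperandLength-1)..$Position` is correct for printing a little-endian immediate, but a reader will not see why the range runs backwards; a comment such as `# IL immediates are little-endian; reverse the bytes so the hex reads naturally` would say it.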
diff --git a/ReverseEngineering/Get-MethodAddress.ps1 b/ReverseEngineering/Get-MethodAddress.ps1
index 4a488cf..1ab0d41 100644
--- a/ReverseEngineering/Get-MethodAddress.ps1
+++ b/ReverseEngineering/Get-MethodAddress.ps1
@@ -1,4 +1,4 @@
-function Get-MethodAddress
+function Get-MethodAddress
 {
 <#
 .SYNOPSIS
@@ -117,4 +117,4 @@ http://www.exploit-monday.com/2012/11/Get-MethodAddress.html
 {
 Write-Error "$($MethodInfo.Name) cannot return an unmanaged address."
 }
-}
\ No newline at end of file
+}
diff --git a/ReverseEngineering/Get-NtSystemInformation.format.ps1xml b/ReverseEngineering/Get-NtSystemInformation.format.ps1xml
index 10d16d4..fa3ed41 100644
--- a/ReverseEngineering/Get-NtSystemInformation.format.ps1xml
+++ b/ReverseEngineering/Get-NtSystemInformation.format.ps1xml
@@ -415,5 +415,26 @@
 </ListEntries>
 </ListControl>
 </View>
+ <View>
+ <Name>CodeIntegrityTypeView</Name>
+ <ViewSelectedBy>
+ <TypeName>_SYSTEM_CODEINTEGRITY_INFORMATION</TypeName>
+ </ViewSelectedBy>
+ <ListControl>
+ <ListEntries>
+ <ListEntry>
+ <ListItems>
+ <ListItem>
+ <PropertyName>CodeIntegrityOptions</PropertyName>
+ <FormatString>0x{0:X8}</FormatString>
+ </ListItem>
+ <ListItem>
+ <PropertyName>LockdownState</PropertyName>
+ </ListItem>
+ </ListItems>
+ </ListEntry>
+ </ListEntries>
+ </ListControl>
+ </View>
 </ViewDefinitions>
-</Configuration>
\ No newline at end of file
+</Configuration>
diff --git a/ReverseEngineering/Get-NtSystemInformation.ps1 b/ReverseEngineering/Get-NtSystemInformation.ps1
index 98cdd4d..2bde8f6 100644
--- a/ReverseEngineering/Get-NtSystemInformation.ps1
+++ b/ReverseEngineering/Get-NtSystemInformation.ps1
@@ -1,4 +1,4 @@
-function Get-NtSystemInformation
+function Get-NtSystemInformation
 {
 <#
 .SYNOPSIS
@@ -49,6 +49,10 @@
 Returns information about user-mode objects and their respective kernel pool allocations.
+.PARAMETER CodeIntegrityInformation
+
+ Returns user-mode code integrity flags.
+
 .PARAMETER GlobalFlags
 Returns a list of all enabled global flags.
@@ -139,6 +143,10 @@
 [Switch]
 $LockInformation,
+ [Parameter( ParameterSetName = 'CodeIntegrityInformation' )]
+ [Switch]
+ $CodeIntegrityInformation,
+
 [Parameter( ParameterSetName = 'GlobalFlags' )]
 [Switch]
 $GlobalFlags
@@ -202,6 +210,7 @@
 #$EnumBuilder.DefineLiteral('SystemExceptionInformation', [Int32] 0x00000021) | Out-Null
 #$EnumBuilder.DefineLiteral('SystemRegistryQuotaInformation', [Int32] 0x00000025) | Out-Null
 #$EnumBuilder.DefineLiteral('SystemLookasideInformation', [Int32] 0x0000002D) | Out-Null
+ $EnumBuilder.DefineLiteral('SystemCodeIntegrityInformation', [Int32] 0x00000067) | Out-Null
 $SystemInformationClass = $EnumBuilder.CreateType()
 }
@@ -213,6 +222,15 @@
 $NtStatus = $EnumBuilder.CreateType()
 }
+ try { $LockdownState = [LOCKDOWN_STATE] } catch [Management.Automation.RuntimeException]
+ {
+ $EnumBuilder = $ModuleBuilder.DefineEnum('LOCKDOWN_STATE', 'Public', [Int32])
+ $EnumBuilder.DefineLiteral('UMCINONE', [Int32] 0x00000000) | Out-Null
+ $EnumBuilder.DefineLiteral('UMCIENFORCE', [Int32] 0x00000004) | Out-Null
+ $EnumBuilder.DefineLiteral('UMCIAUDIT', [Int32] 0xC0000008) | Out-Null
+ $LockdownState = $EnumBuilder.CreateType()
+ }
+
 try { $PoolType = [POOL_TYPE] } catch [Management.Automation.RuntimeException]
 {
 $EnumBuilder = $ModuleBuilder.DefineEnum('POOL_TYPE', 'Public', [UInt32])
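Review bot: The `UMCIAUDIT` literal `0xC0000008` in the `LOCKDOWN_STATE` enum can never be produced by the code that maps to it: the `'CodeIntegrityInformation'` case added further down in this file computes `($CIInfo -band 0x1C) -as $LockdownState`, and a value masked with `0x1C` is at most `0x1C`, so an audit-mode system would not convert to `UMCIAUDIT` (an undefined value converts to `$null` under `-as`) and the reported state would be wrong rather than an error. Either the literal or the mask is wrong; confirm against the `CODEINTEGRITY_OPTION_*` definitions and make the enum literals equal to the bits the mask keeps, for example `$EnumBuilder.DefineLiteral('UMCIAUDIT', [Int32] 0x00000008) | Out-Null` if the audit-mode flag is the `0x8` bit. Note also that `[Int32] 0xC0000008` appears to rely on PowerShell reading the hex literal as a negative Int32, which is an odd value to carry in a non-flags enum and deserves a comment if it is intentional.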
@@ -615,7 +633,7 @@
 foreach ($i in 0..($Count-1))
 {
- [Runtime.InteropServices.Marshal]::PtrToStructure($StructAddress, $StructType)
+ [Runtime.InteropServices.Marshal]::PtrToStructure($StructAddress, [Type] $StructType)
 $StructAddress = ([IntPtr]($StructAddress.ToInt64() + $StructSize))
 }
@@ -940,7 +958,7 @@
 # Base address of the _SYSTEM_OBJECTTYPE_INFORMATION struct
 $ObjectTypeAbsoluteAddress = [IntPtr]($PtrData.ToInt64() + $NextTypeOffset)
- $Result = [Runtime.InteropServices.Marshal]::PtrToStructure($ObjectTypeAbsoluteAddress, $ObjectTypeClass)
+ $Result = [Runtime.InteropServices.Marshal]::PtrToStructure($ObjectTypeAbsoluteAddress, [Type] $ObjectTypeClass)
 if ($Result.NumberOfObjects -gt 0)
 {
@@ -952,7 +970,7 @@
 do
 {
- $ObjectResult = [Runtime.InteropServices.Marshal]::PtrToStructure(( [IntPtr]($ObjectBaseAddr.ToInt64() + $NextObjectOffset) ), $ObjectClass)
+ $ObjectResult = [Runtime.InteropServices.Marshal]::PtrToStructure(( [IntPtr]($ObjectBaseAddr.ToInt64() + $NextObjectOffset) ), [Type] $ObjectClass)
 $ResultHashTable2 = @{
 Object = $ObjectResult.Object
@@ -1019,6 +1037,26 @@
 Get-Struct @Arguments
 }
+ 'CodeIntegrityInformation' {
+ $CIStructLength = 8
+ $PtrData = [Runtime.InteropServices.Marshal]::AllocHGlobal($CIStructLength)
+ [Runtime.InteropServices.Marshal]::WriteInt64($PtrData, 0)
+ [Runtime.InteropServices.Marshal]::WriteByte($PtrData, 8) # The length field in SYSTEM_CODEINTEGRITY_INFORMATION must be set to 8
+ $ntdll::NtQuerySystemInformation($SystemInformationClass::SystemCodeIntegrityInformation, $PtrData, $CIStructLength, [Ref] 0) | Out-Null
+ $CIInfo = [Runtime.InteropServices.Marshal]::ReadInt32(([IntPtr]($PtrData.ToInt64() + 4)))
+ [Runtime.InteropServices.Marshal]::FreeHGlobal($PtrData)
+
+ $ResultHashTable = @{
+ CodeIntegrityOptions = $CIInfo
+ LockdownState = ($CIInfo -band 0x1C) -as $LockdownState
+ }
+
+ $CodeIntegrityType = New-Object PSObject -Property $ResultHashTable
+ $CodeIntegrityType.PSObject.TypeNames.Insert(0, '_SYSTEM_CODEINTEGRITY_INFORMATION')
+
+ Write-Output $CodeIntegrityType
+ }
+
 'GlobalFlags' {
 $TotalLength = 0
 $ReturnedLength = 0
diff --git a/ReverseEngineering/Get-PEB.format.ps1xml b/ReverseEngineering/Get-PEB.format.ps1xml
index 3d075eb..59b5362 100644
--- a/ReverseEngineering/Get-PEB.format.ps1xml
+++ b/ReverseEngineering/Get-PEB.format.ps1xml
@@ -1207,4 +1207,4 @@
 </ListControl>
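Review bot: The NTSTATUS from `NtQuerySystemInformation` is piped to `Out-Null`, so a failed query (an information class the running kernel does not support, or a length mismatch) is indistinguishable from success with no options set: `$CIInfo` is read from the zero-filled buffer and the function reports `UMCINONE`, which is exactly the wrong answer for a security-posture query. The file already builds an `$NtStatus` enum, so the status should be captured and checked before the read, the return length should be taken from a real variable instead of `[Ref] 0` so the 8-byte layout can be confirmed, and `FreeHGlobal` should sit in a `finally` so the buffer is released on the throw path. The comparison below assumes the `$ntdll` delegate returns the status as an integer, which is consistent with the other call sites but not visible in this hunk.
```powershell
'CodeIntegrityInformation' {
    $CIStructLength = 8
    $ReturnLength = 0
    $PtrData = [Runtime.InteropServices.Marshal]::AllocHGlobal($CIStructLength)
    try
    {
        [Runtime.InteropServices.Marshal]::WriteInt64($PtrData, 0)
        [Runtime.InteropServices.Marshal]::WriteByte($PtrData, 8) # Length field of SYSTEM_CODEINTEGRITY_INFORMATION must be 8
        $Status = $ntdll::NtQuerySystemInformation($SystemInformationClass::SystemCodeIntegrityInformation, $PtrData, $CIStructLength, [Ref] $ReturnLength)
        if ($Status -ne 0)
        {
            throw "NtQuerySystemInformation(SystemCodeIntegrityInformation) failed: $($Status -as $NtStatus)"
        }
        $CIInfo = [Runtime.InteropServices.Marshal]::ReadInt32(([IntPtr]($PtrData.ToInt64() + 4)))
    }
    finally
    {
        [Runtime.InteropServices.Marshal]::FreeHGlobal($PtrData)
    }
    # … unchanged: $ResultHashTable, type name insertion, Write-Output …
```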
</View>
</ViewDefinitions>
-</Configuration>
\ No newline at end of file
+</Configuration>
diff --git a/ReverseEngineering/Get-PEB.ps1 b/ReverseEngineering/Get-PEB.ps1
index 1a196ac..7ec5089 100644
--- a/ReverseEngineering/Get-PEB.ps1
+++ b/ReverseEngineering/Get-PEB.ps1
@@ -1,4 +1,4 @@
-function Get-PEB
+function Get-PEB
{
<#
.SYNOPSIS
@@ -482,7 +482,7 @@ http://msdn.microsoft.com/en-us/library/windows/desktop/aa813706(v=vs.85).aspx
 $PEBStruct = $TypeBuilder.CreateType()
}
- $PEBSize = [Runtime.InteropServices.Marshal]::SizeOf($PEBStruct)
+ $PEBSize = [Runtime.InteropServices.Marshal]::SizeOf([Type]$PEBStruct)
#endregion
function Local:Get-StructFromMemory
@@ -562,7 +562,7 @@ http://msdn.microsoft.com/en-us/library/windows/desktop/aa813706(v=vs.85).aspx
 do
{
$MemoryBasicInformation = [Activator]::CreateInstance($MEMORY_BASIC_INFORMATION)
- $NativeUtils::VirtualQueryEx($Handle, $Flink, [Ref] $MemoryBasicInformation, [Runtime.InteropServices.Marshal]::SizeOf($MEMORY_BASIC_INFORMATION)) | Out-Null
+ $NativeUtils::VirtualQueryEx($Handle, $Flink, [Ref] $MemoryBasicInformation, [Runtime.InteropServices.Marshal]::SizeOf([Type]$MEMORY_BASIC_INFORMATION)) | Out-Null
$Protection = $ProtectField.GetValue($MemoryBasicInformation)
$AllocationBaseOriginal = $AllocationBaseField.GetValue($MemoryBasicInformation)
@@ -577,7 +577,7 @@ http://msdn.microsoft.com/en-us/library/windows/desktop/aa813706(v=vs.85).aspx
 return
}
- $StructSize = [Runtime.InteropServices.Marshal]::SizeOf($LdrModuleStruct)
+ $StructSize = [Runtime.InteropServices.Marshal]::SizeOf([Type]$LdrModuleStruct)
$EndOfAllocation = $AllocationBase + $RegionSize
$EndOfStruct = $MemoryAddress.ToInt64() + $StructSize
@@ -611,15 +611,15 @@ http://msdn.microsoft.com/en-us/library/windows/desktop/aa813706(v=vs.85).aspx
 return
}
- $ParsedLdrModule = [Runtime.InteropServices.Marshal]::PtrToStructure($LocalStructPtr, $LdrModuleStruct)
+ $ParsedLdrModule = [Runtime.InteropServices.Marshal]::PtrToStructure($LocalStructPtr, [Type] $LdrModuleStruct)
[Runtime.InteropServices.Marshal]::FreeHGlobal($LocalStructPtr)
switch ($LoadOrder)
{
'InLoadOrderModuleList' { $Flink = $ParsedLdrModule.InLoadOrderModuleList.Flink }
- 'InMemoryOrderModuleList' { $Flink = [IntPtr] ($ParsedLdrModule.InMemoryOrderModuleList.Flink.ToInt64() - [Runtime.InteropServices.Marshal]::SizeOf($ListEntryStruct)) }
- 'InInitializationOrderModuleList' { $Flink = [IntPtr] ($ParsedLdrModule.InInitializationOrderModuleList.Flink.ToInt64() - (2 * [Runtime.InteropServices.Marshal]::SizeOf($ListEntryStruct))) }
+ 'InMemoryOrderModuleList' { $Flink = [IntPtr] ($ParsedLdrModule.InMemoryOrderModuleList.Flink.ToInt64() - [Runtime.InteropServices.Marshal]::SizeOf([Type]$ListEntryStruct)) }
+ 'InInitializationOrderModuleList' { $Flink = [IntPtr] ($ParsedLdrModule.InInitializationOrderModuleList.Flink.ToInt64() - (2 * [Runtime.InteropServices.Marshal]::SizeOf([Type]$ListEntryStruct))) }
}
$SafeHandle = $GetProcessHandle.Invoke($Process, @($PROCESS_VM_READ))
@@ -636,7 +636,7 @@ http://msdn.microsoft.com/en-us/library/windows/desktop/aa813706(v=vs.85).aspx
 elseif ($StructType -eq [String] -and $UnicodeStringSize)
{
$MemoryBasicInformation = [Activator]::CreateInstance($MEMORY_BASIC_INFORMATION)
- $NativeUtils::VirtualQueryEx($Handle, $MemoryAddress, [Ref] $MemoryBasicInformation, [Runtime.InteropServices.Marshal]::SizeOf($MEMORY_BASIC_INFORMATION)) | Out-Null
+ $NativeUtils::VirtualQueryEx($Handle, $MemoryAddress, [Ref] $MemoryBasicInformation, [Runtime.InteropServices.Marshal]::SizeOf([Type]$MEMORY_BASIC_INFORMATION)) | Out-Null
$Protection = $ProtectField.GetValue($MemoryBasicInformation)
$AllocationBaseOriginal = $AllocationBaseField.GetValue($MemoryBasicInformation)
@@ -695,7 +695,7 @@ http://msdn.microsoft.com/en-us/library/windows/desktop/aa813706(v=vs.85).aspx
 else
{
$MemoryBasicInformation = [Activator]::CreateInstance($MEMORY_BASIC_INFORMATION)
- $NativeUtils::VirtualQueryEx($Handle, $MemoryAddress, [Ref] $MemoryBasicInformation, [Runtime.InteropServices.Marshal]::SizeOf($MEMORY_BASIC_INFORMATION)) | Out-Null
+ $NativeUtils::VirtualQueryEx($Handle, $MemoryAddress, [Ref] $MemoryBasicInformation, [Runtime.InteropServices.Marshal]::SizeOf([Type]$MEMORY_BASIC_INFORMATION)) | Out-Null
$Protection = $ProtectField.GetValue($MemoryBasicInformation)
$AllocationBaseOriginal = $AllocationBaseField.GetValue($MemoryBasicInformation)
@@ -710,7 +710,7 @@ http://msdn.microsoft.com/en-us/library/windows/desktop/aa813706(v=vs.85).aspx
 return
}
- $StructSize = [Runtime.InteropServices.Marshal]::SizeOf($StructType)
+ $StructSize = [Runtime.InteropServices.Marshal]::SizeOf([Type]$StructType)
$EndOfAllocation = $AllocationBase + $RegionSize
$EndOfStruct = $MemoryAddress.ToInt64() + $StructSize
@@ -744,7 +744,7 @@ http://msdn.microsoft.com/en-us/library/windows/desktop/aa813706(v=vs.85).aspx
 return
}
- $ParsedStruct = [Runtime.InteropServices.Marshal]::PtrToStructure($LocalStructPtr, $StructType)
+ $ParsedStruct = [Runtime.InteropServices.Marshal]::PtrToStructure($LocalStructPtr, [Type] $StructType)
[Runtime.InteropServices.Marshal]::FreeHGlobal($LocalStructPtr)
$SafeHandle.Close()
@@ -935,8 +935,8 @@ http://msdn.microsoft.com/en-us/library/windows/desktop/aa813706(v=vs.85).aspx
 switch ($j)
{
1 { $OrderedModules = Get-StructFromMemory -ProcId $ProcessId -MemoryAddress ($CustomPEB['Ldr'].InLoadOrderModuleList.Flink) -StructType ($LdrModuleStruct) -LoadOrder 'InLoadOrderModuleList' }
- 2 { $OrderedModules = Get-StructFromMemory -ProcId $ProcessId -MemoryAddress ([IntPtr] ($CustomPEB['Ldr'].InMemoryOrderModuleList.Flink.ToInt64() - [Runtime.InteropServices.Marshal]::SizeOf($ListEntryStruct))) -StructType ($LdrModuleStruct) -LoadOrder 'InMemoryOrderModuleList' }
- 3 { $OrderedModules = Get-StructFromMemory -ProcId $ProcessId -MemoryAddress ([IntPtr] ($CustomPEB['Ldr'].InInitializationOrderModuleList.Flink.ToInt64() - (2 * [Runtime.InteropServices.Marshal]::SizeOf($ListEntryStruct)))) -StructType ($LdrModuleStruct) -LoadOrder 'InInitializationOrderModuleList' }
+ 2 { $OrderedModules = Get-StructFromMemory -ProcId $ProcessId -MemoryAddress ([IntPtr] ($CustomPEB['Ldr'].InMemoryOrderModuleList.Flink.ToInt64() - [Runtime.InteropServices.Marshal]::SizeOf([Type]$ListEntryStruct))) -StructType ($LdrModuleStruct) -LoadOrder 'InMemoryOrderModuleList' }
+ 3 { $OrderedModules = Get-StructFromMemory -ProcId $ProcessId -MemoryAddress ([IntPtr] ($CustomPEB['Ldr'].InInitializationOrderModuleList.Flink.ToInt64() - (2 * [Runtime.InteropServices.Marshal]::SizeOf([Type]$ListEntryStruct)))) -StructType ($LdrModuleStruct) -LoadOrder 'InInitializationOrderModuleList' }
}
$ParsedOrderedModules = New-Object Hashtable[]($OrderedModules.Length)
@@ -1089,4 +1089,4 @@ http://msdn.microsoft.com/en-us/library/windows/desktop/aa813706(v=vs.85).aspx
 END{}
-}
\ No newline at end of file
+}
diff --git a/ReverseEngineering/Get-Strings.ps1 b/ReverseEngineering/Get-Strings.ps1
index 7acb9f1..2cb971c 100644
--- a/ReverseEngineering/Get-Strings.ps1
+++ b/ReverseEngineering/Get-Strings.ps1
@@ -1,4 +1,4 @@
-function Get-Strings
+function Get-Strings
{
<#
.SYNOPSIS
@@ -95,4 +95,4 @@ http://www.exploit-monday.com
 }
}
END {}
-}
\ No newline at end of file
+}
diff --git a/ReverseEngineering/Get-StructFromMemory.ps1 b/ReverseEngineering/Get-StructFromMemory.ps1
index ccf6d5b..68f7651 100644
--- a/ReverseEngineering/Get-StructFromMemory.ps1
+++ b/ReverseEngineering/Get-StructFromMemory.ps1
@@ -1,4 +1,4 @@
-function Get-StructFromMemory
+function Get-StructFromMemory
{
<#
.SYNOPSIS
@@ -131,7 +131,7 @@ http://www.exploit-monday.com
 $MemoryBasicInformation = [Activator]::CreateInstance($MEMORY_BASIC_INFORMATION)
# Confirm you can actually read the address you're interested in
- $NativeUtils::VirtualQueryEx($Handle, $MemoryAddress, [Ref] $MemoryBasicInformation, [Runtime.InteropServices.Marshal]::SizeOf($MEMORY_BASIC_INFORMATION)) | Out-Null
+ $NativeUtils::VirtualQueryEx($Handle, $MemoryAddress, [Ref] $MemoryBasicInformation, [Runtime.InteropServices.Marshal]::SizeOf([Type] $MEMORY_BASIC_INFORMATION)) | Out-Null
$PAGE_EXECUTE_READ = 0x20
$PAGE_EXECUTE_READWRITE = 0x40
@@ -154,7 +154,7 @@ http://www.exploit-monday.com
 throw 'The address specified does not have read access.'
}
- $StructSize = [Runtime.InteropServices.Marshal]::SizeOf($StructType)
+ $StructSize = [Runtime.InteropServices.Marshal]::SizeOf([Type] $StructType)
$EndOfAllocation = $AllocationBase + $RegionSize
$EndOfStruct = $MemoryAddress.ToInt64() + $StructSize
@@ -194,10 +194,10 @@ http://www.exploit-monday.com
 Write-Verbose "Struct Size: $StructSize"
Write-Verbose "Bytes read: $BytesRead"
- $ParsedStruct = [Runtime.InteropServices.Marshal]::PtrToStructure($LocalStructPtr, $StructType)
+ $ParsedStruct = [Runtime.InteropServices.Marshal]::PtrToStructure($LocalStructPtr, [Type] $StructType)
[Runtime.InteropServices.Marshal]::FreeHGlobal($LocalStructPtr)
$SafeHandle.Close()
Write-Output $ParsedStruct
-}
\ No newline at end of file
+}
diff --git a/ReverseEngineering/New-Object.ps1 b/ReverseEngineering/New-Object.ps1
Binary files differ
index 77b24f6..52c38c8 100644
--- a/ReverseEngineering/New-Object.ps1
+++ b/ReverseEngineering/New-Object.ps1
diff --git a/ReverseEngineering/ProcessModuleTrace.format.ps1xml b/ReverseEngineering/ProcessModuleTrace.format.ps1xml
new file mode 100644
index 0000000..ffb6761
--- /dev/null
+++ b/ReverseEngineering/ProcessModuleTrace.format.ps1xml
@@ -0,0 +1,36 @@
+<?xml version="1.0" encoding="utf-8" ?>
+<Configuration>
+ <ViewDefinitions>
+ <View>
+ <Name>ProcessModuleTraceView</Name>
+ <ViewSelectedBy>
+ <TypeName>LOADED_MODULE</TypeName>
+ </ViewSelectedBy>
+ <ListControl>
+ <ListEntries>
+ <ListEntry>
+ <ListItems>
+ <ListItem>
+ <PropertyName>TimeCreated</PropertyName>
+ </ListItem>
+ <ListItem>
+ <PropertyName>ProcessId</PropertyName>
+ </ListItem>
+ <ListItem>
+ <PropertyName>FileName</PropertyName>
+ </ListItem>
+ <ListItem>
+ <Label>ImageBase</Label>
+ <ScriptBlock>"0x$($_.ImageBase.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
+ </ListItem>
+ <ListItem>
+ <PropertyName>ImageSize</PropertyName>
+ <FormatString>0x{0:X8}</FormatString>
+ </ListItem>
+ </ListItems>
+ </ListEntry>
+ </ListEntries>
+ </ListControl>
+ </View>
+ </ViewDefinitions>
+</Configuration>
diff --git a/ReverseEngineering/ProcessModuleTrace.ps1 b/ReverseEngineering/ProcessModuleTrace.ps1
new file mode 100644
index 0000000..85f7105
--- /dev/null
+++ b/ReverseEngineering/ProcessModuleTrace.ps1
@@ -0,0 +1,103 @@
+function Register-ProcessModuleTrace
+{
+<#
+.SYNOPSIS
+
+ Starts a trace of loaded process modules
+
+ PowerSploit Function: Register-ProcessModuleTrace
+ Author: Matthew Graeber (@mattifestation)
+ License: BSD 3-Clause
+ Required Dependencies: None
+ Optional Dependencies: None
+
+.OUTPUTS
+
+ System.Management.Automation.PSEventJob
+
+ If desired, you can manipulate the event returned with the *-Event cmdlets.
+
+.LINK
+
+ http://www.exploit-monday.com/
+#>
+
+ [CmdletBinding()] Param ()
+
+ if (-not ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] 'Administrator'))
+ {
+ throw 'You must run this cmdlet from an elevated PowerShell session.'
+ }
+
+ $ModuleLoadedAction = {
+ $Event = $EventArgs.NewEvent
+
+ $ModuleInfo = @{
+ TimeCreated = [DateTime]::FromFileTime($Event.TIME_CREATED)
+ ProcessId = $Event.ProcessId
+ FileName = $Event.FileName
+ ImageBase = $Event.ImageBase
+ ImageSize = $Event.ImageSize
+ }
+
+ $ModuleObject = New-Object PSObject -Property $ModuleInfo
+ $ModuleObject.PSObject.TypeNames[0] = 'LOADED_MODULE'
+
+ $ModuleObject
+ }
+
+ Register-WmiEvent 'Win32_ModuleLoadTrace' -SourceIdentifier 'ModuleLoaded' -Action $ModuleLoadedAction
+}
+
+function Get-ProcessModuleTrace
+{
+<#
+.SYNOPSIS
+
+ Displays the process modules that have been loaded since the call to Register-ProcessModuleTrace
+
+ PowerSploit Function: Get-ProcessModuleTrace
+ Author: Matthew Graeber (@mattifestation)
+ License: BSD 3-Clause
+ Required Dependencies: Register-ProcessModuleTrace
+ Optional Dependencies: None
+
+.OUTPUTS
+
+ PSObject
+
+.LINK
+
+ http://www.exploit-monday.com/
+#>
+
+ $Events = Get-EventSubscriber -SourceIdentifier 'ModuleLoaded' -ErrorVariable NoEventRegistered -ErrorAction SilentlyContinue
+
+ if ($NoEventRegistered)
+ {
+ throw 'You must execute Register-ProcessModuleTrace before you can retrieve a loaded module list'
+ }
+
+ $Events.Action.Output
+}
+
+function Unregister-ProcessModuleTrace
+{
+<#
+.SYNOPSIS
+
+ Stops the running process module trace
+
+ PowerSploit Function: Unregister-ProcessModuleTrace
+ Author: Matthew Graeber (@mattifestation)
+ License: BSD 3-Clause
+ Required Dependencies: Register-ProcessModuleTrace
+ Optional Dependencies: None
+
+.LINK
+
+ http://www.exploit-monday.com/
+#>
+
+ Unregister-Event -SourceIdentifier 'ModuleLoaded'
+}
diff --git a/ReverseEngineering/ReverseEngineering.psd1 b/ReverseEngineering/ReverseEngineering.psd1
index 1e179ea..de364e1 100644
--- a/ReverseEngineering/ReverseEngineering.psd1
+++ b/ReverseEngineering/ReverseEngineering.psd1
@@ -1,4 +1,4 @@
-@{
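Review bot: `$ModuleObject.PSObject.TypeNames[0] = 'LOADED_MODULE'` in the `Register-ProcessModuleTrace` action overwrites the object's base type name rather than prepending to it, unlike the `TypeNames.Insert(0, ...)` form this same commit uses for `IL_INSTRUCTION` and `_SYSTEM_CODEINTEGRITY_INFORMATION`; an object whose type-name list no longer contains `System.Management.Automation.PSCustomObject` may format and type-check differently, so `$ModuleObject.PSObject.TypeNames.Insert(0, 'LOADED_MODULE')` is the consistent form. `Get-ProcessModuleTrace` returns `$Events.Action.Output`, the live output buffer of the event job, which keeps growing for as long as the subscription exists and is only released by `Unregister-ProcessModuleTrace`; the help for both functions should say that the trace accumulates in memory until it is unregistered, since a long-running trace on a busy host is a surprising memory cost. `Get-ProcessModuleTrace` and `Unregister-ProcessModuleTrace` also lack the `[CmdletBinding()] Param ()` line the first function has; adding it keeps the three uniform and gives them the common parameters.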
+@{
# Script module or binary module file associated with this manifest.
ModuleToProcess = 'ReverseEngineering.psm1'
@@ -52,7 +52,7 @@ PowerShellVersion = '2.0'
 # TypesToProcess = @()
# Format files (.ps1xml) to be loaded when importing this module
-FormatsToProcess = 'Get-PEB.format.ps1xml', 'Get-NtSystemInformation.format.ps1xml'
+FormatsToProcess = 'Get-PEB.format.ps1xml', 'Get-NtSystemInformation.format.ps1xml', 'Get-ILDisassembly.format.ps1xml', 'ProcessModuleTrace.format.ps1xml'
# Modules to import as nested modules of the module specified in RootModule/ModuleToProcess
# NestedModules = @()
@@ -76,7 +76,7 @@ ModuleList = @(@{ModuleName = 'ReverseEngineering'; ModuleVersion = '1.0.0.0'; G
 FileList = 'ReverseEngineering.psm1', 'ReverseEngineering.psd1', 'Get-ILDisassembly.ps1', 'Get-NtSystemInformation.format.ps1xml',
'Get-NtSystemInformation.ps1', 'Get-Member.ps1', 'Get-MethodAddress.ps1', 'Get-PEB.format.ps1xml',
'Get-PEB.ps1', 'Get-Strings.ps1', 'Get-StructFromMemory.ps1', 'ConvertTo-String.ps1',
- 'New-Object.ps1', 'Usage.md'
+ 'New-Object.ps1', 'Get-ILDisassembly.format.ps1xml', 'ProcessModuleTrace.ps1', 'Usage.md'
# Private data to pass to the module specified in RootModule/ModuleToProcess
# PrivateData = ''
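Review bot: The new `FileList` adds `Get-ILDisassembly.format.ps1xml` and `ProcessModuleTrace.ps1` but omits `ProcessModuleTrace.format.ps1xml`, which the same commit adds to `FormatsToProcess` in the hunk above and ships as a new file; the two lists should agree, `'New-Object.ps1', 'Get-ILDisassembly.format.ps1xml', 'ProcessModuleTrace.ps1', 'ProcessModuleTrace.format.ps1xml', 'Usage.md'`. `FileList` is informational, so import does not fail, but anyone auditing what the module contains from the manifest will get an incomplete inventory.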
diff --git a/ReverseEngineering/ReverseEngineering.psm1 b/ReverseEngineering/ReverseEngineering.psm1
index 5bb81d3..81d3818 100644
--- a/ReverseEngineering/ReverseEngineering.psm1
+++ b/ReverseEngineering/ReverseEngineering.psm1
@@ -1 +1 @@
-Get-ChildItem (Join-Path $PSScriptRoot *.ps1) | % { . $_.FullName}
\ No newline at end of file
+Get-ChildItem (Join-Path $PSScriptRoot *.ps1) | % { . $_.FullName} |