From 05c58324583c4b47cd09c18a73026ebd09d44ebb Mon Sep 17 00:00:00 2001
From: Matt Graeber
Date: Thu, 11 Jul 2013 18:20:05 -0400
Subject: Latest version of .NET Framework broke Get-PEB
To fix this, I needed to explicitly cast types in the SizeOf and PtrToStructure methods.
---
ReverseEngineering/Get-PEB.ps1 | 24 ++++++++++++------------
1 file changed, 12 insertions(+), 12 deletions(-)
diff --git a/ReverseEngineering/Get-PEB.ps1 b/ReverseEngineering/Get-PEB.ps1
index 1a196ac..86e064d 100644
--- a/ReverseEngineering/Get-PEB.ps1
+++ b/ReverseEngineering/Get-PEB.ps1
@@ -482,7 +482,7 @@ http://msdn.microsoft.com/en-us/library/windows/desktop/aa813706(v=vs.85).aspx
$PEBStruct = $TypeBuilder.CreateType()
}
- $PEBSize = [Runtime.InteropServices.Marshal]::SizeOf($PEBStruct)
+ $PEBSize = [Runtime.InteropServices.Marshal]::SizeOf([Type]$PEBStruct)
#endregion
function Local:Get-StructFromMemory
@@ -562,7 +562,7 @@ http://msdn.microsoft.com/en-us/library/windows/desktop/aa813706(v=vs.85).aspx
do
{
$MemoryBasicInformation = [Activator]::CreateInstance($MEMORY_BASIC_INFORMATION)
- $NativeUtils::VirtualQueryEx($Handle, $Flink, [Ref] $MemoryBasicInformation, [Runtime.InteropServices.Marshal]::SizeOf($MEMORY_BASIC_INFORMATION)) | Out-Null
+ $NativeUtils::VirtualQueryEx($Handle, $Flink, [Ref] $MemoryBasicInformation, [Runtime.InteropServices.Marshal]::SizeOf([Type]$MEMORY_BASIC_INFORMATION)) | Out-Null
$Protection = $ProtectField.GetValue($MemoryBasicInformation)
$AllocationBaseOriginal = $AllocationBaseField.GetValue($MemoryBasicInformation)
@@ -577,7 +577,7 @@ http://msdn.microsoft.com/en-us/library/windows/desktop/aa813706(v=vs.85).aspx
return
}
- $StructSize = [Runtime.InteropServices.Marshal]::SizeOf($LdrModuleStruct)
+ $StructSize = [Runtime.InteropServices.Marshal]::SizeOf([Type]$LdrModuleStruct)
$EndOfAllocation = $AllocationBase + $RegionSize
$EndOfStruct = $MemoryAddress.ToInt64() + $StructSize
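Review bot: The `[Type]` cast on the new `$PEBSize` line is load-bearing but carries no explanation, and the identical cast is repeated at the other eleven SizeOf/PtrToStructure sites in this patch (hunks -562, -577, -611, -636, -695, -710, -744 and -935), so a later reader is likely to strip it as redundant and reintroduce the breakage. The commit message only says the newer Framework "broke" the script; presumably PowerShell now binds a different overload when handed a bare Type object and tries to marshal the Type itself rather than the emitted struct, but that should be stated next to the code. Suggest a one-line comment at this first site, e.g. `# [Type] cast is required: it forces Marshal::SizeOf(Type) / PtrToStructure(IntPtr, Type) binding; newer .NET versions otherwise resolve to an overload that marshals the Type object itself`, and optionally a single local helper such as `function Local:Get-StructSize($T) { [Runtime.InteropServices.Marshal]::SizeOf([Type]$T) }` so the workaround lives in one place instead of twelve.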
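Review bot: The new `$NativeUtils::VirtualQueryEx(...)` line still discards the call's result via `| Out-Null`, so a failed query (the API returns 0, for instance when `$Flink` has walked outside the target's address space or the handle lacks the required query right) leaves `$MemoryBasicInformation` as the freshly created, zero-filled instance, and the `$Protection` / `$AllocationBase` reads on the next two lines then operate on fabricated zero values rather than stopping the walk. For a tool that parses loader lists out of a foreign process, a truncated or deliberately corrupted list is a realistic input, so the failure should be explicit: `if (($NativeUtils::VirtualQueryEx($Handle, $Flink, [Ref] $MemoryBasicInformation, [Runtime.InteropServices.Marshal]::SizeOf([Type]$MEMORY_BASIC_INFORMATION))) -eq 0) { Write-Warning "VirtualQueryEx failed at 0x$($Flink.ToString('X'))"; return }`. The same discarded result appears on the new lines in hunks -636 and -695. The enclosing `do` loop and the function it belongs to both start outside the hunk.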
@@ -611,15 +611,15 @@ http://msdn.microsoft.com/en-us/library/windows/desktop/aa813706(v=vs.85).aspx
return
}
- $ParsedLdrModule = [Runtime.InteropServices.Marshal]::PtrToStructure($LocalStructPtr, $LdrModuleStruct)
+ $ParsedLdrModule = [Runtime.InteropServices.Marshal]::PtrToStructure($LocalStructPtr, [Type] $LdrModuleStruct)
[Runtime.InteropServices.Marshal]::FreeHGlobal($LocalStructPtr)
switch ($LoadOrder)
{
'InLoadOrderModuleList' { $Flink = $ParsedLdrModule.InLoadOrderModuleList.Flink }
- 'InMemoryOrderModuleList' { $Flink = [IntPtr] ($ParsedLdrModule.InMemoryOrderModuleList.Flink.ToInt64() - [Runtime.InteropServices.Marshal]::SizeOf($ListEntryStruct)) }
- 'InInitializationOrderModuleList' { $Flink = [IntPtr] ($ParsedLdrModule.InInitializationOrderModuleList.Flink.ToInt64() - (2 * [Runtime.InteropServices.Marshal]::SizeOf($ListEntryStruct))) }
+ 'InMemoryOrderModuleList' { $Flink = [IntPtr] ($ParsedLdrModule.InMemoryOrderModuleList.Flink.ToInt64() - [Runtime.InteropServices.Marshal]::SizeOf([Type]$ListEntryStruct)) }
+ 'InInitializationOrderModuleList' { $Flink = [IntPtr] ($ParsedLdrModule.InInitializationOrderModuleList.Flink.ToInt64() - (2 * [Runtime.InteropServices.Marshal]::SizeOf([Type]$ListEntryStruct))) }
}
$SafeHandle = $GetProcessHandle.Invoke($Process, @($PROCESS_VM_READ))
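Review bot: If the new `PtrToStructure($LocalStructPtr, [Type] $LdrModuleStruct)` call throws — a layout mismatch between the emitted struct and the copied bytes, or the overload-binding problem this commit works around resurfacing on yet another runtime — the `FreeHGlobal($LocalStructPtr)` on the following line is skipped and the unmanaged buffer leaks for the rest of the session; in hunk -744 the `$SafeHandle.Close()` that follows the free is skipped as well, leaking the process handle. Make the release unconditional: `try { $ParsedLdrModule = [Runtime.InteropServices.Marshal]::PtrToStructure($LocalStructPtr, [Type] $LdrModuleStruct) } finally { [Runtime.InteropServices.Marshal]::FreeHGlobal($LocalStructPtr) }`, and give `$SafeHandle.Close()` the same treatment in -744. The allocation that this free presumably pairs with, and the enclosing function, are outside the hunk.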
@@ -636,7 +636,7 @@ http://msdn.microsoft.com/en-us/library/windows/desktop/aa813706(v=vs.85).aspx
elseif ($StructType -eq [String] -and $UnicodeStringSize)
{
$MemoryBasicInformation = [Activator]::CreateInstance($MEMORY_BASIC_INFORMATION)
- $NativeUtils::VirtualQueryEx($Handle, $MemoryAddress, [Ref] $MemoryBasicInformation, [Runtime.InteropServices.Marshal]::SizeOf($MEMORY_BASIC_INFORMATION)) | Out-Null
+ $NativeUtils::VirtualQueryEx($Handle, $MemoryAddress, [Ref] $MemoryBasicInformation, [Runtime.InteropServices.Marshal]::SizeOf([Type]$MEMORY_BASIC_INFORMATION)) | Out-Null
$Protection = $ProtectField.GetValue($MemoryBasicInformation)
$AllocationBaseOriginal = $AllocationBaseField.GetValue($MemoryBasicInformation)
@@ -695,7 +695,7 @@ http://msdn.microsoft.com/en-us/library/windows/desktop/aa813706(v=vs.85).aspx
else
{
$MemoryBasicInformation = [Activator]::CreateInstance($MEMORY_BASIC_INFORMATION)
- $NativeUtils::VirtualQueryEx($Handle, $MemoryAddress, [Ref] $MemoryBasicInformation, [Runtime.InteropServices.Marshal]::SizeOf($MEMORY_BASIC_INFORMATION)) | Out-Null
+ $NativeUtils::VirtualQueryEx($Handle, $MemoryAddress, [Ref] $MemoryBasicInformation, [Runtime.InteropServices.Marshal]::SizeOf([Type]$MEMORY_BASIC_INFORMATION)) | Out-Null
$Protection = $ProtectField.GetValue($MemoryBasicInformation)
$AllocationBaseOriginal = $AllocationBaseField.GetValue($MemoryBasicInformation)
@@ -710,7 +710,7 @@ http://msdn.microsoft.com/en-us/library/windows/desktop/aa813706(v=vs.85).aspx
return
}
- $StructSize = [Runtime.InteropServices.Marshal]::SizeOf($StructType)
+ $StructSize = [Runtime.InteropServices.Marshal]::SizeOf([Type]$StructType)
$EndOfAllocation = $AllocationBase + $RegionSize
$EndOfStruct = $MemoryAddress.ToInt64() + $StructSize
@@ -744,7 +744,7 @@ http://msdn.microsoft.com/en-us/library/windows/desktop/aa813706(v=vs.85).aspx
return
}
- $ParsedStruct = [Runtime.InteropServices.Marshal]::PtrToStructure($LocalStructPtr, $StructType)
+ $ParsedStruct = [Runtime.InteropServices.Marshal]::PtrToStructure($LocalStructPtr, [Type] $StructType)
[Runtime.InteropServices.Marshal]::FreeHGlobal($LocalStructPtr)
$SafeHandle.Close()
@@ -935,8 +935,8 @@ http://msdn.microsoft.com/en-us/library/windows/desktop/aa813706(v=vs.85).aspx
switch ($j)
{
1 { $OrderedModules = Get-StructFromMemory -ProcId $ProcessId -MemoryAddress ($CustomPEB['Ldr'].InLoadOrderModuleList.Flink) -StructType ($LdrModuleStruct) -LoadOrder 'InLoadOrderModuleList' }
- 2 { $OrderedModules = Get-StructFromMemory -ProcId $ProcessId -MemoryAddress ([IntPtr] ($CustomPEB['Ldr'].InMemoryOrderModuleList.Flink.ToInt64() - [Runtime.InteropServices.Marshal]::SizeOf($ListEntryStruct))) -StructType ($LdrModuleStruct) -LoadOrder 'InMemoryOrderModuleList' }
- 3 { $OrderedModules = Get-StructFromMemory -ProcId $ProcessId -MemoryAddress ([IntPtr] ($CustomPEB['Ldr'].InInitializationOrderModuleList.Flink.ToInt64() - (2 * [Runtime.InteropServices.Marshal]::SizeOf($ListEntryStruct)))) -StructType ($LdrModuleStruct) -LoadOrder 'InInitializationOrderModuleList' }
+ 2 { $OrderedModules = Get-StructFromMemory -ProcId $ProcessId -MemoryAddress ([IntPtr] ($CustomPEB['Ldr'].InMemoryOrderModuleList.Flink.ToInt64() - [Runtime.InteropServices.Marshal]::SizeOf([Type]$ListEntryStruct))) -StructType ($LdrModuleStruct) -LoadOrder 'InMemoryOrderModuleList' }
+ 3 { $OrderedModules = Get-StructFromMemory -ProcId $ProcessId -MemoryAddress ([IntPtr] ($CustomPEB['Ldr'].InInitializationOrderModuleList.Flink.ToInt64() - (2 * [Runtime.InteropServices.Marshal]::SizeOf([Type]$ListEntryStruct)))) -StructType ($LdrModuleStruct) -LoadOrder 'InInitializationOrderModuleList' }
}
$ParsedOrderedModules = New-Object Hashtable[]($OrderedModules.Length)
-- 
cgit v1.2.3
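Review bot: The pointer arithmetic in the new `2` and `3` cases — subtracting one and two `$ListEntryStruct` sizes from `Flink` — duplicates the expressions in the `switch ($LoadOrder)` of hunk -611, and `SizeOf([Type]$ListEntryStruct)` is re-evaluated each time this `switch ($j)` runs (the surrounding loop, if that is what drives `$j`, starts outside the hunk). Hoist it once, e.g. `$ListEntrySize = [Runtime.InteropServices.Marshal]::SizeOf([Type]$ListEntryStruct)`, and document why the subtraction exists, e.g. `# Flink points at the InMemoryOrder / InInitializationOrder LIST_ENTRY embedded inside LDR_DATA_TABLE_ENTRY, not at the entry itself; back up by the preceding LIST_ENTRY field(s) to recover the entry base (CONTAINING_RECORD)` — that appears to be the intent but should be confirmed against the struct definition earlier in the file.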