From 59ff1a8b1eb3a8fba4dd9dee036a6c957f8f41ef Mon Sep 17 00:00:00 2001 From: bitform Date: Sat, 19 Jan 2013 20:46:49 -0500 Subject: PETools module doc. consistency improvements * Slight consistency modifications were made to documentation. * Added module manifest for PETools --- PETools/Get-DllLoadPath.ps1 | 67 ++++++++++++++++---------------- PETools/Get-PEArchitecture.ps1 | 54 +++++++++++++++----------- PETools/Get-PEHeader.ps1 | 48 +++++++++++++---------- PETools/PETools.psd1 | 88 ++++++++++++++++++++++++++++++++++++++++++ PETools/PETools.psm1 | 5 +-- 5 files changed, 182 insertions(+), 80 deletions(-) create mode 100644 PETools/PETools.psd1 diff --git a/PETools/Get-DllLoadPath.ps1 b/PETools/Get-DllLoadPath.ps1 index 687f9e9..360c913 100644 --- a/PETools/Get-DllLoadPath.ps1 +++ b/PETools/Get-DllLoadPath.ps1 
@@ -1,52 +1,53 @@ function Get-DllLoadPath { <# -.Synopsis +.SYNOPSIS - PowerSploit Module - Get-DllLoadPath - Author: Matthew Graeber (@mattifestation) - License: BSD 3-Clause +PowerSploit Module - Get-DllLoadPath +Author: Matthew Graeber (@mattifestation) +License: BSD 3-Clause +Required Dependencies: None +Optional Dependencies: None -.Description +.DESCRIPTION - Get-DllLoadPath returns the path from which Windows will load a Dll for the given executable. - -.Parameter ExecutablePath +Get-DllLoadPath returns the path from which Windows will load a Dll for the given executable. + +.PARAMETER ExecutablePath Path to the executable from which the Dll would be loaded. -.Parameter DllName +.PARAMETER DllName - Name of the Dll in the form 'dllname.dll'. - -.Example +Name of the Dll in the form 'dllname.dll'. - PS> Get-DllLoadPath C:\Windows\System32\cmd.exe kernel32.dll - - Path - ---- - C:\Windows\system32\kernel32.dll - -.Example +.EXAMPLE - PS> Get-DllLoadPath C:\Windows\SysWOW64\calc.exe Comctl32.dll - - Path - ---- - C:\Windows\SysWOW64\Comctl32.dll +C:\PS> Get-DllLoadPath C:\Windows\System32\cmd.exe kernel32.dll -.Outputs +Path +---- +C:\Windows\system32\kernel32.dll - None or System.Management.Automation.PathInfo - -.Notes +.EXAMPLE + +C:\PS> Get-DllLoadPath C:\Windows\SysWOW64\calc.exe Comctl32.dll + +Path +---- +C:\Windows\SysWOW64\Comctl32.dll + +.OUTPUTS + +$null, System.Management.Automation.PathInfo + +.NOTES - This script will not detect if the executable provided intentionally alters the Dll search path via - LoadLibraryEx, SetDllDirectory, or AddDllDirectory. +This script will not detect if the executable provided intentionally alters the Dll search path via LoadLibraryEx, SetDllDirectory, or AddDllDirectory. 
-.Link +.LINK - My blog: http://www.exploit-monday.com - Dll Search Order Reference: http://msdn.microsoft.com/en-us/library/windows/desktop/ms682586%28v=vs.85%29.aspx +http://www.exploit-monday.com +http://msdn.microsoft.com/en-us/library/windows/desktop/ms682586%28v=vs.85%29.aspx #> Param ( diff --git a/PETools/Get-PEArchitecture.ps1 b/PETools/Get-PEArchitecture.ps1 index e53c5ff..6272153 100644 --- a/PETools/Get-PEArchitecture.ps1 +++ b/PETools/Get-PEArchitecture.ps1 @@ -1,35 +1,43 @@ function Get-PEArchitecture { <# -.Synopsis +.SYNOPSIS - PowerSploit Module - Get-PEArchitecture - Author: Matthew Graeber (@mattifestation) - License: BSD 3-Clause - -.Description +PowerSploit Module - Get-PEArchitecture +Author: Matthew Graeber (@mattifestation) +License: BSD 3-Clause +Required Dependencies: None +Optional Dependencies: None - Get-PEArchitecture returns the architecture for which - a Windows portable executable was compiled. - -.Parameter Path +.DESCRIPTION - Path to the executable. - -.Example +Get-PEArchitecture returns the architecture for which a Windows portable executable was compiled. + +.PARAMETER Path + +Path to the executable. - PS> Get-PEArchitecture C:\Windows\SysWOW64\calc.exe - X86 +.EXAMPLE + +C:\PS> Get-PEArchitecture C:\Windows\SysWOW64\calc.exe + +X86 -.Example +.EXAMPLE - PS> Get-PEArchitecture C:\Windows\System32\cmd.exe - X64 +C:\PS> Get-PEArchitecture C:\Windows\System32\cmd.exe + +X64 -.Link +.LINK - My blog: http://www.exploit-monday.com +http://www.exploit-monday.com #> - Param ( [Parameter(Position = 0, Mandatory = $True)] [String] $Path ) + + Param ( + [Parameter(Position = 0, Mandatory = $True)] + [String] + $Path + ) if (!(Test-Path $Path)) { Write-Warning 'Invalid path or file does not exist.' 
@@ -67,7 +75,7 @@ function Get-PEArchitecture {
 $Architecture = '{0}' -f (( $IMAGE_FILE_MACHINE[-1..-2] | % { $_.ToString('X2') } ) -join '')
 $FileStream.Close()
 
- if (($Architecture -ne '014C') -and ($Architecture -ne '8664')) {
+ if (($Architecture -ne '014C') -and ($Architecture -ne '8664') -and ($Architecture -ne '01C4')) {
 Write-Warning 'Invalid PE header or unsupported architecture.'
 return
 }
@@ -76,6 +84,8 @@ function Get-PEArchitecture {
 return 'X86'
 } elseif ($Architecture -eq '8664') {
 return 'X64'
+ } elseif ($Architecture -eq '01C4') {
+ return 'ARM'
 } else {
 return 'OTHER'
 }
diff --git a/PETools/Get-PEHeader.ps1 b/PETools/Get-PEHeader.ps1
index 8422390..354b675 100644
--- a/PETools/Get-PEHeader.ps1
+++ b/PETools/Get-PEHeader.ps1
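Review bot: The final `} else { return 'OTHER' }` branch is unreachable after this change, because the guard in the first hunk returns after Write-Warning for every value other than '014C', '8664' and '01C4'; the same three constants now have to be kept in sync in two places, which is exactly the drift this commit had to patch. A single lookup table removes the duplication and gives the magic numbers a name: '01C4' is IMAGE_FILE_MACHINE_ARMNT (Thumb-2), while plain IMAGE_FILE_MACHINE_ARM ('01C0') is still reported as unsupported, which is worth stating in a comment. The body of Get-PEArchitecture, including the read of $IMAGE_FILE_MACHINE and the opening of $FileStream, lies outside the hunk.
```powershell
    $FileStream.Close()

    # Machine field of IMAGE_FILE_HEADER, two bytes reversed and rendered as hex.
    # 01C4 is IMAGE_FILE_MACHINE_ARMNT (Thumb-2); plain ARM (01C0) is still unsupported.
    $MachineNames = @{ '014C' = 'X86'; '8664' = 'X64'; '01C4' = 'ARM' }

    if (-not $MachineNames.ContainsKey($Architecture)) {
        Write-Warning 'Invalid PE header or unsupported architecture.'
        return
    }

    return $MachineNames[$Architecture]
```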
@@ -1,34 +1,42 @@ function Get-PEHeader { <# .SYNOPSIS + PowerSploit Module - Get-PEHeader Author: Matthew Graeber (@mattifestation) License: BSD 3-Clause +Required Dependencies: None +Optional Dependencies: PETools.format.ps1xml .DESCRIPTION -Get-PEHeader retrieves PE headers including imports and exports from either a -file on disk or a module in memory. Get-PEHeader will operate on single PE header -but you can also feed it the output of Get-ChildItem or Get-Process! Get-PEHeader -works on both 32 and 64-bit modules. + +Get-PEHeader retrieves PE headers including imports and exports from either a file on disk or a module in memory. Get-PEHeader will operate on single PE header but you can also feed it the output of Get-ChildItem or Get-Process! Get-PEHeader works on both 32 and 64-bit modules. .OUTPUTS -System.Object. Returns a custom object consisting of the following: compile time, -section headers, module name, DOS header, imports, exports, file header, -optional header, and PE signature + +System.Object + +Returns a custom object consisting of the following: compile time, section headers, module name, DOS header, imports, exports, file header, optional header, and PE signature. .EXAMPLE -PS > Get-Process cmd | Get-PEHeader + +C:\PS> Get-Process cmd | Get-PEHeader + Description ----------- Returns the full PE headers of every loaded module in memory -PS > Get-ChildItem C:\Windows\*.exe | Get-PEHeader +.EXAMPLE + +C:\PS> Get-ChildItem C:\Windows\*.exe | Get-PEHeader + Description ----------- Returns the full PE headers of every exe in C:\Windows\ .EXAMPLE -PS > Get-PEHeader C:\Windows\System32\kernel32.dll + +C:\PS> Get-PEHeader C:\Windows\System32\kernel32.dll Module : C:\Windows\System32\kernel32.dll DOSHeader : PE+_IMAGE_DOS_HEADER 
@@ -44,11 +52,12 @@ Exports : {@{ForwardedName=; FunctionName=lstrlenW; Ordinal=0x0552; VA=0x dedName=; FunctionName=lstrlenA; Ordinal=0x0551; VA=0x0F026A23}, @{ForwardedName=; FunctionName=lstrlen; Ordinal=0x0550; VA=0x0F026A23}, @{ForwardedName=; FunctionN ame=lstrcpynW; Ordinal=0x054F; VA=0x0F04E54E}...} - + .EXAMPLE -PS > $Proc = Get-Process cmd -PS > $Kernel32Base = ($Proc.Modules | Where-Object {$_.ModuleName -eq 'kernel32.dll'}).BaseAddress -PS > Get-PEHeader -ProcessId $Proc.Id -ModuleBaseAddress $Kernel32Base + +C:\PS> $Proc = Get-Process cmd +C:\PS> $Kernel32Base = ($Proc.Modules | Where-Object {$_.ModuleName -eq 'kernel32.dll'}).BaseAddress +C:\PS> Get-PEHeader -ProcessId $Proc.Id -ModuleBaseAddress $Kernel32Base Module : DOSHeader : PE+_IMAGE_DOS_HEADER 
@@ -67,18 +76,15 @@ Exports : {@{ForwardedName=; FunctionName=lstrlenW; Ordinal=0x0552; VA=0x Description ----------- -A PE header is returned upon providing the module's base address. This technique would be useful -for dumping the PE header of a rogue module that is invisible to Windows - e.g. a reflectively -loaded meterpreter binary (metsrv.dll). +A PE header is returned upon providing the module's base address. This technique would be useful for dumping the PE header of a rogue module that is invisible to Windows - e.g. a reflectively loaded meterpreter binary (metsrv.dll). .NOTES -Be careful if you decide to specify a module base address. Get-PEHeader does not check for the -existence of an MZ header. An MZ header is not a prerequisite for reflectively loading a module -in memory. If you provide an address that is not an actual PE header, you could crash the process. + +Be careful if you decide to specify a module base address. Get-PEHeader does not check for the existence of an MZ header. An MZ header is not a prerequisite for reflectively loading a module in memory. If you provide an address that is not an actual PE header, you could crash the process. .LINK -http://www.exploit-monday.com/2012/07/get-peheader.html +http://www.exploit-monday.com/2012/07/get-peheader.html #> [CmdletBinding(DefaultParameterSetName = 'OnDisk')] Param ( diff --git a/PETools/PETools.psd1 b/PETools/PETools.psd1 new file mode 100644 index 0000000..7f4d7c6 --- /dev/null +++ b/PETools/PETools.psd1 
@@ -0,0 +1,88 @@
+@{
+
+# Script module or binary module file associated with this manifest.
+ModuleToProcess = 'PETools.psm1'
+
+# Version number of this module.
+ModuleVersion = '1.0.0.0'
+
+# ID used to uniquely identify this module
+GUID = 'd15059e2-8bd9-47ff-8bcd-b708ff90e402'
+
+# Author of this module
+Author = 'Matthew Graeber'
+
+# Company or vendor of this module
+CompanyName = ''
+
+# Copyright statement for this module
+Copyright = 'BSD 3-Clause'
+
+# Description of the functionality provided by this module
+Description = 'PowerSploit Portable Executable Analysis Module'
+
+# Minimum version of the Windows PowerShell engine required by this module
+PowerShellVersion = '2.0'
+
+# Name of the Windows PowerShell host required by this module
+# PowerShellHostName = ''
+
+# Minimum version of the Windows PowerShell host required by this module
+# PowerShellHostVersion = ''
+
+# Minimum version of the .NET Framework required by this module
+# DotNetFrameworkVersion = ''
+
+# Minimum version of the common language runtime (CLR) required by this module
+# CLRVersion = ''
+
+# Processor architecture (None, X86, Amd64) required by this module
+# ProcessorArchitecture = ''
+
+# Modules that must be imported into the global environment prior to importing this module
+# RequiredModules = @()
+
+# Assemblies that must be loaded prior to importing this module
+# RequiredAssemblies = @()
+
+# Script files (.ps1) that are run in the caller's environment prior to importing this module.
+# ScriptsToProcess = ''
+
+# Type files (.ps1xml) to be loaded when importing this module
+# TypesToProcess = @()
+
+# Format files (.ps1xml) to be loaded when importing this module
+FormatsToProcess = 'PETools.format.ps1xml'
+
+# Modules to import as nested modules of the module specified in RootModule/ModuleToProcess
+# NestedModules = @()
+
+# Functions to export from this module
+FunctionsToExport = '*'
+
+# Cmdlets to export from this module
+CmdletsToExport = '*'
+
+# Variables to export from this module
+VariablesToExport = ''
+
+# Aliases to export from this module
+AliasesToExport = ''
+
+# List of all modules packaged with this module.
+ModuleList = @(@{ModuleName = 'PETools'; ModuleVersion = '1.0.0.0'; GUID = 'd15059e2-8bd9-47ff-8bcd-b708ff90e402'})
+
+# List of all files packaged with this module
+FileList = 'PETools.psm1', 'PETools.psd1', 'PETools.format.ps1xml', 'Get-DllLoadPath.ps1',
+ 'Get-PEArchitecture.ps1', 'Get-PEHeader.ps1', 'Usage.txt'
+
+# Private data to pass to the module specified in RootModule/ModuleToProcess
+# PrivateData = ''
+
+# HelpInfo URI of this module
+# HelpInfoURI = ''
+
+# Default prefix for commands exported from this module. Override the default prefix using Import-Module -Prefix.
+# DefaultCommandPrefix = ''
+
+}
\ No newline at end of file
diff --git a/PETools/PETools.psm1 b/PETools/PETools.psm1
index 7f16c2f..e5234fb 100644
--- a/PETools/PETools.psm1
+++ b/PETools/PETools.psm1
@@ -1,4 +1 @@
-# Pull in all of the PE Tools
-. (Join-Path $PSScriptRoot Get-PEHeader.ps1)
-. (Join-Path $PSScriptRoot Get-DllLoadPath.ps1)
-. (Join-Path $PSScriptRoot Get-PEArchitecture.ps1)
\ No newline at end of file
+Get-ChildItem (Join-Path $PSScriptRoot *.ps1) | % { . $_.FullName}
\ No newline at end of file
-- 
cgit v1.2.3
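Review bot: `FunctionsToExport = '*'` makes the module's public surface whatever functions the root module happens to define at import time rather than the three documented commands; an explicit list, `FunctionsToExport = 'Get-DllLoadPath', 'Get-PEArchitecture', 'Get-PEHeader'`, keeps any helper private and lets tooling enumerate exports without loading the module, and `CmdletsToExport = @()` is the accurate value for a script module that ships no binary cmdlets. Two entries name files this commit does not add, `FormatsToProcess = 'PETools.format.ps1xml'` and `'Usage.txt'` in FileList; if PETools.format.ps1xml is not already in the repository, Import-Module will fail on the missing format file, and since the manifest makes it mandatory, the "Optional Dependencies: PETools.format.ps1xml" line added to Get-PEHeader's help is presumably inaccurate. `Copyright = 'BSD 3-Clause'` names a license where the field expects a copyright statement; the license is already stated in each function's help header.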
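Review bot: `Get-ChildItem (Join-Path $PSScriptRoot *.ps1) | % { . $_.FullName}` dot-sources every .ps1 present in the module directory at import time, where the removed lines named exactly three files; any script later placed in that directory (a test, a scratch file, or something written there by another process) now runs in module scope on Import-Module, and with the manifest's `FunctionsToExport = '*'` its functions also become public. If the glob is kept for convenience, narrow it to the naming convention the module actually uses, `Get-ChildItem -Path $PSScriptRoot -Filter 'Get-*.ps1' | ForEach-Object { . $_.FullName }`, and restore the removed `# Pull in all of the PE Tools` comment so the intent is stated in the file. Spelling out ForEach-Object instead of `%` is also the usual convention for module code as opposed to an interactive one-liner.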