From 91bd44f0f08259c541088c278467ed9b597985e3 Mon Sep 17 00:00:00 2001
From: Matt Graeber
Date: Fri, 24 May 2013 21:16:43 -0400
Subject: Get-PEB now parses _RTL_USER_PROCESS_PARAMETERS
---
 ReverseEngineering/Get-PEB.format.ps1xml | 114 +++++++++++++++++++++++++++++++
 ReverseEngineering/Get-PEB.ps1 | 88 +++++++++++++++++++++++-
 2 files changed, 201 insertions(+), 1 deletion(-)
diff --git a/ReverseEngineering/Get-PEB.format.ps1xml b/ReverseEngineering/Get-PEB.format.ps1xml
index 9c25dc1..88eee6a 100644
--- a/ReverseEngineering/Get-PEB.format.ps1xml
+++ b/ReverseEngineering/Get-PEB.format.ps1xml
@@ -1095,5 +1095,119 @@
+ + ProcessParameters + + PEB.ProcessParameters + + + + + + + MaximumLength + 0x{0:X8} + + + Length + 0x{0:X8} + + + Flags + 0x{0:X8} + + + DebugFlags + 0x{0:X8} + + + + "0x$($_.ConsoleHandle.ToString("X$([IntPtr]::Size * 2)"))" + + + ConsoleFlags + 0x{0:X8} + + + + "0x$($_.StandardInput.ToString("X$([IntPtr]::Size * 2)"))" + + + + "0x$($_.StandardOutput.ToString("X$([IntPtr]::Size * 2)"))" + + + + "0x$($_.StandardError.ToString("X$([IntPtr]::Size * 2)"))" + + + CurrentDirectory + + + DllPath + + + ImagePathName + + + CommandLine + + + + "0x$($_.Environment.ToString("X$([IntPtr]::Size * 2)"))" + + + StartingX + 0x{0:X8} + + + StartingY + 0x{0:X8} + + + CountX + 0x{0:X8} + + + CountY + 0x{0:X8} + + + CountCharsX + 0x{0:X8} + + + CountCharsY + 0x{0:X8} + + + FillAttribute + 0x{0:X8} + + + WindowFlags + 0x{0:X8} + + + ShowWindowFlags + 0x{0:X8} + + + WindowTitle + + + DesktopInfo + + + ShellInfo + + + RuntimeData + + + + + +
\ No newline at end of file
diff --git a/ReverseEngineering/Get-PEB.ps1 b/ReverseEngineering/Get-PEB.ps1
index 4985da5..7f3a2a2 100644
--- a/ReverseEngineering/Get-PEB.ps1
+++ b/ReverseEngineering/Get-PEB.ps1
@@ -213,6 +213,7 @@ http://msdn.microsoft.com/en-us/library/windows/desktop/aa813706(v=vs.85).aspx
 {
 $PEBStruct = [_PEB]
 $UnicodeStringStruct = [_UNICODE_STRING]
+ $ProcessParametersStruct = [_RTL_USER_PROCESS_PARAMETERS]
 $ListEntryStruct = [_LIST_ENTRY]
 $LdrDataStruct = [_PEB_LDR_DATA]
 $BalancedNodeStruct = [_RTL_BALANCED_NODE]
@@ -239,6 +240,38 @@ http://msdn.microsoft.com/en-us/library/windows/desktop/aa813706(v=vs.85).aspx $UnicodeTypeBuilder.DefineField('Buffer', [IntPtr], 'Public') | Out-Null $UnicodeStringStruct = $UnicodeTypeBuilder.CreateType() + # Build type for _RTL_USER_PROCESS_PARAMETERS + $ProcParamTypeBuilder = $ModuleBuilder.DefineType('_RTL_USER_PROCESS_PARAMETERS', $Attributes, [ValueType], 4) + $ProcParamTypeBuilder.DefineField('MaximumLength', [UInt32], 'Public') | Out-Null + $ProcParamTypeBuilder.DefineField('Length', [UInt32], 'Public') | Out-Null + $ProcParamTypeBuilder.DefineField('Flags', [UInt32], 'Public') | Out-Null + $ProcParamTypeBuilder.DefineField('DebugFlags', [UInt32], 'Public') | Out-Null + $ProcParamTypeBuilder.DefineField('ConsoleHandle', [IntPtr], 'Public') | Out-Null + $ProcParamTypeBuilder.DefineField('ConsoleFlags', [UInt32], 'Public') | Out-Null + $ProcParamTypeBuilder.DefineField('StandardInput', [IntPtr], 'Public') | Out-Null + $ProcParamTypeBuilder.DefineField('StandardOutput', [IntPtr], 'Public') | Out-Null + $ProcParamTypeBuilder.DefineField('StandardError', [IntPtr], 'Public') | Out-Null + $ProcParamTypeBuilder.DefineField('CurrentDirectory', $UnicodeStringStruct, 'Public') | Out-Null + $ProcParamTypeBuilder.DefineField('CurrentDirectoryHandle', [IntPtr], 'Public') | Out-Null + $ProcParamTypeBuilder.DefineField('DllPath', $UnicodeStringStruct, 'Public') | Out-Null + $ProcParamTypeBuilder.DefineField('ImagePathName', $UnicodeStringStruct, 'Public') | Out-Null + $ProcParamTypeBuilder.DefineField('CommandLine', $UnicodeStringStruct, 'Public') | Out-Null + $ProcParamTypeBuilder.DefineField('Environment', [IntPtr], 'Public') | Out-Null + $ProcParamTypeBuilder.DefineField('StartingX', [UInt32], 'Public') | Out-Null + $ProcParamTypeBuilder.DefineField('StartingY', [UInt32], 'Public') | Out-Null + $ProcParamTypeBuilder.DefineField('CountX', [UInt32], 'Public') | Out-Null + $ProcParamTypeBuilder.DefineField('CountY', [UInt32], 'Public') | Out-Null + 
$ProcParamTypeBuilder.DefineField('CountCharsX', [UInt32], 'Public') | Out-Null + $ProcParamTypeBuilder.DefineField('CountCharsY', [UInt32], 'Public') | Out-Null + $ProcParamTypeBuilder.DefineField('FillAttribute', [UInt32], 'Public') | Out-Null + $ProcParamTypeBuilder.DefineField('WindowFlags', [UInt32], 'Public') | Out-Null + $ProcParamTypeBuilder.DefineField('ShowWindowFlags', [UInt32], 'Public') | Out-Null + $ProcParamTypeBuilder.DefineField('WindowTitle', $UnicodeStringStruct, 'Public') | Out-Null + $ProcParamTypeBuilder.DefineField('DesktopInfo', $UnicodeStringStruct, 'Public') | Out-Null + $ProcParamTypeBuilder.DefineField('ShellInfo', $UnicodeStringStruct, 'Public') | Out-Null + $ProcParamTypeBuilder.DefineField('RuntimeData', $UnicodeStringStruct, 'Public') | Out-Null + $ProcessParametersStruct = $ProcParamTypeBuilder.CreateType() + # Build type for _LIST_ENTRY $ListEntryTypeBuilder = $ModuleBuilder.DefineType('_LIST_ENTRY', $Attributes, [System.ValueType]) $ListEntryTypeBuilder.DefineField('Flink', [IntPtr], 'Public') | Out-Null 
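Review bot: The fourth argument in `DefineType('_RTL_USER_PROCESS_PARAMETERS', $Attributes, [ValueType], 4)` is an Int32 literal, which binds to the `typesize` overload of `ModuleBuilder.DefineType` (a declared total size of 4 bytes), not to the `PackingSize` overload; if 4-byte packing was intended, write `[System.Reflection.Emit.PackingSize]::Size4`, and if it was not, drop the argument so the builder matches `_LIST_ENTRY` below, which passes only three arguments. Either way a packing of 4 would be wrong on 64-bit: the native structure is naturally aligned, so `StandardInput` and every later pointer-sized member would land at a different offset than in the target process, and natural alignment (no packing argument) is what reproduces the native layout. A one-line comment above the builder naming where the field list comes from and which trailing members of the native structure are left out would help the next maintainer judge whether the struct can be read safely with `Get-StructFromMemory`. The enclosing function starts and ends outside this hunk.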
@@ -778,6 +811,59 @@ http://msdn.microsoft.com/en-us/library/windows/desktop/aa813706(v=vs.85).aspx $PEB = Get-StructFromMemory -ProcId $ProcessId -MemoryAddress ($ProcessBasicInfo.PebBaseAddress) -StructType ($PEBStruct) + $ProcessParams = Get-StructFromMemory -ProcId $ProcessId -MemoryAddress ($PEB.ProcessParameters) -StructType ($ProcessParametersStruct) + + $CurrentDirectory = '' + $DllPath = '' + $ImagePathName = '' + $CommandLine = '' + $WindowTitle = '' + $DesktopInfo = '' + $ShellInfo = '' + $RuntimeData = '' + + if ($ProcessParams.CurrentDirectory.Buffer) { $CurrentDirectory = Get-StructFromMemory -ProcId $ProcessId -MemoryAddress ($ProcessParams.CurrentDirectory.Buffer) -StructType ([String]) -UnicodeStringSize ($ProcessParams.CurrentDirectory.MaximumLength) } + if ($ProcessParams.DllPath.Buffer) { $DllPath = Get-StructFromMemory -ProcId $ProcessId -MemoryAddress ($ProcessParams.DllPath.Buffer) -StructType ([String]) -UnicodeStringSize ($ProcessParams.DllPath.MaximumLength) } else { $DllPath = '' } + if ($ProcessParams.ImagePathName.Buffer) { $ImagePathName = Get-StructFromMemory -ProcId $ProcessId -MemoryAddress ($ProcessParams.ImagePathName.Buffer) -StructType ([String]) -UnicodeStringSize ($ProcessParams.ImagePathName.MaximumLength) } + if ($ProcessParams.CommandLine.Buffer) { $CommandLine = Get-StructFromMemory -ProcId $ProcessId -MemoryAddress ($ProcessParams.CommandLine.Buffer) -StructType ([String]) -UnicodeStringSize ($ProcessParams.CommandLine.MaximumLength) } + if ($ProcessParams.WindowTitle.Buffer) { $WindowTitle = Get-StructFromMemory -ProcId $ProcessId -MemoryAddress ($ProcessParams.WindowTitle.Buffer) -StructType ([String]) -UnicodeStringSize ($ProcessParams.WindowTitle.MaximumLength) } + if ($ProcessParams.DesktopInfo.Buffer) { $DesktopInfo = Get-StructFromMemory -ProcId $ProcessId -MemoryAddress ($ProcessParams.DesktopInfo.Buffer) -StructType ([String]) -UnicodeStringSize ($ProcessParams.DesktopInfo.MaximumLength) } + if 
($ProcessParams.ShellInfo.Buffer) { $ShellInfo = Get-StructFromMemory -ProcId $ProcessId -MemoryAddress ($ProcessParams.ShellInfo.Buffer) -StructType ([String]) -UnicodeStringSize ($ProcessParams.ShellInfo.MaximumLength) } + if ($ProcessParams.RuntimeData.Buffer) { $RuntimeData = Get-StructFromMemory -ProcId $ProcessId -MemoryAddress ($ProcessParams.RuntimeData.Buffer) -StructType ([String]) -UnicodeStringSize ($ProcessParams.RuntimeData.MaximumLength) } + + $ProcessParameters = @{ + MaximumLength = $ProcessParams.MaximumLength + Length = $ProcessParams.Length + Flags = $ProcessParams.Flags + DebugFlags = $ProcessParams.DebugFlags + ConsoleHandle = $ProcessParams.ConsoleHandle + ConsoleFlags = $ProcessParams.ConsoleFlags + StandardInput = $ProcessParams.StandardInput + StandardOutput = $ProcessParams.StandardOutput + StandardError = $ProcessParams.StandardError + CurrentDirectory = $CurrentDirectory + DllPath = $DllPath + ImagePathName = $ImagePathName + CommandLine = $CommandLine + Environment = $ProcessParams.Environment + StartingX = $ProcessParams.StartingX + StartingY = $ProcessParams.StartingY + CountX = $ProcessParams.CountX + CountY = $ProcessParams.CountY + CountCharsX = $ProcessParams.CountCharsX + CountCharsY = $ProcessParams.CountCharsY + FillAttribute = $ProcessParams.FillAttribute + WindowFlags = $ProcessParams.WindowFlags + ShowWindowFlags = $ProcessParams.ShowWindowFlags + WindowTitle = $WindowTitle + DesktopInfo = $DesktopInfo + ShellInfo = $ShellInfo + RuntimeData = $RuntimeData + } + + $ProcessParamsParsed = New-Object PSObject -Property $ProcessParameters + $ProcessParamsParsed.PSObject.TypeNames[0] = 'PEB.ProcessParameters' + # Get custom objects for the PEB based upon OS version # First, build up the custom object with fields common amongst all versions of the PEB $CustomPEB = @{ 
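Review bot: `$PEB.ProcessParameters` is handed to `Get-StructFromMemory` on the first added line without the zero check that each of the eight `.Buffer` reads below applies, so a process whose PEB does not point at valid parameters produces a read at address 0 whose outcome depends on how `Get-StructFromMemory` (not in this hunk) handles the failure; guard it with `if ($PEB.ProcessParameters) { $ProcessParams = Get-StructFromMemory -ProcId $ProcessId -MemoryAddress ($PEB.ProcessParameters) -StructType ($ProcessParametersStruct) }` and skip the string reads when it is null. The string reads size their copy with `MaximumLength`, the buffer capacity, rather than `Length`, the byte count of the string, so the result can include trailing buffer slack; both values, like the `Buffer` pointers, live in the target process's own writable memory, so they should be treated as untrusted input, checked for plausibility (e.g. `Length -le MaximumLength`) before being used as a read size, and the output documented as self-reported by the target rather than verified by the tool. The `else { $DllPath = '' }` on the `DllPath` line is redundant with the initialisation a few lines above and differs from the seven sibling lines; dropping it, or folding all eight reads into one `foreach` over the member names, would remove the asymmetry. The enclosing function starts and ends outside this hunk.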
@@ -789,7 +875,7 @@ http://msdn.microsoft.com/en-us/library/windows/desktop/aa813706(v=vs.85).aspx
 Mutant = $PEB.Mutant
 ImageBaseAddress = $PEB.ImageBaseAddress
 Ldr = Get-StructFromMemory -ProcId $ProcessId -MemoryAddress ($PEB.Ldr) -StructType ($LdrDataStruct)
- ProcessParameters = $PEB.ProcessParameters
+ ProcessParameters = $ProcessParamsParsed
 SubSystemData = $PEB.SubSystemData
 ProcessHeap = $PEB.ProcessHeap
 FastPebLock = $PEB.FastPebLock
-- cgit v1.2.3
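Review bot: Replacing `ProcessParameters = $PEB.ProcessParameters` with `$ProcessParamsParsed` drops the raw pointer from the output, so any caller that consumed `ProcessParameters` as an address now receives a `PEB.ProcessParameters` object instead, a silent change of member type; keeping the address available, for example as `ProcessParametersAddress = $PEB.ProcessParameters` next to this line or as a member of the parsed object, preserves the old information while adding the new. The enclosing hashtable and function start and end outside this hunk.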