From 9bb31fc9b9b3524d4a4b45b8e92bc5fba6da6645 Mon Sep 17 00:00:00 2001
From: Matt Graeber
Date: Sat, 17 Aug 2013 17:16:38 -0400
Subject: Removing Get-PEArchitecture

This functionality is present and maintained in Get-PEHeader.
---
 PETools/Get-PEArchitecture.ps1 | 94 ------------------------------------------
 PETools/PETools.psd1 | 3 +-
 README.md | 4 --
 3 files changed, 1 insertion(+), 100 deletions(-)
 delete mode 100644 PETools/Get-PEArchitecture.ps1

diff --git a/PETools/Get-PEArchitecture.ps1 b/PETools/Get-PEArchitecture.ps1
deleted file mode 100644
index efc80be..0000000
--- a/PETools/Get-PEArchitecture.ps1
+++ /dev/null
@@ -1,94 +0,0 @@
-function Get-PEArchitecture
-{
-<#
-.SYNOPSIS
-
-Outputs the architecture for which a binary was compiled.
-
-PowerSploit Function: Get-PEArchitecture
-Author: Matthew Graeber (@mattifestation)
-License: BSD 3-Clause
-Required Dependencies: None
-Optional Dependencies: None
-
-.DESCRIPTION
-
-Get-PEArchitecture returns the architecture for which a Windows portable executable was compiled.
-
-.PARAMETER Path
-
-Path to the executable.
-
-.EXAMPLE
-
-C:\PS> Get-PEArchitecture C:\Windows\SysWOW64\calc.exe
-X86
-
-.EXAMPLE
-
-C:\PS> Get-PEArchitecture C:\Windows\System32\cmd.exe
-X64
-
-.LINK
-
-http://www.exploit-monday.com
-#>
-
- Param (
- [Parameter(Position = 0, Mandatory = $True)]
- [String]
- $Path
- )
-
- if (!(Test-Path $Path)) {
- Write-Warning 'Invalid path or file does not exist.'
- return
- }
-
- # Parse PE header to see if binary was compiled 32 or 64-bit
- $FileStream = New-Object System.IO.FileStream($Path, [System.IO.FileMode]::Open, [System.IO.FileAccess]::Read)
-
- [Byte[]] $MZHeader = New-Object Byte[](2)
- $FileStream.Read($MZHeader,0,2) | Out-Null
-
- $Header = [System.Text.AsciiEncoding]::ASCII.GetString($MZHeader)
- if ($Header -ne 'MZ') {
- Write-Warning 'Invalid PE header.'
- $FileStream.Close()
- return
- }
-
- # Seek to 0x3c - IMAGE_DOS_HEADER.e_lfanew (i.e. Offset to PE Header)
- $FileStream.Seek(0x3c, [System.IO.SeekOrigin]::Begin) | Out-Null
-
- [Byte[]] $lfanew = New-Object Byte[](4)
-
- # Read offset to the PE Header (will be read in reverse)
- $FileStream.Read($lfanew,0,4) | Out-Null
- $PEOffset = [Int] ('0x{0}' -f (( $lfanew[-1..-4] | % { $_.ToString('X2') } ) -join ''))
-
- # Seek to IMAGE_FILE_HEADER.IMAGE_FILE_MACHINE
- $FileStream.Seek($PEOffset + 4, [System.IO.SeekOrigin]::Begin) | Out-Null
- [Byte[]] $IMAGE_FILE_MACHINE = New-Object Byte[](2)
-
- # Read compiled architecture
- $FileStream.Read($IMAGE_FILE_MACHINE,0,2) | Out-Null
- $Architecture = '{0}' -f (( $IMAGE_FILE_MACHINE[-1..-2] | % { $_.ToString('X2') } ) -join '')
- $FileStream.Close()
-
- if (($Architecture -ne '014C') -and ($Architecture -ne '8664') -and ($Architecture -ne '01C4')) {
- Write-Warning 'Invalid PE header or unsupported architecture.'
- return
- }
-
- if ($Architecture -eq '014C') {
- return 'X86'
- } elseif ($Architecture -eq '8664') {
- return 'X64'
- } elseif ($Architecture -eq '01C4') {
- return 'ARM'
- } else {
- return 'OTHER'
- }
-
-}
diff --git a/PETools/PETools.psd1 b/PETools/PETools.psd1
index 696eb57..d414365 100644
--- a/PETools/PETools.psd1
+++ b/PETools/PETools.psd1
@@ -74,8 +74,7 @@ ModuleList = @(@{ModuleName = 'PETools'; ModuleVersion = '1.0.0.0'; GUID = 'd150
 # List of all files packaged with this module
 FileList = 'PETools.psm1', 'PETools.psd1', 'PETools.format.ps1xml', 'Get-DllLoadPath.ps1',
- 'Get-PEArchitecture.ps1', 'Get-PEHeader.ps1', 'Get-ObjDump.ps1', 'Get-ObjDump.format.ps1xml',
- 'Usage.md'
+ 'Get-PEHeader.ps1', 'Get-ObjDump.ps1', 'Get-ObjDump.format.ps1xml', 'Usage.md'
 # Private data to pass to the module specified in RootModule/ModuleToProcess
 # PrivateData = ''
diff --git a/README.md b/README.md
index d29d227..6bdda8d 100644
--- a/README.md
+++ b/README.md
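Review bot: Nothing in the PETools.psd1 hunk shows whether the manifest's FunctionsToExport entry or the PETools.psm1 loader still names Get-PEArchitecture, so removing the file from FileList may leave a dangling reference elsewhere in the module; this is inferred, since neither is in the hunk. If the psm1 still dot-sources the deleted script, Import-Module will error on the missing file, and a stale FunctionsToExport entry would advertise a function that no longer exists. Both are worth a check before merge; the FileList edit itself reads correctly, with 'Usage.md' folded onto the remaining line.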
@@ -72,10 +72,6 @@ An in-memory and on-disk PE parsing utility.
 Displays information about one or more Windows object files.
-#### `Get-PEArchitecture`
-
-Returns the architecture for which an executable was compiled.
-
 #### `Get-DllLoadPath`
 Returns the path from which Windows will load a Dll for the given executable.
-- 
cgit v1.2.3