From 65ebaea880b1470718f609e1946f950e7fff0d81 Mon Sep 17 00:00:00 2001
From: bitform <matt@exploit-monday.com>
Date: Sun, 22 Jul 2012 15:16:22 -0400
Subject: Added Get-PEHeader. PETools is now a module.

Get-PEHeader is a 32 and 64-bit in-memory and on-disk PE parsing
utility.

PETools is now a PowerShell module that can be loaded with
`Import-Module PETools`
---
 PETools/PETools.format.ps1xml | 374 ++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 374 insertions(+)
 create mode 100644 PETools/PETools.format.ps1xml

(limited to 'PETools/PETools.format.ps1xml')
diff --git a/PETools/PETools.format.ps1xml b/PETools/PETools.format.ps1xml
new file mode 100644
index 0000000..2a1cbdb
--- /dev/null
+++ b/PETools/PETools.format.ps1xml
@@ -0,0 +1,374 @@
+<?xml version="1.0" encoding="utf-8" ?>
+<Configuration>
+    <SelectionSets>
+            <SelectionSet>
+                <Name>OptionHeaderTypes</Name>
+                <Types>
+                    <TypeName>PE+_IMAGE_OPTIONAL_HEADER32</TypeName>
+                    <TypeName>PE+_IMAGE_OPTIONAL_HEADER64</TypeName>
+                </Types>
+            </SelectionSet>
+        </SelectionSets>
+    <ViewDefinitions>
+        <View>
+            <Name>PEView</Name>
+            <ViewSelectedBy>
+                <TypeName>PEHeader</TypeName>
+            </ViewSelectedBy>
+            <ListControl>
+                <ListEntries>
+                    <ListEntry>
+                        <ListItems>
+                            <ListItem>
+                                <PropertyName>Module</PropertyName>
+                            </ListItem>
+                            <ListItem>
+                                <PropertyName>DOSHeader</PropertyName>
+                            </ListItem>
+                            <ListItem>
+                                <PropertyName>FileHeader</PropertyName>
+                            </ListItem>
+                            <ListItem>
+                                <PropertyName>OptionalHeader</PropertyName>
+                            </ListItem>
+                            <ListItem>
+                                <PropertyName>SectionHeaders</PropertyName>
+                            </ListItem>
+                            <ListItem>
+                                <PropertyName>Imports</PropertyName>
+                            </ListItem>
+                            <ListItem>
+                                <PropertyName>Exports</PropertyName>
+                            </ListItem>
+                        </ListItems>
+                    </ListEntry>
+                </ListEntries>
+            </ListControl>
+        </View>
+        <View>
+            <Name>OptionalHeaderView</Name>
+            <ViewSelectedBy>
+                <SelectionSetName>OptionHeaderTypes</SelectionSetName>
+            </ViewSelectedBy>
+            <ListControl>
+                <ListEntries>
+                    <ListEntry>
+                        <ListItems>
+                            <ListItem>
+                                <PropertyName>Magic</PropertyName>
+                            </ListItem>
+                            <ListItem>
+                                <PropertyName>MajorLinkerVersion</PropertyName>
+                            </ListItem>
+                            <ListItem>
+                                <PropertyName>MinorLinkerVersion</PropertyName>
+                            </ListItem>
+                            <ListItem>
+                                <Label>SizeOfCode</Label>
+                                <ScriptBlock>"0x$($_.SizeOfCode.ToString('X8'))"</ScriptBlock>
+                            </ListItem>
+                            <ListItem>
+                                <Label>SizeOfInitializedData</Label>
+                                <ScriptBlock>"0x$($_.SizeOfInitializedData.ToString('X8'))"</ScriptBlock>
+                            </ListItem>
+                            <ListItem>
+                                <Label>SizeOfUninitializedData</Label>
+                                <ScriptBlock>"0x$($_.SizeOfUninitializedData.ToString('X8'))"</ScriptBlock>
+                            </ListItem>
+                            <ListItem>
+                                <Label>AddressOfEntryPoint</Label>
+                                <ScriptBlock>"0x$($_.AddressOfEntryPoint.ToString('X8'))"</ScriptBlock>
+                            </ListItem>
+                            <ListItem>
+                                <Label>BaseOfCode</Label>
+                                <ScriptBlock>"0x$($_.BaseOfCode.ToString('X8'))"</ScriptBlock>
+                            </ListItem>
+                            <ListItem>
+                                <Label>BaseOfData</Label>
+                                <ScriptBlock>"0x$($_.BaseOfData.ToString('X8'))"</ScriptBlock>
+                            </ListItem>
+                            <ListItem>
+                                <Label>ImageBase</Label>
+                                <ScriptBlock>if ($_.Magic.ToString() -eq 'PE32') { "0x$($_.ImageBase.ToString('X8'))" } else { "0x$($_.ImageBase.ToString('X16'))" }</ScriptBlock>
+                            </ListItem>
+                            <ListItem>
+                                <Label>SectionAlignment</Label>
+                                <ScriptBlock>"0x$($_.SectionAlignment.ToString('X8'))"</ScriptBlock>
+                            </ListItem>
+                            <ListItem>
+                                <Label>FileAlignment</Label>
+                                <ScriptBlock>"0x$($_.FileAlignment.ToString('X8'))"</ScriptBlock>
+                            </ListItem>
+                            <ListItem>
+                                <PropertyName>MajorOperatingSystemVersion</PropertyName>
+                            </ListItem>
+                            <ListItem>
+                                <PropertyName>MinorOperatingSystemVersion</PropertyName>
+                            </ListItem>
+                            <ListItem>
+                                <PropertyName>MajorSubsystemVersion</PropertyName>
+                            </ListItem>
+                            <ListItem>
+                                <PropertyName>MinorSubsystemVersion</PropertyName>
+                            </ListItem>
+                            <ListItem>
+                                <PropertyName>Win32VersionValue</PropertyName>
+                            </ListItem>
+                            <ListItem>
+                                <Label>SizeOfImage</Label>
+                                <ScriptBlock>"0x$($_.SizeOfImage.ToString('X8'))"</ScriptBlock>
+                            </ListItem>
+                            <ListItem>
+                                <Label>SizeOfHeaders</Label>
+                                <ScriptBlock>"0x$($_.SizeOfHeaders.ToString('X8'))"</ScriptBlock>
+                            </ListItem>
+                            <ListItem>
+                                <Label>CheckSum</Label>
+                                <ScriptBlock>"0x$($_.CheckSum.ToString('X8'))"</ScriptBlock>
+                            </ListItem>
+                            <ListItem>
+                                <PropertyName>Subsystem</PropertyName>
+                            </ListItem>
+                            <ListItem>
+                                <PropertyName>DllCharacteristics</PropertyName>
+                            </ListItem>
+                            <ListItem>
+                                <Label>SizeOfStackReserve</Label>
+                                <ScriptBlock>if ($_.Magic.ToString() -eq 'PE32') { "0x$($_.ImageBase.ToString('X8'))" } else { "0x$($_.ImageBase.ToString('X16'))" }</ScriptBlock>
+                            </ListItem>
+                            <ListItem>
+                                <Label>SizeOfStackCommit</Label>
+                                <ScriptBlock>if ($_.Magic.ToString() -eq 'PE32') { "0x$($_.ImageBase.ToString('X8'))" } else { "0x$($_.ImageBase.ToString('X16'))" }</ScriptBlock>
+                            </ListItem>
+                            <ListItem>
+                                <Label>SizeOfHeapReserve</Label>
+                                <ScriptBlock>if ($_.Magic.ToString() -eq 'PE32') { "0x$($_.ImageBase.ToString('X8'))" } else { "0x$($_.ImageBase.ToString('X16'))" }</ScriptBlock>
+                            </ListItem>
+                            <ListItem>
+                                <Label>SizeOfHeapCommit</Label>
+                                <ScriptBlock>if ($_.Magic.ToString() -eq 'PE32') { "0x$($_.ImageBase.ToString('X8'))" } else { "0x$($_.ImageBase.ToString('X16'))" }</ScriptBlock>
+                            </ListItem>
+                            <ListItem>
+                                <PropertyName>LoaderFlags</PropertyName>
+                            </ListItem>
+                            <ListItem>
+                                <PropertyName>NumberOfRvaAndSizes</PropertyName>
+                            </ListItem>
+                            <ListItem>
+                                <PropertyName>DataDirectory</PropertyName>
+                            </ListItem>
+                        </ListItems>
+                    </ListEntry>
+                </ListEntries>
+            </ListControl>
+        </View>
+        <View>
+		    <Name>SectionHeaderView</Name>
+                <ViewSelectedBy>
+		            <TypeName>PE+_IMAGE_SECTION_HEADER</TypeName>
+		        </ViewSelectedBy>
+                <TableControl>
+                    <AutoSize/>
+                    <TableHeaders>
+                        <TableColumnHeader>
+                            <Label>Name</Label>
+                            <Alignment>Right</Alignment>
+                        </TableColumnHeader>
+                        <TableColumnHeader>
+                            <Label>VirtualSize</Label>
+                        </TableColumnHeader>
+                        <TableColumnHeader>
+                            <Label>VirtualAddress</Label>
+                        </TableColumnHeader>
+                        <TableColumnHeader>
+                            <Label>SizeOfRawData</Label>
+                        </TableColumnHeader>
+                        <TableColumnHeader>
+                            <Label>PointerToRawData</Label>
+                        </TableColumnHeader>
+                        <TableColumnHeader>
+                            <Label>Characteristics</Label>
+                            <Alignment>Left</Alignment>
+                        </TableColumnHeader>
+                    </TableHeaders>
+                    <TableRowEntries>
+                        <TableRowEntry>
+                            <TableColumnItems>
+                                <TableColumnItem>
+                                    <Alignment>Right</Alignment>
+                                    <PropertyName>Name</PropertyName>
+                                </TableColumnItem>
+                                <TableColumnItem>
+                                    <ScriptBlock>"0x$($_.VirtualSize.ToString('X8'))"</ScriptBlock>
+                                </TableColumnItem>
+                                <TableColumnItem>
+                                    <ScriptBlock>"0x$($_.VirtualAddress.ToString('X8'))"</ScriptBlock>
+                                </TableColumnItem>
+                                <TableColumnItem>
+                                    <ScriptBlock>"0x$($_.SizeOfRawData.ToString('X8'))"</ScriptBlock>
+                                </TableColumnItem>
+                                <TableColumnItem>
+                                    <ScriptBlock>"0x$($_.PointerToRawData.ToString('X8'))"</ScriptBlock>
+                                </TableColumnItem>
+                                <TableColumnItem>
+                                    <PropertyName>Characteristics</PropertyName>
+                                </TableColumnItem>
+                            </TableColumnItems>
+                        </TableRowEntry>
+                    </TableRowEntries>
+                </TableControl>
+        </View>
+        <View>
+            <Name>FileHeaderView</Name>
+            <ViewSelectedBy>
+                <TypeName>PE+_IMAGE_FILE_HEADER</TypeName>
+            </ViewSelectedBy>
+            <ListControl>
+                <ListEntries>
+                    <ListEntry>
+                        <ListItems>
+                            <ListItem>
+                                <PropertyName>Machine</PropertyName>
+                            </ListItem>
+                            <ListItem>
+                                <PropertyName>NumberOfSections</PropertyName>
+                            </ListItem>
+                            <ListItem>
+                                <Label>TimeDateStamp</Label>
+                                <!-- GMT compile time -->
+                                <ScriptBlock>(New-Object DateTime(1970, 1, 1, 0, 0, 0)).AddSeconds($_.TimeDateStamp)</ScriptBlock>
+                                <!-- Compile time assuming it was compiled in Redmond, Washington (PST - GMT-8) -->
+                                <!-- <ScriptBlock>(New-Object DateTime(1969, 12, 31, 16, 0, 0)).AddSeconds($_.TimeDateStamp)</ScriptBlock> -->
+                            </ListItem>
+                            <ListItem>
+                                <PropertyName>PointerToSymbolTable</PropertyName>
+                            </ListItem>
+                            <ListItem>
+                                <PropertyName>NumberOfSymbols</PropertyName>
+                            </ListItem>
+                            <ListItem>
+                                <PropertyName>SizeOfOptionalHeader</PropertyName>
+                            </ListItem>
+                            <ListItem>
+                                <PropertyName>Characteristics</PropertyName>
+                            </ListItem>
+                        </ListItems>
+                    </ListEntry>
+                </ListEntries>
+            </ListControl>
+        </View>
+        <View>
+            <Name>DataDirectoryView</Name>
+                <ViewSelectedBy>
+		            <TypeName>PE+_IMAGE_DATA_DIRECTORY</TypeName>
+		        </ViewSelectedBy>
+                <TableControl>
+                    <AutoSize/>
+                    <TableHeaders>
+                        <TableColumnHeader>
+                            <Label>VirtualAddress</Label>
+                        </TableColumnHeader>
+                        <TableColumnHeader>
+                            <Label>Size</Label>
+                        </TableColumnHeader>
+                    </TableHeaders>
+                    <TableRowEntries>
+                        <TableRowEntry>
+                            <TableColumnItems>
+                                <TableColumnItem>
+                                    <ScriptBlock>"0x$($_.VirtualAddress.ToString('X8'))"</ScriptBlock>
+                                </TableColumnItem>
+                                <TableColumnItem>
+                                    <ScriptBlock>"0x$($_.Size.ToString('X8'))"</ScriptBlock>
+                                </TableColumnItem>
+                            </TableColumnItems>
+                        </TableRowEntry>
+                    </TableRowEntries>
+                </TableControl>
+        </View>
+        <View>
+            <Name>ImportView</Name>
+                <ViewSelectedBy>
+		            <TypeName>Import</TypeName>
+		        </ViewSelectedBy>
+                <TableControl>
+                    <AutoSize/>
+                    <TableHeaders>
+                        <TableColumnHeader>
+                            <Label>ModuleName</Label>
+                            <Alignment>Right</Alignment>
+                        </TableColumnHeader>
+                        <TableColumnHeader>
+                            <Label>VirtualAddress</Label>
+                        </TableColumnHeader>
+                        <TableColumnHeader>
+                            <Label>Ordinal</Label>
+                        </TableColumnHeader>
+                        <TableColumnHeader>
+                            <Label>FunctionName</Label>
+                        </TableColumnHeader>
+                    </TableHeaders>
+                    <TableRowEntries>
+                        <TableRowEntry>
+                            <TableColumnItems>
+                                <TableColumnItem>
+                                    <Alignment>Right</Alignment>
+                                    <PropertyName>ModuleName</PropertyName>
+                                </TableColumnItem>
+                                <TableColumnItem>
+                                    <PropertyName>VA</PropertyName>
+                                </TableColumnItem>
+                                <TableColumnItem>
+                                    <PropertyName>Ordinal</PropertyName>
+                                </TableColumnItem>
+                                <TableColumnItem>
+                                    <PropertyName>FunctionName</PropertyName>
+                                </TableColumnItem>
+                            </TableColumnItems>
+                        </TableRowEntry>
+                    </TableRowEntries>
+                </TableControl>
+        </View>
+        <View>
+            <Name>ExportView</Name>
+                <ViewSelectedBy>
+		            <TypeName>Export</TypeName>
+		        </ViewSelectedBy>
+                <TableControl>
+                    <AutoSize/>
+                    <TableHeaders>
+                        <TableColumnHeader>
+                            <Label>VirtualAddress</Label>
+                        </TableColumnHeader>
+                        <TableColumnHeader>
+                            <Label>Ordinal</Label>
+                        </TableColumnHeader>
+                        <TableColumnHeader>
+                            <Label>FunctionName</Label>
+                        </TableColumnHeader>
+                        <TableColumnHeader>
+                            <Label>ForwardedName</Label>
+                        </TableColumnHeader>
+                    </TableHeaders>
+                    <TableRowEntries>
+                        <TableRowEntry>
+                            <TableColumnItems>
+                                <TableColumnItem>
+                                    <PropertyName>VA</PropertyName>
+                                </TableColumnItem>
+                                <TableColumnItem>
+                                    <PropertyName>Ordinal</PropertyName>
+                                </TableColumnItem>
+                                <TableColumnItem>
+                                    <PropertyName>FunctionName</PropertyName>
+                                </TableColumnItem>
+                                <TableColumnItem>
+                                    <PropertyName>ForwardedName</PropertyName>
+                                </TableColumnItem>
+                            </TableColumnItems>
+                        </TableRowEntry>
+                    </TableRowEntries>
+                </TableControl>
+        </View>
+    </ViewDefinitions>
+</Configuration>
\ No newline at end of file
-- 
cgit v1.2.3

