From 504ac21aed7f8a2d4d99074c60b48bfdf15b1b68 Mon Sep 17 00:00:00 2001 From: bitform Date: Mon, 7 Jan 2013 18:42:12 -0500 Subject: Added Get-PEB Returns the process environment block (PEB) of a process. --- RE_Tools/Get-PEB.format.ps1xml | 1099 ++++++++++++++++++++++++++++++++++++++++ 1 file changed, 1099 insertions(+) create mode 100644 RE_Tools/Get-PEB.format.ps1xml (limited to 'RE_Tools/Get-PEB.format.ps1xml') diff --git a/RE_Tools/Get-PEB.format.ps1xml b/RE_Tools/Get-PEB.format.ps1xml new file mode 100644 index 0000000..9c25dc1 --- /dev/null +++ b/RE_Tools/Get-PEB.format.ps1xml 
@@ -0,0 +1,1099 @@ + + + + + + Both + + + + + + ProcessEnvironmentBlock_VistaView + + PEB.Vista + + + + + + + ProcessName + + + ProcessId + + + InheritedAddressSpace + + + ReadImageFileExecOptions + + + BeingDebugged + + + ImageUsesLargePages + + + IsProtectedProcess + + + IsLegacyProcess + + + IsImageDynamicallyRelocated + + + SkipPatchingUser32Forwarders + + + IsPackagedProcess + + + IsAppContainer + + + + "0x$($_.Mutant.ToString("X$([IntPtr]::Size * 2)"))" + + + + "0x$($_.ImageBaseAddress.ToString("X$([IntPtr]::Size * 2)"))" + + + Ldr + + + InLoadOrderModuleList + + + InMemoryOrderModuleList + + + InInitializationOrderModuleList + + + + "0x$($_.ProcessParameters.ToString("X$([IntPtr]::Size * 2)"))" + + + + "0x$($_.SubSystemData.ToString("X$([IntPtr]::Size * 2)"))" + + + + "0x$($_.ProcessHeap.ToString("X$([IntPtr]::Size * 2)"))" + + + + "0x$($_.FastPebLock.ToString("X$([IntPtr]::Size * 2)"))" + + + + "0x$($_.AtlThunkSListPtr.ToString("X$([IntPtr]::Size * 2)"))" + + + + "0x$($_.IFEOKey.ToString("X$([IntPtr]::Size * 2)"))" + + + ProcessInJob + + + ProcessInitializing + + + ProcessUsingVEH + + + ProcessUsingVCH + + + ProcessUsingFTH + + + + "0x$($_.KernelCallbackTable.ToString("X$([IntPtr]::Size * 2)"))" + + + SystemReserved + 0x{0:X8} + + + AtlThunkSListPtr32 + 0x{0:X8} + + + + "0x$($_.ApiSetMap.ToString("X$([IntPtr]::Size * 2)"))" + + + TlsExpansionCounter + 0x{0:X8} + + + + "0x$($_.TlsBitmap.ToString("X$([IntPtr]::Size * 2)"))" + + + + ($_.TlsBitmapBits | % { "0x$($_.ToString('X8'))" }) -join ',' + + + + "0x$($_.ReadOnlySharedMemoryBase.ToString("X$([IntPtr]::Size * 2)"))" + + + + "0x$($_.HotpatchInformation.ToString("X$([IntPtr]::Size * 2)"))" + + + + "0x$($_.ReadOnlyStaticServerData.ToString("X$([IntPtr]::Size * 2)"))" + + + + "0x$($_.AnsiCodePageData.ToString("X$([IntPtr]::Size * 2)"))" + + + + "0x$($_.OemCodePageData.ToString("X$([IntPtr]::Size * 2)"))" + + + + "0x$($_.UnicodeCaseTableData.ToString("X$([IntPtr]::Size * 2)"))" + + + NumberOfProcessors + 
0x{0:X8} + + + NtGlobalFlag + 0x{0:X8} + + + CriticalSectionTimeout + 0x{0:X16} + + + + "0x$($_.HeapSegmentReserve.ToString("X$([IntPtr]::Size * 2)"))" + + + + "0x$($_.HeapSegmentCommit.ToString("X$([IntPtr]::Size * 2)"))" + + + + "0x$($_.HeapDeCommitTotalFreeThreshold.ToString("X$([IntPtr]::Size * 2)"))" + + + + "0x$($_.HeapDeCommitFreeBlockThreshold.ToString("X$([IntPtr]::Size * 2)"))" + + + NumberOfHeaps + 0x{0:X8} + + + MaximumNumberOfHeaps + 0x{0:X8} + + + + "0x$($_.ProcessHeaps.ToString("X$([IntPtr]::Size * 2)"))" + + + + "0x$($_.GdiSharedHandleTable.ToString("X$([IntPtr]::Size * 2)"))" + + + + "0x$($_.ProcessStarterHelper.ToString("X$([IntPtr]::Size * 2)"))" + + + GdiDCAttributeList + 0x{0:X8} + + + + "0x$($_.LoaderLock.ToString("X$([IntPtr]::Size * 2)"))" + + + OSMajorVersion + + + OSMinorVersion + + + OSBuildNumber + + + OSCSDVersion + + + OSPlatformId + + + ImageSubsystem + + + ImageSubsystemMajorVersion + + + ImageSubsystemMinorVersion + + + + "0x$($_.ActiveProcessAffinityMask.ToString("X$([IntPtr]::Size * 2)"))" + + + + ($_.GdiHandleBuffer | % { "0x$($_.ToString('X8'))" }) -join ',' + + + + "0x$($_.PostProcessInitRoutine.ToString("X$([IntPtr]::Size * 2)"))" + + + + "0x$($_.TlsExpansionBitmap.ToString("X$([IntPtr]::Size * 2)"))" + + + + ($_.TlsExpansionBitmapBits | % { "0x$($_.ToString('X8'))" }) -join ',' + + + SessionId + 0x{0:X8} + + + AppCompatFlags + 0x{0:X16} + + + AppCompatFlagsUser + 0x{0:X16} + + + + "0x$($_.pShimData.ToString("X$([IntPtr]::Size * 2)"))" + + + AppCompatInfo + 0x{0:X8} + + + CSDVersion + + + + "0x$($_.ActivationContextData.ToString("X$([IntPtr]::Size * 2)"))" + + + + "0x$($_.ProcessAssemblyStorageMap.ToString("X$([IntPtr]::Size * 2)"))" + + + + "0x$($_.SystemDefaultActivationContextData.ToString("X$([IntPtr]::Size * 2)"))" + + + + "0x$($_.SystemAssemblyStorageMap.ToString("X$([IntPtr]::Size * 2)"))" + + + + "0x$($_.MinimumStackCommit.ToString("X$([IntPtr]::Size * 2)"))" + + + + "0x$($_.FlsCallback.ToString("X$([IntPtr]::Size * 
2)"))" + + + FlsListHead + + + + "0x$($_.FlsBitmap.ToString("X$([IntPtr]::Size * 2)"))" + + + + ($_.FlsBitmapBits | % { "0x$($_.ToString('X8'))" }) -join ',' + + + FlsHighIndex + 0x{0:X8} + + + + "0x$($_.WerRegistrationData.ToString("X$([IntPtr]::Size * 2)"))" + + + + "0x$($_.WerShipAssertPtr.ToString("X$([IntPtr]::Size * 2)"))" + + + + "0x$($_.pUnused.ToString("X$([IntPtr]::Size * 2)"))" + + + + "0x$($_.pImageHeaderHash.ToString("X$([IntPtr]::Size * 2)"))" + + + HeapTracingEnabled + + + CritSecTracingEnabled + + + LibLoaderTracingEnabled + + + CsrServerReadOnlySharedMemoryBase + 0x{0:X16} + + + + + + + + ProcessEnvironmentBlock_Server2003View + + PEB.Server2003 + + + + + + + ProcessName + + + ProcessId + + + + if($_.InheritedAddressSpace -eq 0){$False}else{$True} + + + + if($_.ReadImageFileExecOptions -eq 0){$False}else{$True} + + + + if($_.BeingDebugged -eq 0){$False}else{$True} + + + ImageUsesLargePages + + + + "0x$($_.Mutant.ToString("X$([IntPtr]::Size * 2)"))" + + + + "0x$($_.ImageBaseAddress.ToString("X$([IntPtr]::Size * 2)"))" + + + Ldr + + + InLoadOrderModuleList + + + InMemoryOrderModuleList + + + InInitializationOrderModuleList + + + + "0x$($_.ProcessParameters.ToString("X$([IntPtr]::Size * 2)"))" + + + + "0x$($_.SubSystemData.ToString("X$([IntPtr]::Size * 2)"))" + + + + "0x$($_.ProcessHeap.ToString("X$([IntPtr]::Size * 2)"))" + + + + "0x$($_.FastPebLock.ToString("X$([IntPtr]::Size * 2)"))" + + + + "0x$($_.AtlThunkSListPtr.ToString("X$([IntPtr]::Size * 2)"))" + + + + "0x$($_.SparePtr2.ToString("X$([IntPtr]::Size * 2)"))" + + + EnvironmentUpdateCount + 0x{0:X8} + + + + "0x$($_.KernelCallbackTable.ToString("X$([IntPtr]::Size * 2)"))" + + + SystemReserved + 0x{0:X8} + + + AtlThunkSListPtr32 + 0x{0:X8} + + + + "0x$($_.ApiSetMap.ToString("X$([IntPtr]::Size * 2)"))" + + + TlsExpansionCounter + 0x{0:X8} + + + + "0x$($_.TlsBitmap.ToString("X$([IntPtr]::Size * 2)"))" + + + + ($_.TlsBitmapBits | % { "0x$($_.ToString('X8'))" }) -join ',' + + + + 
"0x$($_.ReadOnlySharedMemoryBase.ToString("X$([IntPtr]::Size * 2)"))" + + + + "0x$($_.ReadOnlySharedMemoryHeap.ToString("X$([IntPtr]::Size * 2)"))" + + + + "0x$($_.ReadOnlyStaticServerData.ToString("X$([IntPtr]::Size * 2)"))" + + + + "0x$($_.AnsiCodePageData.ToString("X$([IntPtr]::Size * 2)"))" + + + + "0x$($_.OemCodePageData.ToString("X$([IntPtr]::Size * 2)"))" + + + + "0x$($_.UnicodeCaseTableData.ToString("X$([IntPtr]::Size * 2)"))" + + + NumberOfProcessors + 0x{0:X8} + + + NtGlobalFlag + 0x{0:X8} + + + CriticalSectionTimeout + 0x{0:X16} + + + + "0x$($_.HeapSegmentReserve.ToString("X$([IntPtr]::Size * 2)"))" + + + + "0x$($_.HeapSegmentCommit.ToString("X$([IntPtr]::Size * 2)"))" + + + + "0x$($_.HeapDeCommitTotalFreeThreshold.ToString("X$([IntPtr]::Size * 2)"))" + + + + "0x$($_.HeapDeCommitFreeBlockThreshold.ToString("X$([IntPtr]::Size * 2)"))" + + + NumberOfHeaps + 0x{0:X8} + + + MaximumNumberOfHeaps + 0x{0:X8} + + + + "0x$($_.ProcessHeaps.ToString("X$([IntPtr]::Size * 2)"))" + + + + "0x$($_.GdiSharedHandleTable.ToString("X$([IntPtr]::Size * 2)"))" + + + + "0x$($_.ProcessStarterHelper.ToString("X$([IntPtr]::Size * 2)"))" + + + GdiDCAttributeList + 0x{0:X8} + + + + "0x$($_.LoaderLock.ToString("X$([IntPtr]::Size * 2)"))" + + + OSMajorVersion + + + OSMinorVersion + + + OSBuildNumber + + + OSCSDVersion + + + OSPlatformId + + + ImageSubsystem + + + ImageSubsystemMajorVersion + + + ImageSubsystemMinorVersion + + + + "0x$($_.ActiveProcessAffinityMask.ToString("X$([IntPtr]::Size * 2)"))" + + + + ($_.GdiHandleBuffer | % { "0x$($_.ToString('X8'))" }) -join ',' + + + + "0x$($_.PostProcessInitRoutine.ToString("X$([IntPtr]::Size * 2)"))" + + + + "0x$($_.TlsExpansionBitmap.ToString("X$([IntPtr]::Size * 2)"))" + + + + ($_.TlsExpansionBitmapBits | % { "0x$($_.ToString('X8'))" }) -join ',' + + + SessionId + 0x{0:X8} + + + AppCompatFlags + 0x{0:X16} + + + AppCompatFlagsUser + 0x{0:X16} + + + + "0x$($_.pShimData.ToString("X$([IntPtr]::Size * 2)"))" + + + AppCompatInfo + 0x{0:X8} + + 
+ CSDVersion + + + + "0x$($_.ActivationContextData.ToString("X$([IntPtr]::Size * 2)"))" + + + + "0x$($_.ProcessAssemblyStorageMap.ToString("X$([IntPtr]::Size * 2)"))" + + + + "0x$($_.SystemDefaultActivationContextData.ToString("X$([IntPtr]::Size * 2)"))" + + + + "0x$($_.SystemAssemblyStorageMap.ToString("X$([IntPtr]::Size * 2)"))" + + + + "0x$($_.MinimumStackCommit.ToString("X$([IntPtr]::Size * 2)"))" + + + + "0x$($_.FlsCallback.ToString("X$([IntPtr]::Size * 2)"))" + + + FlsListHead + + + + "0x$($_.FlsBitmap.ToString("X$([IntPtr]::Size * 2)"))" + + + + ($_.FlsBitmapBits | % { "0x$($_.ToString('X8'))" }) -join ',' + + + FlsHighIndex + 0x{0:X8} + + + + + + + + ProcessEnvironmentBlock_XPView + + PEB.XP + + + + + + + ProcessName + + + ProcessId + + + + if($_.InheritedAddressSpace -eq 0){$False}else{$True} + + + + if($_.ReadImageFileExecOptions -eq 0){$False}else{$True} + + + + if($_.BeingDebugged -eq 0){$False}else{$True} + + + + "0x$($_.Mutant.ToString("X$([IntPtr]::Size * 2)"))" + + + + "0x$($_.ImageBaseAddress.ToString("X$([IntPtr]::Size * 2)"))" + + + Ldr + + + InLoadOrderModuleList + + + InMemoryOrderModuleList + + + InInitializationOrderModuleList + + + + "0x$($_.ProcessParameters.ToString("X$([IntPtr]::Size * 2)"))" + + + + "0x$($_.SubSystemData.ToString("X$([IntPtr]::Size * 2)"))" + + + + "0x$($_.ProcessHeap.ToString("X$([IntPtr]::Size * 2)"))" + + + + "0x$($_.FastPebLock.ToString("X$([IntPtr]::Size * 2)"))" + + + + "0x$($_.FastPebLockRoutine.ToString("X$([IntPtr]::Size * 2)"))" + + + + "0x$($_.FastPebUnlockRoutine.ToString("X$([IntPtr]::Size * 2)"))" + + + EnvironmentUpdateCount + 0x{0:X8} + + + + "0x$($_.KernelCallbackTable.ToString("X$([IntPtr]::Size * 2)"))" + + + SystemReserved + 0x{0:X8} + + + AtlThunkSListPtr32 + 0x{0:X8} + + + + "0x$($_.ApiSetMap.ToString("X$([IntPtr]::Size * 2)"))" + + + TlsExpansionCounter + 0x{0:X8} + + + + "0x$($_.TlsBitmap.ToString("X$([IntPtr]::Size * 2)"))" + + + + ($_.TlsBitmapBits | % { "0x$($_.ToString('X8'))" }) -join ',' + + 
+ + "0x$($_.ReadOnlySharedMemoryBase.ToString("X$([IntPtr]::Size * 2)"))" + + + + "0x$($_.ReadOnlySharedMemoryHeap.ToString("X$([IntPtr]::Size * 2)"))" + + + + "0x$($_.ReadOnlyStaticServerData.ToString("X$([IntPtr]::Size * 2)"))" + + + + "0x$($_.AnsiCodePageData.ToString("X$([IntPtr]::Size * 2)"))" + + + + "0x$($_.OemCodePageData.ToString("X$([IntPtr]::Size * 2)"))" + + + + "0x$($_.UnicodeCaseTableData.ToString("X$([IntPtr]::Size * 2)"))" + + + NumberOfProcessors + 0x{0:X8} + + + NtGlobalFlag + 0x{0:X8} + + + CriticalSectionTimeout + 0x{0:X16} + + + + "0x$($_.HeapSegmentReserve.ToString("X$([IntPtr]::Size * 2)"))" + + + + "0x$($_.HeapSegmentCommit.ToString("X$([IntPtr]::Size * 2)"))" + + + + "0x$($_.HeapDeCommitTotalFreeThreshold.ToString("X$([IntPtr]::Size * 2)"))" + + + + "0x$($_.HeapDeCommitFreeBlockThreshold.ToString("X$([IntPtr]::Size * 2)"))" + + + NumberOfHeaps + 0x{0:X8} + + + MaximumNumberOfHeaps + 0x{0:X8} + + + + "0x$($_.ProcessHeaps.ToString("X$([IntPtr]::Size * 2)"))" + + + + "0x$($_.GdiSharedHandleTable.ToString("X$([IntPtr]::Size * 2)"))" + + + + "0x$($_.ProcessStarterHelper.ToString("X$([IntPtr]::Size * 2)"))" + + + GdiDCAttributeList + 0x{0:X8} + + + + "0x$($_.LoaderLock.ToString("X$([IntPtr]::Size * 2)"))" + + + OSMajorVersion + + + OSMinorVersion + + + OSBuildNumber + + + OSCSDVersion + + + OSPlatformId + + + ImageSubsystem + + + ImageSubsystemMajorVersion + + + ImageSubsystemMinorVersion + + + + "0x$($_.ActiveProcessAffinityMask.ToString("X$([IntPtr]::Size * 2)"))" + + + + ($_.GdiHandleBuffer | % { "0x$($_.ToString('X8'))" }) -join ',' + + + + "0x$($_.PostProcessInitRoutine.ToString("X$([IntPtr]::Size * 2)"))" + + + + "0x$($_.TlsExpansionBitmap.ToString("X$([IntPtr]::Size * 2)"))" + + + + ($_.TlsExpansionBitmapBits | % { "0x$($_.ToString('X8'))" }) -join ',' + + + SessionId + 0x{0:X8} + + + AppCompatFlags + 0x{0:X16} + + + AppCompatFlagsUser + 0x{0:X16} + + + + "0x$($_.pShimData.ToString("X$([IntPtr]::Size * 2)"))" + + + AppCompatInfo + 0x{0:X8} 
+ + + CSDVersion + + + + "0x$($_.ActivationContextData.ToString("X$([IntPtr]::Size * 2)"))" + + + + "0x$($_.ProcessAssemblyStorageMap.ToString("X$([IntPtr]::Size * 2)"))" + + + + "0x$($_.SystemDefaultActivationContextData.ToString("X$([IntPtr]::Size * 2)"))" + + + + "0x$($_.SystemAssemblyStorageMap.ToString("X$([IntPtr]::Size * 2)"))" + + + + "0x$($_.MinimumStackCommit.ToString("X$([IntPtr]::Size * 2)"))" + + + + + + + + ProcessEnvironmentBlock_ModuleEntryView + + PEB.ModuleEntry + + + + + + + InLoadOrderModuleList + + + InMemoryOrderModuleList + + + InInitializationOrderModuleList + + + + "0x$($_.BaseAddress.ToString("X$([IntPtr]::Size * 2)"))" + + + + "0x$($_.EntryPoint.ToString("X$([IntPtr]::Size * 2)"))" + + + SizeOfImage + 0x{0:X8} + + + FullDllName + + + BaseDllName + + + PackagedBinary + + + ImageDll + + + LoadNotificationsSent + + + TelemetryEntryProcessed + + + ProcessStaticImport + + + InLegacyLists + + + InIndexes + + + ShimDll + + + InExceptionTable + + + LoadInProgress + + + EntryProcessed + + + DontCallForThreads + + + ProcessAttachCalled + + + ProcessAttachFailed + + + CorDeferredValidate + + + CorImage + + + DontRelocate + + + CorILOnly + + + Redirected + + + CompatDatabaseProcessed + + + ObsoleteLoadCount + 0x{0:X4} + + + TlsIndex + 0x{0:X4} + + + HashLinks + + + TimeDateStamp + + + + "0x$($_.EntryPointActivationContext.ToString("X$([IntPtr]::Size * 2)"))" + + + + "0x$($_.PatchInformation.ToString("X$([IntPtr]::Size * 2)"))" + + + + "0x$($_.DdagNode.ToString("X$([IntPtr]::Size * 2)"))" + + + NodeModuleLink + + + + "0x$($_.SnapContext.ToString("X$([IntPtr]::Size * 2)"))" + + + + "0x$($_.ParentDllBase.ToString("X$([IntPtr]::Size * 2)"))" + + + + "0x$($_.SwitchBackContext.ToString("X$([IntPtr]::Size * 2)"))" + + + BaseAddressIndexNode + + + MappingInfoIndexNode + + + + "0x$($_.OriginalBase.ToString("X$([IntPtr]::Size * 2)"))" + + + LoadTime + 0x{0:X16} + + + BaseNameHashValue + 0x{0:X8} + + + LoadReason + + + + + + + + \ No newline at end of file -- 
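Review bot: The three PEB views format the same flag fields differently: the Vista view lists `InheritedAddressSpace`, `ReadImageFileExecOptions` and `BeingDebugged` as plain property names, while the Server2003 and XP views wrap each one in `if($_.BeingDebugged -eq 0){$False}else{$True}`. Unless the Vista structure already exposes those members as booleans (not visible in this patch), the views should agree, and the script block can be reduced to `$_.BeingDebugged -ne 0`. The address columns pad with `"X$([IntPtr]::Size * 2)"`, which is the pointer width of the PowerShell host rather than of the inspected process; if Get-PEB can read a 32-bit target from a 64-bit host, the width should come from the target's bitness so addresses are not shown with eight spurious leading zeros. The `%` alias in the `TlsBitmapBits`, `GdiHandleBuffer`, `TlsExpansionBitmapBits` and `FlsBitmapBits` script blocks is better spelled `ForEach-Object` in a shipped format file, and the file is missing its trailing newline.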