From 5b4b9924d5a016af996ffac91a975b9822651451 Mon Sep 17 00:00:00 2001 From: mattifestation Date: Thu, 7 Nov 2013 07:28:53 -0500 Subject: Get-ILDisassembly now displays metadata tokens. * Having metadata tokens displayed in output helps with reverse engineering because you can pass metadata tokens to System.Reflection.Module.ResolveMember and then easily interact with the member in question. * I also fixed a bug when displaying integer constants. I wasn't doing an endian swap. --- ReverseEngineering/Get-ILDisassembly.ps1 | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) (limited to 'ReverseEngineering/Get-ILDisassembly.ps1') diff --git a/ReverseEngineering/Get-ILDisassembly.ps1 b/ReverseEngineering/Get-ILDisassembly.ps1 index 645dc39..b7293e0 100644 --- a/ReverseEngineering/Get-ILDisassembly.ps1 +++ b/ReverseEngineering/Get-ILDisassembly.ps1 @@ -131,6 +131,7 @@ http://www.ecma-international.org/publications/files/ECMA-ST/Ecma-335.pdf $Type = $Op.OperandType $Operand = $null + $OpInt = $null if ($Type -eq 'InlineNone') { $OperandLength = 0 @@ -191,13 +192,14 @@ http://www.ecma-international.org/publications/files/ECMA-ST/Ecma-335.pdf if (($OperandLength -gt 0) -and ($OperandLength -ne 4) -and ($Type -ne 'InlineSwitch') -and ($Type -ne 'ShortInlineBrTarget')) { # Simply print the hex for all operands with immediate values - $Operand = "0x{0}" -f (($IL[$Position..($Position+$OperandLength-1)] | ForEach-Object { $_.ToString('X2') }) -join '') + $Operand = "0x{0}" -f (($IL[($Position+$OperandLength-1)..$Position] | ForEach-Object { $_.ToString('X2') }) -join '') } $Instruction = @{ Position = $InstructionPostion Instruction = $Op.Name Operand = $Operand + MetadataToken = $OpInt } # Return a custom object containing a position, instruction, and fully-qualified operand -- cgit v1.2.3 From 306a84fe81ef6a1d252eec4e0a9422480c6c52df Mon Sep 17 00:00:00 2001 
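Review bot: `MetadataToken = $OpInt` is emitted for every instruction, yet nothing in either hunk ties `$OpInt` to a token-bearing operand type; the assignment that fills it lies outside the hunks, and if it is set for every 4-byte operand (InlineI immediates and InlineBrTarget offsets are the obvious cases) then callers who feed the field to `Module.ResolveMember`, as the commit message recommends, will pass non-token values. Only the types Reflection.Emit defines as tokens (InlineMethod, InlineField, InlineType, InlineTok, InlineString, InlineSig) should populate the field, which presumably means guarding the `$OpInt` assignment or leaving it `$null` for the other 4-byte types. The reversed slice `$IL[($Position+$OperandLength-1)..$Position]` is the right fix for little-endian immediates, but the comment above it no longer describes what the line does; replace it with `# Emit the little-endian operand bytes most-significant first so the hex reads as the immediate value, not its memory order`. Note that for the 1-byte types the reversal is a no-op and for InlineR the hex is a raw double image either way, which is worth a word in the comment-based help. Both hunks sit inside a loop whose start and end are outside the hunk.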
From: mattifestation Date: Thu, 7 Nov 2013 08:04:16 -0500 Subject: Get-ILDisassembly now accepts ConstructorInfo objects --- ReverseEngineering/Get-ILDisassembly.ps1 | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) (limited to 'ReverseEngineering/Get-ILDisassembly.ps1') diff --git a/ReverseEngineering/Get-ILDisassembly.ps1 b/ReverseEngineering/Get-ILDisassembly.ps1 index b7293e0..af0c2a1 100644 --- a/ReverseEngineering/Get-ILDisassembly.ps1 +++ b/ReverseEngineering/Get-ILDisassembly.ps1 @@ -68,9 +68,9 @@ Disassembles the System.Array.BinarySearch(Array, Object) method .INPUTS -System.Reflection.MethodInfo +System.Reflection.MethodInfo, System.Reflection.ConstructorInfo -The method description containing the raw IL bytecodes. +A method or constructor description containing the raw IL bytecodes. .OUTPUTS @@ -88,7 +88,8 @@ http://www.ecma-international.org/publications/files/ECMA-ST/Ecma-335.pdf Param ( [Parameter(Mandatory = $True, ValueFromPipeline = $True)] - [System.Reflection.MethodInfo] + [ValidateScript({$_ -is [Reflection.MethodInfo] -or $_ -is [Reflection.ConstructorInfo]})] + [Object] $MethodInfo ) -- cgit v1.2.3 From 237d362acff8ef134f0ccc9150e6b6ab8a25e768 Mon Sep 17 00:00:00 2001 
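Review bot: Widening `$MethodInfo` to `[Object]` plus a `ValidateScript` gives up the static type for no reason: `System.Reflection.MethodBase` is the common base class of MethodInfo and ConstructorInfo and is where `GetMethodBody()` is declared, so `[System.Reflection.MethodBase] $MethodInfo` accepts both without a validation script. With `[Object]` and `ValueFromPipeline`, any pipeline object now binds to the parameter and fails with the generic "validation script" message instead of a clear type-conversion error; MethodBase keeps the former behaviour. If the validation script is kept, at least prefer the fully qualified names used elsewhere in the file and add an `ErrorMessage`-style hint in the script body. The Param block's enclosing function starts and ends outside the hunk.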
From: mattifestation Date: Wed, 13 Nov 2013 21:01:02 -0500 Subject: Normalized all scripts to ASCII encoding --- AntivirusBypass/AntivirusBypass.psd1 | 4 ++-- AntivirusBypass/AntivirusBypass.psm1 | 2 +- AntivirusBypass/Find-AVSignature.ps1 | 2 +- CodeExecution/CodeExecution.psd1 | 4 ++-- CodeExecution/CodeExecution.psm1 | 2 +- CodeExecution/Invoke-DllInjection.ps1 | 2 +- CodeExecution/Invoke-ReflectivePEInjection.ps1 | 2 +- CodeExecution/Invoke-ShellcodeMSIL.ps1 | 4 ++-- CodeExecution/Watch-BlueScreen.ps1 | 6 +++--- Exfiltration/Exfiltration.psd1 | 4 ++-- Exfiltration/Exfiltration.psm1 | 2 +- Exfiltration/Get-GPPPassword.ps1 | 2 +- Exfiltration/Get-Keystrokes.ps1 | 4 ++-- Exfiltration/Get-TimedScreenshot.ps1 | 2 +- Exfiltration/Invoke-Mimikatz.ps1 | 2 +- Exfiltration/Invoke-NinjaCopy.ps1 | 2 +- Exfiltration/Invoke-TokenManipulation.ps1 | 2 +- Exfiltration/Out-Minidump.ps1 | 4 ++-- PETools/Get-LibSymbols.format.ps1xml | 4 ++-- PETools/Get-LibSymbols.ps1 | 4 ++-- PETools/Get-ObjDump.format.ps1xml | 4 ++-- PETools/Get-ObjDump.ps1 | 4 ++-- PETools/Get-PEHeader.ps1 | 2 +- PETools/PETools.format.ps1xml | 2 +- PETools/PETools.psd1 | 4 ++-- PETools/PETools.psm1 | 2 +- Persistence/Add-Persistence.ps1 | 4 ++-- Persistence/New-ElevatedPersistenceOptions.ps1 | 4 ++-- Persistence/New-UserPersistenceOptions.ps1 | 4 ++-- Persistence/Persistence.psd1 | 4 ++-- Persistence/Persistence.psm1 | 4 ++-- PowerSploit.psd1 | 4 ++-- PowerSploit.psm1 | 2 +- Recon/Get-HttpStatus.ps1 | 2 +- Recon/Invoke-Portscan.ps1 | 2 +- Recon/Recon.psd1 | 8 ++++---- Recon/Recon.psm1 | 2 +- ReverseEngineering/ConvertTo-String.ps1 | 4 ++-- ReverseEngineering/Get-ILDisassembly.format.ps1xml | 4 ++-- ReverseEngineering/Get-ILDisassembly.ps1 | 2 +- ReverseEngineering/Get-MethodAddress.ps1 | 4 ++-- .../Get-NtSystemInformation.format.ps1xml | 2 +- ReverseEngineering/Get-NtSystemInformation.ps1 | 2 +- ReverseEngineering/Get-PEB.format.ps1xml | 2 +- ReverseEngineering/Get-PEB.ps1 | 4 ++-- 
ReverseEngineering/Get-Strings.ps1 | 4 ++-- ReverseEngineering/Get-StructFromMemory.ps1 | 4 ++-- ReverseEngineering/New-Object.ps1 | Bin 4376 -> 2189 bytes ReverseEngineering/ProcessModuleTrace.format.ps1xml | 4 ++-- ReverseEngineering/ProcessModuleTrace.ps1 | 4 ++-- ReverseEngineering/ReverseEngineering.psd1 | 2 +- ReverseEngineering/ReverseEngineering.psm1 | 2 +- ScriptModification/Out-CompressedDll.ps1 | 4 ++-- ScriptModification/Out-EncodedCommand.ps1 | 4 ++-- ScriptModification/Out-EncryptedScript.ps1 | 2 +- ScriptModification/Remove-Comments.ps1 | 4 ++-- ScriptModification/ScriptModification.psd1 | 4 ++-- ScriptModification/ScriptModification.psm1 | 2 +- 58 files changed, 91 insertions(+), 91 deletions(-) (limited to 'ReverseEngineering/Get-ILDisassembly.ps1') diff --git a/AntivirusBypass/AntivirusBypass.psd1 b/AntivirusBypass/AntivirusBypass.psd1 index ab2918b..29949c1 100644 --- a/AntivirusBypass/AntivirusBypass.psd1 +++ b/AntivirusBypass/AntivirusBypass.psd1 @@ -1,4 +1,4 @@ -@{ +@{ # Script module or binary module file associated with this manifest. ModuleToProcess = 'AntivirusBypass.psm1' @@ -84,4 +84,4 @@ FileList = 'AntivirusBypass.psm1', 'AntivirusBypass.psd1', 'Find-AVSignature.ps1 # Default prefix for commands exported from this module. Override the default prefix using Import-Module -Prefix. # DefaultCommandPrefix = '' -} \ No newline at end of file +} diff --git a/AntivirusBypass/AntivirusBypass.psm1 b/AntivirusBypass/AntivirusBypass.psm1 index e5234fb..81d3818 100644 --- a/AntivirusBypass/AntivirusBypass.psm1 +++ b/AntivirusBypass/AntivirusBypass.psm1 @@ -1 +1 @@ -Get-ChildItem (Join-Path $PSScriptRoot *.ps1) | % { . $_.FullName} \ No newline at end of file +Get-ChildItem (Join-Path $PSScriptRoot *.ps1) | % { . $_.FullName} diff --git a/AntivirusBypass/Find-AVSignature.ps1 b/AntivirusBypass/Find-AVSignature.ps1 index 80e2b1f..d2487b3 100644 --- a/AntivirusBypass/Find-AVSignature.ps1 +++ b/AntivirusBypass/Find-AVSignature.ps1 
@@ -183,4 +183,4 @@ http://heapoverflow.com/f0rums/project.php?issueid=34&filter=changes&page=2 #During testing using large binaries, memory usage was excessive so lets fix that [System.GC]::Collect() Write-Verbose "Completed!" -} \ No newline at end of file +} diff --git a/CodeExecution/CodeExecution.psd1 b/CodeExecution/CodeExecution.psd1 index 394c7de..07963fc 100644 --- a/CodeExecution/CodeExecution.psd1 +++ b/CodeExecution/CodeExecution.psd1 @@ -1,4 +1,4 @@ -@{ +@{ # Script module or binary module file associated with this manifest. ModuleToProcess = 'CodeExecution.psm1' @@ -85,4 +85,4 @@ FileList = 'CodeExecution.psm1', 'CodeExecution.psd1', 'Invoke-Shellcode.ps1', ' # Default prefix for commands exported from this module. Override the default prefix using Import-Module -Prefix. # DefaultCommandPrefix = '' -} \ No newline at end of file +} diff --git a/CodeExecution/CodeExecution.psm1 b/CodeExecution/CodeExecution.psm1 index e5234fb..81d3818 100644 --- a/CodeExecution/CodeExecution.psm1 +++ b/CodeExecution/CodeExecution.psm1 @@ -1 +1 @@ -Get-ChildItem (Join-Path $PSScriptRoot *.ps1) | % { . $_.FullName} \ No newline at end of file +Get-ChildItem (Join-Path $PSScriptRoot *.ps1) | % { . $_.FullName} diff --git a/CodeExecution/Invoke-DllInjection.ps1 b/CodeExecution/Invoke-DllInjection.ps1 index 572a911..8395ab8 100644 --- a/CodeExecution/Invoke-DllInjection.ps1 +++ b/CodeExecution/Invoke-DllInjection.ps1 @@ -325,4 +325,4 @@ http://www.exploit-monday.com } Write-Verbose "Injected DLL information:$($DllInfo)" -} \ No newline at end of file +} diff --git a/CodeExecution/Invoke-ReflectivePEInjection.ps1 b/CodeExecution/Invoke-ReflectivePEInjection.ps1 index ccc1dd6..599212b 100644 --- a/CodeExecution/Invoke-ReflectivePEInjection.ps1 +++ b/CodeExecution/Invoke-ReflectivePEInjection.ps1 @@ -2840,4 +2840,4 @@ Function Main } Main -} \ No newline at end of file +} 
diff --git a/CodeExecution/Invoke-ShellcodeMSIL.ps1 b/CodeExecution/Invoke-ShellcodeMSIL.ps1 index 4123d06..158a643 100644 --- a/CodeExecution/Invoke-ShellcodeMSIL.ps1 +++ b/CodeExecution/Invoke-ShellcodeMSIL.ps1 @@ -1,4 +1,4 @@ -function Invoke-ShellcodeMSIL +function Invoke-ShellcodeMSIL { <# .SYNOPSIS @@ -264,4 +264,4 @@ { Write-Verbose 'Shellcode executed successfully!' } -} \ No newline at end of file +} diff --git a/CodeExecution/Watch-BlueScreen.ps1 b/CodeExecution/Watch-BlueScreen.ps1 index 2fa317e..0a12a91 100644 --- a/CodeExecution/Watch-BlueScreen.ps1 +++ b/CodeExecution/Watch-BlueScreen.ps1 @@ -1,4 +1,4 @@ -function Watch-BlueScreen +function Watch-BlueScreen { <# .SYNOPSIS @@ -15,7 +15,7 @@ .NOTES Tavis Ormandy documented this technique on 2/3/2013 and Nikita Tarakanov - ‏tweeted this technique on 5/13/2013. + ?tweeted this technique on 5/13/2013. .LINK @@ -75,4 +75,4 @@ $Gdi32::SetLayout($DC, $LAYOUT_RTL) | Out-Null $Gdi32::ScaleWindowExtEx($DC, [Int32]::MinValue, -1, 1, 1, [IntPtr]::Zero) | Out-Null } -} \ No newline at end of file +} diff --git a/Exfiltration/Exfiltration.psd1 b/Exfiltration/Exfiltration.psd1 index 5268eb2..89359ef 100644 --- a/Exfiltration/Exfiltration.psd1 +++ b/Exfiltration/Exfiltration.psd1 @@ -1,4 +1,4 @@ -@{ +@{ # Script module or binary module file associated with this manifest. ModuleToProcess = 'Exfiltration.psm1' @@ -86,4 +86,4 @@ FileList = 'Exfiltration.psm1', 'Exfiltration.psd1', 'Get-TimedScreenshot.ps1', # Default prefix for commands exported from this module. Override the default prefix using Import-Module -Prefix. # DefaultCommandPrefix = '' -} \ No newline at end of file +} diff --git a/Exfiltration/Exfiltration.psm1 b/Exfiltration/Exfiltration.psm1 index e5234fb..81d3818 100644 --- a/Exfiltration/Exfiltration.psm1 +++ b/Exfiltration/Exfiltration.psm1 
@@ -1 +1 @@ -Get-ChildItem (Join-Path $PSScriptRoot *.ps1) | % { . $_.FullName} \ No newline at end of file +Get-ChildItem (Join-Path $PSScriptRoot *.ps1) | % { . $_.FullName} diff --git a/Exfiltration/Get-GPPPassword.ps1 b/Exfiltration/Get-GPPPassword.ps1 index 7dbd23d..12d2785 100644 --- a/Exfiltration/Get-GPPPassword.ps1 +++ b/Exfiltration/Get-GPPPassword.ps1 @@ -1,4 +1,4 @@ -function Get-GPPPassword { +function Get-GPPPassword { <# .SYNOPSIS diff --git a/Exfiltration/Get-Keystrokes.ps1 b/Exfiltration/Get-Keystrokes.ps1 index 48b7df6..75400a1 100644 --- a/Exfiltration/Get-Keystrokes.ps1 +++ b/Exfiltration/Get-Keystrokes.ps1 @@ -1,4 +1,4 @@ -function Get-Keystrokes { +function Get-Keystrokes { <# .SYNOPSIS @@ -246,4 +246,4 @@ } | Out-Null } -} \ No newline at end of file +} diff --git a/Exfiltration/Get-TimedScreenshot.ps1 b/Exfiltration/Get-TimedScreenshot.ps1 index c14c723..e1ca823 100644 --- a/Exfiltration/Get-TimedScreenshot.ps1 +++ b/Exfiltration/Get-TimedScreenshot.ps1 @@ -1,4 +1,4 @@ -function Get-TimedScreenshot +function Get-TimedScreenshot { <# .SYNOPSIS diff --git a/Exfiltration/Invoke-Mimikatz.ps1 b/Exfiltration/Invoke-Mimikatz.ps1 index 289652c..6eff83c 100644 --- a/Exfiltration/Invoke-Mimikatz.ps1 +++ b/Exfiltration/Invoke-Mimikatz.ps1 @@ -2710,4 +2710,4 @@ Function Main } Main -} \ No newline at end of file +} diff --git a/Exfiltration/Invoke-NinjaCopy.ps1 b/Exfiltration/Invoke-NinjaCopy.ps1 index cfa763f..7ff5bfa 100644 --- a/Exfiltration/Invoke-NinjaCopy.ps1 +++ b/Exfiltration/Invoke-NinjaCopy.ps1 @@ -2845,4 +2845,4 @@ Main [GC]::Collect() [GC]::Collect() -} \ No newline at end of file +} diff --git a/Exfiltration/Invoke-TokenManipulation.ps1 b/Exfiltration/Invoke-TokenManipulation.ps1 index c692299..7e56ef0 100644 --- a/Exfiltration/Invoke-TokenManipulation.ps1 +++ b/Exfiltration/Invoke-TokenManipulation.ps1 @@ -1,4 +1,4 @@ -function Invoke-TokenManipulation +function Invoke-TokenManipulation { <# .SYNOPSIS 
diff --git a/Exfiltration/Out-Minidump.ps1 b/Exfiltration/Out-Minidump.ps1 index afb7dc9..a43ee0f 100644 --- a/Exfiltration/Out-Minidump.ps1 +++ b/Exfiltration/Out-Minidump.ps1 @@ -1,4 +1,4 @@ -function Out-Minidump +function Out-Minidump { <# .SYNOPSIS @@ -127,4 +127,4 @@ } END {} -} \ No newline at end of file +} diff --git a/PETools/Get-LibSymbols.format.ps1xml b/PETools/Get-LibSymbols.format.ps1xml index 41747cb..5d4d848 100644 --- a/PETools/Get-LibSymbols.format.ps1xml +++ b/PETools/Get-LibSymbols.format.ps1xml @@ -1,4 +1,4 @@ - + @@ -28,4 +28,4 @@ - \ No newline at end of file + diff --git a/PETools/Get-LibSymbols.ps1 b/PETools/Get-LibSymbols.ps1 index 414454f..9864676 100644 --- a/PETools/Get-LibSymbols.ps1 +++ b/PETools/Get-LibSymbols.ps1 @@ -1,4 +1,4 @@ -function Get-LibSymbols +function Get-LibSymbols { <# .SYNOPSIS @@ -279,4 +279,4 @@ } END {} -} \ No newline at end of file +} diff --git a/PETools/Get-ObjDump.format.ps1xml b/PETools/Get-ObjDump.format.ps1xml index d44ade0..25e13b8 100644 --- a/PETools/Get-ObjDump.format.ps1xml +++ b/PETools/Get-ObjDump.format.ps1xml @@ -1,4 +1,4 @@ - + @@ -289,4 +289,4 @@ - \ No newline at end of file + diff --git a/PETools/Get-ObjDump.ps1 b/PETools/Get-ObjDump.ps1 index 3df8235..2a8ebcb 100644 --- a/PETools/Get-ObjDump.ps1 +++ b/PETools/Get-ObjDump.ps1 @@ -1,4 +1,4 @@ -function Get-ObjDump +function Get-ObjDump { <# .SYNOPSIS @@ -705,4 +705,4 @@ } END {} -} \ No newline at end of file +} diff --git a/PETools/Get-PEHeader.ps1 b/PETools/Get-PEHeader.ps1 index 2f35292..0021377 100644 --- a/PETools/Get-PEHeader.ps1 +++ b/PETools/Get-PEHeader.ps1 @@ -957,4 +957,4 @@ PROCESS { } -} \ No newline at end of file +} diff --git a/PETools/PETools.format.ps1xml b/PETools/PETools.format.ps1xml index 17d2c56..c510281 100644 --- a/PETools/PETools.format.ps1xml +++ b/PETools/PETools.format.ps1xml @@ -371,4 +371,4 @@ - \ No newline at end of file + diff --git a/PETools/PETools.psd1 b/PETools/PETools.psd1 index 28a60b9..ef470a7 100644 
--- a/PETools/PETools.psd1 +++ b/PETools/PETools.psd1 @@ -1,4 +1,4 @@ -@{ +@{ # Script module or binary module file associated with this manifest. ModuleToProcess = 'PETools.psm1' @@ -86,4 +86,4 @@ FileList = 'PETools.psm1', 'PETools.psd1', 'PETools.format.ps1xml', 'Get-DllLoad # Default prefix for commands exported from this module. Override the default prefix using Import-Module -Prefix. # DefaultCommandPrefix = '' -} \ No newline at end of file +} diff --git a/PETools/PETools.psm1 b/PETools/PETools.psm1 index e5234fb..81d3818 100644 --- a/PETools/PETools.psm1 +++ b/PETools/PETools.psm1 @@ -1 +1 @@ -Get-ChildItem (Join-Path $PSScriptRoot *.ps1) | % { . $_.FullName} \ No newline at end of file +Get-ChildItem (Join-Path $PSScriptRoot *.ps1) | % { . $_.FullName} diff --git a/Persistence/Add-Persistence.ps1 b/Persistence/Add-Persistence.ps1 index cd04fbf..27d7ba7 100644 --- a/Persistence/Add-Persistence.ps1 +++ b/Persistence/Add-Persistence.ps1 @@ -1,4 +1,4 @@ -function Add-Persistence +function Add-Persistence { <# .SYNOPSIS @@ -397,4 +397,4 @@ $UserTriggerRemoval } #endregion -} \ No newline at end of file +} diff --git a/Persistence/New-ElevatedPersistenceOptions.ps1 b/Persistence/New-ElevatedPersistenceOptions.ps1 index 4e11dee..5e04286 100644 --- a/Persistence/New-ElevatedPersistenceOptions.ps1 +++ b/Persistence/New-ElevatedPersistenceOptions.ps1 @@ -1,4 +1,4 @@ -function New-ElevatedPersistenceOptions +function New-ElevatedPersistenceOptions { <# .SYNOPSIS @@ -167,4 +167,4 @@ $PersistenceOptions.PSObject.TypeNames[0] = 'PowerSploit.Persistence.ElevatedPersistenceOptions' Write-Output $PersistenceOptions -} \ No newline at end of file +} diff --git a/Persistence/New-UserPersistenceOptions.ps1 b/Persistence/New-UserPersistenceOptions.ps1 index 9672c2e..3b33ffa 100644 --- a/Persistence/New-UserPersistenceOptions.ps1 +++ b/Persistence/New-UserPersistenceOptions.ps1 
@@ -1,4 +1,4 @@ -function New-UserPersistenceOptions +function New-UserPersistenceOptions { <# .SYNOPSIS @@ -125,4 +125,4 @@ $PersistenceOptions.PSObject.TypeNames[0] = 'PowerSploit.Persistence.UserPersistenceOptions' Write-Output $PersistenceOptions -} \ No newline at end of file +} diff --git a/Persistence/Persistence.psd1 b/Persistence/Persistence.psd1 index 21a7871..de97697 100644 --- a/Persistence/Persistence.psd1 +++ b/Persistence/Persistence.psd1 @@ -1,4 +1,4 @@ -@{ +@{ # Script module or binary module file associated with this manifest. ModuleToProcess = 'Persistence.psm1' @@ -34,4 +34,4 @@ ModuleList = @(@{ModuleName = 'Persistence'; ModuleVersion = '1.0.0.0'; GUID = ' FileList = 'Persistence.psm1', 'Persistence.psd1', 'Add-Persistence.ps1', 'New-ElevatedPersistenceOptions.ps1', 'New-UserPersistenceOptions.ps1', 'Usage.md' -} \ No newline at end of file +} diff --git a/Persistence/Persistence.psm1 b/Persistence/Persistence.psm1 index 4478ee1..04f36be 100644 --- a/Persistence/Persistence.psm1 +++ b/Persistence/Persistence.psm1 @@ -1,3 +1,3 @@ -. (Join-Path $PSScriptRoot New-ElevatedPersistenceOptions.ps1) +. (Join-Path $PSScriptRoot New-ElevatedPersistenceOptions.ps1) . (Join-Path $PSScriptRoot New-UserPersistenceOptions.ps1) -. (Join-Path $PSScriptRoot Add-Persistence.ps1) \ No newline at end of file +. (Join-Path $PSScriptRoot Add-Persistence.ps1) diff --git a/PowerSploit.psd1 b/PowerSploit.psd1 index 8c7f939..54156d2 100644 --- a/PowerSploit.psd1 +++ b/PowerSploit.psd1 @@ -1,4 +1,4 @@ -@{ +@{ # Script module or binary module file associated with this manifest. ModuleToProcess = 'PowerSploit.psm1' @@ -93,4 +93,4 @@ FileList = 'PowerSploit.psd1', 'PowerSploit.psm1' # Default prefix for commands exported from this module. Override the default prefix using Import-Module -Prefix. # DefaultCommandPrefix = '' -} \ No newline at end of file +} diff --git a/PowerSploit.psm1 b/PowerSploit.psm1 index 430c1b8..5ea3b62 100644 --- a/PowerSploit.psm1 
+++ b/PowerSploit.psm1 @@ -1 +1 @@ -Get-ChildItem $PSScriptRoot | ? { $_.PSIsContainer } | % { Import-Module $_.FullName } \ No newline at end of file +Get-ChildItem $PSScriptRoot | ? { $_.PSIsContainer } | % { Import-Module $_.FullName } diff --git a/Recon/Get-HttpStatus.ps1 b/Recon/Get-HttpStatus.ps1 index fde3d26..8b60306 100644 --- a/Recon/Get-HttpStatus.ps1 +++ b/Recon/Get-HttpStatus.ps1 @@ -137,4 +137,4 @@ http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html Write-Output $ScanObject } -} \ No newline at end of file +} diff --git a/Recon/Invoke-Portscan.ps1 b/Recon/Invoke-Portscan.ps1 index ab03734..99bbb89 100644 --- a/Recon/Invoke-Portscan.ps1 +++ b/Recon/Invoke-Portscan.ps1 @@ -1,4 +1,4 @@ -function Invoke-Portscan +function Invoke-Portscan { <# .SYNOPSIS diff --git a/Recon/Recon.psd1 b/Recon/Recon.psd1 index 43ba3a1..88287ef 100644 --- a/Recon/Recon.psd1 +++ b/Recon/Recon.psd1 @@ -1,4 +1,4 @@ -@{ +@{ # Script module or binary module file associated with this manifest. ModuleToProcess = 'Recon.psm1' @@ -72,9 +72,9 @@ AliasesToExport = '' # List of all modules packaged with this module. ModuleList = @(@{ModuleName = 'Recon'; ModuleVersion = '1.0.0.0'; GUID = '7e775ad6-cd3d-4a93-b788-da067274c877'}) -# List of all files packaged with this module +# List of all files packaged with this module FileList = 'Recon.psm1', 'Recon.psd1', 'Get-HttpStatus.ps1', 'Invoke-ReverseDnsLookup.ps1', - 'Invoke-Portscan.ps1', 'Usage.md' + 'Invoke-Portscan.ps1', 'Usage.md' # Private data to pass to the module specified in RootModule/ModuleToProcess # PrivateData = '' @@ -85,4 +85,4 @@ FileList = 'Recon.psm1', 'Recon.psd1', 'Get-HttpStatus.ps1', 'Invoke-ReverseDnsL # Default prefix for commands exported from this module. Override the default prefix using Import-Module -Prefix. # DefaultCommandPrefix = '' -} \ No newline at end of file +} diff --git a/Recon/Recon.psm1 b/Recon/Recon.psm1 index e5234fb..81d3818 100644 --- a/Recon/Recon.psm1 +++ b/Recon/Recon.psm1 
@@ -1 +1 @@ -Get-ChildItem (Join-Path $PSScriptRoot *.ps1) | % { . $_.FullName} \ No newline at end of file +Get-ChildItem (Join-Path $PSScriptRoot *.ps1) | % { . $_.FullName} diff --git a/ReverseEngineering/ConvertTo-String.ps1 b/ReverseEngineering/ConvertTo-String.ps1 index ab46c74..1c030b4 100644 --- a/ReverseEngineering/ConvertTo-String.ps1 +++ b/ReverseEngineering/ConvertTo-String.ps1 @@ -1,4 +1,4 @@ -filter ConvertTo-String +filter ConvertTo-String { <# .SYNOPSIS @@ -67,4 +67,4 @@ http://www.exploit-monday.com $FileStream.Close() Write-Output $BinaryText -} \ No newline at end of file +} diff --git a/ReverseEngineering/Get-ILDisassembly.format.ps1xml b/ReverseEngineering/Get-ILDisassembly.format.ps1xml index 3c610cc..21115d6 100644 --- a/ReverseEngineering/Get-ILDisassembly.format.ps1xml +++ b/ReverseEngineering/Get-ILDisassembly.format.ps1xml @@ -1,4 +1,4 @@ - + @@ -43,4 +43,4 @@ - \ No newline at end of file + diff --git a/ReverseEngineering/Get-ILDisassembly.ps1 b/ReverseEngineering/Get-ILDisassembly.ps1 index af0c2a1..f2022e3 100644 --- a/ReverseEngineering/Get-ILDisassembly.ps1 +++ b/ReverseEngineering/Get-ILDisassembly.ps1 @@ -212,4 +212,4 @@ http://www.ecma-international.org/publications/files/ECMA-ST/Ecma-335.pdf # Adjust the position in the opcode array accordingly $Position += $OperandLength } -} \ No newline at end of file +} diff --git a/ReverseEngineering/Get-MethodAddress.ps1 b/ReverseEngineering/Get-MethodAddress.ps1 index 4a488cf..1ab0d41 100644 --- a/ReverseEngineering/Get-MethodAddress.ps1 +++ b/ReverseEngineering/Get-MethodAddress.ps1 @@ -1,4 +1,4 @@ -function Get-MethodAddress +function Get-MethodAddress { <# .SYNOPSIS @@ -117,4 +117,4 @@ http://www.exploit-monday.com/2012/11/Get-MethodAddress.html { Write-Error "$($MethodInfo.Name) cannot return an unmanaged address." } -} \ No newline at end of file +} 
diff --git a/ReverseEngineering/Get-NtSystemInformation.format.ps1xml b/ReverseEngineering/Get-NtSystemInformation.format.ps1xml index 41b5280..fa3ed41 100644 --- a/ReverseEngineering/Get-NtSystemInformation.format.ps1xml +++ b/ReverseEngineering/Get-NtSystemInformation.format.ps1xml @@ -437,4 +437,4 @@ - \ No newline at end of file + diff --git a/ReverseEngineering/Get-NtSystemInformation.ps1 b/ReverseEngineering/Get-NtSystemInformation.ps1 index bb0871a..2bde8f6 100644 --- a/ReverseEngineering/Get-NtSystemInformation.ps1 +++ b/ReverseEngineering/Get-NtSystemInformation.ps1 @@ -1,4 +1,4 @@ -function Get-NtSystemInformation +function Get-NtSystemInformation { <# .SYNOPSIS diff --git a/ReverseEngineering/Get-PEB.format.ps1xml b/ReverseEngineering/Get-PEB.format.ps1xml index 3d075eb..59b5362 100644 --- a/ReverseEngineering/Get-PEB.format.ps1xml +++ b/ReverseEngineering/Get-PEB.format.ps1xml @@ -1207,4 +1207,4 @@ - \ No newline at end of file + diff --git a/ReverseEngineering/Get-PEB.ps1 b/ReverseEngineering/Get-PEB.ps1 index 86e064d..7ec5089 100644 --- a/ReverseEngineering/Get-PEB.ps1 +++ b/ReverseEngineering/Get-PEB.ps1 @@ -1,4 +1,4 @@ -function Get-PEB +function Get-PEB { <# .SYNOPSIS @@ -1089,4 +1089,4 @@ http://msdn.microsoft.com/en-us/library/windows/desktop/aa813706(v=vs.85).aspx END{} -} \ No newline at end of file +} diff --git a/ReverseEngineering/Get-Strings.ps1 b/ReverseEngineering/Get-Strings.ps1 index 7acb9f1..2cb971c 100644 --- a/ReverseEngineering/Get-Strings.ps1 +++ b/ReverseEngineering/Get-Strings.ps1 @@ -1,4 +1,4 @@ -function Get-Strings +function Get-Strings { <# .SYNOPSIS @@ -95,4 +95,4 @@ http://www.exploit-monday.com } } END {} -} \ No newline at end of file +} diff --git a/ReverseEngineering/Get-StructFromMemory.ps1 b/ReverseEngineering/Get-StructFromMemory.ps1 index c32c190..68f7651 100644 --- a/ReverseEngineering/Get-StructFromMemory.ps1 +++ b/ReverseEngineering/Get-StructFromMemory.ps1 
@@ -1,4 +1,4 @@ -function Get-StructFromMemory +function Get-StructFromMemory { <# .SYNOPSIS @@ -200,4 +200,4 @@ http://www.exploit-monday.com $SafeHandle.Close() Write-Output $ParsedStruct -} \ No newline at end of file +} diff --git a/ReverseEngineering/New-Object.ps1 b/ReverseEngineering/New-Object.ps1 index 77b24f6..52c38c8 100644 Binary files a/ReverseEngineering/New-Object.ps1 and b/ReverseEngineering/New-Object.ps1 differ diff --git a/ReverseEngineering/ProcessModuleTrace.format.ps1xml b/ReverseEngineering/ProcessModuleTrace.format.ps1xml index fbad0b9..ffb6761 100644 --- a/ReverseEngineering/ProcessModuleTrace.format.ps1xml +++ b/ReverseEngineering/ProcessModuleTrace.format.ps1xml @@ -1,4 +1,4 @@ - + @@ -33,4 +33,4 @@ - \ No newline at end of file + diff --git a/ReverseEngineering/ProcessModuleTrace.ps1 b/ReverseEngineering/ProcessModuleTrace.ps1 index 3eb57a7..85f7105 100644 --- a/ReverseEngineering/ProcessModuleTrace.ps1 +++ b/ReverseEngineering/ProcessModuleTrace.ps1 @@ -1,4 +1,4 @@ -function Register-ProcessModuleTrace +function Register-ProcessModuleTrace { <# .SYNOPSIS @@ -100,4 +100,4 @@ function Unregister-ProcessModuleTrace #> Unregister-Event -SourceIdentifier 'ModuleLoaded' -} \ No newline at end of file +} diff --git a/ReverseEngineering/ReverseEngineering.psd1 b/ReverseEngineering/ReverseEngineering.psd1 index b7da355..de364e1 100644 --- a/ReverseEngineering/ReverseEngineering.psd1 +++ b/ReverseEngineering/ReverseEngineering.psd1 @@ -1,4 +1,4 @@ -@{ +@{ # Script module or binary module file associated with this manifest. ModuleToProcess = 'ReverseEngineering.psm1' diff --git a/ReverseEngineering/ReverseEngineering.psm1 b/ReverseEngineering/ReverseEngineering.psm1 index 5bb81d3..81d3818 100644 --- a/ReverseEngineering/ReverseEngineering.psm1 +++ b/ReverseEngineering/ReverseEngineering.psm1 
@@ -1 +1 @@ -Get-ChildItem (Join-Path $PSScriptRoot *.ps1) | % { . $_.FullName} \ No newline at end of file +Get-ChildItem (Join-Path $PSScriptRoot *.ps1) | % { . $_.FullName} diff --git a/ScriptModification/Out-CompressedDll.ps1 b/ScriptModification/Out-CompressedDll.ps1 index 3aa5c2b..5e6897d 100644 --- a/ScriptModification/Out-CompressedDll.ps1 +++ b/ScriptModification/Out-CompressedDll.ps1 @@ -1,4 +1,4 @@ -function Out-CompressedDll +function Out-CompressedDll { <# .SYNOPSIS @@ -78,4 +78,4 @@ $EncodedCompressedFile "@ Write-Output $Output -} \ No newline at end of file +} diff --git a/ScriptModification/Out-EncodedCommand.ps1 b/ScriptModification/Out-EncodedCommand.ps1 index cae4715..04e8c12 100644 --- a/ScriptModification/Out-EncodedCommand.ps1 +++ b/ScriptModification/Out-EncodedCommand.ps1 @@ -1,4 +1,4 @@ -function Out-EncodedCommand +function Out-EncodedCommand { <# .SYNOPSIS @@ -181,4 +181,4 @@ http://www.exploit-monday.com } Write-Output $CommandLineOutput -} \ No newline at end of file +} diff --git a/ScriptModification/Out-EncryptedScript.ps1 b/ScriptModification/Out-EncryptedScript.ps1 index 3f09020..4fc69cf 100644 --- a/ScriptModification/Out-EncryptedScript.ps1 +++ b/ScriptModification/Out-EncryptedScript.ps1 @@ -126,4 +126,4 @@ return $encoding.GetString($h,0,$h.Length); Write-Verbose "Encrypted PS1 file saved to: $(Resolve-Path $FilePath)" -} \ No newline at end of file +} diff --git a/ScriptModification/Remove-Comments.ps1 b/ScriptModification/Remove-Comments.ps1 index ec75927..45a9746 100644 --- a/ScriptModification/Remove-Comments.ps1 +++ b/ScriptModification/Remove-Comments.ps1 @@ -1,4 +1,4 @@ -function Remove-Comments +function Remove-Comments { <# .SYNOPSIS @@ -153,4 +153,4 @@ http://www.leeholmes.com/blog/2007/11/07/syntax-highlighting-in-powershell/ } Write-Output ([ScriptBlock]::Create($StringBuilder.ToString())) -} \ No newline at end of file +} 
diff --git a/ScriptModification/ScriptModification.psd1 b/ScriptModification/ScriptModification.psd1 index 7393c29..d326c12 100644 --- a/ScriptModification/ScriptModification.psd1 +++ b/ScriptModification/ScriptModification.psd1 @@ -1,4 +1,4 @@ -@{ +@{ # Script module or binary module file associated with this manifest. ModuleToProcess = 'ScriptModification.psm1' @@ -85,4 +85,4 @@ FileList = 'ScriptModification.psm1', 'ScriptModification.psd1', 'Out-Compressed # Default prefix for commands exported from this module. Override the default prefix using Import-Module -Prefix. # DefaultCommandPrefix = '' -} \ No newline at end of file +} diff --git a/ScriptModification/ScriptModification.psm1 b/ScriptModification/ScriptModification.psm1 index 5bb81d3..81d3818 100644 --- a/ScriptModification/ScriptModification.psm1 +++ b/ScriptModification/ScriptModification.psm1 @@ -1 +1 @@ -Get-ChildItem (Join-Path $PSScriptRoot *.ps1) | % { . $_.FullName} \ No newline at end of file +Get-ChildItem (Join-Path $PSScriptRoot *.ps1) | % { . $_.FullName} -- cgit v1.2.3 From 5fede76351dd5a182f4ff88d4db4b7eeaeacbb98 Mon Sep 17 00:00:00 2001 
From: mattifestation Date: Sun, 19 Jan 2014 13:56:32 -0500 Subject: Capstone module now incorporates framework 2.0RC1 * I also moved the contents of Get-CSDisassembly.ps1 into Capstone.psm1 --- Capstone/Capstone.psd1 | 13 +- Capstone/Capstone.psm1 | 169 ++++++++++++++++++++- Capstone/Get-CSDisassembly.ps1 | 119 --------------- Capstone/lib/capstone.dll | Bin 80384 -> 90624 bytes Capstone/lib/place_capstone.dll_here | 0 Capstone/lib/x64/libcapstone.dll | Bin 6326103 -> 3628019 bytes Capstone/lib/x64/place_64-bit_libcapstone.dll_here | 0 Capstone/lib/x86/libcapstone.dll | Bin 6327686 -> 3621531 bytes Capstone/lib/x86/place_32-bit_libcapstone.dll_here | 0 ReverseEngineering/Get-ILDisassembly.ps1 | 2 +- 10 files changed, 176 insertions(+), 127 deletions(-) delete mode 100644 Capstone/Get-CSDisassembly.ps1 create mode 100644 Capstone/lib/place_capstone.dll_here create mode 100644 Capstone/lib/x64/place_64-bit_libcapstone.dll_here create mode 100644 Capstone/lib/x86/place_32-bit_libcapstone.dll_here (limited to 'ReverseEngineering/Get-ILDisassembly.ps1') diff --git a/Capstone/Capstone.psd1 b/Capstone/Capstone.psd1 index 5da5a94..d85443f 100644 --- a/Capstone/Capstone.psd1 +++ b/Capstone/Capstone.psd1 @@ -4,7 +4,7 @@ ModuleToProcess = 'Capstone.psm1' # Version number of this module. -ModuleVersion = '1.0.0.0' +ModuleVersion = '2.0.0.0' # ID used to uniquely identify this module GUID = 'bc335667-02fd-46c4-a3d9-0a5113c9c03b' @@ -13,7 +13,7 @@ GUID = 'bc335667-02fd-46c4-a3d9-0a5113c9c03b' Author = 'Matthew Graeber' # Copyright statement for this module -Copyright = 'BSD 3-Clause' +Copyright = 'see LICENSE.TXT' # Description of the functionality provided by this module Description = 'Capstone Disassembly Framework Binding Module' 
@@ -39,9 +39,10 @@ ModuleList = @(@{ModuleName = 'Capstone'; ModuleVersion = '1.0.0.0'; GUID = 'bc3 # List of all files packaged with this module FileList = 'Capstone.psm1', 'Capstone.psd1', - 'Get-CSDisassembly.ps1', - 'Usage.md', + 'Get-CSDisassembly.format.ps1xml', + 'LICENSE.TXT', + 'README', 'lib/capstone.dll', - 'lib/libcapstone.dll' - + 'lib/x86/libcapstone.dll', + 'lib/x64/libcapstone.dll' } diff --git a/Capstone/Capstone.psm1 b/Capstone/Capstone.psm1 index 81d3818..b9829e7 100644 --- a/Capstone/Capstone.psm1 +++ b/Capstone/Capstone.psm1 
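Review bot: The hunk header shows the ModuleList entry still carrying `ModuleVersion = '1.0.0.0'` for Capstone, while the first hunk of this file bumps the top-level `ModuleVersion` to '2.0.0.0'; the two should agree, i.e. `ModuleList = @(@{ModuleName = 'Capstone'; ModuleVersion = '2.0.0.0'; GUID = 'bc335667-02fd-46c4-a3d9-0a5113c9c03b'})`. FileList now names `Get-CSDisassembly.format.ps1xml`, `LICENSE.TXT` and `README`, none of which appears in this commit's diffstat; if they are not already in the repository the manifest will point at files that do not ship, which a `Test-ModuleManifest` run before merging would catch. The FileList hunk is also the only place the removed `Get-CSDisassembly.ps1` is dropped, so the dot-sourcing the old psm1 did is gone and the functions must come from the psm1 itself, as the next file section shows.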
@@ -1 +1,168 @@
-Get-ChildItem (Join-Path $PSScriptRoot *.ps1) | % { . $_.FullName}
+#Requires -Modules Capstone
+
+function Get-CSDisassembly
+{
+<#
+.SYNOPSIS
+
+ Disassembles a byte array using the Capstone Engine disassembly framework.
+
+ PowerSploit Function: Get-CSDisassembly
+ Author: Matthew Graeber (@mattifestation)
+ License: See LICENSE.TXT
+ Required Dependencies: lib\capstone.dll, lib\[x86|x64]\libcapstone.dll
+ Optional Dependencies: None
+
+.DESCRIPTION
+
+ Get-CSDisassembly is compatible on 32 and 64-bit.
+
+.PARAMETER Architecture
+
+ Specifies the architecture of the code to be disassembled.
+
+.PARAMETER Mode
+
+ Specifies the mode in which to disassemble code. For example, to disassemble Amd64 code, architecture is set to 'X86' and Mode is set to 'MODE_64'.
+
+.PARAMETER Code
+
+ A byte array consisting of the code to be disassembled.
+
+.PARAMETER Offset
+
+ Specifies the starting address of the disassembly listing.
+
+.PARAMETER Count
+
+ Specifies the maximum number of instructions to disassemble.
+
+.PARAMETER Syntax
+
+ Specifies the syntax flavor to be used (INTEL vs. ATT).
+
+.PARAMETER DetailOn
+
+ Specifies that detailed parsing should be performed - i.e. provide detailed information for each disassembled instruction.
+
+.PARAMETER Verstion
+
+ Prints the running Capstone Framework version.
+
+.EXAMPLE
+
+ $Bytes = [Byte[]] @( 0x8D, 0x4C, 0x32, 0x08, 0x01, 0xD8, 0x81, 0xC6, 0x34, 0x12, 0x00, 0x00 )
+ Get-CSDisassembly -Architecture X86 -Mode Mode16 -Code $Bytes -Offset 0x1000
+
+ $Bytes = [Byte[]] @( 0x8D, 0x4C, 0x32, 0x08, 0x01, 0xD8, 0x81, 0xC6, 0x34, 0x12, 0x00, 0x00 )
+ Get-CSDisassembly -Architecture X86 -Mode Mode32 -Code $Bytes
+
+ $Bytes = [Byte[]] @( 0x8D, 0x4C, 0x32, 0x08, 0x01, 0xD8, 0x81, 0xC6, 0x34, 0x12, 0x00, 0x00 )
+ Get-CSDisassembly -Architecture X86 -Mode Mode32 -Code $Bytes -Syntax ATT
+
+ $Bytes = [Byte[]] @( 0x55, 0x48, 0x8b, 0x05, 0xb8, 0x13, 0x00, 0x00 )
+ Get-CSDisassembly -Architecture X86 -Mode Mode64 -Code $Bytes -DetailOn
+
+ $Bytes = [Byte[]] @( 0xED, 0xFF, 0xFF, 0xEB, 0x04, 0xe0, 0x2d, 0xe5, 0x00, 0x00, 0x00, 0x00, 0xe0, 0x83, 0x22, 0xe5, 0xf1, 0x02, 0x03, 0x0e, 0x00, 0x00, 0xa0, 0xe3, 0x02, 0x30, 0xc1, 0xe7, 0x00, 0x00, 0x53, 0xe3 )
+ Get-CSDisassembly -Architecture Arm -Mode Arm -Code $Bytes
+
+ $Bytes = [Byte[]] @( 0x4f, 0xf0, 0x00, 0x01, 0xbd, 0xe8, 0x00, 0x88, 0xd1, 0xe8, 0x00, 0xf0 )
+ Get-CSDisassembly -Architecture Arm -Mode Thumb -Code $Bytes
+
+ $Bytes = [Byte[]] @( 0x10, 0xf1, 0x10, 0xe7, 0x11, 0xf2, 0x31, 0xe7, 0xdc, 0xa1, 0x2e, 0xf3, 0xe8, 0x4e, 0x62, 0xf3 )
+ Get-CSDisassembly -Architecture Arm -Mode Arm -Code $Bytes
+
+ $Bytes = [Byte[]] @( 0x70, 0x47, 0xeb, 0x46, 0x83, 0xb0, 0xc9, 0x68 )
+ Get-CSDisassembly -Architecture Arm -Mode Thumb -Code $Bytes -DetailOn
+
+ $Bytes = [Byte[]] @( 0x21, 0x7c, 0x02, 0x9b, 0x21, 0x7c, 0x00, 0x53, 0x00, 0x40, 0x21, 0x4b, 0xe1, 0x0b, 0x40, 0xb9 )
+ Get-CSDisassembly -Architecture Arm64 -Mode Arm -Code $Bytes
+
+ $Bytes = [Byte[]] @( 0x0C, 0x10, 0x00, 0x97, 0x00, 0x00, 0x00, 0x00, 0x24, 0x02, 0x00, 0x0c, 0x8f, 0xa2, 0x00, 0x00, 0x34, 0x21, 0x34, 0x56 )
+ Get-CSDisassembly -Architecture Mips -Mode 'Mode32, BigEndian' -Code $Bytes
+
+ $Bytes = [Byte[]] @( 0x56, 0x34, 0x21, 0x34, 0xc2, 0x17, 0x01, 0x00 )
+ Get-CSDisassembly -Architecture Mips -Mode 'Mode64, LittleEndian' -Code $Bytes
+
+ $Bytes = [Byte[]] @( 0x80, 0x20, 0x00, 0x00, 0x80, 0x3f, 0x00, 0x00, 0x10, 0x43, 0x23, 0x0e, 0xd0, 0x44, 0x00, 0x80, 0x4c, 0x43, 0x22, 0x02, 0x2d, 0x03, 0x00, 0x80, 0x7c, 0x43, 0x20, 0x14, 0x7c, 0x43, 0x20, 0x93, 0x4f, 0x20, 0x00, 0x21, 0x4c, 0xc8, 0x00, 0x21 )
+ Get-CSDisassembly -Architecture PPC -Mode BigEndian -Code $Bytes
+
+.INPUTS
+
+ None
+
+ You cannot pipe objects to Get-CSDisassembly.
+
+.OUTPUTS
+
+ Capstone.Instruction[]
+
+ Get-CSDisassembly returns an array of Instruction objects.
+#>
+
+ [OutputType([Capstone.Instruction])]
+ [CmdletBinding(DefaultParameterSetName = 'Disassemble')]
+ Param (
+ [Parameter(Mandatory, ParameterSetName = 'Disassemble')]
+ [Capstone.Architecture]
+ $Architecture,
+
+ [Parameter(Mandatory, ParameterSetName = 'Disassemble')]
+ [Capstone.Mode]
+ $Mode,
+
+ [Parameter(Mandatory, ParameterSetName = 'Disassemble')]
+ [ValidateNotNullOrEmpty()]
+ [Byte[]]
+ $Code,
+
+ [Parameter( ParameterSetName = 'Disassemble' )]
+ [UInt64]
+ $Offset = 0,
+
+ [Parameter( ParameterSetName = 'Disassemble' )]
+ [UInt32]
+ $Count = 0,
+
+ [Parameter( ParameterSetName = 'Disassemble' )]
+ [ValidateSet('Intel', 'ATT')]
+ [String]
+ $Syntax,
+
+ [Parameter( ParameterSetName = 'Disassemble' )]
+ [Switch]
+ $DetailOn,
+
+ [Parameter( ParameterSetName = 'Version' )]
+ [Switch]
+ $Version
+ )
+
+ if ($PsCmdlet.ParameterSetName -eq 'Version')
+ {
+ $Disassembly = New-Object Capstone.Capstone([Capstone.Architecture]::X86, [Capstone.Mode]::Mode16)
+ $Disassembly.Version
+
+ return
+ }
+
+ $Disassembly = New-Object Capstone.Capstone($Architecture, $Mode)
+
+ if ($Syntax)
+ {
+ switch ($Syntax)
+ {
+ 'Intel' { $SyntaxMode = [Capstone.OptionValue]::SyntaxIntel }
+ 'ATT' { $SyntaxMode = [Capstone.OptionValue]::SyntaxATT }
+ }
+
+ $Disassembly.SetSyntax($SyntaxMode)
+ }
+
+ if ($DetailOn)
+ {
+ $Disassembly.SetDetail($True)
+ }
+
+ $Disassembly.Disassemble($Code, $Offset, $Count)
+}
\ No newline at end of file
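Review bot: The help block has `.PARAMETER Verstion` while the parameter itself is `$Version`, so Get-Help will not attach that description to -Version; it should read `.PARAMETER Version`. The `.PARAMETER Mode` text says Mode is set to 'MODE_64', but the examples and the `[Capstone.Mode]` values used below (`Mode16`, `Mode32`, `Mode64`) spell it `Mode64`, so the prose should say `Mode64`. All twelve examples sit under one `.EXAMPLE` keyword, so comment-based help renders them as a single example; the deleted Get-CSDisassembly.ps1 used one `.EXAMPLE` per case, which is the convention to keep. Neither the Version branch nor the Disassemble path releases `$Disassembly`; if Capstone.Capstone wraps a native engine handle and implements IDisposable (not verifiable from this hunk), a try/finally with `$Disassembly.Dispose()` would avoid leaking one handle per call. `#Requires -Modules Capstone` at the top of Capstone's own root module also looks self-referential and is worth confirming against an actual Import-Module of the manifest.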
diff --git a/Capstone/Get-CSDisassembly.ps1 b/Capstone/Get-CSDisassembly.ps1
deleted file mode 100644
index 257ba96..0000000
--- a/Capstone/Get-CSDisassembly.ps1
+++ /dev/null
@@ -1,119 +0,0 @@
-#requires -Version 3
-
-function Get-CSDisassembly
-{
-<#
-.SYNOPSIS
-
- Disassembles a byte array using the Capstone Engine disassembly framework.
-
- PowerSploit Function: Get-CSDisassembly
- Author: Matthew Graeber (@mattifestation)
- License: See LICENSE.TXT
- Required Dependencies: lib\capstone.dll, lib\[x86|x64]\libcapstone.dll
- Optional Dependencies: None
-
-.DESCRIPTION
-
- Get-CSDisassembly is compatible on 32 and 64-bit.
-
-.PARAMETER Architecture
-
- Specifies the architecture of the code to be disassembled.
-
-.PARAMETER Mode
-
- Specifies the mode in which to disassemble code. For example, to disassemble Amd64 code, architecture is set to 'X86' and Mode is set to 'MODE_64'.
-
-.PARAMETER Code
-
- A byte array consisting of the code to be disassembled.
-
-.PARAMETER Offset
-
- Specifies the starting address of the disassembly listing.
-
-.PARAMETER Count
-
- Specifies the maximum number of instructions to disassemble.
-
-.PARAMETER Syntax
-
- Specifies the syntax flavor to be used (INTEL vs. ATT).
-
-.PARAMETER DetailOff
-
- Specifies that detailed parsing should not be performed - i.e. do not perform additional analysis beyond disassembling.
-
-.EXAMPLE
-
- C:\PS>$Bytes = [Byte[]] @( 0x8D, 0x4C, 0x32, 0x08, 0x01, 0xD8, 0x81, 0xC6, 0x34, 0x12, 0x00, 0x00 )
- Get-CSDisassembly -Architecture X86 -Mode Mode16 -Code $Bytes -Offset 0x1000
-
-.EXAMPLE
-
- C:\PS>$Bytes = [Byte[]] @( 0x8D, 0x4C, 0x32, 0x08, 0x01, 0xD8, 0x81, 0xC6, 0x34, 0x12, 0x00, 0x00 )
- Get-CSDisassembly -Architecture X86 -Mode Mode32 -Code $Bytes -Syntax ATT
-
-.INPUTS
-
- None
-
- You cannot pipe objects to Get-CSDisassembly.
-
-.OUTPUTS
-
- Capstone.Instruction[]
-
- Get-CSDisassembly returns an array of Instruction objects.
-#>
-
- [OutputType([Capstone.Instruction])]
- [CmdletBinding()] Param (
- [Parameter(Mandatory)]
- [Capstone.Architecture]
- $Architecture,
-
- [Parameter(Mandatory)]
- [Capstone.Mode]
- $Mode,
-
- [Parameter(Mandatory)]
- [ValidateNotNullOrEmpty()]
- [Byte[]]
- $Code,
-
- [UInt64]
- $Offset = 0,
-
- [UInt32]
- $Count = 0,
-
- [ValidateSet('Intel', 'ATT')]
- [String]
- $Syntax,
-
- [Switch]
- $DetailOff
- )
-
- $Disassembly = New-Object Capstone.Capstone($Architecture, $Mode)
-
- if ($Syntax)
- {
- switch ($Syntax)
- {
- 'Intel' { $SyntaxMode = [Capstone.OptionValue]::SyntaxIntel }
- 'ATT' { $SyntaxMode = [Capstone.OptionValue]::SyntaxATT }
- }
-
- $Disassembly.SetSyntax($SyntaxMode)
- }
-
- if ($DetailOff)
- {
- $Disassembly.SetDetail($False)
- }
-
- $Disassembly.Disassemble($Code, $Offset, $Count)
-}
\ No newline at end of file
diff --git a/Capstone/lib/capstone.dll b/Capstone/lib/capstone.dll
index 1727436..914fd1e 100644
Binary files a/Capstone/lib/capstone.dll and b/Capstone/lib/capstone.dll differ
diff --git a/Capstone/lib/place_capstone.dll_here b/Capstone/lib/place_capstone.dll_here
new file mode 100644
index 0000000..e69de29
diff --git a/Capstone/lib/x64/libcapstone.dll b/Capstone/lib/x64/libcapstone.dll
index e4f5e33..f7e7fda 100644
Binary files a/Capstone/lib/x64/libcapstone.dll and b/Capstone/lib/x64/libcapstone.dll differ
diff --git a/Capstone/lib/x64/place_64-bit_libcapstone.dll_here b/Capstone/lib/x64/place_64-bit_libcapstone.dll_here
new file mode 100644
index 0000000..e69de29
diff --git a/Capstone/lib/x86/libcapstone.dll b/Capstone/lib/x86/libcapstone.dll
index 242ad7e..515c869 100644
Binary files a/Capstone/lib/x86/libcapstone.dll and b/Capstone/lib/x86/libcapstone.dll differ
diff --git a/Capstone/lib/x86/place_32-bit_libcapstone.dll_here b/Capstone/lib/x86/place_32-bit_libcapstone.dll_here
new file mode 100644
index 0000000..e69de29
diff --git a/ReverseEngineering/Get-ILDisassembly.ps1 b/ReverseEngineering/Get-ILDisassembly.ps1
index f2022e3..6948919 100644
--- a/ReverseEngineering/Get-ILDisassembly.ps1
+++ b/ReverseEngineering/Get-ILDisassembly.ps1
@@ -198,7 +198,7 @@ http://www.ecma-international.org/publications/files/ECMA-ST/Ecma-335.pdf
 $Instruction = @{
 Position = $InstructionPostion
- Instruction = $Op.Name
+ Instruction = $Op
 Operand = $Operand
 MetadataToken = $OpInt
 }
-- cgit v1.2.3
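Review bot: `Instruction = $Op` changes the Instruction property from the opcode mnemonic string to the whole System.Reflection.Emit.OpCode value, which is a silent output-contract change: consumers that filter with the property on the left, e.g. `Where-Object { $_.Instruction -eq 'call' }`, are no longer doing a string comparison and may stop matching, and any serialized or exported output grows to include Size, FlowControl, OperandType and the rest of the struct. If the richer object is intended, the comment-based help's .OUTPUTS section (outside this hunk) should say that Instruction is now an OpCode and that `.Name` yields the mnemonic, and a comment on the changed line such as `# Full OpCode object; use .Name for the mnemonic` would make that explicit at the emit site. The enclosing function, and the code that emits `$Instruction`, continue outside the hunk.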