From ea0dc9a2b8c51c1f861b0174d61fa1fb2aaf5be6 Mon Sep 17 00:00:00 2001
From: Matt Graeber <mattgraeber@gmail.com>
Date: Sun, 12 May 2013 10:27:15 -0400
Subject: Added Get-NtSystemInformation

Get-NtSystemInformation is a wrapper function for
NtQuerySystemInformation. It is a swiss-army knife tool for obtaining
internal OS information. It can currently be used to query the
following: global flags, handles, objects, kernel pool allocations, and
loaded kernel modules
---
 .../Get-NtSystemInformation.format.ps1xml          | 334 +++++++++++++++++++++
 1 file changed, 334 insertions(+)
 create mode 100644 ReverseEngineering/Get-NtSystemInformation.format.ps1xml

(limited to 'ReverseEngineering/Get-NtSystemInformation.format.ps1xml')

diff --git a/ReverseEngineering/Get-NtSystemInformation.format.ps1xml b/ReverseEngineering/Get-NtSystemInformation.format.ps1xml
new file mode 100644
index 0000000..5719d67
--- /dev/null
+++ b/ReverseEngineering/Get-NtSystemInformation.format.ps1xml
@@ -0,0 +1,334 @@
+<?xml version="1.0" encoding="utf-8" ?>
+<Configuration>
+    <ViewDefinitions>
+        <View>
+            <Name>SystemModuleView</Name>
+                <ViewSelectedBy>
+		            <TypeName>_SYSTEM_MODULE</TypeName>
+		        </ViewSelectedBy>
+                <TableControl>
+                <AutoSize/>
+                    <TableHeaders>
+                        <TableColumnHeader>
+                            <Label>ImageBaseAddress</Label>
+                        </TableColumnHeader>
+                        <TableColumnHeader>
+                            <Label>ImageSize</Label>
+                        </TableColumnHeader>
+                        <TableColumnHeader>
+                            <Label>Flags</Label>
+                        </TableColumnHeader>
+                        <TableColumnHeader>
+                            <Label>Index</Label>
+                        </TableColumnHeader>
+                        <TableColumnHeader>
+                            <Label>Rank</Label>
+                        </TableColumnHeader>
+                        <TableColumnHeader>
+                            <Label>LoadCount</Label>
+                        </TableColumnHeader>
+                        <TableColumnHeader>
+                            <Label>NameOffset</Label>
+                        </TableColumnHeader>
+                        <TableColumnHeader>
+                            <Label>Name</Label>
+                        </TableColumnHeader>
+                    </TableHeaders>
+                    <TableRowEntries>
+                        <TableRowEntry>
+                            <TableColumnItems>
+                                <TableColumnItem>
+                                    <ScriptBlock>"0x$($_.ImageBaseAddress.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
+                                </TableColumnItem>
+                                <TableColumnItem>
+                                    <PropertyName>ImageSize</PropertyName>
+                                    <FormatString>0x{0:X8}</FormatString>
+                                </TableColumnItem>
+                                <TableColumnItem>
+                                    <PropertyName>Flags</PropertyName>
+                                    <FormatString>0x{0:X8}</FormatString>
+                                </TableColumnItem>
+                                <TableColumnItem>
+                                    <PropertyName>Index</PropertyName>
+                                    <FormatString>0x{0:X4}</FormatString>
+                                </TableColumnItem>
+                                <TableColumnItem>
+                                    <PropertyName>Rank</PropertyName>
+                                    <FormatString>0x{0:X4}</FormatString>
+                                </TableColumnItem>
+                                <TableColumnItem>
+                                    <PropertyName>LoadCount</PropertyName>
+                                    <FormatString>0x{0:X4}</FormatString>
+                                </TableColumnItem>
+                                <TableColumnItem>
+                                    <PropertyName>NameOffset</PropertyName>
+                                    <FormatString>0x{0:X4}</FormatString>
+                                </TableColumnItem>
+                                <TableColumnItem>
+                                    <ScriptBlock>$_.Name -replace '\\SystemRoot', $Env:SystemRoot</ScriptBlock>
+                                </TableColumnItem>
+                            </TableColumnItems>
+                        </TableRowEntry>
+                    </TableRowEntries>
+                </TableControl>
+        </View>
+        <View>
+            <Name>PoolTagView</Name>
+            <ViewSelectedBy>
+		        <TypeName>_SYSTEM_POOL_TAG_INFORMATION</TypeName>
+		    </ViewSelectedBy>
+                <TableControl>
+                <AutoSize/>
+                    <TableHeaders>
+                        <TableColumnHeader>
+                            <Label>Tag</Label>
+                        </TableColumnHeader>
+                        <TableColumnHeader>
+                            <Label>PagedPoolAllocs</Label>
+                        </TableColumnHeader>
+                        <TableColumnHeader>
+                            <Label>PagedPoolFrees</Label>
+                        </TableColumnHeader>
+                        <TableColumnHeader>
+                            <Label>PagedPoolUsage</Label>
+                        </TableColumnHeader>
+                        <TableColumnHeader>
+                            <Label>NonPagedPoolAllocs</Label>
+                        </TableColumnHeader>
+                        <TableColumnHeader>
+                            <Label>NonPagedPoolFrees</Label>
+                        </TableColumnHeader>
+                        <TableColumnHeader>
+                            <Label>NonPagedPoolUsage</Label>
+                        </TableColumnHeader>
+                    </TableHeaders>
+                    <TableRowEntries>
+                        <TableRowEntry>
+                            <TableColumnItems>
+                                <TableColumnItem>
+                                    <PropertyName>Tag</PropertyName>
+                                </TableColumnItem>
+                                <TableColumnItem>
+                                    <PropertyName>PagedPoolAllocs</PropertyName>
+                                    <FormatString>0x{0:X8}</FormatString>
+                                </TableColumnItem>
+                                <TableColumnItem>
+                                    <PropertyName>PagedPoolFrees</PropertyName>
+                                    <FormatString>0x{0:X8}</FormatString>
+                                </TableColumnItem>
+                                <TableColumnItem>
+                                    <PropertyName>PagedPoolUsage</PropertyName>
+                                    <FormatString>0x{0:X8}</FormatString>
+                                </TableColumnItem>
+                                <TableColumnItem>
+                                    <PropertyName>NonPagedPoolAllocs</PropertyName>
+                                    <FormatString>0x{0:X8}</FormatString>
+                                </TableColumnItem>
+                                <TableColumnItem>
+                                    <PropertyName>NonPagedPoolFrees</PropertyName>
+                                    <FormatString>0x{0:X8}</FormatString>
+                                </TableColumnItem>
+                                <TableColumnItem>
+                                    <PropertyName>NonPagedPoolUsage</PropertyName>
+                                    <FormatString>0x{0:X8}</FormatString>
+                                </TableColumnItem>
+                            </TableColumnItems>
+                        </TableRowEntry>
+                    </TableRowEntries>
+                </TableControl>
+        </View>
+        <View>
+            <Name>SystemHandleView</Name>
+                <ViewSelectedBy>
+		            <TypeName>_SYSTEM_HANDLE_INFORMATION</TypeName>
+		        </ViewSelectedBy>
+                <ListControl>
+                <ListEntries>
+                    <ListEntry>
+                        <ListItems>
+                            <ListItem>
+                                <PropertyName>UniqueProcessId</PropertyName>
+                                <FormatString>0x{0:X4}</FormatString>
+                            </ListItem>
+                            <ListItem>
+                                <PropertyName>CreatorBackTraceIndex</PropertyName>
+                                <FormatString>0x{0:X4}</FormatString>
+                            </ListItem>
+                            <ListItem>
+                                <PropertyName>ObjectTypeIndex</PropertyName>
+                                <FormatString>0x{0:X2}</FormatString>
+                            </ListItem>
+                            <ListItem>
+                                <PropertyName>HandleAttribute</PropertyName>
+                            </ListItem>
+                            <ListItem>
+                                <PropertyName>HandleValue</PropertyName>
+                                <FormatString>0x{0:X4}</FormatString>
+                            </ListItem>
+                            <ListItem>
+                                <Label>Object</Label>
+                                <ScriptBlock>"0x$($_.Object.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
+                            </ListItem>
+                            <ListItem>
+                                <PropertyName>GrantedAccess</PropertyName>
+                            </ListItem>
+                        </ListItems>
+                    </ListEntry>
+                </ListEntries>
+            </ListControl>
+        </View>
+        <View>
+            <Name>GenericMappingView</Name>
+                <ViewSelectedBy>
+		            <TypeName>_GENERIC_MAPPING</TypeName>
+		        </ViewSelectedBy>
+                <TableControl>
+                    <AutoSize/>
+                    <TableHeaders>
+                        <TableColumnHeader>
+                            <Label>GenericRead</Label>
+                        </TableColumnHeader>
+                        <TableColumnHeader>
+                            <Label>GenericWrite</Label>
+                        </TableColumnHeader>
+                        <TableColumnHeader>
+                            <Label>GenericExecute</Label>
+                        </TableColumnHeader>
+                        <TableColumnHeader>
+                            <Label>GenericAll</Label>
+                        </TableColumnHeader>
+                    </TableHeaders>
+                    <TableRowEntries>
+                        <TableRowEntry>
+                            <TableColumnItems>
+                                <TableColumnItem>
+                                    <PropertyName>GenericRead</PropertyName>
+                                    <FormatString>0x{0:X8}</FormatString>
+                                </TableColumnItem>
+                                <TableColumnItem>
+                                    <PropertyName>GenericWrite</PropertyName>
+                                    <FormatString>0x{0:X8}</FormatString>
+                                </TableColumnItem>
+                                <TableColumnItem>
+                                    <PropertyName>GenericExecute</PropertyName>
+                                    <FormatString>0x{0:X8}</FormatString>
+                                </TableColumnItem>
+                                <TableColumnItem>
+                                    <PropertyName>GenericAll</PropertyName>
+                                    <FormatString>0x{0:X8}</FormatString>
+                                </TableColumnItem>
+                            </TableColumnItems>
+                        </TableRowEntry>
+                    </TableRowEntries>
+                </TableControl>
+        </View>
+        <View>
+            <Name>ObjectTypeView</Name>
+                <ViewSelectedBy>
+		            <TypeName>_SYSTEM_OBJECTTYPE_INFORMATION</TypeName>
+		        </ViewSelectedBy>
+            <ListControl>
+                <ListEntries>
+                    <ListEntry>
+                        <ListItems>
+                            <ListItem>
+                                <PropertyName>NumberOfObjects</PropertyName>
+                                <FormatString>0x{0:X8}</FormatString>
+                            </ListItem>
+                            <ListItem>
+                                <PropertyName>NumberOfHandles</PropertyName>
+                                <FormatString>0x{0:X8}</FormatString>
+                            </ListItem>
+                            <ListItem>
+                                <PropertyName>TypeIndex</PropertyName>
+                                <FormatString>0x{0:X8}</FormatString>
+                            </ListItem>
+                            <ListItem>
+                                <PropertyName>InvalidAttributes</PropertyName>
+                            </ListItem>
+                            <ListItem>
+                                <PropertyName>GenericMapping</PropertyName>
+                            </ListItem>
+                            <ListItem>
+                                <PropertyName>ValidAccessMask</PropertyName>
+                            </ListItem>
+                            <ListItem>
+                                <PropertyName>PoolType</PropertyName>
+                            </ListItem>
+                            <ListItem>
+                                <PropertyName>SecurityRequired</PropertyName>
+                                <FormatString>0x{0:X2}</FormatString>
+                            </ListItem>
+                            <ListItem>
+                                <PropertyName>WaitableObject</PropertyName>
+                                <FormatString>0x{0:X2}</FormatString>
+                            </ListItem>
+                            <ListItem>
+                                <PropertyName>TypeName</PropertyName>
+                            </ListItem>
+                            <ListItem>
+                                <PropertyName>Objects</PropertyName>
+                            </ListItem>
+                        </ListItems>
+                    </ListEntry>
+                </ListEntries>
+            </ListControl>
+        </View>
+        <View>
+            <Name>ObjectView</Name>
+                <ViewSelectedBy>
+		            <TypeName>_SYSTEM_OBJECT_INFORMATION</TypeName>
+		        </ViewSelectedBy>
+            <ListControl>
+                <ListEntries>
+                    <ListEntry>
+                        <ListItems>
+                            <ListItem>
+                                <Label>Object</Label>
+                                <ScriptBlock>"0x$($_.Object.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
+                            </ListItem>
+                            <ListItem>
+                                <Label>CreatorUniqueProcess</Label>
+                                <ScriptBlock>"0x$($_.CreatorUniqueProcess.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
+                            </ListItem>
+                            <ListItem>
+                                <PropertyName>CreatorBackTraceIndex</PropertyName>
+                                <FormatString>0x{0:X4}</FormatString>
+                            </ListItem>
+                            <ListItem>
+                                <PropertyName>Flags</PropertyName>
+                            </ListItem>
+                            <ListItem>
+                                <PropertyName>PointerCount</PropertyName>
+                                <FormatString>0x{0:X8}</FormatString>
+                            </ListItem>
+                            <ListItem>
+                                <PropertyName>HandleCount</PropertyName>
+                                <FormatString>0x{0:X8}</FormatString>
+                            </ListItem>
+                            <ListItem>
+                                <PropertyName>PagedPoolCharge</PropertyName>
+                                <FormatString>0x{0:X8}</FormatString>
+                            </ListItem>
+                            <ListItem>
+                                <PropertyName>NonPagedPoolCharge</PropertyName>
+                                <FormatString>0x{0:X8}</FormatString>
+                            </ListItem>
+                            <ListItem>
+                                <Label>ExclusiveProcessId</Label>
+                                <ScriptBlock>"0x$($_.ExclusiveProcessId.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
+                            </ListItem>
+                            <ListItem>
+                                <Label>SecurityDescriptor</Label>
+                                <ScriptBlock>"0x$($_.SecurityDescriptor.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
+                            </ListItem>
+                            <ListItem>
+                                <PropertyName>NameInfo</PropertyName>
+                            </ListItem>
+                        </ListItems>
+                    </ListEntry>
+                </ListEntries>
+            </ListControl>
+        </View>
+    </ViewDefinitions>
+</Configuration>
\ No newline at end of file
-- 
cgit v1.2.3