From 91bd44f0f08259c541088c278467ed9b597985e3 Mon Sep 17 00:00:00 2001 From: Matt Graeber Date: Fri, 24 May 2013 21:16:43 -0400 Subject: Get-PEB now parses _RTL_USER_PROCESS_PARAMETERS --- ReverseEngineering/Get-PEB.format.ps1xml | 114 +++++++++++++++++++++++++++++++ 1 file changed, 114 insertions(+) (limited to 'ReverseEngineering/Get-PEB.format.ps1xml') diff --git a/ReverseEngineering/Get-PEB.format.ps1xml b/ReverseEngineering/Get-PEB.format.ps1xml index 9c25dc1..88eee6a 100644 --- a/ReverseEngineering/Get-PEB.format.ps1xml +++ b/ReverseEngineering/Get-PEB.format.ps1xml @@ -1095,5 +1095,119 @@ + + ProcessParameters + + PEB.ProcessParameters + + + + + + + MaximumLength + 0x{0:X8} + + + Length + 0x{0:X8} + + + Flags + 0x{0:X8} + + + DebugFlags + 0x{0:X8} + + + + "0x$($_.ConsoleHandle.ToString("X$([IntPtr]::Size * 2)"))" + + + ConsoleFlags + 0x{0:X8} + + + + "0x$($_.StandardInput.ToString("X$([IntPtr]::Size * 2)"))" + + + + "0x$($_.StandardOutput.ToString("X$([IntPtr]::Size * 2)"))" + + + + "0x$($_.StandardError.ToString("X$([IntPtr]::Size * 2)"))" + + + CurrentDirectory + + + DllPath + + + ImagePathName + + + CommandLine + + + + "0x$($_.Environment.ToString("X$([IntPtr]::Size * 2)"))" + + + StartingX + 0x{0:X8} + + + StartingY + 0x{0:X8} + + + CountX + 0x{0:X8} + + + CountY + 0x{0:X8} + + + CountCharsX + 0x{0:X8} + + + CountCharsY + 0x{0:X8} + + + FillAttribute + 0x{0:X8} + + + WindowFlags + 0x{0:X8} + + + ShowWindowFlags + 0x{0:X8} + + + WindowTitle + + + DesktopInfo + + + ShellInfo + + + RuntimeData + + + + + + \ No newline at end of file -- cgit v1.2.3
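Review bot: The CommandLine, ImagePathName, DllPath and CurrentDirectory columns in the new ProcessParameters view print the UNICODE_STRING values read from the target's PEB with nothing telling the reader that this memory belongs to the inspected process, which can change its own ProcessParameters after startup, so the formatted output may not match what the kernel saw at process creation. A comment at the head of the view, e.g. `<!-- Values are read from the inspected process's own memory and can be altered by that process; treat CommandLine/ImagePathName/DllPath/CurrentDirectory as untrusted for attribution or incident triage -->`, would make that explicit where the data is presented. Separately, the five pointer columns (ConsoleHandle, StandardInput, StandardOutput, StandardError, Environment) pad to `[IntPtr]::Size * 2` hex digits of the PowerShell host rather than of the target, so a 32-bit target inspected from a 64-bit host would presumably show 16-digit handles; whether Get-PEB records the target's bitness is outside this hunk. The XML element tags of the hunk did not survive extraction, so the element each column belongs to is inferred from its text.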