From 956e4c968a1795d868e35fcb72311704d616cbaf Mon Sep 17 00:00:00 2001
From: mattifestation
Date: Sun, 16 Nov 2014 10:26:11 -0500
Subject: Moving all RE functionality to PowerShellArsenal https://github.com/mattifestation/PowerShellArsenal PowerSploit will now stay true to its roots of being a purely offensive PowerShell module.
---
 ReverseEngineering/Get-PEB.format.ps1xml | 1210 ------------------------------
 1 file changed, 1210 deletions(-)
 delete mode 100644 ReverseEngineering/Get-PEB.format.ps1xml
(limited to 'ReverseEngineering/Get-PEB.format.ps1xml')
diff --git a/ReverseEngineering/Get-PEB.format.ps1xml b/ReverseEngineering/Get-PEB.format.ps1xml
deleted file mode 100644
index 59b5362..0000000
--- a/ReverseEngineering/Get-PEB.format.ps1xml
+++ /dev/null
@@ -1,1210 +0,0 @@ - - - - - - Both - - - - - - ProcessEnvironmentBlock_VistaView - - PEB.Vista - - - - - - - ProcessName - - - ProcessId - - - InheritedAddressSpace - - - ReadImageFileExecOptions - - - BeingDebugged - - - ImageUsesLargePages - - - IsProtectedProcess - - - IsLegacyProcess - - - IsImageDynamicallyRelocated - - - SkipPatchingUser32Forwarders - - - IsPackagedProcess - - - IsAppContainer - - - - "0x$($_.Mutant.ToString("X$([IntPtr]::Size * 2)"))" - - - - "0x$($_.ImageBaseAddress.ToString("X$([IntPtr]::Size * 2)"))" - - - Ldr - - - InLoadOrderModuleList - - - InMemoryOrderModuleList - - - InInitializationOrderModuleList - - - ProcessParameters - - - - "0x$($_.SubSystemData.ToString("X$([IntPtr]::Size * 2)"))" - - - - "0x$($_.ProcessHeap.ToString("X$([IntPtr]::Size * 2)"))" - - - - "0x$($_.FastPebLock.ToString("X$([IntPtr]::Size * 2)"))" - - - - "0x$($_.AtlThunkSListPtr.ToString("X$([IntPtr]::Size * 2)"))" - - - - "0x$($_.IFEOKey.ToString("X$([IntPtr]::Size * 2)"))" - - - ProcessInJob - - - ProcessInitializing - - - ProcessUsingVEH - - - ProcessUsingVCH - - - ProcessUsingFTH - - - - "0x$($_.KernelCallbackTable.ToString("X$([IntPtr]::Size * 2)"))" - - - SystemReserved - 0x{0:X8} - - - AtlThunkSListPtr32 - 0x{0:X8} - - - - "0x$($_.ApiSetMap.ToString("X$([IntPtr]::Size * 2)"))" - - - TlsExpansionCounter - 0x{0:X8} - - - - "0x$($_.TlsBitmap.ToString("X$([IntPtr]::Size * 2)"))" - - - - ($_.TlsBitmapBits | % { "0x$($_.ToString('X8'))" }) -join ',' - - - - "0x$($_.ReadOnlySharedMemoryBase.ToString("X$([IntPtr]::Size * 2)"))" - - - - "0x$($_.HotpatchInformation.ToString("X$([IntPtr]::Size * 2)"))" - - - - "0x$($_.ReadOnlyStaticServerData.ToString("X$([IntPtr]::Size * 2)"))" - - - - "0x$($_.AnsiCodePageData.ToString("X$([IntPtr]::Size * 2)"))" - - - - "0x$($_.OemCodePageData.ToString("X$([IntPtr]::Size * 2)"))" - - - - "0x$($_.UnicodeCaseTableData.ToString("X$([IntPtr]::Size * 2)"))" - - - NumberOfProcessors - 0x{0:X8} - - - NtGlobalFlag - 0x{0:X8} - - - 
CriticalSectionTimeout - 0x{0:X16} - - - - "0x$($_.HeapSegmentReserve.ToString("X$([IntPtr]::Size * 2)"))" - - - - "0x$($_.HeapSegmentCommit.ToString("X$([IntPtr]::Size * 2)"))" - - - - "0x$($_.HeapDeCommitTotalFreeThreshold.ToString("X$([IntPtr]::Size * 2)"))" - - - - "0x$($_.HeapDeCommitFreeBlockThreshold.ToString("X$([IntPtr]::Size * 2)"))" - - - NumberOfHeaps - 0x{0:X8} - - - MaximumNumberOfHeaps - 0x{0:X8} - - - - "0x$($_.ProcessHeaps.ToString("X$([IntPtr]::Size * 2)"))" - - - - "0x$($_.GdiSharedHandleTable.ToString("X$([IntPtr]::Size * 2)"))" - - - - "0x$($_.ProcessStarterHelper.ToString("X$([IntPtr]::Size * 2)"))" - - - GdiDCAttributeList - 0x{0:X8} - - - - "0x$($_.LoaderLock.ToString("X$([IntPtr]::Size * 2)"))" - - - OSMajorVersion - - - OSMinorVersion - - - OSBuildNumber - - - OSCSDVersion - - - OSPlatformId - - - ImageSubsystem - - - ImageSubsystemMajorVersion - - - ImageSubsystemMinorVersion - - - - "0x$($_.ActiveProcessAffinityMask.ToString("X$([IntPtr]::Size * 2)"))" - - - - ($_.GdiHandleBuffer | % { "0x$($_.ToString('X8'))" }) -join ',' - - - - "0x$($_.PostProcessInitRoutine.ToString("X$([IntPtr]::Size * 2)"))" - - - - "0x$($_.TlsExpansionBitmap.ToString("X$([IntPtr]::Size * 2)"))" - - - - ($_.TlsExpansionBitmapBits | % { "0x$($_.ToString('X8'))" }) -join ',' - - - SessionId - 0x{0:X8} - - - AppCompatFlags - 0x{0:X16} - - - AppCompatFlagsUser - 0x{0:X16} - - - - "0x$($_.pShimData.ToString("X$([IntPtr]::Size * 2)"))" - - - AppCompatInfo - 0x{0:X8} - - - CSDVersion - - - - "0x$($_.ActivationContextData.ToString("X$([IntPtr]::Size * 2)"))" - - - - "0x$($_.ProcessAssemblyStorageMap.ToString("X$([IntPtr]::Size * 2)"))" - - - - "0x$($_.SystemDefaultActivationContextData.ToString("X$([IntPtr]::Size * 2)"))" - - - - "0x$($_.SystemAssemblyStorageMap.ToString("X$([IntPtr]::Size * 2)"))" - - - - "0x$($_.MinimumStackCommit.ToString("X$([IntPtr]::Size * 2)"))" - - - - "0x$($_.FlsCallback.ToString("X$([IntPtr]::Size * 2)"))" - - - FlsListHead - - - - 
"0x$($_.FlsBitmap.ToString("X$([IntPtr]::Size * 2)"))" - - - - ($_.FlsBitmapBits | % { "0x$($_.ToString('X8'))" }) -join ',' - - - FlsHighIndex - 0x{0:X8} - - - - "0x$($_.WerRegistrationData.ToString("X$([IntPtr]::Size * 2)"))" - - - - "0x$($_.WerShipAssertPtr.ToString("X$([IntPtr]::Size * 2)"))" - - - - "0x$($_.pUnused.ToString("X$([IntPtr]::Size * 2)"))" - - - - "0x$($_.pImageHeaderHash.ToString("X$([IntPtr]::Size * 2)"))" - - - HeapTracingEnabled - - - CritSecTracingEnabled - - - LibLoaderTracingEnabled - - - CsrServerReadOnlySharedMemoryBase - 0x{0:X16} - - - - - - - - ProcessEnvironmentBlock_Server2003View - - PEB.Server2003 - - - - - - - ProcessName - - - ProcessId - - - - if($_.InheritedAddressSpace -eq 0){$False}else{$True} - - - - if($_.ReadImageFileExecOptions -eq 0){$False}else{$True} - - - - if($_.BeingDebugged -eq 0){$False}else{$True} - - - ImageUsesLargePages - - - - "0x$($_.Mutant.ToString("X$([IntPtr]::Size * 2)"))" - - - - "0x$($_.ImageBaseAddress.ToString("X$([IntPtr]::Size * 2)"))" - - - Ldr - - - InLoadOrderModuleList - - - InMemoryOrderModuleList - - - InInitializationOrderModuleList - - - ProcessParameters - - - - "0x$($_.SubSystemData.ToString("X$([IntPtr]::Size * 2)"))" - - - - "0x$($_.ProcessHeap.ToString("X$([IntPtr]::Size * 2)"))" - - - - "0x$($_.FastPebLock.ToString("X$([IntPtr]::Size * 2)"))" - - - - "0x$($_.AtlThunkSListPtr.ToString("X$([IntPtr]::Size * 2)"))" - - - - "0x$($_.SparePtr2.ToString("X$([IntPtr]::Size * 2)"))" - - - EnvironmentUpdateCount - 0x{0:X8} - - - - "0x$($_.KernelCallbackTable.ToString("X$([IntPtr]::Size * 2)"))" - - - SystemReserved - 0x{0:X8} - - - AtlThunkSListPtr32 - 0x{0:X8} - - - - "0x$($_.ApiSetMap.ToString("X$([IntPtr]::Size * 2)"))" - - - TlsExpansionCounter - 0x{0:X8} - - - - "0x$($_.TlsBitmap.ToString("X$([IntPtr]::Size * 2)"))" - - - - ($_.TlsBitmapBits | % { "0x$($_.ToString('X8'))" }) -join ',' - - - - "0x$($_.ReadOnlySharedMemoryBase.ToString("X$([IntPtr]::Size * 2)"))" - - - - 
"0x$($_.ReadOnlySharedMemoryHeap.ToString("X$([IntPtr]::Size * 2)"))" - - - - "0x$($_.ReadOnlyStaticServerData.ToString("X$([IntPtr]::Size * 2)"))" - - - - "0x$($_.AnsiCodePageData.ToString("X$([IntPtr]::Size * 2)"))" - - - - "0x$($_.OemCodePageData.ToString("X$([IntPtr]::Size * 2)"))" - - - - "0x$($_.UnicodeCaseTableData.ToString("X$([IntPtr]::Size * 2)"))" - - - NumberOfProcessors - 0x{0:X8} - - - NtGlobalFlag - 0x{0:X8} - - - CriticalSectionTimeout - 0x{0:X16} - - - - "0x$($_.HeapSegmentReserve.ToString("X$([IntPtr]::Size * 2)"))" - - - - "0x$($_.HeapSegmentCommit.ToString("X$([IntPtr]::Size * 2)"))" - - - - "0x$($_.HeapDeCommitTotalFreeThreshold.ToString("X$([IntPtr]::Size * 2)"))" - - - - "0x$($_.HeapDeCommitFreeBlockThreshold.ToString("X$([IntPtr]::Size * 2)"))" - - - NumberOfHeaps - 0x{0:X8} - - - MaximumNumberOfHeaps - 0x{0:X8} - - - - "0x$($_.ProcessHeaps.ToString("X$([IntPtr]::Size * 2)"))" - - - - "0x$($_.GdiSharedHandleTable.ToString("X$([IntPtr]::Size * 2)"))" - - - - "0x$($_.ProcessStarterHelper.ToString("X$([IntPtr]::Size * 2)"))" - - - GdiDCAttributeList - 0x{0:X8} - - - - "0x$($_.LoaderLock.ToString("X$([IntPtr]::Size * 2)"))" - - - OSMajorVersion - - - OSMinorVersion - - - OSBuildNumber - - - OSCSDVersion - - - OSPlatformId - - - ImageSubsystem - - - ImageSubsystemMajorVersion - - - ImageSubsystemMinorVersion - - - - "0x$($_.ActiveProcessAffinityMask.ToString("X$([IntPtr]::Size * 2)"))" - - - - ($_.GdiHandleBuffer | % { "0x$($_.ToString('X8'))" }) -join ',' - - - - "0x$($_.PostProcessInitRoutine.ToString("X$([IntPtr]::Size * 2)"))" - - - - "0x$($_.TlsExpansionBitmap.ToString("X$([IntPtr]::Size * 2)"))" - - - - ($_.TlsExpansionBitmapBits | % { "0x$($_.ToString('X8'))" }) -join ',' - - - SessionId - 0x{0:X8} - - - AppCompatFlags - 0x{0:X16} - - - AppCompatFlagsUser - 0x{0:X16} - - - - "0x$($_.pShimData.ToString("X$([IntPtr]::Size * 2)"))" - - - AppCompatInfo - 0x{0:X8} - - - CSDVersion - - - - 
"0x$($_.ActivationContextData.ToString("X$([IntPtr]::Size * 2)"))" - - - - "0x$($_.ProcessAssemblyStorageMap.ToString("X$([IntPtr]::Size * 2)"))" - - - - "0x$($_.SystemDefaultActivationContextData.ToString("X$([IntPtr]::Size * 2)"))" - - - - "0x$($_.SystemAssemblyStorageMap.ToString("X$([IntPtr]::Size * 2)"))" - - - - "0x$($_.MinimumStackCommit.ToString("X$([IntPtr]::Size * 2)"))" - - - - "0x$($_.FlsCallback.ToString("X$([IntPtr]::Size * 2)"))" - - - FlsListHead - - - - "0x$($_.FlsBitmap.ToString("X$([IntPtr]::Size * 2)"))" - - - - ($_.FlsBitmapBits | % { "0x$($_.ToString('X8'))" }) -join ',' - - - FlsHighIndex - 0x{0:X8} - - - - - - - - ProcessEnvironmentBlock_XPView - - PEB.XP - - - - - - - ProcessName - - - ProcessId - - - - if($_.InheritedAddressSpace -eq 0){$False}else{$True} - - - - if($_.ReadImageFileExecOptions -eq 0){$False}else{$True} - - - - if($_.BeingDebugged -eq 0){$False}else{$True} - - - - "0x$($_.Mutant.ToString("X$([IntPtr]::Size * 2)"))" - - - - "0x$($_.ImageBaseAddress.ToString("X$([IntPtr]::Size * 2)"))" - - - Ldr - - - InLoadOrderModuleList - - - InMemoryOrderModuleList - - - InInitializationOrderModuleList - - - ProcessParameters - - - - "0x$($_.SubSystemData.ToString("X$([IntPtr]::Size * 2)"))" - - - - "0x$($_.ProcessHeap.ToString("X$([IntPtr]::Size * 2)"))" - - - - "0x$($_.FastPebLock.ToString("X$([IntPtr]::Size * 2)"))" - - - - "0x$($_.FastPebLockRoutine.ToString("X$([IntPtr]::Size * 2)"))" - - - - "0x$($_.FastPebUnlockRoutine.ToString("X$([IntPtr]::Size * 2)"))" - - - EnvironmentUpdateCount - 0x{0:X8} - - - - "0x$($_.KernelCallbackTable.ToString("X$([IntPtr]::Size * 2)"))" - - - SystemReserved - 0x{0:X8} - - - AtlThunkSListPtr32 - 0x{0:X8} - - - - "0x$($_.ApiSetMap.ToString("X$([IntPtr]::Size * 2)"))" - - - TlsExpansionCounter - 0x{0:X8} - - - - "0x$($_.TlsBitmap.ToString("X$([IntPtr]::Size * 2)"))" - - - - ($_.TlsBitmapBits | % { "0x$($_.ToString('X8'))" }) -join ',' - - - - "0x$($_.ReadOnlySharedMemoryBase.ToString("X$([IntPtr]::Size * 
2)"))" - - - - "0x$($_.ReadOnlySharedMemoryHeap.ToString("X$([IntPtr]::Size * 2)"))" - - - - "0x$($_.ReadOnlyStaticServerData.ToString("X$([IntPtr]::Size * 2)"))" - - - - "0x$($_.AnsiCodePageData.ToString("X$([IntPtr]::Size * 2)"))" - - - - "0x$($_.OemCodePageData.ToString("X$([IntPtr]::Size * 2)"))" - - - - "0x$($_.UnicodeCaseTableData.ToString("X$([IntPtr]::Size * 2)"))" - - - NumberOfProcessors - 0x{0:X8} - - - NtGlobalFlag - 0x{0:X8} - - - CriticalSectionTimeout - 0x{0:X16} - - - - "0x$($_.HeapSegmentReserve.ToString("X$([IntPtr]::Size * 2)"))" - - - - "0x$($_.HeapSegmentCommit.ToString("X$([IntPtr]::Size * 2)"))" - - - - "0x$($_.HeapDeCommitTotalFreeThreshold.ToString("X$([IntPtr]::Size * 2)"))" - - - - "0x$($_.HeapDeCommitFreeBlockThreshold.ToString("X$([IntPtr]::Size * 2)"))" - - - NumberOfHeaps - 0x{0:X8} - - - MaximumNumberOfHeaps - 0x{0:X8} - - - - "0x$($_.ProcessHeaps.ToString("X$([IntPtr]::Size * 2)"))" - - - - "0x$($_.GdiSharedHandleTable.ToString("X$([IntPtr]::Size * 2)"))" - - - - "0x$($_.ProcessStarterHelper.ToString("X$([IntPtr]::Size * 2)"))" - - - GdiDCAttributeList - 0x{0:X8} - - - - "0x$($_.LoaderLock.ToString("X$([IntPtr]::Size * 2)"))" - - - OSMajorVersion - - - OSMinorVersion - - - OSBuildNumber - - - OSCSDVersion - - - OSPlatformId - - - ImageSubsystem - - - ImageSubsystemMajorVersion - - - ImageSubsystemMinorVersion - - - - "0x$($_.ActiveProcessAffinityMask.ToString("X$([IntPtr]::Size * 2)"))" - - - - ($_.GdiHandleBuffer | % { "0x$($_.ToString('X8'))" }) -join ',' - - - - "0x$($_.PostProcessInitRoutine.ToString("X$([IntPtr]::Size * 2)"))" - - - - "0x$($_.TlsExpansionBitmap.ToString("X$([IntPtr]::Size * 2)"))" - - - - ($_.TlsExpansionBitmapBits | % { "0x$($_.ToString('X8'))" }) -join ',' - - - SessionId - 0x{0:X8} - - - AppCompatFlags - 0x{0:X16} - - - AppCompatFlagsUser - 0x{0:X16} - - - - "0x$($_.pShimData.ToString("X$([IntPtr]::Size * 2)"))" - - - AppCompatInfo - 0x{0:X8} - - - CSDVersion - - - - 
"0x$($_.ActivationContextData.ToString("X$([IntPtr]::Size * 2)"))" - - - - "0x$($_.ProcessAssemblyStorageMap.ToString("X$([IntPtr]::Size * 2)"))" - - - - "0x$($_.SystemDefaultActivationContextData.ToString("X$([IntPtr]::Size * 2)"))" - - - - "0x$($_.SystemAssemblyStorageMap.ToString("X$([IntPtr]::Size * 2)"))" - - - - "0x$($_.MinimumStackCommit.ToString("X$([IntPtr]::Size * 2)"))" - - - - - - - - ProcessEnvironmentBlock_ModuleEntryView - - PEB.ModuleEntry - - - - - - - InLoadOrderModuleList - - - InMemoryOrderModuleList - - - InInitializationOrderModuleList - - - - "0x$($_.BaseAddress.ToString("X$([IntPtr]::Size * 2)"))" - - - - "0x$($_.EntryPoint.ToString("X$([IntPtr]::Size * 2)"))" - - - SizeOfImage - 0x{0:X8} - - - FullDllName - - - BaseDllName - - - PackagedBinary - - - ImageDll - - - LoadNotificationsSent - - - TelemetryEntryProcessed - - - ProcessStaticImport - - - InLegacyLists - - - InIndexes - - - ShimDll - - - InExceptionTable - - - LoadInProgress - - - EntryProcessed - - - DontCallForThreads - - - ProcessAttachCalled - - - ProcessAttachFailed - - - CorDeferredValidate - - - CorImage - - - DontRelocate - - - CorILOnly - - - Redirected - - - CompatDatabaseProcessed - - - ObsoleteLoadCount - 0x{0:X4} - - - TlsIndex - 0x{0:X4} - - - HashLinks - - - TimeDateStamp - - - - "0x$($_.EntryPointActivationContext.ToString("X$([IntPtr]::Size * 2)"))" - - - - "0x$($_.PatchInformation.ToString("X$([IntPtr]::Size * 2)"))" - - - - "0x$($_.DdagNode.ToString("X$([IntPtr]::Size * 2)"))" - - - NodeModuleLink - - - - "0x$($_.SnapContext.ToString("X$([IntPtr]::Size * 2)"))" - - - - "0x$($_.ParentDllBase.ToString("X$([IntPtr]::Size * 2)"))" - - - - "0x$($_.SwitchBackContext.ToString("X$([IntPtr]::Size * 2)"))" - - - BaseAddressIndexNode - - - MappingInfoIndexNode - - - - "0x$($_.OriginalBase.ToString("X$([IntPtr]::Size * 2)"))" - - - LoadTime - 0x{0:X16} - - - BaseNameHashValue - 0x{0:X8} - - - LoadReason - - - - - - - - ProcessParameters - - PEB.ProcessParameters - - - - - - - 
MaximumLength - 0x{0:X8} - - - Length - 0x{0:X8} - - - Flags - 0x{0:X8} - - - DebugFlags - 0x{0:X8} - - - - "0x$($_.ConsoleHandle.ToString("X$([IntPtr]::Size * 2)"))" - - - ConsoleFlags - 0x{0:X8} - - - - "0x$($_.StandardInput.ToString("X$([IntPtr]::Size * 2)"))" - - - - "0x$($_.StandardOutput.ToString("X$([IntPtr]::Size * 2)"))" - - - - "0x$($_.StandardError.ToString("X$([IntPtr]::Size * 2)"))" - - - CurrentDirectory - - - DllPath - - - ImagePathName - - - CommandLine - - - - "0x$($_.Environment.ToString("X$([IntPtr]::Size * 2)"))" - - - StartingX - 0x{0:X8} - - - StartingY - 0x{0:X8} - - - CountX - 0x{0:X8} - - - CountY - 0x{0:X8} - - - CountCharsX - 0x{0:X8} - - - CountCharsY - 0x{0:X8} - - - FillAttribute - 0x{0:X8} - - - WindowFlags - 0x{0:X8} - - - ShowWindowFlags - 0x{0:X8} - - - WindowTitle - - - DesktopInfo - - - ShellInfo - - - RuntimeData - - - - - - - - -- cgit v1.2.3