From 6807da424fca9e1f4b4946e695486aefb7eae1fa Mon Sep 17 00:00:00 2001
From: mattifestation <mattgraeber@gmail.com>
Date: Thu, 29 Aug 2013 19:56:01 +0000
Subject: Added ProcessModuleTrace cmdlets

Added *-ProcessModuleTrace cmdlets to trace details when modules are
loaded into a process. These can be useful for malware analysis.
---
 .../ProcessModuleTrace.format.ps1xml               | 36 ++++++++++++++++++++++
 1 file changed, 36 insertions(+)
 create mode 100644 ReverseEngineering/ProcessModuleTrace.format.ps1xml

(limited to 'ReverseEngineering/ProcessModuleTrace.format.ps1xml')

diff --git a/ReverseEngineering/ProcessModuleTrace.format.ps1xml b/ReverseEngineering/ProcessModuleTrace.format.ps1xml
new file mode 100644
index 0000000..fbad0b9
--- /dev/null
+++ b/ReverseEngineering/ProcessModuleTrace.format.ps1xml
@@ -0,0 +1,36 @@
+<?xml version="1.0" encoding="utf-8" ?>
+<Configuration>
+    <ViewDefinitions>
+        <View>
+            <Name>ProcessModuleTraceView</Name>
+                <ViewSelectedBy>
+		            <TypeName>LOADED_MODULE</TypeName>
+		        </ViewSelectedBy>
+            <ListControl>
+                <ListEntries>
+                    <ListEntry>
+                        <ListItems>
+                            <ListItem>
+                                <PropertyName>TimeCreated</PropertyName>
+                            </ListItem>
+                            <ListItem>
+                                <PropertyName>ProcessId</PropertyName>
+                            </ListItem>
+                            <ListItem>
+                                <PropertyName>FileName</PropertyName>
+                            </ListItem>
+                            <ListItem>
+                                <Label>ImageBase</Label>
+                                <ScriptBlock>"0x$($_.ImageBase.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
+                            </ListItem>
+                            <ListItem>
+                                <PropertyName>ImageSize</PropertyName>
+                                <FormatString>0x{0:X8}</FormatString>
+                            </ListItem>
+                        </ListItems>
+                    </ListEntry>
+                </ListEntries>
+            </ListControl>
+        </View>
+    </ViewDefinitions>
+</Configuration>
\ No newline at end of file
-- 
cgit v1.2.3