From 6807da424fca9e1f4b4946e695486aefb7eae1fa Mon Sep 17 00:00:00 2001 From: mattifestation Date: Thu, 29 Aug 2013 19:56:01 +0000 Subject: Added ProcessModuleTrace cmdlets Added *-ProcessModuleTrace cmdlets to trace details when modules are loaded into a process. These can be useful for malware analysis. --- .../ProcessModuleTrace.format.ps1xml | 36 +++++++ ReverseEngineering/ProcessModuleTrace.ps1 | 103 +++++++++++++++++++++ ReverseEngineering/ReverseEngineering.psd1 | 4 +- 3 files changed, 141 insertions(+), 2 deletions(-) create mode 100644 ReverseEngineering/ProcessModuleTrace.format.ps1xml create mode 100644 ReverseEngineering/ProcessModuleTrace.ps1 (limited to 'ReverseEngineering') diff --git a/ReverseEngineering/ProcessModuleTrace.format.ps1xml b/ReverseEngineering/ProcessModuleTrace.format.ps1xml new file mode 100644 index 0000000..fbad0b9 --- /dev/null +++ b/ReverseEngineering/ProcessModuleTrace.format.ps1xml @@ -0,0 +1,36 @@ + + + + + ProcessModuleTraceView + + LOADED_MODULE + + + + + + + TimeCreated + + + ProcessId + + + FileName + + + + "0x$($_.ImageBase.ToString("X$([IntPtr]::Size * 2)"))" + + + ImageSize + 0x{0:X8} + + + + + + + + \ No newline at end of file diff --git a/ReverseEngineering/ProcessModuleTrace.ps1 b/ReverseEngineering/ProcessModuleTrace.ps1 new file mode 100644 index 0000000..3eb57a7 --- /dev/null +++ b/ReverseEngineering/ProcessModuleTrace.ps1 
@@ -0,0 +1,103 @@
+function Register-ProcessModuleTrace
+{
+<#
+.SYNOPSIS
+
+ Starts a trace of loaded process modules
+
+ PowerSploit Function: Register-ProcessModuleTrace
+ Author: Matthew Graeber (@mattifestation)
+ License: BSD 3-Clause
+ Required Dependencies: None
+ Optional Dependencies: None
+
+.OUTPUTS
+
+ System.Management.Automation.PSEventJob
+
+ If desired, you can manipulate the event returned with the *-Event cmdlets.
+
+.LINK
+
+ http://www.exploit-monday.com/
+#>
+
+ [CmdletBinding()] Param ()
+
+ if (-not ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] 'Administrator'))
+ {
+ throw 'You must run this cmdlet from an elevated PowerShell session.'
+ }
+
+ $ModuleLoadedAction = {
+ $Event = $EventArgs.NewEvent
+
+ $ModuleInfo = @{
+ TimeCreated = [DateTime]::FromFileTime($Event.TIME_CREATED)
+ ProcessId = $Event.ProcessId
+ FileName = $Event.FileName
+ ImageBase = $Event.ImageBase
+ ImageSize = $Event.ImageSize
+ }
+
+ $ModuleObject = New-Object PSObject -Property $ModuleInfo
+ $ModuleObject.PSObject.TypeNames[0] = 'LOADED_MODULE'
+
+ $ModuleObject
+ }
+
+ Register-WmiEvent 'Win32_ModuleLoadTrace' -SourceIdentifier 'ModuleLoaded' -Action $ModuleLoadedAction
+}
+
+function Get-ProcessModuleTrace
+{
+<#
+.SYNOPSIS
+
+ Displays the process modules that have been loaded since the call to Register-ProcessModuleTrace
+
+ PowerSploit Function: Get-ProcessModuleTrace
+ Author: Matthew Graeber (@mattifestation)
+ License: BSD 3-Clause
+ Required Dependencies: Register-ProcessModuleTrace
+ Optional Dependencies: None
+
+.OUTPUTS
+
+ PSObject
+
+.LINK
+
+ http://www.exploit-monday.com/
+#>
+
+ $Events = Get-EventSubscriber -SourceIdentifier 'ModuleLoaded' -ErrorVariable NoEventRegistered -ErrorAction SilentlyContinue
+
+ if ($NoEventRegistered)
+ {
+ throw 'You must execute Register-ProcessModuleTrace before you can retrieve a loaded module list'
+ }
+
+ 
$Events.Action.Output +} + +function Unregister-ProcessModuleTrace +{ +<# +.SYNOPSIS + + Stops the running process module trace + + PowerSploit Function: Unregister-ProcessModuleTrace + Author: Matthew Graeber (@mattifestation) + License: BSD 3-Clause + Required Dependencies: Register-ProcessModuleTrace + Optional Dependencies: None + +.LINK + + http://www.exploit-monday.com/ +#> + + Unregister-Event -SourceIdentifier 'ModuleLoaded' +} \ No newline at end of file diff --git a/ReverseEngineering/ReverseEngineering.psd1 b/ReverseEngineering/ReverseEngineering.psd1 index 0f643b7..b7da355 100644 --- a/ReverseEngineering/ReverseEngineering.psd1 +++ b/ReverseEngineering/ReverseEngineering.psd1 @@ -52,7 +52,7 @@ PowerShellVersion = '2.0' # TypesToProcess = @() # Format files (.ps1xml) to be loaded when importing this module -FormatsToProcess = 'Get-PEB.format.ps1xml', 'Get-NtSystemInformation.format.ps1xml', 'Get-ILDisassembly.format.ps1xml' +FormatsToProcess = 'Get-PEB.format.ps1xml', 'Get-NtSystemInformation.format.ps1xml', 'Get-ILDisassembly.format.ps1xml', 'ProcessModuleTrace.format.ps1xml' # Modules to import as nested modules of the module specified in RootModule/ModuleToProcess # NestedModules = @() @@ -76,7 +76,7 @@ ModuleList = @(@{ModuleName = 'ReverseEngineering'; ModuleVersion = '1.0.0.0'; G FileList = 'ReverseEngineering.psm1', 'ReverseEngineering.psd1', 'Get-ILDisassembly.ps1', 'Get-NtSystemInformation.format.ps1xml', 'Get-NtSystemInformation.ps1', 'Get-Member.ps1', 'Get-MethodAddress.ps1', 'Get-PEB.format.ps1xml', 'Get-PEB.ps1', 'Get-Strings.ps1', 'Get-StructFromMemory.ps1', 'ConvertTo-String.ps1', - 'New-Object.ps1', 'Get-ILDisassembly.format.ps1xml', 'Usage.md' + 'New-Object.ps1', 'Get-ILDisassembly.format.ps1xml', 'ProcessModuleTrace.ps1', 'Usage.md' # Private data to pass to the module specified in RootModule/ModuleToProcess # PrivateData = '' -- cgit v1.2.3
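Review bot: Every object the action script block emits is retained in the subscriber's `Action.Output` collection and nothing in the hunk ever trims it, so a trace left running accumulates one record per module load system-wide (Win32_ModuleLoadTrace is not filtered to a process), which can become a large in-memory buffer over a long session; either note this in Register-ProcessModuleTrace's help (a `.DESCRIPTION` line stating that records accumulate until Unregister-ProcessModuleTrace is called) or have Get-ProcessModuleTrace copy and clear the collection. The timestamp is built with `[DateTime]::FromFileTime`, which yields local time; for correlating with other event sources `TimeCreated = [DateTime]::FromFileTimeUtc($Event.TIME_CREATED)` would be the less ambiguous choice. Calling Register-ProcessModuleTrace twice will presumably fail inside Register-WmiEvent because the fixed 'ModuleLoaded' source identifier is already registered, so a `Get-EventSubscriber -SourceIdentifier 'ModuleLoaded' -ErrorAction SilentlyContinue` check up front would give a clearer error than the cmdlet's own. Get-ProcessModuleTrace and Unregister-ProcessModuleTrace also lack the `[CmdletBinding()]` attribute that Register-ProcessModuleTrace carries.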