1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
|
function Get-DllLoadPath {
<#
.SYNOPSIS
PowerSploit Module - Get-DllLoadPath
Author: Matthew Graeber (@mattifestation)
License: BSD 3-Clause
Required Dependencies: None
Optional Dependencies: None
.DESCRIPTION
Get-DllLoadPath returns the path from which Windows will load a Dll for the given executable.
.PARAMETER ExecutablePath
Path to the executable from which the Dll would be loaded.
.PARAMETER DllName
Name of the Dll in the form 'dllname.dll'.
.EXAMPLE
C:\PS> Get-DllLoadPath C:\Windows\System32\cmd.exe kernel32.dll
Path
----
C:\Windows\system32\kernel32.dll
.EXAMPLE
C:\PS> Get-DllLoadPath C:\Windows\SysWOW64\calc.exe Comctl32.dll
Path
----
C:\Windows\SysWOW64\Comctl32.dll
.OUTPUTS
$null, System.Management.Automation.PathInfo
.NOTES
This script will not detect if the executable provided intentionally alters the Dll search path via LoadLibraryEx, SetDllDirectory, or AddDllDirectory.
.LINK
http://www.exploit-monday.com
http://msdn.microsoft.com/en-us/library/windows/desktop/ms682586%28v=vs.85%29.aspx
#>
Param (
[Parameter(Position = 0, Mandatory = $True)] [String] $ExecutablePath,
[Parameter(Position = 1, Mandatory = $True)] [String] $DllName
)
if (!(Test-Path $ExecutablePath)) {
Write-Warning 'Invalid path or file does not exist.'
return
} else {
$ExecutablePath = Resolve-Path $ExecutablePath
$ExecutableDirectory = Split-Path $ExecutablePath
}
if ($DllName.Contains('.dll')) {
$DllNameShort = $DllName.Split('.')[0]
} else {
Write-Warning 'You must provide a proper dll name (i.e. kernel32.dll)'
return
}
function Get-PEArchitecture {
Param ( [Parameter(Position = 0, Mandatory = $True)] [String] $Path )
# Parse PE header to see if binary was compiled 32 or 64-bit
$FileStream = New-Object System.IO.FileStream($Path, [System.IO.FileMode]::Open, [System.IO.FileAccess]::Read)
[Byte[]] $MZHeader = New-Object Byte[](2)
$FileStream.Read($MZHeader,0,2) | Out-Null
$Header = [System.Text.AsciiEncoding]::ASCII.GetString($MZHeader)
if ($Header -ne 'MZ') {
Write-Warning 'Invalid PE header.'
$FileStream.Close()
return
}
# Seek to 0x3c - IMAGE_DOS_HEADER.e_lfanew (i.e. Offset to PE Header)
$FileStream.Seek(0x3c, [System.IO.SeekOrigin]::Begin) | Out-Null
[Byte[]] $lfanew = New-Object Byte[](4)
# Read offset to the PE Header (will be read in reverse)
$FileStream.Read($lfanew,0,4) | Out-Null
$PEOffset = [Int] ('0x{0}' -f (( $lfanew[-1..-4] | % { $_.ToString('X2') } ) -join ''))
# Seek to IMAGE_FILE_HEADER.IMAGE_FILE_MACHINE
$FileStream.Seek($PEOffset + 4, [System.IO.SeekOrigin]::Begin) | Out-Null
[Byte[]] $IMAGE_FILE_MACHINE = New-Object Byte[](2)
# Read compiled architecture
$FileStream.Read($IMAGE_FILE_MACHINE,0,2) | Out-Null
$Architecture = '{0}' -f (( $IMAGE_FILE_MACHINE[-1..-2] | % { $_.ToString('X2') } ) -join '')
$FileStream.Close()
if (($Architecture -ne '014C') -and ($Architecture -ne '8664')) {
Write-Warning 'Invalid PE header or unsupported architecture.'
return
}
if ($Architecture -eq '014C') {
return 'X86'
} elseif ($Architecture -eq '8664') {
return 'X64'
} else {
return 'OTHER'
}
}
# Check if SafeDllSearch is disabled. Note: The logic of this check will fail in XP SP0/1
$UnsafeSearch = $False
$SearchMode = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager').SafeDllSearchMode
if ($SearchMode -eq 0) { $UnsafeSearch = $True }
$OSArch = (Get-WmiObject Win32_OperatingSystem -Property OSArchitecture).OSArchitecture
$PEArch = Get-PEArchitecture $ExecutablePath
$KnownDlls = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs'
if ($OSArch -eq '32-bit') {
$DllDirectory = Resolve-Path $KnownDlls.DllDirectory
} else {
if ($PEArch -eq 'X86') {
$DllDirectory = Resolve-Path $KnownDlls.DllDirectory32
} else {
$DllDirectory = Resolve-Path $KnownDlls.DllDirectory
}
}
if ($KnownDlls | Get-Member -MemberType NoteProperty | Where-Object { $_.Name -eq $DllNameShort }) {
$Expression = '$KnownDlls.' + "$DllNameShort"
$Filename = Invoke-Expression $Expression
return Resolve-Path (Join-Path $DllDirectory $Filename)
}
$FoundInAppDirectory = Get-ChildItem (Join-Path $ExecutableDirectory $DllName) -ErrorAction SilentlyContinue
if ($FoundInAppDirectory) { return Resolve-Path $FoundInAppDirectory.FullName }
if ($UnsafeSearch) {
$FoundInWorkingDirectory = Get-ChildItem (Join-Path (Get-Location) $DllName) -ErrorAction SilentlyContinue
if ($FoundInWorkingDirectory) { return Resolve-Path $FoundInWorkingDirectory.FullName }
}
$FoundInSystemDirectory = Get-ChildItem (Join-Path $DllDirectory $DllName) -ErrorAction SilentlyContinue
if ($FoundInSystemDirectory) { return Resolve-Path $FoundInSystemDirectory.FullName }
$FoundIn16BitSystemDir = Get-ChildItem "$($Env:windir)\System\$DllName" -ErrorAction SilentlyContinue
if ($FoundIn16BitSystemDir) { return Resolve-Path $FoundIn16BitSystemDir.FullName }
$FoundInWindowsDirectory = Get-ChildItem "$($Env:windir)\$DllName" -ErrorAction SilentlyContinue
if ($FoundInWindowsDirectory) { return Resolve-Path $FoundInWindowsDirectory.FullName }
if (!$UnsafeSearch) {
$FoundInWorkingDirectory = Get-ChildItem (Join-Path (Get-Location) $DllName) -ErrorAction SilentlyContinue
if ($FoundInWorkingDirectory) { return Resolve-Path $FoundInWorkingDirectory.FullName }
}
$Env:Path.Split(';') | ForEach-Object {
if ($_ -match '%(.{1,})%') {
$TempPath = $_.Replace($Matches[0], [Environment]::GetEnvironmentVariable($Matches[1]))
} else {
$TempPath = $_
}
$FoundInPathEnvVar = Get-ChildItem (Join-Path $TempPath $DllName) -ErrorAction SilentlyContinue
if ($FoundInPathEnvVar) { return Resolve-Path $FoundInPathEnvVar.FullName }
}
}
|