mattifestation / powershellarsenal Goto Github PK
View Code? Open in Web Editor NEWA PowerShell Module Dedicated to Reverse Engineering
powershellarsenal's Issues
Get-ILDisassembly -MethodInfo should accept ConstructorInfo
It make sense to change expected object from MethodInfo to MethodBase to enable ctor disassembling.
[Get-PEB] argument transformation on parameter 'Id'
Taken from .EXAMPLE
$NotepadPEB = Get-PEB -Id (ps notepad)
Get-PEB : Cannot process argument transformation on parameter 'Id'. Cannot convert the "System.Diagnostics.Process (notepad)" value of type "System.Diagnostics.Process" to type "System.UInt16[]".
At line:1 char:27
+ $NotepadPEB = Get-PEB -Id (ps notepad)
+ ~~~~~~~~~~~~
+ CategoryInfo : InvalidData: (:) [Get-PEB], ParameterBindingArgumentTransformationException
+ FullyQualifiedErrorId : ParameterArgumentTransformationError,Get-PEB
my ps version:
| Major | Minor | Build | Revision |
|---|---|---|---|
| 5 | 1 | 17763 | 316 |
Error undecorating symbols in Get-LibSymbols.ps1
In Line 241 of Get-LibSymbols.ps1 the call:
[COFF.Functions]::UnDecorateSymbolName( ....
should be (?):
[COFF2.Functions]::UnDecorateSymbolName( ....
(use COFF2 instead of COFF).
Btw, thanks for making the project available.
Get-Entropy
Works slow with huge files. Fastest way (pwsh is required):
using namespace System.Reflection.Emit
Set-Alias -Name ent -Value Get-Entropy
function Get-Entropy {
[CmdletBinding()]
param(
[Parameter(Mandatory)]
[ValidateNotNullOrEmpty()]
[Byte[]]$Bytes
)
process {
if (!($e = $ExecutionContext.SessionState.PSVariable.Get('PSEntropy').Value)) {
$dm = [DynamicMethod]::new('Entropy', [Double], [Type[]]([Byte[]]))
$il = $dm.GetILGenerator()
# variables
$i = $il.DeclareLocal([Int32])
$rng = $il.DeclareLocal([Type]::GetType('System.Int32*'))
$pi = $il.DeclareLocal([Type]::GetType('System.Int32*'))
$ent = $il.DeclareLocal([Double])
$src = $il.DeclareLocal([Double])
# labels (four totally)
$labels = (0..3).ForEach{ $il.DefineLabel() }
# function body
$il.Emit([OpCodes]::ldc_i4, 0x100)
$il.Emit([OpCodes]::conv_u)
$il.Emit([OpCodes]::ldc_i4_4)
$il.Emit([OpCodes]::mul_ovf_un)
$il.Emit([OpCodes]::localloc)
$il.Emit([OpCodes]::stloc_1)
$il.Emit([OpCodes]::ldloc_1)
$il.Emit([OpCodes]::ldc_i4, 0x400)
$il.Emit([OpCodes]::conv_i)
$il.Emit([OpCodes]::add)
$il.Emit([OpCodes]::stloc_2)
$il.Emit([OpCodes]::ldc_r8, 0.0)
$il.Emit([OpCodes]::stloc_3)
$il.Emit([OpCodes]::ldarg_0)
$il.Emit([OpCodes]::ldlen)
$il.Emit([OpCodes]::conv_i4)
$il.Emit([OpCodes]::dup)
$il.Emit([OpCodes]::stloc_0)
$il.Emit([OpCodes]::conv_r8)
$il.Emit([OpCodes]::stloc_s, $src)
$il.Emit([OpCodes]::br_s, $labels[0])
$il.MarkLabel($labels[1]) # 0x28
$il.Emit([OpCodes]::ldloc_1)
$il.Emit([OpCodes]::ldarg_0)
$il.Emit([OpCodes]::ldloc_0)
$il.Emit([OpCodes]::ldelem_u1)
$il.Emit([OpCodes]::conv_i)
$il.Emit([OpCodes]::ldc_i4_4)
$il.Emit([OpCodes]::mul)
$il.Emit([OpCodes]::add)
$il.Emit([OpCodes]::dup)
$il.Emit([OpCodes]::ldind_i4)
$il.Emit([OpCodes]::ldc_i4_1)
$il.Emit([OpCodes]::add)
$il.Emit([OpCodes]::stind_i4)
$il.MarkLabel($labels[0]) # 0x35
$il.Emit([OpCodes]::ldloc_0)
$il.Emit([OpCodes]::ldc_i4_1)
$il.Emit([OpCodes]::sub)
$il.Emit([OpCodes]::dup)
$il.Emit([OpCodes]::stloc_0)
$il.Emit([OpCodes]::ldc_i4_0)
$il.Emit([OpCodes]::bge_s, $labels[1])
$il.Emit([OpCodes]::br_s, $labels[2])
$il.MarkLabel($labels[3]) # 0x3f
$il.Emit([OpCodes]::ldloc_2)
$il.Emit([OpCodes]::ldind_i4)
$il.Emit([OpCodes]::ldc_i4_0)
$il.Emit([OpCodes]::ble_s, $labels[2])
$il.Emit([OpCodes]::ldloc_3)
$il.Emit([OpCodes]::ldloc_2)
$il.Emit([OpCodes]::ldind_i4)
$il.Emit([OpCodes]::conv_r8)
$il.Emit([OpCodes]::ldloc_2)
$il.Emit([OpCodes]::ldind_i4)
$il.Emit([OpCodes]::conv_r8)
$il.Emit([OpCodes]::ldloc_s, $src)
$il.Emit([OpCodes]::div)
$il.Emit([OpCodes]::ldc_r8, 2.)
$il.Emit([OpCodes]::call, [Math].GetMethod('Log', [Type[]]([Double], [Double])))
$il.Emit([OpCodes]::mul)
$il.Emit([OpCodes]::add)
$il.Emit([OpCodes]::stloc_3)
$il.MarkLabel($labels[2]) # 0x5f
$il.Emit([OpCodes]::ldloc_2)
$il.Emit([OpCodes]::ldc_i4_4)
$il.Emit([OpCodes]::conv_i)
$il.Emit([OpCodes]::sub)
$il.Emit([OpCodes]::dup)
$il.Emit([OpCodes]::stloc_2)
$il.Emit([OpCodes]::ldloc_1)
$il.Emit([OpCodes]::bge_un_s, $labels[3])
$il.Emit([OpCodes]::ldloc_3)
$il.Emit([OpCodes]::neg)
$il.Emit([OpCodes]::ldloc_s, $src)
$il.Emit([OpCodes]::div)
$il.Emit([OpCodes]::ret)
Set-Variable -Name PSEntropy -Value (
$e = $dm.CreateDelegate([Func[[Byte[]], Double]])
) -Option Constant -Scope Global -Visibility Private
}
'{0:F3}' -f $e.Invoke($Bytes)
}
}You will likely need to run this script elevated
Hi! I execute command with Administrator privileges, thanks for all!
My PowerShell Version : 5.0.10586.122 in Windows 10 64bits
**PS C:\WINDOWS\system32> $AllPEBs = Get-Process | Get-PEB
Get-PEB : Unable to obtain a handle for PID 10844. You will likely need to run this script elevated.
At line:1 char:26
- $AllPEBs = Get-Process | Get-PEB
-
~~~~~~~- CategoryInfo : NotSpecified: (:) [Write-Error], WriteErrorException
- FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,Get-PEB**
Get-PEB: getting current directory works for cmd.exe, but not for powershell.exe
On my Windows 10 box I opened a Powershell session and a Cmd session in both of which I changed the current working directory with "cd Desktop". Now I do this:
PS C:\Users\XXX\Desktop> (Get-PEB -Id (ps powershell).Id).ProcessParameters.CurrentDirectory
C:\Users\XXX\
PS C:\Users\XXX\Desktop> (Get-PEB -Id (ps cmd).Id).ProcessParameters.CurrentDirectory
C:\Users\XXX\Desktop\
As you can see, the output is correct for Cmd, but wrong for Powershell. Is this a known problem?
Update: SysInternals Process Explorer shows the same discrepancy, so at least the two of them behave in the same way - but still unexpectedly.
Update 2: In the command line help there is a little bug in an example:
C:\PS>$NotepadPEB = Get-PEB -Id (ps notepad)
C:\PS> $NotepadPEB.InInitializationOrderModuleList
You forgot .Id. So in the first line it sould be: Get-PEB -Id (ps notepad).Id.
Support for -MethodInfo in Get-CSDisassembly
First of all, thank you for a great module!
I currently interested only in a small part: Disassembling.
I found this super convenient:
(Get-ILDisassembly -MethodInfo ([string].GetMethod("GetHashCode"))).Instructions
Is it possible to support same scenario for Get-CSDisassembly ?
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
๐ Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. ๐๐๐
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google โค๏ธ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.