Powershellarsenal - A Powershell Module Dedicated To Opposite Engineering
PowerShellArsenal is a PowerShell module used to assistance a contrary engineer. The module tin last used to disassemble managed in addition to unmanaged code, perform .NET malware analysis, analyze/scrape memory, parse file formats in addition to retentiveness structures, obtain internal organisation information, etc. PowerShellArsenal is comprised of the next tools:
Disassembly
Disassemble native in addition to managed code.
Get-CSDisassemblyDisassembles a byte array using the Capstone Engine disassembly framework.
Get-ILDisassemblyDisassembles a raw MSIL byte array passed inward from a MethodInfo object inward a fashion similar to that of Ildasm.
MalwareAnalysis
Useful tools when performing malware analysis.
New-FunctionDelegateProvides an executable wrapper for an X86 or X86_64 function.
Invoke-LoadLibraryLoads a DLL into the electrical flow PowerShell process.
New-DllExportFunctionCreates an executable wrapper delegate some an unmanaged, exported function.
Get-HostsFileParses a HOSTS file.
New-HostsFileEntryReplace or append an entry to a HOSTS file.
Remove-HostsFileEntryRemove an entry or serial of entries from a HOSTS file.
Get-AssemblyStringsOutput all strings from a .NET executable.
Get-AssemblyResourcesExtract managed resources from a .NET assembly
Remove-AssemblySuppressIldasmAttributeStrips a SuppressIldasmAttribute attribute from a .NET assembly.
Get-AssemblyImplementedMethodsReturns all methods inward an assembly that are implemented inward MSIL.
MemoryTools
Inspect in addition to analyze procedure memory
Get-ProcessStringsOutputs all printable strings from the user-mode retentiveness of a process.
Get-VirtualMemoryInfoInfluenza A virus subtype H5N1 wrapper for kernel32!VirtualQueryEx
Get-ProcessMemoryInfoRetrieve virtual retentiveness information for every unique gear upwards of pages inward user memory. This role is similar to the !vadump WinDbg command.
Get-StructFromMemoryMarshals information from an unmanaged block of retentiveness inward an arbitrary procedure to a newly allocated managed object of the specified type.
Parsers
Parse file formats in addition to in-memory structures.
Get-PEAn on-disk in addition to in-memory PE parser in addition to procedure dumper.
Find-ProcessPEsFinds portable executables inward retentiveness regardless of whether or non they were loaded inward a legitimate fashion.
Get-LibSymbolsDisplays symbolic information from Windows LIB files.
Get-ObjDumpDisplays information most Windows object (OBJ) files.
WindowsInternals
Obtain in addition to analyze low-level Windows OS information.
Get-NtSystemInformationInfluenza A virus subtype H5N1 utility that calls in addition to parses the output of the ntdll!NtQuerySystemInformation function. This utility tin last used to inquiry internal OS information that is typically non made visible to a user.
Get-PEBReturns the procedure environs block (PEB) of a process.
Register-ProcessModuleTraceStarts a draw of loaded procedure modules
Get-ProcessModuleTraceDisplays the procedure modules that convey been loaded since the telephone phone to Register-ProcessModuleTrace
Unregister-ProcessModuleTraceStops the running procedure module trace
Get-SystemInfoInfluenza A virus subtype H5N1 wrapper for kernel32!GetSystemInfo
Misc
Miscellaneous helper functions
Get-MemberInfluenza A virus subtype H5N1 proxy role used to extend the built-in Get-Member cmdlet. It adds the '-Private' parameter allowing y'all to display non-public .NET members
Get-StringsDumps strings from files inward both Unicode in addition to Ascii. This cmdlet replicates the functionality of strings.exe from Sysinternals.
ConvertTo-StringConverts the bytes of a file to a string that has a 1-to-1 mapping dorsum to the file's original bytes. ConvertTo-String is useful for performing binary regular expressions.
Get-EntropyCalculates the entropy of a file or byte array.
Lib
Libraries required yesteryear some of the RE functions.
CapstoneThe Capstone disassembly engine C# binding.
De4dotInfluenza A virus subtype H5N1 powerful .NET deobfuscation in addition to .NET PE parsing library.
PSReflectInfluenza A virus subtype H5N1 module used to easily define in-memory enums, structs, in addition to Win32 functions.
Formattersps1xml files used to format the output of diverse PowerShellArsenal functions.
License
The PowerShellArsenal module in addition to all private scripts are nether the BSD 3-Clause license unless explicitly noted otherwise.
Usage
Refer to the comment-based assist inward each private script for detailed usage information.
To install this module, driblet the entire PowerShellArsenal folder into 1 of your module directories. The default PowerShell module paths are listed inward the $Env:PSModulePath environs variable.
The default per-user module path is: "$Env:HomeDrive$Env:HOMEPATH\Documents\WindowsPowerShell\Modules" The default computer-level module path is: "$Env:windir\System32\WindowsPowerShell\v1.0\Modules"
To utilisation the module, type
Import-Module PowerShellArsenalTo encounter the commands imported, type
Get-Command -Module PowerShellArsenalIf you're running PowerShell v3 in addition to y'all wishing to withdraw the annoying 'Do y'all actually wishing to run scripts downloaded from the Internet' warning, 1 time you've placed PowerShellArsenal into your module path, run the next one-liner:
$Env:PSModulePath.Split(';') | % { if ( Test-Path (Join-Path $_ PowerShellArsenal) ) {Get-ChildItem $_ -Recurse | Unblock-File} }For assist on each private command, Get-Help is your friend.
Note: The tools contained inside this module were all designed such that they tin last run individually. Including them inward a module exactly lends itself to increased portability.
Script Style Guide
For all contributors in addition to time to come contributors to PowerShellArsenal, I inquire that y'all follow this trend guide when writing your scripts/modules.
- Avoid Write-Host at all costs. PowerShell functions/cmdlets are non command-line utilities! Pull requests containing code that uses Write-Host volition non last considered. You should output custom objects instead. For to a greater extent than information on creating custom objects, read these articles:
- If y'all wishing to display relevant debugging information to the screen, utilisation Write-Verbose. The user tin ever exactly tack on '-Verbose'.
- Always render descriptive, comment-based assist for every script. Also, last for certain to include your advert in addition to a BSD 3-Clause license (unless at that topographic point are extenuating circumstances that preclude the application of the BSD license).
- Make for certain all functions follow the proper PowerShell verb-noun agreement. Use Get-Verb to listing the default verbs used yesteryear PowerShell. Exceptions to supported verbs volition last considered on a case-by-case basis.
- I prefer that variable names last capitalized in addition to last every bit descriptive every bit possible.
- Provide logical spacing inward betwixt your code. Indent your code to become far to a greater extent than readable.
- If y'all abide by yourself repeating code, write a function.
- Catch all anticipated errors in addition to render meaningful output. If y'all convey an mistake that should halt execution of the script, utilisation 'Throw'. If y'all convey an mistake that doesn't necessitate to halt execution, utilisation Write-Error.
- If y'all are writing a script that interfaces alongside the Win32 API, endeavour to avoid compiling C# inline alongside Add-Type. Try to utilisation the PSReflect module, if possible.
- Do non utilisation hardcoded paths. Influenza A virus subtype H5N1 script should last useable correct out of the box. No 1 should convey to alter the code unless they wishing to.
- PowerShell v2 compatibility is highly desired.
- Use positional parameters in addition to brand parameters mandatory when it makes feel to practise so. For example, I'm looking for something similar the following:
[Parameter(Position = 0, Mandatory = $True)]
- Don't utilisation whatsoever aliases unless it makes feel for receiving pipeline input. They brand code to a greater extent than hard to read for people who are unfamiliar alongside a especial alias.
- Try non to allow commands run on for also long. For example, a pipeline is a natural house for a job break.
- Don't become overboard alongside inline comments. Only utilisation them when for certain aspects of the code mightiness last confusing to a reader.
- Rather than using Out-Null to suppress unwanted/irrelevant output, relieve the unwanted output to $null. Doing in addition to therefore provides a slight performance enhancement.
- Use default values for your parameters when it makes sense. Ideally, y'all wishing a script that volition piece of work without requiring whatsoever parameters.
- Explicitly terra firma all required in addition to optional dependencies inward the comment-based assist for your function. All library dependencies should reside inward the 'Lib' folder.
- If a script creates complex custom objects, include a ps1xml file that volition properly format the object's output. ps1xml files are stored inward Lib\Formatters.
