Added Get-NtSystemInformation

Get-NtSystemInformation is a wrapper function for
NtQuerySystemInformation. It is a Swiss-army-knife tool for obtaining
internal OS information. It can currently be used to query the
following: global flags, handles, objects, kernel pool allocations, and
loaded kernel modules.
This commit is contained in:
Matt Graeber 2013-05-12 10:27:15 -04:00
parent 9c95f0bfda
commit ea0dc9a2b8
4 changed files with 3431 additions and 6 deletions


@ -84,9 +84,9 @@ Returns the process environment block (PEB) of a process.
Disassembles a raw MSIL byte array passed in from a MethodInfo object in a manner similar to that of Ildasm. Disassembles a raw MSIL byte array passed in from a MethodInfo object in a manner similar to that of Ildasm.
#### `Get-KernelModuleInfo` #### `Get-NtSystemInformation`
Returns loaded kernel module information. A utility that calls and parses the output of the ntdll!NtQuerySystemInformation function. This utility can be used to query internal OS information that is typically not made visible to a user.
#### `Get-StructFromMemory` #### `Get-StructFromMemory`
@ -100,6 +100,10 @@ A proxy function used to extend the built-in Get-Member cmdlet. It adds the '-Pr
Dumps strings from files in both Unicode and Ascii. This cmdlet replicates the functionality of strings.exe from Sysinternals. Dumps strings from files in both Unicode and Ascii. This cmdlet replicates the functionality of strings.exe from Sysinternals.
#### `ConvertTo-String`
Converts the bytes of a file to a string that has a 1-to-1 mapping back to the file's original bytes. ConvertTo-String is useful for performing binary regular expressions.
#### `Get-MethodAddress` #### `Get-MethodAddress`
Get the unmanaged function address of a .NET method. Get the unmanaged function address of a .NET method.


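--- /dev/null
+++ b/Get-NtSystemInformation.format.ps1xml
@@ -0,0 +1,334 @@
+<?xml version="1.0" encoding="utf-8" ?>
+<Configuration>
+<ViewDefinitions>
+<View>
+<Name>SystemModuleView</Name>
+<ViewSelectedBy>
+<TypeName>_SYSTEM_MODULE</TypeName>
+</ViewSelectedBy>
+<TableControl>
+<AutoSize/>
+<TableHeaders>
+<TableColumnHeader>
+<Label>ImageBaseAddress</Label>
+</TableColumnHeader>
+<TableColumnHeader>
+<Label>ImageSize</Label>
+</TableColumnHeader>
+<TableColumnHeader>
+<Label>Flags</Label>
+</TableColumnHeader>
+<TableColumnHeader>
+<Label>Index</Label>
+</TableColumnHeader>
+<TableColumnHeader>
+<Label>Rank</Label>
+</TableColumnHeader>
+<TableColumnHeader>
+<Label>LoadCount</Label>
+</TableColumnHeader>
+<TableColumnHeader>
+<Label>NameOffset</Label>
+</TableColumnHeader>
+<TableColumnHeader>
+<Label>Name</Label>
+</TableColumnHeader>
+</TableHeaders>
+<TableRowEntries>
+<TableRowEntry>
+<TableColumnItems>
+<TableColumnItem>
+<ScriptBlock>"0x$($_.ImageBaseAddress.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
+</TableColumnItem>
+<TableColumnItem>
+<PropertyName>ImageSize</PropertyName>
+<FormatString>0x{0:X8}</FormatString>
+</TableColumnItem>
+<TableColumnItem>
+<PropertyName>Flags</PropertyName>
+<FormatString>0x{0:X8}</FormatString>
+</TableColumnItem>
+<TableColumnItem>
+<PropertyName>Index</PropertyName>
+<FormatString>0x{0:X4}</FormatString>
+</TableColumnItem>
+<TableColumnItem>
+<PropertyName>Rank</PropertyName>
+<FormatString>0x{0:X4}</FormatString>
+</TableColumnItem>
+<TableColumnItem>
+<PropertyName>LoadCount</PropertyName>
+<FormatString>0x{0:X4}</FormatString>
+</TableColumnItem>
+<TableColumnItem>
+<PropertyName>NameOffset</PropertyName>
+<FormatString>0x{0:X4}</FormatString>
+</TableColumnItem>
+<TableColumnItem>
+<ScriptBlock>$_.Name -replace '\\SystemRoot', $Env:SystemRoot</ScriptBlock>
+</TableColumnItem>
+</TableColumnItems>
+</TableRowEntry>
+</TableRowEntries>
+</TableControl>
+</View>
+<View>
+<Name>PoolTagView</Name>
+<ViewSelectedBy>
+<TypeName>_SYSTEM_POOL_TAG_INFORMATION</TypeName>
+</ViewSelectedBy>
+<TableControl>
+<AutoSize/>
+<TableHeaders>
+<TableColumnHeader>
+<Label>Tag</Label>
+</TableColumnHeader>
+<TableColumnHeader>
+<Label>PagedPoolAllocs</Label>
+</TableColumnHeader>
+<TableColumnHeader>
+<Label>PagedPoolFrees</Label>
+</TableColumnHeader>
+<TableColumnHeader>
+<Label>PagedPoolUsage</Label>
+</TableColumnHeader>
+<TableColumnHeader>
+<Label>NonPagedPoolAllocs</Label>
+</TableColumnHeader>
+<TableColumnHeader>
+<Label>NonPagedPoolFrees</Label>
+</TableColumnHeader>
+<TableColumnHeader>
+<Label>NonPagedPoolUsage</Label>
+</TableColumnHeader>
+</TableHeaders>
+<TableRowEntries>
+<TableRowEntry>
+<TableColumnItems>
+<TableColumnItem>
+<PropertyName>Tag</PropertyName>
+</TableColumnItem>
+<TableColumnItem>
+<PropertyName>PagedPoolAllocs</PropertyName>
+<FormatString>0x{0:X8}</FormatString>
+</TableColumnItem>
+<TableColumnItem>
+<PropertyName>PagedPoolFrees</PropertyName>
+<FormatString>0x{0:X8}</FormatString>
+</TableColumnItem>
+<TableColumnItem>
+<PropertyName>PagedPoolUsage</PropertyName>
+<FormatString>0x{0:X8}</FormatString>
+</TableColumnItem>
+<TableColumnItem>
+<PropertyName>NonPagedPoolAllocs</PropertyName>
+<FormatString>0x{0:X8}</FormatString>
+</TableColumnItem>
+<TableColumnItem>
+<PropertyName>NonPagedPoolFrees</PropertyName>
+<FormatString>0x{0:X8}</FormatString>
+</TableColumnItem>
+<TableColumnItem>
+<PropertyName>NonPagedPoolUsage</PropertyName>
+<FormatString>0x{0:X8}</FormatString>
+</TableColumnItem>
+</TableColumnItems>
+</TableRowEntry>
+</TableRowEntries>
+</TableControl>
+</View>
+<View>
+<Name>SystemHandleView</Name>
+<ViewSelectedBy>
+<TypeName>_SYSTEM_HANDLE_INFORMATION</TypeName>
+</ViewSelectedBy>
+<ListControl>
+<ListEntries>
+<ListEntry>
+<ListItems>
+<ListItem>
+<PropertyName>UniqueProcessId</PropertyName>
+<FormatString>0x{0:X4}</FormatString>
+</ListItem>
+<ListItem>
+<PropertyName>CreatorBackTraceIndex</PropertyName>
+<FormatString>0x{0:X4}</FormatString>
+</ListItem>
+<ListItem>
+<PropertyName>ObjectTypeIndex</PropertyName>
+<FormatString>0x{0:X2}</FormatString>
+</ListItem>
+<ListItem>
+<PropertyName>HandleAttribute</PropertyName>
+</ListItem>
+<ListItem>
+<PropertyName>HandleValue</PropertyName>
+<FormatString>0x{0:X4}</FormatString>
+</ListItem>
+<ListItem>
+<Label>Object</Label>
+<ScriptBlock>"0x$($_.Object.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
+</ListItem>
+<ListItem>
+<PropertyName>GrantedAccess</PropertyName>
+</ListItem>
+</ListItems>
+</ListEntry>
+</ListEntries>
+</ListControl>
+</View>
+<View>
+<Name>GenericMappingView</Name>
+<ViewSelectedBy>
+<TypeName>_GENERIC_MAPPING</TypeName>
+</ViewSelectedBy>
+<TableControl>
+<AutoSize/>
+<TableHeaders>
+<TableColumnHeader>
+<Label>GenericRead</Label>
+</TableColumnHeader>
+<TableColumnHeader>
+<Label>GenericWrite</Label>
+</TableColumnHeader>
+<TableColumnHeader>
+<Label>GenericExecute</Label>
+</TableColumnHeader>
+<TableColumnHeader>
+<Label>GenericAll</Label>
+</TableColumnHeader>
+</TableHeaders>
+<TableRowEntries>
+<TableRowEntry>
+<TableColumnItems>
+<TableColumnItem>
+<PropertyName>GenericRead</PropertyName>
+<FormatString>0x{0:X8}</FormatString>
+</TableColumnItem>
+<TableColumnItem>
+<PropertyName>GenericWrite</PropertyName>
+<FormatString>0x{0:X8}</FormatString>
+</TableColumnItem>
+<TableColumnItem>
+<PropertyName>GenericExecute</PropertyName>
+<FormatString>0x{0:X8}</FormatString>
+</TableColumnItem>
+<TableColumnItem>
+<PropertyName>GenericAll</PropertyName>
+<FormatString>0x{0:X8}</FormatString>
+</TableColumnItem>
+</TableColumnItems>
+</TableRowEntry>
+</TableRowEntries>
+</TableControl>
+</View>
+<View>
+<Name>ObjectTypeView</Name>
+<ViewSelectedBy>
+<TypeName>_SYSTEM_OBJECTTYPE_INFORMATION</TypeName>
+</ViewSelectedBy>
+<ListControl>
+<ListEntries>
+<ListEntry>
+<ListItems>
+<ListItem>
+<PropertyName>NumberOfObjects</PropertyName>
+<FormatString>0x{0:X8}</FormatString>
+</ListItem>
+<ListItem>
+<PropertyName>NumberOfHandles</PropertyName>
+<FormatString>0x{0:X8}</FormatString>
+</ListItem>
+<ListItem>
+<PropertyName>TypeIndex</PropertyName>
+<FormatString>0x{0:X8}</FormatString>
+</ListItem>
+<ListItem>
+<PropertyName>InvalidAttributes</PropertyName>
+</ListItem>
+<ListItem>
+<PropertyName>GenericMapping</PropertyName>
+</ListItem>
+<ListItem>
+<PropertyName>ValidAccessMask</PropertyName>
+</ListItem>
+<ListItem>
+<PropertyName>PoolType</PropertyName>
+</ListItem>
+<ListItem>
+<PropertyName>SecurityRequired</PropertyName>
+<FormatString>0x{0:X2}</FormatString>
+</ListItem>
+<ListItem>
+<PropertyName>WaitableObject</PropertyName>
+<FormatString>0x{0:X2}</FormatString>
+</ListItem>
+<ListItem>
+<PropertyName>TypeName</PropertyName>
+</ListItem>
+<ListItem>
+<PropertyName>Objects</PropertyName>
+</ListItem>
+</ListItems>
+</ListEntry>
+</ListEntries>
+</ListControl>
+</View>
+<View>
+<Name>ObjectView</Name>
+<ViewSelectedBy>
+<TypeName>_SYSTEM_OBJECT_INFORMATION</TypeName>
+</ViewSelectedBy>
+<ListControl>
+<ListEntries>
+<ListEntry>
+<ListItems>
+<ListItem>
+<Label>Object</Label>
+<ScriptBlock>"0x$($_.Object.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
+</ListItem>
+<ListItem>
+<Label>CreatorUniqueProcess</Label>
+<ScriptBlock>"0x$($_.CreatorUniqueProcess.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
+</ListItem>
+<ListItem>
+<PropertyName>CreatorBackTraceIndex</PropertyName>
+<FormatString>0x{0:X4}</FormatString>
+</ListItem>
+<ListItem>
+<PropertyName>Flags</PropertyName>
+</ListItem>
+<ListItem>
+<PropertyName>PointerCount</PropertyName>
+<FormatString>0x{0:X8}</FormatString>
+</ListItem>
+<ListItem>
+<PropertyName>HandleCount</PropertyName>
+<FormatString>0x{0:X8}</FormatString>
+</ListItem>
+<ListItem>
+<PropertyName>PagedPoolCharge</PropertyName>
+<FormatString>0x{0:X8}</FormatString>
+</ListItem>
+<ListItem>
+<PropertyName>NonPagedPoolCharge</PropertyName>
+<FormatString>0x{0:X8}</FormatString>
+</ListItem>
+<ListItem>
+<Label>ExclusiveProcessId</Label>
+<ScriptBlock>"0x$($_.ExclusiveProcessId.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
+</ListItem>
+<ListItem>
+<Label>SecurityDescriptor</Label>
+<ScriptBlock>"0x$($_.SecurityDescriptor.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
+</ListItem>
+<ListItem>
+<PropertyName>NameInfo</PropertyName>
+</ListItem>
+</ListItems>
+</ListEntry>
+</ListEntries>
+</ListControl>
+</View>
+</ViewDefinitions>
+</Configuration>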
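Review bot: In SystemHandleView the `GrantedAccess` and `HandleAttribute` items, and in ObjectView the `Flags` item, are emitted with no FormatString, while every other mask and counter in this file — including the four `_GENERIC_MAPPING` access-mask columns — is rendered as `0x{0:X8}`, so an access mask will print in decimal next to hex values. The type definitions live in Get-NtSystemInformation.ps1, whose diff is suppressed on this page, so if those properties are already enum-typed the decimal/flag-name output may be intentional; if they are raw UInt32 values they should get `<FormatString>0x{0:X8}</FormatString>` like their siblings. A one-line comment on the `GrantedAccess` item stating which of the two applies would settle it for the next reader, e.g. `<!-- ACCESS_MASK; left unformatted because the property is enum-typed -->` or the hex FormatString.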



@ -52,7 +52,7 @@ PowerShellVersion = '2.0'
# TypesToProcess = @() # TypesToProcess = @()
# Format files (.ps1xml) to be loaded when importing this module # Format files (.ps1xml) to be loaded when importing this module
FormatsToProcess = 'Get-KernelModuleInfo.format.ps1xml', 'Get-PEB.format.ps1xml' FormatsToProcess = 'Get-PEB.format.ps1xml', 'Get-NtSystemInformation.format.ps1xml'
# Modules to import as nested modules of the module specified in RootModule/ModuleToProcess # Modules to import as nested modules of the module specified in RootModule/ModuleToProcess
# NestedModules = @() # NestedModules = @()
@ -73,9 +73,10 @@ AliasesToExport = ''
ModuleList = @(@{ModuleName = 'ReverseEngineering'; ModuleVersion = '1.0.0.0'; GUID = 'cbffaf47-c55a-4901-92e7-8d794fbe1fff'}) ModuleList = @(@{ModuleName = 'ReverseEngineering'; ModuleVersion = '1.0.0.0'; GUID = 'cbffaf47-c55a-4901-92e7-8d794fbe1fff'})
# List of all files packaged with this module # List of all files packaged with this module
FileList = 'ReverseEngineering.psm1', 'ReverseEngineering.psd1', 'Get-ILDisassembly.ps1', 'Get-KernelModuleInfo.format.ps1xml', FileList = 'ReverseEngineering.psm1', 'ReverseEngineering.psd1', 'Get-ILDisassembly.ps1', 'Get-NtSystemInformation.format.ps1xml',
'Get-KernelModuleInfo.ps1', 'Get-Member.ps1', 'Get-MethodAddress.ps1', 'Get-PEB.format.ps1xml', 'Get-NtSystemInformation.ps1', 'Get-Member.ps1', 'Get-MethodAddress.ps1', 'Get-PEB.format.ps1xml',
'Get-PEB.ps1', 'Get-Strings.ps1', 'Get-StructFromMemory.ps1', 'Usage.md' 'Get-PEB.ps1', 'Get-Strings.ps1', 'Get-StructFromMemory.ps1', 'ConvertTo-String.ps1',
'Usage.md'
# Private data to pass to the module specified in RootModule/ModuleToProcess # Private data to pass to the module specified in RootModule/ModuleToProcess
# PrivateData = '' # PrivateData = ''
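Review bot: The new FileList and FormatsToProcess values drop `'Get-KernelModuleInfo.ps1'` and `'Get-KernelModuleInfo.format.ps1xml'`, but the diffstat (4 changed files, 6 deletions) suggests neither file is deleted in this commit, so they would remain shipped in the module directory while no longer being declared in the manifest; either the deletions belong in this change or the entries should stay until they are removed. Conversely `'ConvertTo-String.ps1'` is added to FileList without appearing among the changed files, so its presence in the module directory should be confirmed before the manifest is published. If the manifest also enumerates exported functions (the `FunctionsToExport` key is outside this hunk, if present), it should be updated for Get-NtSystemInformation in the same commit so the manifest and the psm1 agree.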