Added Get-NtSystemInformation
Get-NtSystemInformation is a wrapper function for NtQuerySystemInformation. It is a swiss-army knife tool for obtaining internal OS information. It can currently be used to query the following: global flags, handles, objects, kernel pool allocations, and loaded kernel modules
This commit is contained in:
Matt Graeber
parent
9c95f0bfda
commit
ea0dc9a2b8
|
|
@ -84,9 +84,9 @@ Returns the process environment block (PEB) of a process.
|
|||
|
||||
Disassembles a raw MSIL byte array passed in from a MethodInfo object in a manner similar to that of Ildasm.
|
||||
|
||||
#### `Get-KernelModuleInfo`
|
||||
#### `Get-NtSystemInformation`
|
||||
|
||||
Returns loaded kernel module information.
|
||||
A utility that calls and parses the output of the ntdll!NtQuerySystemInformation function. This utility can be used to query internal OS information that is typically not made visible to a user.
|
||||
|
||||
#### `Get-StructFromMemory`
|
||||
|
||||
|
|
@ -100,6 +100,10 @@ A proxy function used to extend the built-in Get-Member cmdlet. It adds the '-Pr
|
|||
|
||||
Dumps strings from files in both Unicode and Ascii. This cmdlet replicates the functionality of strings.exe from Sysinternals.
|
||||
|
||||
#### `ConvertTo-String`
|
||||
|
||||
Converts the bytes of a file to a string that has a 1-to-1 mapping back to the file's original bytes. ConvertTo-String is useful for performing binary regular expressions.
|
||||
|
||||
#### `Get-MethodAddress`
|
||||
|
||||
Get the unmanaged function address of a .NET method.
|
||||
|
|
|
|||
|
|
@ -0,0 +1,334 @@
|
|||
<?xml version="1.0" encoding="utf-8" ?>
|
||||
<Configuration>
|
||||
<ViewDefinitions>
|
||||
<View>
|
||||
<Name>SystemModuleView</Name>
|
||||
<ViewSelectedBy>
|
||||
<TypeName>_SYSTEM_MODULE</TypeName>
|
||||
</ViewSelectedBy>
|
||||
<TableControl>
|
||||
<AutoSize/>
|
||||
<TableHeaders>
|
||||
<TableColumnHeader>
|
||||
<Label>ImageBaseAddress</Label>
|
||||
</TableColumnHeader>
|
||||
<TableColumnHeader>
|
||||
<Label>ImageSize</Label>
|
||||
</TableColumnHeader>
|
||||
<TableColumnHeader>
|
||||
<Label>Flags</Label>
|
||||
</TableColumnHeader>
|
||||
<TableColumnHeader>
|
||||
<Label>Index</Label>
|
||||
</TableColumnHeader>
|
||||
<TableColumnHeader>
|
||||
<Label>Rank</Label>
|
||||
</TableColumnHeader>
|
||||
<TableColumnHeader>
|
||||
<Label>LoadCount</Label>
|
||||
</TableColumnHeader>
|
||||
<TableColumnHeader>
|
||||
<Label>NameOffset</Label>
|
||||
</TableColumnHeader>
|
||||
<TableColumnHeader>
|
||||
<Label>Name</Label>
|
||||
</TableColumnHeader>
|
||||
</TableHeaders>
|
||||
<TableRowEntries>
|
||||
<TableRowEntry>
|
||||
<TableColumnItems>
|
||||
<TableColumnItem>
|
||||
<ScriptBlock>"0x$($_.ImageBaseAddress.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
|
||||
</TableColumnItem>
|
||||
<TableColumnItem>
|
||||
<PropertyName>ImageSize</PropertyName>
|
||||
<FormatString>0x{0:X8}</FormatString>
|
||||
</TableColumnItem>
|
||||
<TableColumnItem>
|
||||
<PropertyName>Flags</PropertyName>
|
||||
<FormatString>0x{0:X8}</FormatString>
|
||||
</TableColumnItem>
|
||||
<TableColumnItem>
|
||||
<PropertyName>Index</PropertyName>
|
||||
<FormatString>0x{0:X4}</FormatString>
|
||||
</TableColumnItem>
|
||||
<TableColumnItem>
|
||||
<PropertyName>Rank</PropertyName>
|
||||
<FormatString>0x{0:X4}</FormatString>
|
||||
</TableColumnItem>
|
||||
<TableColumnItem>
|
||||
<PropertyName>LoadCount</PropertyName>
|
||||
<FormatString>0x{0:X4}</FormatString>
|
||||
</TableColumnItem>
|
||||
<TableColumnItem>
|
||||
<PropertyName>NameOffset</PropertyName>
|
||||
<FormatString>0x{0:X4}</FormatString>
|
||||
</TableColumnItem>
|
||||
<TableColumnItem>
|
||||
<ScriptBlock>$_.Name -replace '\\SystemRoot', $Env:SystemRoot</ScriptBlock>
|
||||
</TableColumnItem>
|
||||
</TableColumnItems>
|
||||
</TableRowEntry>
|
||||
</TableRowEntries>
|
||||
</TableControl>
|
||||
</View>
|
||||
<View>
|
||||
<Name>PoolTagView</Name>
|
||||
<ViewSelectedBy>
|
||||
<TypeName>_SYSTEM_POOL_TAG_INFORMATION</TypeName>
|
||||
</ViewSelectedBy>
|
||||
<TableControl>
|
||||
<AutoSize/>
|
||||
<TableHeaders>
|
||||
<TableColumnHeader>
|
||||
<Label>Tag</Label>
|
||||
</TableColumnHeader>
|
||||
<TableColumnHeader>
|
||||
<Label>PagedPoolAllocs</Label>
|
||||
</TableColumnHeader>
|
||||
<TableColumnHeader>
|
||||
<Label>PagedPoolFrees</Label>
|
||||
</TableColumnHeader>
|
||||
<TableColumnHeader>
|
||||
<Label>PagedPoolUsage</Label>
|
||||
</TableColumnHeader>
|
||||
<TableColumnHeader>
|
||||
<Label>NonPagedPoolAllocs</Label>
|
||||
</TableColumnHeader>
|
||||
<TableColumnHeader>
|
||||
<Label>NonPagedPoolFrees</Label>
|
||||
</TableColumnHeader>
|
||||
<TableColumnHeader>
|
||||
<Label>NonPagedPoolUsage</Label>
|
||||
</TableColumnHeader>
|
||||
</TableHeaders>
|
||||
<TableRowEntries>
|
||||
<TableRowEntry>
|
||||
<TableColumnItems>
|
||||
<TableColumnItem>
|
||||
<PropertyName>Tag</PropertyName>
|
||||
</TableColumnItem>
|
||||
<TableColumnItem>
|
||||
<PropertyName>PagedPoolAllocs</PropertyName>
|
||||
<FormatString>0x{0:X8}</FormatString>
|
||||
</TableColumnItem>
|
||||
<TableColumnItem>
|
||||
<PropertyName>PagedPoolFrees</PropertyName>
|
||||
<FormatString>0x{0:X8}</FormatString>
|
||||
</TableColumnItem>
|
||||
<TableColumnItem>
|
||||
<PropertyName>PagedPoolUsage</PropertyName>
|
||||
<FormatString>0x{0:X8}</FormatString>
|
||||
</TableColumnItem>
|
||||
<TableColumnItem>
|
||||
<PropertyName>NonPagedPoolAllocs</PropertyName>
|
||||
<FormatString>0x{0:X8}</FormatString>
|
||||
</TableColumnItem>
|
||||
<TableColumnItem>
|
||||
<PropertyName>NonPagedPoolFrees</PropertyName>
|
||||
<FormatString>0x{0:X8}</FormatString>
|
||||
</TableColumnItem>
|
||||
<TableColumnItem>
|
||||
<PropertyName>NonPagedPoolUsage</PropertyName>
|
||||
<FormatString>0x{0:X8}</FormatString>
|
||||
</TableColumnItem>
|
||||
</TableColumnItems>
|
||||
</TableRowEntry>
|
||||
</TableRowEntries>
|
||||
</TableControl>
|
||||
</View>
|
||||
<View>
|
||||
<Name>SystemHandleView</Name>
|
||||
<ViewSelectedBy>
|
||||
<TypeName>_SYSTEM_HANDLE_INFORMATION</TypeName>
|
||||
</ViewSelectedBy>
|
||||
<ListControl>
|
||||
<ListEntries>
|
||||
<ListEntry>
|
||||
<ListItems>
|
||||
<ListItem>
|
||||
<PropertyName>UniqueProcessId</PropertyName>
|
||||
<FormatString>0x{0:X4}</FormatString>
|
||||
</ListItem>
|
||||
<ListItem>
|
||||
<PropertyName>CreatorBackTraceIndex</PropertyName>
|
||||
<FormatString>0x{0:X4}</FormatString>
|
||||
</ListItem>
|
||||
<ListItem>
|
||||
<PropertyName>ObjectTypeIndex</PropertyName>
|
||||
<FormatString>0x{0:X2}</FormatString>
|
||||
</ListItem>
|
||||
<ListItem>
|
||||
<PropertyName>HandleAttribute</PropertyName>
|
||||
</ListItem>
|
||||
<ListItem>
|
||||
<PropertyName>HandleValue</PropertyName>
|
||||
<FormatString>0x{0:X4}</FormatString>
|
||||
</ListItem>
|
||||
<ListItem>
|
||||
<Label>Object</Label>
|
||||
<ScriptBlock>"0x$($_.Object.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
|
||||
</ListItem>
|
||||
<ListItem>
|
||||
<PropertyName>GrantedAccess</PropertyName>
|
||||
</ListItem>
|
||||
</ListItems>
|
||||
</ListEntry>
|
||||
</ListEntries>
|
||||
</ListControl>
|
||||
</View>
|
||||
<View>
|
||||
<Name>GenericMappingView</Name>
|
||||
<ViewSelectedBy>
|
||||
<TypeName>_GENERIC_MAPPING</TypeName>
|
||||
</ViewSelectedBy>
|
||||
<TableControl>
|
||||
<AutoSize/>
|
||||
<TableHeaders>
|
||||
<TableColumnHeader>
|
||||
<Label>GenericRead</Label>
|
||||
</TableColumnHeader>
|
||||
<TableColumnHeader>
|
||||
<Label>GenericWrite</Label>
|
||||
</TableColumnHeader>
|
||||
<TableColumnHeader>
|
||||
<Label>GenericExecute</Label>
|
||||
</TableColumnHeader>
|
||||
<TableColumnHeader>
|
||||
<Label>GenericAll</Label>
|
||||
</TableColumnHeader>
|
||||
</TableHeaders>
|
||||
<TableRowEntries>
|
||||
<TableRowEntry>
|
||||
<TableColumnItems>
|
||||
<TableColumnItem>
|
||||
<PropertyName>GenericRead</PropertyName>
|
||||
<FormatString>0x{0:X8}</FormatString>
|
||||
</TableColumnItem>
|
||||
<TableColumnItem>
|
||||
<PropertyName>GenericWrite</PropertyName>
|
||||
<FormatString>0x{0:X8}</FormatString>
|
||||
</TableColumnItem>
|
||||
<TableColumnItem>
|
||||
<PropertyName>GenericExecute</PropertyName>
|
||||
<FormatString>0x{0:X8}</FormatString>
|
||||
</TableColumnItem>
|
||||
<TableColumnItem>
|
||||
<PropertyName>GenericAll</PropertyName>
|
||||
<FormatString>0x{0:X8}</FormatString>
|
||||
</TableColumnItem>
|
||||
</TableColumnItems>
|
||||
</TableRowEntry>
|
||||
</TableRowEntries>
|
||||
</TableControl>
|
||||
</View>
|
||||
<View>
|
||||
<Name>ObjectTypeView</Name>
|
||||
<ViewSelectedBy>
|
||||
<TypeName>_SYSTEM_OBJECTTYPE_INFORMATION</TypeName>
|
||||
</ViewSelectedBy>
|
||||
<ListControl>
|
||||
<ListEntries>
|
||||
<ListEntry>
|
||||
<ListItems>
|
||||
<ListItem>
|
||||
<PropertyName>NumberOfObjects</PropertyName>
|
||||
<FormatString>0x{0:X8}</FormatString>
|
||||
</ListItem>
|
||||
<ListItem>
|
||||
<PropertyName>NumberOfHandles</PropertyName>
|
||||
<FormatString>0x{0:X8}</FormatString>
|
||||
</ListItem>
|
||||
<ListItem>
|
||||
<PropertyName>TypeIndex</PropertyName>
|
||||
<FormatString>0x{0:X8}</FormatString>
|
||||
</ListItem>
|
||||
<ListItem>
|
||||
<PropertyName>InvalidAttributes</PropertyName>
|
||||
</ListItem>
|
||||
<ListItem>
|
||||
<PropertyName>GenericMapping</PropertyName>
|
||||
</ListItem>
|
||||
<ListItem>
|
||||
<PropertyName>ValidAccessMask</PropertyName>
|
||||
</ListItem>
|
||||
<ListItem>
|
||||
<PropertyName>PoolType</PropertyName>
|
||||
</ListItem>
|
||||
<ListItem>
|
||||
<PropertyName>SecurityRequired</PropertyName>
|
||||
<FormatString>0x{0:X2}</FormatString>
|
||||
</ListItem>
|
||||
<ListItem>
|
||||
<PropertyName>WaitableObject</PropertyName>
|
||||
<FormatString>0x{0:X2}</FormatString>
|
||||
</ListItem>
|
||||
<ListItem>
|
||||
<PropertyName>TypeName</PropertyName>
|
||||
</ListItem>
|
||||
<ListItem>
|
||||
<PropertyName>Objects</PropertyName>
|
||||
</ListItem>
|
||||
</ListItems>
|
||||
</ListEntry>
|
||||
</ListEntries>
|
||||
</ListControl>
|
||||
</View>
|
||||
<View>
|
||||
<Name>ObjectView</Name>
|
||||
<ViewSelectedBy>
|
||||
<TypeName>_SYSTEM_OBJECT_INFORMATION</TypeName>
|
||||
</ViewSelectedBy>
|
||||
<ListControl>
|
||||
<ListEntries>
|
||||
<ListEntry>
|
||||
<ListItems>
|
||||
<ListItem>
|
||||
<Label>Object</Label>
|
||||
<ScriptBlock>"0x$($_.Object.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
|
||||
</ListItem>
|
||||
<ListItem>
|
||||
<Label>CreatorUniqueProcess</Label>
|
||||
<ScriptBlock>"0x$($_.CreatorUniqueProcess.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
|
||||
</ListItem>
|
||||
<ListItem>
|
||||
<PropertyName>CreatorBackTraceIndex</PropertyName>
|
||||
<FormatString>0x{0:X4}</FormatString>
|
||||
</ListItem>
|
||||
<ListItem>
|
||||
<PropertyName>Flags</PropertyName>
|
||||
</ListItem>
|
||||
<ListItem>
|
||||
<PropertyName>PointerCount</PropertyName>
|
||||
<FormatString>0x{0:X8}</FormatString>
|
||||
</ListItem>
|
||||
<ListItem>
|
||||
<PropertyName>HandleCount</PropertyName>
|
||||
<FormatString>0x{0:X8}</FormatString>
|
||||
</ListItem>
|
||||
<ListItem>
|
||||
<PropertyName>PagedPoolCharge</PropertyName>
|
||||
<FormatString>0x{0:X8}</FormatString>
|
||||
</ListItem>
|
||||
<ListItem>
|
||||
<PropertyName>NonPagedPoolCharge</PropertyName>
|
||||
<FormatString>0x{0:X8}</FormatString>
|
||||
</ListItem>
|
||||
<ListItem>
|
||||
<Label>ExclusiveProcessId</Label>
|
||||
<ScriptBlock>"0x$($_.ExclusiveProcessId.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
|
||||
</ListItem>
|
||||
<ListItem>
|
||||
<Label>SecurityDescriptor</Label>
|
||||
<ScriptBlock>"0x$($_.SecurityDescriptor.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
|
||||
</ListItem>
|
||||
<ListItem>
|
||||
<PropertyName>NameInfo</PropertyName>
|
||||
</ListItem>
|
||||
</ListItems>
|
||||
</ListEntry>
|
||||
</ListEntries>
|
||||
</ListControl>
|
||||
</View>
|
||||
</ViewDefinitions>
|
||||
</Configuration>
|
||||
File diff suppressed because it is too large
Load Diff
|
|
@ -52,7 +52,7 @@ PowerShellVersion = '2.0'
|
|||
# TypesToProcess = @()
|
||||
|
||||
# Format files (.ps1xml) to be loaded when importing this module
|
||||
FormatsToProcess = 'Get-KernelModuleInfo.format.ps1xml', 'Get-PEB.format.ps1xml'
|
||||
FormatsToProcess = 'Get-PEB.format.ps1xml', 'Get-NtSystemInformation.format.ps1xml'
|
||||
|
||||
# Modules to import as nested modules of the module specified in RootModule/ModuleToProcess
|
||||
# NestedModules = @()
|
||||
|
|
@ -73,9 +73,10 @@ AliasesToExport = ''
|
|||
ModuleList = @(@{ModuleName = 'ReverseEngineering'; ModuleVersion = '1.0.0.0'; GUID = 'cbffaf47-c55a-4901-92e7-8d794fbe1fff'})
|
||||
|
||||
# List of all files packaged with this module
|
||||
FileList = 'ReverseEngineering.psm1', 'ReverseEngineering.psd1', 'Get-ILDisassembly.ps1', 'Get-KernelModuleInfo.format.ps1xml',
|
||||
'Get-KernelModuleInfo.ps1', 'Get-Member.ps1', 'Get-MethodAddress.ps1', 'Get-PEB.format.ps1xml',
|
||||
'Get-PEB.ps1', 'Get-Strings.ps1', 'Get-StructFromMemory.ps1', 'Usage.md'
|
||||
FileList = 'ReverseEngineering.psm1', 'ReverseEngineering.psd1', 'Get-ILDisassembly.ps1', 'Get-NtSystemInformation.format.ps1xml',
|
||||
'Get-NtSystemInformation.ps1', 'Get-Member.ps1', 'Get-MethodAddress.ps1', 'Get-PEB.format.ps1xml',
|
||||
'Get-PEB.ps1', 'Get-Strings.ps1', 'Get-StructFromMemory.ps1', 'ConvertTo-String.ps1',
|
||||
'Usage.md'
|
||||
|
||||
# Private data to pass to the module specified in RootModule/ModuleToProcess
|
||||
# PrivateData = ''
|
||||
|
|
|
|||
Loading…
Reference in New Issue