Permalink
Cannot retrieve contributors at this time
Name already in use
A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?
PSKernel-Primitives/Get-LoadedModules.ps1
Go to fileThis commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
117 lines (100 sloc)
3.34 KB
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| function Get-LoadedModules { | |
| <# | |
| .SYNOPSIS | |
| Use NtQuerySystemInformation::SystemModuleInformation to get a list of | |
| loaded modules, their base address and size (x32/x64). | |
| Note: Low integrity only pre 8.1 | |
| .DESCRIPTION | |
| Author: Ruben Boonen (@FuzzySec) | |
| License: BSD 3-Clause | |
| Required Dependencies: None | |
| Optional Dependencies: None | |
| .EXAMPLE | |
| C:\PS> $Modules = Get-LoadedModules | |
| C:\PS> $KernelBase = $Modules[0].ImageBase | |
| C:\PS> $KernelType = ($Modules[0].ImageName -split "\\")[-1] | |
| C:\PS> ...... | |
| #> | |
| Add-Type -TypeDefinition @" | |
| using System; | |
| using System.Diagnostics; | |
| using System.Runtime.InteropServices; | |
| using System.Security.Principal; | |
| [StructLayout(LayoutKind.Sequential, Pack = 1)] | |
| public struct SYSTEM_MODULE_INFORMATION | |
| { | |
| [MarshalAs(UnmanagedType.ByValArray, SizeConst = 2)] | |
| public UIntPtr[] Reserved; | |
| public IntPtr ImageBase; | |
| public UInt32 ImageSize; | |
| public UInt32 Flags; | |
| public UInt16 LoadOrderIndex; | |
| public UInt16 InitOrderIndex; | |
| public UInt16 LoadCount; | |
| public UInt16 ModuleNameOffset; | |
| [MarshalAs(UnmanagedType.ByValArray, SizeConst = 256)] | |
| internal Char[] _ImageName; | |
| public String ImageName { | |
| get { | |
| return new String(_ImageName).Split(new Char[] {'\0'}, 2)[0]; | |
| } | |
| } | |
| } | |
| public static class Ntdll | |
| { | |
| [DllImport("ntdll.dll")] | |
| public static extern int NtQuerySystemInformation( | |
| int SystemInformationClass, | |
| IntPtr SystemInformation, | |
| int SystemInformationLength, | |
| ref int ReturnLength); | |
| } | |
| "@ | |
| [int]$BuffPtr_Size = 0 | |
| while ($true) { | |
| [IntPtr]$BuffPtr = [System.Runtime.InteropServices.Marshal]::AllocHGlobal($BuffPtr_Size) | |
| $SystemInformationLength = New-Object Int | |
| # SystemModuleInformation Class = 11 | |
| $CallResult = [Ntdll]::NtQuerySystemInformation(11, $BuffPtr, $BuffPtr_Size, [ref]$SystemInformationLength) | |
| # STATUS_INFO_LENGTH_MISMATCH | |
| if ($CallResult -eq 0xC0000004) { | |
| [System.Runtime.InteropServices.Marshal]::FreeHGlobal($BuffPtr) | |
| [int]$BuffPtr_Size = [System.Math]::Max($BuffPtr_Size,$SystemInformationLength) | |
| } | |
| # STATUS_SUCCESS | |
| elseif ($CallResult -eq 0x00000000) { | |
| break | |
| } | |
| # Probably: 0xC0000005 -> STATUS_ACCESS_VIOLATION | |
| else { | |
| [System.Runtime.InteropServices.Marshal]::FreeHGlobal($BuffPtr) | |
| return | |
| } | |
| } | |
| $SYSTEM_MODULE_INFORMATION = New-Object SYSTEM_MODULE_INFORMATION | |
| $SYSTEM_MODULE_INFORMATION = $SYSTEM_MODULE_INFORMATION.GetType() | |
| if ([System.IntPtr]::Size -eq 4) { | |
| $SYSTEM_MODULE_INFORMATION_Size = 284 | |
| } else { | |
| $SYSTEM_MODULE_INFORMATION_Size = 296 | |
| } | |
| $BuffOffset = $BuffPtr.ToInt64() | |
| $HandleCount = [System.Runtime.InteropServices.Marshal]::ReadInt32($BuffOffset) | |
| $BuffOffset = $BuffOffset + [System.IntPtr]::Size | |
| $SystemModuleArray = @() | |
| for ($i=0; $i -lt $HandleCount; $i++){ | |
| $SystemPointer = New-Object System.Intptr -ArgumentList $BuffOffset | |
| $Cast = [system.runtime.interopservices.marshal]::PtrToStructure($SystemPointer,[type]$SYSTEM_MODULE_INFORMATION) | |
| $HashTable = @{ | |
| ImageName = $Cast.ImageName | |
| ImageBase = if ([System.IntPtr]::Size -eq 4) {$($Cast.ImageBase).ToInt32()} else {$($Cast.ImageBase).ToInt64()} | |
| ImageSize = "0x$('{0:X}' -f $Cast.ImageSize)" | |
| } | |
| $Object = New-Object PSObject -Property $HashTable | |
| $SystemModuleArray += $Object | |
| $BuffOffset = $BuffOffset + $SYSTEM_MODULE_INFORMATION_Size | |
| } | |
| $SystemModuleArray | |
| # Free SystemModuleInformation array | |
| [System.Runtime.InteropServices.Marshal]::FreeHGlobal($BuffPtr) | |
| } |