PowerShellArsenal is a PowerShell module used to aid a reverse engineer. The module can be used to disassemble managed and unmanaged code, perform .NET malware analysis, analyze/scrape memory, parse file formats and memory structures, obtain internal system information, etc. PowerShellArsenal comprises the following tools:
Disassembly
Disassemble native and managed code.
Get-CSDisassembly
Disassembles a byte array using the Capstone Engine disassembly framework.
Get-ILDisassembly
Disassembles a raw MSIL byte array passed in from a MethodInfo object in a manner similar to that of Ildasm.
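The following is an added example, not code from PowerShellArsenal: a minimal MSIL walker in the spirit of Get-ILDisassembly. It takes the raw IL byte array from MethodInfo.GetMethodBody() and decodes it using the opcode metadata that System.Reflection.Emit.OpCodes publishes (value, size, operand type), resolving branch targets, string tokens and method tokens the way an Ildasm-style listing does. The sample method IlSample.IsSuspicious is constructed here and compiled in-process with Add-Type so there is something to disassemble.

```powershell
# Opcode lookup keyed by 16-bit value. Two-byte opcodes are encoded as 0xFE xx and
# OpCode.Value holds 0xFExx as a signed Int16, hence the -band 0xFFFF.
$OpCodeTable = @{}
foreach ($field in [Reflection.Emit.OpCodes].GetFields('Public,Static')) {
    $op = $field.GetValue($null)
    if ($op -is [Reflection.Emit.OpCode]) { $OpCodeTable[[int]($op.Value -band 0xFFFF)] = $op }
}

# Fixed operand widths by OperandType; InlineSwitch is variable-length and handled inline.
$OperandSize = @{
    InlineNone = 0
    ShortInlineBrTarget = 1; ShortInlineI = 1; ShortInlineVar = 1
    InlineVar = 2
    InlineBrTarget = 4; InlineField = 4; InlineI = 4; InlineMethod = 4; InlineSig = 4
    InlineString = 4; InlineTok = 4; InlineType = 4; ShortInlineR = 4
    InlineI8 = 8; InlineR = 8
}

function Get-ILListing {
    param([Parameter(Mandatory)][Reflection.MethodInfo]$Method)

    $body = $Method.GetMethodBody()
    if (-not $body) { throw "$($Method.Name) has no IL body (abstract, extern or runtime-implemented)" }
    $il = $body.GetILAsByteArray()
    $module = $Method.Module
    $offset = 0

    while ($offset -lt $il.Length) {
        $start = $offset
        $key = [int]$il[$offset]; $offset += 1
        if ($key -eq 0xFE) { $key = 0xFE00 + $il[$offset]; $offset += 1 }
        $op = $OpCodeTable[$key]
        if (-not $op) { throw ('Unknown opcode 0x{0:X} at IL_{1:X4}' -f $key, $start) }

        $operand = ''
        $type = $op.OperandType.ToString()
        switch ($type) {
            'ShortInlineBrTarget' {
                $rel = [int]$il[$offset]; if ($rel -gt 127) { $rel -= 256 }; $offset += 1
                $operand = 'IL_{0:X4}' -f ($offset + $rel)    # relative to the next instruction
            }
            'InlineBrTarget' {
                $rel = [BitConverter]::ToInt32($il, $offset); $offset += 4
                $operand = 'IL_{0:X4}' -f ($offset + $rel)
            }
            'InlineSwitch' {
                $n = [BitConverter]::ToInt32($il, $offset); $offset += 4
                $end = $offset + 4 * $n                        # targets are relative to the end of the jump table
                $targets = for ($i = 0; $i -lt $n; $i++) {
                    'IL_{0:X4}' -f ($end + [BitConverter]::ToInt32($il, $offset)); $offset += 4
                }
                $operand = '(' + ($targets -join ', ') + ')'
            }
            'InlineString' {
                $operand = '"' + $module.ResolveString([BitConverter]::ToInt32($il, $offset)) + '"'; $offset += 4
            }
            'InlineMethod' {
                $m = $module.ResolveMethod([BitConverter]::ToInt32($il, $offset)); $offset += 4
                $operand = '{0}::{1}' -f $m.DeclaringType.FullName, $m.Name
            }
            default {
                $size = $OperandSize[$type]
                switch ($size) {
                    1 { $operand = [int]$il[$offset]; if ($type -eq 'ShortInlineI' -and $operand -gt 127) { $operand -= 256 } }
                    2 { $operand = [BitConverter]::ToUInt16($il, $offset) }
                    4 { $operand = '0x{0:X8}' -f [BitConverter]::ToInt32($il, $offset) }   # metadata token or immediate
                    8 { $operand = '0x{0:X16}' -f [BitConverter]::ToInt64($il, $offset) }
                }
                $offset += $size
            }
        }
        [pscustomobject]@{ Offset = 'IL_{0:X4}' -f $start; OpCode = $op.Name; Operand = $operand }
    }
}

# Constructed sample method, compiled in-process so the walker has a body to decode.
Add-Type -TypeDefinition @'
public static class IlSample {
    public static bool IsSuspicious(string name) {
        if (string.IsNullOrEmpty(name)) return false;
        return name.EndsWith(".exe") && name.Length > 8;
    }
}
'@
Get-ILListing -Method ([IlSample].GetMethod('IsSuspicious')) | Format-Table -AutoSize
```

Any MethodInfo with an IL body can be passed instead of the sample, for example a method pulled out of a suspect assembly with [Reflection.Assembly]::LoadFile(...).GetType(...).GetMethod(...). Field, type and signature tokens are left as raw hex here; Module.ResolveField, ResolveType and ResolveSignature turn them into names the same way ResolveMethod does above.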
MalwareAnalysis
Useful tools when performing malware analysis.
New-FunctionDelegate
Provides an executable wrapper for an X86 or X86_64 function.
Invoke-LoadLibrary
Loads a DLL into the current PowerShell process.
New-DllExportFunction
Creates an executable wrapper delegate around an unmanaged, exported function.
Get-HostsFile
Parses a HOSTS file.
New-HostsFileEntry
Replaces or appends an entry in a HOSTS file.
Remove-HostsFileEntry
Removes an entry or series of entries from a HOSTS file.
Get-AssemblyStrings
Outputs all strings from a .NET executable.
Get-AssemblyResources
Extracts managed resources from a .NET assembly.
Remove-AssemblySuppressIldasmAttribute
Strips a SuppressIldasmAttribute attribute from a .NET assembly.
Get-AssemblyImplementedMethods
Returns all methods in an assembly that are implemented in MSIL.
MemoryTools
Inspect and analyze process memory.
Get-ProcessStrings
Outputs all printable strings from the user-mode memory of a process.
Get-VirtualMemoryInfo
A wrapper for kernel32!VirtualQueryEx.
Get-ProcessMemoryInfo
Retrieve virtual memory information for every unique set of pages in user memory. This function is similar to the !vadump WinDbg command.
Get-StructFromMemory
Marshals data from an unmanaged block of memory in an arbitrary process to a newly allocated managed object of the specified type.
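The following is an added example, not code from PowerShellArsenal: it walks every user-mode region of a process with kernel32!VirtualQueryEx, the API that Get-VirtualMemoryInfo wraps and that Get-ProcessMemoryInfo iterates over to produce its !vadump-style listing. The P/Invoke declarations use Add-Type rather than the module's PSReflect; the type name VqxNative and the function name Get-MemoryRegion are assumptions made for this example. Windows only, and the inspecting PowerShell should match the target's bitness, since a 32-bit (WOW64) process cannot see a 64-bit target's upper address space.

```powershell
Add-Type -TypeDefinition @'
using System;
using System.Runtime.InteropServices;

[StructLayout(LayoutKind.Sequential)]
public struct MEMORY_BASIC_INFORMATION
{
    public IntPtr BaseAddress;
    public IntPtr AllocationBase;
    public uint   AllocationProtect;
    public IntPtr RegionSize;   // natural alignment puts this at +24 on x64, matching the native layout
    public uint   State;
    public uint   Protect;
    public uint   Type;
}

public static class VqxNative
{
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern IntPtr OpenProcess(uint dwDesiredAccess, bool bInheritHandle, int dwProcessId);

    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern IntPtr VirtualQueryEx(IntPtr hProcess, IntPtr lpAddress,
        out MEMORY_BASIC_INFORMATION lpBuffer, IntPtr dwLength);

    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool CloseHandle(IntPtr hObject);
}
'@

$MemState    = @{ 0x1000 = 'MEM_COMMIT'; 0x2000 = 'MEM_RESERVE'; 0x10000 = 'MEM_FREE' }
$MemType     = @{ 0x20000 = 'MEM_PRIVATE'; 0x40000 = 'MEM_MAPPED'; 0x1000000 = 'MEM_IMAGE' }
$PageProtect = @{ 0x01 = 'PAGE_NOACCESS'; 0x02 = 'PAGE_READONLY'; 0x04 = 'PAGE_READWRITE'; 0x08 = 'PAGE_WRITECOPY'
                  0x10 = 'PAGE_EXECUTE'; 0x20 = 'PAGE_EXECUTE_READ'; 0x40 = 'PAGE_EXECUTE_READWRITE'; 0x80 = 'PAGE_EXECUTE_WRITECOPY' }

function Get-MemoryRegion {
    param([int]$ProcessId = $PID)

    $PROCESS_QUERY_INFORMATION = 0x0400   # all VirtualQueryEx needs; no PROCESS_VM_READ required
    $hProcess = [VqxNative]::OpenProcess($PROCESS_QUERY_INFORMATION, $false, $ProcessId)
    if ($hProcess -eq [IntPtr]::Zero) {
        $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
        throw "OpenProcess($ProcessId) failed: $((New-Object ComponentModel.Win32Exception $err).Message)"
    }

    try {
        $mbi     = New-Object MEMORY_BASIC_INFORMATION
        $mbiSize = [IntPtr][Runtime.InteropServices.Marshal]::SizeOf([type][MEMORY_BASIC_INFORMATION])
        $address = [IntPtr]::Zero
        while ($true) {
            # Returns 0 once lpAddress passes the highest user-mode address.
            $written = [VqxNative]::VirtualQueryEx($hProcess, $address, [ref]$mbi, $mbiSize)
            if ($written -eq [IntPtr]::Zero) { break }

            if ($mbi.State -ne 0x10000) {   # report committed and reserved regions, skip MEM_FREE
                $protect = $PageProtect[[int]($mbi.Protect -band 0xFF)]
                if (($mbi.Protect -band 0x100) -ne 0) { $protect += '|PAGE_GUARD' }
                [pscustomobject]@{
                    BaseAddress = '0x{0:X}' -f $mbi.BaseAddress.ToInt64()
                    RegionSize  = $mbi.RegionSize.ToInt64()
                    State       = $MemState[[int]$mbi.State]
                    Protect     = $protect
                    Type        = $MemType[[int]$mbi.Type]
                    # Committed, private, executable memory has no image on disk behind it:
                    # the classic marker of injected or unpacked code (and of JIT code heaps).
                    PrivateExecutable = ($mbi.Type -eq 0x20000) -and ($mbi.State -eq 0x1000) -and (($mbi.Protect -band 0xF0) -ne 0)
                }
            }

            $next = $mbi.BaseAddress.ToInt64() + $mbi.RegionSize.ToInt64()
            if ($next -le $address.ToInt64()) { break }   # guard against wraparound
            $address = [IntPtr]$next
        }
    }
    finally {
        [void][VqxNative]::CloseHandle($hProcess)
    }
}

# Private executable regions in the current process; pass -ProcessId to inspect another.
Get-MemoryRegion | Where-Object PrivateExecutable | Format-Table -AutoSize
```

Protect is undefined for reserved regions, so those rows show an empty Protect column. In a managed process the CLR's JIT code heap will itself appear as PrivateExecutable, so treat the flag as a triage filter rather than a verdict.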
Parsers
Parse file formats and in-memory structures.
Get-PE
An on-disk and in-memory PE parser and process dumper.
Find-ProcessPEs
Finds portable executables in memory regardless of whether or not they were loaded in a legitimate fashion.
Get-LibSymbols
Displays symbolic information from Windows LIB files.
Get-ObjDump
Displays information about Windows object (OBJ) files.
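The following is an added example, not code from PowerShellArsenal: it locates and parses PE headers inside an arbitrary byte buffer, which is the core of what Find-ProcessPEs does over process memory and Get-PE does over a file. Every "MZ" hit is validated through e_lfanew and the "PE\0\0" signature rather than trusted, because a manually mapped or unlinked image keeps its headers even though the loader never registered it. The function names Find-PEHeaders and New-SamplePEBuffer are assumptions for this example, and the input is a constructed minimal PE32+ header placed at offset 0x100 of a zero-filled buffer, with a deliberately writable+executable section so the flag shows.

```powershell
function Find-PEHeaders {
    param([Parameter(Mandatory)][byte[]]$Buffer)
    $IMAGE_SCN_MEM_EXECUTE = [Convert]::ToUInt32('20000000', 16)
    $IMAGE_SCN_MEM_WRITE   = [Convert]::ToUInt32('80000000', 16)

    for ($i = 0; $i -le ($Buffer.Length - 0x40); $i++) {
        if ($Buffer[$i] -ne 0x4D -or $Buffer[$i + 1] -ne 0x5A) { continue }     # "MZ"
        $e_lfanew = [BitConverter]::ToInt32($Buffer, $i + 0x3C)
        $nt = $i + $e_lfanew
        # Validate e_lfanew before dereferencing it: past the DOS header, within a sane
        # distance, and leaving room for Signature + IMAGE_FILE_HEADER + OptionalHeader.Magic.
        if ($e_lfanew -lt 0x40 -or $e_lfanew -gt 0x1000 -or ($nt + 26) -gt $Buffer.Length) { continue }
        if ([BitConverter]::ToUInt32($Buffer, $nt) -ne 0x4550) { continue }       # "PE\0\0"

        $numSections = [BitConverter]::ToUInt16($Buffer, $nt + 6)
        $sizeOpt     = [BitConverter]::ToUInt16($Buffer, $nt + 20)
        $opt         = $nt + 24
        $is64        = ([BitConverter]::ToUInt16($Buffer, $opt) -eq 0x20B)         # PE32+ (0x20B) vs PE32 (0x10B)
        $entry = $imageBase = $sizeOfImage = $null
        if (($opt + 64) -le $Buffer.Length) {
            $entry       = [BitConverter]::ToUInt32($Buffer, $opt + 16)
            $imageBase   = if ($is64) { [BitConverter]::ToUInt64($Buffer, $opt + 24) } else { [BitConverter]::ToUInt32($Buffer, $opt + 28) }
            $sizeOfImage = [BitConverter]::ToUInt32($Buffer, $opt + 56)
        }

        # IMAGE_SECTION_HEADERs (40 bytes each) follow the optional header.
        $sections = @()
        $sec = $opt + $sizeOpt
        for ($s = 0; $s -lt $numSections -and ($sec + 40) -le $Buffer.Length; $s++) {
            $chars = [BitConverter]::ToUInt32($Buffer, $sec + 36)
            $sections += [pscustomobject]@{
                Name           = [Text.Encoding]::ASCII.GetString($Buffer, $sec, 8).TrimEnd([char]0)
                VirtualAddress = [BitConverter]::ToUInt32($Buffer, $sec + 12)
                VirtualSize    = [BitConverter]::ToUInt32($Buffer, $sec + 8)
                # Writable+executable sections are a common sign of a packer or self-modifying payload.
                WritableExecutable = (($chars -band $IMAGE_SCN_MEM_EXECUTE) -ne 0) -and (($chars -band $IMAGE_SCN_MEM_WRITE) -ne 0)
            }
            $sec += 40
        }
        [pscustomobject]@{
            Offset = $i; Machine = '0x{0:X4}' -f [BitConverter]::ToUInt16($Buffer, $nt + 4); PE32Plus = $is64
            EntryPoint = $entry; ImageBase = $imageBase; SizeOfImage = $sizeOfImage; Sections = $sections
        }
    }
}

function New-SamplePEBuffer {
    # Constructed test input: a minimal PE32+ header (not a runnable binary) at offset 0x100.
    $buf = New-Object byte[] 0x400
    $put = { param($off, [int64]$value, $size)
             [Array]::Copy([BitConverter]::GetBytes($value), 0, $buf, 0x100 + $off, $size) }
    & $put 0x00 0x5A4D 2                                  # e_magic "MZ"
    & $put 0x3C 0x80 4                                    # e_lfanew -> NT headers at +0x80
    & $put 0x80 0x4550 4                                  # "PE\0\0"
    & $put 0x84 0x8664 2                                  # Machine = AMD64
    & $put 0x86 2 2                                       # NumberOfSections
    & $put 0x94 0xF0 2                                    # SizeOfOptionalHeader (PE32+)
    & $put 0x96 0x22 2                                    # Characteristics
    & $put 0x98 0x20B 2                                   # OptionalHeader.Magic = PE32+
    & $put 0xA8 0x1000 4                                  # AddressOfEntryPoint (opt+16)
    & $put 0xB0 ([Convert]::ToInt64('140000000', 16)) 8   # ImageBase (opt+24)
    & $put 0xD0 0x3000 4                                  # SizeOfImage (opt+56)
    $sec = 0x98 + 0xF0                                    # first section header
    [Array]::Copy([Text.Encoding]::ASCII.GetBytes('.text'), 0, $buf, 0x100 + $sec, 5)
    & $put ($sec + 8) 0x800 4; & $put ($sec + 12) 0x1000 4; & $put ($sec + 36) 0x60000020 4
    $sec += 40
    [Array]::Copy([Text.Encoding]::ASCII.GetBytes('.data'), 0, $buf, 0x100 + $sec, 5)
    & $put ($sec + 8) 0x400 4; & $put ($sec + 12) 0x2000 4
    & $put ($sec + 36) ([Convert]::ToInt64('E0000040', 16)) 4   # READ|WRITE|EXECUTE on purpose
    return ,$buf
}

Find-PEHeaders -Buffer (New-SamplePEBuffer) | Format-List
```

On a real target, feed it [IO.File]::ReadAllBytes on a file, or the buffer returned by ReadProcessMemory for a region reported by the memory-walk above; the same validation chain then separates genuine headers from stray "MZ" bytes in data. Sections are read only while they fit in the buffer, so a header cut off at a region boundary yields a partial listing rather than an exception.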
WindowsInternals
Obtain and analyze low-level Windows OS information.
Get-NtSystemInformation
A utility that calls and parses the output of the ntdll!NtQuerySystemInformation function. This utility can be used to query internal OS information that is typically not made visible to a user.
Get-PEB
Returns the process environment block (PEB) of a process.
Register-ProcessModuleTrace
Starts a trace of loaded process modules.
Get-ProcessModuleTrace
Displays the process modules that have been loaded since the call to Register-ProcessModuleTrace.
Unregister-ProcessModuleTrace
Stops the running process module trace.
Get-SystemInfo
A wrapper for kernel32!GetSystemInfo.
Misc
Miscellaneous helper functions
Get-Member
A proxy function that extends the built-in Get-Member cmdlet with a '-Private' parameter for displaying non-public .NET members.
Get-Strings
Dumps strings from files in both Unicode and ASCII. This cmdlet replicates the functionality of strings.exe from Sysinternals.
ConvertTo-String
Converts the bytes of a file to a string that has a 1-to-1 mapping back to the file's original bytes. ConvertTo-String is useful for performing binary regular expressions.
Get-Entropy
Calculates the entropy of a file or byte array.
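The following is an added example, not code from PowerShellArsenal, covering the three Misc helpers above: the byte-to-char mapping behind ConvertTo-String, a Get-Strings-style ASCII and UTF-16LE extractor built as binary regular expressions on top of it, and Shannon entropy as Get-Entropy computes it. The function names (ConvertTo-ByteString, ConvertFrom-ByteString, Get-BinaryStrings, Get-ShannonEntropy) are assumptions for this example, and the input is constructed inline.

```powershell
function ConvertTo-ByteString {
    param([Parameter(Mandatory)][AllowEmptyCollection()][byte[]]$Bytes)
    # ISO-8859-1 (code page 28591) maps every byte 0x00-0xFF to the char with the same code
    # point, so string index == byte offset and .NET regex can run over raw binary data.
    [Text.Encoding]::GetEncoding(28591).GetString($Bytes)
}

function ConvertFrom-ByteString {
    param([Parameter(Mandatory)][string]$String)
    [Text.Encoding]::GetEncoding(28591).GetBytes($String)   # exact inverse of ConvertTo-ByteString
}

function Get-BinaryStrings {
    param([Parameter(Mandatory)][byte[]]$Bytes, [int]$MinimumLength = 4)
    $s = ConvertTo-ByteString -Bytes $Bytes
    $ascii   = "[\x20-\x7E]{$MinimumLength,}"           # printable ASCII runs, as strings.exe -a
    $unicode = "(?:[\x20-\x7E]\x00){$MinimumLength,}"   # UTF-16LE runs of printable ASCII, as strings.exe -u
    foreach ($m in [regex]::Matches($s, $ascii)) {
        [pscustomobject]@{ Offset = $m.Index; Encoding = 'Ascii'; Value = $m.Value }
    }
    foreach ($m in [regex]::Matches($s, $unicode)) {
        $raw = ConvertFrom-ByteString -String $m.Value
        [pscustomobject]@{ Offset = $m.Index; Encoding = 'Unicode'; Value = [Text.Encoding]::Unicode.GetString($raw) }
    }
}

function Get-ShannonEntropy {
    param([Parameter(Mandatory)][AllowEmptyCollection()][byte[]]$Bytes)
    if ($Bytes.Length -eq 0) { return 0.0 }
    $counts = New-Object int[] 256
    foreach ($b in $Bytes) { $counts[$b]++ }
    $entropy = 0.0
    foreach ($c in $counts) {
        if ($c -eq 0) { continue }
        $p = $c / $Bytes.Length
        $entropy -= $p * [Math]::Log($p, 2)
    }
    # 0 bits/byte for a single repeated value, up to 8 for uniformly distributed bytes;
    # sections near 8 are the usual hint of compression, encryption or packing.
    return $entropy
}

# Constructed input: an ASCII import name, a UTF-16LE API name, then a scrambled tail.
$text = New-Object 'System.Collections.Generic.List[byte]'
$text.AddRange([byte[]][Text.Encoding]::ASCII.GetBytes('MZ'))
$text.AddRange([byte[]](0, 0, 0))
$text.AddRange([byte[]][Text.Encoding]::ASCII.GetBytes('kernel32.dll'))
$text.AddRange([byte[]](0, 0))
$text.AddRange([byte[]][Text.Encoding]::Unicode.GetBytes('VirtualAlloc'))
$scrambled = [byte[]](1..64 | ForEach-Object { ($_ * 73) -band 0xFF })
$sample = [byte[]]($text.ToArray() + $scrambled)

Get-BinaryStrings -Bytes $sample -MinimumLength 4 | Format-Table -AutoSize
'Entropy: text portion {0:N2}, scrambled tail {1:N2}' -f (Get-ShannonEntropy -Bytes ($text.ToArray())), (Get-ShannonEntropy -Bytes $scrambled)
```

Because the mapping is 1-to-1, the Offset column is the byte offset into the original data and any other .NET regex (a YARA-like hex pattern written as \xNN escapes, for instance) can be run over the same string; the only caveat is to build patterns from \xNN escapes rather than literal non-ASCII characters, since those would be re-encoded by the editor before they reach the regex engine.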
Lib
Libraries required by some of the RE functions.
Capstone
The Capstone disassembly engine C# binding.
De4dot
A powerful .NET deobfuscation and .NET PE parsing library.
PSReflect
A module used to easily define in-memory enums, structs, and Win32 functions.
Formatters
ps1xml files used to format the output of various PowerShellArsenal functions.
https://github.com/mattifestation/PowerShellArsenal