PowerShellArsenal is a PowerShell module used to aid a reverse engineer. The module can be used to disassemble managed and unmanaged code, perform .NET malware analysis, analyze/scrape memory, parse file formats and memory structures, obtain internal system information, etc. PowerShellArsenal is comprised of the following tools:
Disassembly
Disassemble native and managed code.

Get-CSDisassembly
Disassembles a byte array using the Capstone Engine disassembly framework.

Get-ILDisassembly
Disassembles a raw MSIL byte array passed in from a MethodInfo object in a manner similar to that of Ildasm.

MalwareAnalysis
Useful tools when performing malware analysis.

New-FunctionDelegate
Provides an executable wrapper for an X86 or X86_64 function.

Invoke-LoadLibrary
Loads a DLL into the current PowerShell process.

New-DllExportFunction
Creates an executable wrapper delegate around an unmanaged, exported function.

Get-HostsFile
Parses a HOSTS file.

New-HostsFileEntry
Replace or append an entry to a HOSTS file.

Remove-HostsFileEntry
Remove an entry or series of entries from a HOSTS file.

Get-AssemblyStrings
Output all strings from a .NET executable.

Get-AssemblyResources
Extract managed resources from a .NET assembly

Remove-AssemblySuppressIldasmAttribute
Strips a SuppressIldasmAttribute attribute from a .NET assembly.

Get-AssemblyImplementedMethods
Returns all methods in an assembly that are implemented in MSIL.

MemoryTools
Inspect and analyze process memory

Get-ProcessStrings
Outputs all printable strings from the user-mode memory of a process.

Get-VirtualMemoryInfo
A wrapper for kernel32!VirtualQueryEx

Get-ProcessMemoryInfo
Retrieve virtual memory information for every unique set of pages in user memory. This function is similar to the !vadump WinDbg command.

Get-StructFromMemory
Marshals data from an unmanaged block of memory in an arbitrary process to a newly allocated managed object of the specified type.

Parsers
Parse file formats and in-memory structures.

Get-PE
An on-disk and in-memory PE parser and process dumper.

Find-ProcessPEs
Finds portable executables in memory regardless of whether or not they were loaded in a legitimate fashion.

Get-LibSymbols
Displays symbolic information from Windows LIB files.

Get-ObjDump
Displays information about Windows object (OBJ) files.

WindowsInternals
Obtain and analyze low-level Windows OS information.

Get-NtSystemInformation
A utility that calls and parses the output of the ntdll!NtQuerySystemInformation function. This utility can be used to query internal OS information that is typically not made visible to a user.

Get-PEB
Returns the process environment block (PEB) of a process.

Register-ProcessModuleTrace
Starts a trace of loaded process modules

Get-ProcessModuleTrace
Displays the process modules that have been loaded since the call to Register-ProcessModuleTrace

Unregister-ProcessModuleTrace
Stops the running process module trace

Get-SystemInfo
A wrapper for kernel32!GetSystemInfo

Misc
Miscellaneous helper functions

Get-Member
A proxy function used to extend the built-in Get-Member cmdlet. It adds the '-Private' parameter allowing you to display non-public .NET members

Get-Strings
Dumps strings from files in both Unicode and Ascii. This cmdlet replicates the functionality of strings.exe from Sysinternals.

ConvertTo-String
Converts the bytes of a file to a string that has a 1-to-1 mapping back to the file's original bytes. ConvertTo-String is useful for performing binary regular expressions.

Get-Entropy
Calculates the entropy of a file or byte array.

Lib
Libraries required by some of the RE functions.

Capstone
The Capstone disassembly engine C# binding.

De4dot
A powerful .NET deobfuscation and .NET PE parsing library.

PSReflect
A module used to easily define in-memory enums, structs, and Win32 functions.

Formatters
ps1xml files used to format the output of various PowerShellArsenal functions.

[课程]Android-CTF解题方法汇总！