PowerShellArsenal is a PowerShell module used to aid a reverse engineer. The module can be used to disassemble managed and unmanaged code, perform .NET malware analysis, analyze/scrape memory, parse file formats and memory structures, obtain internal system information, etc.

PowerShellArsenal consists of the following tools:

Disassembly: Disassemble native and managed code.
- Get-CSDisassembly: Disassembles a byte array using the Capstone Engine disassembly framework.
- Get-ILDisassembly: Disassembles a raw MSIL byte array passed in from a MethodInfo object in a manner similar to that of Ildasm.

MalwareAnalysis: Useful tools when performing malware analysis.
- New-FunctionDelegate: Provides an executable wrapper for an X86 or X86_64 function.
- Invoke-LoadLibrary: Loads a DLL into the current PowerShell process.
- New-DllExportFunction: Creates an executable wrapper delegate around an unmanaged, exported function.
- Get-HostsFile: Parses a HOSTS file.
- New-HostsFileEntry: Replaces or appends an entry in a HOSTS file.
- Remove-HostsFileEntry: Removes an entry or series of entries from a HOSTS file.
- Get-AssemblyStrings: Outputs all strings from a .NET executable.
- Get-AssemblyResources: Extracts managed resources from a .NET assembly.
- Remove-AssemblySuppressIldasmAttribute: Strips a SuppressIldasmAttribute attribute from a .NET assembly.
- Get-AssemblyImplementedMethods: Returns all methods in an assembly that are implemented in MSIL.

MemoryTools: Inspect and analyze process memory.
- Get-ProcessStrings: Outputs all printable strings from the user-mode memory of a process.
- Get-VirtualMemoryInfo: A wrapper for kernel32!VirtualQueryEx.
- Get-ProcessMemoryInfo: Retrieves virtual memory information for every unique set of pages in user memory. This function is similar to the !vadump WinDbg command.
- Get-StructFromMemory: Marshals data from an unmanaged block of memory in an arbitrary process to a newly allocated managed object of the specified type.

Parsers: Parse file formats and in-memory structures.
- Get-PE: An on-disk and in-memory PE parser and process dumper.
- Find-ProcessPEs: Finds portable executables in memory regardless of whether or not they were loaded in a legitimate fashion.
- Get-LibSymbols: Displays symbolic information from Windows LIB files.
- Get-ObjDump: Displays information about Windows object (OBJ) files.

WindowsInternals: Obtain and analyze low-level Windows OS information.
- Get-NtSystemInformation: A utility that calls and parses the output of the ntdll!NtQuerySystemInformation function. This utility can be used to query internal OS information that is typically not made visible to a user.
- Get-PEB: Returns the process environment block (PEB) of a process.
- Register-ProcessModuleTrace: Starts a trace of loaded process modules.
- Get-ProcessModuleTrace: Displays the process modules that have been loaded since the call to Register-ProcessModuleTrace.
- Unregister-ProcessModuleTrace: Stops the running process module trace.
- Get-SystemInfo: A wrapper for kernel32!GetSystemInfo.

Misc: Miscellaneous helper functions.
- Get-Member: A proxy function used to extend the built-in Get-Member cmdlet. It adds the '-Private' parameter, allowing you to display non-public .NET members.
- Get-Strings: Dumps strings from files in both Unicode and ASCII. This cmdlet replicates the functionality of strings.exe from Sysinternals.
- ConvertTo-String: Converts the bytes of a file to a string that has a 1-to-1 mapping back to the file's original bytes. ConvertTo-String is useful for performing binary regular expressions.
- Get-Entropy: Calculates the entropy of a file or byte array.

Lib: Libraries required by some of the RE functions.
- Capstone: The Capstone disassembly engine C# binding.
- De4dot: A powerful .NET deobfuscation and .NET PE parsing library.
- PSReflect: A module used to easily define in-memory enums, structs, and Win32 functions.

Formatters: ps1xml files used to format the output of various PowerShellArsenal functions.