This repository was archived by the owner on Jan 21, 2021. It is now read-only.

Commit 7009f92

author
mattifestation
committed
Major update to Capstone disassembly module
* Refactor of C# capstone binding * Now compatible in 32 and 64-bit PowerShell
1 parent 7157507 commit 7009f92


4 files changed

+13
-16
lines changed


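--- a/Capstone/Capstone.psd1
+++ b/Capstone/Capstone.psd1
@@ -24,9 +24,6 @@ PowerShellVersion = '3.0'
 # Minimum version of the common language runtime (CLR) required by this module
 CLRVersion = '4.0'
 
-# Processor architecture (None, X86, Amd64) required by this module
-ProcessorArchitecture = 'Amd64'
-
 # Assemblies that must be loaded prior to importing this module
 RequiredAssemblies = 'lib/capstone.dll'
 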

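--- a/Capstone/Get-CSDisassembly.ps1
+++ b/Capstone/Get-CSDisassembly.ps1
@@ -10,9 +10,13 @@ function Get-CSDisassembly
 PowerSploit Function: Get-CSDisassembly
 Author: Matthew Graeber (@mattifestation)
 License: See LICENSE.TXT
-Required Dependencies: lib\capstone.dll, lib\libcapstone.dll (64-bit)
+Required Dependencies: lib\capstone.dll, lib\[x86|x64]\libcapstone.dll
 Optional Dependencies: None
 
+.DESCRIPTION
+
+Get-CSDisassembly is compatible on 32 and 64-bit.
+
 .PARAMETER Architecture
 
 Specifies the architecture of the code to be disassembled.
@@ -43,13 +47,13 @@ function Get-CSDisassembly
 
 .EXAMPLE
 
-C:\PS>$Bytes = [Byte[]] @( 0x8d, 0x4c, 0x32, 0x08, 0x01, 0xd8, 0x81, 0xc6, 0x34, 0x12, 0x00, 0x00 )
-C:\PS>Get-CSDisassembly -Architecture X86 -Mode MODE_16 -Code $Bytes -Offset 0x1000
+C:\PS>$Bytes = [Byte[]] @( 0x8D, 0x4C, 0x32, 0x08, 0x01, 0xD8, 0x81, 0xC6, 0x34, 0x12, 0x00, 0x00 )
+Get-CSDisassembly -Architecture X86 -Mode Mode16 -Code $Bytes -Offset 0x1000
 
 .EXAMPLE
 
-C:\PS>$Bytes = [Byte[]] @( 0x8d, 0x4c, 0x32, 0x08, 0x01, 0xd8, 0x81, 0xc6, 0x34, 0x12, 0x00, 0x00 )
-C:\PS>Get-CSDisassembly -Architecture X86 -Mode MODE_32 -Code $Bytes -Syntax ATT
+C:\PS>$Bytes = [Byte[]] @( 0x8D, 0x4C, 0x32, 0x08, 0x01, 0xD8, 0x81, 0xC6, 0x34, 0x12, 0x00, 0x00 )
+Get-CSDisassembly -Architecture X86 -Mode Mode32 -Code $Bytes -Syntax ATT
 
 .INPUTS
 
@@ -62,20 +66,16 @@ function Get-CSDisassembly
 Capstone.Instruction[]
 
 Get-CSDisassembly returns an array of Instruction objects.
-
-.NOTES
-
-Get-CSDisassembly must be run from 64-bit PowerShell v3.
 #>
 
 [OutputType([Capstone.Instruction])]
 [CmdletBinding()] Param (
 [Parameter(Mandatory)]
-[Capstone.ARCH]
+[Capstone.Architecture]
 $Architecture,
 
 [Parameter(Mandatory)]
-[Capstone.MODE]
+[Capstone.Mode]
 $Mode,
 
 [Parameter(Mandatory)]
@@ -103,8 +103,8 @@ function Get-CSDisassembly
 {
 switch ($Syntax)
 {
-'Intel' { $SyntaxMode = [Capstone.OPT_VALUE]::SYNTAX_INTEL }
-'ATT' { $SyntaxMode = [Capstone.OPT_VALUE]::SYNTAX_ATT }
+'Intel' { $SyntaxMode = [Capstone.OptionValue]::SyntaxIntel }
+'ATT' { $SyntaxMode = [Capstone.OptionValue]::SyntaxATT }
 }
 
 $Disassembly.SetSyntax($SyntaxMode)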
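Review bot: The help now lists `lib\[x86|x64]\libcapstone.dll` and the new `.DESCRIPTION` (new lines 16-19) says only that both bitnesses work, but nothing visible here states how the native library matching the process is located; that logic presumably lives in the rebuilt `lib/capstone.dll`, which this page shows only as a binary. If the binding resolves `libcapstone.dll` by bare name rather than by a full path under the module's own `lib` directory, the normal Windows DLL search order decides which copy is loaded, so this is worth confirming against the C# source. Once confirmed, I would state the rule in the help, for example `The native libcapstone.dll is loaded from lib\x86 or lib\x64 under the module directory, selected by process bitness.` Separately, the `switch ($Syntax)` in the last hunk has no `default` arm, so `$SyntaxMode` is assigned only for 'Intel' and 'ATT'; whether `$Syntax` is constrained to those two values is decided outside the hunk, since the function body starts and ends beyond the visible lines.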

Capstone/lib/capstone.dll

2 KB
Binary file not shown.
Binary file not shown.
