Added Capstone Engine PowerShell binding

Consider this to be an alpha release until the C# binding is published.

Author: mattifestation

Capstone/Capstone.psd1

@@ -0,0 +1,50 @@
+@{
+
+# Script module or binary module file associated with this manifest.
+ModuleToProcess = 'Capstone.psm1'
+
+# Version number of this module.
+ModuleVersion = '1.0.0.0'
+
+# ID used to uniquely identify this module
+GUID = 'bc335667-02fd-46c4-a3d9-0a5113c9c03b'
+
+# Author of this module
+Author = 'Matthew Graeber'
+
+# Copyright statement for this module
+Copyright = 'BSD 3-Clause'
+
+# Description of the functionality provided by this module
+Description = 'Capstone Disassembly Framework Binding Module'
+
+# Minimum version of the Windows PowerShell engine required by this module
+PowerShellVersion = '3.0'
+
+# Minimum version of the common language runtime (CLR) required by this module
+CLRVersion = '4.0'
+
+# Processor architecture (None, X86, Amd64) required by this module
+ProcessorArchitecture = 'Amd64'
+
+# Assemblies that must be loaded prior to importing this module
+RequiredAssemblies = 'lib/capstone.dll'
+
+# Format files (.ps1xml) to be loaded when importing this module
+FormatsToProcess = 'Get-CSDisassembly.format.ps1xml'
+
+# Functions to export from this module
+FunctionsToExport = '*'
+
+# List of all modules packaged with this module.
+ModuleList = @(@{ModuleName = 'Capstone'; ModuleVersion = '1.0.0.0'; GUID = 'bc335667-02fd-46c4-a3d9-0a5113c9c03b'})
+
+# List of all files packaged with this module
+FileList = 'Capstone.psm1',
+           'Capstone.psd1',
+           'Get-CSDisassembly.ps1',
+           'Usage.md', 
+           'lib/capstone.dll',
+           'lib/libcapstone.dll'
+
+}

Capstone/Capstone.psm1

@@ -0,0 +1 @@
+Get-ChildItem (Join-Path $PSScriptRoot *.ps1) | % { . $_.FullName}

Capstone/Get-CSDisassembly.format.ps1xml

@@ -0,0 +1,41 @@
+<?xml version="1.0" encoding="utf-8" ?>
+<Configuration>
+    <ViewDefinitions>
+        <View>
+            <Name>InstructionView</Name>
+                <ViewSelectedBy>
+		            <TypeName>Capstone.Instruction</TypeName>
+		        </ViewSelectedBy>
+            <TableControl>
+            <AutoSize/>
+                <TableHeaders>
+                    <TableColumnHeader>
+                        <Label>Address</Label>
+                    </TableColumnHeader>
+                    <TableColumnHeader>
+                        <Label>Mnemonic</Label>
+                    </TableColumnHeader>
+                    <TableColumnHeader>
+                        <Label>Operands</Label>
+                    </TableColumnHeader>
+                </TableHeaders>
+                <TableRowEntries>
+                    <TableRowEntry>
+                        <TableColumnItems>
+                            <TableColumnItem>
+                                <PropertyName>Address</PropertyName>
+                                <FormatString>0x{0:X8}</FormatString>
+                            </TableColumnItem>
+                            <TableColumnItem>
+                                <PropertyName>Mnemonic</PropertyName>
+                            </TableColumnItem>
+                            <TableColumnItem>
+                                <PropertyName>Operands</PropertyName>
+                            </TableColumnItem>
+                        </TableColumnItems>
+                    </TableRowEntry>
+                </TableRowEntries>
+            </TableControl>
+        </View>
+    </ViewDefinitions>
+</Configuration>

Capstone/Get-CSDisassembly.ps1

@@ -0,0 +1,119 @@
+#requires -Version 3
+
+function Get-CSDisassembly
+{
+<#
+.SYNOPSIS
+
+    Disassembles a byte array using the Capstone Engine disassembly framework.
+
+    PowerSploit Function: Get-CSDisassembly
+    Author: Matthew Graeber (@mattifestation)
+    License: See LICENSE.TXT
+    Required Dependencies: lib\capstone.dll, lib\libcapstone.dll (64-bit)
+    Optional Dependencies: None
+
+.PARAMETER Architecture
+
+    Specifies the architecture of the code to be disassembled.
+
+.PARAMETER Mode
+
+    Specifies the mode in which to disassemble code. For example, to disassemble Amd64 code, architecture is set to 'X86' and Mode is set to 'MODE_64'.
+
+.PARAMETER Code
+
+    A byte array consisting of the code to be disassembled.
+
+.PARAMETER Offset
+
+    Specifies the starting address of the disassembly listing.
+
+.PARAMETER Count
+
+    Specifies the maximum number of instructions to disassemble.
+
+.PARAMETER Syntax
+
+    Specifies the syntax flavor to be used (INTEL vs. ATT).
+
+.PARAMETER DetailOff
+
+    Specifies that detailed parsing should not be performed - i.e. do not perform additional analysis beyond disassembling.
+      
+.EXAMPLE
+
+    C:\PS>$Bytes = [Byte[]] @( 0x8d, 0x4c, 0x32, 0x08, 0x01, 0xd8, 0x81, 0xc6, 0x34, 0x12, 0x00, 0x00 )
+    C:\PS>Get-CSDisassembly -Architecture X86 -Mode MODE_16 -Code $Bytes -Offset 0x1000
+
+.EXAMPLE
+
+    C:\PS>$Bytes = [Byte[]] @( 0x8d, 0x4c, 0x32, 0x08, 0x01, 0xd8, 0x81, 0xc6, 0x34, 0x12, 0x00, 0x00 )
+    C:\PS>Get-CSDisassembly -Architecture X86 -Mode MODE_32 -Code $Bytes -Syntax ATT
+
+.INPUTS
+
+    None
+
+    You cannot pipe objects to Get-CSDisassembly.
+
+.OUTPUTS
+
+    Capstone.Instruction[]
+
+    Get-CSDisassembly returns an array of Instruction objects.
+
+.NOTES
+
+    Get-CSDisassembly must be run from 64-bit PowerShell v3.
+#>
+
+    [OutputType([Capstone.Instruction])]
+    [CmdletBinding()] Param (
+        [Parameter(Mandatory)]
+        [Capstone.ARCH]
+        $Architecture,
+
+        [Parameter(Mandatory)]
+        [Capstone.MODE]
+        $Mode,
+
+        [Parameter(Mandatory)]
+        [ValidateNotNullOrEmpty()]
+        [Byte[]]
+        $Code,
+
+        [UInt64]
+        $Offset = 0,
+
+        [UInt32]
+        $Count = 0,
+
+        [ValidateSet('Intel', 'ATT')]
+        [String]
+        $Syntax,
+
+        [Switch]
+        $DetailOff
+    )
+
+    $Disassembly = New-Object Capstone.Capstone($Architecture, $Mode)
+
+    if ($Syntax)
+    {
+        switch ($Syntax)
+        {
+            'Intel' { $SyntaxMode = [Capstone.OPT_VALUE]::SYNTAX_INTEL }
+            'ATT'   { $SyntaxMode = [Capstone.OPT_VALUE]::SYNTAX_ATT }
+        }
+
+        $Disassembly.SetSyntax($SyntaxMode)
+    }
+
+    if ($DetailOff)
+    {
+        $Disassembly.SetDetail($False)
+    }
+
+    $Disassembly.Disassemble($Code, $Offset, $Count)
+}

Capstone/LICENSE.TXT

@@ -0,0 +1,30 @@
+This is the software license for Capstone disassembly framework.
+Capstone has been designed & implemented by Nguyen Anh Quynh <[email protected]>
+See http://www.capstone-engine.org for further information.
+
+Copyright (c) 2013, COSEINC.
+All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are met:
+
+* Redistributions of source code must retain the above copyright notice,
+  this list of conditions and the following disclaimer.
+* Redistributions in binary form must reproduce the above copyright notice,
+  this list of conditions and the following disclaimer in the documentation
+  and/or other materials provided with the distribution.
+* Neither the name of the developer(s) nor the names of its
+  contributors may be used to endorse or promote products derived from this
+  software without specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE
+LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+POSSIBILITY OF SUCH DAMAGE.

Capstone/Usage.md

@@ -0,0 +1,16 @@
+This module has two dependencies:
+* lib\libcapstone.dll (the 64-bit unmanaged Capstone library)
+* lib\capstone.dll (the managed C# bindings to the Capstone Framework)
+
+To install this module, drop the entire ScriptModification folder into one of your module directories. The default PowerShell module paths are listed in the $Env:PSModulePath environment variable.
+
+The default per-user module path is: "$Env:HomeDrive$Env:HOMEPATH\Documents\WindowsPowerShell\Modules"
+The default computer-level module path is: "$Env:windir\System32\WindowsPowerShell\v1.0\Modules"
+
+To use the module, type `Import-Module Capstone`
+
+To see the commands imported, type `Get-Command -Module Capstone`
+
+For help on each individual command, Get-Help is your friend.
+
+Note: The tools contained within this module were all designed such that they can be run individually. Including them in a module simply lends itself to increased portability.

Capstone/lib/capstone.dll

@@ -79,6 +79,7 @@ ModuleList = @( @{ModuleName = 'PowerSploit'; ModuleVersion = '1.0.0.0'; GUID =
                 @{ModuleName = 'ReverseEngineering'; ModuleVersion = '1.0.0.0'; GUID = 'cbffaf47-c55a-4901-92e7-8d794fbe1fff'},
                 @{ModuleName = 'ScriptModification'; ModuleVersion = '1.0.0.0'; GUID = 'a4d86266-b39b-437a-b5bb-d6f99aa6e610'},
                 @{ModuleName = 'Persistence'; ModuleVersion = '1.0.0.0'; GUID = '633d0f10-a056-41da-869d-6d2f75430195'}
+                @{ModuleName = 'Capstone'; ModuleVersion = '1.0.0.0'; GUID = 'bc335667-02fd-46c4-a3d9-0a5113c9c03b'}
                 )
 
 # List of all files packaged with this module

Capstone/lib/libcapstone.dll

@@ -80,6 +80,14 @@ Displays symbolic information from Windows lib files.
 
 Returns the path from which Windows will load a Dll for the given executable.
 
+## Capstone
+
+**A PowerShell binding for the Capstone Engine disassembly framework.**
+
+#### `Get-CSDisassembly`
+
+Disassembles a byte array using the Capstone Engine disassembly framework.
+
 ## ReverseEngineering
 
 **Tools to aid in reverse engineering.**