
Commit 98be62a

committed
Get-PEHeader can now return raw section data
1 parent 4eca7b0 commit 98be62a


1 file changed

+45
-7
lines changed


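--- a/PETools/Get-PEHeader.ps1
+++ b/PETools/Get-PEHeader.ps1
@@ -15,6 +15,26 @@ Optional Dependencies: PETools.format.ps1xml
 
 Get-PEHeader retrieves PE headers including imports and exports from either a file on disk or a module in memory. Get-PEHeader will operate on single PE header but you can also feed it the output of Get-ChildItem or Get-Process! Get-PEHeader works on both 32 and 64-bit modules.
 
+.PARAMETER FilePath
+
+Specifies the path to the portable executable file on disk
+
+.PARAMETER ProcessID
+
+Specifies the process ID.
+
+.PARAMETER Module
+
+The name of the module. This parameter is typically only used in pipeline expressions
+
+.PARAMETER ModuleBaseAddress
+
+The base address of the module
+
+.PARAMETER GetSectionData
+
+Retrieves raw section data.
+
 .OUTPUTS
 
 System.Object
@@ -91,14 +111,11 @@ http://www.exploit-monday.com/2012/07/get-peheader.html
 #>
 
 [CmdletBinding(DefaultParameterSetName = 'OnDisk')] Param (
-# Path to the portable executable file on disk
 [Parameter(Position = 0, Mandatory = $True, ParameterSetName = 'OnDisk', ValueFromPipelineByPropertyName = $True)] [Alias('FullName')] [String[]] $FilePath,
-# The process ID
 [Parameter(Position = 0, Mandatory = $True, ParameterSetName = 'InMemory', ValueFromPipelineByPropertyName = $True)] [Alias('Id')] [Int] $ProcessID,
-# The name of the module. This parameter is typically only used in pipeline expressions
 [Parameter(Position = 2, ParameterSetName = 'InMemory', ValueFromPipelineByPropertyName = $True)] [Alias('MainModule')] [Alias('Modules')] [System.Diagnostics.ProcessModule[]] $Module,
-# The base address of the module
-[Parameter(Position = 1, ParameterSetName = 'InMemory')] [IntPtr] $ModuleBaseAddress
+[Parameter(Position = 1, ParameterSetName = 'InMemory')] [IntPtr] $ModuleBaseAddress,
+[Parameter()] [Switch] $GetSectionData
 )
 
 PROCESS {
@@ -628,7 +645,7 @@ PROCESS {
 Write-Verbose "Architecture: $Architecture"
 Write-Verbose 'Proceeding with parsing a 64-bit binary.'
 
-} elseif ($Architecture -eq 'I386' -or $Architecture -eq 'ARMNT') {
+} elseif ($Architecture -eq 'I386' -or $Architecture -eq 'ARMNT' -or $Architecture -eq 'THUMB') {
 
 $PEStruct = @{
 IMAGE_OPTIONAL_HEADER = [PE+_IMAGE_OPTIONAL_HEADER32]
@@ -653,7 +670,7 @@ PROCESS {
 $NumSections = $NtHeader.FileHeader.NumberOfSections
 $NumRva = $NtHeader.OptionalHeader.NumberOfRvaAndSizes
 $PointerSectionHeader = [IntPtr] ($PointerNtHeader.ToInt64() + [System.Runtime.InteropServices.Marshal]::SizeOf([Type] $PEStruct['NT_HEADER']))
-$SectionHeaders = New-Object PE+_IMAGE_SECTION_HEADER[]($NumSections)
+$SectionHeaders = New-Object PSObject[]($NumSections)
 foreach ($i in 0..($NumSections - 1))
 {
 $SectionHeaders[$i] = [System.Runtime.InteropServices.Marshal]::PtrToStructure(([IntPtr] ($PointerSectionHeader.ToInt64() + ($i * [System.Runtime.InteropServices.Marshal]::SizeOf([Type] [PE+_IMAGE_SECTION_HEADER])))), [Type] [PE+_IMAGE_SECTION_HEADER])
@@ -686,6 +703,27 @@ PROCESS {
 $CloseHandle.Invoke($hProcess) | Out-Null
 
 }
+
+if ($PSBoundParameters['GetSectionData'])
+{
+foreach ($i in 0..($NumSections - 1))
+{
+$RawBytes = $null
+
+if ($OnDisk)
+{
+$RawBytes = New-Object Byte[]($SectionHeaders[$i].SizeOfRawData)
+[Runtime.InteropServices.Marshal]::Copy([IntPtr] ($PEBaseAddr.ToInt64() + $SectionHeaders[$i].PointerToRawData), $RawBytes, 0, $SectionHeaders[$i].SizeOfRawData)
+}
+else
+{
+$RawBytes = New-Object Byte[]($SectionHeaders[$i].VirtualSize)
+[Runtime.InteropServices.Marshal]::Copy([IntPtr] ($PEBaseAddr.ToInt64() + $SectionHeaders[$i].VirtualAddress), $RawBytes, 0, $SectionHeaders[$i].VirtualSize)
+}
+
+$SectionHeaders[$i] = Add-Member -InputObject ($SectionHeaders[$i]) -MemberType NoteProperty -Name RawData -Value $RawBytes -PassThru -Force
+}
+}
 
 function Get-Exports()
 {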
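Review bot: The two new `Marshal::Copy` calls (new-file lines 716 and 721) take the offset and length straight from the section header — `PointerToRawData`/`SizeOfRawData` on disk, `VirtualAddress`/`VirtualSize` in memory — with no check against the size of what was actually mapped, so a truncated or deliberately malformed PE, which is exactly the input a header parser gets pointed at, can make the copy run past the end of the mapping and crash the PowerShell host or hand back unrelated process memory labelled as section data. The offset plus length should be compared with the mapped size before allocating and copying, and a section that fails the check should be reported with `Write-Warning` and left with `RawData` set to `$null` instead of aborting the whole object. The loop also reuses the `0..($NumSections - 1)` range from the earlier header loop, which enumerates 0 and -1 when `NumberOfSections` is 0, so wrapping the new block in `if ($NumSections -gt 0)` is cheap insurance. `$OnDisk` and the mapping size are established earlier in PROCESS, outside this hunk, so `$MappedSize` in the sketch below is a placeholder for whichever variable holds the length of the mapped file or module.
```powershell
if ($PSBoundParameters['GetSectionData'] -and $NumSections -gt 0)
{
    foreach ($i in 0..($NumSections - 1))
    {
        $RawBytes = $null

        # Section header fields come from the parsed image and are not trusted;
        # bound the copy to the mapping before touching memory.
        if ($OnDisk)
        {
            $Offset = [UInt64] $SectionHeaders[$i].PointerToRawData
            $Length = [UInt64] $SectionHeaders[$i].SizeOfRawData
        }
        else
        {
            $Offset = [UInt64] $SectionHeaders[$i].VirtualAddress
            $Length = [UInt64] $SectionHeaders[$i].VirtualSize
        }

        # $MappedSize: PLACEHOLDER for the variable holding the mapped file/module length
        if (($Offset + $Length) -le [UInt64] $MappedSize)
        {
            $RawBytes = New-Object Byte[]($Length)
            [Runtime.InteropServices.Marshal]::Copy([IntPtr] ($PEBaseAddr.ToInt64() + $Offset), $RawBytes, 0, [Int] $Length)
        }
        else
        {
            Write-Warning "Section $i (offset $Offset, length $Length) extends beyond the mapped image; RawData omitted."
        }

        # … unchanged: Add-Member -Name RawData …
    }
}
```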
