Virtualization
/
capstone
mirror of https://gitlab.com/qemu-project/capstone.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

PowerShell.Binding-Rework 

A rework of the pull request based on feedback for the same pull
request in Keystone
This commit is contained in:
FuzzySecurity 2016-11-05 03:53:37 +01:00
parent cebf2d6b21
commit a880dbe193
3 changed files with 36 additions and 203 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

153
bindings/powershell/Invoke-Capstone.ps1
View File

File diff suppressed because one or more lines are too long

58
bindings/powershell/Out-UnmanagedDll.ps1
View File

@ -1,58 +0,0 @@
function Out-UnmanagedDll
{
[CmdletBinding()] Param (
[Parameter(Mandatory = $True)]
[String]
$FilePath
)
$Path = Resolve-Path $FilePath
if (! [IO.File]::Exists($Path))
{
Throw "$Path does not exist."
}
$FileBytes = [System.IO.File]::ReadAllBytes($Path)
if (($FileBytes[0..1] | % {[Char]$_}) -join '' -cne 'MZ')
{
Throw "$Path is not a valid executable."
}
# Encode
$Length = $FileBytes.Length
$CompressedStream = New-Object IO.MemoryStream
$DeflateStream = New-Object IO.Compression.DeflateStream ($CompressedStream, [IO.Compression.CompressionMode]::Compress)
$DeflateStream.Write($FileBytes, 0, $FileBytes.Length)
$DeflateStream.Dispose()
$CompressedFileBytes = $CompressedStream.ToArray()
$CompressedStream.Dispose()
$EncodedCompressedFile = [Convert]::ToBase64String($CompressedFileBytes)
# Decode
$Output = @"
`$EncodedCompressedFile = @'
$EncodedCompressedFile
'@
`$Stream = new-object -TypeName System.IO.MemoryStream
`$DeflateStream = New-Object IO.Compression.DeflateStream([IO.MemoryStream][Convert]::FromBase64String(`$EncodedCompressedFile),[IO.Compression.CompressionMode]::Decompress)
`$buffer = New-Object Byte[]($Length)
`$count = 0
do
{
`$count = `$DeflateStream.Read(`$buffer, 0, 1024)
if (`$count -gt 0)
{
`$Stream.Write(`$buffer, 0, `$count)
}
}
While (`$count -gt 0)
`$array = `$stream.ToArray()
`$DeflateStream.Close()
`$Stream.Close()
Set-Content -value `$array -encoding byte -path `$DllPath
"@
Write-Output $Output
}

24
bindings/powershell/README
View File

@ -1,7 +1,14 @@
Usage Usage
Invoke-Capstone is ready for use, there are two options to access the capstone Invoke-Capstone requires an architecture appropriate (x32/64) compiled Capstone DLL.
library from PowerShell: A pre-compiled version can be found on the Capstone download page at the following
URL:
* http://www.capstone-engine.org/download.html
Once downloaded, the DLL should be placed in a directory which is part of the SafeDllSearchMode search order. In practice, any folder which is part of the Windows PATH environment variable will work.
The Invoke-Capstone function itself can be initialized using one of the following methods:
* Script dot sourcing: * Script dot sourcing:
@ -14,16 +21,3 @@ library from PowerShell:
# User PSModulePath path # User PSModulePath path
%UserProfile%\Documents\WindowsPowerShell\Modules %UserProfile%\Documents\WindowsPowerShell\Modules
Notes
* Invoke-Capstone drops the Capstone DLL, x32/64 respectively, to the user's
temporary folder the first time it runs. Further runs will use this cached DLL.
* The "Out-UnmanagedDll" script can be used to generate a compressed DLL which
allows for easy integration with Invoke-Capstone. This script is based on
@mattifestations post here
http://www.exploit-monday.com/2012/12/in-memory-dll-loading.html.
# Redirect script output to file
PS C:\> Out-UnmanagedDll -FilePath C:\Some\Path\capstone.dll