{"id":13704925,"url":"https://github.com/mattifestation/PowerShellArsenal","last_synced_at":"2025-05-05T12:32:42.524Z","repository":{"id":23357019,"uuid":"26717990","full_name":"mattifestation/PowerShellArsenal","owner":"mattifestation","description":"A PowerShell Module Dedicated to Reverse Engineering","archived":false,"fork":false,"pushed_at":"2021-08-20T08:41:50.000Z","size":1735,"stargazers_count":858,"open_issues_count":5,"forks_count":204,"subscribers_count":66,"default_branch":"master","last_synced_at":"2024-11-13T12:41:02.099Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"PowerShell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/mattifestation.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2014-11-16T15:20:17.000Z","updated_at":"2024-10-22T07:22:13.000Z","dependencies_parsed_at":"2022-07-20T23:32:56.992Z","dependency_job_id":null,"html_url":"https://github.com/mattifestation/PowerShellArsenal","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mattifestation%2FPowerShellArsenal","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mattifestation%2FPowerShellArsenal/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mattifestation%2FPowerShellArsenal/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mattifestation%2FPowerShellArsenal/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/mattifestation","download_url":"https://codeload.github.com/mattifestation
/PowerShellArsenal/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":252497690,"owners_count":21757662,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-08-02T22:00:26.367Z","updated_at":"2025-05-05T12:32:41.841Z","avatar_url":"https://github.com/mattifestation.png","language":"PowerShell","funding_links":[],"categories":["🛡️ Security","[↑](#table-of-contents) Misc","PowerShell","VPS","Security"],"sub_categories":["Exploit Development","Windows \u003ca id=\"vps-windows\"/\u003e"],"readme":"### PowerShellArsenal is a PowerShell module used to aid a reverse engineer. The module can be used to disassemble managed and unmanaged code, perform .NET malware analysis, analyze/scrape memory, parse file formats and memory structures, obtain internal system information, etc. 
PowerShellArsenal comprises the following tools:\n\n## Disassembly\n\n**Disassemble native and managed code.**\n\n#### `Get-CSDisassembly`\n\nDisassembles a byte array using the Capstone Engine disassembly framework.\n\n#### `Get-ILDisassembly`\n\nDisassembles a raw MSIL byte array passed in from a MethodInfo object in a manner similar to that of Ildasm.\n\n## MalwareAnalysis\n\n**Useful tools when performing malware analysis.**\n\n#### `New-FunctionDelegate`\n\nProvides an executable wrapper for an X86 or X86_64 function.\n\n#### `Invoke-LoadLibrary`\n\nLoads a DLL into the current PowerShell process.\n\n#### `New-DllExportFunction`\n\nCreates an executable wrapper delegate around an unmanaged, exported function.\n\n#### `Get-HostsFile`\n\nParses a HOSTS file.\n\n#### `New-HostsFileEntry`\n\nReplaces or appends an entry in a HOSTS file.\n\n#### `Remove-HostsFileEntry`\n\nRemoves an entry or series of entries from a HOSTS file.\n\n#### `Get-AssemblyStrings`\n\nOutputs all strings from a .NET executable.\n\n#### `Get-AssemblyResources`\n\nExtracts managed resources from a .NET assembly.\n\n#### `Remove-AssemblySuppressIldasmAttribute`\n\nStrips a SuppressIldasmAttribute attribute from a .NET assembly.\n\n#### `Get-AssemblyImplementedMethods`\n\nReturns all methods in an assembly that are implemented in MSIL.\n\n## MemoryTools\n\n**Inspect and analyze process memory.**\n\n#### `Get-ProcessStrings`\n\nOutputs all printable strings from the user-mode memory of a process.\n\n#### `Get-VirtualMemoryInfo`\n\nA wrapper for kernel32!VirtualQueryEx.\n\n#### `Get-ProcessMemoryInfo`\n\nRetrieves virtual memory information for every unique set of pages in user memory. 
This function is similar to the !vadump WinDbg command.\n\n#### `Get-StructFromMemory`\n\nMarshals data from an unmanaged block of memory in an arbitrary process to a newly allocated managed object of the specified type.\n\n## Parsers\n\n**Parse file formats and in-memory structures.**\n\n#### `Get-PE`\n\nAn on-disk and in-memory PE parser and process dumper.\n\n#### `Find-ProcessPEs`\n\nFinds portable executables in memory regardless of whether or not they were loaded in a legitimate fashion.\n\n#### `Get-LibSymbols`\n\nDisplays symbolic information from Windows LIB files.\n\n#### `Get-ObjDump`\n\nDisplays information about Windows object (OBJ) files.\n\n## WindowsInternals\n\n**Obtain and analyze low-level Windows OS information.**\n\n#### `Get-NtSystemInformation`\n\nA utility that calls and parses the output of the ntdll!NtQuerySystemInformation function. This utility can be used to query internal OS information that is typically not made visible to a user.\n\n#### `Get-PEB`\n\nReturns the process environment block (PEB) of a process.\n\n#### `Register-ProcessModuleTrace`\n\nStarts a trace of loaded process modules.\n\n#### `Get-ProcessModuleTrace`\n\nDisplays the process modules that have been loaded since the call to `Register-ProcessModuleTrace`.\n\n#### `Unregister-ProcessModuleTrace`\n\nStops the running process module trace.\n\n#### `Get-SystemInfo`\n\nA wrapper for kernel32!GetSystemInfo.\n\n## Misc\n\n**Miscellaneous helper functions.**\n\n#### `Get-Member`\n\nA proxy function used to extend the built-in Get-Member cmdlet. It adds the '-Private' parameter, allowing you to display non-public .NET members.\n\n#### `Get-Strings`\n\nDumps strings from files in both Unicode and ASCII. This cmdlet replicates the functionality of strings.exe from Sysinternals.\n\n#### `ConvertTo-String`\n\nConverts the bytes of a file to a string that has a 1-to-1 mapping back to the file's original bytes. 
ConvertTo-String is useful for performing binary regular expressions.\n\n#### `Get-Entropy`\n\nCalculates the entropy of a file or byte array.\n\n## Lib\n\n**Libraries required by some of the RE functions.**\n\n#### `Capstone`\n\nThe Capstone disassembly engine C# binding.\n\n#### `De4dot`\n\nA powerful .NET deobfuscation and .NET PE parsing library.\n\n#### `PSReflect`\n\nA module used to easily define in-memory enums, structs, and Win32 functions.\n\n#### `Formatters`\n\nps1xml files used to format the output of various PowerShellArsenal functions.\n\n## License\n\nThe PowerShellArsenal module and all individual scripts are under the [BSD 3-Clause license](https://raw.github.com/mattifestation/PowerSploit/master/LICENSE) unless explicitly noted otherwise.\n\n## Usage\n\nRefer to the comment-based help in each individual script for detailed usage information.\n\nTo install this module, drop the entire PowerShellArsenal folder into one of your module directories. The default PowerShell module paths are listed in the `$Env:PSModulePath` environment variable.\n\nThe default per-user module path is: \"$Env:HomeDrive$Env:HOMEPATH\\Documents\\WindowsPowerShell\\Modules\"\n\nThe default computer-level module path is: \"$Env:windir\\System32\\WindowsPowerShell\\v1.0\\Modules\"\n\nTo use the module, type `Import-Module PowerShellArsenal`.\n\nTo see the commands imported, type `Get-Command -Module PowerShellArsenal`.\n\nIf you're running PowerShell v3 and you want to remove the annoying 'Do you really want to run scripts downloaded from the Internet' warning, once you've placed PowerShellArsenal into your module path, run the following command (it unblocks only the PowerShellArsenal folder found in each module path, not every module in that directory):\n\n```powershell\n$Env:PSModulePath.Split(';') |\n    ForEach-Object {\n        $ModulePath = Join-Path $_ PowerShellArsenal\n        if (Test-Path $ModulePath) { Get-ChildItem $ModulePath -Recurse | Unblock-File }\n    }\n```\n\nFor help on each individual command, Get-Help is your friend.\n\nNote: The tools contained within this module were all designed such that they can be run individually. 
Including them in a module simply lends itself to increased portability.\n\n## Script Style Guide\n\n**For all contributors and future contributors to PowerShellArsenal, I ask that you follow this style guide when writing your scripts/modules.**\n\n* Avoid Write-Host **at all costs**. PowerShell functions/cmdlets are not command-line utilities! Pull requests containing code that uses Write-Host will not be considered. You should output custom objects instead. For more information on creating custom objects, read these articles:\n   * \u003chttp://blogs.technet.com/b/heyscriptingguy/archive/2011/05/19/create-custom-objects-in-your-powershell-script.aspx\u003e\n   * \u003chttp://technet.microsoft.com/en-us/library/ff730946.aspx\u003e\n\n* If you want to display relevant debugging information to the screen, use Write-Verbose. The user can always just tack on '-Verbose'.\n\n* Always provide descriptive, comment-based help for every script. Also, be sure to include your name and a BSD 3-Clause license (unless there are extenuating circumstances that prevent the application of the BSD license).\n\n* Make sure all functions follow the proper PowerShell verb-noun agreement. Use Get-Verb to list the default verbs used by PowerShell. Exceptions to supported verbs will be considered on a case-by-case basis.\n\n* I prefer that variable names be capitalized and be as descriptive as possible.\n\n* Provide logical spacing in between your code. Indent your code to make it more readable.\n\n* If you find yourself repeating code, write a function.\n\n* Catch all anticipated errors and provide meaningful output. If you have an error that should stop execution of the script, use 'Throw'. If you have an error that doesn't need to stop execution, use Write-Error.\n\n* If you are writing a script that interfaces with the Win32 API, try to avoid compiling C# inline with Add-Type. Try to use the PSReflect module, if possible.\n\n* Do not use hardcoded paths. 
A script should be usable right out of the box. No one should have to modify the code unless they want to.\n\n* PowerShell v2 compatibility is highly desired.\n\n* Use positional parameters and make parameters mandatory when it makes sense to do so. For example, I'm looking for something like the following:\n   * `[Parameter(Position = 0, Mandatory = $True)]`\n\n* Don't use any aliases unless it makes sense for receiving pipeline input. They make code more difficult to read for people who are unfamiliar with a particular alias.\n\n* Try not to let commands run on for too long. For example, a pipeline is a natural place for a line break.\n\n* Don't go overboard with inline comments. Only use them when certain aspects of the code might be confusing to a reader.\n\n* Rather than using Out-Null to suppress unwanted/irrelevant output, save the unwanted output to $null. Doing so provides a slight performance enhancement.\n\n* Use default values for your parameters when it makes sense. Ideally, you want a script that will work without requiring any parameters.\n\n* Explicitly state all required and optional dependencies in the comment-based help for your function. All library dependencies should reside in the 'Lib' folder.\n\n* If a script creates complex custom objects, include a ps1xml file that will properly format the object's output. ps1xml files are stored in Lib\\Formatters.","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmattifestation%2FPowerShellArsenal","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fmattifestation%2FPowerShellArsenal","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmattifestation%2FPowerShellArsenal/lists"}