-
-
Save xorrior/938fb475e5b3b15cb1ea6245b1f5cb85 to your computer and use it in GitHub Desktop.
A crude Load(byte[]) method scanner for UMCI bypass research
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Author: Matthew Graeber (@mattifestation) | |
| # Load dnlib with Add-Type first | |
| # dnlib can be obtained here: https://github.com/0xd4d/dnlib | |
| # Example: ls C:\ -Recurse | Get-AssemblyLoadReference | |
| filter Get-AssemblyLoadReference { | |
| param ( | |
| [Parameter(Mandatory = $True, ValueFromPipelineByPropertyName = $True)] | |
| [Alias('FullName')] | |
| [String] | |
| [ValidateNotNullOrEmpty()] | |
| $Path | |
| ) | |
| $FullPath = Resolve-Path $Path | |
| $Module = $null | |
| try { | |
| $Module = [dnlib.DotNet.ModuleDefMD]::Load($FullPath) | |
| } catch { | |
| return | |
| } | |
| $listMemberRefMD = $Module.GetType().GetFields('NonPublic, Instance') | ? { $_.Name -eq 'listMemberRefMD' } | |
| $MemberRefList = $listMemberRefMD.GetValue($Module) | |
| $GenericParamContext = New-Object -TypeName dnlib.DotNet.GenericParamContext | |
| $AssemblyLoadList = New-Object -TypeName 'System.Collections.Generic.List[System.Object]' | |
| for ($i = 0; $i -lt $MemberRefList.Length; $i++) { | |
| $MemberRefDefinition = $MemberRefList.Item($i, $GenericParamContext) | |
| if (($MemberRefDefinition.Name.String -eq 'Load') -and | |
| ($MemberRefDefinition.ReturnType.FullName -eq 'System.Reflection.Assembly') -and | |
| ($MemberRefDefinition.MethodSig.Params.FullName -contains 'System.Byte[]')) { | |
| <# The assembly "imports" a Load method that: | |
| 1) Is called "Load" | |
| 2) Returns a System.Reflection.Assembly instance | |
| 3) Has at least one parameter that accepts an argument of type System.Byte[] | |
| #> | |
| $AssemblyLoadList.Add($MemberRefDefinition) | |
| } | |
| } | |
| if ($AssemblyLoadList.Count) { | |
| [PSCustomObject] @{ | |
| AssemblyPath = $FullPath | |
| LoadMethodImports = $AssemblyLoadList | |
| } | |
| } | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment