# https://yuriygeorgiev.com/2023/12/18/windows-portable-executable-pe-file-format/
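function Get-PEHeaderOffset {
    <#
    .SYNOPSIS
        Returns e_lfanew, the file offset of the "PE\0\0" signature, for each given file.
    .DESCRIPTION
        Reads the 4-byte little-endian e_lfanew field at offset 0x3C of the DOS header.
        The value comes straight from the (untrusted) input file, so it is validated before
        being handed to callers that use it as a read offset: the file must be at least a
        DOS header long, start with the "MZ" magic, and e_lfanew must point inside the file
        at a "PE\0\0" signature. Files that fail any check produce a non-terminating error
        and are skipped, so one bad file does not abort a batch.
        Bytes are read through a FileStream rather than Format-Hex -Offset/-Count, so the
        function does not depend on those parameters being present in the host's Format-Hex
        (older Windows PowerShell releases lack them) and never asks for bytes past end of file.
    .PARAMETER Path
        One or more file paths. Wildcard characters are taken literally (-LiteralPath).
    .OUTPUTS
        PSCustomObject with Path (System.IO.FileInfo) and Offset (Int32; e_lfanew is a LONG).
    .EXAMPLE
        Get-PEHeaderOffset -Path C:\Windows\System32\notepad.exe
    #>
    [CmdletBinding()]
    param (
        [string[]]$Path
    )
    foreach ($File in $Path) {
        try {
            $FileObj = Get-Item -LiteralPath $File -ErrorAction Stop
        } catch {
            Write-Error -ErrorRecord $_
            continue
        }
        $Stream = [System.IO.File]::OpenRead($FileObj.FullName)
        try {
            # The DOS header is 0x40 bytes; e_lfanew occupies 0x3C..0x3F.
            if ($Stream.Length -lt 0x40) {
                Write-Error "$($FileObj.FullName): file is shorter than a DOS header ($($Stream.Length) bytes)."
                continue
            }
            $Magic = New-Object byte[] 2
            [void]$Stream.Read($Magic, 0, 2)
            if ($Magic[0] -ne 0x4D -or $Magic[1] -ne 0x5A) {   # "MZ"
                Write-Error "$($FileObj.FullName): missing MZ signature; not a PE file."
                continue
            }
            $Stream.Position = 0x3C
            $Raw = New-Object byte[] 4
            [void]$Stream.Read($Raw, 0, 4)
            $Offset = [System.BitConverter]::ToInt32($Raw, 0)
            # e_lfanew is attacker-controlled. Reject negative values and values that would
            # place the 4-byte signature past end of file before anyone seeks to it.
            if ($Offset -lt 0 -or ([int64]$Offset + 4) -gt $Stream.Length) {
                Write-Error "$($FileObj.FullName): e_lfanew 0x$($Offset.ToString('X8')) points outside the file."
                continue
            }
            $Stream.Position = $Offset
            $Sig = New-Object byte[] 4
            [void]$Stream.Read($Sig, 0, 4)
            if ($Sig[0] -ne 0x50 -or $Sig[1] -ne 0x45 -or $Sig[2] -ne 0 -or $Sig[3] -ne 0) {   # "PE\0\0"
                Write-Error "$($FileObj.FullName): no PE signature at e_lfanew 0x$($Offset.ToString('X8'))."
                continue
            }
            [PSCustomObject]@{
                Path   = $FileObj
                Offset = $Offset
            }
        } finally {
            # Runs on every path out of the loop body, including 'continue'.
            $Stream.Dispose()
        }
    }
}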
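function Get-PECodeSize {
    <#
    .SYNOPSIS
        Returns the SizeOfCode field of the optional header for each given file.
    .DESCRIPTION
        SizeOfCode is the 4-byte little-endian DWORD at optional-header offset 4. The optional
        header follows the 4-byte "PE\0\0" signature and the 20-byte COFF file header, so the
        field sits at e_lfanew + 28 for both PE32 and PE32+. e_lfanew comes from
        Get-PEHeaderOffset; a file it rejects yields no header object here and is skipped
        (that function has already reported the error).
        The field offset is derived from untrusted header data, so it is bounds-checked against
        the file length before seeking. The value is decoded as UInt32 rather than Int32 so
        sizes of 2 GiB and above are not reported as negative numbers.
    .PARAMETER Path
        One or more file paths. Wildcard characters are taken literally.
    .OUTPUTS
        PSCustomObject with Path (System.IO.FileInfo) and CodeSize (UInt32).
    #>
    [CmdletBinding()]
    param (
        [string[]]$Path
    )
    # 4 (PE signature) + 20 (COFF file header) + 4 (Magic, MajorLinkerVersion, MinorLinkerVersion).
    $SizeOfCodeFieldOffset = 28
    foreach ($File in $Path) {
        $Header = Get-PEHeaderOffset -Path $File
        if ($null -eq $Header) { continue }
        $FileObj = Get-Item -LiteralPath $File
        # Widen before adding so a large e_lfanew cannot wrap the arithmetic.
        $FieldOffset = [int64]$Header.Offset + $SizeOfCodeFieldOffset
        $Stream = [System.IO.File]::OpenRead($FileObj.FullName)
        try {
            if ($FieldOffset -lt 0 -or ($FieldOffset + 4) -gt $Stream.Length) {
                Write-Error "$($FileObj.FullName): optional header is truncated; SizeOfCode lies outside the file."
                continue
            }
            $Stream.Position = $FieldOffset
            $Raw = New-Object byte[] 4
            [void]$Stream.Read($Raw, 0, 4)
            [PSCustomObject]@{
                Path     = $FileObj
                CodeSize = [System.BitConverter]::ToUInt32($Raw, 0)
            }
        } finally {
            $Stream.Dispose()
        }
    }
}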
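function Get-PEInitializedData {
    <#
    .SYNOPSIS
        Returns the SizeOfInitializedData field of the optional header for each given file.
    .DESCRIPTION
        SizeOfInitializedData is the 4-byte little-endian DWORD at optional-header offset 8,
        i.e. e_lfanew + 32 (4-byte "PE\0\0" signature + 20-byte COFF header + 8). The layout
        is the same for PE32 and PE32+. e_lfanew comes from Get-PEHeaderOffset; a file it
        rejects yields no header object here and is skipped (the error has already been raised).
        The field offset is derived from untrusted header data and is bounds-checked against
        the file length before seeking. The value is decoded as UInt32 so sizes of 2 GiB and
        above are not reported as negative numbers.
    .PARAMETER Path
        One or more file paths. Wildcard characters are taken literally.
    .OUTPUTS
        PSCustomObject with Path (System.IO.FileInfo) and InitializedDataSize (UInt32).
    #>
    [CmdletBinding()]
    param (
        [string[]]$Path
    )
    # 4 (PE signature) + 20 (COFF file header) + 8 (Magic/linker version + SizeOfCode).
    $SizeOfInitializedDataFieldOffset = 32
    foreach ($File in $Path) {
        $Header = Get-PEHeaderOffset -Path $File
        if ($null -eq $Header) { continue }
        $FileObj = Get-Item -LiteralPath $File
        # Widen before adding so a large e_lfanew cannot wrap the arithmetic.
        $FieldOffset = [int64]$Header.Offset + $SizeOfInitializedDataFieldOffset
        $Stream = [System.IO.File]::OpenRead($FileObj.FullName)
        try {
            if ($FieldOffset -lt 0 -or ($FieldOffset + 4) -gt $Stream.Length) {
                Write-Error "$($FileObj.FullName): optional header is truncated; SizeOfInitializedData lies outside the file."
                continue
            }
            $Stream.Position = $FieldOffset
            $Raw = New-Object byte[] 4
            [void]$Stream.Read($Raw, 0, 4)
            [PSCustomObject]@{
                Path                = $FileObj
                InitializedDataSize = [System.BitConverter]::ToUInt32($Raw, 0)
            }
        } finally {
            $Stream.Dispose()
        }
    }
}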
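function Get-IsSFX {
    <#
    .SYNOPSIS
        Heuristically flags PE files that look like self-extracting (SFX) archives.
    .DESCRIPTION
        Compares SizeOfCode with SizeOfInitializedData from the optional header and reports
        IsSFX = $true when the code size is smaller than the initialized-data size, on the
        assumption that an extractor stub carrying an embedded payload has far more data than
        code. This is a weak triage signal, not a verdict: any resource- or data-heavy
        executable meets the same condition, and a packer or malware author can keep the two
        fields balanced (or lie in them outright) to evade it. Pair it with content checks
        (archive magic at the overlay, signatures, entropy) before acting on the result.
        Files whose headers could not be read (no object back from Get-PECodeSize or
        Get-PEInitializedData, which have already raised the error) are skipped rather than
        emitted with missing sizes, so a malformed file cannot be reported as an SFX by
        comparing against an absent value.
    .PARAMETER Path
        One or more file paths, returned in the Path property exactly as given.
    .OUTPUTS
        PSCustomObject with Path (string), IsSFX (bool), CodeSize and InitializedDataSize
        (the values returned by the two helper functions).
    .NOTES
        The name does not follow the Verb-Noun convention (Test-PESFX would be idiomatic);
        it is kept for compatibility with existing callers.
    #>
    [CmdletBinding()]
    param (
        [string[]]$Path
    )
    foreach ($File in $Path) {
        $Code = Get-PECodeSize -Path $File
        $Data = Get-PEInitializedData -Path $File
        if ($null -eq $Code -or $null -eq $Data -or
            $null -eq $Code.CodeSize -or $null -eq $Data.InitializedDataSize) {
            # Header unreadable; the helper already reported why.
            continue
        }
        $CodeSize = $Code.CodeSize
        $InitializedDataSize = $Data.InitializedDataSize
        [PSCustomObject]@{
            Path                = $File
            IsSFX               = [bool]($CodeSize -lt $InitializedDataSize)
            CodeSize            = $CodeSize
            InitializedDataSize = $InitializedDataSize
        }
    }
}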