PowerSploit

1.0.0.0

ReverseEngineering/Get-ILDisassembly.ps1

                                function Get-ILDisassembly

{

<#

.SYNOPSIS

A MSIL (Microsoft Intermediate Language) disassembler.

PowerSploit Function: Get-ILDisassembly

Author: Matthew Graeber (@mattifestation)

License: BSD 3-Clause

Required Dependencies: None

Optional Dependencies: None

.DESCRIPTION

Get-ILDisassembly disassembles a raw MSIL byte array passed in from a MethodInfo object in a manner similar to that of Ildasm.

The majority of this code was simply translated from C# (with permission) from a code example taken from: "C# 4.0 in a Nutshell", Copyright 2010, Joseph Albahari and Ben Albahari, pg. 728-733

.PARAMETER MethodInfo

A MethodInfo object that describes the implementation of the method and contains the IL for the method.

.EXAMPLE

C:\PS> [Int].GetMethod('Parse', [String]) | Get-ILDisassembly | Format-Table Position, Instruction, Operand -AutoSize

Position Instruction Operand

-------- ----------- -------

IL_0000  ldarg.0

IL_0001  ldc.i4.7

IL_0002  call        System.Globalization.NumberFormatInfo.get_CurrentInfo

IL_0007  call        System.Number.ParseInt32

IL_000C  ret

Description

-----------

Disassembles the System.Int32.Parse(String) method

.EXAMPLE

C:\PS> $MethodInfo = [Array].GetMethod('BinarySearch', [Type[]]([Array], [Object]))

C:\PS> Get-ILDisassembly $MethodInfo | Format-Table Position, Instruction, Operand -AutoSize

Position Instruction Operand

-------- ----------- -------

IL_0000  ldarg.0

IL_0001  brtrue.s    IL_000E

IL_0003  ldstr       'array'

IL_0008  newobj      System.ArgumentNullException..ctor

IL_000D  throw

IL_000E  ldarg.0

IL_000F  ldc.i4.0

IL_0010  callvirt    System.Array.GetLowerBound

IL_0015  stloc.0

IL_0016  ldarg.0

IL_0017  ldloc.0

IL_0018  ldarg.0

IL_0019  callvirt    System.Array.get_Length

IL_001E  ldarg.1

IL_001F  ldnull

IL_0020  call        System.Array.BinarySearch

IL_0025  ret

Description

-----------

Disassembles the System.Array.BinarySearch(Array, Object) method

.INPUTS

System.Reflection.MethodInfo, System.Reflection.ConstructorInfo

A method or constructor description containing the raw IL bytecodes.

.OUTPUTS

System.Object

Returns a custom object consisting of a position, instruction, and opcode parameter.

.LINK

http://www.exploit-monday.com

http://www.albahari.com/nutshell/cs4ch18.aspx

http://msdn.microsoft.com/en-us/library/system.reflection.emit.opcodes.aspx

http://www.ecma-international.org/publications/files/ECMA-ST/Ecma-335.pdf

#>

    Param (

        [Parameter(Mandatory = $True, ValueFromPipeline = $True)]

        [ValidateScript({$_ -is [Reflection.MethodInfo] -or $_ -is [Reflection.ConstructorInfo]})]

        [Object]

        $MethodInfo

    )

    if (!($MethodInfo.GetMethodBody())) {

        return

    }

    $IL = $MethodInfo.GetMethodBody().GetILAsByteArray()

    $MethodModule = $MethodInfo.DeclaringType.Module

    $OpCodeTable = @{}

    # Fill OpCodeTable with every OpCode so that it can be referenced by numeric byte value

    [System.Reflection.Emit.OpCodes].GetMembers() |

        ForEach-Object {

            try {

                $OpCode = $_.GetValue($null)

                $OpCodeTable[[Int16] $OpCode.Value] = $OpCode

            } catch {}

        }

    $Position = 0

    # Disassemble every instruction until the end of the IL bytecode array is reached

    while ($Position -lt $IL.Length) {

        # Get current instruction position

        $InstructionPostion = "IL_{0}" -f ($Position.ToString('X4'))

        if ($IL[$Position] -eq 0xFE) {

            # You are dealing with a two-byte opcode in this case

            $Op = $OpCodeTable[[Int16] ([BitConverter]::ToInt16($IL[($Position+1)..$Position], 0))]

            $Position++

        } else {

            # Otherwise, it's a one-byte opcode

            $Op = $OpCodeTable[[Int16] $IL[$Position]]

        }

        $Position++

        $Type = $Op.OperandType

        $Operand = $null

        $OpInt = $null

        if ($Type -eq 'InlineNone') {

            $OperandLength = 0

        } elseif (($Type -eq 'ShortInlineBrTarget') -or ($Type -eq 'ShortInlineI') -or ($Type -eq 'ShortInlineVar')) {

            $OperandLength = 1

            if ($Type -eq 'ShortInlineBrTarget') { # Short relative jump instruction

                # [SByte]::Parse was used because PowerShell doesn't handle signed bytes well

                $Target = $Position + ([SByte]::Parse($IL[$Position].ToString('X2'), 'AllowHexSpecifier')) + 1

                $Operand = "IL_{0}" -f ($Target.ToString('X4'))

            }

        } elseif ($Type -eq 'InlineVar') {

            $OperandLength = 2

        } elseif (($Type -eq 'InlineI8') -or (($Type -eq 'InlineR'))) {

            $OperandLength = 8

        } elseif ($Type -eq 'InlineSwitch') {

            # This is the only operand type with a variable number of operands

            $TargetCount = [BitConverter]::ToInt32($IL, $Position)

            $OperandLength = 4 * ($TargetCount + 1)

            $Targets = New-Object String[]($TargetCount)

            foreach ($i in 0..($TargetCount - 1)) {

                # Get all switch jump targets

                $Target = [BitConverter]::ToInt32($IL, ($Position + ($i + 1) * 4))

                $Targets[$i] = "IL_{0}" -f (($Position + $Target + $OperandLength).ToString('X4'))

            }

            $Operand = "({0})" -f ($Targets -join ',')

        } else {

            $OperandLength = 4

            $Operand = $null

            $OpInt = [BitConverter]::ToInt32($IL, $Position)

            if (($Type -eq 'InlineTok') -or ($Type -eq 'InlineMethod') -or ($Type -eq 'InlineField') -or ($Type -eq 'InlineType')) {

                # Resolve all operands with metadata tokens

                Write-Verbose "OpCode Metadata for member: $OpInt"

                try { $MemberInfo = $MethodModule.ResolveMember($OpInt) } catch { $Operand = $null }

                if (!$MemberInfo) { $Operand = $null }

                # Retrieve the actual name of the class and method

                if ($MemberInfo.ReflectedType) {

                    $Operand = "{0}.{1}" -f ($MemberInfo.ReflectedType.Fullname), ($MemberInfo.Name)

                } elseif ($MemberInfo -is [Type]) {

                    $Operand = $MemberInfo.GetType().FullName

                } else {

                    $Operand = $MemberInfo.Name

                }

            } elseif ($Type -eq 'InlineString') {

                # Retrieve the referenced string

                $Operand = "`'{0}`'" -f ($MethodModule.ResolveString($OpInt))

            } elseif ($Type -eq 'InlineBrTarget') {

                $Operand = "IL_{0}" -f (($Position + $OpInt + 4).ToString('X4'))

            } else {

                $Operand = $null

            }

        }

        if (($OperandLength -gt 0) -and ($OperandLength -ne 4) -and ($Type -ne 'InlineSwitch') -and ($Type -ne 'ShortInlineBrTarget')) {

            # Simply print the hex for all operands with immediate values

            $Operand = "0x{0}" -f (($IL[($Position+$OperandLength-1)..$Position] | ForEach-Object { $_.ToString('X2') }) -join '')

        }

        $Instruction = @{

            Position = $InstructionPostion

            Instruction = $Op

            Operand = $Operand

            MetadataToken = $OpInt

        }

        # Return a custom object containing a position, instruction, and fully-qualified operand

        $InstructionObject = New-Object PSObject -Property $Instruction

        $InstructionObject.PSObject.TypeNames.Insert(0, 'IL_INSTRUCTION')

        $InstructionObject

        # Adjust the position in the opcode array accordingly

        $Position += $OperandLength

    }

}