@bannsec
Forked from mattifestation/FileReadPrimitive.ps1
Last active June 12, 2023 16:41
A WMI file content read primitive - ROOT/Microsoft/Windows/Powershellv3/PS_ModuleFile
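# Open a CIM session to the remote host.
$CimSession = New-CimSession -ComputerName 10.0.0.2
# Path of the file to read, as resolved on the remote host.
$FilePath = 'C:\Windows\System32\notepad.exe'
# PS_ModuleFile only implements GetInstance (versus EnumerateInstance) so this trick below will force a "Get" operation versus the default "Enumerate" operation.
$PSModuleFileClass = Get-CimClass -Namespace ROOT/Microsoft/Windows/Powershellv3 -ClassName PS_ModuleFile -CimSession $CimSession
# -ClientOnly builds the instance in memory, keyed on the file path, without contacting the remote host.
$InMemoryModuleFileInstance = New-CimInstance -CimClass $PSModuleFileClass -Property @{ InstanceID = $FilePath } -ClientOnly
# Passing the in-memory instance as -InputObject issues the "Get" against the remote provider.
$FileContents = Get-CimInstance -InputObject $InMemoryModuleFileInstance -CimSession $CimSession
# The first four bytes of FileData are a big-endian length; reverse them so BitConverter reads them correctly on a little-endian host.
$FileLengthBytes = $FileContents.FileData[0..3]
[Array]::Reverse($FileLengthBytes)
$FileLength = [BitConverter]::ToUInt32($FileLengthBytes, 0)
# The file content follows the 4-byte length prefix.
$FileBytes = $FileContents.FileData[4..($FileLength - 1)]
# -Encoding Byte is Windows PowerShell 5.1 syntax (PowerShell 6+ uses -AsByteStream). Add-Content appends if the output file already exists.
Add-Content -Path ".\new_notepad.exe" -Value $FileBytes -Encoding Byte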