kmahyyg/extract.ps1

## extract.ps1
$Source = @'
using System;
using System.Runtime.InteropServices;
using System.Text;
public class Win32Native {
    [DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    public static extern IntPtr LoadLibraryEx(string libFilename, IntPtr reserved, int flags);
    [DllImport("kernel32.dll", CharSet = CharSet.Unicode)]
	[return: MarshalAs(UnmanagedType.Bool)]
	public static extern bool FreeLibrary(IntPtr hModule);
    [DllImport("kernel32.dll", BestFitMapping = true, CharSet = CharSet.Auto)]
    public static extern int FormatMessage(int dwFlags, IntPtr lpSource, int dwMessageId, int dwLanguageId, StringBuilder lpBuffer, int nSize, IntPtr va_list_arguments);
}
'@

Add-Type -TypeDefinition $Source

function Get-MSObjsMessage {
    param (
        [Parameter(ValueFromPipeline)]
        [Int[]]
        $MessageIDs
    )

    BEGIN {
        $LOAD_LIBRARY_AS_IMAGE_RESOURCE = 0x20

        $hMSObjs = [Win32Native]::LoadLibraryEx('C:\Windows\System32\msobjs.dll', [IntPtr]::Zero, $LOAD_LIBRARY_AS_IMAGE_RESOURCE)

        $StrBuilder = New-Object -TypeName System.Text.StringBuilder -ArgumentList 0x500

        $FORMAT_MESSAGE_IGNORE_INSERTS = 0x200
        $FORMAT_MESSAGE_FROM_HMODULE = 0x800
        $FORMAT_MESSAGE_ALLOCATE_BUFFER = 0x1000
    }

    PROCESS {
        foreach ($Id in $MessageIDs) {
            $Result = [Win32Native]::FormatMessage(($FORMAT_MESSAGE_IGNORE_INSERTS -bor $FORMAT_MESSAGE_FROM_HMODULE -bor $FORMAT_MESSAGE_ALLOCATE_BUFFER), $hMSObjs, $Id, 0, $StrBuilder, $StrBuilder.Capacity, [IntPtr]::Zero)

            if ($Result) {
            $wrapper = New-Object PSObject -Property @{ MsgId = $Id.ToString(); MsgContent = $StrBuilder.ToString().Trim() }
			Export-Csv -InputObject $wrapper -Path .\MSOBJS-Msg.csv -NoTypeInformation -Append
            }

            $null = $StrBuilder.Clear()
        }
    }

    END {
        $null = [Win32Native]::FreeLibrary($hMSObjs)
    }
}

$ChannelMessageIDs = 0x0..0x10000

$ChannelMessageIDs | Get-MSObjsMessage

# Thanks to https://gist.github.com/mattifestation/43248b6f59d1dd67d4f57318a9a7e565
# This is used to extract message from msobjs.dll resources
	$Source = @'
	using System;
	using System.Runtime.InteropServices;
	using System.Text;
	public class Win32Native {
	[DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
	public static extern IntPtr LoadLibraryEx(string libFilename, IntPtr reserved, int flags);
	[DllImport("kernel32.dll", CharSet = CharSet.Unicode)]
	[return: MarshalAs(UnmanagedType.Bool)]
	public static extern bool FreeLibrary(IntPtr hModule);
	[DllImport("kernel32.dll", BestFitMapping = true, CharSet = CharSet.Auto)]
	public static extern int FormatMessage(int dwFlags, IntPtr lpSource, int dwMessageId, int dwLanguageId, StringBuilder lpBuffer, int nSize, IntPtr va_list_arguments);
	}
	'@

	Add-Type -TypeDefinition $Source

	function Get-MSObjsMessage {
	param (
	[Parameter(ValueFromPipeline)]
	[Int[]]
	$MessageIDs
	)

	BEGIN {
	$LOAD_LIBRARY_AS_IMAGE_RESOURCE = 0x20

	$hMSObjs = [Win32Native]::LoadLibraryEx('C:\Windows\System32\msobjs.dll', [IntPtr]::Zero, $LOAD_LIBRARY_AS_IMAGE_RESOURCE)

	$StrBuilder = New-Object -TypeName System.Text.StringBuilder -ArgumentList 0x500

	$FORMAT_MESSAGE_IGNORE_INSERTS = 0x200
	$FORMAT_MESSAGE_FROM_HMODULE = 0x800
	$FORMAT_MESSAGE_ALLOCATE_BUFFER = 0x1000
	}

	PROCESS {
	foreach ($Id in $MessageIDs) {
	$Result = [Win32Native]::FormatMessage(($FORMAT_MESSAGE_IGNORE_INSERTS -bor $FORMAT_MESSAGE_FROM_HMODULE -bor $FORMAT_MESSAGE_ALLOCATE_BUFFER), $hMSObjs, $Id, 0, $StrBuilder, $StrBuilder.Capacity, [IntPtr]::Zero)

	if ($Result) {
	$wrapper = New-Object PSObject -Property @{ MsgId = $Id.ToString(); MsgContent = $StrBuilder.ToString().Trim() }
	Export-Csv -InputObject $wrapper -Path .\MSOBJS-Msg.csv -NoTypeInformation -Append
	}

	$null = $StrBuilder.Clear()
	}
	}

	END {
	$null = [Win32Native]::FreeLibrary($hMSObjs)
	}
	}

	$ChannelMessageIDs = 0x0..0x10000

	$ChannelMessageIDs \| Get-MSObjsMessage

	# Thanks to https://gist.github.com/mattifestation/43248b6f59d1dd67d4f57318a9a7e565
	# This is used to extract message from msobjs.dll resources