A crude Load(byte[]) method scanner for UMCI bypass research
# Author: Matthew Graeber (@mattifestation) | |
# Load dnlib with Add-Type first | |
# dnlib can be obtained here: https://github.com/0xd4d/dnlib | |
# Example: ls C:\ -Recurse | Get-AssemblyLoadReference | |
filter Get-AssemblyLoadReference { | |
param ( | |
[Parameter(Mandatory = $True, ValueFromPipelineByPropertyName = $True)] | |
[Alias('FullName')] | |
[String] | |
[ValidateNotNullOrEmpty()] | |
$Path | |
) | |
$FullPath = Resolve-Path $Path | |
$Module = $null | |
try { | |
$Module = [dnlib.DotNet.ModuleDefMD]::Load($FullPath) | |
} catch { | |
return | |
} | |
$listMemberRefMD = $Module.GetType().GetFields('NonPublic, Instance') | ? { $_.Name -eq 'listMemberRefMD' } | |
$MemberRefList = $listMemberRefMD.GetValue($Module) | |
$GenericParamContext = New-Object -TypeName dnlib.DotNet.GenericParamContext | |
$AssemblyLoadList = New-Object -TypeName 'System.Collections.Generic.List[System.Object]' | |
for ($i = 0; $i -lt $MemberRefList.Length; $i++) { | |
$MemberRefDefinition = $MemberRefList.Item($i, $GenericParamContext) | |
if (($MemberRefDefinition.Name.String -eq 'Load') -and | |
($MemberRefDefinition.ReturnType.FullName -eq 'System.Reflection.Assembly') -and | |
($MemberRefDefinition.MethodSig.Params.FullName -contains 'System.Byte[]')) { | |
<# The assembly "imports" a Load method that: | |
1) Is called "Load" | |
2) Returns a System.Reflection.Assembly instance | |
3) Has at least one parameter that accepts an argument of type System.Byte[] | |
#> | |
$AssemblyLoadList.Add($MemberRefDefinition) | |
} | |
} | |
if ($AssemblyLoadList.Count) { | |
[PSCustomObject] @{ | |
AssemblyPath = $FullPath | |
LoadMethodImports = $AssemblyLoadList | |
} | |
} | |
} |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment