smgorelik/ListOfLoadableExecutables.cs

## ListOfLoadableExecutables.cs
#Function written by Michael Gorelik, Twitter: @smgoreli
function ListOfLoadableExecutables
{
	Param
	(
	    [Parameter( Position = 0, Mandatory = $True )]
	    [String]
	    $DirLocation,

	    [Parameter( Position = 1, Mandatory = $True )]
	    [String]
	    $outputLog
	)

    #Function written by Matt Graeber, Twitter: @mattifestation, Blog: http://www.exploit-monday.com/
    Function Get-ProcAddress
    {
	    Param
	    (
	        [OutputType([IntPtr])]

	        [Parameter( Position = 0, Mandatory = $True )]
	        [String]
	        $Module,

	        [Parameter( Position = 1, Mandatory = $True )]
	        [String]
	        $Procedure
	    )

	    # Get a reference to System.dll in the GAC
	    $SystemAssembly = [AppDomain]::CurrentDomain.GetAssemblies() |
	        Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\\')[-1].Equals('System.dll') }
	    $UnsafeNativeMethods = $SystemAssembly.GetType('Microsoft.Win32.UnsafeNativeMethods')
	    # Get a reference to the GetModuleHandle and GetProcAddress methods
	    $GetModuleHandle = $UnsafeNativeMethods.GetMethod('GetModuleHandle')
	    $GetProcAddress = $UnsafeNativeMethods.GetMethod('GetProcAddress')
	    # Get a handle to the module specified
	    $Kern32Handle = $GetModuleHandle.Invoke($null, @($Module))
	    $tmpPtr = New-Object IntPtr
	    $HandleRef = New-Object System.Runtime.InteropServices.HandleRef($tmpPtr, $Kern32Handle)

	    # Return the address of the function
	    Write-Output $GetProcAddress.Invoke($null, @([System.Runtime.InteropServices.HandleRef]$HandleRef, $Procedure))
    }

    #Function written by Matt Graeber, Twitter: @mattifestation, Blog: http://www.exploit-monday.com/
    Function Get-DelegateType
    {
	    Param
	    (
	        [OutputType([Type])]

	        [Parameter( Position = 0)]
	        [Type[]]
	        $Parameters = (New-Object Type[](0)),

	        [Parameter( Position = 1 )]
	        [Type]
	        $ReturnType = [Void]
	    )

	    $Domain = [AppDomain]::CurrentDomain
	    $DynAssembly = New-Object System.Reflection.AssemblyName('ReflectedDelegate')
	    $AssemblyBuilder = $Domain.DefineDynamicAssembly($DynAssembly, [System.Reflection.Emit.AssemblyBuilderAccess]::Run)
	    $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule('InMemoryModule', $false)
	    $TypeBuilder = $ModuleBuilder.DefineType('MyDelegateType', 'Class, Public, Sealed, AnsiClass, AutoClass', [System.MulticastDelegate])
	    $ConstructorBuilder = $TypeBuilder.DefineConstructor('RTSpecialName, HideBySig, Public', [System.Reflection.CallingConventions]::Standard, $Parameters)
	    $ConstructorBuilder.SetImplementationFlags('Runtime, Managed')
	    $MethodBuilder = $TypeBuilder.DefineMethod('Invoke', 'Public, HideBySig, NewSlot, Virtual', $ReturnType, $Parameters)
	    $MethodBuilder.SetImplementationFlags('Runtime, Managed')

	    Write-Output $TypeBuilder.CreateType()
    }

    $excludeList = @(".cs",".bin",".psx")

    $Win32Functions = New-Object System.Object
    $LoadLibraryAddr = Get-ProcAddress kernel32.dll LoadLibraryA
    $LoadLibraryDelegate = Get-DelegateType @([String]) ([IntPtr])
    $LoadLibrary = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($LoadLibraryAddr, $LoadLibraryDelegate)
    $Win32Functions | Add-Member -MemberType NoteProperty -Name LoadLibrary -Value $LoadLibrary


    $FreeLibraryAddr = Get-ProcAddress kernel32.dll FreeLibrary
    $FreeLibraryDelegate = Get-DelegateType @([Bool]) ([IntPtr])
    $FreeLibrary = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($FreeLibraryAddr, $FreeLibraryDelegate)
    $Win32Functions | Add-Member -MemberType NoteProperty -Name FreeLibrary -Value $FreeLibrary

    Get-ChildItem -Path $DirPath  -Recurse -File | Where {$item -like $_}

    Out-File -Encoding Ascii -append $outputLog

    foreach ($item in Get-ChildItem -Path $DirLocation  -Recurse -File )
    {
        $Result = $Win32Functions.LoadLibrary.Invoke($item.FullName)
        if ($Result -eq $null -or $Result -eq [IntPtr]::Zero){
            continue;
        }
        $Win32Functions.FreeLibrary.Invoke( $Result)
        $item.FullName| Add-Content $outputLog

    }
}
	#Function written by Michael Gorelik, Twitter: @smgoreli
	function ListOfLoadableExecutables
	{
	Param
	(
	[Parameter( Position = 0, Mandatory = $True )]
	[String]
	$DirLocation,

	[Parameter( Position = 1, Mandatory = $True )]
	[String]
	$outputLog
	)

	#Function written by Matt Graeber, Twitter: @mattifestation, Blog: http://www.exploit-monday.com/
	Function Get-ProcAddress
	{
	Param
	(
	[OutputType([IntPtr])]

	[Parameter( Position = 0, Mandatory = $True )]
	[String]
	$Module,

	[Parameter( Position = 1, Mandatory = $True )]
	[String]
	$Procedure
	)

	# Get a reference to System.dll in the GAC
	$SystemAssembly = [AppDomain]::CurrentDomain.GetAssemblies() \|
	Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\\')[-1].Equals('System.dll') }
	$UnsafeNativeMethods = $SystemAssembly.GetType('Microsoft.Win32.UnsafeNativeMethods')
	# Get a reference to the GetModuleHandle and GetProcAddress methods
	$GetModuleHandle = $UnsafeNativeMethods.GetMethod('GetModuleHandle')
	$GetProcAddress = $UnsafeNativeMethods.GetMethod('GetProcAddress')
	# Get a handle to the module specified
	$Kern32Handle = $GetModuleHandle.Invoke($null, @($Module))
	$tmpPtr = New-Object IntPtr
	$HandleRef = New-Object System.Runtime.InteropServices.HandleRef($tmpPtr, $Kern32Handle)

	# Return the address of the function
	Write-Output $GetProcAddress.Invoke($null, @([System.Runtime.InteropServices.HandleRef]$HandleRef, $Procedure))
	}

	#Function written by Matt Graeber, Twitter: @mattifestation, Blog: http://www.exploit-monday.com/
	Function Get-DelegateType
	{
	Param
	(
	[OutputType([Type])]

	[Parameter( Position = 0)]
	[Type[]]
	$Parameters = (New-Object Type[](0)),

	[Parameter( Position = 1 )]
	[Type]
	$ReturnType = [Void]
	)

	$Domain = [AppDomain]::CurrentDomain
	$DynAssembly = New-Object System.Reflection.AssemblyName('ReflectedDelegate')
	$AssemblyBuilder = $Domain.DefineDynamicAssembly($DynAssembly, [System.Reflection.Emit.AssemblyBuilderAccess]::Run)
	$ModuleBuilder = $AssemblyBuilder.DefineDynamicModule('InMemoryModule', $false)
	$TypeBuilder = $ModuleBuilder.DefineType('MyDelegateType', 'Class, Public, Sealed, AnsiClass, AutoClass', [System.MulticastDelegate])
	$ConstructorBuilder = $TypeBuilder.DefineConstructor('RTSpecialName, HideBySig, Public', [System.Reflection.CallingConventions]::Standard, $Parameters)
	$ConstructorBuilder.SetImplementationFlags('Runtime, Managed')
	$MethodBuilder = $TypeBuilder.DefineMethod('Invoke', 'Public, HideBySig, NewSlot, Virtual', $ReturnType, $Parameters)
	$MethodBuilder.SetImplementationFlags('Runtime, Managed')

	Write-Output $TypeBuilder.CreateType()
	}

	$excludeList = @(".cs",".bin",".psx")

	$Win32Functions = New-Object System.Object
	$LoadLibraryAddr = Get-ProcAddress kernel32.dll LoadLibraryA
	$LoadLibraryDelegate = Get-DelegateType @([String]) ([IntPtr])
	$LoadLibrary = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($LoadLibraryAddr, $LoadLibraryDelegate)
	$Win32Functions \| Add-Member -MemberType NoteProperty -Name LoadLibrary -Value $LoadLibrary


	$FreeLibraryAddr = Get-ProcAddress kernel32.dll FreeLibrary
	$FreeLibraryDelegate = Get-DelegateType @([Bool]) ([IntPtr])
	$FreeLibrary = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($FreeLibraryAddr, $FreeLibraryDelegate)
	$Win32Functions \| Add-Member -MemberType NoteProperty -Name FreeLibrary -Value $FreeLibrary

	Get-ChildItem -Path $DirPath -Recurse -File \| Where {$item -like $_}

	Out-File -Encoding Ascii -append $outputLog

	foreach ($item in Get-ChildItem -Path $DirLocation -Recurse -File )
	{
	$Result = $Win32Functions.LoadLibrary.Invoke($item.FullName)
	if ($Result -eq $null -or $Result -eq [IntPtr]::Zero){
	continue;
	}
	$Win32Functions.FreeLibrary.Invoke( $Result)
	$item.FullName\| Add-Content $outputLog

	}
	}