<#
.SYNOPSIS
    Reports whether a Windows PE image is 32-bit (I386) or 64-bit (AMD64).
.DESCRIPTION
    Checks the 'MZ' DOS signature, follows the e_lfanew field to the 'PE\0\0'
    signature and inspects the Machine field that follows it. Emits one object
    with an 'Arch' property of 'AMD64' or 'I386'; any other case is reported
    with a non-terminating Write-Error and nothing is emitted.
.PARAMETER FilePath
    Path of the file to inspect. It must name an existing file (validated with
    Test-Path -PathType Leaf); the validator only checks existence, not that the
    file is a PE image.
.NOTES
    Written for PowerShell 5.1.
#>
#Get-FileBitness.ps1
#Written for PowerShell 5.1
[CmdletBinding()]
Param(
    [Parameter(Mandatory)]
    # -Path (not -LiteralPath): wildcard characters in the name are treated as a pattern.
    [ValidateScript({Test-Path -Path $_ -PathType Leaf})]
    [String]$FilePath
)
#region constants
# Well-known PE/COFF header magic values. All are stored little-endian on disk,
# which is why the two-character signatures read "backwards" as integers.
New-Variable -Name IMAGE_DOS_HEADER         -Value ([uint16]0x5A4D)     -Option Constant   # 'MZ' at offset 0
New-Variable -Name IMAGE_NT_HEADER          -Value ([uint32]0x00004550) -Option Constant   # 'PE\0\0' at e_lfanew
New-Variable -Name IMAGE_FILE_MACHINE_I386  -Value ([uint16]0x014C)     -Option Constant   # IMAGE_FILE_HEADER.Machine, x86
New-Variable -Name IMAGE_FILE_MACHINE_AMD64 -Value ([uint16]0x8664)     -Option Constant   # IMAGE_FILE_HEADER.Machine, x64
#endregion
- #region functions
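Function ConvertTo-DWord {
    <#
    .SYNOPSIS
        Assembles exactly four bytes into an unsigned 32-bit integer (DWORD).
    .DESCRIPTION
        The bytes are read little-endian (first byte least significant) unless
        -BigEndian is given, in which case their order is reversed first.
        Any count other than four writes a non-terminating error and returns $null.
    .PARAMETER ByteArray
        The four bytes, passed by name or position.
    .PARAMETER InputObject
        The bytes supplied through the pipeline; they are collected until the
        pipeline ends and then assembled in end{}.
    .PARAMETER BigEndian
        Treat the first byte as the most significant one.
    .OUTPUTS
        System.UInt32, or $null after a length error.
    #>
    [CmdletBinding(DefaultParameterSetName = 'ByName')]
    [OutputType([uint32])]
    Param(
        [Parameter(Mandatory, ParameterSetName = 'ByName', Position = 0)]
        [byte[]]$ByteArray,
        [Parameter(Mandatory, ParameterSetName = 'ByPipe', ValueFromPipeline)]
        [byte[]]$InputObject,
        [Parameter(ParameterSetName = 'ByName')]
        [Parameter(ParameterSetName = 'ByPipe')]
        [switch]$BigEndian
    )
    begin {
        # Create the accumulator locally. An uninitialised '+=' fails under
        # Set-StrictMode and, because of dynamic scoping, would otherwise start
        # from any $PipeBytes that happens to exist in the caller's scope.
        [byte[]]$PipeBytes = @()
    }
    process {
        If ($PSCmdlet.ParameterSetName -eq 'ByPipe') {
            $PipeBytes += $InputObject
        }
    }
    end {
        [byte[]]$Bytes = If ($PSCmdlet.ParameterSetName -eq 'ByPipe') { $PipeBytes } Else { $ByteArray }
        If ($Bytes.Count -lt 4) {
            Write-Error "Too few array elements"
            Return $null
        }
        If ($Bytes.Count -gt 4) {
            Write-Error "Too many array elements"
            Return $null
        }
        If ($BigEndian) {
            [byte[]]$Bytes = $Bytes[3..0]
        }
        # Integer arithmetic only (no [math]::Pow doubles): widen each byte to
        # Int64 before shifting so nothing wraps, then narrow once at the end.
        [int64]$Result = 0
        for ($i = 0; $i -lt 4; $i++) {
            $Result = $Result -bor ([int64]($Bytes[$i]) -shl (8 * $i))
        }
        Return [uint32]$Result
    }
}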
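Function ConvertTo-Word {
    <#
    .SYNOPSIS
        Assembles exactly two bytes into an unsigned 16-bit integer (WORD).
    .DESCRIPTION
        The bytes are read little-endian (first byte least significant) unless
        -BigEndian is given, in which case their order is reversed first.
        Any count other than two writes a non-terminating error and returns $null.
    .PARAMETER ByteArray
        The two bytes, passed by name or position.
    .PARAMETER InputObject
        The bytes supplied through the pipeline; they are collected until the
        pipeline ends and then assembled in end{}.
    .PARAMETER BigEndian
        Treat the first byte as the most significant one.
    .OUTPUTS
        System.UInt16, or $null after a length error.
    #>
    [CmdletBinding(DefaultParameterSetName = 'ByName')]
    [OutputType([uint16])]
    Param(
        [Parameter(Mandatory, ParameterSetName = 'ByName', Position = 0)]
        [byte[]]$ByteArray,
        [Parameter(Mandatory, ParameterSetName = 'ByPipe', ValueFromPipeline)]
        [byte[]]$InputObject,
        [Parameter(ParameterSetName = 'ByName')]
        [Parameter(ParameterSetName = 'ByPipe')]
        [switch]$BigEndian
    )
    begin {
        # Create the accumulator locally. An uninitialised '+=' fails under
        # Set-StrictMode and, because of dynamic scoping, would otherwise start
        # from any $PipeBytes that happens to exist in the caller's scope.
        [byte[]]$PipeBytes = @()
    }
    process {
        If ($PSCmdlet.ParameterSetName -eq 'ByPipe') {
            $PipeBytes += $InputObject
        }
    }
    end {
        [byte[]]$Bytes = If ($PSCmdlet.ParameterSetName -eq 'ByPipe') { $PipeBytes } Else { $ByteArray }
        If ($Bytes.Count -lt 2) {
            Write-Error "Too few array elements"
            Return $null
        }
        If ($Bytes.Count -gt 2) {
            Write-Error "Too many array elements"
            Return $null
        }
        If ($BigEndian) {
            [byte[]]$Bytes = $Bytes[1..0]
        }
        # Integer arithmetic only (no [math]::Pow doubles): widen each byte to
        # Int64 before shifting, then narrow once at the end.
        [int64]$Result = 0
        For ($i = 0; $i -lt 2; $i++) {
            $Result = $Result -bor ([int64]($Bytes[$i]) -shl (8 * $i))
        }
        Return [uint16]$Result
    }
}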
#endregion
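#region main
# Output shape: a single [Arch] object whose 'Arch' property is 'AMD64' or 'I386'.
Class Arch {
    [string]$Arch
}

# ProviderPath (not Path) so that a PSDrive-relative input still yields a file
# system path that the .NET stream below can open.
[string]$FullPath = Resolve-Path -Path $FilePath | Select-Object -ExpandProperty ProviderPath

# Read the header fields at their real offsets rather than from a fixed 512-byte
# prefix: e_lfanew is a 4-byte field at 0x3C (reading two bytes truncates it), and
# it may point past 512 bytes when the DOS stub is large. Indexing a byte[] out of
# range in PowerShell yields $null, not an error, so an over-long stub used to be
# mis-reported as "Not a valid Win32 image". Every read is now checked for the
# exact length it needs. A FileStream also avoids Get-Content -Encoding Byte,
# which exists only in Windows PowerShell.
$Stream = [System.IO.File]::Open($FullPath, [System.IO.FileMode]::Open,
                                 [System.IO.FileAccess]::Read, [System.IO.FileShare]::Read)
Try {
    # IMAGE_DOS_HEADER is 64 bytes: 'MZ' at 0, e_lfanew at 60..63.
    [byte[]]$DosHeader = [byte[]]::new(64)
    If ($Stream.Read($DosHeader, 0, 64) -ne 64 -or (ConvertTo-Word $DosHeader[0, 1]) -ne $IMAGE_DOS_HEADER) {
        Write-Error "Not a valid executable image"
        Return
    }
    [uint32]$PEHeaderOffset = ConvertTo-DWord $DosHeader[60..63]

    # 4 signature bytes followed by the 2-byte Machine field of IMAGE_FILE_HEADER.
    # Seeking past the end is legal; a short read is what reports an out-of-range
    # e_lfanew here.
    [byte[]]$NtHeader = [byte[]]::new(6)
    [void]$Stream.Seek($PEHeaderOffset, [System.IO.SeekOrigin]::Begin)
    If ($Stream.Read($NtHeader, 0, 6) -ne 6 -or (ConvertTo-DWord $NtHeader[0..3]) -ne $IMAGE_NT_HEADER) {
        Write-Error "Not a valid Win32 image"
        Return
    }

    Switch (ConvertTo-Word $NtHeader[4, 5]) {
        $IMAGE_FILE_MACHINE_AMD64 {
            [Arch]@{Arch = 'AMD64'}
            Break
        }
        $IMAGE_FILE_MACHINE_I386 {
            [Arch]@{Arch = 'I386'}
            Break
        }
        Default {
            Write-Error "Unsupported machine architecture"
        }
    }
}
Finally {
    $Stream.Dispose()
}
#endregion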