Public/Functions/Other/Get-NativeMatchineImage.ps1
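Function Get-NativeMatchineImage {
    <#
    .SYNOPSIS
        Reports the native machine architecture of the host and the WOW64
        machine type of the current PowerShell process.

    .DESCRIPTION
        Compiles a small P/Invoke wrapper class (WinApi) with Add-Type and calls
        kernel32!IsWow64Process2 for the current process. The two machine-type
        codes it returns are mapped to their IMAGE_FILE_MACHINE_* names and only
        the part after the last underscore is kept (for example "AMD64").

    .OUTPUTS
        PSObject with the note properties NativeMachine and ProcessMachine.
        If the API call fails or is unavailable, a warning is written and the
        object is returned without those properties.

    .NOTES
        P/Invoke code from https://github.com/rweijnen/Posh-Snippets/blob/master/PoshWow64ApiSet

        ProcessMachine is "UNKNOWN" when the process is NOT running under WOW64,
        i.e. it is a native process. Do not read "UNKNOWN" as an error.

        Add-Type is not permitted in ConstrainedLanguage mode, so on hosts locked
        down with WDAC/AppLocker this function cannot build the wrapper type.
        On Windows PowerShell the compile step typically runs csc.exe and writes
        temporary files, which endpoint monitoring may record.
    #>

    # Single-quoted here-string: the C# text is passed to the compiler verbatim,
    # with no PowerShell variable expansion.
    $source = @'
using System;
using System.Runtime.InteropServices;
using System.Diagnostics;
using System.ComponentModel;

public static class WinApi
{
    public const ushort IMAGE_FILE_MACHINE_UNKNOWN = 0;
    public const ushort IMAGE_FILE_MACHINE_TARGET_HOST = 0x0001; // Useful for indicating we want to interact with the host and not a WoW guest.
    public const ushort IMAGE_FILE_MACHINE_I386 = 0x014c; // Intel 386.
    public const ushort IMAGE_FILE_MACHINE_R3000 = 0x0162; // MIPS little-endian, = 0x160 big-endian
    public const ushort IMAGE_FILE_MACHINE_R4000 = 0x0166; // MIPS little-endian
    public const ushort IMAGE_FILE_MACHINE_R10000 = 0x0168; // MIPS little-endian
    public const ushort IMAGE_FILE_MACHINE_WCEMIPSV2 = 0x0169; // MIPS little-endian WCE v2
    public const ushort IMAGE_FILE_MACHINE_ALPHA = 0x0184; // Alpha_AXP
    public const ushort IMAGE_FILE_MACHINE_SH3 = 0x01a2; // SH3 little-endian
    public const ushort IMAGE_FILE_MACHINE_SH3DSP = 0x01a3;
    public const ushort IMAGE_FILE_MACHINE_SH3E = 0x01a4; // SH3E little-endian
    public const ushort IMAGE_FILE_MACHINE_SH4 = 0x01a6; // SH4 little-endian
    public const ushort IMAGE_FILE_MACHINE_SH5 = 0x01a8; // SH5
    public const ushort IMAGE_FILE_MACHINE_ARM = 0x01c0; // ARM Little-Endian
    public const ushort IMAGE_FILE_MACHINE_THUMB = 0x01c2; // ARM Thumb/Thumb-2 Little-Endian
    public const ushort IMAGE_FILE_MACHINE_ARMNT = 0x01c4; // ARM Thumb-2 Little-Endian
    public const ushort IMAGE_FILE_MACHINE_AM33 = 0x01d3;
    public const ushort IMAGE_FILE_MACHINE_POWERPC = 0x01F0; // IBM PowerPC Little-Endian
    public const ushort IMAGE_FILE_MACHINE_POWERPCFP = 0x01f1;
    public const ushort IMAGE_FILE_MACHINE_IA64 = 0x0200; // Intel 64
    public const ushort IMAGE_FILE_MACHINE_MIPS16 = 0x0266; // MIPS
    public const ushort IMAGE_FILE_MACHINE_ALPHA64 = 0x0284; // ALPHA64
    public const ushort IMAGE_FILE_MACHINE_MIPSFPU = 0x0366; // MIPS
    public const ushort IMAGE_FILE_MACHINE_MIPSFPU16 = 0x0466; // MIPS
    public const ushort IMAGE_FILE_MACHINE_AXP64 = IMAGE_FILE_MACHINE_ALPHA64;
    public const ushort IMAGE_FILE_MACHINE_TRICORE = 0x0520; // Infineon
    public const ushort IMAGE_FILE_MACHINE_CEF = 0x0CEF;
    public const ushort IMAGE_FILE_MACHINE_EBC = 0x0EBC; // EFI Byte Code
    public const ushort IMAGE_FILE_MACHINE_AMD64 = 0x8664; // AMD64 (K8)
    public const ushort IMAGE_FILE_MACHINE_M32R = 0x9041; // M32R little-endian
    public const ushort IMAGE_FILE_MACHINE_ARM64 = 0xAA64; // ARM64 Little-Endian
    public const ushort IMAGE_FILE_MACHINE_CEE = 0xC0EE;

    public const UInt32 S_OK = 0;

    [DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    public static extern UInt32 IsWow64GuestMachineSupported(ushort WowGuestMachine, out bool MachineIsSupported);

    [DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    public static extern bool IsWow64Process2(IntPtr hProcess, out ushort pProcessMachine, out ushort pNativeMachine);

    [DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    public static extern IntPtr GetCurrentProcess();

    public static string MachineTypeToStr(ushort MachineType)
    {
        switch (MachineType)
        {
            case IMAGE_FILE_MACHINE_UNKNOWN: return "IMAGE_FILE_MACHINE_UNKNOWN";
            case IMAGE_FILE_MACHINE_TARGET_HOST: return "IMAGE_FILE_MACHINE_TARGET_HOST";
            case IMAGE_FILE_MACHINE_I386: return "IMAGE_FILE_MACHINE_I386";
            case IMAGE_FILE_MACHINE_R3000: return "IMAGE_FILE_MACHINE_R3000";
            case IMAGE_FILE_MACHINE_R4000: return "IMAGE_FILE_MACHINE_R4000";
            case IMAGE_FILE_MACHINE_R10000: return "IMAGE_FILE_MACHINE_R10000";
            case IMAGE_FILE_MACHINE_WCEMIPSV2: return "IMAGE_FILE_MACHINE_WCEMIPSV2";
            case IMAGE_FILE_MACHINE_ALPHA: return "IMAGE_FILE_MACHINE_ALPHA";
            case IMAGE_FILE_MACHINE_SH3: return "IMAGE_FILE_MACHINE_SH3";
            case IMAGE_FILE_MACHINE_SH3DSP: return "IMAGE_FILE_MACHINE_SH3DSP";
            case IMAGE_FILE_MACHINE_SH3E: return "IMAGE_FILE_MACHINE_SH3E";
            case IMAGE_FILE_MACHINE_SH4: return "IMAGE_FILE_MACHINE_SH4";
            case IMAGE_FILE_MACHINE_SH5: return "IMAGE_FILE_MACHINE_SH5";
            case IMAGE_FILE_MACHINE_ARM: return "IMAGE_FILE_MACHINE_ARM";
            case IMAGE_FILE_MACHINE_THUMB: return "IMAGE_FILE_MACHINE_THUMB";
            case IMAGE_FILE_MACHINE_ARMNT: return "IMAGE_FILE_MACHINE_ARMNT";
            case IMAGE_FILE_MACHINE_AM33: return "IMAGE_FILE_MACHINE_AM33";
            case IMAGE_FILE_MACHINE_POWERPC: return "IMAGE_FILE_MACHINE_POWERPC";
            case IMAGE_FILE_MACHINE_POWERPCFP: return "IMAGE_FILE_MACHINE_POWERPCFP";
            case IMAGE_FILE_MACHINE_IA64: return "IMAGE_FILE_MACHINE_IA64";
            case IMAGE_FILE_MACHINE_MIPS16: return "IMAGE_FILE_MACHINE_MIPS16";
            case IMAGE_FILE_MACHINE_ALPHA64: return "IMAGE_FILE_MACHINE_ALPHA64";
            case IMAGE_FILE_MACHINE_MIPSFPU: return "IMAGE_FILE_MACHINE_MIPSFPU";
            case IMAGE_FILE_MACHINE_MIPSFPU16: return "IMAGE_FILE_MACHINE_MIPSFPU16";
            case IMAGE_FILE_MACHINE_TRICORE: return "IMAGE_FILE_MACHINE_TRICORE";
            case IMAGE_FILE_MACHINE_CEF: return "IMAGE_FILE_MACHINE_CEF";
            case IMAGE_FILE_MACHINE_EBC: return "IMAGE_FILE_MACHINE_EBC";
            case IMAGE_FILE_MACHINE_AMD64: return "IMAGE_FILE_MACHINE_AMD64";
            case IMAGE_FILE_MACHINE_M32R: return "IMAGE_FILE_MACHINE_M32R";
            case IMAGE_FILE_MACHINE_ARM64: return "IMAGE_FILE_MACHINE_ARM64";
            case IMAGE_FILE_MACHINE_CEE: return "IMAGE_FILE_MACHINE_CEE";
            default: return "Unknown Machine Type";
        }
    }
}
'@

    $ReturnTable = New-Object -TypeName PSObject

    try {
        # Compile only when no WinApi type is loaded yet. Add-Type refuses to
        # redefine an existing type name from different source text, so a second
        # definition elsewhere in the session would otherwise raise an error here.
        if (-not ('WinApi' -as [type])) {
            Add-Type -TypeDefinition $source -ErrorAction Stop
        }

        # The original also called IsWow64GuestMachineSupported and discarded the
        # result. That call is dropped: it contributed nothing to the output and
        # binds an extra kernel32 export that may be missing on older builds.
        [UInt16]$processMachine = 0
        [UInt16]$nativeMachine = 0
        $bResult = [WinApi]::IsWow64Process2([WinApi]::GetCurrentProcess(), [ref]$processMachine, [ref]$nativeMachine)

        if ($bResult) {
            # Property order matches the original: NativeMachine, then ProcessMachine.
            $machineCodes = @(
                @{ Name = 'NativeMachine';  Code = $nativeMachine },
                @{ Name = 'ProcessMachine'; Code = $processMachine }
            )
            foreach ($entry in $machineCodes) {
                # "IMAGE_FILE_MACHINE_AMD64" -> "AMD64"; a name without underscores
                # ("Unknown Machine Type") is kept whole.
                $label = [WinApi]::MachineTypeToStr($entry.Code).Split('_')[-1]
                $ReturnTable | Add-Member -MemberType NoteProperty -Name $entry.Name -Value $label -Force
            }
        }
        else {
            # Previously this path returned an empty object with no indication why.
            Write-Warning 'IsWow64Process2 reported failure; machine properties were not added.'
        }
    }
    catch {
        # Covers a failed compile (e.g. ConstrainedLanguage mode) and a missing
        # kernel32 export or library. The caller still receives the object.
        Write-Warning "Get-NativeMatchineImage could not query the machine type: $($_.Exception.Message)"
    }

    return $ReturnTable
}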