usr/Get-PeDebug.ps1
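function Get-PeDebug {
  <#
    .SYNOPSIS
        Lists the debug directory entries of a PE file as a table.
    .DESCRIPTION
        Calls Get-PeView with -Debugs and a callback that walks the debug
        directory as an array of 0x1C-byte IMAGE_DEBUG_DIRECTORY records.
        For each record it prints the timestamp, type, size, RVA and file
        pointer, plus a short decoding of the raw data for CODEVIEW (2),
        VC_FEATURE (12), POGO (13) and REPRO (16) entries.

        Every size and offset comes from the file being inspected and is
        therefore untrusted. The record count is clamped to what the file can
        hold, and raw data is read only when the declared range lies inside
        the file and is large enough for the fields being decoded.

        NOTE(review): $fs, $br, $Data and $IMAGE_OPTIONAL_HEADER are not
        defined in this file. They are presumably supplied by Get-PeView to
        the callback ($fs a seekable stream, $br a BinaryReader over it);
        confirm against Get-PeView.
    .PARAMETER Path
        Path of the PE file; passed unchanged to Get-PeView.
  #>
  [CmdletBinding()]param($Path)

  end {
    Get-PeView -Path $Path -Debugs -Callback {
      $fs.Position = Convert-RvaToRaw $Data.RVA $IMAGE_OPTIONAL_HEADER.SectionAlignment

      # 0x1C is the size of one IMAGE_DEBUG_DIRECTORY record (see field list below).
      # Round the declared count down and cap it by the bytes left in the file:
      # the original `1..(Size / 0x1C)` produced the range 1,0 for a size below one
      # record and trusted an arbitrarily large declared size.
      $dbgDeclared  = [Math]::Floor([double]$Data.Size / 0x1C)
      $dbgAvailable = [Math]::Floor([double]($fs.Length - $fs.Position) / 0x1C)
      $dbgCount     = [int][Math]::Max(0, [Math]::Min($dbgDeclared, $dbgAvailable))

      if ($dbgCount -ge 1) {
        Format-Table -InputObject (1..$dbgCount).ForEach{
          Get-Block IMAGE_DEBUG_DIRECTORY {
            UInt32 Characteristics
            UInt32 TimeDateStamp
            UInt16 MajorVersion
            UInt16 MinorVersion
            UInt32 Type
            UInt32 SizeOfData
            UInt32 AddressOfRawData
            UInt32 PointerToRawData
          }
          # Remember where the next record starts before jumping to the raw data.
          $cursor = $fs.Position
          $fs.Position = $IMAGE_DEBUG_DIRECTORY.PointerToRawData

          # Untrusted header fields: widen to Int64 so the sum cannot wrap, then
          # require the whole declared range to sit inside the file.
          $dbgSize   = [Int64]$IMAGE_DEBUG_DIRECTORY.SizeOfData
          $dbgInFile = ([Int64]$IMAGE_DEBUG_DIRECTORY.PointerToRawData + $dbgSize) -le $fs.Length
          $dbgBad    = 'n/a (raw data size or offset outside the file)'

          [PSCustomObject]@{
            Time    = $IMAGE_DEBUG_DIRECTORY.TimeDateStamp.ToString('X')
            Type    = $IMAGE_DEBUG_DIRECTORY.Type
            Size    = $IMAGE_DEBUG_DIRECTORY.SizeOfData.ToString('X')
            RVA     = $IMAGE_DEBUG_DIRECTORY.AddressOfRawData.ToString('X')
            Pointer = $IMAGE_DEBUG_DIRECTORY.PointerToRawData.ToString('X')
            Info    = switch ($IMAGE_DEBUG_DIRECTORY.Type) {
              2 { # IMAGE_DEBUG_TYPE_CODEVIEW
                # 4-byte signature plus one UInt32 is the minimum read below.
                if (-not $dbgInFile -or $dbgSize -lt 0x08) { $dbgBad }
                else {
                  $sig = [String]::new($br.ReadChars(0x04))
                  if ($sig -cne 'RSDS') {
                    "Format: $sig, Offset: $($br.ReadUInt32())"
                  }
                  elseif ($dbgSize -lt 0x18) {
                    # RSDS reads signature (4) + GUID (0x10) + UInt32 (4) = 0x18 bytes
                    # before the trailing string; a smaller size would make the
                    # string length negative.
                    $dbgBad
                  }
                  else {
                    "Format: $sig, {$([Guid]::new($br.ReadBytes(0x10)))}, $($br.ReadUInt32()), $(
                      [String]::new($br.ReadBytes($IMAGE_DEBUG_DIRECTORY.SizeOfData - 0x18))
                    )"
                  }
                }
              }
              12 { # IMAGE_DEBUG_TYPE_VC_FEATURE
                # Five UInt32 counters = 0x14 bytes.
                # NOTE(review): the third label was '/GC' in the original; it is
                # corrected to '/GS' (buffer security check) on the assumption that
                # it was a typo - confirm against the intended reference output.
                if (-not $dbgInFile -or $dbgSize -lt 0x14) { $dbgBad }
                else {
                  "Counts: Pre-VC++ 11.00=$($br.ReadUInt32()), C\C++=$($br.ReadUInt32()), /GS=$(
                    $br.ReadUInt32()), /sdl=$($br.ReadUInt32()), guardN=$($br.ReadUInt32())"
                }
              }
              13 { # IMAGE_DEBUG_TYPE_POGO
                # Four signature characters, printed in reverse order.
                if (-not $dbgInFile -or $dbgSize -lt 0x04) { $dbgBad }
                else {
                  [String]::new([Linq.Enumerable]::Reverse($br.ReadChars(0x04)))
                }
              }
              16 { # IMAGE_DEBUG_TYPE_REPRO
                # Skips the first 4 bytes and dumps the rest as hex; an entry with
                # SizeOfData below 4 would otherwise request a negative byte count.
                if (-not $dbgInFile -or $dbgSize -lt 0x04) { $dbgBad }
                else {
                  $fs.Position += 0x04
                  $br.ReadBytes($IMAGE_DEBUG_DIRECTORY.SizeOfData - 0x04).ForEach{$_.ToString('X2')} -join ' '
                }
              }
              default { '???' } # no raw data is read for other types
            } # debug directory description
          }
          # Return to the directory array and clear the record for the next Get-Block.
          $fs.Position = $cursor
          $IMAGE_DEBUG_DIRECTORY = @{}
        }
      }
    } # Debug
  }
}

Export-ModuleMember -Function Get-PeDebug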