Extact_string_from_dll_or_exe.ps1
# Extract a string from a .dll or .exe, given its string resource number
# Expands a Microsoft @-prefixed indirect string
# https://github.com/SamuelArnold/StarKill3r/blob/master/Star Killer/Star Killer/bin/Debug/Scripts/SANS-SEC505-master/scripts/Day1-PowerShell/Expand-IndirectString.ps1
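# Splatted parameter set for Add-Type. It compiles a small C# wrapper class,
# WinAPI.IndirectStrings, around the shlwapi.dll export SHLoadIndirectString.
$Signature = @{
    Namespace        = "WinAPI"
    Name             = "IndirectStrings"
    Language         = "CSharp"
    UsingNamespace   = "System.Text"
    # Single-quoted here-string: the C# source is passed to the compiler
    # verbatim, so PowerShell never expands a `$` or a backtick inside it.
    MemberDefinition = @'
// Size, in characters, of the output buffer handed to the API.
private const int BufferChars = 1024;

// The last parameter is reserved and must be NULL; it is declared as IntPtr
// because it is a pointer slot, not a string.
[DllImport("shlwapi.dll", CharSet = CharSet.Unicode)]
private static extern int SHLoadIndirectString(string pszSource, StringBuilder pszOutBuf, int cchOutBuf, IntPtr ppvReserved);

/// <summary>
/// Resolves an @-prefixed indirect string such as "@%SystemRoot%\system32\user32.dll,-702".
/// </summary>
/// <param name="indirectString">The indirect string to resolve.</param>
/// <returns>
/// The resolved text, or null when the input is null or empty, the API
/// returns a non-zero result, or the call throws.
/// </returns>
/// <remarks>
/// NOTE(review): the module path inside the indirect string is handed to the
/// API as given. When the value comes from data you do not control (for
/// example registry values collected during triage), check the path first;
/// a UNC path would presumably cause a network file access - confirm.
/// </remarks>
public static string GetIndirectString(string indirectString)
{
    // Nothing to resolve; do not hand a null or empty source to native code.
    if (string.IsNullOrEmpty(indirectString))
    {
        return null;
    }

    try
    {
        StringBuilder resolved = new StringBuilder(BufferChars);
        int result = SHLoadIndirectString(indirectString, resolved, resolved.Capacity, IntPtr.Zero);

        // Zero is treated as success; any other result is reported to the
        // caller only as null.
        return result == 0 ? resolved.ToString() : null;
    }
    catch
    {
        // Deliberate best effort: a failed lookup yields null instead of
        // terminating the calling script.
        return null;
    }
}
'@
}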
# Compile the wrapper only when the type is not already loaded in this session.
$wrapperType = "WinAPI.IndirectStrings" -as [type]
if ($null -eq $wrapperType)
{
    Add-Type @Signature
}

# Example lookup: string resource 702 of user32.dll. PowerShell passes the
# %SystemRoot% text through literally; the result is written to the pipeline.
$exampleIndirectString = "@%SystemRoot%\system32\user32.dll,-702"
[WinAPI.IndirectStrings]::GetIndirectString($exampleIndirectString)