tobiohlala / psmemory Goto Github PK

View Code? Open in Web Editor NEW

28.0 0.0 5.0 25 KB

Automation Capable Multi Search 64 Bit Windows Memory Scanner

Home Page: https://www.powershellgallery.com/packages/PSMemory

License: BSD 3-Clause "New" or "Revised" License

PowerShell 100.00%

powershell automation capable 64-bit windows memory scanner

psmemory's Introduction

PSMemory is a 64 bit windows memory scanner written in PowerShell hence fully automation capable.

Description

Cmdlets

`Search-Memory`

searches the virtual address space of a process for specific values returning references to the memory they reside in. Besides the value itself these references contain other related information such as the concrete memory address or the protection of the page the value was found in. A search can be specified by the -Values parameter in the form of a hashtable where the keys define data types and the corresponding values define the values of that data type to be searched for as a comma-separated list. Valid data types to be specified as keys for the search table are

Byte for 8 bit numerical values
Short for 16 bit numerical values
Int for 32 bit numerical values
Long for 64 bit numerical values
String for ASCII text of arbitrary length
Bytes for Unicode byte arrays of arbitrary length

Example: a search for two 32 bit numerical values 1234 and 5678 as well as the text Notepad within the memory of the process notepad saving the result in a variable notepad for further processing may look like

Get-Process notepad | Search-Memory -Values @{
    Int = 1234, 5678
    String = 'Notepad'
} -OutVariable notepad

`Compare-Memory`

compares those references' values as present in memory when the reference was created or last updated to the current in-memory value. With the -Changed and -Unchanged parameters each reference will be matched whose in-memory value has either changed in any way or stood the same. For numerical values exclusively there are additionally the -Increased and -Decreased parameters which track if the in-memory value did either become greater or lower. For everything else there is the -Filter parameter where a PowerShell ScriptBlock may be supplied with a custom comparison criteria.

Example: given the above search now keep only those references whose in-memory value is either exactly 42 or has increased and update the reference result variable

$notepad | Compare-Memory -Increased -Filter {$_.Value -eq 42} -OutVariable notepad

`Update-Memory`

updates the current in-memory value referenced by a reference. The new value to be written may be supplied by one of the data type parameters depending on what value of what size to write.

Example: after filtering the memory references above now update each remaining referenced in-memory value with a new 32 bit numerical value of 9876

$notepad | Update-Memory -Int 9876

`Format-Memory`

formats reference objects as returned by all the aforementioned Cmdlets into formatted and human readable output.

Example:

Get-Process notepad | Search-Memory -Values @{Int = 42} -OutVariable notepad | Format-Memory

$notepad | Compare-Memory -Increased -Filter {$_.Value -eq 42} | Format-Memory

Alternatively, you can use the alias fm.

Installation

Install from PowerShell Gallery

Install-Module -Name PSMemory

git clone https://github.com/tobiohlala/PSMemory

psmemory's People

Contributors

Stargazers

Forkers

nullbind jimshew m00zh33 nieuport askyeye

psmemory's Issues

Unable to find type [PSMemory.Native].

Name                           Value
----                           -----
PSVersion                      5.1.17763.503
PSEdition                      Desktop
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0...}
BuildVersion                   10.0.17763.503
CLRVersion                     4.0.30319.42000
WSManStackVersion              3.0
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1

This is my powershell environment.

Unable to find type [PSMemory.Native].
At C:\Program Files\WindowsPowerShell\Modules\PSMemory\1.0.0\PSMemory.psm1:215 char:27
+     if (($processHandle = [PSMemory.Native]::OpenProcess(
+                           ~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (PSMemory.Native:TypeName) [], RuntimeException
    + FullyQualifiedErrorId : TypeNotFound

New-Object : Cannot find type [PSMemory.Native+SYSTEM_INFO]: verify that the assembly containing this type is loaded.
At C:\Program Files\WindowsPowerShell\Modules\PSMemory\1.0.0\PSMemory.psm1:224 char:19
+     $systemInfo = New-Object PSMemory.Native+SYSTEM_INFO
+                   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidType: (:) [New-Object], PSArgumentException
    + FullyQualifiedErrorId : TypeNotFound,Microsoft.PowerShell.Commands.NewObjectCommand

Unable to find type [PSMemory.Native].
At C:\Program Files\WindowsPowerShell\Modules\PSMemory\1.0.0\PSMemory.psm1:225 char:5
+     [PSMemory.Native]::GetNativeSystemInfo([ref]$systemInfo)
+     ~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (PSMemory.Native:TypeName) [], RuntimeException
    + FullyQualifiedErrorId : TypeNotFound

New-Object : Cannot find type [PSMemory.Native+MEMORY_BASIC_INFORMATION64]: verify that the assembly containing this
type is loaded.
At C:\Program Files\WindowsPowerShell\Modules\PSMemory\1.0.0\PSMemory.psm1:229 char:19
+ ...   $memoryInfo = New-Object PSMemory.Native+MEMORY_BASIC_INFORMATION64
+                     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidType: (:) [New-Object], PSArgumentException
    + FullyQualifiedErrorId : TypeNotFound,Microsoft.PowerShell.Commands.NewObjectCommand

Exception calling "SizeOf" with "1" argument(s): "Value cannot be null.
Parameter name: structure"
At C:\Program Files\WindowsPowerShell\Modules\PSMemory\1.0.0\PSMemory.psm1:230 char:5
+     $memoryInfoSize = [Runtime.InteropServices.Marshal]::SizeOf($memo ...
+     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : ArgumentNullException

Unable to find type [PSMemory.Native].
At C:\Program Files\WindowsPowerShell\Modules\PSMemory\1.0.0\PSMemory.psm1:330 char:12
+     [void] [PSMemory.Native]::CloseHandle($processHandle)
+            ~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (PSMemory.Native:TypeName) [], RuntimeException
    + FullyQualifiedErrorId : TypeNotFound

I've got this error message when I trying a script below:

Get-Process notepad | Search-Memory -Values @{
    Int = 1234, 5678
    String = 'Notepad'
} -OutVariable notepad

Of course, I executed notepad.exe at the time.

what's the problem??

I installed this with Install-Module -Name PSMemory and A(All to yes)

Issue with Bytes search

Hello, Thank you for your work on this project, it is very interesting. I am using it to do a research project where I am using PowerShell to read process memory. Would it be possible for you to provide an example command using the Bytes parameter? I have tried a few and can't seem to get it to search for Unicode bytes. Thanks!

tobiohlala / psmemory Goto Github PK

psmemory's Introduction

Description

Cmdlets

`Search-Memory`

`Compare-Memory`

`Update-Memory`

`Format-Memory`

Installation

psmemory's People

Contributors

Stargazers

Forkers

psmemory's Issues

Unable to find type [PSMemory.Native].

Issue with Bytes search

Recommend Projects

React

Vue.js

Typescript

TensorFlow

Django

Laravel

D3

Recommend Topics

javascript

web

server

Machine learning

Visualization

Game

Recommend Org

Facebook

Microsoft

Google

Alibaba

D3

Tencent