jaredcatkinson / psreflect-functions Goto Github PK

I've been reading through the PSReflect code, and I want to take a shot at creating my own interpretation of it. It may or may not have any value to others.

But I'm wondering if I should work in parallel in forks of both PSReflect and PSReflect-Functions, just to keep things in sync. (In case my project bears any fruit)

Actually, I just noticed that in @mattifestation's copy, it has the update that I found necessary to get it to run under PowerShell 7. (Because they moved the .DefineDynamicAssembly() method)
https://github.com/mattifestation/PSReflect/blob/e8a4e831d1c58b2dd38662153909f9a8b135badc/PSReflect.psm1#L51

And I think that .DefineDynamicModule( [string], [bool] ) is going away in .NET 5. .DefineDynamicModule( [string] ) will be it; there will be no other overloads as far as I can tell.

My use case is to do P/Invoke stuff involving user32.dll , which is outside the scope of what is going on here. Of course, what I'm doing could just as easily be done with C# code in a string, passed to Add-Type. But that's not as much fun.

One last question: How important is PowerShell version 2 compatibility for code like this, moving forward?

PSReflect-Functions/Enumerations/Untitled7.ps1
Untitled7.ps1 is Get-StructureOffset

See title - I'm working with our AV folks, but these sorts of things tend to have a cascading effect on AV groupthink (e.g. rep heuristics, partner ID of PUPs), might want to start a convo w CS

I get the following when trying to install:

Install-Package: C:\program files\powershell\7\Modules\PowerShellGet\PSModule.psm1:9711
Line |
9711 |  … talledPackages = PackageManagement\Install-Package @PSBoundParameters
     |                     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     | Package 'PSReflect-Functions' failed to be installed because: Operation did not complete successfully
     | because the file contains a virus or potentially unwanted software. :
     | 'C:\Users\Scott\AppData\Local\Temp\e5unvpcv\PSReflect.ps1'

Windows Defender also flags "HackTool:PowerShell/PowerView" on the same file.

https://github.com/jaredcatkinson/PSReflect-Functions/blob/master/FunctionDefinitions.ps1#L475

This bug fix must have been accidentally reverted.

Missing call to FreeHGlobal to free memory

    $Data.cbStruct = $WINTRUST_DATA::GetSize()
!    $Data.pData = [System.Runtime.InteropServices.Marshal]::AllocHGlobal($Size)
    $Data.dwUIChoice = $WTD_UI::None
    [System.Runtime.InteropServices.Marshal]::StructureToPtr($Info, $Data.pData, $false)

    $SUCCESS = $wintrust::WinVerifyTrust($WindowHandle, [ref]$ActionID, [ref]$Data)

    if($SUCCESS -eq 0)
    {
        Write-Output $true
    }
    else
    {
        if(($SUCCESS -eq 0x80096010) -or ($SUCCESS -eq 0x800b0100))
        {
            Write-Output $false
        }
        else
        {
! no call to FreeHGlobal in exception path
            throw ([ComponentModel.Win32Exception]$SUCCESS).Message
        }
    }
! no call to FreeHGlobal    

Similar issue here with missing FreeHGlobal for AllocHGlobal call:

Ditto:

Similar issue in the paths that throw exceptions in GetIpNetTable.ps1:

        elseif($SUCCESS -eq $ERROR_NO_DATA)
        {
            Write-Output $null
        }
        else
        {
            throw "[GetIpNetTable] Error: $($SUCCESS)"
! leak due to failure to call FreeHGlobal($pIpNetTable)
        }
    }
    else
    {
        throw "[GetIpNetTable] Error: $($SUCCESS)"
! leak due to failure to call FreeHGlobal($pIpNetTable)
    }

    [System.Runtime.InteropServices.Marshal]::FreeHGlobal($pIpNetTable)
}

Might want to do a pass through the repo for these.