From fcdd3ad6428b4f1ecfd7f63be629af8cbe3204af Mon Sep 17 00:00:00 2001 From: Matt Graeber Date: Sat, 17 Aug 2013 17:55:31 -0400 Subject: [PATCH] Explicitly casting types as [Type] The latest version of .NET added generics to many of the InteropService methods. Therefore, all of my uses of types need to be explicitly cast with [Type]. --- ReverseEngineering/Get-NtSystemInformation.ps1 | 6 +++--- ReverseEngineering/Get-StructFromMemory.ps1 | 6 +++--- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/ReverseEngineering/Get-NtSystemInformation.ps1 b/ReverseEngineering/Get-NtSystemInformation.ps1 index b571ac07..bb0871a8 100644 --- a/ReverseEngineering/Get-NtSystemInformation.ps1 +++ b/ReverseEngineering/Get-NtSystemInformation.ps1 @@ -633,7 +633,7 @@ foreach ($i in 0..($Count-1)) { - [Runtime.InteropServices.Marshal]::PtrToStructure($StructAddress, $StructType) + [Runtime.InteropServices.Marshal]::PtrToStructure($StructAddress, [Type] $StructType) $StructAddress = ([IntPtr]($StructAddress.ToInt64() + $StructSize)) } @@ -958,7 +958,7 @@ # Base address of the _SYSTEM_OBJECTTYPE_INFORMATION struct $ObjectTypeAbsoluteAddress = [IntPtr]($PtrData.ToInt64() + $NextTypeOffset) - $Result = [Runtime.InteropServices.Marshal]::PtrToStructure($ObjectTypeAbsoluteAddress, $ObjectTypeClass) + $Result = [Runtime.InteropServices.Marshal]::PtrToStructure($ObjectTypeAbsoluteAddress, [Type] $ObjectTypeClass) if ($Result.NumberOfObjects -gt 0) { @@ -970,7 +970,7 @@ do { - $ObjectResult = [Runtime.InteropServices.Marshal]::PtrToStructure(( [IntPtr]($ObjectBaseAddr.ToInt64() + $NextObjectOffset) ), $ObjectClass) + $ObjectResult = [Runtime.InteropServices.Marshal]::PtrToStructure(( [IntPtr]($ObjectBaseAddr.ToInt64() + $NextObjectOffset) ), [Type] $ObjectClass) $ResultHashTable2 = @{ Object = $ObjectResult.Object diff --git a/ReverseEngineering/Get-StructFromMemory.ps1 b/ReverseEngineering/Get-StructFromMemory.ps1 index ccf6d5be..c32c1901 100644 --- a/ReverseEngineering/Get-StructFromMemory.ps1 +++ b/ReverseEngineering/Get-StructFromMemory.ps1 @@ -131,7 +131,7 @@ http://www.exploit-monday.com $MemoryBasicInformation = [Activator]::CreateInstance($MEMORY_BASIC_INFORMATION) # Confirm you can actually read the address you're interested in - $NativeUtils::VirtualQueryEx($Handle, $MemoryAddress, [Ref] $MemoryBasicInformation, [Runtime.InteropServices.Marshal]::SizeOf($MEMORY_BASIC_INFORMATION)) | Out-Null + $NativeUtils::VirtualQueryEx($Handle, $MemoryAddress, [Ref] $MemoryBasicInformation, [Runtime.InteropServices.Marshal]::SizeOf([Type] $MEMORY_BASIC_INFORMATION)) | Out-Null $PAGE_EXECUTE_READ = 0x20 $PAGE_EXECUTE_READWRITE = 0x40 @@ -154,7 +154,7 @@ http://www.exploit-monday.com throw 'The address specified does not have read access.' } - $StructSize = [Runtime.InteropServices.Marshal]::SizeOf($StructType) + $StructSize = [Runtime.InteropServices.Marshal]::SizeOf([Type] $StructType) $EndOfAllocation = $AllocationBase + $RegionSize $EndOfStruct = $MemoryAddress.ToInt64() + $StructSize @@ -194,7 +194,7 @@ http://www.exploit-monday.com Write-Verbose "Struct Size: $StructSize" Write-Verbose "Bytes read: $BytesRead" - $ParsedStruct = [Runtime.InteropServices.Marshal]::PtrToStructure($LocalStructPtr, $StructType) + $ParsedStruct = [Runtime.InteropServices.Marshal]::PtrToStructure($LocalStructPtr, [Type] $StructType) [Runtime.InteropServices.Marshal]::FreeHGlobal($LocalStructPtr) $SafeHandle.Close()