...61/4„1.111ailtay vvkt� 110 12, FCLI 116 n/ �itSC� te-c-le(e'"ii- Pct.treYvt �"Ma C( tZet..� Cpzed..tiew' '
RoLe c S fl ker-iP(c,4 q \'Cakeo.t0vc. ---fc 14K1442,)7
ikevv.-Ove — plaftot9e,tebrt d o(e 4:,16
cu.� atik-a-C3 -evNke w+� (e Na� e� SccD 2ectpi‘-e-,4 Q--
rr - Ma rict_cj &vie 01 Role� ‘Asc_so f¢cc.ric,,4 2� —Ae C Ors ct,41„) k 1010%�
.Ao,) - FYI vate-e'l-AGa 14I-e Ctle'y� C a ,� :� e -L (Led Use( Rc �Erd-rj "A-Sc SD lott,f f\u(A) � , t r Ma A 61162- Nke '14 g-,t) (e,� VAC� '3-C (CC.1)eSk 12cuirtAf ( �4ec_cpt �ta.i t a 7204-Crif CC. 2 f 4 _ (AA � �t �4\1� La - irtG, one -the "re.,KoJe� 1
itAcK-cie �R(€ �f �- ---\ 1 �',0(60,11AD f b,1 4,4-0 . c �/ /g (a Yee 5 ,5,24.) j -l Aita A cud -i-A-eirt-Ce-t) 1 _ (cc.- (4- �" kisfi� (ti� '`)� r
-or
2c r,96] NeW - t".419 cael. use., (1-,t -- � i 0 5 (As ,- �- p-e, 1.1 ct. ,c- �)� Me lx-r-T �4-gegli-- 4c-- - rt er,-.4 b `i. r iiesSc..1., .. _. �.-- ,,:ie ;TO 4, ro �caileci ____-_e_SJeft_ — c-)c..6-Th Co?.
Zec--r e .4 Ci.ect..+1. or\
if ------� .2.0(e Alaiveye men4
- 0c1 Sc e (x.2.01 f„ c Le. id Jatho moje.A 6-31 go le
klicifba - �A� -� y� r; fr.) 064, vr c-A-S, N-a.ci re LS At 6r-o„Ito D,t to,/b Pare 4:t /1/iy � cNA.� c,(-119 "-vIjc. Icj tAca 09...sac:y (i2vCE.0 1,646A-b �‘9v1- --,� LiforVtild - s h„
60-iftr--t L-i0 111111'r
.e,A/ .4/ la in cky,e e �rytice.g 4.1 -g° (e 4 ° 6/6), - P8 t;c-� 04-...ei� 41-si5 ,
Cref- ma et Age '1,0,1 Ro(e -470 Rk- c-,-,01(efs �C' re
Vic e
t
C-e� - 4i P of
Ce-t g horttlotiCi
V v LtirU� t
E, 2o (� C c4 ( e +s
CU I
-fed
:+)t �4 (, .‘ vm-FJ-t- 71-z) 44ve� 4(A- (; --At 61, Cr' � i/a7 fCC evk Ai I-)(LT)
r 4'..t 144- JC ' ef el/r C /Ed
6e # ck �Lie C p f/ct,71a.f
(olcs k---( 6 r• 6L-61 2 a (6. .Cers e x Ke naiS -e kfrte-(4)( f
g4 Ct-
� we Pb' 0 / o2 (A5 S Icik/ Iet'
IVA
Are t� C/S-Prf
©I 6.7 .--ev-r.4,-&-74 =,C es- /1,7 61)C
Gravig� sse,� � 0 Oddls technology I process I people
f � ay 12 1.?<01/14 1� ct a 61 - 3; ""3
S tc 125 A 4-c Ickvnivt'ts 4-ftL4--c.:/)
ctrl /4( -C
c� ca_,,
� G-e-- titea (2e
ve l to-tVoJ
et- - Comw10,0d I se if vt -vv, t u-izt -� eJ? ck c� 9th"_ Gd - ker C,elt--E,JR,A.4 Lc.� Ce(- P4AA1 - S� v e, e.
e,� (i get--cytit
acre j— ry
CE" c� ott,,sue
te. 5 izz
VO, 0,\ IL Smjcitc �-0,J4).1- 0(0:i �t. okvokeke
1),./ �(Nio- RAC� NG.SO
-19,113A-� /i -a/C(0G� J ^A
(
• A (4,9
- r � 0
—c0-1-0-v4 I� —0\op=c1 'J_ 'j- �-wtoack pah.1-1,iv
Cit-e,(A,L� a
- cSV� vrsk,� (Itt� c,,, CkC
\
/4r-efa
� � / 1 Cc 1442 �box 130
j� c o • r r c(e..(64.00, c,A.� ( &tonal� r-t)� , etc
(1� tiafvf.Z. (c)� 6.,F6LOt ce� "A& t 1-(04t,� vc
e,1, 0444- ILA< C 0 s" D J c. 0 -tet-1 Cj ev ci1 41S_,
� �� ,,.„1 $ ( Atli-5� e ve ytt ,c r Lt V tiCksc, + • ttS C Ct. vi /of,./1&13 r C C Oci � p
vr q V / �12
Se 14 t2� e f-tle PowerShell Byte Array And Hex Functions� Page 1 of 13
Find Training Live Training Online Training Pi
Wndows Security B og
PowerShell Byte Array And Hex Functions 11 f2e0
Posted by Jason Fossen Filed under PowerShell
Pc,,,verholl can manipulate and convert binary byte arrays, which is important for malware analysis, nteracting with TCP ports, Fyn sing binary log data, and a myriad other tasks. This article is a collection of PowerShell functions and notes for manipulating byte data, All the code here is in the public domain. If you find an error or have a suggested addition, please j a comment! The intention is to create a one-stop shop for PowerShell functions related to byte arrays and binary file handli It's best to assume that the functions here all require PowerShell 2.0 or later. Background: Byte Array Issues
Handling byte arrays can be a challenge for many reasons:
. Bytes can be arranged in big-endian or little-endian format, and the endianness may need to be switched by one's code on the fly, e.g., Intel x86 processors use little-endian format internally, but TCP/IP is big-endian.
. A raw byte can be represented in one's code as a ,NET object of type Systern.Byte, as a hexadecimal string, in some other format, and this format may need to be changed as the bytes are saved to a file, passed in as argument to a function, or sent to a TCP port over the network.
. Hex strings can be delimited in different ways in text files ("OxA5,0xB6" vs, "\xA51xB6" vs. "A5-B6") or not delimited at all ("A5B6").
. Some cmdlets inject unwanted newlines into byte streams when piping,
. The redirection operators (> and >>) mangle byte streams as they attempt on-the-fly Unicode conversion.
. Bytes which represent text strings can encode those strings using ASCII, Unicode, UTF, UCS, etc.
Newline delim ters in text files can be one or more different bytes depending on the application and operatinc system which created the file.
. Some .NET classes have unexpected working directories when their methods are invoked, so paths must be resolved explicitly first.
• Stdln and StdOut in PowerShell on Windows are not the same as in other languages on other platforms, whi can lead to undesired surprises.
. Manipulating very large arrays can lead to performance problems if the arrays are mishandled, e.g., not usin, [Ref] where appropriate, constantly recopying to new arrays under the hood, recasting to different types unnecessarily, using the wrong .NET class or cmdlet, etc.
http ://www. sans. org/windows-security/20l0/02/ll/powershell-byte-array-hex-convert �13/12/2011 PowerShell Byte Array And Hex Functions� Page 2 of 13
~-»~~~~''''^~x =~
All \h riables in PowerShell are .NET objects, including 8-bit unsigned integer bytes. A byte object is an object of type Ayfe in the .NET class library, hence, it has properties and methods accessible to PowerShell (you can pipe them i ember). To create a single Byte object or an array of Bytes:
If you don't cast as a [Byte] or [Byte[]] array, then you'll accidentally get integers. When in doubt, check the type with get- member.
If you want your array to span multiple lines and include comments, that's OK with PowerShell, and remember that you car mply paste the code into your shell, you don't always have to save it to a script file first, hence, you can simply copy the following code and paste it into your shell. it'll work as-is:
Bitwise Operators (AND, OR, XOR)
PowerShell includes support for some bit-level operators that can work with Byte objects: binary AND (-band), binary OR (- bor) and binary XOR (-bxor). See the about_Comparison_Operators help file for details, and also see the format operator ( for handling hex and other formats. PowerShell 2.0 and later supports bitwise operators on 64-bit integers too.
BtShftn( g
There are no built-in operators for bit shifting yet, but you can get functions for that here at Joel Bennett's site.
Get/Set/Add-Content Cmdlets
The following PowerShell omdlets will take an "-encoding byte" argument, which you will want to use whenever manipulatir raw bytes with cmdlets in order to avoid unwanted on-the-fly Unicode conversions:
• Get-Content
• Set-Content
• Add-Content
The Out-File cmdlet has an -Encoding parameter too, but it will not take "byte" as an argument. The redirection operators ( and "»") actually use Out-File under the hood, which is why you should not use redirection operators (or Out-File) when handling raw bytes. The problem is that PowerShell often tries to be helpful by chomping and converting piped string data i lines of Unicode, but this is not helpful when you wish to handle a raw array of bytes as is.
To read the bytes of a file into an array:
[byte[1]� - get-content encoding byte -path. \,file.eNe
To read only the first 1000 bytes of a file into an array:
http://www.sans.org/windows-security/2010/02/11/powershell-byte-array-hex-conyert 13/12/2011 PowerShell Byte Array And Hex Functions� Page 3 of 13
� [byte I 1, -encoding- byte -pa �\file.� :� icount 1000
However, the performance of get-content is horrible with large files. Unless you are reading less than 200KB, don't use get content, use the get-filebyte function below.
The same is not true, though, for set-content and add-content, their performance is probably adequate for even 5MB of dal but the write-filebyte function below is still much faster when working with more than 5MB.
Remember that you can't pipe just anything into set-content or add-content when using byte encoding, you must pipe objet of type System Byte specifically. You will often need to convert your input data into a Systern.Bytell array first (and there at functions below for this).
To overwrite or create a file with raw bytes, avoiding any hidden string conversion, where $x is a Byteg array:
-value $x -encoding byte -path .\butfile.exe
To append to or create a file with raw bytes, avoiding any hidden string conversion, where $x is a Byte!] array: a(.� $x. -encoding byte -bdLb .\outfile.exe
Reading The Bytes Of A File Into A Byte Array
To quickly read the bytes of a file into a Byteil array, even if the file is megabytes in size:
Le[j of the file contents.
•F or as System. TO.� ject . is a
.1.41-i+4###4101#4
$True, ValueFroffEdpelineByPropertyName� STrue)] 1.1e1:aidi")]
$Path.'; )
Writing Byte Array To File
To write a Bytell array in memory to a new file or to overwrite an existing file (use the Add-Content cmdlet if you simply wai to append):
a. fila� an array� raw bytes.
http://www. sans. org/windows-security/2010/02/11/powershell-byte-array-hex-convert �13/12/2011 PowerShell Byte Array And Hex Functions� Page 4 of 13
] array of bytes to put into the file. If you in, you. limst pipe the [Ref] to the array.
•a string or as System.IO.Fileinfo objr,ct. ...e1 relative, absolute, or a simpJe file present working dirP.ctory,
is -path outfile.bin
.bin *-4-#1i-ifff:#1f
= $True)] F,System.Byte[I]
T.O.FileInfo]) iThNaIi.,.. fiI e name.
•)f script "^\.",Spw,..,.'ath
",$:� .... -item $1� 1
Convert Hex String To Byte Array
You will often need to work with bytes represented in different formats and to convert between these formats. And sometirr you'll have source code written in other programming languages that contain the equivalent of Bytell arrays which you wan extract and convert into something more PowerShell-malleable, which is not hard if you paste that code into a here-string ii your shell and then convert that string into a ByteU array.
To extract hex data out of a string and convert that data into a Byteg array while ignoring whitespaces, formatting or other -hex characters in the string:
4, of he •� 'ilto a cyst� •r] array. An returned, even if it contains only one byte.
4� data in� a variety of format, rir without extra. # ta� )1.:. other i:• .� characters: Ox41,0x.,i)x.43,0x44 # 4ii41\...42\x13\.-x44
http://vvww. sans. org/windows-security/2010/02/11/powershell-byte-array-hex-convert �13/12/2011 �
PowerShell Byte Array And Hex Functions� Page 5 of 13
Param (� STrue, ValueFromPipeline� $True)] [String:
:mi. any other•'on-hex crud.
#Try� ....nto canro. colon -delindted format. $String� '17
' ending colons and othtr
-ing •..ce
(
ring� or without colon. delimiters.
0) -and� tring.index0f(":") -eq -11) I fon.. '-pbject ( if (,'S:1) ([System.Convert- ::ToByte($
- Ajt� I for• -ftl-o'ject� ,..Convert]::
is� force the output intp chere� one� in the output (or none).
Convert Byte Array To Hex
To convert a Bytefl array into a string containing hex characters in a variety of formats:
ring ''.!i!ft41-444444# 4 ##111g ,
System.Byter] arruy . can be changed.
1...,PL into the fie. If vou •.1- e [Ref] to the array. instead of Byte[1.
rs per line of output.
http://www.sans.org/windows-security/2010/02/11/powershell-byte-array-hex-convert 13/12/2011 �
PowerShell Byte Array And Hex Functions� Page 6 of 13
� of he te of input.) will De 0aUr in ti.• output. Tie default ••,OKE1'9" but you coui # yo� "\x411,N.EF\uB9" ina..ead. You do 4 no!� un extu.a �semicolon colon 4� , each flue� ,uatput. The default
#.Pai 4 An� ru....j you, ca, �o. each 1....� gt" hex ou� like ' $z� gas -Le int. single quotes.
•ch line in. double-quotes,
#� j• .Xi.
OX
- Ox41,0x4:,• -ByteArrayToTiex6Lf'
True)] iSystem-BYEejUlY 10,
} ,ge 1\1\1\:\t1","" $From - 0 $T0 = SWidth - I
• � Stfing(SBteArlay[$From...$T01) :ng -replace "\-",$Delimiter) + la 1-
http://www.sans.org/windows-security/2010/02/11/powershell-byte-array-hex-convert 13/12/2011 PowerShell Byte Array And Hex Functions� Page 7 of 13
Convert Byte Array To String (ASCII, Unicode or UTF)
To cony,:l a F:) ..C.?[,/ ;.3 ay which encodes ASCII, Unicode or UTF characters into a regular string:
array. (inicooe, ITITS and
It lat-.• he file. If you � # Pi a the array. � # Al of Byte)].
Unic(Xe, UTF7, UTF8 or UTF32.
14-41-44###4.#############4#####44###
STrue)] [Syst, p.� ?[]]
as
"Syst. Text.ASCI-(7n(
t.UTE77; f "So Pm....(c. Mcs:odin.g"
tVS5TS, Text,
Display A File's Hex Dump
There are many hex dumpers, but PowerShell dumpers can be copied into one's profile script, accept piped file objects, an support parameters like -Width. -Count, -NoOffset and -NoText to hopefully make it more flexible. You can get this as a sta alone script (Get-FileHex,psi) from the SEC505 zip file if you wish, along with lots of other scripts.
, ttiffir -####4#41,f,4144#44444#44)4444*4)#444######4##
4 Path ..).Filein±o object; 45 string cannot.
05 L,,Lpwn. per line (deraulz - 16).
http://vvww. sans. org/windows-security/2010/02/11/powershell-byte-array-hex-convert �13/12/2011 �
PowerShell Byte Array And Hex Functions� Page 8 of 13
• in the fiiP to process� efult
offeet line� in output.
'n� 1.art 40
•$True)]
file UC . a letter or dig-it.
eadcoent. Swidth. -totalcount $count
'•� -� ell •bjects that. is $width items in length.
("10:Xl", Thyte) # Convert byt..e to hex, e.g., "L". (2,"0")� " " �Pad with zero to force 2-
file unlikely to be evenly d.� fix laet line. is '$width ' 3' because Cl th� .... �. :0Uld hex • -It $w� • t($widt.h. * 3," ")
xt.
too. Pa.0 •7.h. 1.11V� epresent.i� $wicith
http://www. sans. org/windows-security/2010/02/11/powershell-byte-array-hex-convert �13/12/2011 �
PowerShell Byte Array And Hex Functions� Page 9 of 13
T:ff'?zt. Spaddedhex" 1 � ci 4-� itext
Toggle Big/Little Endian (With Sub-Widths)
Different platforms, languages, protocols and file formats may represent data in big-endian, little-endian, middle-endian or some other format (this is also called the "NtJXI problem" or the "byte order problem"). If the relevant unit of data within an array is the single byte, then reversing the order of the array is sufficient to toggle endianness, but if the unit to be swapper two or more bytes (within a larger array) then a simple reversing might not be desired because then the ordering is change within that unit too. Ideally, a single function could be called multiple times, if necessary, with different unit lengths on a
chopped up array of bytes to achieve the right endianness both within and across units in the original array. However, USUE you'll probably have just an array of bytes (1 unit = 1 byte) that simply needs to be reversed to toggle the endianness.
array w- f more thar # or� .1 that unit. is NOT sv,• �a.n bo� little- and bj.„.!"-endian Les or bits within a singl:•: yte,
be r.:rra-T.- . If you ! ipe Ih t"te axray, but (onally ,•::aed) . , • 4 F. � Defines th-n: of bytes in each. u t
nic TA0 swapping. , that 1.1.• the ByteAiray djvisible by St.
7� $True, ValueFromPipeline� ii sell [System_Byte[]] $By Ht.] $SubWidthinEytes� I
;13ytelArray.cGunt eq I -oL� :_ ..fray.count -eq 0) f SByteArray ; return
..hInByts -eq� f [ Syterh.A.rray] : :Reverse(SByteArray) ; $ByteATray ; cc ci
http://www.sans.org/windows-security/2010/02/11/powershell-byte-array-hex-convert 13/12/2011 PowerShell Byte Array And Hex Functions� Page 10 of 13
...nBytes -no 0) an.. even multiple of SubWidthinBytes!" ; return
,J:ay� new-oblect System-Byte[] $ByteArray.count
# Si track:,;.•ButPAry. $j tracks NewArray from_ end. - 1) $..i„
S(Si $SubWidthInBvtes))
; Sk $kj� Syterray[$i + Ski
Inject Byte Array Into Listening TCP or UDP Port
As long as we're on the subject of manipulating bytes, sending bytes to a listening TCP or UDP port is easy (but processini responses requires more effort -- Lee Holmes has a nice script for it). Since it seems every miscellaneous language has bE used to demonstrate how to run a particular DoS attack against SMBv2 on some Windows versions, here it is in PowerShe too for the bandwagon (there's nothing new here, the attack is well-known, it's just a demo for the function):
tunctic,n V..
[String. ] 7stem.Not.Soce� 'an ss':$port." ; • ,,.t.urn
. • �Td)
1 secon,'� PCP
0 fields as shown •in Wlresbark)
(normal. value should ,0W0,0x00,0x00, 0 Signattire
http://www.sans.org/windows-security/2010/02/1 1 /powershell-byte-array-hex-convert �13/12/2011 � PowerShell Byte Array And Hex Functions Page 11 of 13
•.:.3t: Word Count (WC'
,04f,0x52,0x4b,Ox20,0x50,0x52,0N4f,Ox47, #� Dialects: T.
,r4x4c� ?„.02e,0x3ii, ,;2eOH31,� 'T,. 0/.02,0x53,0x4d,C.- � -K30,Dx32,0x00 #
•'load ipaddress "127.0.0.1" -port 445
And here's a function for pushing a Bytefl array to a UDP port.
u!:.'WP1 1 441 3 4: 4#
IP adc'
("or the UDP payload,
Df the destinatinn hnst.
at destination. host.
1, OH42,� -44, Ox45 •••-• . p "wwv.si.';Is.org" -port 1531
System.Net.Socket. •
lendth1 I out-nuli
Misc Notes
The "OxFF,OxFE" bytes at the beginning of a Unicode text file are byte order marks to indicate the use of little-endian UTF-
http://www.sans.org/windows-security/2010/02/11/powershell-byte-array-hex-convert 13/12/2011 PowerShell Byte Array And Hex Functions� Page 12 of 13
"Ox0D" and "Ox0A" are the ASCII carriage-return and linefeed ASCII bytes, respectively, which together represent a Winda style newline delimiter. This Windows-style newline delimiter in Unicode is "Ox00,0x0D,Ox00,0x0A". But in Unix-like system the ASCII newline is just "Ox0A", and older Macs use "Ox0D", so you will see these formats too; but be aware that many cmdlets will do on-the-fly conversion to Windows-style newlines (and possibly Unicode conversion too) when saving back t disk. When hashing text files, be aware of how the newlines and encoding (ASCII vs. Unicode) may have changed, since ". same" text will hash to different thumbprints if the newlines or encoding have unexpectedly changed. What Else?
I'm sure there are other byte array functions missing here, so what else should be added? And if you find a bug, please let knnw!
SHA RE Iri� Permalink I Comments RSS Feed - Post a comment I Trackback URL