Some notes on FileVersionInfo, and on finding the modules (loaded DLLs) of a process, in PowerShell:
# Dump every property of every module loaded in the current PowerShell process
(Get-Process -Id $PID).Modules | Format-List * | more
Size : 152
Company : Microsoft Corporation
FileVersion : 6.1.6949.0 (fbl_srv_powershell_ctp(srvbld).081105-1651)
ProductVersion : 6.1.6949.0
Description : Windows PowerShell
Product : Microsoft® Windows® Operating System
ModuleName : PowerShell.exe
FileName : C:\WINDOWS\system32\WindowsPowerShell\v1.0\PowerShell.exe
BaseAddress : 579928064
ModuleMemorySize : 155648
EntryPointAddress : 579954429
FileVersionInfo : File: C:\WINDOWS\system32\WindowsPowerShell\v1.0\PowerShell.exe
InternalName: POWERSHELL
OriginalFilename: PowerShell.EXE
FileVersion: 6.1.6949.0 (fbl_srv_powershell_ctp(srvbld).081105-1651)
FileDescription: Windows PowerShell
Product: Microsoft® Windows® Operating System
ProductVersion: 6.1.6949.0
Debug: False
Patched: False
PreRelease: False
PrivateBuild: True
SpecialBuild: False
Language: English (United States)
....
A workable tlist substitute:
# Process objects have no Size property (only ProcessModule does), so just emit the
# process name followed by its module table; the default formatter produces the listing below.
$a = foreach ($p in Get-Process) { $p.Name; $p.Modules }
$a | more
alg
Size(K) ModuleName FileName
------- ---------- --------
52 alg.exe C:\WINDOWS\System32\alg.exe
700 ntdll.dll C:\WINDOWS\system32\ntdll.dll
984 kernel32.dll C:\WINDOWS\system32\kernel32.dll
352 msvcrt.dll C:\WINDOWS\system32\msvcrt.dll
68 ATL.DLL C:\WINDOWS\System32\ATL.DLL
580 USER32.dll C:\WINDOWS\system32\USER32.dll
292 GDI32.dll C:\WINDOWS\system32\GDI32.dll
620 ADVAPI32.dll C:\WINDOWS\system32\ADVAPI32.dll
584 RPCRT4.dll C:\WINDOWS\system32\RPCRT4.dll
68 Secur32.dll C:\WINDOWS\system32\Secur32.dll
1268 ole32.dll C:\WINDOWS\system32\ole32.dll
556 OLEAUT32.dll C:\WINDOWS\system32\OLEAUT32.dll
36 WSOCK32.dll C:\WINDOWS\System32\WSOCK32.dll
.....
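The following is an added example, not code from the original post. It takes the two ideas above (the FileVersionInfo dump and the tlist substitute) and turns them into a loaded-module triage pass: it walks every process, reads the same ProcessModule and FileVersionInfo fields shown in the notes, and flags modules loaded from outside %SystemRoot%, modules whose Authenticode signature is not Valid, and modules whose OriginalFilename in the version resource disagrees with the module name. Those three checks are heuristics chosen for this example, not something the original notes describe, and the script assumes an elevated 64-bit PowerShell session.

```powershell
# Added example (not from the original post): triage the DLLs loaded into every
# process. A module sitting outside the Windows directory, carrying a bad or missing
# signature, or whose version resource names a different file is the usual first
# sign of DLL search-order hijacking or injected code, so those are the rows we keep.
# Assumption: elevated 64-bit PowerShell. Processes that cannot be opened (protected
# processes, other sessions, or 64-bit targets from a 32-bit shell) are reported
# with a warning and skipped rather than silently ignored.

$systemRoot = $env:SystemRoot   # e.g. C:\WINDOWS, the "expected" home for OS DLLs
$sigCache   = @{}               # path -> signature; many processes share the same DLLs

$inventory = foreach ($proc in Get-Process) {
    try {
        $modules = $proc.Modules
    } catch {
        Write-Warning ("{0} (PID {1}): cannot enumerate modules: {2}" -f
            $proc.Name, $proc.Id, $_.Exception.Message)
        continue
    }

    foreach ($m in $modules) {
        if (-not $m.FileName) { continue }   # nothing on disk to check

        $vi = $m.FileVersionInfo
        if (-not $sigCache.ContainsKey($m.FileName)) {
            $sigCache[$m.FileName] = Get-AuthenticodeSignature -FilePath $m.FileName
        }
        $sig = $sigCache[$m.FileName]

        # OriginalFilename should normally match the file's actual name; comparison
        # is case-insensitive (-ne), so PowerShell.EXE vs PowerShell.exe is fine.
        $nameMismatch = [bool]($vi.OriginalFilename -and
                               ($vi.OriginalFilename -ne $m.ModuleName))

        [pscustomobject]@{
            Process       = $proc.Name
            PID           = $proc.Id
            Module        = $m.ModuleName
            Path          = $m.FileName
            Company       = $vi.CompanyName
            FileVersion   = $vi.FileVersion
            Signature     = $sig.Status                 # Valid, NotSigned, HashMismatch, ...
            Signer        = $sig.SignerCertificate.Subject
            OutsideWinDir = ($m.FileName -notlike "$systemRoot\*")
            NameMismatch  = $nameMismatch
        }
    }
}

# Keep only rows that tripped a check. Drop the Where-Object to get the full,
# tlist-style inventory with version and signer information for every module.
$inventory |
    Where-Object { $_.Signature -ne 'Valid' -or $_.OutsideWinDir -or $_.NameMismatch } |
    Sort-Object Process, Module |
    Format-Table Process, PID, Module, Signature, OutsideWinDir, NameMismatch, Path -AutoSize
```

Two caveats before trusting the output. First, on older Windows versions where Get-AuthenticodeSignature does not consult the security catalog, most system DLLs come back NotSigned even though they are catalog-signed, so a NotSigned system32 file is not a finding on its own there; compare against a known-good host or a hash list instead. Second, the OutsideWinDir check is only a locator: legitimate software loads its own DLLs from Program Files all the time, which is exactly why the signer column is printed next to it.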