PowerShell Remoting Usage #143
Comments
I should add that, in my scenario, implicit module importing will not work, as the target endpoint cannot be aware of any credentials to connect back to the remote server.
Hey Evan, thanks for the kind words! I'm glad you are enjoying the project. I've created a GitHub project called PowerForensics Portable (https://github.com/Invoke-IR/PowerForensicsPortable) that leverages PowerForensics' public API.

One of the cool things about PowerForensics being a .NET assembly is that it is truly a "forensics" library, complete with publicly exposed classes and methods. PowerForensics Portable loads the PowerForensics assembly in memory using the System.Reflection.Assembly class's Load method. The basic idea is that you pass a .NET DLL as a byte array to the Load method, and it will load that DLL in memory and expose all public functions. I then wrote a function to replicate each PowerForensics cmdlet's functionality by calling the corresponding public API. For instance, if we want to parse the UsnJrnl, then I can call [PowerForensics.Ntfs.UsnJrnl]::GetInstances('.\C:'), which parses the UsnJrnl on the logical C: volume.

A little-known feature (at least something that I just learned about) of Invoke-Command is the ability to run locally defined functions on a remote host. So by importing the PowerForensicsPortable module, you are defining all of the "Portable" functions locally. You can then use Invoke-Command to execute them on a remote system over PowerShell Remoting. Example:

My colleague Matt Graeber also wrote a proxy function for Invoke-Command that leverages PowerShell's AST to dynamically resolve function dependencies. This helps the syntax become a little more straightforward. The Invoke-Command proxy function is included in PowerForensics Portable, so it is there once the module is loaded locally. Example:
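To show the mechanics described in the reply above (an in-memory Assembly.Load from a byte array, plus shipping locally defined functions to a remote runspace through Invoke-Command so the module never has to be installed on the endpoint), here is an added PowerShell example; it is not code from the PowerForensics or PowerForensicsPortable projects. The DLL path, the host name and the `\\.\C:` volume path form are assumptions, and the function dependency list is written by hand rather than resolved from the AST the way Matt's proxy does.

```powershell
# Added example, not code from the PowerForensics or PowerForensicsPortable projects.
$DllPath = 'C:\Tools\PowerForensics.dll'   # assumed local path to the assembly
$Target  = 'server01.example.local'        # placeholder remote host
$Volume  = '\\.\C:'                        # assumed volume path format

# Helper: load the assembly from bytes (nothing is written to disk on the target)
# and call the static parser using the call shape quoted in the thread.
function Get-PortableUsnJrnl {
    param([byte[]]$AssemblyBytes, [string]$VolumeName)
    [void][System.Reflection.Assembly]::Load($AssemblyBytes)
    [PowerForensics.Ntfs.UsnJrnl]::GetInstances($VolumeName)
}

# Wrapper that depends on the helper: both definitions must travel to the remote
# side, which is the dependency problem the AST-based proxy solves automatically.
function Get-PortableUsnJrnlCount {
    param([byte[]]$AssemblyBytes, [string]$VolumeName)
    (Get-PortableUsnJrnl -AssemblyBytes $AssemblyBytes -VolumeName $VolumeName |
        Measure-Object).Count
}

# 1. Collect the source text of the local functions (hand-listed dependency set).
$defs = @{}
foreach ($name in 'Get-PortableUsnJrnl', 'Get-PortableUsnJrnlCount') {
    $defs[$name] = (Get-Command -Name $name -CommandType Function).Definition
}

$session = New-PSSession -ComputerName $Target

# 2. Re-create the functions inside the remote runspace. $using: carries the
#    hashtable across the remoting channel; the endpoint needs no module import.
Invoke-Command -Session $session -ScriptBlock {
    foreach ($entry in ($using:defs).GetEnumerator()) {
        Set-Item -Path "function:\$($entry.Key)" `
                 -Value ([scriptblock]::Create($entry.Value))
    }
}

# 3. Call the wrapper remotely; the DLL bytes are passed as an argument, so the
#    remote host never has to reach back to a share for the assembly.
$bytes = [System.IO.File]::ReadAllBytes($DllPath)
$count = Invoke-Command -Session $session -ScriptBlock {
    param($AssemblyBytes, $VolumeName)
    Get-PortableUsnJrnlCount -AssemblyBytes $AssemblyBytes -VolumeName $VolumeName
} -ArgumentList $bytes, $Volume

"$count UsnJrnl records parsed on $Target"
Remove-PSSession -Session $session
```

Because the function text is re-created on the remote side, the definitions and the assembly bytes are visible in PowerShell remoting and script block logging on the endpoint, which is what a collector doing this over many hosts should expect to see in its own logs.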
Hi Jared, is your PowerForensicsPortable still an ongoing project?
This is a really great project! I'm looking at potentially incorporating some of its functionality in a project I've been working on. In my case I need to execute these functions on remote endpoints (via PS Remoting) that will not have the module locally imported. Any thoughts on how I might accomplish this? The PS Remoting session is established with C# and the System.Management.Automation library. Cheers!