mattifestation · October 9, 2019 21:22
diff --git a/msobjs_event_table.ps1 b/msobjs_event_table.ps1
 $Source = @'
 using System;
 using System.Runtime.InteropServices;
 using System.Text;

 public class Win32Native {
    [DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    public static extern IntPtr LoadLibraryEx(string libFilename, IntPtr reserved, int flags);

    [DllImport("kernel32.dll", CharSet = CharSet.Unicode)]
 	[return: MarshalAs(UnmanagedType.Bool)]
 	public static extern bool FreeLibrary(IntPtr hModule);

    [DllImport("kernel32.dll", BestFitMapping = true, CharSet = CharSet.Auto)]
    public static extern int FormatMessage(int dwFlags, IntPtr lpSource, int dwMessageId, int dwLanguageId, StringBuilder lpBuffer, int nSize, IntPtr va_list_arguments);
 }
 '@

 Add-Type -TypeDefinition $Source

 function Get-MSObjsMessage {
    param (
        [Parameter(ValueFromPipeline)]
        [Int[]]
        $MessageIDs
    )

    BEGIN {
        $LOAD_LIBRARY_AS_IMAGE_RESOURCE = 0x20

        $hMSObjs = [Win32Native]::LoadLibraryEx('C:\Windows\System32\msobjs.dll', [IntPtr]::Zero, $LOAD_LIBRARY_AS_IMAGE_RESOURCE)

        $StrBuilder = New-Object -TypeName System.Text.StringBuilder -ArgumentList 0x500

        $FORMAT_MESSAGE_IGNORE_INSERTS = 0x200
        $FORMAT_MESSAGE_FROM_HMODULE = 0x800
        $FORMAT_MESSAGE_ALLOCATE_BUFFER = 0x1000
    }

    PROCESS {
        foreach ($Id in $MessageIDs) {
            $Result = [Win32Native]::FormatMessage(($FORMAT_MESSAGE_IGNORE_INSERTS -bor $FORMAT_MESSAGE_FROM_HMODULE -bor $FORMAT_MESSAGE_ALLOCATE_BUFFER), $hMSObjs, $Id, 0, $StrBuilder, $StrBuilder.Capacity, [IntPtr]::Zero)

            if ($Result) { $StrBuilder.ToString() }

            $null = $StrBuilder.Clear()
        }
    }

    END {
        $null = [Win32Native]::FreeLibrary($hMSObjs)
    }
 }

 $ChannelMessageIDs = 0x1400..0x140F

 $ChannelMessageIDs | Get-MSObjsMessage
	$Source = @'
	using System;
	using System.Runtime.InteropServices;
	using System.Text;

	public class Win32Native {
	[DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
	public static extern IntPtr LoadLibraryEx(string libFilename, IntPtr reserved, int flags);

	[DllImport("kernel32.dll", CharSet = CharSet.Unicode)]
	[return: MarshalAs(UnmanagedType.Bool)]
	public static extern bool FreeLibrary(IntPtr hModule);

	[DllImport("kernel32.dll", BestFitMapping = true, CharSet = CharSet.Auto)]
	public static extern int FormatMessage(int dwFlags, IntPtr lpSource, int dwMessageId, int dwLanguageId, StringBuilder lpBuffer, int nSize, IntPtr va_list_arguments);
	}
	'@

	Add-Type -TypeDefinition $Source

	function Get-MSObjsMessage {
	param (
	[Parameter(ValueFromPipeline)]
	[Int[]]
	$MessageIDs
	)

	BEGIN {
	$LOAD_LIBRARY_AS_IMAGE_RESOURCE = 0x20

	$hMSObjs = [Win32Native]::LoadLibraryEx('C:\Windows\System32\msobjs.dll', [IntPtr]::Zero, $LOAD_LIBRARY_AS_IMAGE_RESOURCE)

	$StrBuilder = New-Object -TypeName System.Text.StringBuilder -ArgumentList 0x500

	$FORMAT_MESSAGE_IGNORE_INSERTS = 0x200
	$FORMAT_MESSAGE_FROM_HMODULE = 0x800
	$FORMAT_MESSAGE_ALLOCATE_BUFFER = 0x1000
	}

	PROCESS {
	foreach ($Id in $MessageIDs) {
	$Result = [Win32Native]::FormatMessage(($FORMAT_MESSAGE_IGNORE_INSERTS -bor $FORMAT_MESSAGE_FROM_HMODULE -bor $FORMAT_MESSAGE_ALLOCATE_BUFFER), $hMSObjs, $Id, 0, $StrBuilder, $StrBuilder.Capacity, [IntPtr]::Zero)

	if ($Result) { $StrBuilder.ToString() }

	$null = $StrBuilder.Clear()
	}
	}

	END {
	$null = [Win32Native]::FreeLibrary($hMSObjs)
	}
	}

	$ChannelMessageIDs = 0x1400..0x140F

	$ChannelMessageIDs \| Get-MSObjsMessage