May 14, 2017 at 11:36 am

Hi everyone,
I'm interested in loading a module that resides in the memory (but not on the disk).
Is that possible? I would appreciate any suggestion and explanation regarding this procedure.
This is for forensics purposes, which is why I'm interested in loading it from the memory.

May 15, 2017 at 12:56 pm

You'll have to explain a bit more about what you mean.

If the scenario is, "I have an instance of PowerShell which has loaded a module... I want to inspect that module as it sits in memory," the answer is very probably, "no." PowerShell itself runs inside the .NET runtime, and does its own memory management in terms of module contents. You can't "see" inside another instance very easily.

If you have code running inside the same instance, and it's a script module, then the FUNCTION: drive would contain the loaded commands.
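The Function: drive mentioned in the reply above can be inventoried from inside the same session. The following is an added example, not part of the original thread: `Get-LoadedFunctionInventory` and `Get-ConstructedSample` are hypothetical names, and the sample function is constructed so the snippet runs on its own.

```powershell
# Added example: list functions loaded in the current session via the Function: drive,
# with their owning module, backing file (if any) and a SHA-256 of the definition text.
function Get-LoadedFunctionInventory {
    [CmdletBinding()]
    param(
        # Wildcard filter on the owning module; '*' also matches functions with no module.
        [string]$ModuleName = '*'
    )
    $sha256 = [System.Security.Cryptography.SHA256]::Create()
    try {
        Get-ChildItem -Path Function: |
            Where-Object { $_.CommandType -eq 'Function' -and "$($_.ModuleName)" -like $ModuleName } |
            ForEach-Object {
                # Hash the definition so it can be compared with a known-good copy.
                $bytes = [System.Text.Encoding]::UTF8.GetBytes($_.Definition)
                $hash  = [System.BitConverter]::ToString($sha256.ComputeHash($bytes)) -replace '-', ''
                [pscustomobject]@{
                    Name       = $_.Name
                    ModuleName = $_.ModuleName
                    # Empty when the function was defined without a script file behind it.
                    SourceFile = $_.ScriptBlock.File
                    HasNoFile  = [string]::IsNullOrEmpty($_.ScriptBlock.File)
                    Sha256     = $hash
                    Definition = $_.Definition
                }
            }
    }
    finally {
        $sha256.Dispose()
    }
}

# Constructed sample function so there is something known to find.
function Get-ConstructedSample { 'constructed sample' }

# Show the sample entry; pasted into a console, HasNoFile is True for it.
Get-LoadedFunctionInventory |
    Where-Object Name -eq 'Get-ConstructedSample' |
    Format-List Name, ModuleName, SourceFile, HasNoFile, Sha256
```

This only sees the session it runs in, which matches the reply's point that another PowerShell instance cannot be inspected this way.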

May 16, 2017 at 8:13 am

Let me explain myself further.
• I have a psm file on server1
• I want to transfer that file to server2
• I do not want to write on the disk, but transfer the file directly to the volatile memory.
• I then want to import the module in a PowerShell instance on server2 (where the psm file should reside in the memory)

My goal is to take a psm file from a server and save it on a different server only in the volatile memory (not to write it on the disk), and then import that module, which is in the memory somewhere, into a PowerShell instance on the server I sent the psm file to.

This is for forensics purposes, if you're wondering why I would choose this way to import a module.

May 16, 2017 at 9:32 am

... and simply importing the module on the server2 from the remote server server1 is not an option?

May 16, 2017 at 11:56 am

No, because I can't allow access from server2 to server1.

May 16, 2017 at 12:44 pm

If you can't allow access from server1 to server2, how do you plan to actually move the bits back and forth?

Given your other restrictions, generally, no – you can't do what you're asking.

May 16, 2017 at 1:20 pm

If you have remote or physical access to server2, you may copy/paste all needed functions from the module. Of course, if it is not a binary module.