Is loading a Module from memory possible?

This topic contains 6 replies, has 4 voices, and was last updated by Max Kozlov 1 year ago.

  • #70610


    Hi everyone,
    I'm interested in loading a module that resides in memory (but not on disk).
    Is that possible? I would appreciate any suggestion and explanation regarding this procedure.
    This is for forensics purposes, which is why I'm interested in loading it from memory.

  • #70655

    Don Jones

    You'll have to explain a bit more about what you mean.

    If the scenario is, "I have an instance of PowerShell which has loaded a module... I want to inspect that module as it sits in memory," the answer is very probably, "no." PowerShell itself runs inside the .NET runtime, and does its own memory management in terms of module contents. You can't "see" inside another instance very easily.

    If you have code running inside the same instance, and it's a script module, then the FUNCTION: drive would contain the loaded commands.
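Added example, not part of the original thread: the Function: drive mentioned above can be inventoried from inside the same PowerShell session. `Get-LoadedFunctionInventory` is a hypothetical helper name; it records each loaded function's module, its backing file (if any) and a SHA-256 of its definition.

```powershell
# Added example: inventory script functions loaded in the CURRENT session.
# It cannot look into another PowerShell process; run it in the instance under review.
function Get-LoadedFunctionInventory {
    [CmdletBinding()]
    param(
        # Optional module name filter (wildcards allowed). Default: all functions.
        [string]$ModuleName = '*'
    )

    $sha256 = [System.Security.Cryptography.SHA256]::Create()
    try {
        Get-ChildItem -Path Function: |
            Where-Object { $_.CommandType -in 'Function', 'Filter' } |
            Where-Object { "$($_.ModuleName)" -like $ModuleName } |
            ForEach-Object {
                # Hash the function body so it can be compared with a known-good copy.
                $bytes = [System.Text.Encoding]::UTF8.GetBytes($_.Definition)
                $hash  = -join ($sha256.ComputeHash($bytes) |
                                ForEach-Object { $_.ToString('x2') })
                [pscustomobject]@{
                    Name       = $_.Name
                    Module     = $_.ModuleName
                    # ScriptBlock.File is empty when the body was not read from a file.
                    SourceFile = $_.ScriptBlock.File
                    FileBacked = [bool]$_.ScriptBlock.File
                    Length     = $_.Definition.Length
                    Sha256     = $hash
                }
            }
    }
    finally {
        $sha256.Dispose()
    }
}

# Functions with no file behind them. Built-in functions (prompt, help, mkdir, ...)
# also appear here, so compare the result with a baseline from a clean session.
Get-LoadedFunctionInventory |
    Where-Object { -not $_.FileBacked } |
    Sort-Object Module, Name |
    Format-Table Name, Module, Length, Sha256 -AutoSize
```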

    • #70711


      Let me explain myself further.
      • I have a psm file on server1
      • I want to transfer that file to server2
      • I do not want to write to the disk, but transfer the file directly to volatile memory.
      • I then want to import the module in a PowerShell instance on server2 (where the psm file should reside in memory)

      My goal is to take a psm file from a server and save it on a different server only in volatile memory (not write it to disk), and then import that module, which is somewhere in memory, into a PowerShell instance on the server I sent the psm file to.

      This is for forensics purposes, if you're wondering why I would choose this way to import a module.

    • #70714

      Olaf Soyk

      ... and simply importing the module on the server2 from the remote server server1 is not an option?

    • #70720


      No, because I can't allow access from server2 to server1.

  • #70724

    Don Jones

    If you can't allow access from server1 to server2, how do you plan to actually move the bits back and forth?

    Given your other restrictions, generally, no – you can't do what you're asking.

  • #70751

    Max Kozlov

    If you have remote or physical access to server2, you may copy/paste all needed functions from the module. Of course, if it is not a binary module.
