Invoke-ReflectivePEInjection fix for Win 10.0.17134 (SOLVED)
Opened this issue · 2 comments
sharpbazil commented
It appears that Windows now has two methods for GetProcAddress, which breaks the Get-ProcAddress function. It looks like they aren't accepting pull requests, so... I'm just gonna point this out.
I was able to fix it like this:
```powershell
Function Get-ProcAddress
{
    Param
    (
        [OutputType([IntPtr])]

        [Parameter( Position = 0, Mandatory = $True )]
        [String]
        $Module,

        [Parameter( Position = 1, Mandatory = $True )]
        [String]
        $Procedure
    )

    # Locate System.dll in the GAC and pull out its internal UnsafeNativeMethods type
    $SystemAssembly = [AppDomain]::CurrentDomain.GetAssemblies() |
        Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\\')[-1].Equals('System.dll') }
    $UnsafeNativeMethods = $SystemAssembly.GetType('Microsoft.Win32.UnsafeNativeMethods')

    # Get a reference to the GetModuleHandle and GetProcAddress methods
    $GetModuleHandle = $UnsafeNativeMethods.GetMethod('GetModuleHandle')

    # Deal with the fact that Windows now has two of these; we'll select the second one.
    # A name-only GetMethod('GetProcAddress') throws AmbiguousMatchException when more
    # than one overload exists, so collect the overloads ourselves first.
    $x = @($UnsafeNativeMethods.GetMethods() | Where-Object { $_.Name -eq 'GetProcAddress' })
    if ($x.Count -gt 1) {
        $x | Format-Table | Out-Host   # debug: show the overloads that were found
        $GetProcAddress = $x[1]
    } else {
        $GetProcAddress = $UnsafeNativeMethods.GetMethod('GetProcAddress')
    }

    $Kern32Handle = $GetModuleHandle.Invoke($null, @($Module))
    $tmpPtr = New-Object IntPtr
    $HandleRef = New-Object System.Runtime.InteropServices.HandleRef($tmpPtr, $Kern32Handle)
    Write-Output $GetProcAddress.Invoke($null, @([System.Runtime.InteropServices.HandleRef]$HandleRef, $Procedure))
}
```
CG-root commented
Please try to change the line:

```powershell
$GetProcAddress = $UnsafeNativeMethods.GetMethod('GetProcAddress')
```

to

```powershell
$GetProcAddress = $UnsafeNativeMethods.GetMethod('GetProcAddress', [reflection.bindingflags] "Public,Static", $null, [System.Reflection.CallingConventions]::Any, @((New-Object System.Runtime.InteropServices.HandleRef).GetType(), [string]), $null);
```

Let me know if it works.
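The following is an added example, not code from the PowerSploit project or from either commenter in this thread. It shows why the two fixes above behave as they do: it lists the GetProcAddress overloads that System.dll's Microsoft.Win32.UnsafeNativeMethods exposes on the current build, tries the name-only lookup (which throws AmbiguousMatchException once two overloads exist), and then resolves the (HandleRef, string) overload by signature so the result does not depend on overload order. The function name Get-ProcAddressOverloadReport is made up for this example; Windows PowerShell 5.x on .NET Framework is assumed.

```powershell
# Added example (not PowerSploit code): inspect the GetProcAddress overloads on
# Microsoft.Win32.UnsafeNativeMethods and compare name-only vs signature-based lookup.
# Function name is hypothetical; assumes Windows PowerShell 5.x / .NET Framework.
function Get-ProcAddressOverloadReport
{
    # Same System.dll lookup the thread uses; take the first match defensively.
    $SystemAssembly = [AppDomain]::CurrentDomain.GetAssemblies() |
        Where-Object { $_.GlobalAssemblyCache -and $_.Location.Split('\\')[-1] -eq 'System.dll' } |
        Select-Object -First 1
    $UnsafeNativeMethods = $SystemAssembly.GetType('Microsoft.Win32.UnsafeNativeMethods')

    # Every public overload named GetProcAddress, printed with its parameter types.
    # GetMethods() documents no ordering guarantee, so indexing such as $x[1] may pick
    # a different overload on another build or runtime.
    $Overloads = @($UnsafeNativeMethods.GetMethods() | Where-Object { $_.Name -eq 'GetProcAddress' })
    foreach ($m in $Overloads) {
        $sig = ($m.GetParameters() | ForEach-Object { $_.ParameterType.FullName }) -join ', '
        Write-Host ("overload: GetProcAddress({0}) -> {1}" -f $sig, $m.ReturnType.FullName)
    }

    # Name-only lookup: resolves with one overload, fails with AmbiguousMatchException with two.
    try {
        $null = $UnsafeNativeMethods.GetMethod('GetProcAddress')
        Write-Host 'Name-only GetMethod: resolved (single overload on this build)'
    } catch {
        Write-Host ('Name-only GetMethod: ' + $_.Exception.Message)
    }

    # Signature-based lookup (the idea behind CG-root's fix): pin the (HandleRef, string)
    # overload explicitly instead of relying on name or position.
    $ParamTypes = [Type[]] @([System.Runtime.InteropServices.HandleRef], [string])
    $Resolved = $UnsafeNativeMethods.GetMethod('GetProcAddress', $ParamTypes)
    if ($null -eq $Resolved) {
        Write-Host 'Signature-based GetMethod: no (HandleRef, string) overload on this build'
    } else {
        Write-Host ('Signature-based GetMethod: resolved, returns ' + $Resolved.ReturnType.FullName)
    }

    # Return the MethodInfo so a caller can hand it to Invoke() exactly as Get-ProcAddress does.
    return $Resolved
}

$null = Get-ProcAddressOverloadReport
```

On a build with a single overload the name-only call and the typed call return the same MethodInfo; on 10.0.17134 and later the name-only call fails and only the typed call is reliable. The typed lookup is the one to prefer: it is exact about which overload it wants, whereas selecting `$x[1]` works only while the runtime happens to enumerate the overloads in that order.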
AdrianVollmer commented
Can confirm that your solution works.