PowerShellMafia / PowerSploit

PowerSploit - A PowerShell Post-Exploitation Framework

Invoke-ReflectivePEInjection fix for Win 10.0.17134 (SOLVED) #293

Open sharpbazil opened 6 years ago

sharpbazil commented 6 years ago

It appears that Windows now has two methods for GetProcAddress, which breaks the Get-ProcAddress function. It looks like they aren't accepting pull requests, so... I'm just gonna point this out.

I was able to fix it like this:

    Function Get-ProcAddress
    {
        Param
        (
            [OutputType([IntPtr])]
            [Parameter( Position = 0, Mandatory = $True )]
            [String]
            $Module,
            [Parameter( Position = 1, Mandatory = $True )]
            [String]
            $Procedure
        )
        $SystemAssembly = [AppDomain]::CurrentDomain.GetAssemblies() | Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\\')[-1].Equals('System.dll') };
        $UnsafeNativeMethods = $SystemAssembly.GetType('Microsoft.Win32.UnsafeNativeMethods');
        # Get a reference to the GetModuleHandle and GetProcAddress methods
        $GetModuleHandle = $UnsafeNativeMethods.GetMethod('GetModuleHandle');
        #Deal with the fact that windows now has two of these, we'll select the second one
        $x=$($UnsafeNativeMethods.GetMethods() | where-object {$_.name -eq "getprocaddress"});

        if(Get-Member -InputObject $x -Name Length -MemberType Properties) {
            write-host $x | format-table
            $GetProcAddress = $x[1];
        } else {
            $GetProcAddress = $UnsafeNativeMethods.GetMethod("GetProcAddress");
        }

        $Kern32Handle = $GetModuleHandle.Invoke($null, @($Module))
        $tmpPtr = New-Object IntPtr
        $HandleRef = New-Object System.Runtime.InteropServices.HandleRef($tmpPtr, $Kern32Handle)
        Write-Output $GetProcAddress.Invoke($null, @([System.Runtime.InteropServices.HandleRef]$HandleRef, $Procedure))
    }

CG-root commented 6 years ago

Please try to change the line:

    $GetProcAddress = $UnsafeNativeMethods.GetMethod('GetProcAddress')

to

    $GetProcAddress = $UnsafeNativeMethods.GetMethod('GetProcAddress', [reflection.bindingflags] "Public,Static", $null, [System.Reflection.CallingConventions]::Any, @((New-Object System.Runtime.InteropServices.HandleRef).GetType(), [string]), $null);

Let me know if it works.

AdrianVollmer commented 6 years ago

Can confirm that your solution works
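
Added example (not code from PowerSploit or from anyone in this thread): it shows why a name-only `GetMethod` lookup stops working once a type gains a second overload, and how matching on parameter types, as the second suggestion above does, selects one overload regardless of enumeration order. `[System.Math]::Abs` is a benign stand-in for the overloaded method, and `Resolve-Overload` is a hypothetical helper name.

```powershell
# Added illustration. [System.Math]::Abs stands in for any method that has
# more than one overload; Resolve-Overload is a hypothetical helper.
function Resolve-Overload {
    param(
        [Parameter(Mandatory)] [Type]   $Type,
        [Parameter(Mandatory)] [string] $Name,
        [Parameter(Mandatory)] [Type[]] $ParameterTypes
    )
    $flags = [Reflection.BindingFlags] 'Public,NonPublic,Static'
    # Binder and ParameterModifier[] are $null: default binder, no modifiers.
    # Supplying the parameter types is what makes the match exact.
    $method = $Type.GetMethod($Name, $flags, $null, $ParameterTypes, $null)
    if (-not $method) {
        $wanted = ($ParameterTypes | ForEach-Object { $_.Name }) -join ', '
        throw "No $Name overload on $($Type.FullName) takes ($wanted)"
    }
    $method
}

# 1. Name-only lookup: fails as soon as a second overload exists.
try {
    [Math].GetMethod('Abs') | Out-Null
    'name-only lookup succeeded (single overload)'
} catch {
    # PowerShell wraps the .NET exception; unwrap to the root cause.
    'name-only lookup failed: ' + $_.Exception.GetBaseException().GetType().FullName
}

# 2. Positional selection: works only while the enumeration order holds.
#    The .NET documentation states GetMethods() returns no particular order.
$overloads = @([Math].GetMethods() | Where-Object { $_.Name -eq 'Abs' })
'{0} overloads; index 1 currently takes ({1})' -f $overloads.Count,
    $overloads[1].GetParameters()[0].ParameterType.Name

# 3. Signature-qualified lookup: one specific overload, or a clear error.
$abs = Resolve-Overload -Type ([Math]) -Name 'Abs' -ParameterTypes @([int])
'resolved: {0}' -f $abs.ToString()
'invoke:   {0}' -f $abs.Invoke($null, @(-5))

# 4. A signature that does not exist is reported instead of silently
#    binding to whichever overload happens to come first.
try {
    Resolve-Overload -Type ([Math]) -Name 'Abs' -ParameterTypes @([string]) | Out-Null
} catch {
    'no match:  ' + $_.Exception.Message
}
```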