From c722f89a29fe81b2e554de3b03101794e4ad6aaa Mon Sep 17 00:00:00 2001
From: Tony <tony@endgame.com>
Date: Tue, 8 May 2018 20:17:33 -0400
Subject: [PATCH] Add support for Windows 10 v1803 to
 Invoke-ReflectivePEInjection

---
 .../Invoke-ReflectivePEInjection.ps1          | 20 ++++++++++++++-----
 1 file changed, 15 insertions(+), 5 deletions(-)

diff --git a/CodeExecution/Invoke-ReflectivePEInjection.ps1 b/CodeExecution/Invoke-ReflectivePEInjection.ps1
index c756dd99..6c0fc776 100644
--- a/CodeExecution/Invoke-ReflectivePEInjection.ps1
+++ b/CodeExecution/Invoke-ReflectivePEInjection.ps1
@@ -997,16 +997,26 @@ $RemoteScriptBlock = {
         $SystemAssembly = [AppDomain]::CurrentDomain.GetAssemblies() |
             Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\\')[-1].Equals('System.dll') }
         $UnsafeNativeMethods = $SystemAssembly.GetType('Microsoft.Win32.UnsafeNativeMethods')
+
         # Get a reference to the GetModuleHandle and GetProcAddress methods
         $GetModuleHandle = $UnsafeNativeMethods.GetMethod('GetModuleHandle')
-        $GetProcAddress = $UnsafeNativeMethods.GetMethod('GetProcAddress')
+        $GetProcAddress = $UnsafeNativeMethods.GetMethods() | Where {$_.Name -eq "GetProcAddress"} | Select-Object -first 1
+
         # Get a handle to the module specified
         $Kern32Handle = $GetModuleHandle.Invoke($null, @($Module))
-        $tmpPtr = New-Object IntPtr
-        $HandleRef = New-Object System.Runtime.InteropServices.HandleRef($tmpPtr, $Kern32Handle)
 
         # Return the address of the function
-        Write-Output $GetProcAddress.Invoke($null, @([System.Runtime.InteropServices.HandleRef]$HandleRef, $Procedure))
+        try
+        {
+            $tmpPtr = New-Object IntPtr
+            $HandleRef = New-Object System.Runtime.InteropServices.HandleRef($tmpPtr, $Kern32Handle)
+            Write-Output $GetProcAddress.Invoke($null, @([System.Runtime.InteropServices.HandleRef]$HandleRef, $Procedure))
+        }
+        catch
+        {
+            # Windows 10 v1803 needs $Kern32Handle as a System.IntPtr instead of System.Runtime.InteropServices.HandleRef
+            Write-Output $GetProcAddress.Invoke($null, @($Kern32Handle, $Procedure))
+        }
     }
 
     Function Enable-SeDebugPrivilege
@@ -2881,4 +2891,4 @@ Function Main
 }
 
 Main
-}
\ No newline at end of file
+}