# Compiles an inline C# helper class, EVD2, that exposes two Win32 functions to
# PowerShell through P/Invoke:
#   - GetLastError      (kernel32.dll)
#   - EnumDeviceDrivers (psapi), which fills an array with driver load addresses.
#
# NOTE(review): the array parameter is declared UInt64[] but marshalled with
# ArraySubType = UnmanagedType.U4 (a 4-byte element type). The element size and
# the marshalling hint disagree; confirm this is intended for the target bitness.
# NOTE(review): neither DllImport sets SetLastError = true, so the error code is
# read by calling GetLastError directly. The runtime can make other API calls
# between the failing call and that read, so the reported code may be stale.
# NOTE(review): System.Diagnostics and System.Security.Principal are imported but
# not used by the class as shown.
#
# Defender context: kernel load addresses are KASLR-sensitive. Microsoft's
# documentation is understood to state that from Windows 11 24H2 this API only
# returns real addresses to callers holding SeDebugPrivilege (confirm against the
# current docs). Inline Add-Type with DllImport is recorded by PowerShell
# script block logging (event ID 4104) and is visible to AMSI.
Add-Type -TypeDefinition @"
// ref: http://showlinkroom.me/2020/10/16/WindowKernelExploit01/
using System;
using System.Diagnostics;
using System.Runtime.InteropServices;
using System.Security.Principal;
public static class EVD2
{
    [DllImport("kernel32.dll")]
    public static extern uint GetLastError();

    [DllImport("psapi")]
    public static extern bool EnumDeviceDrivers(
        [MarshalAs(UnmanagedType.LPArray, ArraySubType = UnmanagedType.U4)] [In][Out] UInt64[] ddAddresses,
        UInt32 arraySizeBytes,
        [MarshalAs(UnmanagedType.U4)] out UInt32 bytesNeeded
    );
}
"@

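Function LeakBaseAddress(){
    <#
    .SYNOPSIS
    Returns the first load address reported by EnumDeviceDrivers.

    .DESCRIPTION
    Calls [EVD2]::EnumDeviceDrivers twice: once with a zero size to learn how
    many bytes are needed, then again with a 0x1000-entry buffer to read the
    addresses. Only the first entry is returned.

    Diagnostics go to the warning stream. The original used echo, which writes
    to the function's output and so mixed the error text into the return value.

    .OUTPUTS
    The first array entry on success; $null when the second call fails.
    #>
    $dwByte = 0
    $status = [bool] [EVD2]::EnumDeviceDrivers(0, 0, [ref]$dwByte)
    if(!$status){
        # Best effort, as in the original: report the failure and still attempt the read.
        # The code comes from a direct GetLastError call and may be stale by the time it is read.
        Write-Warning $("[*] Unable to enum device.... with error 0x{0:x}`n" -f [EVD2]::GetLastError())
    }

    # 0x1000 entries, each pre-filled with 9.
    # NOTE(review): the size passed below is $dwByte+10, not derived from the
    # array length; confirm the buffer always covers the requested byte count.
    $ptrAddress = [Uint64[]](9)*0x1000
    $status = [bool] [EVD2]::EnumDeviceDrivers([UInt64[]]$ptrAddress, $dwByte+10, [ref]$dwByte)
    if(!$status){
        # Without this check the pre-filled placeholder value would be returned as if it were an address.
        Write-Warning $("[*] Unable to enum device.... with error 0x{0:x}`n" -f [EVD2]::GetLastError())
        return $null
    }

    # NOTE(review): a zero result may mean the OS withheld the address from this
    # caller (newer Windows builds restrict it to privileged callers) - confirm.
    return $ptrAddress[0]
}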
# Query the first driver load address and print it in hexadecimal.
# (Commonly the kernel image is listed first; that is not verified here.)
$leakAddress = LeakBaseAddress
$addressLine = "Address is {0:x}" -f $leakAddress
Write-Output $addressLine