matterpreter · June 22, 2024 14:53
diff --git a/find_iunknown_vtable.ps1 b/find_iunknown_vtable.ps1
 # Instantiate the object
 $clsid = '{A845DCD6-BB08-4F37-9BA5-AAC66F5ADDCE}'
 $obj = [System.Activator]::CreateInstance([type]::GetTypeFromCLSID($clsid))

 # Get the address of the IUnknown vtable
 Add-Type -AssemblyName 'System.Runtime.InteropServices'
 $iunk = [System.Runtime.InteropServices.Marshal]::GetIUnknownForObject($obj)
 $vtable = [System.Runtime.InteropServices.Marshal]::ReadIntPtr($iunk)

 # Locate the in-proc server and get it's base address
 $modbase = (gps -Id $pid).Modules | ? ModuleName -Like 'SimpleCOMServer*' | % BaseAddress

 # Calculate the offset
 '{0:x}' -f ($vtable.ToInt64() - $modbase.ToInt64())
	# Instantiate the object
	$clsid = '{A845DCD6-BB08-4F37-9BA5-AAC66F5ADDCE}'
	$obj = [System.Activator]::CreateInstance([type]::GetTypeFromCLSID($clsid))

	# Get the address of the IUnknown vtable
	Add-Type -AssemblyName 'System.Runtime.InteropServices'
	$iunk = [System.Runtime.InteropServices.Marshal]::GetIUnknownForObject($obj)
	$vtable = [System.Runtime.InteropServices.Marshal]::ReadIntPtr($iunk)

	# Locate the in-proc server and get it's base address
	$modbase = (gps -Id $pid).Modules \| ? ModuleName -Like 'SimpleCOMServer*' \| % BaseAddress

	# Calculate the offset
	'{0:x}' -f ($vtable.ToInt64() - $modbase.ToInt64())