PowerShellMafia#147 Bugfix: Invoke-Mimikatz

Matt Graeber · Matt Graeber · commit fee3b4c642c6 · 2016-07-15T14:28:55.000-07:00
Invoke-Mimikatz was not not handling functions exported by ordinal. Thank you @gentilkiwi for the suggested fix!
diff --git a/Exfiltration/Invoke-Mimikatz.ps1 b/Exfiltration/Invoke-Mimikatz.ps1
@@ -1687,7 +1687,14 @@ $RemoteScriptBlock = {
 					}
 					else
 					{
-						[IntPtr]$NewThunkRef = $Win32Functions.GetProcAddress.Invoke($ImportDllHandle, $ProcedureName)
+						if($ProcedureName -is [string])
+						{
+						    [IntPtr]$NewThunkRef = $Win32Functions.GetProcAddress.Invoke($ImportDllHandle, $ProcedureName)
+						}
+						else
+						{
+						    [IntPtr]$NewThunkRef = $Win32Functions.GetProcAddressOrdinal.Invoke($ImportDllHandle, $ProcedureName)
+						}
 					}
 					
 					if ($NewThunkRef -eq $null -or $NewThunkRef -eq [IntPtr]::Zero)

Original file line number	Diff line number	Diff line change
`@@ -1687,7 +1687,14 @@ $RemoteScriptBlock = {`
`1687`	`1687`	`}`
`1688`	`1688`	`else`
`1689`	`1689`	`{`
`1690`		`- [IntPtr]$NewThunkRef = $Win32Functions.GetProcAddress.Invoke($ImportDllHandle, $ProcedureName)`
	`1690`	`+ if($ProcedureName -is [string])`
	`1691`	`+ {`
	`1692`	`+ [IntPtr]$NewThunkRef = $Win32Functions.GetProcAddress.Invoke($ImportDllHandle, $ProcedureName)`
	`1693`	`+ }`
	`1694`	`+ else`
	`1695`	`+ {`
	`1696`	`+ [IntPtr]$NewThunkRef = $Win32Functions.GetProcAddressOrdinal.Invoke($ImportDllHandle, $ProcedureName)`
	`1697`	`+ }`
`1691`	`1698`	`}`
`1692`	`1699`
`1693`	`1700`	`if ($NewThunkRef -eq $null -or $NewThunkRef -eq [IntPtr]::Zero)`