matterpreter/find_iunknown_vtable.ps1

## find_iunknown_vtable.ps1
 # Instantiate the object
$clsid = '{A845DCD6-BB08-4F37-9BA5-AAC66F5ADDCE}'
$obj = [System.Activator]::CreateInstance([type]::GetTypeFromCLSID($clsid))

# Get the address of the IUnknown vtable
Add-Type -AssemblyName 'System.Runtime.InteropServices'
$iunk = [System.Runtime.InteropServices.Marshal]::GetIUnknownForObject($obj)
$vtable = [System.Runtime.InteropServices.Marshal]::ReadIntPtr($iunk)

# Locate the in-proc server and get it's base address
$modbase = (gps -Id $pid).Modules | ? ModuleName -Like 'SimpleCOMServer*' | % BaseAddress

# Calculate the offset
'{0:x}' -f ($vtable.ToInt64() - $modbase.ToInt64())
	# Instantiate the object
	$clsid = '{A845DCD6-BB08-4F37-9BA5-AAC66F5ADDCE}'
	$obj = [System.Activator]::CreateInstance([type]::GetTypeFromCLSID($clsid))

	# Get the address of the IUnknown vtable
	Add-Type -AssemblyName 'System.Runtime.InteropServices'
	$iunk = [System.Runtime.InteropServices.Marshal]::GetIUnknownForObject($obj)
	$vtable = [System.Runtime.InteropServices.Marshal]::ReadIntPtr($iunk)

	# Locate the in-proc server and get it's base address
	$modbase = (gps -Id $pid).Modules \| ? ModuleName -Like 'SimpleCOMServer*' \| % BaseAddress

	# Calculate the offset
	'{0:x}' -f ($vtable.ToInt64() - $modbase.ToInt64())