Unmanaged PowerShell execution using DLLs or a standalone executable.

Introduction

PowerShx is a rewrite and expansion of the PowerShdll project. PowerShx provides functionality for bypassing AMSI and running PS cmdlets.

Features

  • Run PowerShell with DLLs using rundll32.exe, installutil.exe, regsvcs.exe or regasm.exe, regsvr32.exe.
  • Run PowerShell without powershell.exe or powershell_ise.exe.
  • AMSI bypass features.
  • Run PowerShell scripts directly from the command line or from PowerShell script files.
  • Import PowerShell modules and execute PowerShell cmdlets.

Usage

.dll version

rundll32

rundll32 PowerShx.dll,primary -e <PS script to run>
rundll32 PowerShx.dll,primary -f <path>                   Run the script passed as argument
rundll32 PowerShx.dll,primary -f <path> -c <PS Cmdlet>    Load a script and run a PS cmdlet
rundll32 PowerShx.dll,primary -w                          Start an interactive console in a new window
rundll32 PowerShx.dll,primary -i                          Start an interactive console
rundll32 PowerShx.dll,primary -s                          Attempt to bypass AMSI
rundll32 PowerShx.dll,primary -v                          Print execution output to the console

1.
x86 - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false /U PowerShx.dll
x64 - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false /U PowerShx.dll
2.
x86 - C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe PowerShx.dll
x64 - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regsvcs.exe PowerShx.dll
3.
x86 - C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe /U PowerShx.dll
x64 - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe /U PowerShx.dll
4.
regsvr32 /s /u PowerShx.dll    --> Calls DllUnregisterServer
regsvr32 /s PowerShx.dll       --> Calls DllRegisterServer

.exe version

PowerShx.exe -i                          Start an interactive console
PowerShx.exe -e <PS script to run>
PowerShx.exe -f <path>                   Run the script passed as argument
PowerShx.exe -f <path> -c <PS Cmdlet>    Load a script and run a PS cmdlet
PowerShx.exe -s                          Attempt to bypass AMSI
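
Hosting PowerShell outside powershell.exe means the engine assembly, System.Management.Automation.dll, is loaded into the host process, which image-load telemetry records. The following is an added detection example, not code from PowerShx or the original page: it classifies Sysmon Event ID 7 (image load) records, using constructed sample events and an allowlist that is an assumption to tune per environment.

```python
import ntpath  # parses Windows paths on any OS

# Host binaries the page lists for running PowerShx.dll.
LOLBIN_HOSTS = {"rundll32.exe", "installutil.exe", "regsvcs.exe",
                "regasm.exe", "regsvr32.exe"}
# Processes expected to host the engine (assumption: extend per environment).
EXPECTED_HOSTS = {"powershell.exe", "powershell_ise.exe", "pwsh.exe"}
# PowerShell engine assembly; ".ni" is its precompiled native-image form.
ENGINE_DLLS = {"system.management.automation.dll",
               "system.management.automation.ni.dll"}

def classify(event):
    """Severity for one Sysmon Event ID 7 record: 'high', 'medium' or None."""
    if event.get("EventID") != 7:
        return None
    loaded = ntpath.basename(event.get("ImageLoaded", "")).lower()
    if loaded not in ENGINE_DLLS:
        return None
    host = ntpath.basename(event.get("Image", "")).lower()
    if host in EXPECTED_HOSTS:
        return None
    # Engine inside a listed host binary is the strongest signal; any other
    # unexpected host (such as a standalone executable) still merits review.
    return "high" if host in LOLBIN_HOSTS else "medium"

def findings(events):
    """Return (host image path, severity) for every suspicious load."""
    hits = []
    for event in events:
        severity = classify(event)
        if severity:
            hits.append((event["Image"], severity))
    return hits

# Constructed sample records (not real telemetry); paths are illustrative.
SMA = r"C:\Windows\assembly\System.Management.Automation.dll"
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "ImageLoaded": SMA},
    {"EventID": 7, "Image": r"C:\Windows\System32\rundll32.exe", "ImageLoaded": SMA},
    {"EventID": 7, "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe", "ImageLoaded": SMA},
    {"EventID": 7, "Image": r"C:\Users\Public\PowerShx.exe", "ImageLoaded": SMA},
    {"EventID": 7, "Image": r"C:\Windows\System32\rundll32.exe", "ImageLoaded": r"C:\Windows\System32\shell32.dll"},
    {"EventID": 1, "Image": r"C:\Windows\System32\regsvr32.exe"},
]

if __name__ == "__main__":
    for image, severity in findings(SAMPLE_EVENTS):
        print(f"{severity:6} {image}")
```

Legitimate management software can also host the PowerShell engine, so "medium" results are triage candidates and known-good hosts belong in EXPECTED_HOSTS.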

