A PowerShell console in C/C++ with all the security features disabled
scrt/PowerChell
PowerChell

A proof-of-concept aimed at creating a PowerShell console in C/C++, with all the security features patched or disabled: Antimalware Scan Interface (AMSI), Script Block logging, Module logging, Transcription, Execution Policy, and Constrained Language Mode (CLM).

Build

  1. Open the solution file PowerChell.sln with Visual Studio (you must have the Windows SDK installed).
  2. In the toolbar, select RELEASE-EXE if you want to build the executable (.exe) file, or RELEASE-DLL if you want to build the DLL. In both cases, the target configuration will be x64 because this is the only supported platform.
  3. In the top bar, click Build > Build Solution to build the project.

Run

You should be able to run the executable straight away:

C:\Users\Dummy\Downloads>PowerChell.exe
Windows PowerChell
Copyright (C) Microsoft Corporation. All rights reserved.

PS C:\Users\Dummy\Downloads> $PSVersionTable

Name                           Value
----                           -----
PSVersion                      5.1.26100.2161
PSEdition                      Desktop
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0...}
BuildVersion                   10.0.26100.2161
CLRVersion                     4.0.30319.42000
WSManStackVersion              3.0
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1

As for the DLL, you can use the following command:

rundll32 PowerChell.dll,Start

In the command above, Start is the name of a dummy function. It exists only to prevent rundll32 from complaining about not finding the entry point. You can very well specify any entry point you want. It will work as long as you don't close the error dialog.
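From the defender's side, the distinctive trait of a console like this is that the PowerShell engine runs inside a host that is not one of Microsoft's PowerShell executables (a custom .exe, or rundll32 loading a DLL), so image-load telemetry is a natural place to spot it. The script below is an added example, not code from the PowerChell project. It assumes a constructed, simplified key=value rendering of Sysmon Event ID 7 (ImageLoad) records and flags any process that loads System.Management.Automation (the assembly that implements the engine) without being a known PowerShell host.

```python
"""Flag non-standard processes that load the PowerShell engine.

Added example (not part of the PowerChell repository). Assumption: each log
line is a constructed, simplified rendering of a Sysmon Event ID 7 (ImageLoad)
record as '|'-separated key=value pairs. Real Sysmon output is XML/EVTX and
would need its own parser in front of check_record().
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Executables that legitimately host the PowerShell engine (lower-case names).
KNOWN_HOSTS = {"powershell.exe", "powershell_ise.exe", "pwsh.exe"}

# Any process that loads this assembly (the plain .dll or the native-image
# .ni.dll) is running the PowerShell engine, whatever the host is called.
ENGINE_ASSEMBLY = "system.management.automation"

# Constructed sample records for a stand-alone run: one legitimate console,
# the custom .exe from this README, the rundll32 case, and two non-matches.
SAMPLE_LOG = r"""
EventID=7|ProcessId=4120|Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|ImageLoaded=C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\abc123\System.Management.Automation.ni.dll
EventID=7|ProcessId=5208|Image=C:\Users\Dummy\Downloads\PowerChell.exe|ImageLoaded=C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll
EventID=7|ProcessId=6012|Image=C:\Windows\System32\rundll32.exe|ImageLoaded=C:\Users\Dummy\Downloads\PowerChell.dll
EventID=7|ProcessId=6012|Image=C:\Windows\System32\rundll32.exe|ImageLoaded=C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll
EventID=1|ProcessId=6012|Image=C:\Windows\System32\rundll32.exe|CommandLine=rundll32 PowerChell.dll,Start
""".strip().splitlines()


@dataclass(frozen=True)
class Finding:
    pid: int
    image: str
    loaded: str
    reason: str


def parse_record(line: str) -> dict[str, str]:
    """Split 'Key=Value|Key=Value' into a dict; tolerant of empty parts."""
    fields: dict[str, str] = {}
    for part in line.strip().split("|"):
        key, _, value = part.partition("=")
        if key:
            fields[key.strip()] = value.strip()
    return fields


def basename(path: str) -> str:
    """Last path component, lower-cased, for either separator style."""
    return re.split(r"[\\/]", path)[-1].lower()


def check_record(fields: dict[str, str]) -> Finding | None:
    """Return a Finding if an unexpected host loaded the PowerShell engine."""
    if fields.get("EventID") != "7":
        return None  # only ImageLoad records carry the signal we want
    image = fields.get("Image", "")
    loaded = fields.get("ImageLoaded", "")
    if not basename(loaded).startswith(ENGINE_ASSEMBLY):
        return None  # some other DLL; not the engine itself
    host = basename(image)
    if host in KNOWN_HOSTS:
        return None  # a normal PowerShell console, nothing to report
    if host == "rundll32.exe":
        reason = "rundll32 hosting PowerShell engine"
    else:
        reason = "unexpected host for PowerShell engine"
    return Finding(pid=int(fields.get("ProcessId", "0")), image=image,
                   loaded=loaded, reason=reason)


def scan(lines: list[str]) -> list[Finding]:
    """Run check_record over every non-empty line and collect the findings."""
    findings = []
    for line in lines:
        if line.strip():
            finding = check_record(parse_record(line))
            if finding is not None:
                findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"PID {f.pid}: {f.reason}: {f.image} -> {f.loaded}")
```

The allow-list of hosts is deliberately short; in a real environment extend it with whatever legitimately embeds the engine (for example, management agents that ship their own runspace host), and correlate the finding with process creation (Event ID 1) and with the absence of the usual Script Block logging events from that PID, since a hosted engine with logging patched out will be silent there.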

Caveats

  • If you open any of the source files and Visual Studio is screaming at you because it can't find the mscorlib stuff, that's expected. You need to build the solution at least once. It will generate the mscorlib.tlh file automatically.
  • The code of the DLL will likely need to be adapted if you want it to work properly using DLL sideloading.

Credit

There are many resources, blog posts, and tools that deserve credit. Unfortunately, I haven't kept track of all of them, but here are the main ones.

Tools

Blog posts
