Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/calebstewart/bypass-clm
PowerShell Constrained Language Mode Bypass
https://github.com/calebstewart/bypass-clm
bypass powershell windows
Last synced: 27 days ago
JSON representation
PowerShell Constrained Language Mode Bypass
- Host: GitHub
- URL: https://github.com/calebstewart/bypass-clm
- Owner: calebstewart
- Created: 2021-01-29T04:46:23.000Z (almost 4 years ago)
- Default Branch: master
- Last Pushed: 2021-01-31T19:13:55.000Z (almost 4 years ago)
- Last Synced: 2024-11-07T19:18:31.576Z (about 1 month ago)
- Topics: bypass, powershell, windows
- Language: C#
- Homepage:
- Size: 11.7 KB
- Stars: 230
- Watchers: 8
- Forks: 34
- Open Issues: 1
-
Metadata Files:
- Readme: README.md
Awesome Lists containing this project
- awesome-hacking-lists - calebstewart/bypass-clm - PowerShell Constrained Language Mode Bypass (C# #)
README
# PowerShell Constrained Language Mode Bypass
This will build an executable which executes a Full Language Mode powershell session even when Constrained Language Mode is enabled. At the time of writing, the only bypass methods I have found are downgrading to PowerShell version 2 or using Runspaces from .Net. PowerShell version 2 is not commonly available now, and Runspaces do not natively provide an interactive interface. This method will provide a full powershell session just like running `powershell.exe`, but will *always* be in Full Language Mode.
This is accomplished by doing the following:
1. We reflectively load the internal `SystemPolicy` class within `System.Management.Automation`
2. We ensure the static method `GetSystemLockdownPolicy` has been compiled by the JIT engine.
3. We retrieve a function pointer for the compiled method.
4. We utilize VirtualProtect to ensure the function code is writable.
5. We overwrite the method with the stub `xor rax,rax; ret`. This effectively forces `GetSystemLockdownPolicy` to return `SystemEnforcementMode.None`.
6. We utilize the `Microsoft.PowerShell.ConsoleShell` module to load an interactive PowerShell session within this process.We also implement a method similar to the `rasta-mouse` AMSI Bypass to ensure the new shell is not scanned by AMSI.
It's worth noting that this will not spawn `powershell.exe`. The PowerShell prompt and interpreter are run from memory in the current process.
## Executing a FLM Shell under AppControl
If `AppControl` is enabled, you can use the well known `InstallUtil` method. This project supports being loaded by `InstallUtil`. Simply place the binary in a safe directory (`C:\Windows\Tasks\` is a common safe directory) and run the following:
```batch
REM find `InstallUtil`
dir \Windows\Microsoft.NET\* /s/b | findstr InstallUtil.exe$
REM Run the FLM powershell session
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false /U "C:\Windows\Tasks\bypass-clm.exe"
```