# PowerShell Pipeline Runners

As we mentioned in [Powershell Basics](https://otter.gitbook.io/red-teaming/notes/powershell/powershell-basics), PowerShell's functionality does not live in the `powershell.exe` binary but in `System.Management.Automation.dll` (and its precompiled native image, `System.Management.Automation.ni.dll`). `powershell.exe` is only a host for that engine, so PowerShell commands and code can be run without the binary itself by using a PowerShell pipeline runner: any process that loads the CLR and that assembly can open a runspace and execute pipelines.

A project that showcases this is [UnmanagedPowerShell](https://github.com/leechristensen/UnmanagedPowerShell), which runs PowerShell from unmanaged (native C++) code in the following steps:

1. Loads the .NET common language runtime (CLR) into the current process using `CLRCreateInstance()` (or `CorBindToRuntime()` for older .NET versions)
2. Obtains a pointer to the default CLR AppDomain with `GetDefaultDomain()` and `QueryInterface()`
3. Loads the PowerShell runner, a custom C# assembly, from a byte array in memory with `appDomain->Load_3()`, so nothing is written to disk
4. Marshals the command or scriptblock to be executed into an argument array for the runner
5. Calls the runner's execution method in the assembly via reflection and collects the returned output
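
The piece the native host loads in step 3 is a small managed assembly that hosts the PowerShell engine itself. The following is an added example of such a runner written for this page, not UnmanagedPowerShell's own `PowerShellRunner` code; the namespace, class and method names (`PipelineRunnerExample.Runner.InvokePS`) are assumptions, and a native host would look them up by type and method name after `Load_3()`. It assumes a reference to `System.Management.Automation.dll` (version 3.0.0.0, from the GAC or the Microsoft.PowerShell reference assemblies):

```csharp
// Added example: a minimal PowerShell pipeline runner assembly.
// Not the UnmanagedPowerShell project's own code; names below are assumptions.
// Build as a class library (or console app, thanks to Main) that references
// System.Management.Automation.dll.
using System;
using System.Collections.ObjectModel;
using System.Management.Automation;
using System.Management.Automation.Runspaces;
using System.Text;

namespace PipelineRunnerExample
{
    public class Runner
    {
        // Hypothetical entry point: the native host resolves this by reflection
        // (type "PipelineRunnerExample.Runner", method "InvokePS") and invokes it
        // with the script text as its single string argument.
        public static string InvokePS(string command)
        {
            var output = new StringBuilder();

            // A fresh runspace per call: no state leaks between invocations.
            using (Runspace runspace = RunspaceFactory.CreateRunspace())
            {
                runspace.Open();

                using (PowerShell ps = PowerShell.Create())
                {
                    ps.Runspace = runspace;

                    // AddScript followed by AddCommand builds one pipeline:
                    // <script> | Out-String, so objects are rendered as text
                    // the same way the console host would print them.
                    ps.AddScript(command);
                    ps.AddCommand("Out-String");

                    Collection<PSObject> results;
                    try
                    {
                        results = ps.Invoke();
                    }
                    catch (RuntimeException ex)
                    {
                        // Parse errors and uncaught terminating errors surface
                        // here (ParseException derives from RuntimeException).
                        return "TERMINATING ERROR: " + ex.Message;
                    }

                    foreach (PSObject obj in results)
                    {
                        if (obj != null)
                        {
                            output.Append(obj.ToString());
                        }
                    }

                    // Non-terminating errors (e.g. Get-Item on a missing path)
                    // do not throw; they accumulate in the error stream.
                    foreach (ErrorRecord err in ps.Streams.Error)
                    {
                        output.AppendLine("ERROR: " + err.ToString());
                    }
                }

                runspace.Close();
            }

            return output.ToString();
        }

        // Convenience entry point so the runner can be tested stand-alone
        // before being embedded as a byte array in a native host.
        public static void Main(string[] args)
        {
            string script = args.Length > 0
                ? args[0]
                : "Get-Process | Select-Object -First 3 Name, Id";
            Console.Write(InvokePS(script));
        }
    }
}
```

Two caveats a practitioner should keep in mind when relying on this. First, the engine still has to come from somewhere: `clr.dll` and `System.Management.Automation.dll` are loaded into the host process, and an image-load event for that assembly in a process that is not `powershell.exe` is a common hunting signal. Second, telemetry that lives inside the engine rather than the console host still applies to every runspace: on PowerShell 5 and later, AMSI scanning and script block logging (event 4104 in `Microsoft-Windows-PowerShell/Operational`) see the script passed to `AddScript` exactly as they would in a normal PowerShell window. What this technique avoids is the `powershell.exe` process itself and its command line, not the engine's own logging.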
