Add-Type
Compile and load C# or other .NET language code at runtime. Enables direct Windows API access and arbitrary .NET code execution without touching disk.
Binary Paths
PowerShell cmdlet
Glob Patterns
| Pattern | Notes |
|---|---|
& (gcm A*-T*) -TypeDefinition 'public class C { ... }'
|
Wildcards on both verb and noun |
& (gcm Add-Ty*) -TypeDefinition ...
|
Star suffix matches 'pe' |
& (gcm A?d-Type) -TypeDefinition ...
|
Single char wildcard replaces 'd' |
& (gcm *-Type) -TypeDefinition ...
|
Prefix wildcard — use -CommandType Cmdlet to limit results |
& (gcm A*-T*) -MemberDefinition '[DllImport("kernel32.dll")] public static extern ...' -Name Win32 -Namespace API
|
-MemberDefinition form for P/Invoke — inline DllImport without a full class definition |
& (gcm A[c-e]d-Type) -TypeDefinition 'public class C { ... }'
|
Character range [c-e] matches 'd' in Add — only character in range that satisfies Add-Type |
& ($ExecutionContext.InvokeCommand.GetCommand('A*-Type','Cmdlet')) -TypeDefinition 'public class C { ... }'
|
Engine-level cmdlet resolution via InvokeCommand.GetCommand — bypasses Get-Command entirely; A*-Type resolves to Add-Type |
& (gcm ('{0}dd-{1}' -f 'A','Type')) -TypeDefinition 'public class C { ... }'
|
-f format operator constructs the cmdlet name 'Add-Type' from string fragments before gcm resolves it |
Pattern Tester
$
Try typing Add-Type or a full path like PowerShell cmdlet
YARA Rule
Auto-generated detection rule for Add-Type
Platform Notes
Add-Type compiles C# code in memory (using the .NET compiler) and loads the resulting assembly into the PowerShell session. It enables P/Invoke for Windows API calls: Add-Type -MemberDefinition '[DllImport("kernel32.dll")] ...' -Name Win32 -Namespace API. No files are written to disk by default when using -TypeDefinition or -MemberDefinition.