Recently I stumbled upon an executable that appeared to be a PowerShell script converted into an executable.
I was curious about the actual script, so I decided to have a look and see how I could convert the executable back into PowerShell.
Having seen similar techniques to turn VB scripts and Java JARs into executables, I first checked whether this particular executable was simply carrying the payload in its resource section.
I opened the executable with Resource Hacker and saw two resources (note that I am using a simple HelloWorld executable in the screenshots). The first resource, named 1, is clearly a Unicode string with the title:
The second resource, named 4, is probably carrying the payload, and it is encrypted or obfuscated:
I saved the resource as a .bin file and inspected it with a hex viewer:
The code turned out to be AES encrypted and I wrote a tool to decrypt it. As the decrypted code had the comment line "Code generated by: SAPIEN Technologies, Inc., PowerShell Studio 2016 v5.3.130",
I could conclude that it was compiled using Sapien PowerShell Studio.
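To reproduce the "save resource 4 as a .bin and inspect it" step without Resource Hacker, here is an added PowerShell example (it is not part of ExeToPosh and not the author's code). It assumes the layout described above, an RCDATA resource with ID 4, maps the file as a data file so nothing in it is executed, and reports the byte entropy of the dump, which is a quick indicator that the payload is encrypted rather than plain script text.

```powershell
# Added example: dump RCDATA resource #4 of a PowerShell-Studio-style exe to a file
# and measure its entropy. LOAD_LIBRARY_AS_DATAFILE maps the PE without running it.
$src = @"
using System;
using System.Runtime.InteropServices;
public static class ResDump {
    [DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    public static extern IntPtr LoadLibraryEx(string lpFileName, IntPtr hFile, uint dwFlags);
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern IntPtr FindResource(IntPtr hModule, IntPtr lpName, IntPtr lpType);
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern uint SizeofResource(IntPtr hModule, IntPtr hResInfo);
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern IntPtr LoadResource(IntPtr hModule, IntPtr hResInfo);
    [DllImport("kernel32.dll")]
    public static extern IntPtr LockResource(IntPtr hResData);
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool FreeLibrary(IntPtr hModule);
}
"@
Add-Type -TypeDefinition $src

function Export-RcData {
    # Assumed parameters: path to the suspect exe, resource ID (4 per the post), output file.
    param([string]$Path, [int]$ResourceId = 4, [string]$OutFile = "resource$ResourceId.bin")
    $LOAD_LIBRARY_AS_DATAFILE = 0x2   # map as data only: no entry point or DllMain runs
    $RT_RCDATA = 10                   # resource type for raw binary data
    $full = (Resolve-Path $Path).Path
    $h = [ResDump]::LoadLibraryEx($full, [IntPtr]::Zero, $LOAD_LIBRARY_AS_DATAFILE)
    if ($h -eq [IntPtr]::Zero) {
        throw "LoadLibraryEx failed, Win32 error $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
    }
    try {
        $info = [ResDump]::FindResource($h, [IntPtr]$ResourceId, [IntPtr]$RT_RCDATA)
        if ($info -eq [IntPtr]::Zero) { throw "RCDATA resource $ResourceId not found in $full" }
        $size = [int][ResDump]::SizeofResource($h, $info)
        $ptr  = [ResDump]::LockResource([ResDump]::LoadResource($h, $info))
        $buf  = New-Object byte[] $size
        [Runtime.InteropServices.Marshal]::Copy($ptr, $buf, 0, $size)
        [IO.File]::WriteAllBytes($OutFile, $buf)
        # Shannon entropy in bits per byte: plain script text stays well below ~6,
        # AES ciphertext approaches 8.
        $counts = @{}
        foreach ($b in $buf) { $counts[$b] = 1 + [int]$counts[$b] }
        $entropy = 0.0
        foreach ($c in $counts.Values) { $p = $c / $size; $entropy -= $p * [Math]::Log($p, 2) }
        [pscustomobject]@{ File = $OutFile; Size = $size; Entropy = [Math]::Round($entropy, 2)
                           LooksEncrypted = ($entropy -gt 7.0) }
    } finally { [void][ResDump]::FreeLibrary($h) }
}

Export-RcData -Path .\HelloWorld.exe -ResourceId 4 -OutFile .\resource4.bin
```

Because the file is mapped as a data file, this works regardless of whether the exe is 32- or 64-bit; only the decryption step that follows needs the matching ExeToPosh build.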
I asked a few PowerShell people I know to test my decryptor and they came back with positive results. In this testing I noticed that there are several variants of the code that Sapien uses, and so far I have identified three different ones, all of which can be decrypted.
One tester mentioned a different tool, ISESteroids, that can also convert PowerShell scripts into executables. ISESteroids uses a different technique, but the decryptor tool supports it too.
The decryptor has the following commandline arguments:
Note that the tool comes in both 32- and 64-bit versions, so you need to use the one that matches your binary's bitness (otherwise you will get a System.BadImageFormatException).
Here’s an example of using it:
Update 16-9-2020: Google is flagging my site as one that serves malicious files because ExeToPosh is triggering some antivirus products (false positives). As Google doesn't respond to my clarifications, I have published the source code on GitHub. This allows everyone to verify that there is no included malware; alternatively, if you do trust me, you can fetch the binary from the releases section on GitHub.
11 Responses for "Convert Executable to PowerShell"
Good job but the download link doesn’t work! Thanks for sharing 😉
The download works now! 🙂
Everything is so nice, so much work done, and here you are not providing the source code or anything else than the exe; you surely should work for Microsoft.
I'm not sure what bashing Microsoft adds here. With regards to the source code, I have reasons for not publishing it. The goal was to enable you to read exe PowerShell scripts before executing them, and that has been accomplished…
Not sure why you are responding so harshly; I have good reasons for not publishing the source code… The goal was to be able to view what's inside PowerShell executables, and that has been accomplished.
Too bad it looks like it has a trojan in it. I was hoping for a real solution, not to get my enterprise owned.
Hi Reggie, I can tell you the alert is a false positive, and I've even reported that to several AV vendors, but sadly, due to the nature of the program (encryption and loading resources from the exe), it triggers some AVs.
If you don’t trust me on this, try it in a VM or a sandbox solution such as Sandboxie.
Hi Remko,
When using your tool it says "password ????????????>??????????" and the output is still encrypted. Do you know why? Can you tell more about how you found the key and IV?
Cheers,
Squ1zZy
There’s a document online how to decrypt an executable using a newer version of PowerShell Studio:
https://www.thalpius.com
Hey mate, thanks for writing this.
I tried it today and am getting the following:
C:\Temp>ExeToPosh.exe /i Monitor.exe /o test.ps1
ExeToPosh 0.2 written by Remko Weijnen
Input file: Monitor.exe
Output file: test.ps1
Packer: Sapien (PowerShell Studio) variant 3
Unhandled Exception: System.ArgumentNullException: Value cannot be null.
Parameter name: source
at System.Runtime.InteropServices.Marshal.CopyToManaged(IntPtr source, Object destination, Int32 startIndex, Int32 length)
at ExeToPosh.Program.LoadProperties(Assembly ass)
at ExeToPosh.Program.Main(String[] args)
followed by a crash window.
I am running the x64 version on x64 Win 10 1803, under an elevated command prompt.
Any suggestions?
Can you share the exe?