Recently I stumbled upon an executable that appeared to be a PowerShell script converted into an executable.

I was curious to the actual script so I decided to have a look and see how I could convert the executable back into PowerShell.

Having seen similar techniques to turn vb scripts and java jar’s into executables I first looked if this particular executable was simply carrying the payload in the resource section.

I opened the executable with Resource Hacker and saw 2 resources (note that I am using a simple HelloWorld executable here in the screenshots). The first resource, named 1, is clearly a Unicode string with the title:

Resource Hacker Screenshot showing the resources

Resource Hacker – HelloWorld.exe


The second resource, named 4 is probably carrying the payload and is encrypted or obfuscated:

Resource Hacker showing the encrypted PowerShell script

Resource Hacker

I saved the resource as a .bin file and inspected it with a hex viewer:

Encrypted Data in Hex Viewer


The code turned out to be AES encrypted and I wrote a tool to decrypt it. As the decrypted code had a comment line Code generated by:  SAPIEN Technologies, Inc., PowerShell Studio 2016 v5.3.130 I could conclude that it was compiled using Sapien PowerShell Studio.

I asked a few PowerShell people I know to test my decryptor and they came back with positive results. In this testing I noticed that there were some different variants of the code that Sapien uses and so far I have identified 3 different ones which can be decrypted.

One tester noted of a different tool, ISESteroids, that can also convert PowerShell scripts into executables. ISESteroids uses a different technique but the decryptor tool also supports it.

The decryptor has the following commandline arguments:

ExeToPosh Screenshot showing the commandline arguments

ExeToPosh usage

Note that the tool comes in both 32- and 64 bit versions so you need to use the one that matches your binaries bitness (else you will get a System.BadImageFormatException).

Here’s an example of using it:

ExeToPosh Screenshot showing example usage

ExeToPosh Example (53 downloads)