Recently I stumbled upon an executable that appeared to be a PowerShell script converted into an executable.

I was curious to the actual script so I decided to have a look and see how I could convert the executable back into PowerShell.

Having seen similar techniques to turn vb scripts and java jar’s into executables I first looked if this particular executable was simply carrying the payload in the resource section.

I opened the executable with Resource Hacker and saw 2 resources (note that I am using a simple HelloWorld executable here in the screenshots). The first resource, named 1, is clearly a Unicode string with the title:

Resource Hacker Screenshot showing the resources

Resource Hacker – HelloWorld.exe

The second resource, named 4 is probably carrying the payload and is encrypted or obfuscated:

Resource Hacker showing the encrypted PowerShell script

Resource Hacker

I saved the resource as a .bin file and inspected it with a hex viewer:

Encrypted Data in Hex Viewer

test.bin

The code turned out to be AES encrypted and I wrote a tool to decrypt it. As the decrypted code had a comment line Code generated by:  SAPIEN Technologies, Inc., PowerShell Studio 2016 v5.3.130 I could conclude that it was compiled using Sapien PowerShell Studio.

I asked a few PowerShell people I know to test my decryptor and they came back with positive results. In this testing I noticed that there were some different variants of the code that Sapien uses and so far I have identified 3 different ones which can be decrypted.

One tester noted of a different tool, ISESteroids, that can also convert PowerShell scripts into executables. ISESteroids uses a different technique but the decryptor tool also supports it.

The decryptor has the following commandline arguments:

ExeToPosh Screenshot showing the commandline arguments

ExeToPosh usage

Note that the tool comes in both 32- and 64 bit versions so you need to use the one that matches your binaries bitness (else you will get a System.BadImageFormatException).

Here’s an example of using it:

ExeToPosh Screenshot showing example usage

ExeToPosh Example

Update 16-9-2020: Google is flagging my site as one that serves malicous files because ExeToPosh is triggering some antivirus products (false positives). As Google doesn’t respond to my clarifications I have published the source code on GitHub. This allows everyone to ensure there is no included malware, alternatively if you do trust me you can fetch the binary from the releases section on Github.