Analysing PS2EXE executables…

In my older posts I have shown how to deal with ‘encrypted’ or otherwise ‘protected’ script-to-exe executable files that aim to hide, obfuscate, or otherwise make scripts used to generate them – unreadable f.ex. these generated with WinBatch, Perl2exe, 64-bit Autoit files, SHC files, etc. .

Today I will show you how to deal with Powershell scripts converted into executable file using Ps2exe tool.

These files are easy to recognize as they are .NET PE executables that include references to ‘PS2EXE’ string.

Provided the unmodified ps2exe version has been used to create these files you just need to run the following command in your VM (where sample is your target sample):

sample -extract:sample.ps1

Yup, it’s that simple.

Well, unless the extracted PowerShell script is heavily obfuscated, that is 🙂