{"id":8556,"date":"2023-06-01T22:52:56","date_gmt":"2023-06-01T22:52:56","guid":{"rendered":"https:\/\/www.hexacorn.com\/blog\/?p=8556"},"modified":"2023-06-03T22:10:38","modified_gmt":"2023-06-03T22:10:38","slug":"analysing-ps2exe-executables","status":"publish","type":"post","link":"https:\/\/www.hexacorn.com\/blog\/2023\/06\/01\/analysing-ps2exe-executables\/","title":{"rendered":"Analysing PS2EXE executables&#8230;"},"content":{"rendered":"\n<p>In my older posts I have shown how to deal with &#8216;encrypted&#8217; or otherwise &#8216;protected&#8217; script-to-exe executable files that aim to hide, obfuscate, or otherwise make the scripts used to generate them unreadable, f.ex. those generated with <a href=\"https:\/\/www.hexacorn.com\/blog\/2018\/12\/21\/enter-sandbox-part-20-intercepting-buffers-f-ex-python-code-from-compiled-binaries\/\" data-type=\"post\" data-id=\"5691\">WinBatch<\/a>, <a href=\"https:\/\/www.hexacorn.com\/blog\/2020\/11\/04\/memory-buffers-for-initiated\/\" data-type=\"post\" data-id=\"7499\">Perl2exe<\/a>, <a href=\"https:\/\/www.hexacorn.com\/blog\/2015\/01\/08\/decompiling-compiled-autoit-scripts-64-bit-take-two\/\" data-type=\"post\" data-id=\"2766\">64-bit Autoit files<\/a>, <a href=\"https:\/\/www.hexacorn.com\/blog\/2023\/01\/13\/decrypting-shell-compiled-shc-elf-files\/\" data-type=\"post\" data-id=\"8374\">SHC files<\/a>, etc.
<\/p>\n\n\n\n<p>Today I will show you how to deal with PowerShell scripts converted into an executable file using the <a href=\"https:\/\/github.com\/MScholtes\/PS2EXE\">Ps2exe<\/a> tool.<\/p>\n\n\n\n<p>These files are easy to recognize as they are .NET PE executables that include references to the &#8216;PS2EXE&#8217; string.<\/p>\n\n\n\n<p>Provided the unmodified ps2exe version has been used to create these files, you just need to run the following command in your VM (where <em>sample<\/em> is your target sample):<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">sample -extract:sample.ps1<\/pre>\n\n\n\n<p>Yup, it&#8217;s that simple.<\/p>\n\n\n\n<p>Well, unless the extracted PowerShell script is heavily obfuscated, that is \ud83d\ude42<\/p>\n","protected":false},"excerpt":{"rendered":"<p>In my older posts I have shown how to deal with &#8216;encrypted&#8217; or otherwise &#8216;protected&#8217; script-to-exe executable files that aim to hide, obfuscate, or otherwise make the scripts used to generate them unreadable, f.ex. 
these generated with WinBatch, Perl2exe, 64-bit &hellip; <a href=\"https:\/\/www.hexacorn.com\/blog\/2023\/06\/01\/analysing-ps2exe-executables\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[112,9],"tags":[],"_links":{"self":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/8556"}],"collection":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/comments?post=8556"}],"version-history":[{"count":6,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/8556\/revisions"}],"predecessor-version":[{"id":8562,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/8556\/revisions\/8562"}],"wp:attachment":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/media?parent=8556"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/categories?post=8556"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/tags?post=8556"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}