Python script to extract embedded data from binaries generated by SAPIEN Script Packager
Switch branches/tags
Nothing to show
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Permalink
Type Name Latest commit message Commit time
Failed to load latest commit information.
.gitignore
LICENSE
README.md
requirements.txt
unsapien.py

README.md

unsapien

unsapien is a Python script developed in order to extract scripts, files and configuration from executables created by SAPIEN Script Packager available in products such as:

Script has been initially created in order to quickly extract and triage PowerShell scripts from a large number of (potentially malicious) executables found on VirusTotal.

Requirements

This script needs Python 2.7.x and has been tested on macOS High Sierra and Ubuntu 17.10. Following additional Python modules are needed:

  • hexdump
  • pefile
  • construct (>=2.9)
  • pbkdf2
  • pycrypto

Usage

usage: unsapien.py [-h] [-v] [-d directory] file

Extracts embedded scripts, files and configuration from binaries generated by
SAPIEN Script Packager (available e.g. in PowerShell Studio or PrimalScript)

positional arguments:
  file                  Input file

optional arguments:
  -h, --help            show this help message and exit
  -v, --verbose         Enable verbose output
  -d directory, --dump directory
                        Dump files to specified directory

Limitations

Script is based solely on data obtained from analysis performed on limited number of executables found on VirusTotal and may not work with all versions of SAPIEN Script Packager.

References

ExeToPosh is a tool written by @RemkoWeijnen and capable of extracting scripts packaged by some versions of SAPIEN PowerShell Studio.

Blog post by @mattifestation showing how to dynamically extract script content from binaries generated by SAPIEN PrimalScript.