Skip to content
master
Switch branches/tags
Go to file
Code

Latest commit

 

Git stats

Files

Permalink
Failed to load latest commit information.
Type
Name
Latest commit message
Commit time
 
 
 
 
 
 
 
 

README.md

unsapien

unsapien is a Python script developed in order to extract scripts, files and configuration from executables created by SAPIEN Script Packager available in products such as:

Script has been initially created in order to quickly extract and triage PowerShell scripts from a large number of (potentially malicious) executables found on VirusTotal.

Requirements

This script needs Python 2.7.x and has been tested on macOS High Sierra and Ubuntu 17.10. Following additional Python modules are needed:

  • hexdump
  • pefile
  • construct (>=2.9)
  • pbkdf2
  • pycrypto

Usage

usage: unsapien.py [-h] [-v] [-d directory] file

Extracts embedded scripts, files and configuration from binaries generated by
SAPIEN Script Packager (available e.g. in PowerShell Studio or PrimalScript)

positional arguments:
  file                  Input file

optional arguments:
  -h, --help            show this help message and exit
  -v, --verbose         Enable verbose output
  -d directory, --dump directory
                        Dump files to specified directory

Limitations

Script is based solely on data obtained from analysis performed on limited number of executables found on VirusTotal and may not work with all versions of SAPIEN Script Packager.

References

ExeToPosh is a tool written by @RemkoWeijnen and capable of extracting scripts packaged by some versions of SAPIEN PowerShell Studio.

Blog post by @mattifestation showing how to dynamically extract script content from binaries generated by SAPIEN PrimalScript.

About

Python script to extract embedded data from binaries generated by SAPIEN Script Packager

Resources

License

Releases

No releases published

Packages

No packages published

Languages