Thursday, February 06, 2014

PowerGUI wraps PS1 to EXE - How does it work?

I have a lot of PowerShell scripts which I want wrapped as executables using PowerGUI (as PowerGUI Pro is free now).

PowerGUI lets you do that easily.




After this it gives you options to name the EXE, choose the .NET version to target, hide or show the console window in the background, password-protect your source, etc.




I thought maybe setting a password would protect my source, and I was curious how it really works.

But it works a bit differently than I thought. When you share this EXE with your colleagues, you also need to share the password above in order for them to use it.




In this case I have a simple script which creates a simple UI and asks for a Computer name to reboot.




When I give a wrong machine name it throws an error, and if you look at the highlighted entry it points to a PS1.
If I go to the path in the error message I can see the source lying around:




Now, I haven't put any hard-coded credentials in it (BTW, that's a bad practice).
Although PowerGUI wraps the PS1 as an EXE, it eventually puts the PS1 in a temporary location and executes it.

Now I can hide the console window in the background just as a precaution, but my source PS1 is still lying around on the system.
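Because the wrapped EXE leaves the PS1 readable in a temporary location, anything hard-coded in the script is exposed to whoever runs it. The following is an added example, not part of the original post or of PowerGUI, that audits a script for hard-coded credentials before it is packaged; the function name `Find-HardCodedSecret`, the variable-name patterns and the sample script are assumptions constructed for illustration.

```powershell
# Added example: audit a PS1 for hard-coded secrets before wrapping it as an EXE.
# Find-HardCodedSecret and its name patterns are hypothetical, not part of PowerGUI.
function Find-HardCodedSecret {
    param([Parameter(Mandatory)][string]$ScriptText)

    # Parse only; nothing in the script is executed
    $tokens = $null; $errors = $null
    $ast = [System.Management.Automation.Language.Parser]::ParseInput(
        $ScriptText, [ref]$tokens, [ref]$errors)

    # A quoted string literal (bare words such as command names do not count)
    $isLiteral = { param($n)
        $n -is [System.Management.Automation.Language.StringConstantExpressionAst] -and
        $n.StringConstantType -ne 'BareWord' }

    $hits = $ast.FindAll({ param($n)
        if ($n -is [System.Management.Automation.Language.AssignmentStatementAst]) {
            # Secret-looking variable whose entire right-hand side is one literal
            $lit = $n.Right.Find($isLiteral, $false)
            return ($n.Left.Extent.Text -match 'pass|pwd|secret|token|apikey') -and
                   $lit -and ($lit.Extent.Text -eq $n.Right.Extent.Text)
        }
        if ($n -is [System.Management.Automation.Language.CommandAst]) {
            # ConvertTo-SecureString fed a literal instead of prompted input
            return ($n.GetCommandName() -eq 'ConvertTo-SecureString') -and
                   (@($n.CommandElements | Where-Object { & $isLiteral $_ }).Count -gt 0)
        }
        return $false
    }, $true)

    foreach ($h in $hits) {
        [pscustomobject]@{
            Line = $h.Extent.StartLineNumber
            Text = $h.Extent.Text.Trim()
        }
    }
}

# Constructed sample script standing in for the PS1 about to be packaged
$sample = @'
$computer   = Read-Host 'Computer name to reboot'
$dbPassword = 'Summer2014!'
$secure     = ConvertTo-SecureString 'P@ssw0rd!' -AsPlainText -Force
Restart-Computer -ComputerName $computer -Credential (Get-Credential)
'@

Find-HardCodedSecret -ScriptText $sample | Format-Table -AutoSize
```

The check is a heuristic over the parsed syntax tree: it only sees quoted literals, so secrets built by concatenation or read from a file next to the script need a separate review.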

9 comments:

  1. http://www.sapien.com/blog/2012/04/30/how-safe-are-credentials-in-script-packages/

    We do not advise putting credentials into a script, but that was the question we have been asked. Our packager does not use temporary files unless specifically told to do so. It's not 100% secure of course but it keeps the regular folks out.

  2. Hi Alexander,
    Does PowerShell Studio support obscuring the password or other sensitive data too?
    The blog refers only to PrimalScript. Sure, that is one level of added security.

    Regards

  3. how about this? http://ps2exe.codeplex.com/

    Replies
    1. Hi Chaitanya... had used this a while back... forgot about it. Will give it a try and update the post.
      Thanks and Cheers :)

      ~Regards~
      Dex

    2. Hi Chaitanya,
      Sorry this took so long to reply. I tried the ps2exe CodePlex project and indeed it doesn't dump the PS1 somewhere, but as per the developer of the project it has the whole script encoded and embedded, which I was able to retrieve using dotPeek.

      I think that will make a good post.
      Thanks again for suggesting it :)

  4. PrimalScript and PowerShell Studio share the same packager. So yes, it applies.
    Everything you package is encrypted and not visible for anyone looking at the exe with a binary editor.
    Keep in mind that it will have to be decrypted at some point to run the script, so you can potentially get to it with a debugger.
    Think of it like a car lock. You lock your car to keep the riff-raff out but it won't defeat the car thief with the tow truck :-)

    Replies
    1. Thanks Alexander...that makes sense.

      BTW I think Sapien makes great tools, am a big fan of PowerShell Studio.
      I bet every PowerShell Scripter does want it in their Toolkit...makes the GUI dev so easy.

  5. I got probs with it.

    After I compiled to EXE to my desktop I cannot execute it from anywhere else.
    Or if I compiled to EXE to a USB drive then it will execute only from USB.
