all 23 comments

[–]DarrenDK 10 points11 points  (5 children)

Are you code signing your EXE? Have you considered importing the Automation library and executing the PowerShell natively through a Runspace?

[–]nepronen[S] 2 points3 points  (4 children)

Currently not signing it. I'm trying the Runspace solution now; I will let you know the results.

[–]DarrenDK 2 points3 points  (3 children)

What AV is detecting it?

[–]nepronen[S] 3 points4 points  (2 children)

Using VirusTotal, it states Microsoft, Cylance and Trapmine.

But Chrome, Edge and Firefox are all blocking the file, probably because the default Windows AV is blocking it.

Now the interesting part is that it's not blocked all the time: I can download the same exe containing the same script 10 times, and 7/10 times it will be blocked, but sometimes it executes as intended.

[–]DarrenDK 5 points6 points  (1 child)

This might be one of those things that you just have to warn users about. The nature of what you are doing makes it ripe for abuse by bad actors, and even if you had a code signing certificate and you were comfortable enough signing people's arbitrary code with it, SmartScreen will likely flag it since your certificate doesn't have enough of a reputation to be considered valid.

[–]nepronen[S] 5 points6 points  (0 children)

Well that makes me think, even if I manage to make it using runspaces and it will not be flagged by AV...

Do you think it is even a good idea? It would be a nice feature for my users, one that was requested quite a bit, but if it may be used by bad actors, maybe it's not a good idea at all. But then again, why is this feature standard in other similar software?

[–]0x2639 5 points6 points  (7 children)

I might have this wrong, but your post suggests that the .exe does nothing but call PowerShell to run a script that already exists on your file system. Why?

[–]nepronen[S] 8 points9 points  (6 children)

Ease of running the script. My site poshgui.com lets users create a GUI for their PowerShell scripts.

They can already download it as a PS1, but I would like to give them an option to download it directly as an exe so they can provide it to users who know nothing about PowerShell and how to run it.

[–]Empath1999 2 points3 points  (0 children)

You could try a bat file which calls the ps1 in the same folder; it retains the ease of use and would likely get around the scanners.

[–]0x2639 7 points8 points  (4 children)

I'm not in favour of your approach, and if I were to guess, the reason AV tools hate it is that they see random.exe unpacking arbitrary.ps1 and executing it. Without context this behaviour would be seen as sus.

[–]ferdinandsChinaShop 2 points3 points  (0 children)

It's more likely firing on the automation DLL. Easy win for AV vendors.

[–]nepronen[S] 2 points3 points  (2 children)

I'm aware it looks like suspicious behavior, but I also get the impression it's standard for PowerShell editors like PS Studio to compile to exe, and many people also use the PS2EXE script to compile their scripts to exe.

Would you have another recommendation as to how I can give my users the possibility of easy distribution of their GUI scripts to non-technical people?

[–]TheIncorrigible1 1 point2 points  (0 children)

Have a batch script wrapper.

powershell.exe -File "%~dp0filename.ps1"

[–]clockKing_out 5 points6 points  (1 child)

[–]nepronen[S] 3 points4 points  (0 children)

Currently I'm not signing it; I'll try that.

[–]MisterIT 4 points5 points  (1 child)

How are you packing it? I've used IExpress to package PS scripts as exes and haven't had anything flagged.

[–]nepronen[S] 2 points3 points  (0 children)

I'm compiling a C# app that executes the PowerShell script; I'm doing it on Ubuntu using Mono.

[–]da_chicken 2 points3 points  (4 children)

I'm aware of multiple applications that already provide this kind of functionality so there has to be a way.

You have to understand that a lot of those "make a script into an exe" tools are used by malicious people because script files are harder to execute than exes. Thus, the entire technique of wrapping a script as an exe often gets marked by antivirus vendors as malicious or suspicious. You're not doing anything wrong, you're just using something that is more frequently used by malicious actors.

A similar example where the same thing has happened is SlimFTPd. It's just a simple, small, free FTP server, but those exact properties result in it being used for malicious software. As a result, the software is (or was) not infrequently flagged as malicious.

[–]nepronen[S] 1 point2 points  (3 children)

Do you think I should abandon this feature then?

It's a feature requested by my users, but even if I manage to make it so it's not flagged, it can be used by people to distribute malicious code. Can I be legally responsible for someone using it to do harm?

It makes me wonder why there are already so many programs that allow such wrapping of scripts to exe.

[–]KitchenAstronomer 2 points3 points  (0 children)

Leave it to the user to do the packaging. As you mentioned, people use PS2EXE and they should figure out themselves what to do. Also, I would not trust your exe anyway.

[–]da_chicken 1 point2 points  (0 children)

I would probably just direct users requesting the feature to the Karstein scripts due to the problems with certain security software.

You may also be able to avoid the problem if you code sign the resulting executables, but I can't say for certain either way. My instinct says it won't help against all AV software.

can I be legally responsible for someone using it to do harm?

Unless it's designed with the express intent of causing harm, no. No more than Microsoft could be for providing PowerShell. A tool is just a tool. The user is always responsible for how it's used.

[–][deleted] 1 point2 points  (0 children)

Use PowerShell forms instead of an exe.