Category:Digital-Forensics/Computer-Forensics/Anti-Reverse-Engineering/Packers/NSIS-Nullsoft-Scriptable-Install-Systems
Description
Some malware is packed with the Nullsoft Scriptable Install System (NSIS), a professional open source system for creating Windows installers.
Unpacking
The NSIS installer is a 7z archive that contains several directories, for example:
- $EXEDIR
- $PLUGINSDIR. Additional information about NSIS plugins can be found here: http://nsis.sourceforge.net/Category:Plugins
- $SHELL[17]
- $TEMP
Unpacking such malware is as easy as uncompressing the archive using 7zip.
    $ 7z x b999d1ad460bd367275a798b5f334f37.exe

    7-Zip [64] 9.20 Copyright (c) 1999-2010 Igor Pavlov 2010-11-18
    p7zip Version 9.20 (locale=fr_FR.utf8,Utf16=on,HugeFiles=on,8 CPUs)

    Processing archive: b999d1ad460bd367275a798b5f334f37.exe

    Extracting $TEMP/NRWConfig.exe
    Extracting $TEMP/setup.dat

    Everything is Ok

    Files: 2
    Size: 159246
    Compressed: 135127
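Before extracting, a sample can be confirmed as NSIS-packed by locating the installer's "firstheader" that follows the executable stub. The script below is an added example, not part of the original page; the header layout follows the NSIS source (fileform.h), while the function names and the constructed sample are this example's own.

```python
import struct
import sys

# NSIS firstheader (little-endian), as defined in the NSIS source (fileform.h):
#   flags, siginfo (0xDEADBEEF), "NullsoftInst", header length, archive length
FH_SIG = 0xDEADBEEF
FH_MAGIC = b"NullsoftInst"
FH_FMT = "<II12sII"
FH_SIZE = struct.calcsize(FH_FMT)  # 28 bytes


def find_nsis_header(data):
    """Return the parsed firstheader as a dict, or None if the file is not NSIS.

    The installer stub searches for its own header on 512-byte boundaries,
    so only those offsets are checked here.
    """
    for off in range(0, len(data) - FH_SIZE + 1, 512):
        flags, sig, magic, hdr_len, arc_len = struct.unpack_from(FH_FMT, data, off)
        if sig == FH_SIG and magic == FH_MAGIC:
            return {
                "offset": off,            # where the stub ends and the archive begins
                "flags": flags,
                "header_len": hdr_len,    # size of the uncompressed script header
                "archive_len": arc_len,   # firstheader + all data that follows it
                # A truncated sample will not extract cleanly
                "truncated": off + arc_len > len(data),
            }
    return None


def make_sample(payload_len=64, stub_len=1024):
    """Constructed test input: fake 'MZ' stub + firstheader + dummy payload."""
    stub = b"MZ".ljust(stub_len, b"\x00")
    fh = struct.pack(FH_FMT, 0, FH_SIG, FH_MAGIC, 0x100, FH_SIZE + payload_len)
    return stub + fh + b"\xAA" * payload_len


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            blob = f.read()
    else:
        blob = make_sample()  # no file given: run on the constructed sample
    print(find_nsis_header(blob) or "no NSIS firstheader found")
```

The script only reads the file and never executes it, so it is safe to run on a live sample; `truncated` flags incomplete downloads or carved files where the extraction step may fail.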