Application installers are supposed to save you time, automatically configuring your PC to properly run their host application.
Unfortunately, many setup programs only exist as a way to get adware onto your system, sometimes without you even noticing.
One way to avoid this is to extract the contents of your setup file before you run it. At a minimum you’ll get a better idea of what your particular setup.exe contains, and you may find you can extract and run small applications without installing them at all.
Archiving software can often do this, at a basic level. Install 7-Zip, for instance, and you’ll be able to right-click Windows Installer files (*.MSI) and extract their contents.
This only gets you the source files, so there’s no information on what the installer was going to do, but just seeing the contents of your particular setup.msi might be useful.
Inno Setup Unpacker takes the process further by extracting both the application files and the setup script of Inno Setup installers. (It won’t work with other types of setup files, but Inno is so popular that you’ve a good chance of success.)
As you’d expect with this kind of tool, Inno Setup Unpacker doesn’t require installation itself. It’s an open-source command-line tool which arrives as a very tiny download (134KB), and once unpacked it’s ready to go.
Basic usage is simple enough. There are command line switches to list file contents, test for integrity, define paths and so on, but you can get by with nothing more than this:
innounp -x setup.exe
The command tells Inno Setup Unpacker to extract the components of setup.exe into the current folder.
Assuming this is an Inno Setup installer, the unpacker will probably produce an iss file, like install_script.iss -- the script which holds the instructions for the installer -- and an [app] folder with the application’s various components.
Check the [app] folder to see what it contains. If it’s something very simple, maybe a readme file, an internet shortcut, one executable, perhaps a DLL, then you can probably run it immediately without using the official installer.
There are no guarantees, though, so keep in mind that you’re on your own here. If the application crashes your PC or causes some data loss because it’s not been installed correctly -- unlikely, but not impossible -- then it’s your responsibility. We would only try this on relatively simple applications, and on systems which are fully backed up.
Decoding installation scripts
Unpacking installers isn’t just about looking at the source files, of course. The setup script can tell you a lot about the application, and you don’t have to be a developer to find it useful.
We tried Inno Setup Unpacker with NoVirusThanks Stream Detector, for example, a handy tool for detecting and working on alternate data streams. It worked, but our [app] folder had two files, StreamDetector,1.exe and StreamDetector,2.exe. What was going on?
We opened install_script.iss in Notepad, and browsed to the Files section, which began like this.
[Files]
Source: "{app}\StreamDetector,1.exe"; DestDir: "{app}"; DestName: "StreamDetector.exe"; Check: "Is64BitInstallMode"; MinVersion: 0.0,5.0; Flags: ignoreversion
Source: "{app}\StreamDetector,2.exe"; DestDir: "{app}"; DestName: "StreamDetector.exe"; Check: "not Is64BitInstallMode"; MinVersion: 0.0,5.0; Flags: ignoreversion
The "Source" parameter names the files we’re looking for.
"DestDir" tells the installer where the file should be placed. In this case it’s the application folder, but if it’s some other location you’ll be able to read it here.
The "Check" parameter is the one which answers our question, though. The installer places StreamDetector,1.exe on your system if "Is64BitInstallMode" is true, so that will be the 64-bit version. StreamDetector,2.exe is used if "not Is64BitInstallMode", so that’ll be the 32-bit build.
This is a good example of why companies might use an installer, when it doesn’t initially seem necessary. NoVirusThanks is an honest company, and not trying to install adware or do anything sneaky: they’re just making sure you get the appropriate 32 or 64-bit version, without having to choose it yourself.
But it’s also a good example of how unpacking the installer can pay off, as you can see there’s no harmful payload, and that it’s most likely safe to take the 32 or 64-bit build and run it anywhere, without installing first.
There are other useful elements to the script, and scanning the various sections can tell you more about what’s happening. Here are a few examples.
[Setup]
DefaultDirName={pf}\NoVirusThanks\Stream Detector
[Tasks]
Name: "desktopicon"; Description: "{cm:CreateDesktopIcon}"; GroupDescription: "{cm:AdditionalIcons}"; MinVersion: 0.0,5.0;
Name: "quicklaunchicon"; Description: "{cm:CreateQuickLaunchIcon}"; GroupDescription: "{cm:AdditionalIcons}"; MinVersion: 0.0,5.0;
[Run]
Filename: "{app}\StreamDetector.exe"; Description: "Open NoVirusThanks Stream Detector"; MinVersion: 0.0,5.0; Flags: shellexec postinstall skipifsilent nowait
As before, it’s not difficult to figure out the basic details.
DefaultDirName is the default storage location of the program ({pf} is your 32 or 64-bit Program Files folder).
The "Tasks" entries tell us this is one of those installers that will ask if you’d like a desktop or quick launch shortcut to the program.
And the "Run" entry tells us there will be a "run the program now" option when setup is complete. That’s just launching the main application, no other files or command line parameters involved, so it all looks safe and secure.
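The same read-through can be scripted. The Python below is an added example, not part of the original article or of Inno Setup Unpacker: it parses an extracted install_script.iss and lists [Files] and [Run] entries that write or execute outside the {app} folder, or that pass command line parameters. The sample script is constructed from the fragments quoted above, and the {tmp}\helper.exe line is a hypothetical entry included to show what a flagged result looks like.

```python
import re

# Constructed sample based on the script fragments quoted in the article,
# plus one hypothetical [Run] line (helper.exe) to show what gets flagged.
SAMPLE_ISS = r'''
[Setup]
DefaultDirName={pf}\NoVirusThanks\Stream Detector
[Files]
Source: "{app}\StreamDetector,1.exe"; DestDir: "{app}"; DestName: "StreamDetector.exe"; Check: "Is64BitInstallMode"; Flags: ignoreversion
Source: "{app}\StreamDetector,2.exe"; DestDir: "{app}"; DestName: "StreamDetector.exe"; Check: "not Is64BitInstallMode"; Flags: ignoreversion
[Run]
Filename: "{app}\StreamDetector.exe"; Description: "Open NoVirusThanks Stream Detector"; Flags: shellexec postinstall skipifsilent nowait
Filename: "{tmp}\helper.exe"; Parameters: "/S"; Flags: nowait
'''

# One parameter: Key: "quoted value" or Key: bare value, ended by ';' or end of line.
PARAM = re.compile(r'(\w+):\s*(?:"([^"]*)"|([^;]*))\s*(?:;|$)')

def parse_iss(text):
    """Return {section: [entry dict, ...]} for 'Key: value; ...' lines."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(';'):      # blank line or comment
            continue
        if line.startswith('[') and line.endswith(']'):
            current = sections.setdefault(line[1:-1], [])
        elif current is not None and PARAM.match(line):
            current.append({m.group(1): (m.group(2) if m.group(2) is not None else m.group(3).strip())
                            for m in PARAM.finditer(line)})
    return sections

def review(sections):
    """List entries that write or execute outside the {app} folder."""
    notes = []
    for f in sections.get('Files', []):
        if not f.get('DestDir', '').lower().startswith('{app}'):
            notes.append(f"[Files] {f.get('Source')} -> {f.get('DestDir')}")
    for r in sections.get('Run', []):
        outside = not r.get('Filename', '').lower().startswith('{app}')
        if outside or r.get('Parameters'):
            notes.append(f"[Run] {r.get('Filename')} {r.get('Parameters', '')}".rstrip())
    return notes

def variants(sections):
    """Map each Check condition to the source file it selects."""
    return {f['Check']: f['Source'] for f in sections.get('Files', []) if 'Check' in f}
```

Only [Files] and [Run] are checked here; sections such as [Registry] and [Code] still need to be read by hand.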
While this is easy enough, you probably won’t want to analyze installers on a regular basis. If you trust the developer, there’s little need; if the package is something vast and complex then you won’t be able to get much from it anyway.
Inno Setup Unpacker can give you a lot of information about more obscure installers, though, and on balance it’s well worth a place in your security toolkit.