Archive: I think this is needed now.


I have noticed quite frequently a very disturbing trend starting in online software distribution. More and more people are taking freeware programs and spyware installers and using NSIS to bundle them together. Because there is currently no decompiler for NSIS, it is impossible to check these files beforehand to see if they do anything evil to your system. I think that there should at least be a program developed that could extract the files to be installed from the installer w/o actually running it. That way the end user would be able to tell much more easily if the content was safe or not. This would help put an end to the use of NSIS to help spread spyware. BTW, if you don't believe me, just go and check around the net at sites like this (http://www.sherv.net)
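The request above is for a way to look inside an NSIS installer without executing it. As an added example (not code from the original thread or from the NSIS project), the script below does the first, static step of that: it locates the NSIS "firstheader" that the stub appends to its own executable, reads the flags and length fields, and runs the sanity checks a triage tool would want (truncation, bytes appended after the installer data, an unaligned header). The struct layout (flags, 0xDEADBEEF, "NullsoftInst", length_of_header, length_of_all_following_data) follows NSIS's own Source/exehead/fileform.h; the classification of the first data block as compressed/stored/solid is a heuristic I added, and the sample installer image is constructed inline for the demo rather than taken from a real installer. Actually unpacking the files would additionally need the decompressed header tables and the installer's compressor (zlib, bzip2 or LZMA); this stops at the header.

```python
"""Static triage of an NSIS installer: find and parse the firstheader.

Added example, not from the original post or the NSIS project. Field layout is the
firstheader struct from NSIS Source/exehead/fileform.h; the constructed sample
image below is fake and exists only so the script runs offline.
"""
import struct
import sys
from typing import Optional

FH_SIG = 0xDEADBEEF
FH_MAGIC = b"NullsoftInst"
FH_SIZE = 28  # int flags, int siginfo, char sig[12], int length_of_header, int total
FH_FLAGS = {1: "UNINSTALL", 2: "SILENT", 4: "NO_CRC", 8: "FORCE_CRC"}


def find_firstheader(image: bytes) -> int:
    """Return the offset of the firstheader, or -1 if the image is not NSIS."""
    needle = struct.pack("<I", FH_SIG) + FH_MAGIC  # siginfo + "NullsoftInst"
    pos = image.find(needle)
    return -1 if pos < 4 else pos - 4  # the 4-byte flags field precedes the signature


def parse_firstheader(image: bytes) -> Optional[dict]:
    """Parse the firstheader and report the checks a reviewer would want."""
    off = find_firstheader(image)
    if off < 0:
        return None
    flags, _sig, _magic, hdr_len, total_len = struct.unpack_from("<II12sII", image, off)
    end = off + total_len
    info = {
        "offset": off,
        # The stub scans itself in 512-byte steps, so a genuine header is aligned;
        # an unaligned match is worth a second look (assumption used as a check).
        "aligned_512": off % 512 == 0,
        "flags": flags,
        "flag_names": [name for bit, name in FH_FLAGS.items() if flags & bit],
        "header_len": hdr_len,          # size of the decompressed header block
        "total_len": total_len,         # firstheader + data block (+ trailing CRC)
        "has_crc": not (flags & 4),     # NO_CRC clear -> installer carries a CRC
        "truncated": end > len(image),  # claims more data than the file holds
        "trailing_bytes": max(0, len(image) - end),  # data appended after NSIS data
    }
    # Heuristic (my assumption, not from NSIS docs): in a non-solid build the first
    # data-block entry is the header, prefixed by a 4-byte length whose high bit
    # marks compression. Anything else is most likely a solid (whole-stream) build.
    if off + FH_SIZE + 4 <= len(image):
        first = struct.unpack_from("<I", image, off + FH_SIZE)[0]
        if first & 0x80000000 and (first & 0x7FFFFFFF) <= total_len:
            info["header_block"] = ("compressed", first & 0x7FFFFFFF)
        elif first == hdr_len:
            info["header_block"] = ("stored", first)
        else:
            info["header_block"] = ("solid-or-unknown", first)
    return info


def build_sample(flags: int = 0, hdr_len: int = 200, crc: int = 0x12345678) -> bytes:
    """Constructed fake installer: 1024-byte stub, firstheader, two data blocks, CRC."""
    stub = b"MZ" + b"\x00" * 1022
    header_block = b"\x78\x9c" + b"\x00" * 40             # fake compressed header
    block1 = struct.pack("<I", 0x80000000 | len(header_block)) + header_block
    block2 = struct.pack("<I", 5) + b"hello"               # a stored (uncompressed) block
    body = block1 + block2
    total = FH_SIZE + len(body) + 4                        # firstheader + blocks + CRC
    fh = struct.pack("<II12sII", flags, FH_SIG, FH_MAGIC, hdr_len, total)
    return stub + fh + body + struct.pack("<I", crc)


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample()
    result = parse_firstheader(data)
    print("not an NSIS installer" if result is None else result)
```

Run it with a path to an installer to print the parsed header, or with no argument to run it over the constructed sample. A "truncated" result means the installer is damaged or was cut off; a non-zero "trailing_bytes" means something was appended after the NSIS data, which is exactly the sort of thing you would want to look at before double-clicking.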


Re: I think this is needed now.

Originally posted by AnonUser
I think that there should at least be a program developed that could extract the files to be installed from the installer w/o actually running it.
Two comments:

1. NSIS is open source. When someone says that "something should be done" when discussing an open source project, specifically regarding a programming task, it is often suggested that the person making the request be the person who does the work. I don't care to speculate on what motivates people to respond like this, and I don't know if it will happen in the NSIS community. Be prepared. Take a minute to cool off before responding if you feel insulted.

2. AFAIK, this request has been made before. The general consensus seemed to be that creating a tool allowing users to peek into other people's installers wouldn't be very polite. Specifically, people claim it would make it possible to bypass copy-prevention mechanisms built into the installer, or examine data that the installer's creator did not intend to be viewed. This is not true, but you might meet some resistance in this area.

I saw one free DVD-player installer with spyware, but from where I sit, the efficiency of your proposal would be very low. 95% of end users can only click the Next button (and most of them have problems with this button too :( ), 4% can change the installation folder to My Documents or the Desktop and then uninstall the program ASAP (along with everything else; don't forget RMDir /r $INSTDIR in the uninstaller :) ). And the last 1% will spot the spyware during installation anyway.


I think you have to keep in mind that -any- application that you allow to execute could do very nasty things to your computer. If an NSIS decompiler exists, who is to say the decompiler doesn't contain a trojan?

If you're really paranoid about things, visit www.sysinternals.com, and download tools such as DiskMon, FileMon, RegMon and TDIMon to keep an eye on disk access, file access, registry access and network access (no packet dumps in it though).
If you're really, really paranoid, then get an industrial-strength runtime decompiler, learn assembly language, learn all the bells and whistles of Windows API calls, etc. You'll never get the source .NSI files out of the executable, so you'd need to learn these :)

--------------------------------------------------

On the flip side - I do think that those creating installers could help the paranoid / power users out.

My installer, for example, does force everybody to go through an EULA page (with much thanks to ScrollLicense to void the 'click-through generation' argument). However, the user then ends up at an Install Type page with:
(o) Typical
( ) Custom
( ) Dump Files (expert users only)

Where "Dump Files" dumps all the files that would normally be installed to various locations, along with instructions on e.g. what would be adjusted in the registry, other programs' files (ini files in my case), environment variable changes, etc. to a single location - and shows the instructional file to the user.
This is mainly intended for 'power users', where the software being installed may be integrated in network deployment software, or where Typical/Custom don't suffice for their setup.
However, it can be used just as well by the paranoid to have at least some sense of the installer doing nothing at all, and just spitting out its guts. There's still some level of trust required, of course, that the installer doesn't do anything -beside- dumping the files.


There is nothing to prevent spyware vendors from using InstallShield, InstallAnywhere or InnoSetup to bundle and distribute their wares. Do those installers allow you to inspect their contents?
Why is this an NSIS issue?


Well, if you must,

try the demo of PE Explorer from http://www.heaventools.com/

Maybe we should not have made NSIS so good; then SW creators would have used another tool ;)

And of course, if that is not good enough, wrap your application with an Authenticode signature and help with:

http://sourceforge.net/projects/osslsigncode/

At least that's what I'm going to do to improve the world...


I agree with the majority of you all. I do not see a need for a decompiler to be made. As Takhir said, most (>95%) users will have no idea how to use a decompiler to examine the contents of an NSIS installer. Secondly, people should be downloading installers from places they trust in the first place, that's the first and best line of defense, don't even expose your computer to anything harmful. And lastly, developers would lose the ability to protect the contents of the installer. For example, I have customers that have purchased varying levels/amounts of our software. Currently, I can still send out just 1 installer/update to all our customers, and only extract what the customer has paid for and leave the goodies they have not paid for safely stored away in the installer.

AnonUser, while there would be some advantage to a decompiler, there would not be a net benefit.


AnonUser, while there would be some advantage to a decompiler, there would not be a net benefit.
There wouldn't be a great benefit for either side. Until ISPs take care of those who abuse their internet connections to create spyware (greater rights for users), users won't be protected from what other people produce either (greater rights for developers).

This is like getting games for free on the internet when they are actually paid products. If a lot of people are getting those, then companies have the right to put more and more protections into the games. Who receives the blame? The companies. But who caused the problem? The users who don't allow that to be enforced.

And the problems go on and on...