Archive: Installer made with NSIS?


Installer made with NSIS?
is there a way to detect if an installer was made using nsis without running it? i guess i could monitor if the installer creates a pluginsdir, but i don't want to run it.


open in resource hacker and look at the dialogs or search the exe for the string "NullsoftInst"


the reason why i was asking, an installer of mine calls another one. i'd love that installer to detect if the other is made using nsis (it might differ!), so i can use some default nsis commandline options. hence, reshacker is not a very good option.


You can use reshacker from the commandline.
You can try something like

ResHacker.exe -extract "installer.exe", assembly.rc,  24,,
Two files will be created: assembly.rc, which contains the filename of the other file.
This second file contains the assembly info in xml format. The 'name' value in assembly -> assemblyIdentity of an NSIS installer should be "Nullsoft.NSIS.exehead".
Hope this helps you, I'm not able test this right now.

You can also use commandline tool sigcheck.exe from Sysinternals to check the manifest of the installer.

Something like:

Sigcheck -i -m -h -a <installer.exe> | find "Nullsoft" /i


a exe manifest is not required, looking for NullsoftInst after the PE+sections is your best bet


thanks for the help, but i trying to keep my installer's footprints as low as possible. with an average installer size of 100kb, i will not add an extra 230kb (uncompressed) for reshacker. there is no "internal" way to solve this? what about the mighty system plugin?


you can probably do this without the system plugin even, just IntOp + FileOpen/ReadByte/Seek (But using the system plugin to read pointer sized numbers is probably less work than using filereadbyte and intop)

see
http://msdn.microsoft.com/en-us/magazine/cc301805.aspx
http://msdn.microsoft.com/en-us/magazine/cc301808.aspx
http://msdn.microsoft.com/en-us/library/ms809762.aspx
and http://nsis.svn.sourceforge.net/view...58&view=markup


phew, i previously used FileOpen/ReadByte/Seek on relatively small dll files and scanning them takes forever. i take it, the information relevant sits in a specific part (header?) of the file to be scanned? so could i limit my ReadByte/Seek to a portion of the file to get a quicker result?


the nsis header you are looking for (with the NullsoftInst signature) comes after the PE header and its sections, so you need to parse the PE header to figure out where it ends