2. NSIS Discussion
  3. Installer made with NSIS?

Archive: Installer made with NSIS?


Yathosho
23rd September 2009 11:42 UTC

Installer made with NSIS?
is there a way to detect if an installer was made using nsis without running it? i guess i could monitor if the installer creates a pluginsdir, but i don't want to run it.

Anders
23rd September 2009 12:20 UTC

open in resource hacker and look at the dialogs or search the exe for the string "NullsoftInst"

Yathosho
23rd September 2009 12:41 UTC

the reason why i was asking, an installer of mine calls another one. i'd love that installer to detect if the other is made using nsis (it might differ!), so i can use some default nsis commandline options. hence, reshacker is not a very good option.

jpderuiter
23rd September 2009 16:21 UTC

You can use reshacker from the commandline.
You can try something like

ResHacker.exe -extract "installer.exe", assembly.rc,  24,,
Two files will be created: assembly.rc, which contains the filename of the other file.
This second file contains the assembly info in xml format. The 'name' value in assembly -> assemblyIdentity of an NSIS installer should be "Nullsoft.NSIS.exehead".
Hope this helps you, I'm not able test this right now.

ErikET
28th September 2009 11:55 UTC

You can also use commandline tool sigcheck.exe from Sysinternals to check the manifest of the installer.

Something like:

Sigcheck -i -m -h -a <installer.exe> | find "Nullsoft" /i

Anders
28th September 2009 12:36 UTC

a exe manifest is not required, looking for NullsoftInst after the PE+sections is your best bet

Yathosho
28th September 2009 13:50 UTC

thanks for the help, but i trying to keep my installer's footprints as low as possible. with an average installer size of 100kb, i will not add an extra 230kb (uncompressed) for reshacker. there is no "internal" way to solve this? what about the mighty system plugin?

Anders
28th September 2009 16:17 UTC

you can probably do this without the system plugin even, just IntOp + FileOpen/ReadByte/Seek (But using the system plugin to read pointer sized numbers is probably less work than using filereadbyte and intop)

see
http://msdn.microsoft.com/en-us/magazine/cc301805.aspx
http://msdn.microsoft.com/en-us/magazine/cc301808.aspx
http://msdn.microsoft.com/en-us/library/ms809762.aspx
and http://nsis.svn.sourceforge.net/view...58&view=markup

Yathosho
1st October 2009 15:37 UTC

phew, i previously used FileOpen/ReadByte/Seek on relatively small dll files and scanning them takes forever. i take it, the information relevant sits in a specific part (header?) of the file to be scanned? so could i limit my ReadByte/Seek to a portion of the file to get a quicker result?

Anders
1st October 2009 15:52 UTC

the nsis header you are looking for (with the NullsoftInst signature) comes after the PE header and its sections, so you need to parse the PE header to figure out where it ends

Fork me on GitHub