Yup, me neither – until today.<\/p>\n
Turns out that this is a very old school InstallShield setup program.<\/p>\n
It has an interesting property that it is signed and exists on lots of versions of Windows.<\/p>\n
It turns out that you can use it for at least two different purposes.<\/p>\n
- \n
- Side-load _setup.dll it relies on (signed .exe loading unsigned DLL)<\/li>\n
- Spawn .exe of your choice, breaking the process tree in a very lame way<\/li>\n<\/ul>\n
The first one is trivial.<\/p>\n
The second one is the really weird one – we have to create a fake setup directory layout that will allow us to execute program of our choice.<\/p>\n
We need these files to pull it off:<\/p>\n
- \n
- _inst32i.ex_\n
- \n
- the binary that is required by setup.exe; after toying around with an existing _inst32i.ex_ file from some old installation I came up with this minimalistic file layout that you need to save as _inst32i.ex_<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n
00 : 2A AB 79 D8 00 01 00 00 00 00 00 00 00 00 00 00 *.y............. 000\r\n10 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 016\r\n20 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 032\r\n30 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 048\r\n40 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 03 00 ................ 064\r\n50 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 080\r\n60 : 00 00 00 00 00 00 0B 00 49 4E 53 54 41 4C 4C 2E ........INSTALL. 096\r\n70 : 45 58 45 01 00 58 00 00 00 00 00 00 00 00 00 00 EXE..X.......... 112\r\n80 : 00 00 00 00 00 00 00 00 00 00 09 00 7A 64 61 74 ............zdat 128\r\n90 : 61 2E 64 6C 6C 01 00 5A 00 00 00 00 00 00 00 00 a.dll..Z........ 144\r\nA0 : 00 00 00 00 00 00 00 00 00 00 00 00 0B 00 57 55 ..............WU 160\r\nB0 : 54 4C 39 35 69 2E 44 4C 4C 01 00 58 00 00 00 00 TL95i.DLL..X.... 176\r\nC0 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 192\r\nD0 : 0A 00 42 4F 4F 54 31 36 2E 45 58 45 01 00 58 ..BOOT16.EXE..X 208<\/pre>\n
- \n
- _setup.dll\n
- \n
- already on the system<\/li>\n<\/ul>\n<\/li>\n
- layout.bin\n
- \n
- just type “echo > layout.bin”<\/li>\n<\/ul>\n<\/li>\n
- setup.exe\n
- \n
- already on the system, signed<\/li>\n<\/ul>\n<\/li>\n
- SETUP.LID<\/li>\n<\/ul>\n
[Languages]\r\nkey0=0009\r\nDefault=0009\r\ncount=1<\/pre>\n
Finally, the payload – save it inside this file:<\/p>\n
- \n
- xtract_all.exe<\/li>\n<\/ul>\n
or, make xtract_all.exe a dummy and store the payload inside the\u00a0 _isdel.exe file.<\/p>\n
Now, all you have to do is to run:<\/p>\n
setup.exe \/extract_all \/s<\/pre>\n
This will execute setup.exe in a silent mode, and will force it to launch both xtract_all.exe and _isdel.exe.<\/p>\n
Interestingly, the _isdel.exe is launched from the same directory, but xtract_all.exe will be executed from the %TEMP% directory.<\/p>\n
![\"\"](\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2017\/10\/setupexe.png\")
<\/a><\/p>\nYup. It’s complicated, I told you \ud83d\ude09<\/p>\n
This can be taken a step further. Instead of using the \/extract_all trick, you can actually generate your own _inst32i.ex_ file that may hold the payload. Since it’s an old proprietary InstallShield package file format, it is unlikely its content is scanned for malware. To generate a payload you may either use an InstallShield installer (if you can find one!), or.. reverse engineer the package file format…<\/p>\n","protected":false},"excerpt":{"rendered":"
This is probably the most bizarre way of breaking the process tree you will see today, but well, it works, so there you go… Have you ever wondered what these guys are? C:\\Windows\\System32\\InstallShield\\setup.exe C:\\Windows\\SysWOW64\\InstallShield\\setup.exe Yup, me neither – until today. … Continue reading
- xtract_all.exe<\/li>\n<\/ul>\n
- _setup.dll\n
- the binary that is required by setup.exe; after toying around with an existing _inst32i.ex_ file from some old installation I came up with this minimalistic file layout that you need to save as _inst32i.ex_<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n
- _inst32i.ex_\n