feat(handler): support NSIS Installers #1255
Conversation
@jcrussell you should also create integration tests to check that the handler works as expected. You have to create the following directories:
I would put the following in the input directory:
To generate the output directory content, run the following: find unblob/tests/integration/executable/pe/__input__ -type f -exec unblob -f -k -e unblob/tests/integration/executable/pe/__output__ {} \;
@jcrussell any update on this? Do you need assistance?
@qkaiser: I believe the code is close to final. Do you mind adding the integration test data? It is easier for me to release code than data. Here's what I have been testing with:
Thanks in advance!
return ValidChunk(
    start_offset=start_offset,
    end_offset=start_offset + binary.original_size,
original_size is the file size on disk, not the actual PE file size. Samples with a suffix are carved with the suffix, which is incorrect. I'm looking into it.
@jcrussell had to figure out how to handle LFS on forks, looks like it's okay now. Made some adjustments to keep pyright happy given LIEF's ability to return completely different types for the same object. We need to fix the way the end offset is calculated, it'll probably be based on sections size and header size. Without it, unblob considers everything after the PE as part of the PE chunk.
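As an added example, not code from this PR or from unblob (the handler itself parses with LIEF), the following computes a PE's end offset from SizeOfHeaders and the section table instead of the on-disk file size, so a payload appended after the last section (as NSIS does) is left out of the PE chunk. The sample PE is constructed inline with two sections.

```python
import struct

OPT_HDR_SIZE = 224   # size of a PE32 optional header
SECTION_ENTRY = 40   # size of one section table entry


def pe_end_offset(data: bytes) -> int:
    """Offset just past the last byte of the PE image on disk.

    Uses SizeOfHeaders and max(PointerToRawData + SizeOfRawData) over the
    section table, so any overlay appended after the last section is excluded.
    """
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    size_opt = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    end = struct.unpack_from("<I", data, opt + 60)[0]  # SizeOfHeaders
    table = opt + size_opt
    for i in range(num_sections):
        entry = table + i * SECTION_ENTRY
        size_raw, ptr_raw = struct.unpack_from("<II", data, entry + 16)
        if size_raw:  # uninitialised-data sections occupy no file bytes
            end = max(end, ptr_raw + size_raw)
    return end


def overlay(data: bytes) -> bytes:
    """Bytes after the PE image; for an NSIS installer this is the archive."""
    return data[pe_end_offset(data):]


def build_sample_pe(trailer: bytes = b"") -> bytes:
    """Constructed minimal PE32 (headers padded to 0x200) followed by `trailer`."""
    dos = b"MZ" + bytes(0x3C - 2) + struct.pack("<I", 64)          # e_lfanew = 64
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, OPT_HDR_SIZE, 0x102)
    opt = bytearray(OPT_HDR_SIZE)
    struct.pack_into("<H", opt, 0, 0x10B)    # PE32 magic
    struct.pack_into("<I", opt, 60, 0x200)   # SizeOfHeaders
    sections = b""
    for name, ptr, size in ((b".text", 0x200, 0x200), (b".data", 0x400, 0x100)):
        # Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, rest zero
        sections += name.ljust(8, b"\0") + struct.pack("<IIII", size, ptr, size, ptr) + bytes(16)
    headers = (dos + b"PE\0\0" + coff + bytes(opt) + sections).ljust(0x200, b"\0")
    return headers + bytes(0x300) + trailer   # section data spans 0x200..0x500
```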
…table Add support for PE file by relying on LIEF to parse PE file once matched on 'MZ' or 'PE' signature. If the file is a self-extractable NSIS executable ("Nullsoft.NSIS.exehead" present in manifest) we extract it with 7zip. Co-authored-by: Quentin Kaiser <[email protected]>
Thanks for moving this along!
I started looking into this:
Found this script that dumps a bunch of info, going to try a more complete look at all the parts tomorrow. https://github.com/lief-project/LIEF/blob/main/api/python/examples/pe_reader.py
This works for (some) non-NSIS PEs but trims off the data that NSIS adds after the PE that contains what we actually want to extract. The "trimmed" data is not recognized by any handler. It seems like we need to detect if it's an NSIS installer in
Searches for "Nullsoft" in the manifest to avoid false positives. Possibly too strict.
Fixes #1249