NSIS Installer Stub

Wrapping malware inside a Nullsoft (NSIS) installer so the payload ships as compressed data the setup stub extracts and runs at install time.

NSIS (Nullsoft Scriptable Install System) is a legitimate open-source tool for building Windows installers. The compiler produces a single .exe whose code is a generic setup stub and whose data is a compressed archive of the files to install, driven by an embedded install script. Malware families abuse it constantly: the dropper looks like an ordinary installer, but the archive carries the real payload and the script's Section logic writes and launches it.

The appeal is that the malicious behaviour lives in interpreted NSIS script and compressed archive data, not in the PE's own code section. The setup stub itself is the same benign boilerplate that every NSIS-built installer ships, so a quick static glance sees a normal installer rather than a dropper.

How it works

After the PE's sections, as an overlay, an NSIS installer stores a firstheader block followed by a compressed (zlib/bzip2/LZMA) archive containing the compiled install script and the files to install. The stub locates the firstheader, decompresses entries to $PLUGINSDIR or $TEMP, and executes them:

```text
NSIS installer file layout
+----------------------------+ offset 0
| PE headers + setup stub    |  generic Nullsoft loader code
+----------------------------+ end of last section (overlay start)
| firstheader                |  flags, magic 0xDEADBEEF + "NullsoftInst"
|   header size, data size   |
+----------------------------+
| compressed block           |  install script + payload files
|   [LZMA/zlib/bzip2 data]   |  -> extracted to $PLUGINSDIR / $TEMP
+----------------------------+
```

The compiled script's section logic drops the payload and runs it:

```text
; decompiled NSIS install section (conceptual)
Section
  InitPluginsDir                      ; create the randomly named $PLUGINSDIR under $TEMP
  SetOutPath $PLUGINSDIR
  File       "payload.exe"            ; extract embedded malware
  Exec       "$PLUGINSDIR\payload.exe" ; launch it
SectionEnd
```

Detection & analysis

Static analysis: Search the file for the NSIS firstheader magic 0xDEADBEEF (the byte sequence EF BE AD DE, little-endian) immediately followed by the ASCII string NullsoftInst; tools like 7-Zip, nsisunbz, and the nsisdecompiler family open the archive directly and recover both the files and the compiled .nsi script (7-Zip releases up to 15.05 reconstruct the script as [NSIS].nsi; later releases list only the files). The compressed archive is appended after the last section as an overlay, so a large gap between the end of the last section and the file size, with a reading of roughly 7.8 bits/byte in that region, flags an embedded payload.

Dynamic analysis: Run the installer in a sandbox and watch $PLUGINSDIR (a randomly named folder under %TEMP%); breakpoint on CreateFileW, WriteFile, and CreateProcessW/ShellExecute to catch the dropped payload as it is written and launched. The extracted child process is the actual malware to analyse next.

Detection rule hint: Flag PE files that combine the NullsoftInst signature and 0xDEADBEEF firstheader with a child process spawned from a temp/plugins directory shortly after launch — typical of weaponised installers and unusual for software that installs to Program Files via a proper uninstaller entry.
