feat(handler): support NSIS Installers #1255

jcrussell · 2025-09-03T14:56:52Z

Searches for "Nullsoft" in the manifest to avoid false positives. Possibly too strict.

Searches for "Nullsoft" in the manifest to avoid false positives. Possibly too strict. Fixes onekey-sec#1249

qkaiser · 2025-09-04T07:51:27Z

python/unblob/handlers/executable/pe.py

+        if not self.is_nsis(binary):
+            return None


This check should be moved to a custom extractor, say PEExtractor so that if there is a PE file chunk in a file it will be carved out.

In the PEExtractor you can check if it's NSIS and do this if it is:

Command("7z", "x", "-y", "{inpath}", "-o{outdir}").extract(inpath, outdir)

If it's not NSIS, do nothing. Unless you can think of anything to do with "normal" PE ?

qkaiser · 2025-09-04T07:52:18Z

python/unblob/handlers/executable/pe.py

+        """
+        Test if binary appears to be a Nullsoft Installer self-extracting archive
+
+        TODO: this series of tests is possibly too strict


I leave that call to you. I don't know much about NullSoft.

qkaiser · 2025-09-04T07:52:51Z

python/unblob/handlers/executable/pe.py

+        if not binary.has_resources:
+            return False
+
+        if not binary.resources_manager.has_manifest:
+            return False
+
+        return "Nullsoft" in binary.resources_manager.manifest


Can be simplified to:

Suggested change

if not binary.has_resources:

return False

if not binary.resources_manager.has_manifest:

return False

return "Nullsoft" in binary.resources_manager.manifest

return binary.has_resources and binary.resources_manager.has_manifest and "Nullsoft" in binary.resources_manager.manifest

qkaiser · 2025-09-04T07:56:06Z

python/unblob/handlers/executable/pe.py

+            // MZ header
+            4d 5a


Should we check for the "PE" signature (50 45 00 00) too ?

qkaiser · 2025-09-04T09:32:03Z

@jcrussell you should also create integration tests to check that the handler works as expected.

You have to create the following directories:

unblob/tests/integration/executable/pe/__input__
unblob/tests/integration/executable/pe/__output

I would put the following in the input directory:

a normal PE file
a normal PE file with prefix and suffix padding
a nullsoft PE file
a nullsoft PE file with prefix and suffix padding

To generate the output directory content, run the following:

find unblob/tests/integration/executable/pe/__input__ -type f -exec unblob -f -k -e unblob/tests/integration/executable/pe/__output__ {} \;

feat(handler): support NSIS Installers

7e1b6fd

Searches for "Nullsoft" in the manifest to avoid false positives. Possibly too strict. Fixes onekey-sec#1249

qkaiser self-assigned this Sep 4, 2025

qkaiser self-requested a review September 4, 2025 07:45

qkaiser added enhancement New feature or request format:executable python Pull requests that update Python code labels Sep 4, 2025

qkaiser reviewed Sep 4, 2025

View reviewed changes

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

feat(handler): support NSIS Installers #1255

feat(handler): support NSIS Installers #1255

Uh oh!

jcrussell commented Sep 3, 2025

Uh oh!

qkaiser Sep 4, 2025

Uh oh!

qkaiser Sep 4, 2025

Uh oh!

qkaiser Sep 4, 2025

Uh oh!

qkaiser Sep 4, 2025

Uh oh!

qkaiser commented Sep 4, 2025

Uh oh!

Uh oh!

feat(handler): support NSIS Installers #1255

Are you sure you want to change the base?

feat(handler): support NSIS Installers #1255

Uh oh!

Conversation

jcrussell commented Sep 3, 2025

Uh oh!

qkaiser Sep 4, 2025

Choose a reason for hiding this comment

Uh oh!

qkaiser Sep 4, 2025

Choose a reason for hiding this comment

Uh oh!

qkaiser Sep 4, 2025

Choose a reason for hiding this comment

Uh oh!

qkaiser Sep 4, 2025

Choose a reason for hiding this comment

Uh oh!

qkaiser commented Sep 4, 2025

Uh oh!

Uh oh!