For a few days, I collected a few samples of malicious MSI files. MSI files are Windows Installer packages that Windows users can execute to install software on a Windows system. Of course, you can replace “software” with “malware”. MSI files look less suspicious, and they can bypass simple filters based on file extensions like “(com|exe|dll|js|vbs|…)”. They also look less dangerous because they are Composite Document Files:
$ file sample.msi
Just based on the information returned by the UNIX file command, you can already suspect the file: the tool used to create the MSI file is MSI Wrapper. This tool is not malicious and can be very useful, but it looks like it is also being used by bad guys...
In fact, MSI files are small databases laid out in a structured storage file. The content of an MSI file can be extracted with tools like 7z. The structure is always the same:
The files whose names start with an exclamation point are the database tables. It is possible to read them with the COM-based API for working with MSI files:
Const msiOpenDatabaseModeReadOnly = 0
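To make the structure concrete, here is an added Python example (not code from the diary or from the tools it mentions) that walks a Compound Document File's header, FAT and directory, lists its streams, and applies the MSI stream-name mapping that 7-Zip and libmsi use when they display a listing. That mapping is why the database tables show up with a leading exclamation point and why the summary stream appears as "[5]SummaryInformation". The image it parses is constructed inline with three streams; the helper names (decode_msi_name, list_streams, build_sample_cfb and so on) are my own.

```python
# Added illustration (not the diary's code): list the streams in a CFB/MSI image and
# decode the MSI stream-name compression behind 7-Zip's '!_Tables' style names.
import struct

CFB_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"
ENDOFCHAIN, FATSECT, FREESECT, NOSTREAM = 0xFFFFFFFE, 0xFFFFFFFD, 0xFFFFFFFF, 0xFFFFFFFF
# MSI packs two 6-bit symbols from this alphabet into one UTF-16 unit at 0x3800 + low + (high << 6).
MSI_ALPHABET = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz._"
MSI_BASE = 0x3800          # 0x3800-0x47FF: two symbols, 0x4800-0x483F: one symbol
MSI_TABLE_PREFIX = 0x4840  # first unit of every database table; 7-Zip shows it as '!'

def decode_msi_name(raw: str) -> str:
    """Turn a raw UTF-16 directory-entry name into the name 7-Zip would display."""
    out = []
    for ch in raw:
        code = ord(ch) - MSI_BASE
        if ord(ch) == MSI_TABLE_PREFIX:
            out.append("!")
        elif 0 <= code < 0x1040:
            out.append(MSI_ALPHABET[code & 0x3F])
            if (code >> 6) < 64:             # high part 64 marks a single trailing symbol
                out.append(MSI_ALPHABET[code >> 6])
        elif ord(ch) < 0x20:                 # "\x05SummaryInformation" -> "[5]SummaryInformation"
            out.append("[%d]" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)

def encode_msi_name(name: str, table: bool = False) -> str:
    """Inverse of decode_msi_name; used here only to build the constructed sample."""
    out, i = [chr(MSI_TABLE_PREFIX)] if table else [], 0
    while i < len(name):
        a = MSI_ALPHABET.find(name[i])
        b = MSI_ALPHABET.find(name[i + 1]) if i + 1 < len(name) else -1
        if a < 0:                            # outside the alphabet: stored verbatim
            out.append(name[i]); i += 1
        elif b >= 0:                         # two symbols in one unit
            out.append(chr(MSI_BASE + a + (b << 6))); i += 2
        else:                                # trailing single symbol
            out.append(chr(MSI_BASE + 0x1000 + a)); i += 1
    return "".join(out)

def _header(first_dir: int, fat_sectors: list) -> bytes:
    """512-byte CFB v3 header; FAT sector numbers go into the in-header DIFAT array."""
    difat = fat_sectors + [FREESECT] * (109 - len(fat_sectors))
    return (CFB_MAGIC + b"\0" * 16 + struct.pack("<HHHHH", 0x3E, 3, 0xFFFE, 9, 6) + b"\0" * 6
            + struct.pack("<9I", 0, len(fat_sectors), first_dir, 0, 0x1000, ENDOFCHAIN, 0, ENDOFCHAIN, 0)
            + struct.pack("<109I", *difat))

def _dir_entry(name: str, obj_type: int, start: int, size: int,
               right: int = NOSTREAM, child: int = NOSTREAM) -> bytes:
    """One 128-byte directory entry: UTF-16 name, type (2=stream, 5=root), links, start, size."""
    raw = name.encode("utf-16-le")
    return (raw.ljust(64, b"\0") + struct.pack("<HBBIII", len(raw) + 2, obj_type, 1, NOSTREAM, right, child)
            + b"\0" * 36 + struct.pack("<IQ", start, size))

def build_sample_cfb() -> bytes:
    """Constructed minimal image shaped like an MSI: one table, one embedded binary, the summary stream."""
    streams = [(encode_msi_name("_Tables", table=True), b"constructed table rows"),
               (encode_msi_name("Binary.payload"), b"constructed embedded binary"),
               ("\x05SummaryInformation", b"constructed summary info")]
    fat = [FATSECT, ENDOFCHAIN] + [ENDOFCHAIN] * len(streams)   # sector 0 = FAT, 1 = directory
    fat += [FREESECT] * (128 - len(fat))
    entries, body = [_dir_entry("Root Entry", 5, ENDOFCHAIN, 0, child=1)], b""
    for i, (name, payload) in enumerate(streams):
        right = i + 2 if i + 1 < len(streams) else NOSTREAM
        entries.append(_dir_entry(name, 2, 2 + i, len(payload), right=right))
        body += payload.ljust(512, b"\0")                        # each stream owns one sector
    return _header(1, [0]) + struct.pack("<128I", *fat) + b"".join(entries) + body

def list_streams(data: bytes):
    """Walk header -> FAT -> directory chain and return [(display_name, object_type, size)]."""
    if data[:8] != CFB_MAGIC:
        raise ValueError("not a Compound Document File")
    sec = 1 << struct.unpack_from("<H", data, 0x1E)[0]
    num_fat, first_dir = struct.unpack_from("<II", data, 0x2C)
    fat = []
    for s in struct.unpack_from("<109I", data, 0x4C)[:num_fat]:
        fat.extend(struct.unpack_from("<%dI" % (sec // 4), data, (s + 1) * sec))
    chain, s = [], first_dir                     # sector n is stored at offset (n + 1) * sec
    while s != ENDOFCHAIN:
        if s >= len(fat) or len(chain) > len(fat):
            raise ValueError("corrupt FAT chain")  # refuse to loop on a malformed file
        chain.append(s)
        s = fat[s]
    found = []
    for s in chain:
        for off in range((s + 1) * sec, (s + 2) * sec, 128):
            name_len, obj_type = struct.unpack_from("<HB", data, off + 0x40)
            if obj_type == 0 or name_len < 2:    # unused entry
                continue
            raw = data[off:off + name_len - 2].decode("utf-16-le")
            start, size = struct.unpack_from("<IQ", data, off + 0x74)
            found.append((decode_msi_name(raw), obj_type, size))
    return found

def table_streams(data: bytes):
    # database tables are the streams whose displayed name starts with '!'
    return [name[1:] for name, _, _ in list_streams(data) if name.startswith("!")]
```

Running list_streams(build_sample_cfb()) yields "Root Entry", "!_Tables", "Binary.payload" and "[5]SummaryInformation", the same names 7z prints for a real package. The reader walks the directory sectors linearly rather than through the red-black tree of sibling links, which is what most listing tools do and is robust against broken links in a tampered file; the explicit chain-length check keeps a corrupt FAT from making the loop run forever.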
But this technique is not convenient for processing the whole database. Let’s look for other tools. There is the WiX toolset, which can easily convert an MSI file into an XML file:
C:\Users\REM>dark.exe -swall -x . sample.msi
The ‘-x .’ parameter asks the tool to dump binaries from cabinets and embedded binaries into the specified directory.
Xavier Mertens (@xme)