Squiblydoo
commented
11 months ago Considerations:
- NSIS Executables may contain bloated/normal binaries that are benign.
- The current workflow returns the NSIS Setup Script instructions which may or may not be interesting for tools like karton and assembly-line
- Malicious execution of files may be dependent on multiple files: for example, an EXE and a DLL. So, whenever possible, maintaining multiple file output is preferred.
TO DO:
-
[x] Test to better understand how karton handles multiple file output, if at all.
-
[x] Test to better understand how assembly-line handles multiple file output, if at all.
-
[ ] Consider logic for Debloat to determine the most likely malicious file and return that file if only one file is acceptable for other systems.
With 1.5.0 the ability to extract NSIS Installer contents the Debloat execution flow does not follow the normal execution path when a NSIS execution is detected. The plan is to solve this in a coming version (SOON).
Diverting from the normal execution path originally was intentional for the following reasons:
Because of these reasons, Debloat has unique output and writes the files at a unique place. The plan is to explore options to help maintain the expected return path for consistency and to maintain compatibility with tools like karton and assembly-line.
(I am writing about it here so that others are aware it is a problem, that is is a problem that I am aware of, and that it is a problem that I plan to solve.)