Quick Post: Extracting MSI files

07 Nov 2013

This is just a quick post to show how to extract MSI files. Nothing exciting, but I thought I should start posting some things that might not be common knowledge.

Microsoft announced this week CVE-2013-3906, a graphics vulnerability in Office and Lync, which is being actively exploited. In an incident like this, Microsoft will create a Fixit, which is a short-term solution to disable whatever functionality the exploit is abusing, often by setting a registry value. It is interesting that Microsoft has built-in many kill switches into their products, which allow functionality to be disabled by setting certain registry values.

Microsoft says what this Fixit does. It simply sets: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Gdiplus\DisableTIFFCodec = 1

This post will just show how to confirm that.

Download MicrosoftFixit51004.msi (hash: 121797190c6c0bb386166b67565f0ce5) from https://support.microsoft.com/kb/2896666.

You can use 7-zip to "decompress" the file. 7-zip will "decompress" .exe's into their different sections (.data, .text, resources). 7-zip is amazing. It's the robitussin of the file world. Apply it to everything and liberally.

I use 7-zip on .MSI's so I can extract the executables inside without needing to actually install the software. In this case, though, the Fixit just has a bunch of directories for the locale ids (meaning this is the text that should be displayed when the MSI is run on a system configured for that language) and then some binary data. The only file of interest there is Binary.LogDll, which is a DLL file that seems to do some telemetry back to Microsoft, but that's not what this post is about.

As we saw, 7-zip gave us a lot of binary data. It's helpful at this point to know how MSIs are created. The three ways you'll probably end up creating an installer on Windows are to use:

  • NSIS from Nullsoft (yep, the makers of Winamp... "Winamp, it really whips the llama's ass!"). It's open-source but only makes .exe files. You write a little script that says what files you want in your installer, how you want the installation process to work, and it takes care of the rest.
  • InstallShield, which is garbage and saves everything in a binary format so you can't version control it, but since it's been around since the dawn of time, you'll probably run into it.
  • Wix, which is open-source and is used to make the installer for Visual Studio and many other products. It was one of the first projects Microsoft released as open-source, back in 2004. This is the tool you want to use to make installers.

One cool thing about Wix is it has a "decompiler" of sorts to take a .msi and turn it into the script that was used to create it. Standard decompiling issues apply: it won't work perfectly, and what you get will still be barely readable. Run:

dark MicrosoftFixit51004.msi

Most of the wix tools are named things like "candle", "heat", "smoke", "melt", etc. so the opposite of that is "dark".

You'll end up with a file called MicrosoftFixit51004.wxs that is 859 lines long. Skimming through it, you'll see the line:

<RegistryValue Id="ADDKEY1" Root="HKLM" Key="SOFTWARE\Microsoft\Gdiplus" Name="DisableTIFFCodec" Value="1" Type="integer" KeyPath="yes" />
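Skimming 859 lines by hand doesn't scale past one Fixit, so here is an added example (my own code, not from the original post or the WiX project) that pulls every RegistryValue element out of a .wxs and prints it as the hive path Microsoft quotes in its KB text. The decompile_and_scan helper assumes WiX v3's dark.exe is on PATH and uses its -out option; the .wxs fragment is constructed from the line quoted above.

```python
# Added example (not from the original post or the WiX project): list every
# registry write a WiX .wxs file declares, so the .wxs that "dark" produces
# from a Fixit .msi can be checked against what Microsoft says it changes.
import subprocess
import xml.etree.ElementTree as ET

# Namespace of WiX v3 sources, which is what dark emits.
WIX_NS = "http://schemas.microsoft.com/wix/2006/wi"
# RegistryValue Root abbreviations, expanded to the hive names Microsoft uses
# in its KB text (HKMU becomes HKLM or HKCU at install time, per ALLUSERS).
ROOTS = {"HKLM": "HKEY_LOCAL_MACHINE", "HKCU": "HKEY_CURRENT_USER",
         "HKCR": "HKEY_CLASSES_ROOT", "HKU": "HKEY_USERS", "HKMU": "HKMU"}


def registry_values(wxs_text):
    """Return (full_path, value, type) for each RegistryValue in the .wxs text."""
    root = ET.fromstring(wxs_text)
    found = []
    for rv in root.iter("{%s}RegistryValue" % WIX_NS):
        hive = ROOTS.get(rv.get("Root"), rv.get("Root"))
        name = rv.get("Name")  # absent means the key's (Default) value
        path = "\\".join(p for p in (hive, rv.get("Key"), name) if p)
        found.append((path, rv.get("Value"), rv.get("Type")))
    return found


def decompile_and_scan(msi_path):
    """Run dark.exe (assumed on PATH) on an .msi, then scan the .wxs it writes."""
    wxs_path = msi_path.rsplit(".", 1)[0] + ".wxs"
    subprocess.run(["dark", msi_path, "-out", wxs_path], check=True)
    with open(wxs_path, encoding="utf-8") as f:
        return registry_values(f.read())


# Constructed fragment modelled on the RegistryValue line quoted above; real
# dark output has hundreds of other lines around it.
SAMPLE_WXS = """<Wix xmlns="http://schemas.microsoft.com/wix/2006/wi">
  <Product Id="*"><Component Id="ADDKEY1">
    <RegistryValue Id="ADDKEY1" Root="HKLM" Key="SOFTWARE\\Microsoft\\Gdiplus"
                   Name="DisableTIFFCodec" Value="1" Type="integer" KeyPath="yes" />
  </Component></Product>
</Wix>"""

if __name__ == "__main__":
    for path, value, kind in registry_values(SAMPLE_WXS):
        print("%s = %s (%s)" % (path, value, kind))
```

Point decompile_and_scan at the downloaded .msi to get the same list for the real file, and compare it against the single value the KB article claims.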

So this does what we expected. Maybe there is other stuff in the .msi, like that telemetry stuff, but I just wanted to show how you can do a little light reversing on .msi files.