Windows Installers

by street

Windows files with the MSI extension are used to install software packages.  They do this by extracting themselves to the file system and modifying the Windows Registry.  They are special files used by the Windows operating system.  Normally we take these files for granted, and trust the source that they come from.

MSI installation packages can be built with several tools.  WiX and Visual Studio Community Edition are both available free and can build MSI packages.

The gold standard for building MSI packages has always been InstallShield.  While InstallShield offers a free demo, the price of the commercial license was more than I could afford.  But that didn't stop me!

Revenera is the company that owns InstallShield, and they also provide training courses for their product.  It wasn't necessary for me to take the courses, because they already have free documentation online (docs.revenera.com/?product=InstallShield).

Using InstallShield to create an MSI file is very simple.  You can add files and folders from your computer into the project, and then tell InstallShield where you want it to install them on the target machine.  It can even add shortcuts to the start menu and desktop, or modify the registry.  It's not hard to make your own forms, or change the default ones.  The dialogs are customizable, and you can add your own graphics.

If you open the dialogs from the InstallShield menu, you can click on a dialog's text and graphics and quickly change them.  You can also change a dialog's button so that it leads to whichever other dialog you want.

As a hacker, I'm interested in what MSI packages aren't intended to do.  I can use an MSI file to bundle legitimate software along with malicious code.  I can even take a legitimate MSI file and reverse its installation by preserving the file structure and registry entries of the original installation.  Add a simple reverse shell or whatever additional software you want.  Then add a registry entry to Windows, telling it to run the new program at startup.

Microsoft provides a free tool called Process Monitor (docs.microsoft.com/en-us/sysinternals/downloads/procmon).  This tool lists all the changes to the Windows file system and registry.  It becomes a simple matter after that to build the delivery system for a Trojan horse program.

Any kind of malware could work as a payload, and there is no need to change the flow of the original program or understand low level code.  The only change is in how the software is installed.

Most companies sign their programs with digital signatures to prevent the code from being modified.  To do this they buy a code signing certificate, which uses public/private keys to verify the program's integrity.  However, creating a new Windows Installer does not actually modify the program itself, so the program's own signature is left untouched.
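As an added example (not from the article), here is a defender-side PowerShell check that follows from the two points above: a valid signature on the program says nothing about the installer wrapped around it, and the Run key is where a repackaged installer's startup entry would land.  It assumes Windows PowerShell 5.1 or later; the MSI path and expected publisher are placeholders.

```powershell
# Added example, not from the article. Checks the Authenticode signature of an
# installer package (Get-AuthenticodeSignature accepts .msi as well as .exe)
# and audits Run-key autostart entries for unsigned or missing targets.
param(
    [string]$MsiPath = 'C:\path\to\installer.msi',      # placeholder path
    [string]$ExpectedPublisher = 'CN=Example Publisher' # placeholder subject fragment
)

function Test-PackageSignature {
    # Returns an object saying whether the package is signed, valid, and from the expected publisher.
    param([string]$Path, [string]$Publisher)
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid') {
        return [pscustomobject]@{ Path = $Path; Ok = $false; Reason = "signature status: $($sig.Status)" }
    }
    if ($sig.SignerCertificate.Subject -notlike "*$Publisher*") {
        return [pscustomobject]@{ Path = $Path; Ok = $false; Reason = "unexpected signer: $($sig.SignerCertificate.Subject)" }
    }
    return [pscustomobject]@{ Path = $Path; Ok = $true; Reason = 'valid signature from expected publisher' }
}

function Get-RunKeyAudit {
    # Enumerates HKLM/HKCU Run entries and reports the signature status of each target executable.
    $keys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
            'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    $meta = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'  # provider metadata, not entries
    foreach ($key in $keys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($p.Name -in $meta) { continue }
            # Strip surrounding quotes and trailing arguments to recover the executable path.
            $exe = ($p.Value -replace '^"([^"]+)".*$', '$1') -replace '^(\S+\.exe).*$', '$1'
            $status = if (Test-Path -LiteralPath $exe) { (Get-AuthenticodeSignature -FilePath $exe).Status } else { 'FileNotFound' }
            [pscustomobject]@{ Key = $key; Name = $p.Name; Target = $exe; Signature = $status }
        }
    }
}

# Report: an unsigned package, or a Run entry pointing at an unsigned binary, is what a
# repackaged installer looks like from the outside and deserves a closer look.
Test-PackageSignature -Path $MsiPath -Publisher $ExpectedPublisher | Format-List
Get-RunKeyAudit | Where-Object { $_.Signature -ne 'Valid' } | Format-Table -AutoSize
```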

Completely stopping uncertified programs from running is an option Microsoft has been playing with.  They have been moving forward with new security changes in Windows 11 to only run apps verified in the Microsoft Store.  This can prevent you from running perfectly safe software, or software that is even more secure than what is offered in the Windows Store.

Microsoft has built a new installer format called MSIX.  The MSIX format requires you to register the installer with Microsoft.  They have not, however, stopped us from using the old MSI format.