The text above is the output of the nsisdump.py utility when run on a malicious NSIS executable. NRS can obtain block information, strings and header information. We have made additions that allow nsisdump.py to properly dump NSIS function code and to properly parse UTF-16LE binaries.

To ensure that NRS could fully parse the NSIS executables we see on a regular basis, we modified our fork of the library to support additional types of NSIS files. For instance, we added support for NSIS 2 UTF-16LE executables. NSIS 2.x executables do not support Unicode strings by default; however, additional builds of NSIS 2.x have been released that include this functionality, and a significant portion of the executables we observed were built with them. To parse information from these executables, we added NSIS 2.x UTF-16LE support to NRS.

In addition to NSIS 2.x Unicode support, we also added method disassembly to NRS. Disassembling the NSIS script is extremely important when parsing NSIS executables, because information about embedded files and the actions taken on the system is stored only within the instructions of the script. To make this information accessible, we added a disassembler to NRS. The disassembler finds the script methods embedded within the NSIS executable and outputs disassembly for every method present; the dump output above shows an example of what that output looks like. Instructions such as ExtractFile reveal which embedded files the installer writes out. Beyond disassembling methods, we also added support for dumping the contents of the NSIS script to a file or string. The result generally looks similar to how 7-Zip decompiles NSIS scripts.
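To show what the disassembly step involves, here is a small added example (my own code, not NRS or nsisdump.py): it walks an NSIS entry table, where each entry is an opcode DWORD followed by six operand DWORDs, resolves string operands from either an ANSI or a UTF-16LE string block, and collects the filenames that ExtractFile writes. The opcode numbers, the operand layout of ExtractFile and CreateDir, and the sample entries and strings are assumptions constructed for the demo; NSIS's variable escape codes inside strings are ignored.

```python
import struct

# Opcode subset numbered as in NSIS's fileform.h as I recall it (an assumption: the
# numbering shifts with build-time options, so verify against your NSIS version).
OPCODES = {1: "Ret", 2: "Nop", 5: "Call", 11: "CreateDir", 20: "ExtractFile", 21: "Delete"}
ENTRY_SIZE = 7 * 4  # one opcode DWORD followed by six operand DWORDs

def read_string(block, offset, utf16):
    """Read the NUL-terminated string at `offset` (counted in code units, as NSIS does)."""
    if utf16:
        start = end = offset * 2
        while end + 1 < len(block) and block[end:end + 2] != b"\x00\x00":
            end += 2
        return block[start:end].decode("utf-16-le", errors="replace")
    end = block.index(b"\x00", offset)
    return block[offset:end].decode("latin-1")

def disassemble(entries, strings, utf16):
    """Return [(index, mnemonic, operands)] with known string operands resolved."""
    listing = []
    for i in range(len(entries) // ENTRY_SIZE):
        which, *ops = struct.unpack_from("<7i", entries, i * ENTRY_SIZE)
        name = OPCODES.get(which, "Unknown(%d)" % which)
        if name == "ExtractFile":
            # assumed operands: overwrite flag, output filename, data offset, mtime lo/hi, allow-ignore
            ops[1] = read_string(strings, ops[1], utf16)
        elif name == "CreateDir":
            ops[0] = read_string(strings, ops[0], utf16)
        listing.append((i, name, ops))
    return listing

def extracted_files(listing):
    """Filenames written by ExtractFile: the embedded-file inventory an analyst wants first."""
    return [ops[1] for _, name, ops in listing if name == "ExtractFile"]

def build_sample(utf16):
    """Constructed entry table and string block (plain text, no NSIS variable escapes)."""
    enc, unit = ("utf-16-le", 2) if utf16 else ("latin-1", 1)
    strings, offs = b"", []
    for s in ["$INSTDIR", "$TEMP\\payload.exe"]:
        offs.append(len(strings) // unit)
        strings += s.encode(enc) + b"\x00" * unit
    entries = struct.pack("<7i", 11, offs[0], 0, 0, 0, 0, 0)      # CreateDir $INSTDIR
    entries += struct.pack("<7i", 20, 1, offs[1], 4096, 0, 0, 0)  # ExtractFile -> $TEMP\payload.exe
    entries += struct.pack("<7i", 1, 0, 0, 0, 0, 0, 0)            # Ret
    return entries, strings

if __name__ == "__main__":
    for utf16 in (False, True):
        listing = disassemble(*build_sample(utf16), utf16)
        print("UTF-16LE" if utf16 else "ANSI", "extracts:", extracted_files(listing))
        for idx, name, ops in listing:
            print(f"  {idx:4d}: {name} {ops}")
```

Running it prints the same three-instruction listing for both encodings, which is the property the UTF-16LE support was meant to restore: the string block encoding must not change what the disassembler reports.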

Altogether, NRS was a great expansion of our ability to parse and extract information from NSIS executables.