SelfDel plug-in: Difference between revisions
(SelfDel plugin was recognized as virus. Kaspersky cannot fix this detection)
(4 intermediate revisions by one other user not shown)
Line 10: | Line 10: | ||
Plug-in launches hidden Window Explorer, it waits installer (uninstaller) to finish and deletes exe. Optionaly removes exe' directory. After this Explorer exits as well. | Plug-in launches hidden Window Explorer, it waits installer (uninstaller) to finish and deletes exe. Optionaly removes exe' directory. After this Explorer exits as well. | ||
== Tested on == | |||
* Windows XP 32-bit | |||
* Windows Vista 32-bit/64-bit | |||
* Windows 7 32-bit/64-bit | |||
* Windows 8 32-bit/64-bit | |||
== Syntax == | == Syntax == | ||
=== "del" DLL function === | === "del" DLL function === | ||
<highlight-nsis> | <highlight-nsis> | ||
SelfDel::del [/RMDIR] </highlight-nsis> | SelfDel::del [/RMDIR] [/REBOOT | /SHUTDOWN] </highlight-nsis> | ||
: Creates remote thread in the hidden Windows Explorer process, it waits parent process to exit and deletes it's file. | : Creates remote thread in the hidden Windows Explorer process, it waits parent process to exit and deletes it's file. | ||
; RMDIR | ; /RMDIR | ||
: if exe | : if exe directory is empty after file deletion, removes directory as well with this option. | ||
; /REBOOT (added by Afrow UK) | |||
: reboots the machine after installer deletion. | |||
; /SHUTDOWN (added by Afrow UK) | |||
: shuts the machine down after installer deletion. | |||
== Example == | == Example == | ||
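Review bot: The new /REBOOT and /SHUTDOWN entries only say the machine reboots or shuts down "after installer deletion"; they do not say what happens when the deletion fails, or whether the user gets any prompt before the machine goes down. Since these options end the user's session from inside an installer, state that behaviour in the two definitions. The syntax line "[/REBOOT | /SHUTDOWN]" shows the options as mutually exclusive, and the definitions should say so as well.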
Line 29: | Line 37: | ||
FunctionEnd | FunctionEnd | ||
</highlight-nsis> | </highlight-nsis> | ||
== Note== | |||
The nsis setup with the SelfDel plugin was recognized as virus ''HEUR:Trojan.Win32.Invade'' by Kaspersky Lab. | |||
<blockquote> | |||
"The Kaspersky product is detecting not on the NSIS installer, but what the NSIS installer is doing. It calls a subfunction Del inside of SelfDel which starts explorer.exe as a suspended process, writes memory into it, and then executes it. If you stay away from using SelfDel and its Del function, the detection would stop occurring. We cannot fix this detection. Attempting to fix it would also allow a large amount of malware to go undetected. ''The NSIS plugin authors are encouraged to look for other alternatives for deleting the installer after execution.''" | |||
</blockquote> | |||
[[Category:Plugins]] | [[Category:Plugins]] |
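Review bot: The blockquote in the new Note section is attributed to Kaspersky only by the preceding sentence and has no link, date or product version, so a reader cannot verify it or tell whether the HEUR:Trojan.Win32.Invade detection still applies; add a reference after the closing blockquote tag. The heading "== Note==" is also missing the space before the closing "==" that the other headings on the page use.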
Latest revision as of 17:54, 11 October 2013
Author: Takhir
Plug-in for in-place deletion of the setup executable, without an exe copy or a reboot.
Links
Download:
SelfDel.zip (25 KB)
Description
The plug-in launches a hidden Windows Explorer process, which waits for the installer (uninstaller) to finish and then deletes the exe. Optionally, it also removes the exe's directory. After this, Explorer exits as well.
Tested on
- Windows XP 32-bit
- Windows Vista 32-bit/64-bit
- Windows 7 32-bit/64-bit
- Windows 8 32-bit/64-bit
Syntax
"del" DLL function
SelfDel::del [/RMDIR] [/REBOOT | /SHUTDOWN]
- Creates a remote thread in the hidden Windows Explorer process; the thread waits for the parent process to exit and then deletes its file.
- /RMDIR: if the exe directory is empty after the file deletion, this option removes the directory as well.
- /REBOOT (added by Afrow UK): reboots the machine after the installer is deleted.
- /SHUTDOWN (added by Afrow UK): shuts the machine down after the installer is deleted.
Example
Setup deletion:
Function .onInstSuccess
  SelfDel::del
FunctionEnd
Note
An NSIS setup that uses the SelfDel plug-in was recognized as the virus HEUR:Trojan.Win32.Invade by Kaspersky Lab.
"The Kaspersky product is detecting not on the NSIS installer, but what the NSIS installer is doing. It calls a subfunction Del inside of SelfDel which starts explorer.exe as a suspended process, writes memory into it, and then executes it. If you stay away from using SelfDel and its Del function, the detection would stop occurring. We cannot fix this detection. Attempting to fix it would also allow a large amount of malware to go undetected. The NSIS plugin authors are encouraged to look for other alternatives for deleting the installer after execution."
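The sequence described in the quote (the installer starts explorer.exe, runs a thread inside it, and that Explorer instance then deletes the installer) can be correlated from endpoint telemetry. The following Python is an added example, not part of the plug-in or the original page; the event records are constructed, their field names are modelled on Sysmon events 1, 8 and 26, and the function name is hypothetical.

```python
import ntpath

# Constructed sample events; field names are modelled on Sysmon event IDs
# 1 (ProcessCreate), 8 (CreateRemoteThread) and 26 (FileDeleteDetected).
SAMPLE_EVENTS = [
    # Ordinary shell start at logon: no remote thread follows, so no finding.
    {"EventID": 1, "ProcessId": 3300, "Image": r"C:\Windows\explorer.exe",
     "ParentProcessId": 900, "ParentImage": r"C:\Windows\System32\userinit.exe"},
    # Installer spawns its own explorer.exe, injects a thread, then gets deleted.
    {"EventID": 1, "ProcessId": 5200, "Image": r"C:\Windows\explorer.exe",
     "ParentProcessId": 4120, "ParentImage": r"C:\Users\demo\Downloads\setup.exe"},
    {"EventID": 8, "SourceProcessId": 4120, "TargetProcessId": 5200},
    {"EventID": 26, "ProcessId": 5200, "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\demo\Downloads\setup.exe"},
]

def find_inject_and_delete(events):
    """Correlate: process P spawns explorer.exe child C, P creates a remote
    thread in C, then (optionally) C deletes P's own image file.
    Simplification: events are in time order and PIDs are not reused."""
    children = {}   # child pid -> (parent pid, parent image)
    injected = {}   # child pid -> finding
    for ev in events:
        eid = ev["EventID"]
        if eid == 1 and ntpath.basename(ev["Image"]).lower() == "explorer.exe":
            children[ev["ProcessId"]] = (ev["ParentProcessId"], ev["ParentImage"])
        elif eid == 8:
            child = children.get(ev["TargetProcessId"])
            # Flag only threads created by the process that spawned the target.
            if child and child[0] == ev["SourceProcessId"]:
                injected[ev["TargetProcessId"]] = {
                    "source_image": child[1],
                    "target_pid": ev["TargetProcessId"],
                    "self_deleted": False,
                }
        elif eid == 26:
            hit = injected.get(ev["ProcessId"])
            if hit and ev["TargetFilename"].lower() == hit["source_image"].lower():
                hit["self_deleted"] = True
    return list(injected.values())

if __name__ == "__main__":
    for finding in find_inject_and_delete(SAMPLE_EVENTS):
        print(finding)
```

A finding with self_deleted set matches the full behaviour the page describes; without it, the spawn-and-inject pair alone is the part the quoted detection is keyed on.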