SelfDel plug-in: Difference between revisions

From NSIS Wiki
(SelfDel plugin was recognized as virus. Kaspersky cannot fix this detection)
 
(2 intermediate revisions by one other user not shown)
Line 10: Line 10:
Plug-in launches hidden Window Explorer, it waits installer (uninstaller) to finish and deletes exe. Optionaly removes exe' directory. After this Explorer exits as well.
Plug-in launches hidden Window Explorer, it waits installer (uninstaller) to finish and deletes exe. Optionaly removes exe' directory. After this Explorer exits as well.


'''Now works on x64 (Vista/7) - Afrow UK; 17th July 2011'''
== Tested on ==
* Windows XP 32-bit
* Windows Vista 32-bit/64-bit
* Windows 7 32-bit/64-bit
* Windows 8 32-bit/64-bit


== Syntax ==
== Syntax ==
Line 33: Line 37:
FunctionEnd
FunctionEnd
</highlight-nsis>
</highlight-nsis>
== Note==
The nsis setup with the SelfDel plugin was recognized  as virus ''HEUR:Trojan.Win32.Invade''  by Kaspersky Lab.
<blockquote>
"The Kaspersky product is detecting not on the NSIS installer, but what the NSIS installer is doing. It calls a subfunction Del inside of SelfDel which starts explorer.exe as a suspended process, writes memory into it, and then executes it. If you stay away from using SelfDel and its Del function, the detection would stop occurring. We cannot fix this detection. Attempting to fix it would also allow a large amount of malware to go undetected. ''The NSIS plugin authors are encouraged to look for other alternatives for deleting the installer after execution.''"
</blockquote>


[[Category:Plugins]]
[[Category:Plugins]]
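Review bot: the added Note section quotes Kaspersky's reply in the blockquote without a source (no link, date or product version), so a reader cannot check whether the HEUR:Trojan.Win32.Invade detection still applies; add a reference next to the quotation. The new heading is written `== Note==`, while the existing headings use the `== Syntax ==` spacing. The advice to avoid SelfDel's del function appears only inside the quotation, so consider stating it in the page's own words ahead of the blockquote.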

Latest revision as of 17:54, 11 October 2013

Author: Takhir (talk, contrib)


Plug-in for in-place deletion of the setup exe, without copying the exe or rebooting.

Links

Download:
SelfDel.zip (25 KB)

Description

The plug-in launches a hidden Windows Explorer process, which waits for the installer (or uninstaller) to finish and then deletes the exe. Optionally it also removes the exe's directory. Explorer then exits as well.

Tested on

  • Windows XP 32-bit
  • Windows Vista 32-bit/64-bit
  • Windows 7 32-bit/64-bit
  • Windows 8 32-bit/64-bit

Syntax

"del" DLL function

SelfDel::del [/RMDIR] [/REBOOT | /SHUTDOWN]
Creates a remote thread in the hidden Windows Explorer process; the thread waits for the parent process to exit and then deletes its file.
/RMDIR
If the exe directory is empty after the file is deleted, this option removes the directory as well.
/REBOOT (added by Afrow UK)
reboots the machine after installer deletion.
/SHUTDOWN (added by Afrow UK)
shuts the machine down after installer deletion.

Example

Setup deletion:

Function .onInstSuccess
 
  SelfDel::del

FunctionEnd


Note

An NSIS setup that uses the SelfDel plug-in was recognized as the virus HEUR:Trojan.Win32.Invade by Kaspersky Lab.

"The Kaspersky product is detecting not on the NSIS installer, but what the NSIS installer is doing. It calls a subfunction Del inside of SelfDel which starts explorer.exe as a suspended process, writes memory into it, and then executes it. If you stay away from using SelfDel and its Del function, the detection would stop occurring. We cannot fix this detection. Attempting to fix it would also allow a large amount of malware to go undetected. The NSIS plugin authors are encouraged to look for other alternatives for deleting the installer after execution."
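
The behaviour Kaspersky describes above, seen from the detection side (an added example, not part of the wiki page or the plug-in): it correlates process-creation and remote-thread events to flag a process that spawns explorer.exe and then starts a thread in that same child. The Sysmon-style field names, the 30-second window, the parent baseline and the sample events are assumptions constructed for illustration.

```python
# Added example; events are constructed sample data in the shape of Sysmon
# Event ID 1 (ProcessCreate) and Event ID 8 (CreateRemoteThread).
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=30)  # assumed correlation window
EXPECTED_PARENTS = {"userinit.exe", "winlogon.exe", "explorer.exe"}  # assumed baseline


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def find_spawn_then_inject(events):
    """Alert when a process creates explorer.exe and then starts a remote
    thread in that same child within WINDOW."""
    spawned, alerts = {}, []  # spawned: child ProcessGuid -> ProcessCreate event
    for ev in sorted(events, key=lambda e: e["UtcTime"]):
        if ev["EventID"] == 1 and basename(ev["Image"]) == "explorer.exe":
            if basename(ev["ParentImage"]) not in EXPECTED_PARENTS:
                spawned[ev["ProcessGuid"]] = ev
        elif ev["EventID"] == 8:
            create = spawned.get(ev["TargetProcessGuid"])
            if create is None or ev["SourceProcessGuid"] != create["ParentProcessGuid"]:
                continue  # thread did not come from the process that spawned it
            delay = ev["UtcTime"] - create["UtcTime"]
            if delay <= WINDOW:
                alerts.append({"source": ev["SourceImage"],
                               "target_pid": create["ProcessId"],
                               "delay_s": delay.total_seconds()})
    return alerts


T0 = datetime(2013, 10, 11, 17, 0, 0)
SAMPLE_EVENTS = [  # constructed
    {"EventID": 1, "UtcTime": T0, "ProcessGuid": "{A}", "ProcessId": 4120,
     "Image": r"C:\Windows\explorer.exe", "ParentProcessGuid": "{S}",
     "ParentImage": r"C:\Users\u\Downloads\setup.exe"},
    {"EventID": 8, "UtcTime": T0 + timedelta(seconds=1),
     "SourceProcessGuid": "{S}", "SourceImage": r"C:\Users\u\Downloads\setup.exe",
     "TargetProcessGuid": "{A}", "TargetImage": r"C:\Windows\explorer.exe"},
    # Benign: the shell started by userinit.exe at logon, no remote thread.
    {"EventID": 1, "UtcTime": T0, "ProcessGuid": "{B}", "ProcessId": 2200,
     "Image": r"C:\Windows\explorer.exe", "ParentProcessGuid": "{U}",
     "ParentImage": r"C:\Windows\System32\userinit.exe"},
]

if __name__ == "__main__":
    print(find_spawn_then_inject(SAMPLE_EVENTS))
```

An installer built with SelfDel would match this rule just as malware using the same sequence would, which is the trade-off the quoted reply describes.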