String str = Path.Combine(Environment.GetFolderPath(86), "Windows Kits\\10\\") Private static string optionalComponentPathx86 Private static string optionalComponentPath圆4 Assembly location: D:\reverse\SetupCommonDLLCmp2\ NET decompiler a class .CustomActions with the following code: Using 7-zip was able to extract the files from the DLL so we could analyze them: We can see this extracts a number of files, which are deleted straight after being created. Rundll32.exe “C:\WINDOWS\SYSTEM32\SetupCommonDLLCmp2.dll”,zzzzInvokeManagedCustomActionOutOfProc SfxCA_5457953 7 !.DetectAdk When we run this while monitoring with Process Monitor we can see it triggers creating a process with the following command line: Public static extern uint MsiCloseHandle(IntPtr -TypeDefinition $code Public static extern uint DetectAdk(IntPtr hMsiHandle) Public static extern IntPtr MsiCreateRecord(uint cParams) Typically these will be a DLL or a Script.Īs this is a 32-bit DLL we can test calling this custom action with 32-bit PowerShell In Binary view we can extract this item by clicking the and Write Binary to Filename to save the item to disk. In Custom Action we can see DetectAdk action We could just remove the condition, however was curious how the check actually ocurred… Opening the installation MSI in Orca we can set a condition that will prevent the DaRTRecoveryImage feature from installing. We can check with ORCA how the ADK installation check is occurring. We could look for components not found either through Windows Installer logging, or ProcMon, but here want to demonstrate some ways to analyze how the installer is making the checks. Suspected the issue was a specific version is required, but the download link in the setup is a dead link and just takes you to a generic Microsoft page. However, the latest Windows ADK + Windows PE ADK component has been installed. Trying to create a DART recovery image, got the message during the installation from Microsoft Desktop Optimization Pack 2015 running installer from \DaRT\DaRT 10\Installers\en-us\圆4\MSDart100.msi
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |