
msitools

msitools provides utilities to create, inspect, extract, and manipulate Windows Installer (.msi) files. It includes tools like msiinfo, msibuild, msidiff, msidump, and msiextract for handling MSI package contents and databases.

Description

msitools is a collection of programs designed for working with Windows Installer (.msi) files, enabling users to inspect, build, compare, dump, and extract their contents. This is particularly useful in cybersecurity for analyzing malware packaged in MSI format, reverse engineering installers, or extracting embedded files during forensic investigations.

The suite includes msiinfo for displaying package information, msibuild for constructing MSI packages, msidiff for comparing two packages, msidump for dumping tables and streams, and msiextract for pulling out contained files. Additionally, wixl offers MSI creation from XML documents, similar to the WiX toolset.

These tools rely on the libmsi library, which supports reading, writing, and querying MSI databases. They are valuable in penetration testing, malware analysis, and software reverse engineering contexts where understanding installer behavior is key.

How It Works

msitools leverages the libmsi library to parse and manipulate the internal structure of .msi files, which are OLE compound-file storages holding a relational database (tables that msitools exports and imports as IDT text) plus binary streams, typically including the CAB archives that carry the payload files. The tools query the database with SQL-like statements, dump tables as text, extract streams and files to disk, compare two packages table by table or file by file, and build packages by importing tables or adding streams. Write operations overwrite existing data in the target package, and libmsi exposes GObject introspection so the same functionality can be scripted from other languages.

Installation

    sudo apt install msitools

Flags

-s name [author] [template] [uuid]  Set summary information (msibuild)
-q query                            Execute SQL query/queries (msibuild)
-i table1.idt                       Import one table into the database (msibuild)
-a stream file                      Add 'stream' to storage with contents of 'file' (msibuild)
-t, --tables                        Diff MSI tables as text. This is the default (msidiff)
-l, --list                          Diff lists of files (msidiff)
-L, --long-list                     Diff long lists (akin to 'find -ls') of files (msidiff)
-t, --tables                        Dump tables. This is the default (msidump)
-s, --streams                       Dump streams (msidump)
-S, --signature                     Dump asn1parse of digital signature (msidump)
-d, --directory DIR                 Dump to given directory DIR (msidump)
-C, --directory                     Extract to directory (msiextract)
-l, --list                          List files only (msiextract)
streams                             List streams in a .msi file (msiinfo subcommand)
tables                              List tables in a .msi file (msiinfo subcommand)
-v, --verbose                       Verbose output (wixl)
-o, --output                        Output file (wixl)
--directory-ref                     Directory Ref (wixl-heat)

Examples

Show help for msibuild, which builds MSI packages:
    msibuild -h

Show help for msidiff, which compares two MSI files:
    msidiff -h

Show help for msidump, which dumps MSI tables and streams:
    msidump -h

Show help for msiextract, which extracts files from MSI packages:
    msiextract -h

Show help for msiinfo, which displays and extracts MSI information:
    msiinfo -h

Show help for wixl, the Windows Installer creation tool:
    wixl -h

Show help for wixl-heat, which builds WiX XML fragments from files and directories:
    wixl-heat -h
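The following is an added example, not part of the original page or the msitools project: a POSIX shell helper that chains the msiinfo, msidump and msiextract invocations described under How It Works and Flags into a static triage pass over one sample. The output directory layout and the choice of tables to print are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not msitools' own code): static triage of one .msi sample
# using the msitools commands documented above. Nothing from the package
# is executed; it is only parsed, dumped and extracted.

# MSI packages are OLE compound-file storages, so the first 8 bytes are the
# CFB signature D0 CF 11 E0 A1 B1 1A E1. Checking it first avoids running
# the tools on a mislabeled or truncated sample.
is_msi_container() {
    [ -f "$1" ] || return 1
    [ "$(od -An -N8 -tx1 "$1" | tr -d ' \n')" = "d0cf11e0a1b11ae1" ]
}

# triage_msi SAMPLE OUTDIR: dump tables (IDT), streams and the signature,
# extract payload files, print the tables where installer-time behaviour
# lives, and hash every extracted file. Requires msitools to be installed.
triage_msi() {
    sample=$1; outdir=$2
    is_msi_container "$sample" || { echo "not an OLE/MSI container: $sample" >&2; return 1; }
    mkdir -p "$outdir/tables" "$outdir/files"
    msiinfo tables  "$sample" > "$outdir/tables.txt"
    msiinfo streams "$sample" > "$outdir/streams.txt"
    msidump -t -s -S -d "$outdir/tables" "$sample"   # tables, streams, signature
    msiextract -C "$outdir/files" "$sample"           # payload files only
    # CustomAction and Binary hold scripts/DLLs run during installation;
    # msidump writes each table as TableName.idt (assumed naming).
    for t in CustomAction Binary; do
        [ -f "$outdir/tables/$t.idt" ] && cat "$outdir/tables/$t.idt"
    done
    (cd "$outdir/files" && find . -type f -exec sha256sum {} +) > "$outdir/hashes.txt"
}
```

Run it as `triage_msi sample.msi ./out` on an isolated analysis host; the hashes in `out/hashes.txt` can then be matched against threat intelligence without ever running the installer.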
Updated 2026-04-16, kali.org