|
Most the MSI unpacking tools will only unpack the *.CAB files inside the MSI, they will ignore any files outside the *.CAB, but still embedded in the MSI.
Extracting these files can be a bit tricky, one easy way is to simply prevent the files from being deleted. This can be done by breaking on DeleteFile or (if available) by telling your host intrusion prevention system to deny the file delete privilege to any application. If breaking on DeleteFile will not work, the file handle will have the "delete on close" flag set and you will have to start looking there. A HIPS will prevent this trick.
LoadLibrary might be called many times before you see the call you're looking for.
Is the MSI you're working with available for public download?
|