Author: Valli-Nayagam Chokkalingam

https://github.com/AdversaryCraft/nsis-dll-hijack-poc
I’ve published a new proof-of-concept on GitHub demonstrating NSIS plugin DLL proxying using the NSIS-based CCleaner installer in a controlled lab environment. Rather than modifying DllMain, the proxy exports the plugin’s expected Create function before forwarding execution to the original DLL. This approach preserves the installer’s expected execution flow while allowing researchers to execute custom logic before seamlessly handing control back to the legitimate plugin.
One interesting aspect of NSIS installers is that plugin DLLs are extracted into a transient ns*.tmp directory under the executing user’s %TEMP% folder immediately before they are loaded. Because this extraction occurs before the plugin is consumed, it creates a narrow time-of-check/time-of-use (TOCTOU) window that is valuable for studying installer behavior and defensive telemetry. Using the legitimate CCleaner installer provides a realistic environment for detection engineering and purple team validation, enabling defenders to evaluate whether their security controls can identify plugin DLL replacement attempts and other anomalous activity during trusted installer execution.
References
Official Installer Download Link – https://download.ccleaner.com/ccsetup564.exe

Leave a Reply