Struct PluginCall 

pub struct PluginCall<'a> { /* private fields */ }

A plugin DLL invocation (EW_REGISTERDLL, opcode 44).

This is the mechanism behind NSIS plugin calls. In NSIS script, a plugin call like System::Call "kernel32::VirtualAlloc(...)" compiles to an EW_REGISTERDLL instruction with:

• param 0: DLL path (e.g., $PLUGINSDIR\System.dll)
• param 1: function name (e.g., Call)
• param 2: 0 for plugin calls, non-zero for COM DLL registration
• param 3: /NOUNLOAD flag

Malware frequently abuses System::Call to invoke Win32 APIs directly: VirtualAlloc, VirtualProtect, CreateThread, NtCreateSection, etc. The actual API call string is typically pushed onto the NSIS stack before the CallInstDLL instruction.

Source: exec.c case EW_REGISTERDLL, 7-Zip NsisIn.cpp lines 4381-4412.

Implementations

impl<'a> PluginCall<'a>

pub fn dll(&self) -> Result<NsisString, Error>

Returns the DLL file path.

Typically $PLUGINSDIR\<name>.dll — the plugin is extracted to the temp plugins directory and loaded from there.

pub fn function(&self) -> Result<NsisString, Error>

Returns the exported function name being called.

Common values:

• "Call" — System::Call (arbitrary Win32 API invocation)
• "Create" — nsDialogs::Create (UI dialog creation)
• "DllRegisterServer" — standard COM registration
• "DllUnregisterServer" — standard COM unregistration

pub fn is_plugin_call(&self) -> bool

Returns true if this is a CallInstDLL (plugin call).

When false, this is a RegDLL or UnRegDLL COM registration operation instead.

pub fn no_unload(&self) -> bool

Returns true if the /NOUNLOAD flag is set.

When set, the DLL remains loaded in memory after the call returns. This is used by plugins that maintain state across multiple calls.

pub fn entry(&self) -> &Entry<'a>

Returns the underlying Entry.