
Say there's a DLL in System32 that I'm linking against, but that might not be present in a different Windows installation.

Is there a way to specify in a manifest that the DLL must only be loaded from System32, to avoid hijacking from other directories when the DLL isn't present in System32?

user541686
  • Even if it's present in a particular Windows installation, you could still be hijacked by the DLL being placed alongside the executable – David Heffernan Mar 24 '21 at 13:52
  • I would use `LoadLibrary(Windir."System32\\library.dll"); GetProcAddress(Function);` to be sure that a Function from the System32 library is invoked. – vitsoft Mar 24 '21 at 17:34
  • @vitsoft Alternatively, `LoadLibraryEx()` with `LOAD_LIBRARY_SEARCH_SYSTEM32`. But either way, this is assuming `library.dll` is not already loaded, such as statically linked by another DLL. Otherwise, `LoadLibrary/Ex()` will just use the already loaded copy, regardless of the path specified. – Remy Lebeau Mar 24 '21 at 18:52
  • *to avoid hijacking from other directories when the DLL isn't present in System32* - why do you care about this at all? – RbMm Mar 24 '21 at 23:31
  • @RbMm: Security? https://support.microsoft.com/en-us/topic/secure-loading-of-libraries-to-prevent-dll-preloading-attacks-d41303ec-0748-9211-f317-2edc819682e1 – user541686 Mar 24 '21 at 23:35
  • But why do you need to care about this? Why do you assume that somebody will "attack" your process? And if your process really is a target, you cannot prevent this at all. What if somebody opens your process and injects code? What if your process is simply terminated? – RbMm Mar 24 '21 at 23:38
  • @RbMm: DLL hijacking is a well-known attack vector. It has been exploited in the past. There's a lot of literature on it. I would suggest Googling. If you feel it's a hoax then this isn't the place to debate it. – user541686 Mar 24 '21 at 23:46
  • @DavidHeffernan: Not if it's a well-known DLL. – user541686 Mar 24 '21 at 23:47
  • @RemyLebeau: I was wondering if this is possible when importing the DLL, not when loading it dynamically. – user541686 Mar 24 '21 at 23:48
  • @user541686 Statically-linked DLLs can't specify full paths, so Windows' standard [DLL search path](https://learn.microsoft.com/en-us/windows/win32/dlls/dynamic-link-library-search-order) is used, unless DLL Redirection or a Side-by-Side manifest is used instead. If you need more control over where a DLL is loaded from, you have to load it dynamically yourself. See [Dynamic-Link Library Security](https://learn.microsoft.com/en-us/windows/win32/dlls/dynamic-link-library-security). – Remy Lebeau Mar 25 '21 at 00:12
  • @RemyLebeau: That's why I was asking how I can specify this in a manifest. How do I specify this in a manifest? Or are you saying manifests can't do this? – user541686 Mar 25 '21 at 00:13
  • @user541686 see Microsoft's [manifest](https://learn.microsoft.com/en-us/windows/win32/sbscs/manifests) documentation, as well as SO posts like [DLL redirection using manifests](https://stackoverflow.com/questions/2100973/), [A way to load DLL from central repository](https://stackoverflow.com/questions/1969360/), [Altering DLL search path for static linked DLL](https://stackoverflow.com/questions/3832290/), etc. But, what DLL are you dependent on that can only exist in System32? Only system DLLs belong in there, don't put your own custom DLLs in there. – Remy Lebeau Mar 25 '21 at 00:23
  • @user541686 If you [`/delayLoad`](https://learn.microsoft.com/en-us/cpp/build/reference/delayload-delay-load-import?view=msvc-160) the DLL and handle [`dliNotePreLoadLibrary`](https://learn.microsoft.com/en-us/cpp/build/reference/understanding-the-helper-function?view=msvc-160) you can fully control what to load (or fail) where from. That said, I don't see how loading a DLL from System32 (only) provides any additional guarantees of integrity. – dxiv Mar 25 '21 at 00:24
  • @dxiv: Right, I know I can delay-load, that's what I'm doing if there isn't a solution for static loading. – user541686 Mar 25 '21 at 00:27
  • @RemyLebeau: I already skimmed those links, but I wasn't able to find anything that allowed me to specify System32 as the directory. It seems to me everything is regarding redirecting to a sibling folder. (The actual DLL shouldn't be relevant here, I don't want this to get sidetracked into an argument about whether my application has a need to load this DLL or not.) – user541686 Mar 25 '21 at 00:30

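The approach dxiv and Remy Lebeau describe in the comments (delay-load the import, handle `dliNotePreLoadLibrary`, load with `LOAD_LIBRARY_SEARCH_SYSTEM32`, and account for an already-loaded copy), as an added example that is not part of the question or any comment. It assumes a hypothetical import `example.dll` linked with `/DELAYLOAD:example.dll` and the MSVC delay-load helper (`delayimp.h`); the hook and the names `system32_only_hook` and `module_is_in_dir` are mine. The path check is portable C so it compiles and can be tested on any platform; the hook itself only builds on Windows.

```c
#include <ctype.h>
#include <string.h>

/* Return 1 if modpath (the path the loader reports for a module) lies directly
 * inside sysdir (e.g. C:\Windows\System32): case-insensitive, tolerates a
 * trailing backslash on sysdir, and rejects subdirectories such as
 * C:\Windows\System32\evil\x.dll or look-alikes such as C:\Windows\System32X\. */
int module_is_in_dir(const char *modpath, const char *sysdir)
{
    size_t n = strlen(sysdir);
    if (n == 0) return 0;
    if (sysdir[n - 1] == '\\') n--;                 /* normalise trailing separator */
    for (size_t i = 0; i < n; i++) {
        if (modpath[i] == '\0' ||
            tolower((unsigned char)modpath[i]) != tolower((unsigned char)sysdir[i]))
            return 0;
    }
    if (modpath[n] != '\\' || modpath[n + 1] == '\0') return 0;
    return strchr(modpath + n + 1, '\\') == NULL;   /* exactly one level below */
}

#ifdef _WIN32
#include <windows.h>
#include <delayimp.h>

/* Delay-load hook: on dliNotePreLoadLibrary we supply the HMODULE ourselves, so
 * the helper never runs a plain LoadLibrary that would walk the full search path. */
static FARPROC WINAPI system32_only_hook(unsigned dliNotify, PDelayLoadInfo pdli)
{
    if (dliNotify != dliNotePreLoadLibrary) return NULL;
    /* Search System32 only: no application directory, no CWD, no PATH. */
    HMODULE h = LoadLibraryExA(pdli->szDll, NULL, LOAD_LIBRARY_SEARCH_SYSTEM32);
    if (h == NULL) return NULL;                     /* helper raises its delay-load error */
    /* If the DLL was already mapped (e.g. statically imported by another module),
     * LoadLibraryEx returns that copy regardless of flags, so check the real path. */
    char sysdir[MAX_PATH], modpath[MAX_PATH];
    DWORD len = GetModuleFileNameA(h, modpath, sizeof modpath);
    if (len == 0 || len >= sizeof modpath ||        /* failed or truncated */
        GetSystemDirectoryA(sysdir, sizeof sysdir) == 0 ||
        !module_is_in_dir(modpath, sysdir)) {
        FreeLibrary(h);
        return NULL;
    }
    return (FARPROC)h;
}

/* Register the hook with the delay-load helper (linker: /DELAYLOAD:example.dll). */
ExternC const PfnDliHook __pfnDliNotifyHook2 = system32_only_hook;
#endif
```

Returning NULL from the hook makes the delay-load helper fail the import instead of falling back to the default search order, which is the "load from System32 or fail" behaviour the question asks for.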
0 Answers