Merge pull request Squirrel#1444 from bitdisaster/dll_hijacking_fix

Dll hijacking fix
discord · Jun 1, 2020 · a43f16a · a43f16a
1 parent 95a588b
commit a43f16a
Show file tree

Hide file tree

Showing 2 changed files with 39 additions and 9 deletions.
diff --git a/src/Setup/Setup.vcxproj b/src/Setup/Setup.vcxproj
@@ -25,6 +25,7 @@
     <UseDebugLibraries>true</UseDebugLibraries>
     <PlatformToolset>v140</PlatformToolset>
     <CharacterSet>Unicode</CharacterSet>
+    <UseOfMfc>Static</UseOfMfc>
   </PropertyGroup>
   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
     <ConfigurationType>Application</ConfigurationType>
@@ -83,7 +84,8 @@
     <Link>
       <SubSystem>Windows</SubSystem>
       <GenerateDebugInformation>true</GenerateDebugInformation>
-      <AdditionalDependencies>kernel32.lib;user32.lib;gdi32.lib;winspool.lib;comdlg32.lib;advapi32.lib;shell32.lib;ole32.lib;oleaut32.lib;uuid.lib;odbc32.lib;odbccp32.lib;urlmon.lib;secur32.lib</AdditionalDependencies>
+      <AdditionalDependencies>kernel32.lib;user32.lib;advapi32.lib;shell32.lib;ole32.lib;oleaut32.lib;urlmon.lib</AdditionalDependencies>
+      <DelayLoadDLLs>user32.dll;advapi32.dll;shell32.dll;ole32.dll;oleaut32.dll;urlmon.dll;%(DelayLoadDLLs)</DelayLoadDLLs>
     </Link>
     <Manifest>
       <AdditionalManifestFiles>compat.manifest</AdditionalManifestFiles>
@@ -109,7 +111,8 @@
       <EnableCOMDATFolding>true</EnableCOMDATFolding>
       <OptimizeReferences>true</OptimizeReferences>
       <UACExecutionLevel>AsInvoker</UACExecutionLevel>
-      <AdditionalDependencies>kernel32.lib;user32.lib;gdi32.lib;winspool.lib;comdlg32.lib;advapi32.lib;shell32.lib;ole32.lib;oleaut32.lib;uuid.lib;odbc32.lib;odbccp32.lib;urlmon.lib;secur32.lib</AdditionalDependencies>
+      <AdditionalDependencies>kernel32.lib;user32.lib;advapi32.lib;shell32.lib;ole32.lib;oleaut32.lib;urlmon.lib</AdditionalDependencies>
+      <DelayLoadDLLs>user32.dll;advapi32.dll;shell32.dll;ole32.dll;oleaut32.dll;urlmon.dll;%(DelayLoadDLLs)</DelayLoadDLLs>
     </Link>
     <Manifest>
       <AdditionalManifestFiles>compat.manifest</AdditionalManifestFiles>
@@ -137,7 +140,8 @@
       <EnableCOMDATFolding>true</EnableCOMDATFolding>
       <OptimizeReferences>true</OptimizeReferences>
       <UACExecutionLevel>AsInvoker</UACExecutionLevel>
-      <AdditionalDependencies>kernel32.lib;user32.lib;gdi32.lib;winspool.lib;comdlg32.lib;advapi32.lib;shell32.lib;ole32.lib;oleaut32.lib;uuid.lib;odbc32.lib;odbccp32.lib;urlmon.lib;secur32.lib</AdditionalDependencies>
+      <AdditionalDependencies>kernel32.lib;user32.lib;advapi32.lib;shell32.lib;ole32.lib;oleaut32.lib;urlmon.lib</AdditionalDependencies>
+      <DelayLoadDLLs>user32.dll;advapi32.dll;shell32.dll;ole32.dll;oleaut32.dll;urlmon.dll;%(DelayLoadDLLs)</DelayLoadDLLs>
     </Link>
     <Manifest>
       <AdditionalManifestFiles>compat.manifest</AdditionalManifestFiles>

diff --git a/src/Setup/winmain.cpp b/src/Setup/winmain.cpp
@@ -8,23 +8,49 @@
 #include "MachineInstaller.h"
 #include <cstdio>
 #include <cstdarg>
+#include <string>
 
 CAppModule _Module;
 
 typedef BOOL(WINAPI *SetDefaultDllDirectoriesFunction)(DWORD DirectoryFlags);
 
-int APIENTRY wWinMain(_In_ HINSTANCE hInstance,
-                      _In_opt_ HINSTANCE hPrevInstance,
-                      _In_ LPWSTR lpCmdLine,
-                      _In_ int nCmdShow)
+// Some libraries are still loaded from the current directories.
+// If we pre-load them with an absolute path then we are good.
+void PreloadLibs()
+{
+	wchar_t sys32Folder[MAX_PATH];
+	GetSystemDirectory(sys32Folder, MAX_PATH);
+
+	std::wstring version = (std::wstring(sys32Folder) + L"\\version.dll");
+	std::wstring logoncli = (std::wstring(sys32Folder) + L"\\logoncli.dll");
+	std::wstring sspicli = (std::wstring(sys32Folder) + L"\\sspicli.dll");
+
+	LoadLibrary(version.c_str());
+	LoadLibrary(logoncli.c_str());
+	LoadLibrary(sspicli.c_str());
+}
+
+void MitigateDllHijacking()
 {
-	// Attempt to mitigate http://textslashplain.com/2015/12/18/dll-hijacking-just-wont-die
+	// Set the default DLL lookup directory to System32 for ourselves and kernel32.dll
+	SetDefaultDllDirectories(LOAD_LIBRARY_SEARCH_SYSTEM32);
+
 	HMODULE hKernel32 = LoadLibrary(L"kernel32.dll");
 	ATLASSERT(hKernel32 != NULL);
 
-	SetDefaultDllDirectoriesFunction pfn = (SetDefaultDllDirectoriesFunction) GetProcAddress(hKernel32, "SetDefaultDllDirectories");
+	SetDefaultDllDirectoriesFunction pfn = (SetDefaultDllDirectoriesFunction)GetProcAddress(hKernel32, "SetDefaultDllDirectories");
 	if (pfn) { (*pfn)(LOAD_LIBRARY_SEARCH_SYSTEM32); }
 
+	PreloadLibs();
+}
+
+int APIENTRY wWinMain(_In_ HINSTANCE hInstance,
+                      _In_opt_ HINSTANCE hPrevInstance,
+                      _In_ LPWSTR lpCmdLine,
+                      _In_ int nCmdShow)
+{
+	MitigateDllHijacking();	
+
 	int exitCode = -1;
 	CString cmdLine(lpCmdLine);