From a43f16afa460a9a36097c5c87912c6f20870b8e0 Mon Sep 17 00:00:00 2001 From: Paul Betts Date: Wed, 30 Jan 2019 15:53:52 -0800 Subject: [PATCH] Merge pull request #1444 from bitdisaster/dll_hijacking_fix Dll hijacking fix --- src/Setup/Setup.vcxproj | 10 +++++++--- src/Setup/winmain.cpp | 38 ++++++++++++++++++++++++++++++++------ 2 files changed, 39 insertions(+), 9 deletions(-) diff --git a/src/Setup/Setup.vcxproj b/src/Setup/Setup.vcxproj index 8a85caf46..40cf7805b 100644 --- a/src/Setup/Setup.vcxproj +++ b/src/Setup/Setup.vcxproj @@ -25,6 +25,7 @@ true v140 Unicode + Static Application @@ -83,7 +84,8 @@ Windows true - kernel32.lib;user32.lib;gdi32.lib;winspool.lib;comdlg32.lib;advapi32.lib;shell32.lib;ole32.lib;oleaut32.lib;uuid.lib;odbc32.lib;odbccp32.lib;urlmon.lib;secur32.lib + kernel32.lib;user32.lib;advapi32.lib;shell32.lib;ole32.lib;oleaut32.lib;urlmon.lib + user32.dll;advapi32.dll;shell32.dll;ole32.dll;oleaut32.dll;urlmon.dll;%(DelayLoadDLLs) compat.manifest @@ -109,7 +111,8 @@ true true AsInvoker - kernel32.lib;user32.lib;gdi32.lib;winspool.lib;comdlg32.lib;advapi32.lib;shell32.lib;ole32.lib;oleaut32.lib;uuid.lib;odbc32.lib;odbccp32.lib;urlmon.lib;secur32.lib + kernel32.lib;user32.lib;advapi32.lib;shell32.lib;ole32.lib;oleaut32.lib;urlmon.lib + user32.dll;advapi32.dll;shell32.dll;ole32.dll;oleaut32.dll;urlmon.dll;%(DelayLoadDLLs) compat.manifest @@ -137,7 +140,8 @@ true true AsInvoker - kernel32.lib;user32.lib;gdi32.lib;winspool.lib;comdlg32.lib;advapi32.lib;shell32.lib;ole32.lib;oleaut32.lib;uuid.lib;odbc32.lib;odbccp32.lib;urlmon.lib;secur32.lib + kernel32.lib;user32.lib;advapi32.lib;shell32.lib;ole32.lib;oleaut32.lib;urlmon.lib + user32.dll;advapi32.dll;shell32.dll;ole32.dll;oleaut32.dll;urlmon.dll;%(DelayLoadDLLs) compat.manifest diff --git a/src/Setup/winmain.cpp b/src/Setup/winmain.cpp index 8747a54b9..57a60706d 100644 --- a/src/Setup/winmain.cpp +++ b/src/Setup/winmain.cpp 
@@ -8,23 +8,49 @@ #include "MachineInstaller.h" #include #include +#include CAppModule _Module; typedef BOOL(WINAPI *SetDefaultDllDirectoriesFunction)(DWORD DirectoryFlags); -int APIENTRY wWinMain(_In_ HINSTANCE hInstance, - _In_opt_ HINSTANCE hPrevInstance, - _In_ LPWSTR lpCmdLine, - _In_ int nCmdShow) +// Some libraries are still loaded from the current directories. +// If we pre-load them with an absolute path then we are good. +void PreloadLibs() +{ + wchar_t sys32Folder[MAX_PATH]; + GetSystemDirectory(sys32Folder, MAX_PATH); + + std::wstring version = (std::wstring(sys32Folder) + L"\\version.dll"); + std::wstring logoncli = (std::wstring(sys32Folder) + L"\\logoncli.dll"); + std::wstring sspicli = (std::wstring(sys32Folder) + L"\\sspicli.dll"); + + LoadLibrary(version.c_str()); + LoadLibrary(logoncli.c_str()); + LoadLibrary(sspicli.c_str()); +} + +void MitigateDllHijacking() { - // Attempt to mitigate http://textslashplain.com/2015/12/18/dll-hijacking-just-wont-die + // Set the default DLL lookup directory to System32 for ourselves and kernel32.dll + SetDefaultDllDirectories(LOAD_LIBRARY_SEARCH_SYSTEM32); + HMODULE hKernel32 = LoadLibrary(L"kernel32.dll"); ATLASSERT(hKernel32 != NULL); - SetDefaultDllDirectoriesFunction pfn = (SetDefaultDllDirectoriesFunction) GetProcAddress(hKernel32, "SetDefaultDllDirectories"); + SetDefaultDllDirectoriesFunction pfn = (SetDefaultDllDirectoriesFunction)GetProcAddress(hKernel32, "SetDefaultDllDirectories"); if (pfn) { (*pfn)(LOAD_LIBRARY_SEARCH_SYSTEM32); } + PreloadLibs(); +} + +int APIENTRY wWinMain(_In_ HINSTANCE hInstance, + _In_opt_ HINSTANCE hPrevInstance, + _In_ LPWSTR lpCmdLine, + _In_ int nCmdShow) +{ + MitigateDllHijacking(); + int exitCode = -1; CString cmdLine(lpCmdLine);
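Review bot: In PreloadLibs() the return value of GetSystemDirectory is not checked, so on failure `sys32Folder` is read uninitialized, and the three LoadLibrary results are discarded, so a failed preload leaves the mitigation silently inactive. In MitigateDllHijacking() the added direct call `SetDefaultDllDirectories(LOAD_LIBRARY_SEARCH_SYSTEM32);` duplicates the GetProcAddress call that follows and turns the export into a hard import, which presumably defeats the reason for the dynamic lookup on systems where kernel32 lacks it; I would drop the direct call and keep the `pfn` path, checking its BOOL result. The global `CAppModule _Module;` is constructed before wWinMain runs, so it is worth confirming that its constructor does not trigger any of the delay-loaded DLLs before the search path is restricted. A checked version of PreloadLibs() is sketched below; ATLASSERT is debug-only, so release builds still need a decision on what a failed preload should do.

```cpp
void PreloadLibs()
{
    wchar_t sys32Folder[MAX_PATH];
    const UINT len = GetSystemDirectory(sys32Folder, MAX_PATH);
    if (len == 0 || len >= MAX_PATH) {
        // No trusted absolute path available; never fall back to a relative load.
        ATLASSERT(FALSE);
        return;
    }

    const std::wstring sys32(sys32Folder, len);
    const wchar_t* names[] = { L"\\version.dll", L"\\logoncli.dll", L"\\sspicli.dll" };
    for (const wchar_t* name : names) {
        // A NULL result means the later implicit load still uses the default search order.
        HMODULE loaded = LoadLibrary((sys32 + name).c_str());
        ATLASSERT(loaded != NULL);
    }
}
```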