Question
For example, COMDLG32.DLL implicitly links against the following system DLLs (among others): xmllite.dll, msftedit.dll, srvcli.dll, wkscli.dll, linkinfo.dll, netutils.dll, msi.dll
Since these are implicitly loaded by the operating system, not explicitly loaded using a LoadLibrary call, the hijack vulnerability workaround using SetDllDirectory does not affect these loads being done when COMDLG32.DLL is loaded.
Hence, after my application is loaded, and I hit Ctrl+O to use the File Open dialog, these "bad" DLLs (that exist in my EXE's folder) get loaded.
COMDLG32.DLL is loading the ones in my EXE folder, not the legitimate ones in the system folder, even though I am calling SetDllDirectory(""); in InitInstance() long before I launch the File Open dialog.
How can I get a system DLL (e.g. COMDLG32.DLL) to properly utilize the correct DLL for its implicitly loaded DLLs?
Answer 1:
SetDllDirectory("") removes the current/working directory from the DLL search path; it does not have any effect on the application directory (where your .exe is located).
You can call SetDefaultDllDirectories(LOAD_LIBRARY_SEARCH_SYSTEM32) if you want to limit yourself to the system32 directory.
Source: https://stackoverflow.com/questions/46180293/how-to-stop-dll-hijacking-for-secondary-implicitly-loaded-dlls
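The following is an added example, not code from the question or the answer: it applies the SetDefaultDllDirectories call from the answer at startup, then loads the DLLs named in the question by bare name and reports any that did not come from the system directory. The helper name path_is_under_dir and the audit loop are assumptions of this example, and it assumes a native build (same bitness as the OS), since a 32-bit process on 64-bit Windows sees these modules under a different directory than GetSystemDirectory reports.

```c
/* Added example: pin the default DLL search path to System32, then audit
   where the DLLs listed in the question are actually loaded from. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#ifdef _WIN32
#define _WIN32_WINNT 0x0602   /* make SetDefaultDllDirectories visible */
#include <windows.h>
#endif

/* Hypothetical helper: returns 1 if `path` lies under directory `dir`.
   Windows paths compare case-insensitively, and the character after the
   prefix must be a separator so "...\System32evil\x.dll" is rejected. */
int path_is_under_dir(const char *path, const char *dir)
{
    size_t n = strlen(dir);
    while (n > 0 && (dir[n - 1] == '\\' || dir[n - 1] == '/'))
        n--;                                  /* ignore trailing separators */
    if (n == 0 || strlen(path) <= n + 1)
        return 0;
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char)path[i]) != tolower((unsigned char)dir[i]))
            return 0;
    return path[n] == '\\' || path[n] == '/';
}

#ifdef _WIN32
int main(void)
{
    static const char *names[] = { "xmllite.dll", "msftedit.dll", "srvcli.dll",
        "wkscli.dll", "linkinfo.dll", "netutils.dll", "msi.dll" };
    char sysdir[MAX_PATH], path[MAX_PATH];
    int outside = 0;

    /* Call first thing at startup, before any dialog or LoadLibrary call. */
    if (!SetDefaultDllDirectories(LOAD_LIBRARY_SEARCH_SYSTEM32) ||
        !GetSystemDirectoryA(sysdir, MAX_PATH))
        return 2;
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++) {
        HMODULE h = LoadLibraryA(names[i]);   /* bare name: default dirs only */
        if (!h || !GetModuleFileNameA(h, path, MAX_PATH))
            continue;                         /* not present on this system */
        int ok = path_is_under_dir(path, sysdir);
        printf("%-14s %s%s\n", names[i], path, ok ? "" : "  <-- outside System32");
        outside += !ok;
    }
    return outside != 0;                      /* non-zero exit if any strayed */
}
#endif
```

With only LOAD_LIBRARY_SEARCH_SYSTEM32 set, DLLs the application ships in its own folder are no longer found by name and have to be loaded by full path.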