Testing DLL Search Order Hijacking against security features.
[QUOTE="ForgottenSeer 97327, post: 1014079"]
Forgive my naive post in this thread. I thought that enabling safe search mode would stop DLL hijacking?

[SPOILER="Registry key"]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager]
"SafeDllSearchMode"=dword:00000001
[/SPOILER]

EDIT 1

According to Microsoft it is enabled by default now.

[SPOILER="SafeDllSearchMode order"]
Safe DLL search mode is enabled by default.

If [B]SafeDllSearchMode[/B] is enabled, the search order is as follows:

[LIST=1]
[*]The directory from which the application loaded.
[*]The system directory. Use the [URL='https://learn.microsoft.com/en-us/windows/desktop/api/sysinfoapi/nf-sysinfoapi-getsystemdirectorya'][B]GetSystemDirectory[/B][/URL] function to get the path of this directory.
[*]The 16-bit system directory. There is no function that obtains the path of this directory, but it is searched.
[*]The Windows directory. Use the [URL='https://learn.microsoft.com/en-us/windows/desktop/api/sysinfoapi/nf-sysinfoapi-getwindowsdirectorya'][B]GetWindowsDirectory[/B][/URL] function to get the path of this directory.
[*]The current directory.
[*]The directories that are listed in the PATH environment variable. Note that this does not include the per-application path specified by the [B]App Paths[/B] registry key. The [B]App Paths[/B] key is not used when computing the DLL search path.
[/LIST]
[/SPOILER]

EDIT 2

I am understanding it now: by starting an application in a user folder, the replacement DLL hijacks the DLL loading because it is in "the directory from which the application loaded". :eek:

;) Luckily my WDAC policy only allows Microsoft-signed (and Syncback) DLLs to execute in user space. :cool:
[/QUOTE]
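As an added example (not code from the post or from Microsoft), a small Python model of the search order quoted above, used from the defender's side to answer the question in the post: given where copies of a DLL exist, which copy wins, and does it come from a directory an allow-list policy such as WDAC has to cover? It also models the legacy order with SafeDllSearchMode disabled (current directory searched second), which the post does not quote; the directory paths, user name and planted copies are constructed.

```python
from pathlib import PureWindowsPath
# Assumed default system locations.
SYSTEM_DIR = r"C:\Windows\System32"
SYSTEM16_DIR = r"C:\Windows\System"
WINDOWS_DIR = r"C:\Windows"
TRUSTED_DIRS = (SYSTEM_DIR, SYSTEM16_DIR, WINDOWS_DIR)

def search_order(app_dir, cwd, path_dirs, safe_mode=True):
    """Directories consulted, in order, for a DLL requested by bare name.
    safe_mode=True is the order quoted in the post (SafeDllSearchMode=1);
    safe_mode=False is the legacy order, which moves the current directory
    up to second place. KnownDLLs, manifests and redirection are not modelled."""
    order = [app_dir]
    if not safe_mode:
        order.append(cwd)
    order.extend(TRUSTED_DIRS)
    if safe_mode:
        order.append(cwd)
    order.extend(path_dirs)
    return order

def resolve(dll_name, order, files):
    """First candidate path present in `files` (a constructed filesystem:
    a set of lower-cased full paths), or None when nothing matches."""
    for d in order:
        candidate = str(PureWindowsPath(d) / dll_name)
        if candidate.lower() in files:
            return candidate
    return None

def loaded_from_untrusted_dir(resolved):
    """True when the winning copy sits outside the Windows system directories,
    which is the load an allow-list policy such as WDAC is there to block."""
    if resolved is None:
        return False
    trusted = {PureWindowsPath(d) for d in TRUSTED_DIRS}  # case-insensitive compare
    return PureWindowsPath(resolved).parent not in trusted

# Constructed scenario: an installer run from Downloads with a file share as the
# current directory; the legitimate version.dll lives in System32.
APP_DIR = r"C:\Users\alice\Downloads"
CWD = r"\\fileserver\share"
PATH_DIRS = [r"C:\Program Files\Git\cmd"]

def where_loaded(planted_dirs, safe_mode):
    """Resolve version.dll when extra copies exist in `planted_dirs`."""
    files = {str(PureWindowsPath(d) / "version.dll").lower()
             for d in (SYSTEM_DIR, *planted_dirs)}
    hit = resolve("version.dll", search_order(APP_DIR, CWD, PATH_DIRS, safe_mode), files)
    return hit, loaded_from_untrusted_dir(hit)
```

The two scenarios show the post's point: a copy planted in the application directory wins whether safe mode is on or off, while a copy planted in the current directory is only beaten by System32 when safe mode is on.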