Prevent DLL search order hijacking for VentoyPlugson.exe and VentoyVlnk.exe

dcc58896 · longpanda · 04828df0 · dcc58896 · dcc58896 · dcc58896
Commit dcc58896 authored Apr 05, 2022 by longpanda
7 changed files
--- a/Plugson/src/main_windows.c
+++ b/Plugson/src/main_windows.c
@@ -464,6 +464,60 @@ static int ParseCmdLine(LPSTR lpCmdLine, char *ip, char *port)
 	return 0;
 }

+
+
+//
+//copy from Rufus
+//
+#include <delayimp.h>
+// For delay-loaded DLLs, use LOAD_LIBRARY_SEARCH_SYSTEM32 to avoid DLL search order hijacking.
+FARPROC WINAPI dllDelayLoadHook(unsigned dliNotify, PDelayLoadInfo pdli)
+{
+	if (dliNotify == dliNotePreLoadLibrary) {
+		// Windows 7 without KB2533623 does not support the LOAD_LIBRARY_SEARCH_SYSTEM32 flag.
+		// That is is OK, because the delay load handler will interrupt the NULL return value
+		// to mean that it should perform a normal LoadLibrary.
+		return (FARPROC)LoadLibraryExA(pdli->szDll, NULL, LOAD_LIBRARY_SEARCH_SYSTEM32);
+	}
+	return NULL;
+}
+
+#if defined(_MSC_VER)
+// By default the Windows SDK headers have a `const` while MinGW does not.
+const
+#endif
+PfnDliHook __pfnDliNotifyHook2 = dllDelayLoadHook;
+
+typedef BOOL(WINAPI* SetDefaultDllDirectories_t)(DWORD);
+static void DllProtect(void)
+{
+	SetDefaultDllDirectories_t pfSetDefaultDllDirectories = NULL;
+
+	// Disable loading system DLLs from the current directory (sideloading mitigation)
+	// PS: You know that official MSDN documentation for SetDllDirectory() that explicitly
+	// indicates that "If the parameter is an empty string (""), the call removes the current
+	// directory from the default DLL search order"? Yeah, that doesn't work. At all.
+	// Still, we invoke it, for platforms where the following call might actually work...
+	SetDllDirectoryA("");
+
+	// For libraries on the KnownDLLs list, the system will always load them from System32.
+	// For other DLLs we link directly to, we can delay load the DLL and use a delay load
+	// hook to load them from System32. Note that, for this to work, something like:
+	// 'somelib.dll;%(DelayLoadDLLs)' must be added to the 'Delay Loaded Dlls' option of
+	// the linker properties in Visual Studio (which means this won't work with MinGW).
+	// For all other DLLs, use SetDefaultDllDirectories(LOAD_LIBRARY_SEARCH_SYSTEM32).
+	// Finally, we need to perform the whole gymkhana below, where we can't call on
+	// SetDefaultDllDirectories() directly, because Windows 7 doesn't have the API exposed.
+	// Also, no, Coverity, we never need to care about freeing kernel32 as a library.
+	// coverity[leaked_storage]
+
+	pfSetDefaultDllDirectories = (SetDefaultDllDirectories_t)
+		GetProcAddress(LoadLibraryW(L"kernel32.dll"), "SetDefaultDllDirectories");
+	if (pfSetDefaultDllDirectories != NULL)
+		pfSetDefaultDllDirectories(LOAD_LIBRARY_SEARCH_SYSTEM32);
+}
+
+
 int APIENTRY WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, INT nCmdShow)
 {
    int rc;
@@ -472,6 +526,8 @@ int APIENTRY WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLi

    UNREFERENCED_PARAMETER(hPrevInstance);

+	DllProtect();
+
    if (GetUserDefaultUILanguage() == 0x0804)
    {
        g_sysinfo.language = LANGUAGE_CN;

--- a/Plugson/vs/VentoyPlugson/Release/VentoyPlugson.exe
+++ b/Plugson/vs/VentoyPlugson/Release/VentoyPlugson.exe
--- a/Plugson/vs/VentoyPlugson/VentoyPlugson/VentoyPlugson.vcxproj
+++ b/Plugson/vs/VentoyPlugson/VentoyPlugson/VentoyPlugson.vcxproj
@@ -14,18 +14,19 @@
    <ProjectGuid>{321D6EE2-2AB3-4103-9F05-EC4EC67A75E1}</ProjectGuid>
    <Keyword>Win32Proj</Keyword>
    <RootNamespace>VentoyPlugson</RootNamespace>
+    <WindowsTargetPlatformVersion>10.0</WindowsTargetPlatformVersion>
  </PropertyGroup>
  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
    <ConfigurationType>Application</ConfigurationType>
    <UseDebugLibraries>true</UseDebugLibraries>
-    <PlatformToolset>v120</PlatformToolset>
+    <PlatformToolset>v142</PlatformToolset>
    <CharacterSet>MultiByte</CharacterSet>
  </PropertyGroup>
  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
    <ConfigurationType>Application</ConfigurationType>
    <UseDebugLibraries>false</UseDebugLibraries>
-    <PlatformToolset>v120</PlatformToolset>
+    <PlatformToolset>v142</PlatformToolset>
    <WholeProgramOptimization>true</WholeProgramOptimization>
    <CharacterSet>MultiByte</CharacterSet>
  </PropertyGroup>
@@ -61,6 +62,7 @@
      <SubSystem>Windows</SubSystem>
      <GenerateDebugInformation>true</GenerateDebugInformation>
      <UACExecutionLevel>RequireAdministrator</UACExecutionLevel>
+      <DelayLoadDLLs>gdi32.dll;winspool.dll;comdlg32.dll;advapi32.dll;shell32.dll;ole32.dll;oleaut32.dll;uuid.dll;odbc32.dll;odbccp32.dll</DelayLoadDLLs>
    </Link>
    <Manifest>
      <AdditionalManifestFiles>$(ProjectDir)\Res\Plugson32.manifest %(AdditionalManifestFiles)</AdditionalManifestFiles>
@@ -84,6 +86,7 @@
      <EnableCOMDATFolding>true</EnableCOMDATFolding>
      <OptimizeReferences>true</OptimizeReferences>
      <UACExecutionLevel>RequireAdministrator</UACExecutionLevel>
+      <DelayLoadDLLs>gdi32.dll;winspool.dll;comdlg32.dll;advapi32.dll;shell32.dll;ole32.dll;oleaut32.dll;uuid.dll;odbc32.dll;odbccp32.dll</DelayLoadDLLs>
    </Link>
    <Manifest>
      <AdditionalManifestFiles>$(ProjectDir)\Res\Plugson32.manifest %(AdditionalManifestFiles)</AdditionalManifestFiles>
@@ -151,7 +154,7 @@
  <ItemGroup>
    <ResourceCompile Include="VentoyPlugson.rc" />
  </ItemGroup>
-  <ItemGroup>   
+  <ItemGroup>
    <Image Include="Res\plugson.ico" />
  </ItemGroup>
  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />

--- a/Plugson/vs/VentoyPlugson/VentoyPlugson/VentoyPlugson.vcxproj.filters
+++ b/Plugson/vs/VentoyPlugson/VentoyPlugson/VentoyPlugson.vcxproj.filters
@@ -167,7 +167,7 @@
    </ResourceCompile>
  </ItemGroup>
  <ItemGroup>
-    <Image Include="Res\refresh.ico">
+    <Image Include="Res\plugson.ico">
      <Filter>资源文件</Filter>
    </Image>
  </ItemGroup>

--- a/Vlnk/src/main_windows.c
+++ b/Vlnk/src/main_windows.c
@@ -831,6 +831,58 @@ static int ParseCmdLine(LPSTR lpCmdLine)
    return argc;
 }

+
+//
+//copy from Rufus
+//
+#include <delayimp.h>
+// For delay-loaded DLLs, use LOAD_LIBRARY_SEARCH_SYSTEM32 to avoid DLL search order hijacking.
+FARPROC WINAPI dllDelayLoadHook(unsigned dliNotify, PDelayLoadInfo pdli)
+{
+    if (dliNotify == dliNotePreLoadLibrary) {
+        // Windows 7 without KB2533623 does not support the LOAD_LIBRARY_SEARCH_SYSTEM32 flag.
+        // That is is OK, because the delay load handler will interrupt the NULL return value
+        // to mean that it should perform a normal LoadLibrary.
+        return (FARPROC)LoadLibraryExA(pdli->szDll, NULL, LOAD_LIBRARY_SEARCH_SYSTEM32);
+    }
+    return NULL;
+}
+
+#if defined(_MSC_VER)
+// By default the Windows SDK headers have a `const` while MinGW does not.
+const
+#endif
+PfnDliHook __pfnDliNotifyHook2 = dllDelayLoadHook;
+
+typedef BOOL(WINAPI *SetDefaultDllDirectories_t)(DWORD);
+static void DllProtect(void)
+{
+    SetDefaultDllDirectories_t pfSetDefaultDllDirectories = NULL;
+
+    // Disable loading system DLLs from the current directory (sideloading mitigation)
+    // PS: You know that official MSDN documentation for SetDllDirectory() that explicitly
+    // indicates that "If the parameter is an empty string (""), the call removes the current
+    // directory from the default DLL search order"? Yeah, that doesn't work. At all.
+    // Still, we invoke it, for platforms where the following call might actually work...
+    SetDllDirectoryA("");
+
+    // For libraries on the KnownDLLs list, the system will always load them from System32.
+    // For other DLLs we link directly to, we can delay load the DLL and use a delay load
+    // hook to load them from System32. Note that, for this to work, something like:
+    // 'somelib.dll;%(DelayLoadDLLs)' must be added to the 'Delay Loaded Dlls' option of
+    // the linker properties in Visual Studio (which means this won't work with MinGW).
+    // For all other DLLs, use SetDefaultDllDirectories(LOAD_LIBRARY_SEARCH_SYSTEM32).
+    // Finally, we need to perform the whole gymkhana below, where we can't call on
+    // SetDefaultDllDirectories() directly, because Windows 7 doesn't have the API exposed.
+    // Also, no, Coverity, we never need to care about freeing kernel32 as a library.
+    // coverity[leaked_storage]
+
+    pfSetDefaultDllDirectories = (SetDefaultDllDirectories_t)
+        GetProcAddress(LoadLibraryW(L"kernel32.dll"), "SetDefaultDllDirectories");
+    if (pfSetDefaultDllDirectories != NULL)
+        pfSetDefaultDllDirectories(LOAD_LIBRARY_SEARCH_SYSTEM32);
+}
+
 int APIENTRY WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, INT nCmdShow)
 {
    DWORD dwAttrib;
@@ -838,6 +890,8 @@ int APIENTRY WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLi

    UNREFERENCED_PARAMETER(hPrevInstance);

+    DllProtect();
+
    if (GetUserDefaultUILanguage() == 0x0804)
    {
        g_msg_lang = g_msg_cn;

--- a/Vlnk/vs/VentoyVlnk/Release/VentoyVlnk.exe
+++ b/Vlnk/vs/VentoyVlnk/Release/VentoyVlnk.exe
--- a/Vlnk/vs/VentoyVlnk/VentoyVlnk/VentoyVlnk.vcxproj
+++ b/Vlnk/vs/VentoyVlnk/VentoyVlnk/VentoyVlnk.vcxproj
@@ -14,18 +14,19 @@
    <ProjectGuid>{9987D9FE-1A40-4C5F-835C-D66B0FEADA26}</ProjectGuid>
    <Keyword>Win32Proj</Keyword>
    <RootNamespace>VentoyVlnk</RootNamespace>
+    <WindowsTargetPlatformVersion>10.0</WindowsTargetPlatformVersion>
  </PropertyGroup>
  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
    <ConfigurationType>Application</ConfigurationType>
    <UseDebugLibraries>true</UseDebugLibraries>
-    <PlatformToolset>v120</PlatformToolset>
+    <PlatformToolset>v142</PlatformToolset>
    <CharacterSet>Unicode</CharacterSet>
  </PropertyGroup>
  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
    <ConfigurationType>Application</ConfigurationType>
    <UseDebugLibraries>false</UseDebugLibraries>
-    <PlatformToolset>v120</PlatformToolset>
+    <PlatformToolset>v142</PlatformToolset>
    <WholeProgramOptimization>true</WholeProgramOptimization>
    <CharacterSet>Unicode</CharacterSet>
  </PropertyGroup>
@@ -61,6 +62,7 @@
      <SubSystem>Windows</SubSystem>
      <GenerateDebugInformation>true</GenerateDebugInformation>
      <UACExecutionLevel>RequireAdministrator</UACExecutionLevel>
+      <DelayLoadDLLs>gdi32.dll;winspool.dll;comdlg32.dll;advapi32.dll;shell32.dll;ole32.dll;oleaut32.dll;uuid.dll;odbc32.dll;odbccp32.dll</DelayLoadDLLs>
    </Link>
    <Manifest>
      <AdditionalManifestFiles>$(ProjectDir)\Res\Vlnk32.manifest %(AdditionalManifestFiles)</AdditionalManifestFiles>
@@ -84,6 +86,7 @@
      <EnableCOMDATFolding>true</EnableCOMDATFolding>
      <OptimizeReferences>true</OptimizeReferences>
      <UACExecutionLevel>RequireAdministrator</UACExecutionLevel>
+      <DelayLoadDLLs>gdi32.dll;winspool.dll;comdlg32.dll;advapi32.dll;shell32.dll;ole32.dll;oleaut32.dll;uuid.dll;odbc32.dll;odbccp32.dll</DelayLoadDLLs>
    </Link>
    <Manifest>
      <AdditionalManifestFiles>$(ProjectDir)\Res\Vlnk32.manifest %(AdditionalManifestFiles)</AdditionalManifestFiles>