DLL hijacking vulnerability

[masat]

I inspected DLL hijacking vulnerability for my app's installer.

Procedure:
1.Placed DLL files into the directory which the installer placed.
2.Execute installer

Then I found below DLL files loaded from directory which the installer placed.

IMJP10K.DLL
apphelp.dll
GIMEJa.ime (If Google Japanese IME use)

Environment:
NSIS version : 3.01
OS : Windows Vista Ultimate SP2 32bit
System language : Japanese

Is it NSIS problem or Windows?

[Anders]

The problem is in Windows. There is also a bug in Vista that makes it hard for us to properly work around the issue.

We try to preload apphelp from system32, if the IME loads it first then there is nothing we can do. We only call SetErrorMode and GetVersion before we start preloading DLLs to try to help Windows not acting stupid.

[masat]

Anders,

Thank you for reply.
I will ask MS about this problem.

I found GIMEJa.ime was loaded on Windows7 (64bit).
Is it also Windows problem?

[Anders]

Quote:

Originally Posted by masat

Thank you for reply.
I will ask MS about this problem.

Support for Vista ends this April, MS is not going to do anything about this issue.

Quote:

Originally Posted by masat

I found GIMEJa.ime was loaded on Windows7 (64bit).
Is it also Windows problem?

Yes. On Windows 7 and later we call SetDefaultDllDirectories if it is available to restrict loading to system32 only but it is possible that the IME does something before we start executing our code.

[masat]

I found version.dll was loaded on Windows7 (64bit) and Windows10 (64bit).

This DLL was solved by "Patch: 3_do_not_link_version_dll.patch" but is there any problem?
https://sourceforge.net/p/nsis/bugs/1125/

[Anders]

Asking if there is a problem is not helpful without more information. Attaching a Process Monitor log might help.

SetDefaultDllDirectories is always called on Windows 10 and it is called on Windows 7 if it is available.

[masat]

I have uploaded the Process Monitor log.
version.dll was loaded in highlighted row.

If you want to know other infomation, please let me know.

[Anders]

I don't have Office. I actually wanted a Process Monitor .pml log file, sorry for not making that clear.

[masat]

Anders,

Here is PML log files.

[Anders]

Thanks, these pml logs are interesting.

Trend Micro is hooking into the process, disable it (maybe just the UMH component/feature) and try again. You could also inspect those two Trend Micro .dlls with Dependency Walker (dependencywalker.com) and see if they import version.dll.

[masat]

Thank you for investigation.

I uninstalled trend micro virusbuster then version.dll was not loaded.
I also asked MS this problem. They said the problem is in trend micro and it resolved in the latest Win10(ver.1607). However, version.dll was loaded when virusbuster enabled in WIn10(ver.1607).

Anyway, it has become clear that the problem has not been in NSIS or myapp.
Thank you.

[Anders]

Did you ask on the Microsoft forum or a direct contact?

[masat]

I asked direct contact.