#1
Junior Member
Join Date: Mar 2017
Posts: 7
DLL hijacking vulnerability
I inspected the DLL hijacking vulnerability for my app's installer.
Procedure:
1. Placed DLL files into the directory where the installer was placed.
2. Executed the installer.
Then I found the DLL files below loaded from the directory where the installer was placed:
IMJP10K.DLL
apphelp.dll
GIMEJa.ime (if Google Japanese IME is used)
Environment:
NSIS version: 3.01
OS: Windows Vista Ultimate SP2 32bit
System language: Japanese
Is it an NSIS problem or a Windows problem?
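The check described in post #1 (which modules the installer actually mapped from its own directory) is usually done against a Process Monitor log. The script below is an added example, not code from this thread or from NSIS: it reads a Process Monitor CSV export (the default "Time of Day, Process Name, PID, Operation, Path, Result, Detail" column layout is assumed) and lists the successful Load Image events whose path is the installer's directory. The sample rows, process name and paths are constructed for illustration.

```python
import csv
import io
from pathlib import PureWindowsPath

# Constructed sample in the column layout of a Process Monitor CSV export
# (File > Save > CSV). Process name, paths and addresses are made up.
SAMPLE_CSV = """Time of Day,Process Name,PID,Operation,Path,Result,Detail
10:00:01.000,setup.exe,1234,Load Image,C:\\Users\\test\\Downloads\\setup.exe,SUCCESS,Image Base: 0x400000
10:00:01.010,setup.exe,1234,Load Image,C:\\Windows\\System32\\ntdll.dll,SUCCESS,Image Base: 0x77000000
10:00:01.020,setup.exe,1234,Load Image,C:\\Users\\test\\Downloads\\IMJP10K.DLL,SUCCESS,Image Base: 0x10000000
10:00:01.030,setup.exe,1234,Load Image,C:\\Users\\test\\Downloads\\apphelp.dll,SUCCESS,Image Base: 0x10100000
10:00:01.040,setup.exe,1234,Load Image,C:\\Windows\\System32\\version.dll,SUCCESS,Image Base: 0x75000000
10:00:01.050,setup.exe,1234,CreateFile,C:\\Users\\test\\Downloads\\version.dll,NAME NOT FOUND,Desired Access: Read
"""


def find_sideloaded_images(csv_text, process_name, installer_dir):
    """Return the image paths that `process_name` mapped from `installer_dir`.

    A successful Load Image event whose path sits in the installer's own
    directory (instead of %SystemRoot%\\System32) is the hijack-prone case
    discussed in the thread. CreateFile rows are ignored on purpose: a
    NAME NOT FOUND probe only shows the search order, not an actual load.
    """
    base = PureWindowsPath(installer_dir)  # Windows paths compare case-insensitively
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Process Name"].lower() != process_name.lower():
            continue
        if row["Operation"] != "Load Image" or row["Result"] != "SUCCESS":
            continue
        path = PureWindowsPath(row["Path"])
        # Skip the installer executable itself; only the modules it pulled in matter.
        if path.parent == base and path.suffix.lower() != ".exe":
            hits.append(str(path))
    return hits


if __name__ == "__main__":
    for image in find_sideloaded_images(SAMPLE_CSV, "setup.exe", r"C:\Users\test\Downloads"):
        print("loaded from installer directory:", image)
```

Run it against a real export by replacing SAMPLE_CSV with the file contents and passing the installer's process name and directory; every path it prints is a module Windows resolved from the installer's folder rather than System32.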
#2
Moderator
Join Date: Jun 2002
Location: ${NSISDIR}
Posts: 4,701
The problem is in Windows. There is also a bug in Vista that makes it hard for us to properly work around the issue.
We try to preload apphelp from system32; if the IME loads it first then there is nothing we can do. We only call SetErrorMode and GetVersion before we start preloading DLLs to try to help Windows not act stupid.
IntOp $PostCount $PostCount + 1
#3
Junior Member
Join Date: Mar 2017
Posts: 7
Anders,
Thank you for the reply. I will ask MS about this problem. I found GIMEJa.ime was loaded on Windows 7 (64bit). Is it also a Windows problem?
#4
Moderator
Join Date: Jun 2002
Location: ${NSISDIR}
Posts: 4,701
Support for Vista ends this April, MS is not going to do anything about this issue.
Yes. On Windows 7 and later we call SetDefaultDllDirectories if it is available to restrict loading to system32 only, but it is possible that the IME does something before we start executing our code.
IntOp $PostCount $PostCount + 1
#5
Junior Member
Join Date: Mar 2017
Posts: 7
I found version.dll was loaded on Windows 7 (64bit) and Windows 10 (64bit).
This DLL was solved by "Patch: 3_do_not_link_version_dll.patch", but is there any problem? https://sourceforge.net/p/nsis/bugs/1125/
#6
Moderator
Join Date: Jun 2002
Location: ${NSISDIR}
Posts: 4,701
Asking if there is a problem is not helpful without more information. Attaching a Process Monitor log might help.
SetDefaultDllDirectories is always called on Windows 10 and it is called on Windows 7 if it is available.
IntOp $PostCount $PostCount + 1
#7
Junior Member
Join Date: Mar 2017
Posts: 7
I have uploaded the Process Monitor log.
version.dll was loaded in the highlighted row. If you want to know other information, please let me know.
#8
Moderator
Join Date: Jun 2002
Location: ${NSISDIR}
Posts: 4,701
I don't have Office. I actually wanted a Process Monitor .pml log file, sorry for not making that clear.
IntOp $PostCount $PostCount + 1
#9
Junior Member
Join Date: Mar 2017
Posts: 7
Anders,
Here are the PML log files.
#10
Moderator
Join Date: Jun 2002
Location: ${NSISDIR}
Posts: 4,701
Thanks, these pml logs are interesting.
Trend Micro is hooking into the process; disable it (maybe just the UMH component/feature) and try again. You could also inspect those two Trend Micro .dlls with Dependency Walker (dependencywalker.com) and see if they import version.dll.
IntOp $PostCount $PostCount + 1
#11
Junior Member
Join Date: Mar 2017
Posts: 7
Thank you for the investigation.
I uninstalled Trend Micro VirusBuster, and then version.dll was not loaded. I also asked MS about this problem. They said the problem is in Trend Micro and it is resolved in the latest Win10 (ver. 1607). However, version.dll was loaded when VirusBuster was enabled in Win10 (ver. 1607). Anyway, it has become clear that the problem has not been in NSIS or my app. Thank you.
#12
Moderator
Join Date: Jun 2002
Location: ${NSISDIR}
Posts: 4,701
Did you ask on the Microsoft forum or a direct contact?
IntOp $PostCount $PostCount + 1
#13
Junior Member
Join Date: Mar 2017
Posts: 7
I asked a direct contact.