I think I have researched this pretty thoroughly and I have not found an acceptable answer. First the broad strokes: Windows 8.1, Visual Studio 2013. Although, I don't think these are important.
Problem as follows. The application I am writing makes use of A.dll. We use a third-party vendor product (a backup program, but again this is not important) that has installed a Context Menu Handler control under HKEY_CLASSES_ROOT\Directory\shellex\ContextMenuHandlers. Let's say the path to this is c:\Program Files\Vendor\control.dll.
Now, the issue is that when my program opens a file chooser dialog (it's a Qt program that uses QFileDialog which then uses the standard Windows one), this control is loaded to provide context-sensitive right-click functionality. This control depends on a different version of "A.dll" and when control.dll is loaded, my program promptly crashes.
I don't need this extra functionality. What I would love to do is to prevent this specific dll (control.dll) from loading in my process. In an object-oriented world I would simply overload LoadLibrary(), check for this specific DLL, and then call the standard one otherwise. However this doesn't seem feasible.
Is there an easy way to do this?
Thanks! Dan
DLL hijacking is a cyberattack method that injects an infected file within the search parameters of an application. A user then attempts to load a file from that directory and instead loads the infected DLL file. This infected file takes action when the application is loaded.
DLLs are shared resources on the same machine and can be used by multiple processes on the same machine.
If an attacker gains control of one of the directories, they can force the application to load a malicious copy of the DLL instead of the DLL that it was expecting. These attacks are known as “DLL preloading attacks” and are common to all operating systems that support dynamically loading shared DLL libraries.
Once running, enable viewing of loaded DLLs by either pressing CTRL+D or using the View > Lower Pane View > DLLs entry from the menu bar. Select the target process in the upper pane. The lower pane should now show loaded modules.
To prevent the vendor.dll from loading, you can use a hook on the following Win32 API functions: LoadLibrary and LoadLibraryEx, which are responsible for dynamically loading DLLs and which are also used to load shell extensions. The hook is really assembler code at the code site of the LoadLibrary function, which redirects (jumps) to a function defined by yourself. In this function you can then intercept any call to vendor.dll being loaded and just return 0, which indicates that the library could not be loaded.
Some example code showing how to go about it using the MinHook library:
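
    #include <windows.h>
    #include "MinHook.h"

    // Trampoline to the original LoadLibraryA, filled in by MH_CreateHook.
    typedef HMODULE (WINAPI *LoadLibraryA_t)(LPCSTR);
    static LoadLibraryA_t loadLibraryA_Original = NULL;

    // Supplied by the application: returns true if this DLL may be loaded.
    bool isInWhiteList(LPCSTR lpFileName);

    // Detour for LoadLibraryA. The parameter is LPCSTR (not LPCTSTR) so the
    // signature matches the ANSI function even in a Unicode build.
    HMODULE WINAPI LoadLibraryA_check(_In_ LPCSTR lpFileName)
    {
        if (isInWhiteList(lpFileName))
            return loadLibraryA_Original(lpFileName);
        else
        {
            // Pretend that the module was not found by returning
            // 126 (0x7E): "The specified module could not be found."
            SetLastError(ERROR_MOD_NOT_FOUND);
            return NULL;
        }
    }

    bool installWhitelistFilter()
    {
        // Initialize MinHook.
        if (MH_Initialize() != MH_OK)
            return false;
        // Create the hook; the original entry point is returned as a trampoline.
        if (MH_CreateHook(&LoadLibraryA, &LoadLibraryA_check,
                reinterpret_cast<LPVOID*>(&loadLibraryA_Original)) != MH_OK)
            return false;
        if (MH_EnableHook(&LoadLibraryA) != MH_OK)
            return false;
        // same for LoadLibraryW, LoadLibraryExW, LoadLibraryExA
        return true;
    }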
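
One way to write the name check that the hook above leaves undefined, as an added example (not the answerer's code and not part of MinHook). The names normalizedModuleName, isBlockedModule and kBlockedModules are hypothetical; the extension handling follows the documented LoadLibrary rule that a name without an extension gets .dll appended unless it ends in a dot, and applying that rule to names that include a path is an assumption made here so the block list errs toward matching.

```cpp
#include <algorithm>
#include <cctype>
#include <string>
#include <vector>

// Constructed block list for illustration; control.dll is the name from the question.
static const std::vector<std::string> kBlockedModules = { "control.dll" };

// Reduce a LoadLibrary-style argument to the lower-case file name to compare.
// Hypothetical helper: ASCII case folding only, narrow strings only.
std::string normalizedModuleName(const char* lpFileName)
{
    if (lpFileName == nullptr)
        return std::string();
    std::string name(lpFileName);

    // Windows accepts both '\' and '/' as separators; keep the last component.
    const std::size_t sep = name.find_last_of("\\/");
    if (sep != std::string::npos)
        name.erase(0, sep + 1);

    // File names are case-insensitive, so CONTROL.DLL must match control.dll.
    std::transform(name.begin(), name.end(), name.begin(),
                   [](unsigned char c) { return static_cast<char>(std::tolower(c)); });

    if (name.empty())
        return name;
    if (name.back() == '.')
        name.pop_back();      // trailing dot: caller asked for no default extension
    else if (name.find('.') == std::string::npos)
        name += ".dll";       // no extension given: the default one is appended
    return name;
}

// True if the requested module is on the block list, however the caller spelled it.
bool isBlockedModule(const char* lpFileName)
{
    const std::string name = normalizedModuleName(lpFileName);
    return std::find(kBlockedModules.begin(), kBlockedModules.end(), name)
           != kBlockedModules.end();
}
```

In the hook above, isInWhiteList(lpFileName) could then be written as !isBlockedModule(lpFileName); the W variants need the same comparison on wide strings.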