Hesham/wintun
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

api: fix dll hijacking vulns

Browse Source 
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
This commit is contained in:
Jason A. Donenfeld 2020-10-30 11:43:47 +01:00 committed by Simon Rozman
parent abf6962144
commit c928ad4de7
4 changed files with 20 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
api/api.c
View File

@ -43,6 +43,18 @@ cleanupKey:
return Result; return Result;
} }
static FARPROC WINAPI DelayedLoadLibraryHook(unsigned dliNotify, PDelayLoadInfo pdli)
{
if (dliNotify != dliNotePreLoadLibrary)
return NULL;
HMODULE Library = LoadLibraryExA(pdli->szDll, NULL, LOAD_LIBRARY_SEARCH_SYSTEM32);
if (!Library)
abort();
return (FARPROC)Library;
}
const PfnDliHook __pfnDliNotifyHook2 = DelayedLoadLibraryHook;
BOOL APIENTRY BOOL APIENTRY
DllMain(_In_ HINSTANCE hinstDLL, _In_ DWORD fdwReason, _In_ LPVOID lpvReserved) DllMain(_In_ HINSTANCE hinstDLL, _In_ DWORD fdwReason, _In_ LPVOID lpvReserved)
{ {

3
api/api.vcxproj
View File

@ -158,7 +158,8 @@
<PreprocessorDefinitions Condition="'$(Platform)'=='ARM64'">_M_ARM64=1;%(PreprocessorDefinitions)</PreprocessorDefinitions> <PreprocessorDefinitions Condition="'$(Platform)'=='ARM64'">_M_ARM64=1;%(PreprocessorDefinitions)</PreprocessorDefinitions>
</ResourceCompile> </ResourceCompile>
<Link> <Link>
<AdditionalDependencies>Bcrypt.lib;Cfgmgr32.lib;Crypt32.lib;Iphlpapi.lib;newdev.lib;ntdll.lib;Setupapi.lib;shlwapi.lib;%(AdditionalDependencies)</AdditionalDependencies> <DelayLoadDLLs>bcrypt.dll;iphlpapi.dll</DelayLoadDLLs>
<AdditionalDependencies>Bcrypt.lib;Crypt32.lib;Cfgmgr32.lib;Iphlpapi.lib;ntdll.lib;Setupapi.lib;shlwapi.lib;%(AdditionalDependencies)</AdditionalDependencies>
<ModuleDefinitionFile>exports.def</ModuleDefinitionFile> <ModuleDefinitionFile>exports.def</ModuleDefinitionFile>
<SubSystem>Windows</SubSystem> <SubSystem>Windows</SubSystem>
</Link> </Link>

4
api/nci.c
View File

@ -18,9 +18,9 @@ DWORD(WINAPI *NciGetConnectionName)
void void
NciInit(void) NciInit(void)
{ {
NciModule = LoadLibraryW(L"nci.dll"); NciModule = LoadLibraryExW(L"nci.dll", NULL, LOAD_LIBRARY_SEARCH_SYSTEM32);
if (!NciModule) if (!NciModule)
return; abort();
NciSetConnectionName = NciSetConnectionName =
(DWORD(WINAPI *)(const GUID *, const WCHAR *))GetProcAddress(NciModule, "NciSetConnectionName"); (DWORD(WINAPI *)(const GUID *, const WCHAR *))GetProcAddress(NciModule, "NciSetConnectionName");
NciGetConnectionName = NciGetConnectionName =

4
api/pch.h
View File

@ -15,6 +15,8 @@
#include "resource.h" #include "resource.h"
#include "wintun.h" #include "wintun.h"
#pragma warning(push)
#pragma warning(disable: 4201) /* nonstandard extension used: nameless struct/union */
#include <bcrypt.h> #include <bcrypt.h>
#include <cfgmgr32.h> #include <cfgmgr32.h>
#include <devguid.h> #include <devguid.h>
@ -30,4 +32,6 @@
#include <Shlwapi.h> #include <Shlwapi.h>
#include <string.h> #include <string.h>
#include <TlHelp32.h> #include <TlHelp32.h>
#include <delayimp.h>
#include <wchar.h> #include <wchar.h>
#pragma warning(pop)