How to avoid dll-Hijack issue  ?

We have a normal C++ MFC application but we kept a .dll file in the same path where our application resides. When we start the application the dll file present in the current directory also loaded and fall in an infinite loop and our real application is non-responsive because the name of the dll is one of the System module dll that is loaded by the framework from the system path.

The reason is it look in the currentdir instead of the system path on Priprity of Dll search.
How we can avoid this dll hijack issue in Windows ?

Means how to avoid the search of dll from current directory rather look at system path at first priority
0
LVL 32

Expert Comment

by:Zoppo
Hi Sudhansu Panda,

I think this probably can be can acchieved by registering the DLL as a 'Known DLL' - I didn't use it myself before, but from some comments I found I think this is what you need:

"The only thing KnownDLLs does is prevent implicitly loaded DLLs being loaded from the applications folder." - see https://stackoverflow.com/questions/3555749/microsoft-known-dll

"KnownDLL’s is a mechanism in Windows NT (and win9x) that allows the system to “cache” commonly used system DLLs.  It was originally added to improve application load time, but it also can be considered a security mechanism, since it prevents people from exploiting weak application directory permissions by dropping in Trojan horse versions of system DLLs" - see https://blogs.msdn.microsoft.com/larryosterman/2004/07/19/what-are-known-dlls-anyway/

Hope this helps,

ZOPPO
0

Author Comment

by:Sudhansu Panda
Thank you for this. Yes i tried to add dll in there but it says permission denied
How can i do that ?
Do the admin have access to this entry ?

Regards
Sudhansu
0

Author Comment

by:Sudhansu Panda
I have added the following entry by opening the command prompt with Admin privileges

C:\windows\system32>REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control
\Session Manager\KnownDLLs" /v dwmapi /t REG_SZ /d dwmapi.dll
ERROR: Access is denied.

Can you let me know how to add the dll names here in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control
\Session Manager\KnownDLLs entry
0
LVL 32

Expert Comment

by:Zoppo
Yes, to enter information in the registry in HKEY_LOCALMACHINE someone usually needs to be an admin.

It wouldn't make much sense if any user could change this, because each malware running with user right could change it too.
0

Keep in touch with Experts Exchange

Tech news and trends delivered to your inbox every month