Dynamically loading libraries in an application can lead to vulnerabilities if not secured properly. In this blog post we talk about loading a library using LoadLibraryEx() API and make use of options to make it safe.
Know the defaults:
Control the DLL search order:
There are various option to modify the order in which the loading library is searched other than the default search order when absolute name is provided.
Some of the APIs that can influence the DLL search order/path by the LoadLibraryEx() are as below:
LoadLibraryEx() provide many flags that can be used to alter the default search order. Below table lists most of the flags and also depicts the DLL search order that is followed for each of them. Some of the options even consider the paths set with above mentioned APIs.
Table 1: Depicting different options to the LoadLibraryEx and how it affects the DLL search order.
Loading library as non-executable:It is not always required to load a library as an executable image. LoadLibraryEx() makes it possible to load a library as a data file, or an image resource, for example. For this purpose, it supports following different options:
These options helps in treating a file as a normal data file rather as an executable module. Loading with this option doesn't call DLLMain() and none of the memory space of the loaded DLL data is marked as executable.
Blocking the library from loading:Sometimes it might be required to block a library or block an illegitimate library from loading into an application. Check out following facilities to aid that:
To summarize our discussion:
To ensure secure loading of libraries
Some common attack vectors we see:
- Swamy Shivaganga Nagaraju, MSRC engineering team