SafeDLLPath.pas
unit SafeDLLPath;
{
Inno Setup
Copyright (C) 1997-2024 Jordan Russell
Portions by Martijn Laan
For conditions of distribution and use, see LICENSE.TXT.
To provide protection against "DLL preloading" attacks, this unit calls
SetDefaultDllDirectories. SetDefaultDllDirectories is available on Windows 8
and newer, and on previous versions that have the KB2533623 update installed
which was released in July 2011.
It also calls SetSearchPathMode to enable "safe search mode", which causes
SearchPath, and callers of SearchPath such as CreateProcess, to search the
current directory after the system directories (rather than before).
Finally, it calls SetProcessDEPPolicy (where available) to enable DEP for
the lifetime of the process. (This has nothing to do with search paths;
it's just convenient to put the call here.)
This unit should be listed at the top of the program's "uses" clause to
ensure that it runs prior to any LoadLibrary calls that other units might
make during their initialization. (The System unit will always initialize
first, though.)
}
interface
implementation
uses
Windows;
const
  { Flag passed to SetDefaultDllDirectories: limits the default search order
    used by later LoadLibrary calls to the System32 directory. }
  LOAD_LIBRARY_SEARCH_SYSTEM32 = $00000800;
  { Flags passed to SetSearchPathMode. PERMANENT means safe search mode
    cannot be switched off again for the rest of the process. }
  BASE_SEARCH_PATH_ENABLE_SAFE_SEARCHMODE = $00000001;
  BASE_SEARCH_PATH_PERMANENT = $00008000;

type
  { Shape shared by the three kernel32 entry points used below:
    one DWORD of flags in, BOOL out. }
  TKernelFlagsFunc = function(Flags: DWORD): BOOL; stdcall;

{ Resolves ProcName in Module at run time and, if the export exists, calls it
  with Flags. A missing export is skipped silently so the unit still loads on
  Windows versions that lack the API. The BOOL result is discarded, so a call
  that fails is not reported either. }
procedure CallIfExported(const Module: HMODULE; const ProcName: PAnsiChar;
  const Flags: DWORD);
var
  Func: TKernelFlagsFunc;
begin
  Func := GetProcAddress(Module, ProcName);
  if Assigned(Func) then
    Func(Flags);
end;

var
  Kernel32Handle: HMODULE;

initialization
  { NOTE(review): these calls only affect library loads made after this point.
    DLLs bound through the executable's import table are mapped by the loader
    before any unit initialization runs, so they are not covered here. }
  Kernel32Handle := GetModuleHandle(kernel32);

  { 1. DLL preloading defence: search System32 only by default. A DLL that
       lives elsewhere then has to be loaded by full path. }
  CallIfExported(Kernel32Handle, PAnsiChar('SetDefaultDllDirectories'),
    LOAD_LIBRARY_SEARCH_SYSTEM32);

  { 2. Safe search mode for SearchPath and its callers, made permanent. }
  CallIfExported(Kernel32Handle, PAnsiChar('SetSearchPathMode'),
    BASE_SEARCH_PATH_ENABLE_SAFE_SEARCHMODE or BASE_SEARCH_PATH_PERMANENT);

  { 3. DEP for the process; unrelated to search paths. }
  CallIfExported(Kernel32Handle, PAnsiChar('SetProcessDEPPolicy'),
    PROCESS_DEP_ENABLE);
end.