load dll safely

Have a suggestion for "Everything"? Please post it here.
Post Reply
hjy
Posts: 1
Joined: Fri Oct 25, 2019 11:25 am

load dll safely

Post by hjy »

I noticed everything installer use LoadLibraryA to load dlls, according to microsoft's recommendations:

Where possible, use a fully qualified path name when loading a library;
Remove the current directory from the search path by using SetDLLDirectory;
Do not use SearchPath to locate a library. SearchPath was not intended to look for libraries to be loaded into the application process space, and uses an insecure search order;
Do not attempt to load libraries purely to identify the version of Windows. Instead, use GetVersionEx or a similar function offered by the Windows API.

(https://msrc-blog.microsoft.com/2010/08 ... ck-vector/)

For example, if SHFOLDER.dll is in the same directory of Everything-1.4.1.935.x86-Setup.exe/Everything-1.4.1.935.x64-Setup.exe then this SHFOLDER.dll will get executed.
void
Developer
Posts: 17159
Joined: Fri Oct 16, 2009 11:31 pm

Re: load dll safely

Post by void »

This is a limitation with the nsis installer.
This is not an issue with msi installer.

The plan is to use my own installer for future releases.

Thanks for the suggestion.

The installed Everything.exe will always use fully qualified names when calling LoadLibrary.
Post Reply