diff --git a/src/burn/stub/precomp.h b/src/burn/stub/precomp.h index bb7ded9c2..46239a6ca 100644 --- a/src/burn/stub/precomp.h +++ b/src/burn/stub/precomp.h @@ -9,6 +9,7 @@ #include #include +#include #include #include #include diff --git a/src/burn/stub/stub.cpp b/src/burn/stub/stub.cpp index 339a54da3..9c9dfeef9 100644 --- a/src/burn/stub/stub.cpp +++ b/src/burn/stub/stub.cpp @@ -2,6 +2,10 @@ #include "precomp.h" +static const HRESULT E_SUSPECTED_TAMPERING = MAKE_HRESULT(SEVERITY_ERROR, 500/*FACILITY_WIX*/, 2001); + +static void AvoidLocalDllRedirection(LPCWSTR wzPath); + int WINAPI wWinMain( __in HINSTANCE hInstance, @@ -52,6 +56,8 @@ int WINAPI wWinMain( AppInitialize(rgsczSafelyLoadSystemDlls, countof(rgsczSafelyLoadSystemDlls)); } + AvoidLocalDllRedirection(sczPath); + // call run hr = EngineRun(hInstance, hEngineFile, lpCmdLine, nCmdShow, &dwExitCode); ExitOnFailure(hr, "Failed to run application."); @@ -63,3 +69,23 @@ int WINAPI wWinMain( return FAILED(hr) ? (int)hr : (int)dwExitCode; } + +static void AvoidLocalDllRedirection(LPCWSTR wzPath) +{ + LPWSTR sczLocalPath = NULL; + HMODULE hmodComCtl = NULL; + + // Bail if there's a .exe.local directory, as it's a feature of + // DLL redirection that has no real use for a bundle and is a hole for + // DLL hijacking attacks. + + if (FAILED(StrAllocFormatted(&sczLocalPath, L"%ls.local", wzPath)) + || DirExists(sczLocalPath, NULL) + || FileExistsEx(sczLocalPath, NULL) + || FAILED(LoadSystemLibrary(L"Comctl32.dll", &hmodComCtl))) + { + ::ExitProcess((UINT)E_SUSPECTED_TAMPERING); + } + + ReleaseStr(sczLocalPath); +} diff --git a/src/burn/stub/stub.vcxproj b/src/burn/stub/stub.vcxproj index 29da8d054..03f492099 100644 --- a/src/burn/stub/stub.vcxproj +++ b/src/burn/stub/stub.vcxproj @@ -63,6 +63,7 @@ true true cabinet.dll;crypt32.dll;msi.dll;shlwapi.dll;userenv.dll;version.dll;wininet.dll;wintrust.dll + /DEPENDENTLOADFLAG:0x800 %(AdditionalOptions)