Whenever I try to use SetDLLDirectoryA (SetDllDirectoryA function (winbase.h) - Win32 apps | Microsoft Docs), I always get an access violation.
Now the reason for doing this is that I want to force where a DLL is loaded from.
There is a reg setting, HKLM\system\currentcontrolset\control\session manager\SafeDLLSearchMode (DWORD), which when created and set to 0 switches off DLL Safe Search.
Dynamic-Link Library Search Order - Win32 apps | Microsoft Docs
Dynamic-Link Library Security - Win32 apps | Microsoft Docs
There is a list of known safe DLLs, which can be found at HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs, which are a few Windows DLLs, like kernel32.dll, so switching safe search off would make it possible to use (guessing, not tried) a malicious version of the Windows DLLs.
SetDllDirectoryA also switches off the SafeSearch, so when I tried to do a proof of concept, all I get is access violations when trying to use this API. Now I should stress this is an offline development machine, and whilst I can see the API call in the DLL and create a lib file for it, it just crashes when the code is called, making me wonder if this is some sort of fake API call built into kernel32.dll.
Anyone got any ideas if it's a genuine API call or some sort of API bait?
I did see on an MS webpage a comment in a code example that the path can be included for security reasons, negating having to rely on the DLL search order, by using GetSystemDirectoryA (GetSystemDirectoryA function (sysinfoapi.h) - Win32 apps | Microsoft Docs) and GetWindowsDirectoryA (GetWindowsDirectoryA function (sysinfoapi.h) - Win32 apps | Microsoft Docs), but I've not established if the SxS (Side by Side assemblies - a solution to DLL Hell), which is specified in the app manifest file, can still override any specified path.
Anyone know if the manifest file can override a path specified in api calls like LoadLibrary(Ex), GetModuleHandle(Ex)? Not tried yet, just curious.
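
Added example, not part of the original post: the full-path approach mentioned above (GetSystemDirectoryA plus the DLL name), written in C. `build_dll_path` and `load_system_dll` are hypothetical helper names and `version.dll` is only a sample name; the Win32 part compiles only on Windows.

```c
#include <stdio.h>
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#endif

/* Join a directory and a bare DLL file name into a fully qualified path.
   Returns 0 on success, -1 if the name is not a bare file name or the
   result does not fit in out. (Hypothetical helper, not a Win32 API.) */
int build_dll_path(const char *dir, const char *name, char *out, size_t outlen)
{
    size_t dlen = strlen(dir);
    int n;

    /* Reject empty input and any name carrying a path, drive or stream part. */
    if (dlen == 0 || name[0] == '\0' || strpbrk(name, "\\/:") != NULL)
        return -1;
    /* Avoid a doubled separator when dir already ends with one (e.g. "C:\"). */
    n = snprintf(out, outlen, "%s%s%s", dir,
                 (dir[dlen - 1] == '\\') ? "" : "\\", name);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

#ifdef _WIN32
/* Load a DLL from the system directory by full path, so the DLL search
   order is not used to locate it. (Hypothetical helper.) */
HMODULE load_system_dll(const char *name)
{
    char sysdir[MAX_PATH], full[MAX_PATH];
    UINT len = GetSystemDirectoryA(sysdir, sizeof sysdir);

    if (len == 0 || len >= sizeof sysdir)   /* failure or buffer too small */
        return NULL;
    if (build_dll_path(sysdir, name, full, sizeof full) != 0)
        return NULL;
    return LoadLibraryExA(full, NULL, 0);
}

int main(void)
{
    HMODULE h = load_system_dll("version.dll");   /* sample DLL name */
    printf("version.dll %s\n", h ? "loaded from the system directory" : "not loaded");
    if (h) FreeLibrary(h);
    return h ? 0 : 1;
}
#endif
```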