api: fix dll hijacking vulns

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
author: Jason A. Donenfeld <Jason@zx2c4.com> 2020-10-30 11:43:47 +0100
committer: Simon Rozman <simon@rozman.si> 2020-10-31 10:41:48 +0100
commit: c928ad4de734efa62766ad62f539283f72af80e8 (patch)
tree: f7171ca74b24ca2ce2a3b2ed785e2871196ed9e0
parent: api: simplify driver removal (diff)
download: wintun-c928ad4de734efa62766ad62f539283f72af80e8.tar.xz
wintun-c928ad4de734efa62766ad62f539283f72af80e8.zip
4 files changed, 20 insertions, 3 deletions
diff --git a/api/api.c b/api/api.c
index 72c7633..531a160 100644
--- a/api/api.c
+++ b/api/api.c
@@ -43,6 +43,18 @@ cleanupKey:
     return Result;
 }
 
+static FARPROC WINAPI DelayedLoadLibraryHook(unsigned dliNotify, PDelayLoadInfo pdli)
+{
+    if (dliNotify != dliNotePreLoadLibrary)
+        return NULL;
+    HMODULE Library = LoadLibraryExA(pdli->szDll, NULL, LOAD_LIBRARY_SEARCH_SYSTEM32);
+    if (!Library)
+        abort();
+    return (FARPROC)Library;
+}
+
+const PfnDliHook __pfnDliNotifyHook2 = DelayedLoadLibraryHook;
+
 BOOL APIENTRY
 DllMain(_In_ HINSTANCE hinstDLL, _In_ DWORD fdwReason, _In_ LPVOID lpvReserved)
 {
diff --git a/api/api.vcxproj b/api/api.vcxproj
index 8bb4092..bb70111 100644
--- a/api/api.vcxproj
+++ b/api/api.vcxproj
@@ -158,7 +158,8 @@
       <PreprocessorDefinitions Condition="'$(Platform)'=='ARM64'">_M_ARM64=1;%(PreprocessorDefinitions)</PreprocessorDefinitions>
     </ResourceCompile>
     <Link>
-      <AdditionalDependencies>Bcrypt.lib;Cfgmgr32.lib;Crypt32.lib;Iphlpapi.lib;newdev.lib;ntdll.lib;Setupapi.lib;shlwapi.lib;%(AdditionalDependencies)</AdditionalDependencies>
+      <DelayLoadDLLs>bcrypt.dll;iphlpapi.dll</DelayLoadDLLs>
+      <AdditionalDependencies>Bcrypt.lib;Crypt32.lib;Cfgmgr32.lib;Iphlpapi.lib;ntdll.lib;Setupapi.lib;shlwapi.lib;%(AdditionalDependencies)</AdditionalDependencies>
       <ModuleDefinitionFile>exports.def</ModuleDefinitionFile>
       <SubSystem>Windows</SubSystem>
     </Link>
diff --git a/api/nci.c b/api/nci.c
index f57423d..21257ed 100644
--- a/api/nci.c
+++ b/api/nci.c
@@ -18,9 +18,9 @@ DWORD(WINAPI *NciGetConnectionName)
 void
 NciInit(void)
 {
-    NciModule = LoadLibraryW(L"nci.dll");
+    NciModule = LoadLibraryExW(L"nci.dll", NULL, LOAD_LIBRARY_SEARCH_SYSTEM32);
     if (!NciModule)
-        return;
+        abort();
     NciSetConnectionName =
         (DWORD(WINAPI *)(const GUID *, const WCHAR *))GetProcAddress(NciModule, "NciSetConnectionName");
     NciGetConnectionName =
diff --git a/api/pch.h b/api/pch.h
index 930a034..3898a76 100644
--- a/api/pch.h
+++ b/api/pch.h
@@ -15,6 +15,8 @@
 #include "resource.h"
 #include "wintun.h"
 
+#pragma warning(push)
+#pragma warning(disable: 4201) /* nonstandard extension used: nameless struct/union */
 #include <bcrypt.h>
 #include <cfgmgr32.h>
 #include <devguid.h>
@@ -30,4 +32,6 @@
 #include <Shlwapi.h>
 #include <string.h>
 #include <TlHelp32.h>
+#include <delayimp.h>
 #include <wchar.h>
+#pragma warning(pop)
author	Jason A. Donenfeld <Jason@zx2c4.com>	2020-10-30 11:43:47 +0100
committer	Simon Rozman <simon@rozman.si>	2020-10-31 10:41:48 +0100
commit	c928ad4de734efa62766ad62f539283f72af80e8 (patch)
tree	f7171ca74b24ca2ce2a3b2ed785e2871196ed9e0
parent	api: simplify driver removal (diff)
download	wintun-c928ad4de734efa62766ad62f539283f72af80e8.tar.xz wintun-c928ad4de734efa62766ad62f539283f72af80e8.zip