<p>So it seems it's impossible to redirect calls to LoadLibrary with absolute paths using manifests.</p>
<p>After a lot of playing around with manifests, it seems that once you get past all the bad documentation, manifests are actually stupidly simple.</p>
<p>Basically, when the executable is loaded, Windows collects all the related manifests that are linked using the identity and dependency elements. Then, for each file element contained in the manifest files, it adds an entry into the activation context:</p>
<pre><code>'name attribute of file element' -&gt; 'absolute path of manifest file' + 'name attribute of file element'
</code></pre>
<p>Now when a LoadLibrary call is made, it searches the activation context map for a key that matches the path argument of LoadLibrary, and then does the LoadLibrary with the value for that key.</p>
<p>So if my application c:\foo\foo.exe has a dependency on the manifest in c:\foo\baa\baa.manifest, and baa.manifest contains a file element <code>&lt;file name="empty.dll"/&gt;</code>, then the activation context will have a mapping: <code>"empty.dll" -&gt; "c:\foo\baa\empty.dll"</code></p>
<p>So any calls to <code>LoadLibrary("empty.dll")</code> will be redirected to <code>LoadLibrary("C:\foo\baa\empty.dll")</code>.</p>
<p>However, <code>LoadLibrary("c:\anotherpath\empty.dll")</code> will not be redirected!</p>
<p>Now to prove my point of how stupidly simple manifest files and activation contexts are: if the file element of baa.manifest was <code>&lt;file name="c:\anotherpath\empty.dll"/&gt;</code> and you made a <code>LoadLibrary("C:\anotherpath\empty.dll")</code> call, the LoadLibrary call will be redirected to <code>LoadLibrary("C:\foo\baa\C:\anotherpath\empty.dll")</code>, yes, a malformed path...</p>
<p>The file element does have an undocumented attribute called "loadFrom", which does what it sounds like, and seems like it's perfect to solve this problem. Using loadFrom, I was able to redirect an absolute path LoadLibrary call, but it seemed to screw up other dependencies in the executable in weird ways. If someone knows more about how "loadFrom" works I would be very interested.</p>
<p>So how did I solve my problem in the end? By using an incredibly heavy-handed approach of DLL Trojaning described at <a href="http://www.ethicalhacker.net/content/view/207/2/" rel="noreferrer">Ethical Hacker</a>. Basically you create a dummy kernel32.dll that redirects all calls to the original kernel32.dll, except for the LoadLibrary calls, in which you place your own redirection logic. Then in the application's manifest, you place a file element that redirects the kernel32.dll to your dummy. Fun.</p>
<p>All this describes my experiments on Windows XP SP2. For extra fun I'm led to believe manifests behave differently on almost every version of Windows.</p>
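The two manifests that produce the <code>"empty.dll" -&gt; "c:\foo\baa\empty.dll"</code> mapping the answer walks through, written out as an added example (not the answer author's files): the application manifest declares the dependency, and the private assembly manifest in the <code>baa</code> subdirectory carries the file element. The assembly names <code>foo</code> and <code>baa</code> come from the answer; the version numbers and the use of an external (side-by-side) manifest file are assumptions.

```xml
<!-- File 1 (assumed location): c:\foo\foo.exe.manifest
     External manifest next to the executable. The dependentAssembly
     identity must match the identity in the private assembly's manifest,
     otherwise the loader reports a side-by-side configuration error. -->
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <assemblyIdentity type="win32" name="foo" version="1.0.0.0"/>
  <dependency>
    <dependentAssembly>
      <!-- Private assembly: the loader probes c:\foo\baa.manifest and
           c:\foo\baa\baa.manifest relative to the application directory. -->
      <assemblyIdentity type="win32" name="baa" version="1.0.0.0"/>
    </dependentAssembly>
  </dependency>
</assembly>

<!-- File 2 (assumed location): c:\foo\baa\baa.manifest
     Each <file> element becomes an activation-context entry keyed by its
     name attribute, with the value built from this manifest's directory:
       "empty.dll" -> "c:\foo\baa\empty.dll"
     Only LoadLibrary("empty.dll") is redirected; LoadLibrary with an
     absolute path is looked up by its full string and finds no key. -->
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <assemblyIdentity type="win32" name="baa" version="1.0.0.0"/>
  <file name="empty.dll"/>
</assembly>
```

Because private assemblies are resolved from the application directory, whoever can write a manifest or DLL into that directory controls where relative-name loads go; restricting write access to the install directory and checking the activation context (for example with sxstrace on later Windows versions) is what keeps this redirection under the application owner's control.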