[vlc-devel] [PATCH] win32: do not load wininet.dll on startup, it's not a Known DLL

Jean-Baptiste Kempf jb at videolan.org
Fri Mar 10 18:22:13 CET 2017

On Fri, 10 Mar 2017, at 18:17, Rémi Denis-Courmont wrote:
> You can't load kernel32.dll at run-time anyway, since it contains the
> run-time 
> loader.

Take any of those. Remove gdi or advapi or user32 or any other library
that we link statically against.
Show me how.

> > If you can change advapi32, kernel32, user32, shell32, psapi or
> > msvcrt.dll and change them to either not be KnownDLL or be modified,
> > then your system security is fucked.
> Sure. And if an attacker can overwrite any (other) of the MSDN documented 
> DLLs, I am fucked too. Whether or not it´s a known DLL.
> Because plenty of executables will link them in the PE header.

And your point is?

winmm.dll and wininet.dll are not knowndll, so putting a dll named like
that on a portable VLC, next to VLC.exe will load them, in the normal
configuration, without being admin.

So, our implibs for vlc.exe/libvlccore.dll/libvlc.dll can only be
KnownDLLs. For any other library we shit, we have protection.

Jean-Baptiste Kempf -  President
+33 672 704 734

More information about the vlc-devel mailing list