[vlc-devel] [PATCH] win32: do not load wininet.dll on startup, it's not a Known DLL
Jean-Baptiste Kempf
jb at videolan.org
Fri Mar 10 18:22:13 CET 2017
On Fri, 10 Mar 2017, at 18:17, Rémi Denis-Courmont wrote:
> You can't load kernel32.dll at run-time anyway, since it contains the
> run-time
> loader.
Take any of those. Remove gdi or advapi or user32 or any other library
that we link statically against.
Show me how.
> > If you can change advapi32, kernel32, user32, shell32, psapi or
> > msvcrt.dll and change them to either not be KnownDLL or be modified,
> > then your system security is fucked.
>
> Sure. And if an attacker can overwrite any (other) of the MSDN documented
> DLLs, I am fucked too. Whether or not it´s a known DLL.
>
> Because plenty of executables will link them in the PE header.
And your point is?
winmm.dll and wininet.dll are not knowndll, so putting a dll named like
that on a portable VLC, next to VLC.exe will load them, in the normal
configuration, without being admin.
So, our implibs for vlc.exe/libvlccore.dll/libvlc.dll can only be
KnownDLLs. For any other library we shit, we have protection.
--
Jean-Baptiste Kempf - President
+33 672 704 734
More information about the vlc-devel
mailing list