View Single Post
  #17  
Old 08-28-2022, 05:30
Stingered Stingered is offline
Friend
 
Join Date: Dec 2017
Posts: 198
Rept. Given: 0
Rept. Rcvd 1 Time in 1 Post
Thanks Given: 253
Thanks Rcvd at 138 Times in 67 Posts
Stingered Reputation: 2
Quote:
Originally Posted by FoxB View Post
ok
we can not load dll from %systemroot%\system32 in some situations.
the behavior is change if used the registry data for "SafeDllSearchMode" is set 1 in
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager]

or
"DevOverrideEnable" is set 1 in
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
with .local for the executable file extension
I don't understand how setting SafeDllSearchMode to 1, change any behavior. Value 1 is enabled and ON by default (at least on current OS - XP/Win7 probably not). But this value only change the search order, not remove them:

Standard Search Order for Desktop Applications
The standard DLL search order used by the system depends on whether safe DLL search mode is enabled or disabled. Safe DLL search mode places the user's current directory later in the search order.

Safe DLL search mode is enabled by default. To disable this feature, create the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\SafeDllSearchMode registry value and set it to 0. Calling the SetDllDirectory function effectively disables SafeDllSearchMode while the specified directory is in the search path and changes the search order as described in this topic.

If SafeDllSearchMode is enabled, the search order is as follows:

The directory from which the application loaded.
The system directory. Use the GetSystemDirectory function to get the path of this directory.
The 16-bit system directory. There is no function that obtains the path of this directory, but it is searched.
The Windows directory. Use the GetWindowsDirectory function to get the path of this directory.
The current directory.
The directories that are listed in the PATH environment variable. Note that this does not include the per-application path specified by the App Paths registry key. The App Paths key is not used when computing the DLL search path.


If SafeDllSearchMode is disabled, the search order is as follows:

The directory from which the application loaded.
The current directory.
The system directory. Use the GetSystemDirectory function to get the path of this directory.
The 16-bit system directory. There is no function that obtains the path of this directory, but it is searched.
The Windows directory. Use the GetWindowsDirectory function to get the path of this directory.
The directories that are listed in the PATH environment variable. Note that this does not include the per-application path specified by the App Paths registry key. The App Paths key is not used when computing the DLL search path.


Also, the DevOverrideEnable is used for DLL redirection.

hxxps://github.com/MicrosoftDocs/win32/blob/docs/desktop-src/Dlls/dynamic-link-library-redirection.md

There must be a PEfilename.exe.local file created in the same directory of the "older" DLL to allow the dependent application to load from the location on executable that need specific DLL.

I actually don't know if this even an issue due to DLL search order mechanics in place today. I know I use this in Win7 (for certain DLLs - maybe known DLLs? I can't recall), but on Win10/11 I just drop a .DLL I build into the folder of the EXE I want to patch it's memory. EXE loads my DLL and I can call Loadlibrary() to load \system32 DLL to handle any function requests that the EXE may call.

Last edited by Stingered; 08-28-2022 at 05:47.
Reply With Quote
The Following User Says Thank You to Stingered For This Useful Post:
niculaita (09-08-2022)