2 files changed, 27 insertions, 0 deletions
diff --git a/src/burn/stub/precomp.h b/src/burn/stub/precomp.h
index bb7ded9c..46239a6c 100644
--- a/src/burn/stub/precomp.h
+++ b/src/burn/stub/precomp.h
@@ -9,6 +9,7 @@
 #include <dutil.h>
 #include <apputil.h>
+#include <dirutil.h>
 #include <strutil.h>
 #include <fileutil.h>
 #include <pathutil.h>
diff --git a/src/burn/stub/stub.cpp b/src/burn/stub/stub.cpp
index 339a54da..9c9dfeef 100644
--- a/src/burn/stub/stub.cpp
+++ b/src/burn/stub/stub.cpp
@@ -2,6 +2,10 @@
 #include "precomp.h"
+static const HRESULT E_SUSPECTED_TAMPERING = MAKE_HRESULT(SEVERITY_ERROR, 500/*FACILITY_WIX*/, 2001);
+static void AvoidLocalDllRedirection(LPCWSTR wzPath);
 int WINAPI wWinMain(
    __in HINSTANCE hInstance,
@@ -52,6 +56,8 @@ int WINAPI wWinMain(
        AppInitialize(rgsczSafelyLoadSystemDlls, countof(rgsczSafelyLoadSystemDlls));
    }
+    AvoidLocalDllRedirection(sczPath);
    // call run
    hr = EngineRun(hInstance, hEngineFile, lpCmdLine, nCmdShow, &dwExitCode);
    ExitOnFailure(hr, "Failed to run application.");
@@ -63,3 +69,23 @@ LExit:
    return FAILED(hr) ? (int)hr : (int)dwExitCode;
 }
+static void AvoidLocalDllRedirection(LPCWSTR wzPath)
+{
+    LPWSTR sczLocalPath = NULL;
+    HMODULE hmodComCtl = NULL;
+    // Bail if there's a <bundle>.exe.local directory, as it's a feature of
+    // DLL redirection that has no real use for a bundle and is a hole for
+    // DLL hijacking attacks.
+    if (FAILED(StrAllocFormatted(&sczLocalPath, L"%ls.local", wzPath))
+        || DirExists(sczLocalPath, NULL)
+        || FileExistsEx(sczLocalPath, NULL)
+        || FAILED(LoadSystemLibrary(L"Comctl32.dll", &hmodComCtl)))
+    {
+        ::ExitProcess((UINT)E_SUSPECTED_TAMPERING);
+    }
+    ReleaseStr(sczLocalPath);
+}

diff --git a/src/burn/stub/precomp.h b/src/burn/stub/precomp.h index bb7ded9c..46239a6c 100644 --- a/src/burn/stub/precomp.h +++ b/src/burn/stub/precomp.h
@@ -9,6 +9,7 @@
9		9
10	#include <dutil.h>	10	#include <dutil.h>
11	#include <apputil.h>	11	#include <apputil.h>
		12	#include <dirutil.h>
12	#include <strutil.h>	13	#include <strutil.h>
13	#include <fileutil.h>	14	#include <fileutil.h>
14	#include <pathutil.h>	15	#include <pathutil.h>


diff --git a/src/burn/stub/stub.cpp b/src/burn/stub/stub.cpp index 339a54da..9c9dfeef 100644 --- a/src/burn/stub/stub.cpp +++ b/src/burn/stub/stub.cpp
@@ -2,6 +2,10 @@
2		2
3	#include "precomp.h"	3	#include "precomp.h"
4		4
		5	static const HRESULT E_SUSPECTED_TAMPERING = MAKE_HRESULT(SEVERITY_ERROR, 500/FACILITY_WIX/, 2001);
		6
		7	static void AvoidLocalDllRedirection(LPCWSTR wzPath);
		8
5		9
6	int WINAPI wWinMain(	10	int WINAPI wWinMain(
7	__in HINSTANCE hInstance,	11	__in HINSTANCE hInstance,
@@ -52,6 +56,8 @@ int WINAPI wWinMain(
52	AppInitialize(rgsczSafelyLoadSystemDlls, countof(rgsczSafelyLoadSystemDlls));	56	AppInitialize(rgsczSafelyLoadSystemDlls, countof(rgsczSafelyLoadSystemDlls));
53	}	57	}
54		58
		59	AvoidLocalDllRedirection(sczPath);
		60
55	// call run	61	// call run
56	hr = EngineRun(hInstance, hEngineFile, lpCmdLine, nCmdShow, &dwExitCode);	62	hr = EngineRun(hInstance, hEngineFile, lpCmdLine, nCmdShow, &dwExitCode);
57	ExitOnFailure(hr, "Failed to run application.");	63	ExitOnFailure(hr, "Failed to run application.");
@@ -63,3 +69,23 @@ LExit:
63		69
64	return FAILED(hr) ? (int)hr : (int)dwExitCode;	70	return FAILED(hr) ? (int)hr : (int)dwExitCode;
65	}	71	}
		72
		73	static void AvoidLocalDllRedirection(LPCWSTR wzPath)
		74	{
		75	LPWSTR sczLocalPath = NULL;
		76	HMODULE hmodComCtl = NULL;
		77
		78	// Bail if there's a <bundle>.exe.local directory, as it's a feature of
		79	// DLL redirection that has no real use for a bundle and is a hole for
		80	// DLL hijacking attacks.
		81
		82	if (FAILED(StrAllocFormatted(&sczLocalPath, L"%ls.local", wzPath))
		83	\|\| DirExists(sczLocalPath, NULL)
		84	\|\| FileExistsEx(sczLocalPath, NULL)
		85	\|\| FAILED(LoadSystemLibrary(L"Comctl32.dll", &hmodComCtl)))
		86	{
		87	::ExitProcess((UINT)E_SUSPECTED_TAMPERING);
		88	}
		89
		90	ReleaseStr(sczLocalPath);
		91	}