How to prevent a system DLL from being loaded by my own app
Posted: Wed Mar 06, 2019 11:58 pm
Is there any way of blocking a Windows system DLL from being loaded into my process? Perhaps through some kind of hook? Or another trick (that does not impact the system or other processes)?
Note: If that matters, I'm using Win 10, x64.
For instance, in the below example, can I prevent my application from loading "C:\Windows\System32\riched20.dll" and thus prevent the EditorGadget from loading/appearing?
I realize that may cause a crash in this particular example. I hope this question does not sound too weird. What I'm trying to do is prevent certain legacy Windows DLLs from ever loading into one of my applications, to reduce the possible attack surface.
Code:
OpenWindow(0, 0, 0, 580, 650, "TEST", #PB_Window_SizeGadget | #PB_Window_MaximizeGadget | #PB_Window_MinimizeGadget)
StringGadget(1,10,10,100,20,"TEST")
;; can we prevent the load of comctl32.dll from the System directory
If EditorGadget(2,10,50,300,500) : EndIf
Repeat : Until WaitWindowEvent() = #PB_Event_CloseWindow
EDIT 1: Perhaps a simpler approach than hooks:
Isn't it possible to load my own version of comctl32.dll (from my EXE directory) instead of the system32 version? I tried that but it doesn't seem to work (the system32 instance still gets loaded).
EDIT 2: For other system DLLs, it seems to work:
Placing a local copy of riched20.dll in the same directory as my EXE actually works (and prevents the system32 copy from being loaded), but for some reason this does not work for other DLLs such as comctl32.dll. Any ideas why?