Avoid DLL Hijacking

Resolved Avoid DLL Hijacking

How-to

Votes

Undo

Ranjiv Sharma
PowerBuilder
Wednesday, 22 December 2021 09:03 AM UTC

Hi Everyone,

What can be done to avoid DLL hijacking for a Powerbuilder application in a Windows environment.

Files may be signed using Microsoft sign tool but this will not protect from hijacking unless you somehow use verify to check the

files but I am not sure how feasible this would be.

Any ideas there are functions like LoadlibraryEx (specify path and file) but how would this work in a PB environment and would it be feasible ?

Thanks,

Ranj.

Also on the security tab of a project, I can use the following which means the application must Authenticode signed

Allow access to protected system UI

Select if the application needs to drive input to higher privilege windows on the desktop, such as an on-screen keyboard. Microsoft provides this setting for user interface Assistive Technology (Section 508) applications.

Note
If you check this box, the application must be Authenticode signed and must reside in a protected location, such as \Program Files\ or \windows\system32\.

Security

Responses (4)

Stuart Macandrew Accepted Answer Pending Moderation

Thursday, 23 December 2021 02:36 AM UTC
PowerBuilder
# 1

Is this a real or a hypothetical threat?

If you are deploying your application with an installer, then your application is placed in an administrator controlled location (some location under program files). An attacker cannot just "replace mystuff.dll" without first elevating to admin privilege.

If the attacker has no admin credentials and your application is securely installed, then there is no threat.

If your application is not securely installed, then review and fix your install strategy.

If the attacker has admin credentials and can elevate then - well the scenario you outline is the least of your security issues.

Comment

Armeen Mazda @Appeon
Thursday, 10 February 2022 15:51 PM UTC

SolarWinds attack was hijack example.

Helpful 0

There are no comments made yet.

Armeen Mazda @Appeon Accepted Answer Pending Moderation

Wednesday, 22 December 2021 16:54 PM UTC
PowerBuilder
# 2

Hi Ranjiv,

Just use the the new PowerClient deployment option of PowerBuilder 2021. It verifies the hash values to reduce chance your app can be hijacked. https://www.appeon.com/products/power-client

Best regards,
Armeen

Comment

Load more comments

Ranjiv Sharma
Tuesday, 11 January 2022 09:39 AM UTC

Hi Armeen,

I have tried Powerclient is works fine. However I cant use Powerclient yet thats why Im using manifest and Authenticode. My question is about the prorected location , it does not seem to be enforced, can you confirm if it is supposed to do that or it does not do it anymore ?

Thanks,

Ranjiv.

Helpful 0

Armeen Mazda @Appeon
Tuesday, 11 January 2022 15:46 PM UTC

I'm not aware that PowerBuilder itself enforces any such thing you say. The Windows OS version and configuration would dictate this. So as I mentioned, I suggest you test it out.

Helpful 0

Ranjiv Sharma
Thursday, 10 February 2022 10:36 AM UTC

Hi Armeen,

Yes I have tested it. I dont think the Powerbuilder documentation is correct:

"If you check this box, the application must be Authenticode signed and must reside in a protected location, such as \Program Files\ or \windows\system32\."

The above is not enforced I can run the application in a non protected area such as C:\TEMP\testpbmanifest

on the security tab of a project, I can use the following which means the application must Authenticode signed

Allow access to protected system UI

Select if the application needs to drive input to higher privilege windows on the desktop, such as an on-screen keyboard. Microsoft provides this setting for user interface Assistive Technology (Section 508) applications.

Note

If you check this box, the application must be Authenticode signed and must reside in a protected location, such as \Program Files\ or \windows\system32\.

Helpful 0

There are no comments made yet.

Ranjiv Sharma Accepted Answer Pending Moderation

Wednesday, 22 December 2021 14:36 PM UTC
PowerBuilder
# 3

Hi David,

I'm talking about the application dlls that are built and deployed from powerbuilder.

if i have a library called mystuff.pbl and I build my app and will have a resulting mystuff.dll then in the application directory I could replace the mystuff.dll

with a rogue version and hijack some functionality.

Thanks,

Ranj.

Comment

Load more comments

Ranjiv Sharma
Thursday, 6 January 2022 13:25 PM UTC

How do we raise a request for this ? "Perhaps they could be persuaded to add that functionality to the EXE/DLL build process?"

Helpful 0

Roland Smith
Thursday, 6 January 2022 13:56 PM UTC

Having the encryption of application files feature from cloud apps added to standard desktop would be a good idea. Send an email to product@appeon.com which is the product manager.

Helpful 0

Ranjiv Sharma
Thursday, 6 January 2022 13:58 PM UTC

Thankyou

Helpful 0

There are no comments made yet.

David Peace (Powersoft) Accepted Answer Pending Moderation

Wednesday, 22 December 2021 14:27 PM UTC
PowerBuilder
# 4

Hi Ranj

What DLLs are you specifically talking about?

If you are refering to the PBDs then there is not a lot you can do. We do not compile with PBDs and compile everything into the EXE file in order to eliminate this issue.

If you are refering to 3rd party DLLs then perhaps someone with more knowledge that me can advise.

Cheers

David

Comment

There are no comments made yet.

Page :
1

There are no replies made for this question yet.
However, you are not allowed to reply to this question.

Please login to post a reply

You will need to be logged in to be able to post a reply. Login using the form on the right or register an account if you are new here. Register Here »

Forgot Password?

Resolved Avoid DLL Hijacking

Find Questions by Tag