I have a process that loads an external DLL (sort of a plugin system) where I want to verify that the loaded DLL is signed correctly using Authenticode. After perusing the documentation for WinVerifyTrust and LoadLibrary (and friends) one thing that struck me as significant is that both operations work from a file path to the DLL.
It looks to me that it's quite feasible to exploit this to cause my program to load an unsigned DLL, by presenting the program with a signed DLL, causing WinVerifyTrust() to succeed and immediately replacing the DLL with unsigned code before the LoadLibrary() call gets executed (this is a hard race condition, but it can be better controlled if the attacker has some control on the file system, for example when using a networked file system).
The API for WinVerifyTrust() seems to suggest that I can run the verification process on a handle to an open file. If I can open the file, verify the open file handle and then load the library from the same file handle - then I will be safe. Unfortunately LoadLibraryEx() - which would have been my prime suspect for implementing this - documents its hFile parameter as "reserved for future use".
My next avenue of thought was to load the file contents into memory and then load the DLL from the memory, and I found the library MemoryModule that does this. I was wondering if there is some existing implementation that already goes and combines all this and allows the developer to securely verify and load a DLL, meaning I won't have to write it and maintain it myself.
Any suggestions?