Is there a way for the executable created by InnoSetup to prevent DLL redirection?
Question
When launching an installer created with InnoSetup it tries to load the common-controls DLL from Windows. I'm assuming this is for rendering the UI dialogs. However, by using the DLL Redirection feature provided by Windows (https://learn.microsoft.com/en-us/windows/win32/dlls/dynamic-link-library-redirection) you can make the installer run a different DLL that you place in a specific location.
This behavior can be a problem especially if the installer itself requires elevated privileges to run but the installer file has been placed in a more accessible location, like the user Downloads folder.
Microsoft provides a couple of options to manage the DLL-loading behavior, like using some specific parameters on the linker when building the application (https://devblogs.microsoft.com/oldnewthing/20230328-00/?p=107978).
So I'm wondering if there is a way to tell InnoSetup to use this (or other) mitigation alternatives to prevent this from happening. Is this a known issue, and does some documentation exist somewhere on how to deal with this?
PS: I'm currently using InnoSetup v6.0.5.
Answer 1
Score: 1
So after digging some more in InnoSetup documentation, it turns out that this was fixed in a later version. An installer built with v6.2.2 (current latest) does not seem to present the same issue and will not try to run the "fake" dll.
From JRSoftware's website:
> Change in default behavior: Starting with Inno Setup 6.1 the [Setup]
> section directive MinVersion defaults to 6.1sp1, so by default Setup
> will not run on Windows Vista or on versions of Windows 7 and Windows
> Server 2008 R2 which have not been updated. Setting MinVersion to 6.0
> to allow Setup to run on Windows Vista is supported but not
> recommended: Windows Vista doesn't support some of Setup's security
> measures against potential DLL preloading attacks so these have to be
> removed by the compiler if MinVersion is below 6.1 making your
> installer less secure on all versions of Windows.
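
A defender-side check for the mechanism the question describes, as an added example (not from the original post or from Inno Setup): per the linked Microsoft documentation, redirection is triggered by a file or folder named `<exe name>.local` beside the executable, so this script lists such markers, and the DLLs they would cause to be loaded, in a folder such as Downloads. The function name, the finding labels and the default folder are assumptions made for illustration.

```python
"""Flag DLL-redirection markers ('<exe>.local') beside executables in a folder."""
import sys
from pathlib import Path


def find_redirection_risks(folder):
    """Return sorted (exe_name, kind, artifact) findings for one folder."""
    entries = list(Path(folder).iterdir())
    # Windows file names are case-insensitive, so index by lowercased name.
    by_name = {e.name.lower(): e for e in entries}
    exes = [e for e in entries if e.is_file() and e.suffix.lower() == ".exe"]
    dlls = [e for e in entries if e.is_file() and e.suffix.lower() == ".dll"]
    findings = []
    for exe in exes:
        marker = by_name.get(exe.name.lower() + ".local")
        if marker is None:
            continue  # no redirection marker for this executable
        if marker.is_dir():
            # A '.local' folder: DLLs inside it are preferred over other copies.
            findings.append((exe.name, "redirect-dir", marker.name))
            redirected = [f"{marker.name}/{d.name}" for d in marker.iterdir()
                          if d.suffix.lower() == ".dll"]
        else:
            # A '.local' file: DLLs beside the executable are checked first.
            findings.append((exe.name, "redirect-file", marker.name))
            redirected = [d.name for d in dlls]
        findings.extend((exe.name, "redirected-dll", r) for r in redirected)
    return sorted(findings)


if __name__ == "__main__":
    # Assumed default: the current user's Downloads folder.
    target = sys.argv[1] if len(sys.argv) > 1 else Path.home() / "Downloads"
    for exe_name, kind, artifact in find_redirection_risks(target):
        print(f"{exe_name}: {kind}: {artifact}")
```

Run it against the folder installers are launched from before elevating one; an empty result means no `.local` marker sits beside any executable there.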