Is there a way for the executable created by InnoSetup to prevent DLL redirection?

Question

When launching an installer created with InnoSetup it tries to load the common-controls DLL from Windows. I'm assuming this is for rendering the UI dialogs. However, by using the DLL Redirection feature provided by Windows (https://learn.microsoft.com/en-us/windows/win32/dlls/dynamic-link-library-redirection) you can make the installer run a different DLL that you place in a specific location.

This behavior can be a problem especially if the installer itself requires elevated privileges to run but the installer file has been placed in a more accessible location, like the user Downloads folder.

Microsoft provides a couple of options to manage the DLL-loading behavior, like using some specific parameters on the linker when building the application (https://devblogs.microsoft.com/oldnewthing/20230328-00/?p=107978).

So I'm wondering if there is a way to tell InnoSetup to use this (or other) mitigation alternatives to prevent this from happening. Is this a known issue, and does some documentation exist somewhere on how to deal with this?

PS: I'm currently using InnoSetup v6.0.5.

Answer 1

Score: 1

So after digging some more in InnoSetup documentation, it turns out that this was fixed in a later version. An installer built with v6.2.2 (current latest) does not seem to present the same issue and will not try to run the "fake" DLL.

From JRSoftware's website:

> Change in default behavior: Starting with Inno Setup 6.1 the [Setup]
> section directive MinVersion defaults to 6.1sp1, so by default Setup
> will not run on Windows Vista or on versions of Windows 7 and Windows
> Server 2008 R2 which have not been updated. Setting MinVersion to 6.0
> to allow Setup to run on Windows Vista is supported but not
> recommended: Windows Vista doesn't support some of Setup's security
> measures against potential DLL preloading attacks so these have to be
> removed by the compiler if MinVersion is below 6.1 making your
> installer less secure on all versions of Windows.
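
A build-time check for the setting the quoted note describes, as an added example that is not part of the original answer or of Inno Setup: it reads a script's [Setup] section and flags a MinVersion below 6.1. The function names and sample scripts are constructed for illustration, and it assumes the script is compiled with Inno Setup 6.1 or later, where the default is 6.1sp1.

```python
import re

# Per the quoted note: below this MinVersion the compiler removes some of
# Setup's DLL-preloading protections. Assumes Inno Setup 6.1+ compiles the script.
SAFE_FLOOR = (6, 1)
DEFAULT_MIN_VERSION = "6.1sp1"   # default when the directive is absent (6.1+)

def setup_directives(iss_text):
    """Return the [Setup] directives as a lower-cased name -> value dict."""
    directives, section = {}, None
    for raw in iss_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):        # blank line or .iss comment
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section = header.group(1).lower()
        elif section == "setup" and "=" in line:
            name, value = line.split("=", 1)
            directives[name.strip().lower()] = value.strip()
    return directives

def audit_min_version(iss_text):
    """Return (status, value); status is 'ok', 'weakened' or 'unresolved'."""
    value = setup_directives(iss_text).get("minversion", DEFAULT_MIN_VERSION)
    m = re.match(r"(\d+)\.(\d+)", value)            # major.minor[.build][spN]
    if m is None:                                   # e.g. a preprocessor {#Var}
        return "unresolved", value
    version = (int(m.group(1)), int(m.group(2)))
    return ("ok" if version >= SAFE_FLOOR else "weakened"), value

# Constructed sample scripts (hypothetical, not taken from the page).
SAMPLE_WEAK = """\
; allows Windows Vista, so the protections are stripped
[Setup]
AppName=Demo
MinVersion=6.0

[Files]
Source: "demo.exe"; DestDir: "{app}"
"""
SAMPLE_DEFAULT = "[Setup]\nAppName=Demo\n"

if __name__ == "__main__":
    for name, text in (("weak", SAMPLE_WEAK), ("default", SAMPLE_DEFAULT)):
        print(name, audit_min_version(text))
```

An "unresolved" result means the value could not be read as a version number (for example a preprocessor variable) and needs a manual look.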

huangapple
  • Published on June 29, 2023, 05:49:55