Prevent Dll hijacking

AndreasScholl · Aug 26, 2019

We got a request from one of our customers that is asking for dll hijacking prevention measurements.

A third party security company discovered that it is possible to put malicious .dlls (i.e a modified xinput1_3.dll) into the application folder and have it loaded by unity on application start.

Is there a common way to protect unity applications from dll hijacking? What would be the recommended procedure to protect our applications?

Thanks a lot for any feedback or help,

Andreas

FMark92 · Aug 26, 2019

Hardcode the file's checksum?

AndreasScholl · Aug 26, 2019

FMark92 said: ↑

Hardcode the file's checksum?
Click to expand...

Thanks for your reply. Are you relating to the checksum of the loaded dll, for example the xinput1_3.dll?

How would you check for this file? Can we put the code to check the dlls inside the unity-application or will it already be to late to check there at this point?

Do you know of any standard solutions for this?

FMark92 · Aug 26, 2019

AndreasScholl said: ↑

How would you check for this file?
Click to expand...

https://stackoverflow.com/questions/10520048/calculate-md5-checksum-for-a-file

Have the original checksum saved somewhere in your code and then just compare it to whatever
md5.ComputeHash(stream); spits out.

AndreasScholl said: ↑

will it already be to late to check there at this point?
Click to expand...

Depends. I don't think you'll be able to catch everything but you can exit if you detect alterations after application started.

Tautvydas-Zilys · Aug 26, 2019

You can't check the checksum. It can change with a Windows update.

Generally this isn't considered a security vulnerability. Usually, programs are installed in Program Files directory, which is read only for non-admin users and write/read for administrators. So if a DLL can be placed next to your executable, you're already compromised.

However, there are ways around this if you have a good reason to. Read this: https://support.microsoft.com/en-us...f-libraries-to-prevent-dll-preloading-attacks

Implement calls to SetDllDirectory with an empty string (“”) to remove the current working directory from the default DLL search order where it is required. Be aware that SetDllDirectory affects the whole process. Therefore, you should do this one time early in process initialization, not before and after calls to LoadLibrary. Because SetDllDirectory affects the whole process, multiple threads calling SetDllDirectory with different values could cause undefined behavior. Additionally, if the process is designed to load third-party DLLs, testing will be needed to determine whether making a process-wide setting will cause incompatibilities. A known issue is that when an application depends on Visual Basic for Applications, a process-wide setting may cause incompatibilities.
Click to expand...

You could modify the game executable in a way that makes it not link to anything but kernel32.dll, then on startup call SetDllDirectory("") and then do LoadLibrary on UnityPlayer.dll with an absolute path to start up the game.

EusebiuMarcu · Apr 8, 2022

Tautvydas-Zilys said: ↑

You can't check the checksum. It can change with a Windows update.

Generally this isn't considered a security vulnerability. Usually, programs are installed in Program Files directory, which is read only for non-admin users and write/read for administrators. So if a DLL can be placed next to your executable, you're already compromised.

However, there are ways around this if you have a good reason to. Read this: https://support.microsoft.com/en-us...f-libraries-to-prevent-dll-preloading-attacks

You could modify the game executable in a way that makes it not link to anything but kernel32.dll, then on startup call SetDllDirectory("") and then do LoadLibrary on UnityPlayer.dll with an absolute path to start up the game.
Click to expand...

Yes, you are correct, the admin account is compromised (and this can happen). But this does not mean that the admin account has some access that the normal user has (like access to a shared file location based on some AD group set of permissions).
Hence, the app/game can access the data by the normal user (non-local admin) and then the dll could get the data loaded by the app/game. So, from this perspective it is a security vulnerability.

Coming to your (&MS) solution, how would we do that modification of the game executable if we do not control the build process? How can we link it with only kernel32.dll, call SetDllDirectory("") and then LoadLibrary("path/to/UnityPlayer.dll")? I think this part should be done by Unity build system...

Tautvydas-Zilys · Apr 8, 2022

EusebiuMarcuUCB said: ↑

Yes, you are correct, the admin account is compromised (and this can happen). But this does not mean that the admin account has some access that the normal user has (like access to a shared file location based on some AD group set of permissions).
Hence, the app/game can access the data by the normal user (non-local admin) and then the dll could get the data loaded by the app/game. So, from this perspective it is a security vulnerability.
Click to expand...

The attacker could just replace the whole game executable with theirs if they can modify the game files.

EusebiuMarcuUCB said: ↑

Coming to your (&MS) solution, how would we do that modification of the game executable if we do not control the build process? How can we link it with only kernel32.dll, call SetDllDirectory("") and then LoadLibrary("path/to/UnityPlayer.dll")? I think this part should be done by Unity build system...
Click to expand...

The source code for the game executable is shipped in "<UNITY_INSTALL_DIR>\Editor\Data\PlaybackEngines\windowsstandalonesupport\Source\WindowsPlayer". You can modify it any way you want.

EusebiuMarcu · Apr 9, 2022

Tautvydas-Zilys said: ↑

The attacker could just replace the whole game executable with theirs if they can modify the game files.

The source code for the game executable is shipped in "<UNITY_INSTALL_DIR>\Editor\Data\PlaybackEngines\windowsstandalonesupport\Source\WindowsPlayer". You can modify it any way you want.
Click to expand...

Does not load in VS2022.

C:\Program Files\Unity\Hub\Editor\2021.1.27f1\Editor\Data\PlaybackEngines\windowsstandalonesupport\Source\WindowsPlayer\WindowsPlayer\WindowsPlayer.vcxproj : error : The imported project "C:\Program Files\Unity\Hub\Editor\2021.1.27f1\Editor\Data\PlaybackEngines\windowsstandalonesupport\Source\WindowsPlayer\UnityCommon.props" was not found. Confirm that the expression in the Import declaration "C:\Program Files\Unity\Hub\Editor\2021.1.27f1\Editor\Data\PlaybackEngines\windowsstandalonesupport\Source\WindowsPlayer\UnityCommon.props" is correct, and that the file exists on disk. C:\Program Files\Unity\Hub\Editor\2021.1.27f1\Editor\Data\PlaybackEngines\windowsstandalonesupport\Source\WindowsPlayer\WindowsPlayer\UnityData.vcxitems

Tautvydas-Zilys · Apr 9, 2022

The project in that folder is not complete, but the source code is. You can either build your Unity project or an empty Unity project using "Generate Visual Studio Solution" option and it will spit out a project that builds.

Search Unity

Prevent Dll hijacking

AndreasScholl

FMark92

AndreasScholl

FMark92

Tautvydas-Zilys

Unity Technologies

EusebiuMarcu

Tautvydas-Zilys

Unity Technologies

EusebiuMarcu

Tautvydas-Zilys

Unity Technologies

Search Unity

Unity ID

Useful Searches

Prevent Dll hijacking

Unity Technologies

Unity Technologies

Unity Technologies