Prevention of DLL hijacking

Programs that run on Microsoft Windows can be vulnerable to a type of security attack known as binary planting. Starting in version 16, the Here RVM implements strategies to prevent dynamic link libraries (DLLs) from being hijacked through a binary planting attack. These strategies include the following:

  • Load each system DLL only from the system directory; avoid looking elsewhere in the standard DLL search path, including the current directory.
  • Delay loading any system DLL until the first actual call to a function in the DLL.
  • Pin system DLLs to ensure they are not unloaded while the RVM process is running.
  • In case of errors while loading DLLs (which might indicate a compromised system), create a crtStartupFailed analytics event and write it to the RVM log.
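
A defender's check on the first strategy, as an added example that is not part of the original page or of the Here RVM code base: it scans image-load events and reports any system-named DLL that the process loaded from outside the system directories. The events are constructed samples using the Sysmon Event ID 7 field names `Image` and `ImageLoaded`; the process name `rvm.exe`, the DLL list and the `C:\Windows` install path are assumptions.

```python
import ntpath  # Windows path rules, usable on any OS for offline log review

# Assumed for illustration: DLL names treated as "system DLLs" and the
# directories Windows ships them in (SysWOW64 serves 32-bit processes).
SYSTEM_DLLS = {"version.dll", "winhttp.dll", "userenv.dll"}
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}


def find_planted_loads(events, process_name):
    """Return (image, loaded_path) for each system-named DLL that
    process_name loaded from outside the system directories."""
    findings = []
    for ev in events:
        image = ev["Image"]
        # Only events from the process under review are relevant.
        if ntpath.basename(image).lower() != process_name.lower():
            continue
        # Normalise so "..\" segments and case differences cannot hide a path.
        loaded = ntpath.normpath(ev["ImageLoaded"])
        dll_name = ntpath.basename(loaded).lower()
        dll_dir = ntpath.dirname(loaded).lower()
        if dll_name in SYSTEM_DLLS and dll_dir not in SYSTEM_DIRS:
            findings.append((image, loaded))
    return findings


# Constructed sample events; paths and process name are hypothetical.
APP = r"C:\Users\alice\AppData\Local\Example\rvm.exe"
SAMPLE_EVENTS = [
    {"Image": APP, "ImageLoaded": r"C:\Windows\System32\version.dll"},
    {"Image": APP, "ImageLoaded": r"C:\WINDOWS\SysWOW64\winhttp.dll"},
    # System DLL name resolved from the application directory: flagged.
    {"Image": APP,
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Example\userenv.dll"},
    # Application's own DLL beside the executable: not a system name.
    {"Image": APP,
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Example\app_plugin.dll"},
    # Different process: out of scope for this review.
    {"Image": r"C:\Tools\other.exe", "ImageLoaded": r"C:\Tools\version.dll"},
]

if __name__ == "__main__":
    for image, loaded in find_planted_loads(SAMPLE_EVENTS, "rvm.exe"):
        print(f"ALERT {image} loaded {loaded}")
```

A process that follows the first strategy above should produce no findings; any hit is worth correlating with the crtStartupFailed events in the RVM log.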