segfo · September 21, 2019 10:14
diff --git a/Cargo.toml b/Cargo.toml
 [package]
 name = "sideloading_dll"
 version = "0.1.0"
 authors = ["segfo <[email protected]>"]
 edition = "2018"

 [lib]
 name = "sideloading"
 path = "src/lib.rs"
 crate-type = ["dylib"]

 [dependencies]
diff --git a/lib.rs b/lib.rs
 #[no_mangle]
 pub extern "C" fn MessageBoxW(handle: usize,text:usize,caption:usize,icon_type:i32) -> bool {
    println!("side loading !");
    return true;
 }
diff --git a/vuln_dll_SearchOrderHijacking.c b/vuln_dll_SearchOrderHijacking.c
 #include <windows.h>
 #include <tchar.h>
 #include<stdio.h>

 typedef int (*MSGBOX)(HWND,LPCWSTR,LPCWSTR,UINT);

 int main(){
    char user32_path[255]={0};
    char *file_name = NULL;
    // DLLのサーチを行う(!!!!!Vulnerability!!!!!)
    SearchPathA(NULL,"user32.dll",NULL,255,user32_path,&file_name);
    // サーチしたDLLパスからDLLを読み込む
    HMODULE user32 = LoadLibraryA(user32_path);
    // MessageBox関数のポインタを取得する
    MSGBOX F_MessageBoxW =(MSGBOX) GetProcAddress(user32, "MessageBoxW");
    // 使う
    F_MessageBoxW(NULL,L"hello world!",L"not malware!",0);
    FreeLibrary(user32);
 }
	[package]
	name = "sideloading_dll"
	version = "0.1.0"
	authors = ["segfo <[email protected]>"]
	edition = "2018"

	[lib]
	name = "sideloading"
	path = "src/lib.rs"
	crate-type = ["dylib"]

	[dependencies]
	#[no_mangle]
	pub extern "C" fn MessageBoxW(handle: usize,text:usize,caption:usize,icon_type:i32) -> bool {
	println!("side loading !");
	return true;
	}
	#include <windows.h>
	#include <tchar.h>
	#include<stdio.h>

	typedef int (*MSGBOX)(HWND,LPCWSTR,LPCWSTR,UINT);

	int main(){
	char user32_path[255]={0};
	char *file_name = NULL;
	// DLLのサーチを行う(!!!!!Vulnerability!!!!!)
	SearchPathA(NULL,"user32.dll",NULL,255,user32_path,&file_name);
	// サーチしたDLLパスからDLLを読み込む
	HMODULE user32 = LoadLibraryA(user32_path);
	// MessageBox関数のポインタを取得する
	MSGBOX F_MessageBoxW =(MSGBOX) GetProcAddress(user32, "MessageBoxW");
	// 使う
	F_MessageBoxW(NULL,L"hello world!",L"not malware!",0);
	FreeLibrary(user32);
	}