Declaring DLL with environmental variable in path?

trparky

How can I create a DLL declare statement with an environmental variable in it so as to make sure that I'm loading the system DLL from the right place, the system32 folder? For instance...

Declare Function GetExtendedTcpTable Lib "iphlpapi.dll" Alias "GetExtendedTcpTable" (ByVal tcpTable As IntPtr, ByRef tcpTableLength As Integer, ByVal sort As Boolean, ByVal ipVersion As Integer, ByVal tcpTableType As TcpTableType, ByVal reserved As Integer) As UInteger
Declare Function GetExtendedUdpTable Lib "iphlpapi.dll" Alias "GetExtendedUdpTable" (ByVal tcpTable As IntPtr, ByRef tcpTableLength As Integer, ByVal sort As Boolean, ByVal ipVersion As Integer, ByVal tcpTableType As TcpTableType, ByVal reserved As Integer) As UInteger


But, instead of relying on the folders in the path, I want to specify where to load the DLL from. For instance...


Declare Function GetExtendedTcpTable Lib "%windir%\system32\iphlpapi.dll" Alias "GetExtendedTcpTable" (ByVal tcpTable As IntPtr, ByRef tcpTableLength As Integer, ByVal sort As Boolean, ByVal ipVersion As Integer, ByVal tcpTableType As TcpTableType, ByVal reserved As Integer) As UInteger
Declare Function GetExtendedUdpTable Lib "%windir%\system32\iphlpapi.dll" Alias "GetExtendedUdpTable" (ByVal tcpTable As IntPtr, ByRef tcpTableLength As Integer, ByVal sort As Boolean, ByVal ipVersion As Integer, ByVal tcpTableType As TcpTableType, ByVal reserved As Integer) As UInteger

The reason I'm asking is that there has been talk about people injecting invalid/malicious DLLs into folders along with applications and whatnot and I see this as an issue if you don't specify the SYSTEM directory. Yeah, I could specify it to load from c:\windows\system32 but what happens if a person doesn't have their Windows installed in c:\windows? Hence the reason to use an environmental variable to find system32.
 
There must be a way to be able to close this gaping security hole.

Anyone could put a malicious DLL with the same name as a known system DLL into a program's folder, and because Windows's path is set up to access DLLs starting with the program's own folder as the first place to look for DLLs, that malicious DLL could instantly take over the program and do whatever it pleases with the privileges of that program. God help you if you're running as Administrator.

I've tried System.Environment.SystemDirectory to get the SYSTEM32 folder, yes... that returns the path to the system32 folder but you can't use that in a statement like this...

<DllImport(System.Environment.SystemDirectory & "\iphlpapi.dll", SetLastError:=True)> _
Public Shared Function GetExtendedTcpTable(ByVal tcpTable As IntPtr, ByRef tcpTableLength As Integer, ByVal sort As Boolean, ByVal ipVersion As Integer, ByVal tcpTableType As TcpTableType, ByVal reserved As Integer) As UInteger
End Function

or

Declare Function GetExtendedTcpTable Lib System.Environment.SystemDirectory & "\iphlpapi.dll" Alias "GetExtendedTcpTable" (ByVal tcpTable As IntPtr, ByRef tcpTableLength As Integer, ByVal sort As Boolean, ByVal ipVersion As Integer, ByVal tcpTableType As TcpTableType, ByVal reserved As Integer) As UInteger

So how does Microsoft expect you to close this gaping security hole in how you can access external system DLLs?

Sure, you could specify that you load it specifically from "C:\Windows\System32", but what if a person doesn't have Windows installed on the C drive? What if it's C:\WinNT versus C:\Windows, D:\Windows, or D:\WinNT? That means your program's broken because it can't access the DLL.
 
Unless... I find the location of the DLLs in question that I'm trying to use and copy them from SYSTEM32 at run-time of the program (every single run-time) to the program's path so as to make sure that I'm loading a known good DLL. But no, that won't work either, since the external function, and thus the DLL, is loaded and declared before the Form's OnLoad event. Unless I put the code into the Application's StartUp event.
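
An added example, not part of the original posts: one way to keep the bare "iphlpapi.dll" name in the declaration while restricting the loader to the system directory, then confirming where the DLL was actually loaded from. It assumes .NET Framework 4.5 or later (for DefaultDllImportSearchPaths); the names SafeIpHlpApi and LoadedIpHlpApiPath are hypothetical, and the table-class parameter is an Integer because the TcpTableType enum is not shown in the thread.

```vbnet
Imports System
Imports System.ComponentModel
Imports System.Diagnostics
Imports System.IO
Imports System.Linq
Imports System.Runtime.InteropServices

Module SafeIpHlpApi
    Private Const AF_INET As Integer = 2
    Private Const TCP_TABLE_OWNER_PID_ALL As Integer = 5
    Private Const ERROR_INSUFFICIENT_BUFFER As UInteger = 122

    ' The library name stays a constant string; the second attribute tells the
    ' runtime to search only the system directory, not the application folder.
    <DllImport("iphlpapi.dll"), DefaultDllImportSearchPaths(DllImportSearchPath.System32)>
    Private Function GetExtendedTcpTable(ByVal tcpTable As IntPtr, ByRef tcpTableLength As Integer,
            ByVal sort As Boolean, ByVal ipVersion As Integer,
            ByVal tcpTableType As Integer, ByVal reserved As Integer) As UInteger
    End Function

    ' Returns the full path of the iphlpapi.dll mapped into this process.
    Function LoadedIpHlpApiPath() As String
        Dim size As Integer = 0
        ' A call with a null buffer only reports the required size, which is
        ' enough to make the runtime load the DLL.
        Dim rc As UInteger = GetExtendedTcpTable(IntPtr.Zero, size, False, AF_INET, TCP_TABLE_OWNER_PID_ALL, 0)
        If rc <> 0UI AndAlso rc <> ERROR_INSUFFICIENT_BUFFER Then
            Throw New Win32Exception(CInt(rc))
        End If
        For Each m As ProcessModule In Process.GetCurrentProcess().Modules
            If String.Equals(m.ModuleName, "iphlpapi.dll", StringComparison.OrdinalIgnoreCase) Then
                Return m.FileName
            End If
        Next
        Throw New InvalidOperationException("iphlpapi.dll is not loaded")
    End Function

    Sub Main()
        Dim loaded As String = LoadedIpHlpApiPath()
        ' A 32-bit process on 64-bit Windows gets its system DLLs from SysWOW64.
        Dim trusted As String() = {Environment.SystemDirectory,
                                   Environment.GetFolderPath(Environment.SpecialFolder.SystemX86)}
        Dim dir As String = Path.GetDirectoryName(loaded)
        Dim ok As Boolean = trusted.Any(Function(d) String.Equals(dir, d, StringComparison.OrdinalIgnoreCase))
        Console.WriteLine("{0} -> {1}", loaded, If(ok, "system directory", "UNEXPECTED LOCATION"))
    End Sub
End Module
```

The same attribute can be applied once at assembly level so that it covers every P/Invoke declaration in the project.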
 