How LNK Exploit Protection works

We have been contacted by a few people who asked how the Hitman Pro LNK Exploit Protection works. Well, here it is.

Vulnerability

The vulnerability is in the Windows Shell component shell32.dll. This library is responsible for parsing shortcuts (.LNK files) and their icons (see IExtractIcon). Certain special shortcuts specify that their icon resides in a separate library file, and shell32.dll uses the LoadLibraryW function in kernel32.dll to load that icon library file.

Now, the LoadLibraryW function loads the icon library file with execute rights and calls the icon library’s DllMain function. Hence, it executes (possibly malicious) code while trying to fetch icon data!

Normally, icon libraries have no DllMain and hold no code at all, but malware trying to exploit the vulnerability does.

So in order to provide proper protection against the exploit, we need to prevent the use of LoadLibraryW when shell32.dll is reading an icon from a library file.
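To make concrete what "the icon resides in a separate library file" means at the file-format level, below is a small inspector written for this page (it is not Hitman Pro's code) that parses the ShellLinkHeader and the StringData of a .LNK file as laid out in Microsoft's MS-SHLLINK specification and reports whether the shortcut's IconLocation names a code library rather than a plain .ico file. That is exactly the case in which shell32.dll ends up calling a library loader to fetch icon data. The inspector skips the LinkTargetIDList and LinkInfo structures without interpreting them, the list of "code library" extensions is a triage heuristic chosen here, and the sample shortcuts it builds are constructed in memory for the demonstration. It is meant for visibility when triaging shortcuts, not as a replacement for fixing the loader, which is the point this post makes.

```python
"""Minimal .LNK (Shell Link Binary File Format, MS-SHLLINK) inspector.

Constructed example: parses the 76-byte ShellLinkHeader and the StringData
section and reports where the shortcut says its icon comes from.
"""
import struct

HEADER_SIZE = 0x4C
# LinkCLSID 00021401-0000-0000-C000-000000000046, little-endian GUID layout.
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")

# LinkFlags bits (subset of the specification).
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

# Heuristic (chosen for this example): extensions whose icon has to be
# fetched out of a PE image rather than read as raw icon data.
CODE_LIBRARY_EXTENSIONS = (".dll", ".cpl", ".exe", ".ocx", ".scr")

# StringData entries appear in this fixed order when their flag is set.
STRING_FIELDS = (
    (HAS_NAME, "name"),
    (HAS_RELATIVE_PATH, "relative_path"),
    (HAS_WORKING_DIR, "working_dir"),
    (HAS_ARGUMENTS, "arguments"),
    (HAS_ICON_LOCATION, "icon_location"),
)


def parse_lnk(data: bytes) -> dict:
    """Return header fields, StringData and an icon-source classification."""
    if len(data) < HEADER_SIZE:
        raise ValueError("too short to be a shell link")
    (header_size, clsid, link_flags, _attrs, _ctime, _atime, _wtime,
     _size, icon_index, show_cmd, _hotkey) = struct.unpack_from(
        "<I16sIIQQQIiIH", data, 0)
    if header_size != HEADER_SIZE or clsid != LNK_CLSID:
        raise ValueError("not a shell link: bad HeaderSize or LinkCLSID")

    offset = HEADER_SIZE
    # Skip (do not interpret) the item ID list and the LinkInfo structure.
    if link_flags & HAS_LINK_TARGET_ID_LIST:
        (id_list_size,) = struct.unpack_from("<H", data, offset)
        offset += 2 + id_list_size
    if link_flags & HAS_LINK_INFO:
        (link_info_size,) = struct.unpack_from("<I", data, offset)
        offset += link_info_size

    strings = {}
    for flag, name in STRING_FIELDS:
        if not link_flags & flag:
            continue
        (count,) = struct.unpack_from("<H", data, offset)  # CountCharacters
        offset += 2
        width = 2 if link_flags & IS_UNICODE else 1
        raw = data[offset:offset + count * width]
        if len(raw) != count * width:
            raise ValueError(f"truncated StringData field {name}")
        offset += count * width
        strings[name] = (raw.decode("utf-16-le") if width == 2
                         else raw.decode("cp1252", errors="replace"))

    icon_location = strings.get("icon_location", "")
    return {
        "link_flags": link_flags,
        "show_command": show_cmd,
        "icon_index": icon_index,
        "strings": strings,
        "icon_location": icon_location,
        # True when fetching the icon means opening a PE image.
        "icon_from_code_library":
            icon_location.lower().endswith(CODE_LIBRARY_EXTENSIONS),
    }


def build_lnk(icon_location=None, icon_index=0, arguments=None) -> bytes:
    """Build a minimal Unicode shortcut (constructed sample data)."""
    flags = IS_UNICODE
    if arguments is not None:
        flags |= HAS_ARGUMENTS
    if icon_location is not None:
        flags |= HAS_ICON_LOCATION
    header = struct.pack("<I16sIIQQQIiIH", HEADER_SIZE, LNK_CLSID, flags,
                         0, 0, 0, 0, 0, icon_index, 1, 0) + b"\x00" * 10
    body = b""
    for value in (arguments, icon_location):  # same order as STRING_FIELDS
        if value is not None:
            body += struct.pack("<H", len(value)) + value.encode("utf-16-le")
    return header + body


if __name__ == "__main__":
    for lnk in (build_lnk(r"C:\Windows\System32\shell32.dll", 3),
                build_lnk(r"C:\icons\app.ico"),
                build_lnk()):
        info = parse_lnk(lnk)
        print(f"icon={info['icon_location']!r} index={info['icon_index']} "
              f"from_code_library={info['icon_from_code_library']}")
```

Run the file directly to see the three constructed cases: a shortcut whose icon lives in a DLL, one whose icon is a plain .ico, and one with no IconLocation at all. Only the first would make shell32.dll open a library to fetch icon data.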

Protection

The Hitman Pro LNK Exploit Protection Shell Extension intercepts the LoadLibraryW function (using an API hook) when shell32.dll tries to load the icon library file. The intercept replaces the LoadLibraryW call with a function that loads the library as a data file. Reading the library as a data file ensures that the library’s DllMain is not called, meaning no code is executed while reading the icon. This is how shell32.dll SHOULD have read the icon from a library file.

The intercept of the LoadLibraryW function (while reading the icon library file) is a very elegant solution. It is completely transparent to the user and it works across the entire system.

PIDL filtering

Other vendors perform PIDL filtering (example code here) in an effort to block malicious shortcuts. While effective, it also blocks non-malicious shortcuts (like VPN shortcuts). The real vulnerability lies in using the wrong function to load the icon’s library file, not in the use of specific PIDLs.

Patch

Until Microsoft provides a patch, Hitman Pro offers users a way to protect their computers from the exploit. Since we do not yet know how to recognize Microsoft’s patch, we will roll out an update when Microsoft starts pushing its patch for the vulnerability. The Hitman Pro update will then detect the patch and disable the LNK Exploit Protection Shell Extension.
