[zadig] prevent DLL side-load from current directory

pbatard · pbatard · commit 367ef154c70c · 2016-02-09T12:55:36.000Z
* Also add platform version to User Agent info and fix warnings
diff --git a/examples/wdi-simple.rc b/examples/wdi-simple.rc
@@ -7,8 +7,8 @@
 #endif
 
 VS_VERSION_INFO VERSIONINFO
- FILEVERSION 1,2,5,691
- PRODUCTVERSION 1,2,5,691
+ FILEVERSION 1,2,5,692
+ PRODUCTVERSION 1,2,5,692
  FILEFLAGSMASK 0x17L
 #ifdef _DEBUG
  FILEFLAGS 0x1L
@@ -25,13 +25,13 @@ BEGIN
         BEGIN
             VALUE "CompanyName", "akeo.ie"
             VALUE "FileDescription", "WDI-Simple"
-            VALUE "FileVersion", "1.2.5.691"
+            VALUE "FileVersion", "1.2.5.692"
             VALUE "InternalName", "WDI-Simple"
             VALUE "LegalCopyright", "� 2010-2014 Pete Batard (LGPL v3)"
             VALUE "LegalTrademarks", "http://www.gnu.org/copyleft/lesser.html"
             VALUE "OriginalFilename", "wdi-simple.exe"
             VALUE "ProductName", "WDI-Simple"
-            VALUE "ProductVersion", "1.2.5.691"
+            VALUE "ProductVersion", "1.2.5.692"
             VALUE "Comments", "http://libwdi.akeo.ie"
         END
     END
diff --git a/examples/zadic.rc b/examples/zadic.rc
@@ -56,8 +56,8 @@ END
 //
 
 VS_VERSION_INFO VERSIONINFO
- FILEVERSION 1,2,5,691
- PRODUCTVERSION 1,2,5,691
+ FILEVERSION 1,2,5,692
+ PRODUCTVERSION 1,2,5,692
  FILEFLAGSMASK 0x17L
 #ifdef _DEBUG
  FILEFLAGS 0x1L
@@ -74,13 +74,13 @@ BEGIN
         BEGIN
             VALUE "CompanyName", "akeo.ie"
             VALUE "FileDescription", "Zadic"
-            VALUE "FileVersion", "1.2.5.691"
+            VALUE "FileVersion", "1.2.5.692"
             VALUE "InternalName", "Zadic"
             VALUE "LegalCopyright", "� 2010-2014 Pete Batard (LGPL v3)"
             VALUE "LegalTrademarks", "http://www.gnu.org/copyleft/lesser.html"
             VALUE "OriginalFilename", "zadic.exe"
             VALUE "ProductName", "Zadic"
-            VALUE "ProductVersion", "1.2.5.691"
+            VALUE "ProductVersion", "1.2.5.692"
             VALUE "Comments", "http://libwdi.akeo.ie"
         END
     END
diff --git a/examples/zadig.c b/examples/zadig.c
@@ -1755,6 +1755,9 @@ int WINAPI WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine
 	int i, wait_for_mutex = 0;
 	BOOL r;
 
+	// Disable loading system DLLs from the current directory (DLL sideloading mitigation)
+	SetDllDirectoryA("");
+
 	// Retrieve the current application directory
 	GetCurrentDirectoryU(MAX_PATH, app_dir);
 
diff --git a/examples/zadig.h b/examples/zadig.h
@@ -59,7 +59,7 @@
 #define FIELD_ORANGE                RGB(255,240,200)
 #define ARROW_GREEN                 RGB(92,228,65)
 #define ARROW_ORANGE                RGB(253,143,56)
-#define APP_VERSION                 "Zadig 2.2.691"
+#define APP_VERSION                 "Zadig 2.2.692"
 
 // These are used to flag end users about the driver they are going to replace
 enum driver_type {
diff --git a/examples/zadig.rc b/examples/zadig.rc
@@ -248,8 +248,8 @@ END
 //
 
 VS_VERSION_INFO VERSIONINFO
- FILEVERSION 2,2,682,691
- PRODUCTVERSION 2,2,682,691
+ FILEVERSION 2,2,682,692
+ PRODUCTVERSION 2,2,682,692
  FILEFLAGSMASK 0x17L
 #ifdef _DEBUG
  FILEFLAGS 0x1L
@@ -266,13 +266,13 @@ BEGIN
         BEGIN
             VALUE "CompanyName", "akeo.ie"
             VALUE "FileDescription", "Zadig"
-            VALUE "FileVersion", "2.2.691"
+            VALUE "FileVersion", "2.2.692"
             VALUE "InternalName", "Zadig"
             VALUE "LegalCopyright", "� 2010-2016 Pete Batard (GPL v3)"
             VALUE "LegalTrademarks", "http://www.gnu.org/copyleft/gpl.html"
             VALUE "OriginalFilename", "zadig.exe"
             VALUE "ProductName", "Zadig"
-            VALUE "ProductVersion", "2.2.691"
+            VALUE "ProductVersion", "2.2.692"
             VALUE "Comments", "http://libwdi.akeo.ie"
         END
     END
diff --git a/examples/zadig_net.c b/examples/zadig_net.c
@@ -1,7 +1,7 @@
 /*
  * Zadig: Automated Driver Installer for USB devices (GUI version)
  * Networking functionality (web file download, check for update, etc.)
- * Copyright © 2012-2014 Pete Batard <pete@akeo.ie>
+ * Copyright © 2012-2016 Pete Batard <pete@akeo.ie>
  *
  * This program is free software: you can redistribute it and/or modify
  * it under the terms of the GNU General Public License as published by
@@ -31,6 +31,7 @@
 #include <inttypes.h>
 
 #include "msapi_utf8.h"
+#include "stdfn.h"
 #include "zadig.h"
 #include "zadig_registry.h"
 #include "zadig_resource.h"
@@ -286,8 +287,9 @@ BOOL DownloadFile(const char* url, const char* file, HWND hProgressDialog)
 		dprintf("Network is unavailable: %s\n", WinInetErrorString());
 		goto out;
 	}
-	_snprintf(agent, ARRAYSIZE(agent), APPLICATION_NAME "/%d.%d.%d.%d",
-		application_version[0], application_version[1], application_version[2], application_version[3]);
+	safe_sprintf(agent, ARRAYSIZE(agent), APPLICATION_NAME "/%d.%d.%d  (Windows NT %d.%d%s)",
+		application_version[0], application_version[1], application_version[2],
+		nWindowsVersion >> 4, nWindowsVersion & 0x0F, is_x64() ? "; WOW64" : "");
 	hSession = InternetOpenA(agent, INTERNET_OPEN_TYPE_PRECONFIG, NULL, NULL, 0);
 	if (hSession == NULL) {
 		dprintf("Could not open internet session: %s\n", WinInetErrorString());
@@ -472,8 +474,9 @@ static DWORD WINAPI CheckForUpdatesThread(LPVOID param)
 		goto out;
 	hostname[sizeof(hostname)-1] = 0;
 
-	safe_sprintf(agent, ARRAYSIZE(agent), APPLICATION_NAME "/%d.%d.%d.%d",
-		application_version[0], application_version[1], application_version[2], application_version[3]);
+	safe_sprintf(agent, ARRAYSIZE(agent), APPLICATION_NAME "/%d.%d.%d  (Windows NT %d.%d%s)",
+		application_version[0], application_version[1], application_version[2],
+		nWindowsVersion >> 4, nWindowsVersion & 0x0F, is_x64() ? "; WOW64" : "");
 	hSession = InternetOpenA(agent, INTERNET_OPEN_TYPE_PRECONFIG, NULL, NULL, 0);
 	if (hSession == NULL)
 		goto out;
@@ -518,7 +521,7 @@ static DWORD WINAPI CheckForUpdatesThread(LPVOID param)
 			dwSize = sizeof(dwStatus);
 			dwStatus = 404;
 			HttpQueryInfoA(hRequest, HTTP_QUERY_STATUS_CODE|HTTP_QUERY_FLAG_NUMBER, (LPVOID)&dwStatus, &dwSize, NULL);
-			if (dwStatus == 200) 
+			if (dwStatus == 200)
 				break;
 			InternetCloseHandle(hRequest);
 			hRequest = NULL;
@@ -553,7 +556,7 @@ static DWORD WINAPI CheckForUpdatesThread(LPVOID param)
 		if (!force_update_check) {
 			if ((local_time > server_time + 600) || (local_time < server_time - 600)) {
 				dprintf("IMPORTANT: Your local clock is more than 10 minutes in the %s. Unless you fix this, "
-					APPLICATION_NAME " may not be able to check for updates...", 
+					APPLICATION_NAME " may not be able to check for updates...",
 					(local_time > server_time + 600)?"future":"past");
 			}
 		}
@@ -576,7 +579,7 @@ static DWORD WINAPI CheckForUpdatesThread(LPVOID param)
 		parse_update(buf, dwTotalSize+1);
 
 		vuprintf("UPDATE DATA:\n");
-		vuprintf("  version: %d.%d.%d.%d (%s)\n", update.version[0], update.version[1], 
+		vuprintf("  version: %d.%d.%d.%d (%s)\n", update.version[0], update.version[1],
 			update.version[2], update.version[3], channel[k]);
 		vuprintf("  platform_min: %d.%d\n", update.platform_min[0], update.platform_min[1]);
 		vuprintf("  url: %s\n", update.download_url);
diff --git a/libwdi/libwdi.rc b/libwdi/libwdi.rc
@@ -50,8 +50,8 @@ END
 //
 
 VS_VERSION_INFO VERSIONINFO
- FILEVERSION 1,2,5,691
- PRODUCTVERSION 1,2,5,691
+ FILEVERSION 1,2,5,692
+ PRODUCTVERSION 1,2,5,692
  FILEFLAGSMASK 0x17L
 #ifdef _DEBUG
  FILEFLAGS 0x1L
@@ -68,13 +68,13 @@ BEGIN
         BEGIN
             VALUE "CompanyName", "akeo.ie"
             VALUE "FileDescription", "libwdi: Windows Driver Installer Library"
-            VALUE "FileVersion", "1.2.5.691"
+            VALUE "FileVersion", "1.2.5.692"
             VALUE "InternalName", "libwdi"
             VALUE "LegalCopyright", "� 2010-2014 Pete Batard (LGPL v3)"
             VALUE "LegalTrademarks", "http://www.gnu.org/copyleft/lesser.html"
             VALUE "OriginalFilename", "libwdi"
             VALUE "ProductName", "libwdi"
-            VALUE "ProductVersion", "1.2.5.691"
+            VALUE "ProductVersion", "1.2.5.692"
             VALUE "Comments", "http://libwdi.akeo.ie"
         END
     END
diff --git a/libwdi/stdfn.h b/libwdi/stdfn.h
@@ -64,14 +64,14 @@ static __inline BOOL ReadRegistryStr(HKEY key_root, const char* key_name, char*
 	if (key_name == NULL)
 		return FALSE;
 
-	for (i = safe_strlen(key_name); i>0; i--) {
+	for (i = strlen(key_name); i>0; i--) {
 		if (key_name[i] == '\\')
 			break;
 	}
 
 	if (i != 0) {
 		strcpy(long_key_name, "SOFTWARE\\");
-		safe_strcat(long_key_name, sizeof(long_key_name), key_name);
+		strncat(long_key_name, key_name, sizeof(long_key_name));
 		long_key_name[sizeof("SOFTWARE\\") + i - 1] = 0;
 		i++;
 		if (RegOpenKeyExA(key_root, long_key_name, 0, KEY_READ, &hApp) != ERROR_SUCCESS) {
