-
Notifications
You must be signed in to change notification settings - Fork 33
/
unsafe-dll-loading.yaml
42 lines (41 loc) · 1.25 KB
/
unsafe-dll-loading.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
rules:
- id: unsafe-dll-loading
message: >-
The function is vulnerable to DLL hijacking attacks.
Use `windows.NewLazySystemDLL()` function to limit DLL search to the Windows directory
languages: [go]
severity: ERROR
metadata:
category: security
cwe: "CWE-427: Uncontrolled Search Path Element"
subcategory: [vuln]
confidence: HIGH
likelihood: MEDIUM
impact: HIGH
technology: [--no-technology--]
description: "Use of function vulnerable to DLL hijacking attacks"
references:
- https://pkg.go.dev/golang.org/x/sys/windows#LazyDLL
patterns:
- pattern-either:
- pattern: syscall.LoadDLL(...)
- pattern: syscall.LoadLibrary(...)
- pattern: windows.LoadDLL(...)
- pattern: windows.MustLoadDLL(...)
- pattern: syscall.NewLazyDLL(...)
- pattern: |
$X = windows.NewLazyDLL(...)
...
$X.$Y()
...
$X.System = true
- pattern: |
$X = windows.NewLazyDLL(...)
...
$X.$Y()
- pattern-not: |
$X = windows.NewLazyDLL(...)
...
$X.System = true
...
$X.$Y()