\nSuppose your PATH environment variable looks like this:\n<\/p>\n
\nC:\\dir1;\\\\server\\share;C:\\dir2\n<\/pre>\n\nSuppose that you call
LoadLibrary(\"foo.dll\")<\/code>\nintending to load the library at\nC:\\dir2\\foo.dll<\/code>.\nIf the network server is down, theLoadLibrary<\/code> call\nwill fail.\nWhy doesn’t it just skip the bad directory in the PATH and\ncontinue searching?\n<\/p>\n\nSuppose the
LoadLibrary<\/code> function skipped the bad\nnetwork directory and kept searching.\nSuppose that the code which called\nLoadLibrary(\"foo.dll\")<\/code> was really after the file\n\\\\server\\share\\foo.dll<\/code>.\nBy taking the server down, you have tricked theLoadLibrary<\/code>\nfunction into loadingc:\\dir2\\foo.dll<\/code> instead.\n(And maybe that was your DLL planting attack:\nIf you can convince the system to reject all the versions on the\nPATH<\/code> by some means, you can then getLoadLibrary<\/code>\nto look in the current directory, which is where you put your attack\nversion offoo.dll<\/code>.)\n<\/p>\n\nThis can manifest itself in very strange ways if the two\ncopies of
foo.dll<\/code> are not identical,\nbecause the program is now running with a version offoo.dll<\/code>\nit was not designed to use.\n“My program works okay during the day, but it starts returning\nbad data when I try to run between midnight and 3am.”\nReason:\nThe server is taken down for maintenance every night,\nso the program ends up running with the version in\nc:\\dir2\\foo.dll<\/code>, which happens to be an incompatible\nversion of the file.\n<\/p>\n\nWhen the
LoadLibrary<\/code> function\nis unable to contact\\\\server\\share\\foo.dll<\/code>,\nit doesn’t know whether it’s in the\n“don’t worry, I wasn’t expecting the file to be there anyway”\ncase or in the\n“I was hoping to get that version of the file,\ndon’t substitute any bogus ones”\ncase.\nSo it plays it safe and assumes it’s in the\n“don’t substitute any bogus ones” and fails the call.\nThe program can then perform whatever recovery it deems appropriate\nwhen it cannot load its preciousfoo.dll<\/code> file.\n<\/p>\n\nNow consider the case where there is also\na
c:\\dir1\\foo.dll<\/code> file,\nbut it’s corrupted.\nIf you do aLoadLibrary(\"foo.dll\")<\/code>,\nthe call will fail with the error\nERROR_BAD_EXE_FORMAT<\/code>\nbecause it found theC:\\dir1\\foo.dll<\/code> file,\ndetermined that it was corrupted, and gave up.\nIt doesn’t continue searching the path for a better version.\nThe path-searching algorithm is not a backtracking algorithm.\nOnce a file is found, the algorithm commits to trying to load\nthat file (a “cut” in logic programming parlance),\nand if it fails, it doesn’t backtrack and return\nto a previous state to try something else.\n<\/p>\n