LoadLibraryExW returns ERROR_INVALID_IMAGE_HASH on official Microsoft DLLs

Question

LoadLibraryExW returns ERROR_INVALID_IMAGE_HASH on official Microsoft DLLs

Freedom Sy 26

I have this issue with where LoadLibraryExW is not able to verify the signature of some official Microsoft Windows DLLs when LOAD_LIBRARY_REQUIRE_SIGNED_TARGET is used.

Get-AuthenticodeSignature says the image is valid.

SignerCertificate Status Path

745A64E580C00EE694639E92FC9C8AC1BEAC5E5D Valid mswsock.dll

I tried both "mswsock.dll" and the absolute path, neither worked.

Freedom Sy 26 Reputation points

2023-03-14T16:25:26.45+00:00

Same thing for these 2 DLLs

d3d11.dll and comctl32.dll
David Lowndes 4,726 Reputation points

2023-03-14T17:06:59.7033333+00:00

Seems to have been encountered before.
Freedom Sy 26 Reputation points

2023-03-14T18:50:46.4766667+00:00

"Apparently LOAD_LIBRARY_REQUIRE_SIGNED_TARGET requires the PE image to be linked with IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY (0x0080) in its DLL characteristics."

Does that mean there is nothing I can do about it? How else can I verify the signature of every single DLL before they're loaded, regardless of that flag! I don't want to have to read it from disk on my own and use wintrust API to do that manually! Especially I can't implement the DLL name resolution on my own to be able to identify the DLL in question before LoadLibrary finds and loads it. Isn't there an alternative?

Accepted answer

0 additional answers

Your answer

Freedom Sy 26 Reputation points

2023-03-14T16:25:26.45+00:00

Same thing for these 2 DLLs

d3d11.dll and comctl32.dll
David Lowndes 4,726 Reputation points

2023-03-14T17:06:59.7033333+00:00

Seems to have been encountered before.
Freedom Sy 26 Reputation points

2023-03-14T18:50:46.4766667+00:00

"Apparently LOAD_LIBRARY_REQUIRE_SIGNED_TARGET requires the PE image to be linked with IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY (0x0080) in its DLL characteristics."

Does that mean there is nothing I can do about it? How else can I verify the signature of every single DLL before they're loaded, regardless of that flag! I don't want to have to read it from disk on my own and use wintrust API to do that manually! Especially I can't implement the DLL name resolution on my own to be able to identify the DLL in question before LoadLibrary finds and loads it. Isn't there an alternative?

Answer 1

RLWA32 49,536

Try calling SetProcessMitigationPolicy function with ProcessSignaturePolicy and PROCESS_MITIGATION_BINARY_SIGNATURE_POLICY structure during process startup.

For example,

PROCESS_MITIGATION_BINARY_SIGNATURE_POLICY policy{};
policy.MicrosoftSignedOnly = TRUE;

if (!SetProcessMitigationPolicy(ProcessSignaturePolicy, &policy, sizeof policy))
{
    // Handle error
}

When this is successful, using LoadLibrary to load a non-Microsoft DLL caused the system to display the following -

SystemError

and GetLastError returned the following right after LoadLibrary failed -

GetLastErrorText

RLWA32 49,536 Reputation points

2023-03-14T20:39:18.3266667+00:00

And if you use a launcher process you can set the policy for a child process by using an attribute list and UpdateProcThreadAttribute function to set PROC_THREAD_ATTRIBUTE_MITIGATION_POLICY.
Freedom Sy 26 Reputation points

2023-03-16T09:05:53.3533333+00:00

Is there a way to allow any signed binary to be loaded not only ones signed by Microsoft?
RLWA32 49,536 Reputation points

2023-03-16T13:09:25.7033333+00:00

@Freedom Sy I'm not aware of any generalized capability to limit loading an image to any signed binary.

As you have seen, LoadLibraryEx and LOAD_LIBRARY_REQUIRE_SIGNED_TARGET also require the linker /INTEGRITYCHECK option for the target binary and the documentation also discusses very specific code-signing requirements.

The documentation indicates that the process mitigation policy method can be made less restrictive for third party binaries if they are distributed through and are signed by the Windows Store.
Freedom Sy 26 Reputation points

2023-03-16T15:42:37.11+00:00

Thank you.

Share via

LoadLibraryExW returns ERROR_INVALID_IMAGE_HASH on official Microsoft DLLs

0 additional answers

Your answer