แก้ไข

แชร์ผ่าน


/DEPENDENTLOADFLAG (Set default dependent load flags)

The /DEPENDENTLOADFLAG option requires Visual Studio 2017 or later.

Sets the default load flags used when the operating system resolves the statically linked imports of a module.

Syntax

/DEPENDENTLOADFLAG[:load_flags]

Arguments

load_flags
An optional integer value that specifies the load flags to apply when resolving statically linked import dependencies of the module. The default value is 0. For a list of supported flag values, see the LOAD_LIBRARY_SEARCH_* entries in LoadLibraryEx.

Remarks

When the operating system resolves the statically linked imports of a module, it uses the default search order. Use the /DEPENDENTLOADFLAG option to specify a load_flags value that changes the search path used to resolve these imports. On supported operating systems, it changes the static import resolution search order, similar to what LoadLibraryEx does when using LOAD_LIBRARY_SEARCH parameters. For information on the search order set by load_flags, see Search order using LOAD_LIBRARY_SEARCH flags.

This flag can be used to make one DLL planting attack vector more difficult. For example, consider an app that has statically linked a DLL:

  • An attacker could plant a DLL with the same name earlier in the import resolution search path, such as the application directory. Protected directories are more difficult - but not impossible - for an attacker to change.

  • If the DLL is missing from the application, %windows%\system32, and %windows% directories, import resolution falls through to the current directory. An attacker could plant a DLL there.

In both cases, if you specify the link option /DEPENDENTLOADFLAG:0x800 (the value of the flag LOAD_LIBRARY_SEARCH_SYSTEM32), then the module search path is limited to the %windows%\system32 directory. It offers some protection from planting attacks on the other directories. For more information, see Dynamic-Link Library Security.

To see the value set by the /DEPENDENTLOADFLAG option in any DLL, use the DUMPBIN command with the /LOADCONFIG option.

The /DEPENDENTLOADFLAG option is new in Visual Studio 2017. It applies only to apps running on Windows 10 RS1 and later Windows versions. This option is ignored by other operating systems that run the app.

To set the DEPENDENTLOADFLAG linker option in the Visual Studio development environment

  1. Open the project's Property Pages dialog box. For details, see Set C++ compiler and build properties in Visual Studio.

  2. Select the Configuration Properties > Linker > Command Line property page.

  3. Enter the option in Additional Options.

To set this linker option programmatically

See also