[core] drop direct hooking into dwmapi DLL and use delay-loading instead

* Now that we can delay-load DLLs for both MinGW and MSVC, we can also remove the direct DLL hook that was added into dwmapi.dll due to side loading and revert to using a direct API call instead. * This reverts part of e1d864f755. * Also attempt to silence that damn Coverity warning.
2025-06-05 17:14:26 -04:00 · 2022-04-12 13:55:33 +01:00 · 2022-04-12 13:55:33 +01:00 · d029551929
commit d029551929
parent 3194a4dac4
9 changed files with 32 additions and 34 deletions
--- a/src/Makefile.am
+++ b/src/Makefile.am
@ -2,7 +2,7 @@ SUBDIRS = ../.mingw bled ext2fs ms-sys syslinux/libfat syslinux/libinstaller sys
 # As far as I can tell, the following libraries are *not* vulnerable to side-loading, so we link using their regular version:
 NONVULNERABLE_LIBS = -lsetupapi -lole32 -lgdi32 -lshlwapi -lcrypt32 -lcomdlg32 -lcomctl32 -luuid
 # The following libraries are vulnerable (or have an unknown vulnerability status), so we link using our delay-loaded replacement:
-VULNERABLE_LIBS = -lwintrust-delaylib -lversion-delaylib -lwininet-delaylib
+VULNERABLE_LIBS = -ldwmapi-delaylib -lversion-delaylib -lwininet-delaylib -lwintrust-delaylib

 noinst_PROGRAMS = rufus

--- a/src/Makefile.in
+++ b/src/Makefile.in
@ -276,7 +276,7 @@ SUBDIRS = ../.mingw bled ext2fs ms-sys syslinux/libfat syslinux/libinstaller sys
 # As far as I can tell, the following libraries are *not* vulnerable to side-loading, so we link using their regular version:
 NONVULNERABLE_LIBS = -lsetupapi -lole32 -lgdi32 -lshlwapi -lcrypt32 -lcomdlg32 -lcomctl32 -luuid
 # The following libraries are vulnerable (or have an unknown vulnerability status), so we link using our delay-loaded replacement:
-VULNERABLE_LIBS = -lwintrust-delaylib -lversion-delaylib -lwininet-delaylib
+VULNERABLE_LIBS = -ldwmapi-delaylib -lversion-delaylib -lwininet-delaylib -lwintrust-delaylib
 AM_V_WINDRES_0 = @echo "  RC     $@";$(WINDRES)
 AM_V_WINDRES_1 = $(WINDRES)
 AM_V_WINDRES_ = $(AM_V_WINDRES_$(AM_DEFAULT_VERBOSITY))
--- a/src/iso.c
+++ b/src/iso.c
@ -1580,7 +1580,6 @@ BOOL DumpFatDir(const char* path, int32_t cluster)
 	}

 	do {
-		// coverity[tainted_data_return]
 		dirpos.cluster = libfat_dumpdir(lf_fs, &dirpos, &diritem);
 		if (dirpos.cluster >= 0) {
 			name = wchar_to_utf8(diritem.name);
@ -1640,6 +1639,7 @@ BOOL DumpFatDir(const char* path, int32_t cluster)
 			safe_free(target);
 			safe_free(name);
 		}
+	// coverity[tainted_data]
 	} while (dirpos.cluster >= 0);
 	ret = TRUE;

--- a/src/rufus.c
+++ b/src/rufus.c
@ -2332,9 +2332,6 @@ static INT_PTR CALLBACK MainCallback(HWND hDlg, UINT message, WPARAM wParam, LPA
 		case IDC_LOG:
 			// Place the log Window to the right (or left for RTL) of our dialog on first display
 			if (first_log_display) {
-				// Can't link to dwmapi.lib since it sideloads dwapi.dll *before* we get a chance
-				// to prevent local directory lookup (Sideloading mitigation).
-				PF_TYPE_DECL(WINAPI, HRESULT, DwmGetWindowAttribute, (HWND, DWORD, PVOID, DWORD));
 				GetClientRect(GetDesktopWindow(), &DesktopRect);
 				GetWindowRect(hLogDialog, &DialogRect);
 				nWidth = DialogRect.right - DialogRect.left;
@ -2342,14 +2339,13 @@ static INT_PTR CALLBACK MainCallback(HWND hDlg, UINT message, WPARAM wParam, LPA
 				GetWindowRect(hDlg, &DialogRect);
 				offset = GetSystemMetrics(SM_CXBORDER);
 				if (nWindowsVersion >= WINDOWS_10) {
-					PF_INIT(DwmGetWindowAttribute, Dwmapi);
 					// See https://stackoverflow.com/a/42491227/1069307
 					// I agree with Stephen Hazel: Whoever at Microsoft thought it would be a great idea to
 					// add a *FRIGGING INVISIBLE BORDER* in Windows 10 should face the harshest punishment!
-					if (pfDwmGetWindowAttribute != NULL) {
-						pfDwmGetWindowAttribute(hDlg, DWMWA_EXTENDED_FRAME_BOUNDS, &rc, sizeof(RECT));
-						offset += 2 * (DialogRect.left - rc.left);
-					}
+					// Also calling this API will create DLL sideloading issues through 'dwmapi.dll' so make
+					// sure you delay-load it in your application.
+					DwmGetWindowAttribute(hDlg, DWMWA_EXTENDED_FRAME_BOUNDS, &rc, sizeof(RECT));
+					offset += 2 * (DialogRect.left - rc.left);
 				}
 				if (right_to_left_mode)
 					Point.x = max(DialogRect.left - offset - nWidth, 0);
--- a/src/rufus.rc
+++ b/src/rufus.rc
@ -33,7 +33,7 @@ LANGUAGE LANG_NEUTRAL, SUBLANG_NEUTRAL
 IDD_DIALOG DIALOGEX 12, 12, 232, 326
 STYLE DS_SETFONT | DS_MODALFRAME | DS_CENTER | WS_MINIMIZEBOX | WS_POPUP | WS_CAPTION | WS_SYSMENU
 EXSTYLE WS_EX_ACCEPTFILES
-CAPTION "Rufus 3.19.1883"
+CAPTION "Rufus 3.19.1884"
 FONT 9, "Segoe UI Symbol", 400, 0, 0x0
 BEGIN
    LTEXT           "Drive Properties",IDS_DRIVE_PROPERTIES_TXT,8,6,53,12,NOT WS_GROUP
@ -395,8 +395,8 @@ END
 //

 VS_VERSION_INFO VERSIONINFO
- FILEVERSION 3,19,1883,0
- PRODUCTVERSION 3,19,1883,0
+ FILEVERSION 3,19,1884,0
+ PRODUCTVERSION 3,19,1884,0
 FILEFLAGSMASK 0x3fL
 #ifdef _DEBUG
 FILEFLAGS 0x1L
@ -414,13 +414,13 @@ BEGIN
            VALUE "Comments", "https://rufus.ie"
            VALUE "CompanyName", "Akeo Consulting"
            VALUE "FileDescription", "Rufus"
-            VALUE "FileVersion", "3.19.1883"
+            VALUE "FileVersion", "3.19.1884"
            VALUE "InternalName", "Rufus"
            VALUE "LegalCopyright", "© 2011-2022 Pete Batard (GPL v3)"
            VALUE "LegalTrademarks", "https://www.gnu.org/licenses/gpl-3.0.html"
            VALUE "OriginalFilename", "rufus-3.19.exe"
            VALUE "ProductName", "Rufus"
-            VALUE "ProductVersion", "3.19.1883"
+            VALUE "ProductVersion", "3.19.1884"
        END
    END
    BLOCK "VarFileInfo"