Windows: Fix Dll hijacking vulnerability affecting installer that allows arbitrary code execution with elevation of privilege (CVE-2016-1281)

src/Common/BootEncryption.cpp

@@ -13,7 +13,6 @@
 #include "Tcdefs.h"
 #include "Platform/Finally.h"
 #include "Platform/ForEach.h"
-#include <Setupapi.h>
 #include <devguid.h>
 #include <io.h>
 #include <shlobj.h>
@@ -810,16 +809,6 @@ namespace VeraCrypt
 	}
 
 
-	wstring BootEncryption::GetTempPath ()
-	{
-		wchar_t tempPath[MAX_PATH];
-		DWORD tempLen = ::GetTempPath (ARRAYSIZE (tempPath), tempPath);
-		if (tempLen == 0 || tempLen > ARRAYSIZE (tempPath))
-			throw ParameterIncorrect (SRC_POS);
-
-		return wstring (tempPath);
-	}
-
 
 	uint16 BootEncryption::GetInstalledBootLoaderVersion ()
 	{
@@ -1953,7 +1942,7 @@ namespace VeraCrypt
 		case VolumeFilter:
 			filter = "veracrypt";
 			filterReg = "UpperFilters";
-			regKey = SetupDiOpenClassRegKey (deviceClassGuid, KEY_READ | KEY_WRITE);
+			regKey = OpenDeviceClassRegKey (deviceClassGuid);
 			throw_sys_if (regKey == INVALID_HANDLE_VALUE);
 
 			break;
@@ -1994,24 +1983,7 @@ namespace VeraCrypt
 		}
 		else
 		{
-			wstring infFileName = GetTempPath() + L"\\veracrypt_driver_setup.inf";
-
-			File infFile (infFileName, false, true);
-			finally_do_arg (wstring, infFileName, { DeleteFile (finally_arg.c_str()); });
-
-			string infTxt = "[veracrypt]\r\n"
-							+ string (registerFilter ? "Add" : "Del") + "Reg=veracrypt_reg\r\n\r\n"
-							"[veracrypt_reg]\r\n"
-							"HKR,,\"" + filterReg + "\",0x0001" + string (registerFilter ? "0008" : "8002") + ",\"" + filter + "\"\r\n";
-
-			infFile.Write ((byte *) infTxt.c_str(), (DWORD) infTxt.size());
-			infFile.Close();
-
-			HINF hInf = SetupOpenInfFile (infFileName.c_str(), NULL, INF_STYLE_OLDNT | INF_STYLE_WIN4, NULL);
-			throw_sys_if (hInf == INVALID_HANDLE_VALUE);
-			finally_do_arg (HINF, hInf, { SetupCloseInfFile (finally_arg); });
-
-			throw_sys_if (!SetupInstallFromInfSection (ParentWindow, hInf, L"veracrypt", SPINST_REGISTRY, regKey, NULL, 0, NULL, NULL, NULL, NULL));
+			RegisterDriverInf (registerFilter, filter, filterReg, ParentWindow, regKey);
 		}
 	}
 
@@ -2304,7 +2276,7 @@ namespace VeraCrypt
 		}
 
 		// Temporary files
-		if (towupper (GetTempPath()[0]) != windowsDrive)
+		if (towupper (GetTempPathString()[0]) != windowsDrive)
 		{
 			throw ErrorException (wstring (GetString ("TEMP_NOT_ON_SYS_PARTITION")) 
 				+ GetString ("LEAKS_OUTSIDE_SYSPART_UNIVERSAL_EXPLANATION"), SRC_POS);

src/Common/BootEncryption.h

@@ -166,7 +166,6 @@ namespace VeraCrypt
 		Partition GetPartitionForHiddenOS ();
 		bool IsBootLoaderOnDrive (wchar_t *devicePath);
 		BootEncryptionStatus GetStatus ();
-		wstring GetTempPath ();
 		void GetVolumeProperties (VOLUME_PROPERTIES_STRUCT *properties);
 		SystemDriveConfiguration GetSystemDriveConfiguration ();
 		void Install (bool hiddenSystem);

src/Common/Dlgcode.c

@@ -16,6 +16,7 @@
 #include <windowsx.h>
 #include <dbghelp.h>
 #include <dbt.h>
+#include <Setupapi.h>
 #include <fcntl.h>
 #include <io.h>
 #include <math.h>
@@ -190,6 +191,34 @@ DWORD SystemFileSelectorCallerThreadId;
 #define RANDPOOL_DISPLAY_COLUMNS 20
 
 HMODULE hRichEditDll = NULL;
+HMODULE hComctl32Dll = NULL;
+HMODULE hSetupDll = NULL;
+HMODULE hShlwapiDll = NULL;
+
+#define FREE_DLL(h)	if (h) { FreeLibrary (h); h = NULL;}
+
+typedef void (WINAPI *InitCommonControlsPtr)(void);
+typedef HIMAGELIST  (WINAPI *ImageList_CreatePtr)(int cx, int cy, UINT flags, int cInitial, int cGrow);
+typedef int         (WINAPI *ImageList_AddPtr)(HIMAGELIST himl, HBITMAP hbmImage, HBITMAP hbmMask);
+
+typedef VOID (WINAPI *SetupCloseInfFilePtr)(HINF InfHandle);
+typedef HKEY (WINAPI *SetupDiOpenClassRegKeyPtr)(CONST GUID *ClassGuid,REGSAM samDesired);
+typedef BOOL (WINAPI *SetupInstallFromInfSectionWPtr)(HWND,HINF,PCWSTR,UINT,HKEY,PCWSTR,UINT,PSP_FILE_CALLBACK_W,PVOID,HDEVINFO,PSP_DEVINFO_DATA);
+typedef HINF (WINAPI *SetupOpenInfFileWPtr)(PCWSTR FileName,PCWSTR InfClass,DWORD InfStyle,PUINT ErrorLine);
+
+typedef LSTATUS (STDAPICALLTYPE *SHDeleteKeyWPtr)(HKEY hkey, LPCWSTR pszSubKey);
+
+typedef HRESULT (STDAPICALLTYPE *SHStrDupWPtr)(LPCWSTR psz, LPWSTR *ppwsz);
+
+ImageList_CreatePtr ImageList_CreateFn = NULL;
+ImageList_AddPtr ImageList_AddFn = NULL;
+
+SetupCloseInfFilePtr SetupCloseInfFileFn = NULL;
+SetupDiOpenClassRegKeyPtr SetupDiOpenClassRegKeyFn = NULL;
+SetupInstallFromInfSectionWPtr SetupInstallFromInfSectionWFn = NULL;
+SetupOpenInfFileWPtr SetupOpenInfFileWFn = NULL;
+SHDeleteKeyWPtr SHDeleteKeyWFn = NULL;
+SHStrDupWPtr SHStrDupWFn = NULL;
 
 /* Windows dialog class */
 #define WINDOWS_DIALOG_CLASS L"#32770"
@@ -476,11 +505,11 @@ void AbortProcessDirect (wchar_t *abortMsg)
 	// Note that this function also causes localcleanup() to be called (see atexit())
 	MessageBeep (MB_ICONEXCLAMATION);
 	MessageBoxW (NULL, abortMsg, lpszTitle, ICON_HAND);
-	if (hRichEditDll)
-	{
-		FreeLibrary (hRichEditDll);
-		hRichEditDll = NULL;
-	}
+	FREE_DLL (hRichEditDll);
+	FREE_DLL (hComctl32Dll);
+	FREE_DLL (hSetupDll);
+	FREE_DLL (hShlwapiDll);
+
 	exit (1);
 }
 
@@ -492,11 +521,10 @@ void AbortProcess (char *stringId)
 
 void AbortProcessSilent (void)
 {
-	if (hRichEditDll)
-	{
-		FreeLibrary (hRichEditDll);
-		hRichEditDll = NULL;
-	}
+	FREE_DLL (hRichEditDll);
+	FREE_DLL (hComctl32Dll);
+	FREE_DLL (hSetupDll);
+	FREE_DLL (hShlwapiDll);
 	// Note that this function also causes localcleanup() to be called (see atexit())
 	exit (1);
 }
@@ -2288,10 +2316,10 @@ void DoPostInstallTasks (HWND hwndDlg)
 
 void InitOSVersionInfo ()
 {
-	OSVERSIONINFO os;
-	os.dwOSVersionInfoSize = sizeof (OSVERSIONINFO);
+	OSVERSIONINFOW os;
+	os.dwOSVersionInfoSize = sizeof (OSVERSIONINFOW);
 
-	if (GetVersionEx (&os) == FALSE)
+	if (GetVersionExW (&os) == FALSE)
 		AbortProcess ("NO_OS_VER");
 
 	CurrentOSMajor = os.dwMajorVersion;
@@ -2303,10 +2331,10 @@ void InitOSVersionInfo ()
 		nCurrentOS = WIN_XP;
 	else if (os.dwPlatformId == VER_PLATFORM_WIN32_NT && CurrentOSMajor == 5 && CurrentOSMinor == 2)
 	{
-		OSVERSIONINFOEX osEx;
+		OSVERSIONINFOEXW osEx;
 
-		osEx.dwOSVersionInfoSize = sizeof (OSVERSIONINFOEX);
-		GetVersionEx ((LPOSVERSIONINFOW) &osEx);
+		osEx.dwOSVersionInfoSize = sizeof (OSVERSIONINFOEXW);
+		GetVersionExW ((LPOSVERSIONINFOW) &osEx);
 
 		if (osEx.wProductType == VER_NT_SERVER || osEx.wProductType == VER_NT_DOMAIN_CONTROLLER)
 			nCurrentOS = WIN_SERVER_2003;
@@ -2315,10 +2343,10 @@ void InitOSVersionInfo ()
 	}
 	else if (os.dwPlatformId == VER_PLATFORM_WIN32_NT && CurrentOSMajor == 6 && CurrentOSMinor == 0)
 	{
-		OSVERSIONINFOEX osEx;
+		OSVERSIONINFOEXW osEx;
 
-		osEx.dwOSVersionInfoSize = sizeof (OSVERSIONINFOEX);
-		GetVersionEx ((LPOSVERSIONINFOW) &osEx);
+		osEx.dwOSVersionInfoSize = sizeof (OSVERSIONINFOEXW);
+		GetVersionExW ((LPOSVERSIONINFOW) &osEx);
 
 		if (osEx.wProductType == VER_NT_SERVER || osEx.wProductType == VER_NT_DOMAIN_CONTROLLER)
 			nCurrentOS = WIN_SERVER_2008;
@@ -2341,14 +2369,64 @@ void InitOSVersionInfo ()
 		nCurrentOS = WIN_UNKNOWN;
 }
 
+static void LoadSystemDll (LPCTSTR szModuleName, HMODULE *pHandle)
+{
+	wchar_t dllPath[MAX_PATH];
+
+	/* Load dll explictely from System32 to avoid Dll hijacking attacks*/
+	if (!GetSystemDirectory(dllPath, MAX_PATH))
+		StringCbCopyW(dllPath, sizeof(dllPath), L"C:\\Windows\\System32");
+
+	StringCbCatW(dllPath, sizeof(dllPath), L"\\");
+	StringCbCatW(dllPath, sizeof(dllPath), szModuleName);
+
+	if ((*pHandle = LoadLibrary(dllPath)) == NULL)
+	{
+		// This error is fatal
+		handleWin32Error (NULL, SRC_POS);
+		AbortProcess ("INIT_DLL");
+	}
+}
 
 /* InitApp - initialize the application, this function is called once in the
    applications WinMain function, but before the main dialog has been created */
 void InitApp (HINSTANCE hInstance, wchar_t *lpszCommandLine)
 {
 	WNDCLASSW wc;
-	char langId[6];
-	wchar_t dllPath[MAX_PATH];
+	char langId[6];	
+	InitCommonControlsPtr InitCommonControlsFn = NULL;	
+
+	LoadSystemDll (L"COMCTL32.DLL", &hComctl32Dll);
+	LoadSystemDll (L"Riched20.dll", &hRichEditDll);
+	LoadSystemDll (L"SETUPAPI.DLL", &hSetupDll);
+	LoadSystemDll (L"SHLWAPI.DLL", &hShlwapiDll);
+
+	// call InitCommonControls function
+	InitCommonControlsFn = (InitCommonControlsPtr) GetProcAddress (hComctl32Dll, "InitCommonControls");
+	ImageList_AddFn = (ImageList_AddPtr) GetProcAddress (hComctl32Dll, "ImageList_Add");
+	ImageList_CreateFn = (ImageList_CreatePtr) GetProcAddress (hComctl32Dll, "ImageList_Create");
+
+	if (InitCommonControlsFn && ImageList_AddFn && ImageList_CreateFn)
+	{
+		InitCommonControlsFn();
+	}
+	else
+		AbortProcess ("INIT_DLL");
+
+	// Get SetupAPI functions pointers
+	SetupCloseInfFileFn = (SetupCloseInfFilePtr) GetProcAddress (hSetupDll, "SetupCloseInfFile");
+	SetupDiOpenClassRegKeyFn = (SetupDiOpenClassRegKeyPtr) GetProcAddress (hSetupDll, "SetupDiOpenClassRegKey");
+	SetupInstallFromInfSectionWFn = (SetupInstallFromInfSectionWPtr) GetProcAddress (hSetupDll, "SetupInstallFromInfSectionW");
+	SetupOpenInfFileWFn = (SetupOpenInfFileWPtr) GetProcAddress (hSetupDll, "SetupOpenInfFileW");
+
+	if (!SetupCloseInfFileFn || !SetupDiOpenClassRegKeyFn || !SetupInstallFromInfSectionWFn || !SetupOpenInfFileWFn)
+		AbortProcess ("INIT_DLL");
+
+	// Get SHDeleteKeyW function pointer
+	SHDeleteKeyWFn = (SHDeleteKeyWPtr) GetProcAddress (hShlwapiDll, "SHDeleteKeyW");
+	SHStrDupWFn = (SHStrDupWPtr) GetProcAddress (hShlwapiDll, "SHStrDupW");
+	if (!SHDeleteKeyWFn || !SHStrDupWFn)
+		AbortProcess ("INIT_DLL");
 
 	/* Save the instance handle for later */
 	hInst = hInstance;
@@ -2448,11 +2526,11 @@ void InitApp (HINSTANCE hInstance, wchar_t *lpszCommandLine)
 	}
 	else
 	{
-		OSVERSIONINFOEX osEx;
+		OSVERSIONINFOEXW osEx;
 
 		// Service pack check & warnings about critical MS issues
-		osEx.dwOSVersionInfoSize = sizeof (OSVERSIONINFOEX);
-		if (GetVersionEx ((LPOSVERSIONINFOW) &osEx) != 0)
+		osEx.dwOSVersionInfoSize = sizeof (OSVERSIONINFOEXW);
+		if (GetVersionExW ((LPOSVERSIONINFOW) &osEx) != 0)
 		{
 			CurrentOSServicePack = osEx.wServicePackMajor;
 			switch (nCurrentOS)
@@ -2528,18 +2606,6 @@ void InitApp (HINSTANCE hInstance, wchar_t *lpszCommandLine)
 		handleWin32Error (NULL, SRC_POS);
 		AbortProcess ("INIT_REGISTER");
 	}
-	
-	if (GetSystemDirectory(dllPath, MAX_PATH))
-		StringCbCatW(dllPath, sizeof(dllPath), L"\\Riched20.dll");
-	else
-		StringCbCopyW(dllPath, sizeof(dllPath), L"c:\\Windows\\System32\\Riched20.dll");
-	// Required for RichEdit text fields to work
-	if ((hRichEditDll = LoadLibrary(dllPath)) == NULL)
-	{
-		// This error is fatal e.g. because legal notices could not be displayed
-		handleWin32Error (NULL, SRC_POS);
-		AbortProcess ("INIT_RICHEDIT");	
-	}
 
 	// DPI and GUI aspect ratio
 	DialogBoxParamW (hInst, MAKEINTRESOURCEW (IDD_AUXILIARY_DLG), NULL,
@@ -2551,11 +2617,10 @@ void InitApp (HINSTANCE hInstance, wchar_t *lpszCommandLine)
 	if (!EncryptionThreadPoolStart (ReadEncryptionThreadPoolFreeCpuCountLimit()))
 	{
 		handleWin32Error (NULL, SRC_POS);
-		if (hRichEditDll)
-		{
-			FreeLibrary (hRichEditDll);
-			hRichEditDll = NULL;
-		}
+		FREE_DLL (hRichEditDll);
+		FREE_DLL (hComctl32Dll);
+		FREE_DLL (hSetupDll);
+		FREE_DLL (hShlwapiDll);
 		exit (1);
 	}
 #endif
@@ -2563,11 +2628,10 @@ void InitApp (HINSTANCE hInstance, wchar_t *lpszCommandLine)
 
 void FinalizeApp (void)
 {
-	if (hRichEditDll)
-	{
-		FreeLibrary (hRichEditDll);
-		hRichEditDll = NULL;
-	}
+	FREE_DLL (hRichEditDll);
+	FREE_DLL (hComctl32Dll);
+	FREE_DLL (hSetupDll);
+	FREE_DLL (hShlwapiDll);
 }
 
 void InitHelpFileName (void)
@@ -4377,6 +4441,16 @@ wstring IntToWideString (int val)
 	return szTmp;
 }
 
+wstring GetTempPathString ()
+{
+	wchar_t tempPath[MAX_PATH];
+	DWORD tempLen = ::GetTempPath (ARRAYSIZE (tempPath), tempPath);
+	if (tempLen == 0 || tempLen > ARRAYSIZE (tempPath))
+		throw ParameterIncorrect (SRC_POS);
+
+	return wstring (tempPath);
+}
+
 void GetSizeString (unsigned __int64 size, wchar_t *str, size_t cbStr)
 {
 	static wchar_t *b, *kb, *mb, *gb, *tb, *pb;
@@ -9051,9 +9125,9 @@ BOOL Is64BitOs ()
 
 BOOL IsServerOS ()
 {
-	OSVERSIONINFOEXA osVer;
-	osVer.dwOSVersionInfoSize = sizeof (OSVERSIONINFOEXA);
-	GetVersionExA ((LPOSVERSIONINFOA) &osVer);
+	OSVERSIONINFOEXW osVer;
+	osVer.dwOSVersionInfoSize = sizeof (OSVERSIONINFOEXW);
+	GetVersionExW ((LPOSVERSIONINFOW) &osVer);
 
 	return (osVer.wProductType == VER_NT_SERVER || osVer.wProductType == VER_NT_DOMAIN_CONTROLLER);
 }
@@ -9134,7 +9208,7 @@ std::wstring GetWindowsEdition ()
 	wstring osname = L"win";
 
 	OSVERSIONINFOEXW osVer;
-	osVer.dwOSVersionInfoSize = sizeof (OSVERSIONINFOEXA);
+	osVer.dwOSVersionInfoSize = sizeof (OSVERSIONINFOEXW);
 	GetVersionExW ((LPOSVERSIONINFOW) &osVer);
 
 	BOOL home = (osVer.wSuiteMask & VER_SUITE_PERSONAL);
@@ -10986,4 +11060,51 @@ void HandleShowPasswordFieldAction (HWND hwndDlg, UINT checkBoxId, UINT edit1Id,
 			0);
 		InvalidateRect (GetDlgItem (hwndDlg, edit2Id), NULL, TRUE);
 	}
-}
+}
+
+void RegisterDriverInf (bool registerFilter, const string& filter, const string& filterReg, HWND ParentWindow, HKEY regKey)
+{
+	wstring infFileName = GetTempPathString() + L"\\veracrypt_driver_setup.inf";
+
+	File infFile (infFileName, false, true);
+	finally_do_arg (wstring, infFileName, { DeleteFile (finally_arg.c_str()); });
+
+	string infTxt = "[veracrypt]\r\n"
+					+ string (registerFilter ? "Add" : "Del") + "Reg=veracrypt_reg\r\n\r\n"
+					"[veracrypt_reg]\r\n"
+					"HKR,,\"" + filterReg + "\",0x0001" + string (registerFilter ? "0008" : "8002") + ",\"" + filter + "\"\r\n";
+
+	infFile.Write ((byte *) infTxt.c_str(), (DWORD) infTxt.size());
+	infFile.Close();
+
+	HINF hInf = SetupOpenInfFileWFn (infFileName.c_str(), NULL, INF_STYLE_OLDNT | INF_STYLE_WIN4, NULL);
+	throw_sys_if (hInf == INVALID_HANDLE_VALUE);
+	finally_do_arg (HINF, hInf, { SetupCloseInfFileFn (finally_arg); });
+
+	throw_sys_if (!SetupInstallFromInfSectionWFn (ParentWindow, hInf, L"veracrypt", SPINST_REGISTRY, regKey, NULL, 0, NULL, NULL, NULL, NULL));
+}
+
+HKEY OpenDeviceClassRegKey (const GUID *deviceClassGuid)
+{
+	return SetupDiOpenClassRegKeyFn (deviceClassGuid, KEY_READ | KEY_WRITE);
+}
+
+LSTATUS DeleteRegistryKey (HKEY hKey, LPCTSTR keyName)
+{
+	return SHDeleteKeyWFn(hKey, keyName);
+}
+
+HIMAGELIST  CreateImageList(int cx, int cy, UINT flags, int cInitial, int cGrow)
+{
+	return ImageList_CreateFn(cx, cy, flags, cInitial, cGrow);
+}
+
+int AddBitmapToImageList(HIMAGELIST himl, HBITMAP hbmImage, HBITMAP hbmMask)
+{
+	return ImageList_AddFn(himl, hbmImage, hbmMask);
+}
+
+HRESULT VCStrDupW(LPCWSTR psz, LPWSTR *ppwsz)
+{
+	return SHStrDupWFn (psz, ppwsz);
+}

src/Common/Dlgcode.h

@@ -491,6 +491,11 @@ void SetPim (HWND hwndDlg, UINT ctrlId, int pim);
 BOOL GetPassword (HWND hwndDlg, UINT ctrlID, char* passValue, int bufSize, BOOL bShowError);
 void SetPassword (HWND hwndDlg, UINT ctrlID, char* passValue);
 void HandleShowPasswordFieldAction (HWND hwndDlg, UINT checkBoxId, UINT edit1Id, UINT edit2Id);
+HKEY OpenDeviceClassRegKey (const GUID *deviceClassGuid);
+LSTATUS DeleteRegistryKey (HKEY, LPCTSTR);
+HIMAGELIST  CreateImageList(int cx, int cy, UINT flags, int cInitial, int cGrow);
+int AddBitmapToImageList(HIMAGELIST himl, HBITMAP hbmImage, HBITMAP hbmMask);
+HRESULT VCStrDupW(LPCWSTR psz, LPWSTR *ppwsz);
 
 #ifdef __cplusplus
 }
@@ -555,6 +560,8 @@ std::wstring HarddiskVolumePathToPartitionPath (const std::wstring &harddiskVolu
 std::wstring FindLatestFileOrDirectory (const std::wstring &directory, const wchar_t *namePattern, bool findDirectory, bool findFile);
 std::wstring GetUserFriendlyVersionString (int version);
 std::wstring IntToWideString (int val);
+void RegisterDriverInf (bool registerFilter, const std::string& filter, const std::string& filterReg, HWND ParentWindow, HKEY regKey);
+std::wstring GetTempPathString ();
 inline std::wstring AppendSrcPos (const wchar_t* msg, const char* srcPos)
 {
 	return std::wstring (msg? msg : L"") + L"\n\nSource: " + SingleStringToWide (srcPos);

src/Common/Language.xml

@@ -563,7 +563,7 @@
     <string lang="en" key="INIT_RAND">Failed to initialize the random number generator!\n\n\n(If you report a bug in connection with this, please include the following technical information in the bug report:\n%hs, Last Error = 0x%.8X)</string>
     <string lang="en" key="CAPI_RAND">Windows Crypto API failed!\n\n\n(If you report a bug in connection with this, please include the following technical information in the bug report:\n%hs, Last Error = 0x%.8X)</string>
     <string lang="en" key="INIT_REGISTER">Unable to initialize the application. Failed to register the Dialog class.</string>
-    <string lang="en" key="INIT_RICHEDIT">Error: Failed to load the Rich Edit system library.</string>
+    <string lang="en" key="INIT_DLL">Error: Failed to load a system library.</string>
     <string lang="en" key="INTRO_TITLE">VeraCrypt Volume Creation Wizard</string>
     <string lang="en" key="MAX_HIDVOL_SIZE_BYTES">Maximum possible hidden volume size for this volume is %.2f bytes.</string>
     <string lang="en" key="MAX_HIDVOL_SIZE_KB">Maximum possible hidden volume size for this volume is %.2f KB.</string>

src/ExpandVolume/ExpandVolume.vcproj

@@ -75,7 +75,7 @@
 			/>
 			<Tool
 				Name="VCLinkerTool"
-				AdditionalDependencies="version.lib comctl32.lib setupapi.lib ..\Crypto\Debug\crypto.lib"
+				AdditionalDependencies="..\Crypto\Debug\crypto.lib"
 				OutputFile="$(OutDir)/VeraCryptExpander.exe"
 				LinkIncremental="2"
 				GenerateManifest="false"
@@ -168,7 +168,7 @@
 			/>
 			<Tool
 				Name="VCLinkerTool"
-				AdditionalDependencies="version.lib comctl32.lib setupapi.lib ..\Crypto\x64\Debug\crypto.lib"
+				AdditionalDependencies="..\Crypto\x64\Debug\crypto.lib"
 				OutputFile="$(OutDir)/VeraCryptExpander.exe"
 				LinkIncremental="2"
 				GenerateManifest="false"
@@ -256,7 +256,7 @@
 			/>
 			<Tool
 				Name="VCLinkerTool"
-				AdditionalDependencies="comctl32.lib setupapi.lib version.lib ..\Crypto\Release\crypto.lib"
+				AdditionalDependencies="..\Crypto\Release\crypto.lib"
 				OutputFile="$(OutDir)/VeraCryptExpander.exe"
 				LinkIncremental="1"
 				GenerateManifest="false"
@@ -347,7 +347,7 @@
 			/>
 			<Tool
 				Name="VCLinkerTool"
-				AdditionalDependencies="comctl32.lib setupapi.lib version.lib ..\Crypto\x64\Release\crypto.lib"
+				AdditionalDependencies="..\Crypto\x64\Release\crypto.lib"
 				OutputFile="$(OutDir)/VeraCryptExpander.exe"
 				LinkIncremental="1"
 				GenerateManifest="false"

src/ExpandVolume/WinMain.cpp

@@ -986,7 +986,6 @@ int WINAPI wWinMain (HINSTANCE hInstance, HINSTANCE hPrevInstance, wchar_t *lpsz
 	VirtualLock (&VeraCryptExpander::defaultMountOptions, sizeof (VeraCryptExpander::defaultMountOptions));
 	VirtualLock (&VeraCryptExpander::szFileName, sizeof(VeraCryptExpander::szFileName));
 
-	InitCommonControls ();
 	InitApp (hInstance, lpszCommandLine);
 
 	/* application title */

src/Format/Format.vcproj

@@ -68,7 +68,7 @@
 			/>
 			<Tool
 				Name="VCLinkerTool"
-				AdditionalDependencies="comctl32.lib setupapi.lib ..\Crypto\Debug\crypto.lib"
+				AdditionalDependencies="..\Crypto\Debug\crypto.lib"
 				OutputFile="$(OutDir)/VeraCryptFormat.exe"
 				LinkIncremental="2"
 				GenerateManifest="false"
@@ -154,7 +154,7 @@
 			/>
 			<Tool
 				Name="VCLinkerTool"
-				AdditionalDependencies="comctl32.lib setupapi.lib ..\Crypto\x64\Debug\crypto.lib"
+				AdditionalDependencies="..\Crypto\x64\Debug\crypto.lib"
 				OutputFile="$(OutDir)/VeraCryptFormat.exe"
 				LinkIncremental="2"
 				GenerateManifest="false"
@@ -240,7 +240,7 @@
 			/>
 			<Tool
 				Name="VCLinkerTool"
-				AdditionalDependencies="comctl32.lib setupapi.lib ..\Crypto\Release\crypto.lib"
+				AdditionalDependencies="..\Crypto\Release\crypto.lib"
 				OutputFile="$(OutDir)/VeraCryptFormat.exe"
 				LinkIncremental="1"
 				GenerateManifest="false"
@@ -329,7 +329,7 @@
 			/>
 			<Tool
 				Name="VCLinkerTool"
-				AdditionalDependencies="comctl32.lib setupapi.lib ..\Crypto\x64\Release\crypto.lib"
+				AdditionalDependencies="..\Crypto\x64\Release\crypto.lib"
 				OutputFile="$(OutDir)/VeraCryptFormat.exe"
 				LinkIncremental="1"
 				GenerateManifest="false"

src/Mount/Mount.c

@@ -4286,8 +4286,8 @@ void BuildTree (HWND hwndDlg, HWND hTree)
 		return;
 	hBitmapMask = LoadBitmap (hInst, MAKEINTRESOURCE (IDB_DRIVEICON_MASK));
 
-	hList = ImageList_Create (16, 12, ILC_COLOR8|ILC_MASK, 2, 2);
-	if (ImageList_Add (hList, hBitmap, hBitmapMask) == -1)
+	hList = CreateImageList (16, 12, ILC_COLOR8|ILC_MASK, 2, 2);
+	if (AddBitmapToImageList (hList, hBitmap, hBitmapMask) == -1)
 	{
 		DeleteObject (hBitmap);
 		DeleteObject (hBitmapMask);
@@ -4306,7 +4306,7 @@ void BuildTree (HWND hwndDlg, HWND hTree)
 		return;
 	hBitmapMask = LoadBitmap (hInst, MAKEINTRESOURCE (IDB_SYS_DRIVEICON_MASK));
 
-	if (ImageList_Add (hList, hBitmap, hBitmapMask) == -1)
+	if (AddBitmapToImageList (hList, hBitmap, hBitmapMask) == -1)
 	{
 		DeleteObject (hBitmap);
 		DeleteObject (hBitmapMask);
@@ -8663,7 +8663,6 @@ int WINAPI wWinMain (HINSTANCE hInstance, HINSTANCE hPrevInstance, wchar_t *lpsz
 	if (BootEncObj == NULL)
 		AbortProcess ("INIT_SYS_ENC");
 
-	InitCommonControls ();
 	InitApp (hInstance, lpszCommandLine);
 
 	RegisterRedTick(hInstance);

src/Mount/Mount.vcproj

@@ -74,7 +74,7 @@
 			/>
 			<Tool
 				Name="VCLinkerTool"
-				AdditionalDependencies="comctl32.lib setupapi.lib version.lib ..\Crypto\Debug\crypto.lib"
+				AdditionalDependencies="..\Crypto\Debug\crypto.lib"
 				OutputFile="$(OutDir)/VeraCrypt.exe"
 				LinkIncremental="2"
 				GenerateManifest="false"
@@ -166,7 +166,7 @@
 			/>
 			<Tool
 				Name="VCLinkerTool"
-				AdditionalDependencies="comctl32.lib setupapi.lib version.lib ..\Crypto\x64\Debug\crypto.lib"
+				AdditionalDependencies="..\Crypto\x64\Debug\crypto.lib"
 				OutputFile="$(OutDir)/VeraCrypt.exe"
 				LinkIncremental="2"
 				GenerateManifest="false"
@@ -254,7 +254,7 @@
 			/>
 			<Tool
 				Name="VCLinkerTool"
-				AdditionalDependencies="comctl32.lib setupapi.lib version.lib ..\Crypto\Release\crypto.lib"
+				AdditionalDependencies="..\Crypto\Release\crypto.lib"
 				OutputFile="$(OutDir)/VeraCrypt.exe"
 				LinkIncremental="1"
 				GenerateManifest="false"
@@ -345,7 +345,7 @@
 			/>
 			<Tool
 				Name="VCLinkerTool"
-				AdditionalDependencies="comctl32.lib setupapi.lib version.lib ..\Crypto\x64\Release\crypto.lib"
+				AdditionalDependencies="..\Crypto\x64\Release\crypto.lib"
 				OutputFile="$(OutDir)/VeraCrypt.exe"
 				LinkIncremental="1"
 				GenerateManifest="false"

src/Setup/Setup.c

@@ -329,13 +329,13 @@ void SearchAndDeleteRegistrySubString (HKEY hKey, const wchar_t *subKey, const w
 		// if the string to search for is empty, delete the sub key, otherwise, look for matching value and delete them
 		if (subStringLength == 0)
 		{
-			if (ERROR_ACCESS_DENIED == SHDeleteKeyW (hKey, ItSubKey->c_str()))
+			if (ERROR_ACCESS_DENIED == DeleteRegistryKey (hKey, ItSubKey->c_str()))
 			{
 				// grant permission to delete
 				AllowKeyAccess (hKey, ItSubKey->c_str());
 
 				// try again
-				SHDeleteKeyW (hKey, ItSubKey->c_str());
+				DeleteRegistryKey (hKey, ItSubKey->c_str());
 			}
 		}
 		else
@@ -427,6 +427,22 @@ BOOL SetPrivilege(LPTSTR szPrivilegeName, BOOL bEnable)
 	return bStatus;
 }
 
+/*
+ * Creates a VT_LPWSTR propvariant.
+ * we use our own implementation to use SHStrDupW function pointer
+ * that we retreive ourselves to avoid dll hijacking attacks
+ */
+inline HRESULT VCInitPropVariantFromString(__in PCWSTR psz, __out PROPVARIANT *ppropvar)
+{
+    ppropvar->vt = VT_LPWSTR;
+    HRESULT hr = VCStrDupW(psz, &ppropvar->pwszVal);
+    if (FAILED(hr))
+    {
+        PropVariantInit(ppropvar);
+    }
+    return hr;
+}
+
 HRESULT CreateLink (wchar_t *lpszPathObj, wchar_t *lpszArguments,
 	    wchar_t *lpszPathLink, const wchar_t* iconFile, int iconIndex)
 {
@@ -457,7 +473,7 @@ HRESULT CreateLink (wchar_t *lpszPathObj, wchar_t *lpszArguments,
 			if (SUCCEEDED (psl->QueryInterface (IID_PPV_ARGS (&propStore))))
 			{
 				PROPVARIANT propVariant;
-				if (SUCCEEDED (InitPropVariantFromString (TC_APPLICATION_ID, &propVariant)))
+				if (SUCCEEDED (VCInitPropVariantFromString (TC_APPLICATION_ID, &propVariant)))
 				{
 					if (SUCCEEDED (propStore->SetValue (PKEY_AppUserModel_ID, propVariant)))
 						propStore->Commit();
@@ -1287,7 +1303,7 @@ BOOL DoRegUninstall (HWND hwndDlg, BOOL bRemoveDeprecated)
 		GetStartupRegKeyName (regk, sizeof(regk));
 		DeleteRegistryValue (regk, L"VeraCrypt");
 
-		SHDeleteKey (HKEY_LOCAL_MACHINE, L"Software\\Classes\\.hc");
+		DeleteRegistryKey (HKEY_LOCAL_MACHINE, L"Software\\Classes\\.hc");
 
 		// enable the SE_TAKE_OWNERSHIP_NAME privilege for this operation
 		SetPrivilege (SE_TAKE_OWNERSHIP_NAME, TRUE);
@@ -2447,8 +2463,6 @@ int WINAPI wWinMain (HINSTANCE hInstance, HINSTANCE hPrevInstance, wchar_t *lpsz
 
 	lpszTitle = L"VeraCrypt Setup";
 
-	InitCommonControls ();
-
 	/* Call InitApp to initialize the common code */
 	InitApp (hInstance, NULL);
 

src/Setup/Setup.vcproj

@@ -43,7 +43,7 @@
 				Name="VCCLCompilerTool"
 				Optimization="0"
 				AdditionalIncludeDirectories="..\Common;..\Crypto;..\;..\PKCS11"
-				PreprocessorDefinitions="SETUP;WIN32;DEBUG;_DEBUG;_WINDOWS;_CRT_SECURE_NO_DEPRECATE;_CRT_NON_CONFORMING_SWPRINTFS"
+				PreprocessorDefinitions="SETUP;WIN32;DEBUG;_DEBUG;_WINDOWS;_CRT_SECURE_NO_DEPRECATE;_CRT_NON_CONFORMING_SWPRINTFS;_ATL_NO_DEFAULT_LIBS"
 				MinimalRebuild="true"
 				BasicRuntimeChecks="3"
 				RuntimeLibrary="1"
@@ -65,7 +65,7 @@
 			<Tool
 				Name="VCLinkerTool"
 				AdditionalOptions="/NODEFAULTLIB:LIBCMTD"
-				AdditionalDependencies="libcmtd.lib comctl32.lib setupapi.lib"
+				AdditionalDependencies="libcmtd.lib"
 				OutputFile="$(OutDir)/VeraCryptSetup.exe"
 				LinkIncremental="2"
 				GenerateManifest="false"
@@ -130,7 +130,7 @@
 				AdditionalOptions="/w34189"
 				Optimization="2"
 				AdditionalIncludeDirectories="..\Common;..\Crypto;..\;..\PKCS11"
-				PreprocessorDefinitions="SETUP;WIN32;NDEBUG;_WINDOWS;_CRT_SECURE_NO_DEPRECATE;_CRT_NON_CONFORMING_SWPRINTFS"
+				PreprocessorDefinitions="SETUP;WIN32;NDEBUG;_WINDOWS;_CRT_SECURE_NO_DEPRECATE;_CRT_NON_CONFORMING_SWPRINTFS;_ATL_NO_DEFAULT_LIBS"
 				RuntimeLibrary="0"
 				BufferSecurityCheck="true"
 				UsePrecompiledHeader="0"
@@ -152,7 +152,6 @@
 			<Tool
 				Name="VCLinkerTool"
 				AdditionalOptions="/IGNORE:4089"
-				AdditionalDependencies="comctl32.lib setupapi.lib"
 				OutputFile="$(OutDir)/VeraCryptSetup.exe"
 				LinkIncremental="1"
 				GenerateManifest="false"