Hi @ll,

according to <https://msdn.microsoft.com/en-us/library/aa480483.aspx>
Microsoft's "Application Verifier" [°] should detect the well-known
beginner's error <https://cwe.mitre.org/data/definitions/428.html>:

| Checking for Proper Use of CreateProcess
|
| Calls to the CreateProcess API function are subject to attack if
| parameters are not specified correctly. AppVerifier generates an
| error if CreateProcess (or other related API functions) are called
| with a NULL lpApplicationName parameter and an lpCommandLine
| parameter that contains spaces. For example, it does not allow the
| following as the command line parameter:
|
| c:\program files\sample.exe -t -g c:\program files\sample\test
|
| Using this command line, an application can inadvertently execute
| unwanted code if a malicious user installs his program to C:\Program.

Unfortunately the MSDN article cited above tells a blatant lie:
Application Verifier does NOT perform the check described there!

The sad truth^Wreality is that Application Verifier also performs NO
check for other way too common path handling errors, like
<https://cwe.mitre.org/data/definitions/426.html> and
<https://cwe.mitre.org/data/definitions/427.html> plus
<https://capec.mitre.org/data/definitions/471.html>, well-known as
"DLL hijacking" alias "DLL preloading" alias "binary planting" [']

See <https://skanthak.homepage.t-online.de/verifier.html> for an
"Application Verifier Provider" which performs the missing checks.

stay tuned
Stefan Kanthak

[°] introduced with Windows XP some 16 years ago, available via
    <https://www.microsoft.com/en-us/download/details.aspx?id=20028>
    as stand-alone package then, later distributed with the
    "Debugging Tools for Windows", now included in the Windows SDK
    (see <https://msdn.microsoft.com/en-us/library/ff538115.aspx>)

['] see <https://skanthak.homepage.t-online.de/sentinel.html> for the
    full story.

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
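As an added illustration of the check the quoted MSDN text describes (this is example code written for this page, not Stefan Kanthak's verifier provider and not anything Microsoft ships): the first function implements the documented AppVerifier rule, a NULL lpApplicationName combined with an lpCommandLine containing spaces, with one refinement, namely that a command line whose program path is enclosed in double quotes is accepted, since quoting is the fix CWE-428 prescribes. The second pair of functions enumerates the space-delimited prefixes that CreateProcess probes, in order, when the program path is unquoted; that is why "c:\program" is tried before "c:\program files\sample.exe". The code is plain C with no Windows headers so it runs anywhere; it does not touch the file system, and the sample command line is the one from the MSDN text.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Documented AppVerifier rule (with the quoting refinement described
 * in the lead-in): returns 1 when lpApplicationName is NULL and
 * lpCommandLine names the program without quotes but contains spaces.
 * Such a call lets CreateProcess guess where the program path ends. */
int appverifier_rule_violated(const char *app_name, const char *cmdline)
{
    if (app_name != NULL)
        return 0;               /* module given explicitly: no guessing */
    if (cmdline == NULL)
        return 0;               /* nothing to launch from the command line */
    while (*cmdline == ' ')
        cmdline++;
    if (*cmdline == '"')
        return 0;               /* quoted program path is unambiguous */
    return strchr(cmdline, ' ') != NULL;
}

/* Number of candidate program paths CreateProcess would try for an
 * unquoted command line: one per space-delimited prefix, in order.
 * (Windows also appends ".exe" to a candidate lacking an extension;
 * that step is omitted here because it does not change the count.) */
int count_probe_candidates(const char *cmdline)
{
    int n = 0, in_token = 0;
    if (cmdline == NULL)
        return 0;
    for (; *cmdline; cmdline++) {
        if (*cmdline == ' ')
            in_token = 0;
        else if (!in_token) {
            in_token = 1;
            n++;
        }
    }
    return n;
}

/* Copy the n-th (0-based) candidate, i.e. everything before the n-th
 * space, into out. Returns its length, or -1 if n is out of range or
 * out is too small. */
int probe_candidate(const char *cmdline, int n, char *out, size_t outsz)
{
    const char *p;
    int seen = 0;
    size_t len;

    if (cmdline == NULL || n < 0)
        return -1;
    for (p = cmdline; *p; p++) {
        if (*p == ' ' && p > cmdline && p[-1] != ' ') {
            if (seen == n)
                break;          /* this space ends candidate n */
            seen++;
        }
    }
    if (seen < n)
        return -1;              /* fewer candidates than requested */
    len = (size_t)(p - cmdline);
    if (len + 1 > outsz)
        return -1;
    memcpy(out, cmdline, len);
    out[len] = '\0';
    return (int)len;
}

int main(void)
{
    /* Sample command line taken from the quoted MSDN text. */
    const char *cmd = "c:\\program files\\sample.exe -t -g "
                      "c:\\program files\\sample\\test";
    char buf[256];
    int i, n = count_probe_candidates(cmd);

    printf("rule violated: %d\n", appverifier_rule_violated(NULL, cmd));
    printf("CreateProcess would probe, in order:\n");
    for (i = 0; i < n; i++) {
        if (probe_candidate(cmd, i, buf, sizeof buf) >= 0)
            printf("  %d: %s\n", i + 1, buf);
    }
    return 0;
}
```

The order printed by main is the point of the check: an attacker-controlled file named c:\program (or c:\program.exe) wins before the intended c:\program files\sample.exe is ever considered, which is exactly the case the MSDN text says AppVerifier flags and, per the post above, does not.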
| Checking for Proper Use of CreateProcess | | Calls to the CreateProcess API function are subject to attack if | parameters are not specified correctly. AppVerifier generates an | error if CreateProcess (or other related API functions) are called | with a NULL lpApplicationName parameter and an lpCommandLine | parameter that contains spaces. For example, it does not allow the | following as the command line parameter: | | c:\program files\sample.exe -t -g c:\program files\sample\test | | Using this command line, an application can inadvertently execute | unwanted code if a malicious user installs his program to C:\Program. Unfortunately the MSDN article cited above tells a blatant lie: Application Verifier does NOT perform the check described there! The sad truth^Wreality is that Application Verifier also performs NO check for other way too common path handling errors, like <https://cwe.mitre.org/data/definitions/426.html> and <https://cwe.mitre.org/data/definitions/427.html> plus <https://capec.mitre.org/data/definitions/471.html>, well-known as "DLL hijacking" alias "DLL preloading" alias "binary planting" [']. See <https://skanthak.homepage.t-online.de/verifier.html> for an "Application Verifier Provider" which performs the missing checks. stay tuned Stefan Kanthak [°] introduced with Windows XP some 16 years ago, available via <https://www.microsoft.com/en-us/download/details.aspx?id=20028> as stand-alone package then, later distributed with the "Debugging Tools for Windows", now included in the Windows SDK (see <https://msdn.microsoft.com/en-us/library/ff538115.aspx>) ['] see <https://skanthak.homepage.t-online.de/sentinel.html> for the full story. _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/