Mitigate Against DLL Pre-Loading

When an application loads a shared library such as kvfilter.dll or kvfilter.so, the operating system or runtime linker might search several locations. This search can allow DLL pre-loading attacks if an attacker is able to place a malicious binary in one of the locations searched. It might also lead to unexpected results if a different version of KeyView is present in one of the locations searched.

Mitigation on Windows

On Windows, you can use the kvfilter import library, or manually load kvfilter.dll with LoadLibrary. If you use the import library, you can mitigate against DLL pre-loading attacks by embedding a manifest in your executable so that Windows only searches for kvfilter.dll in its expected location. For example:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
   <file name="kvfilter.dll" />
</assembly>

If you load kvfilter.dll with LoadLibrary, you must use a fully qualified path to prevent Windows searching for the library in other locations.

Mitigation on Other Platforms

On other platforms, you can link against kvfilter.so while building your application, or manually load it with dlopen. In either case, OpenText recommends that you use an absolute path to kvfilter.so to prevent the OS or runtime linker searching for the library in other locations.