The following is the DLL Search Order for the LoadLibraryand LoadLibraryExfunctions, which are used to dynamically load DLLs: However, if Windows does not find the DLL in any of the directories in the DLL Search Order, it will return a failure to the DLL load operation. If Windows locates the DLL within the DLL Search Order, it will load that DLL. When an application dynamically loads a DLL without specifying a fully qualified path, Windows tries to locate this DLL by linearly searching through a well-defined set of directories, known as DLL Search Order.
Summary Description of DLL preloading attacks LoadLibrary-based attacks To limit the effect that this issue has on our mutual customers, we are releasing this document to the developer community to make sure that they know about this issue and have the necessary tools to address the issue in their applications. We know about renewed interest in these attacks. When the application is being run as Administrator, this could lead to a local elevation of privilege. The effect of such attacks could be that an attacker can execute code in the context of the user who is running the application.
These attacks are known as “DLL preloading attacks” and are common to all operating systems that support dynamically loading shared DLL libraries. If an attacker gains control of one of the directories, they can force the application to load a malicious copy of the DLL instead of the DLL that it was expecting. When an application dynamically loads a dynamic link library (DLL) without specifying a fully qualified path, Windows tries to locate the DLL by searching a well-defined set of directories. For more information, refer to this Microsoft web page: Support is ending for some versions of Windows. To continue receiving security updates for Windows, make sure you're running Windows Vista with Service Pack 2 (SP2). Support for Windows Vista Service Pack 1 (SP1) ends on July 12, 2011. Secure loading of libraries to prevent DLL preloading attacks