6.39 lpk.dll是干什么用的

https://scz.617.cn/windows/201504301213.txt

Q:

有一种DLL劫持技术用到了lpk.dll，它本来是干什么用的？

A:

简单点说，lpk.dll提供多语言支持。

--------------------------------------------------------------------------
微软开发了语言包，使得用户可以创建、编辑不同语言的文件，切换菜单、帮助系统
所使用的语言。

使用不同语言的用户可以方便地使用同一种应用程序，所需的语言资源保存在lpk.dll
中。对于Office系列，lpk.dll允许用户以他们所选择的语言创建、编辑文档。

lpk.dll使得切换用户界面(包括菜单和帮助)所用语言的工作变得简单，它还提供了
37种不同语言的拼写检查器、字典、辞典。

lpk.dll为语言包中每种语言赋予一个识别ID。

lpk.dll还允许用户从在线Office网站获取所选语言的最新帮助信息、文档模板。
--------------------------------------------------------------------------

Q:

谈谈lpk.dll与DLL劫持的事

A: zz@nsfocus 2015-04-29

参看

Dynamic-Link Library Search Order
https://msdn.microsoft.com/en-us/library/ms682586(VS.85).aspx

Dynamic-Link Library Redirection
https://msdn.microsoft.com/en-us/library/ms682600(v=VS.85).aspx

Dynamic-Link Library Security
https://msdn.microsoft.com/en-us/library/ff919712(VS.85).aspx

Windows NT/2000/XP Uses KnownDLLs Registry Entry to Find DLLs
https://support.microsoft.com/en-us/kb/164501

很多进程默认就会加载lpk.dll，其原始位置是:

C:\Windows\System32\lpk.dll

Win7的KnownDLLs中加入了LPK键值，有效阻止了lpk.dll相关的劫持。

--------------------------------------------------------------------------
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs]
"clbcatq"="clbcatq.dll"
"ole32"="ole32.dll"
"advapi32"="advapi32.dll"
"COMDLG32"="COMDLG32.dll"
"DllDirectory"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,\
  00,74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,00,00
"DllDirectory32"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,\
  6f,00,74,00,25,00,5c,00,73,00,79,00,73,00,77,00,6f,00,77,00,36,00,34,00,00,\
  00
"gdi32"="gdi32.dll"
"IERTUTIL"="IERTUTIL.dll"
"IMAGEHLP"="IMAGEHLP.dll"
"IMM32"="IMM32.dll"
"kernel32"="kernel32.dll"
"LPK"="LPK.dll"
"MSCTF"="MSCTF.dll"
"MSVCRT"="MSVCRT.dll"
"NORMALIZ"="NORMALIZ.dll"
"NSI"="NSI.dll"
"OLEAUT32"="OLEAUT32.dll"
"PSAPI"="PSAPI.DLL"
"rpcrt4"="rpcrt4.dll"
"sechost"="sechost.dll"
"Setupapi"="Setupapi.dll"
"SHELL32"="SHELL32.dll"
"SHLWAPI"="SHLWAPI.dll"
"URLMON"="URLMON.dll"
"user32"="user32.dll"
"USP10"="USP10.dll"
"WININET"="WININET.dll"
"WLDAP32"="WLDAP32.dll"
"WS2_32"="WS2_32.dll"
"DifxApi"="difxapi.dll"
--------------------------------------------------------------------------

出于测试目的，有时想绕过KnownDLLs的限制，可以利用ExcludeFromKnownDlls:

--------------------------------------------------------------------------
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager]
"ExcludeFromKnownDlls"=hex(7):6c,00,70,00,6b,00,2e,00,64,00,6c,00,6c,00,00,00,\
  00,00
--------------------------------------------------------------------------

ExcludeFromKnownDlls的优先级高于KnownDLLs。

微软过去的文档里说ExcludeFromKnownDlls处需要输入8.3格式的DLL名，不知现在如
何。