safe-dll-search-mode-disabled: Safe DLL Search Mode Disabled

日期: 2025-08-01 | 影响软件: Safe DLL Search Mode Disabled | POC: 已公开

漏洞描述

Determines if Safe DLL search mode is disabled.

PoC代码[已公开]

id: safe-dll-search-mode-disabled

info:
  name: Safe DLL Search Mode Disabled
  author: princechaddha
  severity: high
  description: Determines if Safe DLL search mode is disabled.
  impact: |
    Disabling Safe DLL search mode may allow attackers to load malicious DLLs from untrusted locations.
  remediation: |
    Enable Safe DLL search mode by setting the SafeDllSearchMode registry key to 1.
  tags: windows,dll,code,windows-audit

self-contained: true

code:
  - pre-condition: |
      IsWindows();
    engine:
      - powershell
      - powershell.exe
    args:
      - -ExecutionPolicy
      - Bypass
    pattern: "*.ps1"
    source: |
      $dllSearchMode = Get-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Session Manager' -Name 'SafeDllSearchMode'
      Write-Host "SafeDllSearchMode: $($dllSearchMode.SafeDllSearchMode)"

    matchers:
      - type: word
        words:
          - "SafeDllSearchMode: 0"
# digest: 4a0a0047304502202657d8ed33cd0bec531ba2330e27bda71b63f0e97f5f39087bbcf8fb330073ff022100b19b8c90623fd7e6d3cff204727641ce78be478d6b1489f482a41fe73bca530d:922c64590222798bb761d5b6d8e72950
来源: https://github.com/projectdiscovery/nuclei-templates/blob/main/./code/windows/audit/safe-dll-search-mode-disabled.yaml