Veracode Flaw in InfragisticsWPF.dll

Hello,

We are using the InfragisticsWPF.dll, version 15.1 in our application.

Recently our application was scanned by Veracode, and the results identified a potential security flaw because somewhere within this particular dll "user32_dll.SetWindowsHookExW" is being called. Their fear is that this call may be an instance of dll injection.

Would it be possible for you to provide me with some assurance or even the snippet of code where this call is being made to confirm that no external dlls are being injected?

    Verified Answer

    Hello Vignir,

    The SetWindowsHookExW call that you are seeing picked up by Veracode appears to be the Unicode name for the SetWindowsHookEx function mentioned here: https://msdn.microsoft.com/en-us/library/windows/desktop/ms644990(v=vs.85).aspx.

    After looking through our source code related to the InfragisticsWPF.dll in version 15.1, it does appear that we are calling this in a single spot. This spot exists in our ToolWindowHostWindow.cs file in a method called "InstallActivationHook." This method is not being used for external dll injection, but rather for notifications related to this hosted window, as the ToolWindowHostWindow is used primarily with the XamDockManager, which may feature floating windows that may or may not be owned by the XamDockManager. The main snippet of code that is calling this SetWindowsHookEx looks like this:

    this._hook = NativeWindowMethods.SetWindowsHookEx(NativeWindowMethods.WH_CBT,
        this._hookCallback,
        IntPtr.Zero,
        NativeWindowMethods.GetCurrentThreadIdApi());

    Note, the first parameter in the above method is NativeWindowMethods.WH_CBT. This is a constant integer of 5. Matching this with the table on the link I had sent you, you can see that this corresponds to a hook procedure related to CBT applications and CBTProc hooks. You can read more about CBTProc hooks here: https://msdn.microsoft.com/en-us/library/windows/desktop/ms644977(v=vs.85).aspx. As you can see, this is mainly used for window-related notifications, and you needn't worry about any external DLL injection happening with this method.

    Note, if you would like to see this for yourself, you will need to be registered to an Infragistics product, and we will make our source code available for you to download and run against if you see the need. Once registered to an Infragistics product, you can sign into your account on our website, and visit the following webpage: https://www.infragistics.com/my-account/keys-and-downloads. This page will yield a list of the products you are registered to. By clicking one, you will open a new set of tabs - one of which will read "Source Code." You can download the source code here.

    Please let me know if you have any other questions or concerns on this matter.

    Sincerely,
    Andrew
    Associate Developer
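The answer above turns on three parameters of SetWindowsHookEx: the hook type (WH_CBT), the module handle (IntPtr.Zero) and the thread id (the caller's own thread). The following is an added triage helper, not Infragistics or Veracode code, that applies the documented Windows rules to those parameters so a reviewer can tell an in-process hook from one that maps a DLL into other processes; the P/Invoke declarations use CharSet.Unicode, which is why the scanner reports the W export.

```csharp
// Added example (not from the Infragistics source): classify a SetWindowsHookEx call
// from the parameters that decide whether Windows will inject a DLL anywhere.
using System;
using System.Runtime.InteropServices;

static class HookTriage
{
    // Hook ids from WinUser.h; WH_CBT (5) is the one used in ToolWindowHostWindow.cs.
    public const int WH_KEYBOARD = 2, WH_GETMESSAGE = 3, WH_CALLWNDPROC = 4,
                     WH_CBT = 5, WH_MOUSE = 7, WH_KEYBOARD_LL = 13, WH_MOUSE_LL = 14;

    // CharSet.Unicode binds to SetWindowsHookExW, the name Veracode reported.
    // lpfn is declared as IntPtr here for brevity; real code passes a HOOKPROC delegate.
    [DllImport("user32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    public static extern IntPtr SetWindowsHookEx(int idHook, IntPtr lpfn, IntPtr hMod, uint dwThreadId);

    [DllImport("kernel32.dll")]
    public static extern uint GetCurrentThreadId();

    public static string Classify(int idHook, IntPtr hMod, uint dwThreadId)
    {
        // Low-level hooks are global but run in the installing thread; no DLL is injected.
        if (idHook == WH_KEYBOARD_LL || idHook == WH_MOUSE_LL)
            return "global low-level hook: callback runs in the installing thread, no DLL injection";

        // dwThreadId == 0 hooks every thread on the desktop, so hMod must be a DLL that
        // Windows maps into each process receiving the hooked event.
        if (dwThreadId == 0)
            return hMod == IntPtr.Zero
                ? "invalid: a global hook requires a DLL handle, Windows rejects the call"
                : "global hook with DLL: hMod is injected into other processes (review this)";

        // A thread in another process likewise needs the DLL mapped into that process.
        if (dwThreadId != GetCurrentThreadId())
            return hMod == IntPtr.Zero
                ? "invalid: hooking another process's thread requires a DLL handle"
                : "remote-thread hook with DLL: hMod is injected into that process (review this)";

        // Own thread and no module: the callback stays inside this process. This is the
        // shape of the Infragistics call, so no external DLL can be injected by it.
        return "thread-local in-process hook: no DLL injection";
    }

    static void Main()
    {
        // Same parameter shape as the snippet in the answer above.
        Console.WriteLine(Classify(WH_CBT, IntPtr.Zero, GetCurrentThreadId()));
        // Constructed contrast case: the shape that would warrant the scanner's concern.
        Console.WriteLine(Classify(WH_CBT, new IntPtr(0x10000), 0));
    }
}
```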