How to Check ISAPI Extensions for Security Related API Calls

ID: Q232178

The information in this article applies to:

Microsoft Internet Information Server versions 1.0, 2.0, 3.0, 4.0
Microsoft Internet Information Services version 5.0

SUMMARY

When you run a Web hosting service or any other service that allows ISAPI extensions to be used, the potential for malicious code being written and posted to the Web server exists. For example, someone could write an ISAPI extension that uses the RevertToSelf (a highly trusted call) and effectively bypass the server's security through the ISAPI extension (for instance, they could restart the server or gain access to trusted files).

In order to minimize the risk involved with someone posting ISAPI extensions to a server, there is a check that can be run against these DLLs to search for privileged API calls. You can use the Dumpbin.exe utility found in Visual Studio and the Platform SDK to search through DLLs for any security-related API calls.

MORE INFORMATION

The following is an example of how to use the Dumpbin.exe utility to find RevertToSelf inside of a DLL:

From a command prompt (cmd.exe) type the following:

dumpbin /imports isapi.dll | find /i "RevertToSelf"

In the example above, isapi.dll should be changed with the name of the ISAPI extension on the server that you want to check.

NOTE: If an error occurs when you run Dumpbin.exe, you may need to run the bin\vcvars32.bat file from a command prompt. This batch file will register the paths to the appropriate folders.

For detailed information on Dumpbin.exe (including command-line switches that can be used), see the MSDN Visual Studio documentation. The Microsoft Platform SDK also contains some information on running this utility.

Additional query words:

Keywords :
Version : winnt:1.0,2.0,3.0,4.0
Platform : winnt
Issue type : kbhowto