Hi Bobby,
I've conducted research over the past few years focusing on the security of Electron-based applications, and I’d like to suggest a more practical and direct approach for detecting whether an application is vulnerable to loading code directly from the resources/app/ directory when the app.asar file is missing.
In the documentation and analysis workflows found in the repository, the use of Process Monitor (Procmon) is demonstrated to observe file access attempts and determine whether Electron falls back to the resources/app/ path. While this approach works, there are simpler and more efficient ways to achieve the same result.
It’s possible to retrieve this information much more directly using static tools or programmatic inspection:
- Using @electron/fuses
Electron includes a set of internal fuses that control runtime behavior. The fuse responsible for disabling fallback loading is OnlyLoadAppFromAsar. You can check if it's enabled by running:
```
npx @electron/fuses read --app "C:\Path\test.exe"
```
Example output:
```
Analyzing app: test.exe
Fuse Version: v1
OnlyLoadAppFromAsar is Enabled
EnableEmbeddedAsarIntegrityValidation is Disabled
...
```
If OnlyLoadAppFromAsar is not enabled, the application will attempt to load files from resources/app/, which may allow an attacker to inject code if app.asar is deleted or replaced.
- Export Table Analysis + Direct Function Invocation
Electron executables expose internal fuse-related functions such as:
```
?IsEmbeddedAsarIntegrityValidationEnabled@fuses@electron@@YA_NXZ
?IsOnlyLoadAppFromAsarEnabled@fuses@electron@@YA_NXZ
```
These functions can be discovered using tools like dumpbin:
```
dumpbin /exports app.exe | findstr -i electron
```
You can also write a small program (in Rust, C, or any language) to load the executable and invoke these functions directly, without relying on Node.js or any external CLI tools.