IShellLink -> IPersistFile->Load() の呼び出し時に、System32 ではなく EXE と同じフォルダにある "linkinfo.dll" を開こうとする様子を、Process Monitor で記録したスナップショット
スタックフレーム 0〜24 番が IShellLink / IPersistFile 内部(OS 側)の挙動で、25 番の setup.exe ReadLink がその呼び出し元
下記イベント自体は属性読み取り(Desired Access: Read Attributes)によるファイルの存在確認だが、この後、この不正 DLL の DllMain が呼ばれることを確認済み

High Resolution Date & Time:	2017/08/01 11:39:26.1674056
Event Class:	File System
Operation:	CreateFile
Result:	SUCCESS
Path:	C:\Users\shirouzu\Desktop\FastCopy330r3src\x64\Release\linkinfo.dll
TID:	9480
Duration:	0.0000183
Desired Access:	Read Attributes
Disposition:	Open
Options:	Open Reparse Point
Attributes:	n/a
ShareMode:	Read, Write, Delete
AllocationSize:	n/a
OpenResult:	Opened

0	FLTMGR.SYS	FltDecodeParameters + 0x1a6c	0xfffff80007384b4c	C:\WINDOWS\System32\drivers\FLTMGR.SYS
1	FLTMGR.SYS	FltDecodeParameters + 0x160c	0xfffff800073846ec	C:\WINDOWS\System32\drivers\FLTMGR.SYS
2	FLTMGR.SYS	FltQueryInformationFile + 0x6e7	0xfffff800073b6117	C:\WINDOWS\System32\drivers\FLTMGR.SYS
3	ntoskrnl.exe	NtDeviceIoControlFile + 0x1ba5	0xfffff800260a3265	C:\WINDOWS\system32\ntoskrnl.exe
4	ntoskrnl.exe	ObReferenceObjectByHandle + 0xb1b	0xfffff800260ae61b	C:\WINDOWS\system32\ntoskrnl.exe
5	ntoskrnl.exe	ObOpenObjectByNameEx + 0x1e0	0xfffff800260b2150	C:\WINDOWS\system32\ntoskrnl.exe
6	ntoskrnl.exe	FsRtlFreeExtraCreateParameterList + 0x200	0xfffff80026047e90	C:\WINDOWS\system32\ntoskrnl.exe
7	ntoskrnl.exe	setjmpex + 0x3c23	0xfffff80025d83413	C:\WINDOWS\system32\ntoskrnl.exe
8	ntdll.dll	ZwQueryAttributesFile + 0x14	0x7ff94c895b44	C:\WINDOWS\SYSTEM32\ntdll.dll
9	ntdll.dll	RtlAddRefActivationContext + 0xa67	0x7ff94c836187	C:\WINDOWS\SYSTEM32\ntdll.dll
10	ntdll.dll	RtlAddRefActivationContext + 0x8a8	0x7ff94c835fc8	C:\WINDOWS\SYSTEM32\ntdll.dll
11	ntdll.dll	RtlAddRefActivationContext + 0x6b8	0x7ff94c835dd8	C:\WINDOWS\SYSTEM32\ntdll.dll
12	ntdll.dll	RtlAddRefActivationContext + 0xd1d	0x7ff94c83643d	C:\WINDOWS\SYSTEM32\ntdll.dll
13	ntdll.dll	RtlReleaseActivationContext + 0x936	0x7ff94c834846	C:\WINDOWS\SYSTEM32\ntdll.dll
14	ntdll.dll	RtlDosPathNameToNtPathName_U_WithStatus + 0x5ba	0x7ff94c80d62a	C:\WINDOWS\SYSTEM32\ntdll.dll
15	ntdll.dll	RtlDosPathNameToNtPathName_U + 0x349	0x7ff94c80c9c9	C:\WINDOWS\SYSTEM32\ntdll.dll
16	ntdll.dll	RtlInitAnsiString + 0xda	0x7ff94c80c09a	C:\WINDOWS\SYSTEM32\ntdll.dll
17	ntdll.dll	RtlWalkFrameChain + 0x11f4	0x7ff94c806fe4	C:\WINDOWS\SYSTEM32\ntdll.dll
18	ntdll.dll	LdrResolveDelayLoadedAPI + 0xe6	0x7ff94c804086	C:\WINDOWS\SYSTEM32\ntdll.dll
19	SHELL32.dll	DllCanUnloadNow + 0x111	0x7ff949ef46d1	C:\WINDOWS\System32\SHELL32.dll
20	SHELL32.dll	StrStrW + 0x5c66	0x7ff949fc00c6	C:\WINDOWS\System32\SHELL32.dll
21	windows.storage.dll	IsLibraryPolicyEnabled + 0x45c	0x7ff948ebef4c	C:\WINDOWS\System32\windows.storage.dll
22	windows.storage.dll	Ordinal764 + 0x1fad9	0x7ff948e465d9	C:\WINDOWS\System32\windows.storage.dll
23	windows.storage.dll	Ordinal764 + 0x1e933	0x7ff948e45433	C:\WINDOWS\System32\windows.storage.dll
24	windows.storage.dll	Ordinal764 + 0x1e9f9	0x7ff948e454f9	C:\WINDOWS\System32\windows.storage.dll
25	setup.exe	ReadLink + 0x98, c:\users\shirouzu\desktop\fastcopy330r3src\src\install\install.cpp(774)	0x1400035a8	C:\Users\shirouzu\Desktop\FastCopy330r3src\src\install\..\..\x64\Release\setup.exe
26	setup.exe	TInstDlg::RemoveSameLink + 0xa9, c:\users\shirouzu\desktop\fastcopy330r3src\src\install\install.cpp(805)	0x1400036d9	C:\Users\shirouzu\Desktop\FastCopy330r3src\src\install\..\..\x64\Release\setup.exe
27	setup.exe	TInstDlg::Install + 0x3f2, c:\users\shirouzu\desktop\fastcopy330r3src\src\install\install.cpp(559)	0x140002ca2	C:\Users\shirouzu\Desktop\FastCopy330r3src\src\install\..\..\x64\Release\setup.exe
28	setup.exe	TInstDlg::EvCommand + 0x9b, c:\users\shirouzu\desktop\fastcopy330r3src\src\install\install.cpp(289)	0x140001ffb	C:\Users\shirouzu\Desktop\FastCopy330r3src\src\install\..\..\x64\Release\setup.exe
29	setup.exe	TDlg::WinProc + 0x229, c:\users\shirouzu\desktop\fastcopy330r3src\src\tlib\tdlg.cpp(117)	0x140007a89	C:\Users\shirouzu\Desktop\FastCopy330r3src\src\install\..\..\x64\Release\setup.exe
30	setup.exe	TApp::WinProc + 0x5b, c:\users\shirouzu\desktop\fastcopy330r3src\src\tlib\tapp.cpp(96)	0x140008b1b	C:\Users\shirouzu\Desktop\FastCopy330r3src\src\install\..\..\x64\Release\setup.exe
31	USER32.dll	Ordinal2707 + 0x1be	0x7ff94b79eade	C:\WINDOWS\System32\USER32.dll
32	USER32.dll	Ordinal2573 + 0x641	0x7ff94b79e261	C:\WINDOWS\System32\USER32.dll
33	USER32.dll	Ordinal2573 + 0x556	0x7ff94b79e176	C:\WINDOWS\System32\USER32.dll
34	USER32.dll	CallWindowProcW + 0x4d0	0x7ff94b79bc50	C:\WINDOWS\System32\USER32.dll
35	USER32.dll	SendMessageW + 0x37d	0x7ff94b79b16d	C:\WINDOWS\System32\USER32.dll
36	USER32.dll	SendMessageW + 0xf8	0x7ff94b79aee8	C:\WINDOWS\System32\USER32.dll
37	COMCTL32.dll	ImageList_SetBkColor + 0x524	0x7ff934916194	C:\WINDOWS\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.15063.483_none_26002d27e7c744a2\COMCTL32.dll
38	COMCTL32.dll	CCSetScrollInfo + 0x3a96	0x7ff934944ce6	C:\WINDOWS\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.15063.483_none_26002d27e7c744a2\COMCTL32.dll
39	USER32.dll	CallWindowProcW + 0x4d0	0x7ff94b79bc50	C:\WINDOWS\System32\USER32.dll
40	USER32.dll	DispatchMessageW + 0x1af	0x7ff94b79b5cf	C:\WINDOWS\System32\USER32.dll
41	USER32.dll	IsDialogMessageW + 0x10f	0x7ff94b796aef	C:\WINDOWS\System32\USER32.dll
42	setup.exe	TApp::PreProcMsg + 0xe8, c:\users\shirouzu\desktop\fastcopy330r3src\src\tlib\tapp.cpp(72)	0x140008aa8	C:\Users\shirouzu\Desktop\FastCopy330r3src\src\install\..\..\x64\Release\setup.exe
43	setup.exe	TApp::Run + 0x3e, c:\users\shirouzu\desktop\fastcopy330r3src\src\tlib\tapp.cpp(55)	0x14000897e	C:\Users\shirouzu\Desktop\FastCopy330r3src\src\install\..\..\x64\Release\setup.exe
44	setup.exe	WinMain + 0x1c, c:\users\shirouzu\desktop\fastcopy330r3src\src\install\install.cpp(109)	0x1400015dc	C:\Users\shirouzu\Desktop\FastCopy330r3src\src\install\..\..\x64\Release\setup.exe
45	setup.exe	__scrt_common_main_seh + 0x117, f:\dd\vctools\crt\vcstartup\src\startup\exe_common.inl(246)	0x1400092c7	C:\Users\shirouzu\Desktop\FastCopy330r3src\src\install\..\..\x64\Release\setup.exe
46	KERNEL32.DLL	BaseThreadInitThunk + 0x14	0x7ff94c752774	C:\WINDOWS\System32\KERNEL32.DLL
47	ntdll.dll	RtlUserThreadStart + 0x21	0x7ff94c860d51	C:\WINDOWS\SYSTEM32\ntdll.dll