SHBrowseForFolder API が System32 ではなく EXE フォルダの "WindowsCodecs.dll" を開こうとする際に、Process Monitor で取得したスナップショット
スタックフレーム 0〜46 番が SHBrowseForFolder 内部の挙動(フレーム 18〜19 から、COMCTL32.dll による遅延ロード解決 LdrResolveDelayLoadedAPI が探索の起点と読み取れる)
この後、この不正DLLの DllMain が呼ばれることを確認済み(下記イベント自体は Desired Access: Read Attributes の属性照会であり、DLL のロードそのものではない)

High Resolution Date & Time:	2017/08/01 11:08:09.1481376
Event Class:	File System
Operation:	CreateFile
Result:	SUCCESS
Path:	C:\Users\shirouzu\Desktop\FastCopy330r3src\x64\Release\WindowsCodecs.dll
TID:	24984
Duration:	0.0000157
Desired Access:	Read Attributes
Disposition:	Open
Options:	Open Reparse Point
Attributes:	n/a
ShareMode:	Read, Write, Delete
AllocationSize:	n/a
OpenResult:	Opened

0	FLTMGR.SYS	FltDecodeParameters + 0x1a6c	0xfffff80007384b4c	C:\WINDOWS\System32\drivers\FLTMGR.SYS
1	FLTMGR.SYS	FltDecodeParameters + 0x160c	0xfffff800073846ec	C:\WINDOWS\System32\drivers\FLTMGR.SYS
2	FLTMGR.SYS	FltQueryInformationFile + 0x6e7	0xfffff800073b6117	C:\WINDOWS\System32\drivers\FLTMGR.SYS
3	ntoskrnl.exe	NtDeviceIoControlFile + 0x1ba5	0xfffff800260a3265	C:\WINDOWS\system32\ntoskrnl.exe
4	ntoskrnl.exe	ObReferenceObjectByHandle + 0xb1b	0xfffff800260ae61b	C:\WINDOWS\system32\ntoskrnl.exe
5	ntoskrnl.exe	ObOpenObjectByNameEx + 0x1e0	0xfffff800260b2150	C:\WINDOWS\system32\ntoskrnl.exe
6	ntoskrnl.exe	FsRtlFreeExtraCreateParameterList + 0x200	0xfffff80026047e90	C:\WINDOWS\system32\ntoskrnl.exe
7	ntoskrnl.exe	setjmpex + 0x3c23	0xfffff80025d83413	C:\WINDOWS\system32\ntoskrnl.exe
8	ntdll.dll	ZwQueryAttributesFile + 0x14	0x7ff94c895b44	C:\WINDOWS\SYSTEM32\ntdll.dll
9	ntdll.dll	RtlAddRefActivationContext + 0xa67	0x7ff94c836187	C:\WINDOWS\SYSTEM32\ntdll.dll
10	ntdll.dll	RtlAddRefActivationContext + 0x8a8	0x7ff94c835fc8	C:\WINDOWS\SYSTEM32\ntdll.dll
11	ntdll.dll	RtlAddRefActivationContext + 0x6b8	0x7ff94c835dd8	C:\WINDOWS\SYSTEM32\ntdll.dll
12	ntdll.dll	RtlAddRefActivationContext + 0xd1d	0x7ff94c83643d	C:\WINDOWS\SYSTEM32\ntdll.dll
13	ntdll.dll	RtlReleaseActivationContext + 0x936	0x7ff94c834846	C:\WINDOWS\SYSTEM32\ntdll.dll
14	ntdll.dll	RtlDosPathNameToNtPathName_U_WithStatus + 0x5ba	0x7ff94c80d62a	C:\WINDOWS\SYSTEM32\ntdll.dll
15	ntdll.dll	RtlDosPathNameToNtPathName_U + 0x349	0x7ff94c80c9c9	C:\WINDOWS\SYSTEM32\ntdll.dll
16	ntdll.dll	RtlInitAnsiString + 0xda	0x7ff94c80c09a	C:\WINDOWS\SYSTEM32\ntdll.dll
17	ntdll.dll	RtlWalkFrameChain + 0x11f4	0x7ff94c806fe4	C:\WINDOWS\SYSTEM32\ntdll.dll
18	ntdll.dll	LdrResolveDelayLoadedAPI + 0xe6	0x7ff94c804086	C:\WINDOWS\SYSTEM32\ntdll.dll
19	COMCTL32.dll	EnumMRUListW + 0x461	0x7ff9349544a1	C:\WINDOWS\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.15063.483_none_26002d27e7c744a2\COMCTL32.dll
20	COMCTL32.dll	InitializeFlatSB + 0x1570	0x7ff934961090	C:\WINDOWS\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.15063.483_none_26002d27e7c744a2\COMCTL32.dll
21	COMCTL32.dll	ImageList_Create + 0x4803	0x7ff934920003	C:\WINDOWS\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.15063.483_none_26002d27e7c744a2\COMCTL32.dll
22	COMCTL32.dll	ImageList_Create + 0x6076	0x7ff934921876	C:\WINDOWS\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.15063.483_none_26002d27e7c744a2\COMCTL32.dll
23	SHELL32.dll	IsDesktopExplorerProcess + 0xf2	0x7ff949ef26d2	C:\WINDOWS\System32\SHELL32.dll
24	SHELL32.dll	SHELL32_IconOverlayManagerInit + 0x4e8	0x7ff949ef1558	C:\WINDOWS\System32\SHELL32.dll
25	SHELL32.dll	SHGetImageList + 0x204	0x7ff949f0f634	C:\WINDOWS\System32\SHELL32.dll
26	SHELL32.dll	Ordinal939 + 0x8e	0x7ff949efb06e	C:\WINDOWS\System32\SHELL32.dll
27	SHELL32.dll	Ordinal939 + 0x1f	0x7ff949efafff	C:\WINDOWS\System32\SHELL32.dll
28	explorerframe.dll	DllGetClassObject + 0x17ec9	0x7ff92e5e7909	C:\WINDOWS\system32\explorerframe.dll
29	explorerframe.dll	DllGetClassObject + 0x1e570	0x7ff92e5edfb0	C:\WINDOWS\system32\explorerframe.dll
30	SHELL32.dll	Ordinal848 + 0x2377	0x7ff94a0fa327	C:\WINDOWS\System32\SHELL32.dll
31	SHELL32.dll	Ordinal848 + 0x274d	0x7ff94a0fa6fd	C:\WINDOWS\System32\SHELL32.dll
32	SHELL32.dll	Ordinal848 + 0x1cc0	0x7ff94a0f9c70	C:\WINDOWS\System32\SHELL32.dll
33	SHELL32.dll	Ordinal848 + 0x26d	0x7ff94a0f821d	C:\WINDOWS\System32\SHELL32.dll
34	USER32.dll	Ordinal2707 + 0x233	0x7ff94b79eb53	C:\WINDOWS\System32\USER32.dll
35	USER32.dll	Ordinal2573 + 0x641	0x7ff94b79e261	C:\WINDOWS\System32\USER32.dll
36	USER32.dll	Ordinal2573 + 0x556	0x7ff94b79e176	C:\WINDOWS\System32\USER32.dll
37	USER32.dll	CallWindowProcW + 0x4d0	0x7ff94b79bc50	C:\WINDOWS\System32\USER32.dll
38	USER32.dll	SendMessageW + 0x37d	0x7ff94b79b16d	C:\WINDOWS\System32\USER32.dll
39	USER32.dll	CreateWindowInBandEx + 0x1556	0x7ff94b7a4c86	C:\WINDOWS\System32\USER32.dll
40	USER32.dll	DwmGetDxSharedSurface + 0x1c5	0x7ff94b7be0b5	C:\WINDOWS\System32\USER32.dll
41	USER32.dll	DialogBoxIndirectParamAorW + 0x52	0x7ff94b7bd8f2	C:\WINDOWS\System32\USER32.dll
42	USER32.dll	DialogBoxParamW + 0x75	0x7ff94b7bd855	C:\WINDOWS\System32\USER32.dll
43	SHELL32.dll	SHGetStockIconInfo + 0x72d5	0x7ff949f964c5	C:\WINDOWS\System32\SHELL32.dll
44	SHELL32.dll	Ordinal848 + 0x456	0x7ff94a0f8406	C:\WINDOWS\System32\SHELL32.dll
45	SHELL32.dll	Ordinal848 + 0x6d8	0x7ff94a0f8688	C:\WINDOWS\System32\SHELL32.dll
46	SHELL32.dll	SHBrowseForFolderW + 0xd1	0x7ff94a0fbab1	C:\WINDOWS\System32\SHELL32.dll
47	FastCopy.exe	TBrowseDirDlgW::Exec + 0x33, c:\users\shirouzu\desktop\fastcopy330r3src\src\miscdlg.cpp(249)	0x1400202c3	C:\Users\shirouzu\Desktop\FastCopy330r3src\x64\Release\FastCopy.exe
48	FastCopy.exe	BrowseDirDlgW + 0x1f2, c:\users\shirouzu\desktop\fastcopy330r3src\src\miscdlg.cpp(182)	0x140020032	C:\Users\shirouzu\Desktop\FastCopy330r3src\x64\Release\FastCopy.exe
49	FastCopy.exe	TMainDlg::EvCommand + 0x98, c:\users\shirouzu\desktop\fastcopy330r3src\src\mainwin.cpp(847)	0x140016688	C:\Users\shirouzu\Desktop\FastCopy330r3src\x64\Release\FastCopy.exe
50	FastCopy.exe	TDlg::WinProc + 0x4c3, c:\users\shirouzu\desktop\fastcopy330r3src\src\tlib\tdlg.cpp(116)	0x140032c23	C:\Users\shirouzu\Desktop\FastCopy330r3src\x64\Release\FastCopy.exe
51	FastCopy.exe	TApp::WinProc + 0x5b, c:\users\shirouzu\desktop\fastcopy330r3src\src\tlib\tapp.cpp(96)	0x14003243b	C:\Users\shirouzu\Desktop\FastCopy330r3src\x64\Release\FastCopy.exe
52	USER32.dll	Ordinal2707 + 0x1be	0x7ff94b79eade	C:\WINDOWS\System32\USER32.dll
53	USER32.dll	Ordinal2573 + 0x641	0x7ff94b79e261	C:\WINDOWS\System32\USER32.dll
54	USER32.dll	Ordinal2573 + 0x556	0x7ff94b79e176	C:\WINDOWS\System32\USER32.dll
55	USER32.dll	CallWindowProcW + 0x4d0	0x7ff94b79bc50	C:\WINDOWS\System32\USER32.dll
56	USER32.dll	SendMessageW + 0x37d	0x7ff94b79b16d	C:\WINDOWS\System32\USER32.dll
57	USER32.dll	SendMessageW + 0xf8	0x7ff94b79aee8	C:\WINDOWS\System32\USER32.dll
58	COMCTL32.dll	ImageList_SetBkColor + 0x524	0x7ff934916194	C:\WINDOWS\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.15063.483_none_26002d27e7c744a2\COMCTL32.dll
59	COMCTL32.dll	CCSetScrollInfo + 0x3a96	0x7ff934944ce6	C:\WINDOWS\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.15063.483_none_26002d27e7c744a2\COMCTL32.dll
60	USER32.dll	CallWindowProcW + 0x4d0	0x7ff94b79bc50	C:\WINDOWS\System32\USER32.dll
61	USER32.dll	DispatchMessageW + 0x1af	0x7ff94b79b5cf	C:\WINDOWS\System32\USER32.dll
62	USER32.dll	IsDialogMessageW + 0x10f	0x7ff94b796aef	C:\WINDOWS\System32\USER32.dll
63	FastCopy.exe	TApp::PreProcMsg + 0xe8, c:\users\shirouzu\desktop\fastcopy330r3src\src\tlib\tapp.cpp(72)	0x1400323c8	C:\Users\shirouzu\Desktop\FastCopy330r3src\x64\Release\FastCopy.exe
64	FastCopy.exe	TApp::Run + 0x3e, c:\users\shirouzu\desktop\fastcopy330r3src\src\tlib\tapp.cpp(55)	0x14003229e	C:\Users\shirouzu\Desktop\FastCopy330r3src\x64\Release\FastCopy.exe
65	FastCopy.exe	WinMain + 0x1c, c:\users\shirouzu\desktop\fastcopy330r3src\src\mainwin.cpp(75)	0x14001466c	C:\Users\shirouzu\Desktop\FastCopy330r3src\x64\Release\FastCopy.exe
66	FastCopy.exe	__scrt_common_main_seh + 0x117, f:\dd\vctools\crt\vcstartup\src\startup\exe_common.inl(246)	0x140034a17	C:\Users\shirouzu\Desktop\FastCopy330r3src\x64\Release\FastCopy.exe
67	KERNEL32.DLL	BaseThreadInitThunk + 0x14	0x7ff94c752774	C:\WINDOWS\System32\KERNEL32.DLL
68	ntdll.dll	RtlUserThreadStart + 0x21	0x7ff94c860d51	C:\WINDOWS\SYSTEM32\ntdll.dll