Defending Against Malicious Application Compatibility Shims
by Sean Pierce
Black Hat Europe, 2015
| Notes |
|---|
| Sean Pierce |
| CISSP |
| Twitter @secure_sean |
| GitHub https://github.com/securesean |
| https://sdb.tools |
| iSIGHT |
| Application Compatibility |
| Windows 95 |
| Flush File Cache |
| Undocumented APIs and structures |
| Windows |
| Application Compatibility Shim |
| Shim Database file |
| .sdb file extension |
| CreateProcess() |
| Import Address Table |
| Microsoft Fix it Patches |
| EMET |
| CVE-2014-0322 |
| Registry |
| HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom |
| HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB |
| C:\Windows\AppPatch\Custom\ |
| C:\Windows\AppPatch\Custom\Custom64\ |
| Yara |
| Snort |
| persistence |
| IFEO |
| obfuscation |
| UAC |
| hooking |
| sdbinst.exe |
| Windows Vista |
| KB3045645 |
| UAC bypass |
| in the wild |
| BlackEnergy 2 |
| Roaming Tiger |
| GetHookAPIs |
| NotifyShims |
| PuTTY |
| Metasploit |
| PuttyRider |
| Firefox |
| Autoruns |
| VirtualRegistry |
| Hot patch |
| Shim explorer.exe |
| InjectDll |
| LoadLibraryRedirect |
| return-oriented programming |
| IgnoreException |
| anti-analysis |
| shellcode |
| Group Policy |
| Shim Engine |
| Microsoft Application Compatibility Toolkit |
| Shim Cache Parser |
| Shimcache Memory Scan |
| shims.exe |
| python-sdb |
| Shim-File-Scanner |
| Shim-Process-Scanner |
| Shim-Process-Scanner-Lite |
| Shim-Guard |
| Shim-Guard-Lite |
| Sdb Ingest Module (Autopsy) |
| Sdb Scanner (Volatility) |
| Windows 7 |
| Microsoft |
| Alex Ionescu: Secrets of the Application Compatibility Database |
| Recx: Windows AppCompat Research Notes |
| Mark Baggett (2013): Derbycon 2013 - Owned by Default! |
| Graham Posts: Shimming your way past UAC |
| Jon Erickson: Black Hat Asia - Persist It. Using and Abusing Microsoft Fix It Patches |