Fix Your Broken Applications: The Black Art of Shims

Chris Jackson
The App Compat Guy
Microsoft Corporation
WCL304
How Shims Work
Application → Import Function → Shim DLL → Export Function → Windows
(The shim DLL sits between the function the application imports and the function Windows exports.)
Shims for User Account Control
Standard User Analyzer
Application → LuaPriv (an AppVerifier plug-in) → Windows; LuaPriv writes its findings to XML logs
SUA Mitigations
SUA can recommend:
ElevateCreateProcess
ForceAdminAccess
LocalMappedObject
VirtualizeDeleteFile
VirtualizeHKCRLite
CorrectFilePaths
VirtualRegistry
ElevateCreateProcess
    Symptoms: ERROR_ELEVATION_REQUIRED
    Fix description: Tries again, requesting elevation
ForceAdminAccess
    Symptoms: Fails explicit administrator check
    Fix description: Lies
    ForceAdminAccess shim for IsUserAnAdmin:
        return TRUE;
LocalMappedObject
    Symptoms: Can’t create in Global namespace
    Fix description: Creates in Local namespace
VirtualizeDeleteFile
    Symptoms: Can’t delete files
    Fix description: Pretends to delete files
VirtualizeHKCRLite
    Symptoms: Can’t register COM components
    Fix description: Registers them per-user
UAC Manifests
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <assemblyIdentity type="win32" processorArchitecture="*"
                    version="1.0.0.0" name="MyApplication.exe"/>
  <description>My totally sweet Vista application</description>
  <ms_asmv2:trustInfo xmlns:ms_asmv2="urn:schemas-microsoft-com:asm.v2">
    <ms_asmv2:security>
      <ms_asmv2:requestedPrivileges>
        <!-- level is one of: asInvoker | highestAvailable | requireAdministrator -->
        <ms_asmv2:requestedExecutionLevel level="asInvoker"/>
      </ms_asmv2:requestedPrivileges>
    </ms_asmv2:security>
  </ms_asmv2:trustInfo>
</assembly>
Installer Detection
Legacy installers / updaters
SpecificInstaller
GenericInstaller
SpecificNonInstaller
RunAsAdmin
    Symptoms: Requires admin
    Fix description: Prompts for elevation
RunAsHighest
    Symptoms: Had both admin and standard user views
    Fix description: Provides most powerful token
RunAsInvoker
    Symptoms: Prompting unnecessarily
    Fix description: No more prompt
SpecificInstaller
    Symptoms: Not fixed as a legacy setup
    Fix description: Flags it as a legacy setup
SpecificNonInstaller
    Symptoms: Flagged as a legacy setup inappropriately
    Fix description: No longer flagged as a legacy setup
Run Level Specification
VirtualizeRegisterTypeLib
    Symptoms: Registering type library fails
    Fix description: Registers type library per-user
Shims for File and Registry Paths
VirtualRegistry
    Symptoms: Problem reading/writing registry value
    Fix description: Returns a different registry value
    Command line parameters...
VirtualRegistry Generic Fix
    AddRedirect ( HKLM\Key ^ HKCU\Key ^ HKLM\Key2 ^ HKCU\Key2 )
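As an added illustration (not code from the deck or from the shim engine), the C below parses an AddRedirect parameter string in the caret-separated pair layout shown above and rewrites a key path through the resulting table. The pair layout is from the slide; that a redirect also covers subkeys and that paths compare case-insensitively are assumptions, and the key names are constructed.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

enum { MAX_PAIRS = 8, MAX_KEY = 256 };
typedef struct { char from[MAX_KEY]; char to[MAX_KEY]; } redirect_pair;
typedef struct { redirect_pair pair[MAX_PAIRS]; int count; } redirect_table;

/* Copy the text before the next '^' into dst (outer spaces trimmed); return the text after it. */
static const char *next_token(const char *p, char *dst) {
    const char *caret = strchr(p, '^');
    const char *end = caret ? caret : p + strlen(p);
    while (p < end && *p == ' ') p++;
    while (end > p && end[-1] == ' ') end--;
    size_t n = (size_t)(end - p) < MAX_KEY - 1 ? (size_t)(end - p) : MAX_KEY - 1;
    memcpy(dst, p, n); dst[n] = '\0';
    return caret ? caret + 1 : NULL;
}

/* Parse "HKLM\Key ^ HKCU\Key ^ HKLM\Key2 ^ HKCU\Key2" into (from, to) pairs; returns the count. */
static int parse_add_redirect(const char *params, redirect_table *t) {
    const char *p = params;
    for (t->count = 0; p && t->count < MAX_PAIRS; t->count++) {
        p = next_token(p, t->pair[t->count].from);
        if (!p) break;                    /* odd token count: the dangling key has no target */
        p = next_token(p, t->pair[t->count].to);
    }
    return t->count;
}

static bool prefix_ieq(const char *s, const char *pre, size_t n) {   /* case-insensitive, like the registry */
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char)s[i]) != tolower((unsigned char)pre[i])) return false;
    return true;
}

/* Rewrite key into out: a redirected key, or any subkey beneath it, has its prefix swapped
   (assumed semantics). Returns true when a redirect applied; otherwise out is the key unchanged. */
static bool redirect_key(const redirect_table *t, const char *key, char *out, size_t outlen) {
    for (int i = 0; i < t->count; i++) {
        size_t fl = strlen(t->pair[i].from);
        if (strlen(key) >= fl && prefix_ieq(key, t->pair[i].from, fl)
            && (key[fl] == '\0' || key[fl] == '\\')) {
            snprintf(out, outlen, "%s%s", t->pair[i].to, key + fl);
            return true;
        }
    }
    snprintf(out, outlen, "%s", key);
    return false;
}
```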
CorrectFilePaths
    Symptoms: Problem reading/writing a file
    Fix description: Redirects to a different file
Shims for User Interface Process Isolation
UIPIEnableStandardMessages
    Symptoms: Window messages not delivered
    Fix description: Adds the message to the filter
    Parameters: MessageID1 MessageID2 MessageID3
    Example: 1055 1056 1057 1058 1069
UIPIEnableCustomMessages
    Symptoms: Custom window messages not delivered
    Fix description: Adds the custom window message to the allowed filter
    Parameters: MessageString1 MessageString2
User Interface Process Isolation
Shims for Windows Resource Protection
WRPMitigation
    Symptoms: Writing protected operating system file / registry key
    Fix description: Lies
WRPDllRegister
    Symptoms: Registering protected OS component
    Fix description: New DllRegisterServer
    Parameters: component1.dll;component2.dll
    Example: hhctrl.ocx;itircl.dll;itss.dll
WRPRegDeleteKey
    Symptoms: Can’t delete protected OS registry key
    Fix description: Lies
Windows Resource Protection
Shims for Operating System Version
I Can't Find the > Key…
Operating System                 Version Number   Release Date
Windows 1.0                      1.04             1985
Windows 2.0                      2.11             1987
Windows 3.0                      3.00             1990
Windows NT 3.1                   3.10.528         1993
Windows for Workgroups 3.11      3.11             1993
Windows NT Workstation 3.5       3.5.807          1994
Windows NT Workstation 3.51      3.51.1057        1995
Windows 95                       4.0.950          1995
Windows NT Workstation 4.0       4.0.1381         1996
Windows 98                       4.1.1998         1998
Windows 98 Second Edition        4.1.2222         1999
Windows Me                       4.90.3000        2000
Windows 2000 Professional        5.0.2195         2000
Windows XP                       5.1.2600         2001
Windows Vista                    6.0.6000         2006
xxxVersionLie
    Symptoms: “Unsupported operating system”
    Fix description: Lies
Version Lie Shims
Win95VersionLie
WinNT4SP5VersionLie
Win98VersionLie
Win2000VersionLie
Win2000SP1VersionLie
Win2000SP2VersionLie
Win2000SP3VersionLie
WinXPVersionLie
WinXPSP1VersionLie
WinXPSP2VersionLie
Win2K3RTMVersionLie
Win2K3SP1VersionLie
VistaRTMVersionLie
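An added example, not from the deck, showing in C why a version lie cures the “Unsupported operating system” symptom: a legacy check that compares major and minor independently rejects Vista's 6.0 but accepts the 5.1.2600 that a WinXPSP2VersionLie reports. The version numbers are from the table above; the struct, the lie mapping and the check functions are constructed stand-ins for OSVERSIONINFO and for an application's own logic.

```c
#include <stdbool.h>
#include <string.h>

/* Constructed stand-in for the OSVERSIONINFO fields a version lie rewrites. */
typedef struct { unsigned major, minor, build; } os_version;

/* What the real system reports: Windows Vista RTM (6.0.6000 in the table above). */
static const os_version vista_rtm = { 6, 0, 6000 };

/* What a hooked GetVersionEx hands back under a given version lie shim.
   Numbers come from the deck's version table; the mapping function itself is an assumption. */
static os_version version_lie(const char *shim) {
    os_version v = vista_rtm;                       /* no shim: tell the truth */
    if (strcmp(shim, "WinXPSP2VersionLie") == 0)  { v.major = 5; v.minor = 1; v.build = 2600; }
    if (strcmp(shim, "Win2000VersionLie") == 0)   { v.major = 5; v.minor = 0; v.build = 2195; }
    if (strcmp(shim, "Win95VersionLie") == 0)     { v.major = 4; v.minor = 0; v.build = 950; }
    return v;
}

/* A common legacy "XP or later" check: major and minor compared independently.
   Vista (6.0) fails it because minor 0 < 1, so the app says "Unsupported operating system". */
static bool legacy_xp_or_later(const os_version *v) {
    return v->major >= 5 && v->minor >= 1;
}

/* Another common pattern: the app was only ever tested on one version and demands it exactly. */
static bool legacy_exactly_win2000(const os_version *v) {
    return v->major == 5 && v->minor == 0;
}

/* The check the app should have shipped: compare (major, minor) as an ordered pair. */
static bool correct_xp_or_later(const os_version *v) {
    return v->major > 5 || (v->major == 5 && v->minor >= 1);
}

/* Does the app's check pass once the named shim is applied? */
static bool check_passes_with_shim(bool (*check)(const os_version *), const char *shim) {
    os_version v = version_lie(shim);
    return check(&v);
}
```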
Version Lie Layers
Win95
NT4SP5
Win98
Win2000
Win2000SP2
Win2000SP3
WinXP
WinXPSP1
WinXPSP2
WinXPSP2VersionLie
WinSrv03
WinSrv03SP1
VistaRTM
Shims and Layers
Application → Shim → Windows
Application → Layer → Windows; the Layer also applies to a Child Application the application launches
Layers: More Than Version Lies
XPSP2 Layer:
DirectXVersionLie
ElevateCreateProcess
EmulateSorting
EnableLegacyExceptionHandlingInOLE
FailObsoleteShellAPIs
GlobalMemoryStatus2GB
HandleBadPtr
HardwareAudioMixer
LoadLibraryCWD
NoGhost
RedirectMP3Codec
VirtualRegistry
WinXPSP2VersionLie
Operating System Version
How to INSTALL Custom Shim Databases
sdbinst.exe
%windir%\system32\sdbinst.exe
sdbinst Command Line
-q    Quiet mode
-u    Uninstall
-g    Guid (uninstall only)
-n    Internal name (uninstall only)
Deployment Options
Per enterprise
Per application
Installing Custom Shim Databases
API Hooking Option #1
Overwriting code
Locate the address of the function
Save the first few bytes
Overwrite with JMP
Overwriting Code: Hooking (before)
USER32!MessageBoxA:
    mov edi,edi    ; nop for hot patching
    push ebp       ; set up stack frame
    mov ebp,esp    ; ""
Overwriting Code: Hooking (after)
USER32!MessageBoxA:
    jmp rel8       ; short jump to hook
    push ebp       ; we never get here
    mov ebp,esp    ; ""
Overwriting Code: Challenges
CPU dependent
JUMP instructions vary between x86, x64, IA-64
Not thread safe
“…it is the programmer’s responsibility to ensure that no other threads are executing in the address space while a detour is inserted or removed.”
API Hooking Option #2
Module import section
Modify address
No CPU dependency
No thread synchronization
IAT Modification: Data Structures (PE image layout)
MS-DOS Header
NT Headers
    PE Signature
    File Headers
    Optional Headers
        Data Directories
            Export Table
            Import Table
            Resource Table
            Exception Table
            ...
Section Headers
Section Images
IAT Modification: Import Table
One import descriptor per imported DLL (kernel32.dll, user32.dll, advapi32.dll, ...), each holding:
    Original First Thunk | Time Date Stamp | Forwarder Chain | Imported DLL Name | First Thunk
First Thunk points at that DLL's import entries, e.g. for kernel32.dll:
    0x1034  GetModuleHandleA
    0x1047  LoadLibrary
    ...
IAT Modification: Sample Code
Richter & Nasarre, 2008
    ULONG ulSize;
    // Locate the caller module's import descriptor table
    PIMAGE_IMPORT_DESCRIPTOR pImportDesc = NULL;
    __try {
        pImportDesc = (PIMAGE_IMPORT_DESCRIPTOR)ImageDirectoryEntryToData(
            hmodCaller, TRUE, IMAGE_DIRECTORY_ENTRY_IMPORT, &ulSize);
    } __except (InvalidReadExceptionFilter(GetExceptionInformation())) {
        // unmapped or corrupt headers: leave pImportDesc NULL
    }
    if (pImportDesc == NULL) return;   // module has no import section

    // Walk the descriptors until the one for the callee DLL
    for (; pImportDesc->Name; pImportDesc++) {
        PSTR pszModName = (PSTR)((PBYTE)hmodCaller + pImportDesc->Name);
        if (lstrcmpiA(pszModName, pszCalleeModName) == 0) {
            // FirstThunk is the IAT: the function-pointer array the loader filled in
            PIMAGE_THUNK_DATA pThunk = (PIMAGE_THUNK_DATA)((PBYTE)hmodCaller + pImportDesc->FirstThunk);
            for (; pThunk->u1.Function; pThunk++) {
                PROC* ppfn = (PROC*)&pThunk->u1.Function;
                BOOL bFound = (*ppfn == pfnCurrent);   // the slot for the function being replaced?
                if (bFound) {
                    // Overwrite the slot; if the page is read-only, make it writable first
                    if (!WriteProcessMemory(GetCurrentProcess(), ppfn, &pfnNew, sizeof(pfnNew), NULL)
                        && (ERROR_NOACCESS == GetLastError())) {
                        DWORD dwOldProtect;
                        if (VirtualProtect(ppfn, sizeof(pfnNew), PAGE_WRITECOPY, &dwOldProtect)) {
                            WriteProcessMemory(GetCurrentProcess(), ppfn, &pfnNew, sizeof(pfnNew), NULL);
                            VirtualProtect(ppfn, sizeof(pfnNew), dwOldProtect, &dwOldProtect);
                        }
                    }
                    return;   // each module imports the function through one slot
                }
            }
        }
    }
Security: the Good
Application
Shim
Security: Something to Think About
Crack resources to locate dialog item ID
Implement hook for GetDlgItemText
Trick user into installing it
Your user-mode API interception can now
harvest passwords
API Hooking
Compatibility Administrator
/x switch
Search
Not perfect
Query
Shim Debug Spew
[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags]
"ShowDebugInfo"=dword:00000009
Debugger, DebugView, etc.
Shim Logging
Environment variables:
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" /v SHIM_DEBUG_LEVEL /t REG_SZ /d 9 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" /v SHIM_FILE_LOG /t REG_SZ /d logfile.txt /f
Log is written to %appdata%\logfile.txt
Shim Diagnostic Tools
When to Use Shims
Define standards:
Vendor no longer in business
Internal applications
Support negotiable
Custom SDBs Management
Custom SDBs defined by GUID
Affects updates
Define and enforce policy / workflow
Test / mitigation → deployment
Centralized resources
Custom SDB Deployment
Package with installer
Centralized enterprise SDB
Managing Shims in the Enterprise
http://go.microsoft.com/fwlink/?LinkId=107072
(More) Shims for User Account Control
CorrectShellExecuteHWND
    Symptom: Taskbar flasher
    Fix description: Use the currently active HWND
RetryOpenServiceWithReadAccess
    Symptoms: Access denied opening service
    Fix description: Try again requesting fewer rights
RetryOpenSCManagerWithReadAccess
    Symptoms: Access denied opening Service Control Manager
    Fix description: Try again requesting fewer rights
(More) UAC Shims
Shims for User Interface Issues
DisableDWM
    Symptoms: Not rendering correctly
    Fix description: Turn off DWM when the app is running
FakeLunaTheme
    Symptoms: Hard to read
    Fix description: Use XP Luna theme colors
User Interface Shims
Shims for Miscellaneous Issues
EmulateSorting
    Symptoms: Search functions fail
    Fix description: Use legacy sorting tables
SessionShim
    Symptoms: Unable to talk to service
    Fix description: Global → Local → original API
    Parameters: \\ delimited list of object names, otherwise all objects shimmed
IgnoreAltTab
    Symptoms: Alt-Tab or other special keys fail
    Fix description: Filters out special keys
    Parameters:
        NOKEYS – doesn’t disable Filter Keys / Sticky Keys
        OPENGL – do not shim if running in OpenGL
IgnoreException
    Symptoms: Unhandled exception (typically crashes)
    Fix description: Ignores the exception
    Yes, this should make you nervous…
    Parameters...
IgnoreException Parameters 1/2
EXCEPTION1_NAME:EXCEPTION1_LEVEL;EXCEPTION2_NAME:EXCEPTION2_LEVEL;…
Exception names can be:
ACCESS_VIOLATION_READ
ACCESS_VIOLATION_WRITE
ARRAY_BOUNDS_EXCEEDED
BREAKPOINT
DATATYPE_MISALIGNMENT
FLT_DENORMAL_OPERAND
FLT_DIVIDE_BY_ZERO
FLT_INEXACT_RESULT
FLT_INVALID_OPERATION
FLT_OVERFLOW
FLT_STACK_CHECK
FLT_UNDERFLOW
ILLEGAL_INSTRUCTION
IN_PAGE_ERROR
INT_DIVIDE_BY_ZERO
INT_OVERFLOW
INVALID_DISPOSITION
NONCONTINUABLE_EXCEPTION
PRIV_INSTRUCTION
SINGLE_STEP
STACK_OVERFLOW
INVALID_HANDLE
IgnoreException Parameters 2/2
Exception levels can be:
0 - Don't ignore the exception
1 - Ignore first chance exception
2 - Ignore second chance exception
3 - Exit process on second chance exception
IgnoreMessageBox
    Symptoms: Extraneous message box
    Fix description: Ignores the message box
    Parameters: MessageBoxText1,MessageBoxCaption1;MessageBoxText2,MessageBoxCaption2
    Empty arguments match anything
    Supports * and ? wildcards
    Escape these characters: ? * , ; \
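An added example, not the shim's own code, that implements the IgnoreMessageBox parameter rules above in C: pairs split on ';', text and caption on ',', empty arguments match anything, '*' and '?' wildcards, and backslash escapes for ? * , ; \. Assumed: matching is case-sensitive and a pattern must cover the whole string; the parameter strings and message texts used in the checks are constructed.

```c
#include <stdbool.h>
#include <string.h>

/* Match s against the raw pattern p[0..plen): '*' matches any run, '?' one character,
   a backslash makes the next character literal, and an empty pattern matches anything. */
static bool wild_match(const char *p, size_t plen, const char *s) {
    if (plen == 0) return true;                 /* empty argument matches anything */
    while (plen > 0) {
        if (*p == '*') {                        /* try the rest of the pattern at every suffix */
            for (const char *t = s;; t++) {
                if (wild_match(p + 1, plen - 1, t)) return true;
                if (*t == '\0') return false;
            }
        }
        bool literal = false;
        if (*p == '\\' && plen > 1) { p++; plen--; literal = true; }
        if (*s == '\0') return false;           /* pattern has more, subject does not */
        if (!(*p == '?' && !literal) && *p != *s) return false;
        p++; plen--; s++;
    }
    return *s == '\0';                          /* pattern exhausted: subject must be too */
}

/* Advance to the end of a field: the next unescaped `stop` or ';', or end of string. */
static const char *field_end(const char *p, char stop) {
    while (*p && *p != stop && *p != ';') {
        if (*p == '\\' && p[1]) p++;            /* step over the escaped character */
        p++;
    }
    return p;
}

/* params: "Text1,Caption1;Text2,Caption2". True when some pair matches both the box's
   text and caption, i.e. the shim would suppress that message box (assumed case-sensitive). */
static bool ignore_message_box(const char *params, const char *text, const char *caption) {
    const char *p = params;
    while (*p) {
        const char *t = p, *te = field_end(t, ',');
        const char *c = te, *ce = te;
        if (*te == ',') { c = te + 1; ce = field_end(c, ';'); }
        if (wild_match(t, (size_t)(te - t), text) && wild_match(c, (size_t)(ce - c), caption))
            return true;
        p = (*ce == ';') ? ce + 1 : ce;
    }
    return false;
}
```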
Miscellaneous Shims
Frequently Asked Questions
Managed code?
VB6 code?
msvbvm60.dll
16-bit code?
Top 10 System SDB Shims
1. GameUX
2. VirtualRegistry
3. CorrectFilePaths
4. Win95VersionLie
5. WinXPSP2VersionLie
6. IgnoreAltTab
7. ShimViaEAT
8. AOLFindBundledInstaller
9. ElevateCreateProcess
10. OpenDirectoryACL
http://www.appcompatguy.com
[email protected]
Resources
www.microsoft.com/teched
www.microsoft.com/learning
Sessions On-Demand & Community
Microsoft Certification & Training Resources
http://microsoft.com/technet
http://microsoft.com/msdn
Resources for IT Professionals
Resources for Developers
Related Content
Breakout Sessions (session codes and titles)
WCL302 – Are You Breaking my Stuff Again? The Windows 7 App Compat Story
WCL304 – Fix Your Broken Applications: The Black Art of Shims
WCL401 – Not for the Faint of Heart: Hard Core App Compat Debugging
Track Resources
→ Want to find out which Windows Client sessions are best suited to help you in your deployment lifecycle?
→ Want to talk face-to-face with folks from the Windows Product Team?
Meet us today at the Springboard Series Lounge, or visit us at www.microsoft.com/springboard
Springboard Series
The Springboard Series empowers you to select the right resources, at the right
technical level, at the right point in your Windows® Client adoption and management
process. Come see why Springboard Series is your destination for Windows 7.
Complete an evaluation on CommNet and enter to win!
© 2009 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should
not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS,
IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.