Fix your Broken Applications: The Black Art of Shims
Chris Jackson, The App Compat Guy, Microsoft Corporation
Session WCL304
(diagram: without a shim, the application's ImportFunction binds directly to the Windows ExportFunction)
How Shims Work
(diagram: with a shim, the application's ImportFunction binds to the shim DLL's ExportFunction, and the shim DLL's own ImportFunction binds to the Windows ExportFunction)
Shims for User Account Control
Standard User Analyzer
(diagram: the Standard User Analyzer runs the application under AppVerifier with the LuaPriv checks; the Windows API calls it observes are written to XML logs)
SUA Mitigations
SUA can recommend: ElevateCreateProcess, ForceAdminAccess, LocalMappedObject, VirtualizeDeleteFile, VirtualizeHKCRLite, CorrectFilePaths, VirtualRegistry
ElevateCreateProcess
Symptoms
ERROR_ELEVATION_REQUIRED
Fix description
Tries again, requesting elevation
ForceAdminAccess
Symptoms
Fails explicit administrator check
Fix description
Lies
ForceAdminAccess Shim for IsUserAnAdmin:
return TRUE;
LocalMappedObject
Symptoms
Can’t create in Global namespace
Fix description
Creates in Local namespace
VirtualizeDeleteFile
Symptoms
Can’t delete files
Fix description
Pretends to delete files
VirtualizeHKCRLite
Symptoms
Can’t register COM components
Fix description
Registers them per-user
SUA Mitigations (demo)
UAC Manifests
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <assemblyIdentity type="win32" processorArchitecture="*" version="1.0.0.0" name="MyApplication.exe"/>
  <description>My totally sweet Vista application</description>
  <ms_asmv2:trustInfo xmlns:ms_asmv2="urn:schemas-microsoft-com:asm.v2">
    <ms_asmv2:security>
      <ms_asmv2:requestedPrivileges>
        <!-- level is exactly one of asInvoker, highestAvailable, requireAdministrator; the slide lists all three -->
        <ms_asmv2:requestedExecutionLevel level="asInvoker || highestAvailable || requireAdministrator"/>
      </ms_asmv2:requestedPrivileges>
    </ms_asmv2:security>
  </ms_asmv2:trustInfo>
</assembly>
Installer Detection
Legacy installers / updaters
SpecificInstaller
GenericInstaller
SpecificNonInstaller
RunAsAdmin
Symptoms
Requires admin
Fix description
Prompts for elevation
RunAsHighest
Symptoms
Had both admin and standard user views
Fix description
Provides most powerful token
RunAsInvoker
Symptoms
Prompting unnecessarily
Fix description
No more prompt
SpecificInstaller
Symptoms
Not fixed as a legacy setup
Fix description
Flags it as a legacy setup
SpecificNonInstaller
Symptoms
Flagged as a legacy setup inappropriately
Fix description
No longer flagged as a legacy setup
Run Level Specification (demo)
VirtualizeRegisterTypeLib
Symptoms
Registering type library fails
Fix description
Registers type library per-user
Shims for File and Registry Paths
VirtualRegistry
Symptoms
Problem reading/writing registry value
Fix description
Returns a different registry value
Command line parameters...
VirtualRegistry Generic Fix
AddRedirect ( HKLM\Key ^ HKCU\Key ^ HKLM\Key2 ^ HKCU\Key2)
VirtualRegistry (demo)
CorrectFilePaths
Symptoms
Problem reading/writing a file
Fix description
Redirects to a different file
CorrectFilePaths (demo)
Shims for User Interface Process Isolation
UIPIEnableStandardMessages
Symptoms
Window messages not delivered
Fix description
Adds the message to the filter
Parameters: MessageID1 MessageID2 MessageID3
Example: 1055 1056 1057 1058 1069
UIPIEnableCustomMessages
Symptoms
Custom window messages not delivered
Fix description
Adds the custom window message to the allowed filter
Parameters: MessageString1 MessageString2
User Interface Process Isolation (demo)
Shims for Windows Resource Protection
WRPMitigation
Symptoms
Writing protected operating system file / registry key
Fix description
Lies
WRPDllRegister
Symptoms
Registering protected OS component
Fix description
New DllRegisterServer
Parameters: component1.dll;component2.dll
Example: hhctrl.ocx;itircl.dll;itss.dll
WRPRegDeleteKey
Symptoms
Can’t delete protected OS registry key
Fix description
Lies
Windows Resource Protection (demo)
Shims for Operating System Version
I Can't Find the > Key…

Operating System                   Version Number   Release Date
Windows 1.0                        1.04             1985
Windows 2.0                        2.11             1987
Windows 3.0                        3.00             1990
Windows NT 3.1                     3.10.528         1993
Windows for Workgroups 3.11        3.11             1993
Windows NT Workstation 3.5         3.5.807          1994
Windows NT Workstation 3.51        3.51.1057        1995
Windows 95                         4.0.950          1995
Windows NT Workstation 4.0         4.0.1381         1996
Windows 98                         4.1.1998         1998
Windows 98 Second Edition          4.1.2222         1999
Windows Me                         4.90.3000        2000
Windows 2000 Professional          5.0.2195         2000
Windows XP                         5.1.2600         2001
Windows Vista                      6.0.6000         2006
xxxVersionLie
Symptoms
“Unsupported operating system”
Fix description
Lies
Version Lie Shims
Win95VersionLie, WinNT4SP5VersionLie, Win98VersionLie, Win2000VersionLie, Win2000SP1VersionLie, Win2000SP2VersionLie, Win2000SP3VersionLie, WinXPVersionLie, WinXPSP1VersionLie, WinXPSP2VersionLie, Win2K3RTMVersionLie, Win2K3SP1VersionLie, VistaRTMVersionLie
Version Lie Layers
Win95, NT4SP5, Win98, Win2000, Win2000SP2, Win2000SP3, WinXP, WinXPSP1, WinXPSP2, WinXPSP2VersionLie, WinSrv03, WinSrv03SP1, VistaRTM
Shims and Layers
(diagram: a layer is a named group of shims applied between Windows and the application, including any child application it launches)
Layers: More Than Version Lies
XPSP2 Layer:
DirectXVersionLie, ElevateCreateProcess, EmulateSorting, EnableLegacyExceptionHandlingInOLE, FailObsoleteShellAPIs, GlobalMemoryStatus2GB, HandleBadPtr, HardwareAudioMixer, LoadLibraryCWD, NoGhost, RedirectMP3Codec, VirtualRegistry, WinXPSP2VersionLie
Operating System Version (demo)
How to INSTALL Custom Shim Databases
sdbinst.exe
%windir%\system32\sdbinst.exe
sdbinst Command Line
-q  Quiet mode
-u  Uninstall
-g  Guid (uninstall only)
-n  Internal name (uninstall only)
Deployment Options
Per enterprise
Per application
Installing Custom Shim Databases (demo)
API Hooking Option #1
Overwriting code
Locate the address of the function
Save the first few bytes
Overwrite with JMP
Overwriting Code: Hooking
USER32!MessageBoxA:
    mov edi,edi    ; nop for hot patching
    push ebp       ; set up stack frame
    mov ebp,esp    ; ""
Overwriting Code: Hooking
USER32!MessageBoxA:
    jmp rel8       ; short jump to hook
    push ebp       ; we never get here
    mov ebp,esp    ; ""
Overwriting Code: Challenges
CPU dependent
JUMP instructions vary between x86, x64, IA-64
Not thread safe
“…it is the programmer’s responsibility to ensure that no other threads are executing in the address space while a detour is inserted or removed.”
API Hooking Option #2
Module import section
Modify address
No CPU dependency
No thread synchronization
IAT Modification: Data Structures
PE image layout:
  MS-DOS Header
  NT Headers
    PE Signature
    File Headers
    Optional Headers
      Data Directories
        Export Table
        Import Table
        Resource Table
        Exception Table
        ...
  Section Headers
  Section Images
Import Table entry (one IMAGE_IMPORT_DESCRIPTOR per imported DLL):
  Original First Thunk
  Time Date Stamp
  Forwarder Chain
  Imported DLL Name
  First Thunk
  ...
IAT Modification: Import Table
(diagram: one import descriptor per DLL (kernel32.dll, user32.dll, advapi32.dll, ...), each pointing at a thunk array whose entries (0x1034, 0x1047, ...) name the imported functions (GetModuleHandleA, LoadLibrary, ...))
IAT Modification: Sample Code (Richter & Nasarre, 2008)

```c
// ReplaceIATEntryInOneMod from Richter & Nasarre, Windows via C/C++ (2008).
// Walks hmodCaller's import descriptors, finds the slot that imports
// pfnCurrent from pszCalleeModName, and overwrites that IAT slot with pfnNew.
// The slide showed only the function body; the wrapper, headers and exception
// filter below are reconstructed from the book's sample.
#include <windows.h>
#include <dbghelp.h>   // ImageDirectoryEntryToData
#pragma comment(lib, "dbghelp.lib")

// A module with a damaged header can fault inside ImageDirectoryEntryToData;
// swallow the exception and simply leave that module unpatched.
LONG WINAPI InvalidReadExceptionFilter(PEXCEPTION_POINTERS pep) {
    return EXCEPTION_EXECUTE_HANDLER;
}

void ReplaceIATEntryInOneMod(PCSTR pszCalleeModName, PROC pfnCurrent,
                             PROC pfnNew, HMODULE hmodCaller) {
    ULONG ulSize;
    PIMAGE_IMPORT_DESCRIPTOR pImportDesc = NULL;
    __try {
        pImportDesc = (PIMAGE_IMPORT_DESCRIPTOR)ImageDirectoryEntryToData(
            hmodCaller, TRUE, IMAGE_DIRECTORY_ENTRY_IMPORT, &ulSize);
    } __except (InvalidReadExceptionFilter(GetExceptionInformation())) {
    }
    if (pImportDesc == NULL) return;   // module has no import section

    for (; pImportDesc->Name; pImportDesc++) {
        PSTR pszModName = (PSTR)((PBYTE)hmodCaller + pImportDesc->Name);
        if (lstrcmpiA(pszModName, pszCalleeModName) == 0) {
            // Found the descriptor for the callee DLL: walk its IAT.
            PIMAGE_THUNK_DATA pThunk =
                (PIMAGE_THUNK_DATA)((PBYTE)hmodCaller + pImportDesc->FirstThunk);
            for (; pThunk->u1.Function; pThunk++) {
                PROC* ppfn = (PROC*)&pThunk->u1.Function;
                BOOL bFound = (*ppfn == pfnCurrent);
                if (bFound) {
                    // The IAT page is normally read-only; retry after making it writable.
                    if (!WriteProcessMemory(GetCurrentProcess(), ppfn, &pfnNew,
                                            sizeof(pfnNew), NULL) &&
                        (ERROR_NOACCESS == GetLastError())) {
                        DWORD dwOldProtect;
                        if (VirtualProtect(ppfn, sizeof(pfnNew), PAGE_WRITECOPY,
                                           &dwOldProtect)) {
                            WriteProcessMemory(GetCurrentProcess(), ppfn, &pfnNew,
                                               sizeof(pfnNew), NULL);
                            VirtualProtect(ppfn, sizeof(pfnNew), dwOldProtect,
                                           &dwOldProtect);
                        }
                    }
                    return;
                }
            }
        }
    }
}
```
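As an added example, not code from the deck or from Richter & Nasarre: the same descriptor and thunk walk in Python, read-only, over a constructed 32-bit import table, used the way a defender needs it: naming each IAT slot and flagging slots whose resolved address lies outside the DLL that should export the symbol, which is the trace an IAT patch like the one above leaves behind. The sample image and the module address ranges are constructed for this example.

```python
import struct

# IMAGE_IMPORT_DESCRIPTOR: OriginalFirstThunk, TimeDateStamp, ForwarderChain,
# Name, FirstThunk. 32-bit image, loaded at base 0, so RVA == buffer offset.
IMPORT_DESC = "<IIIII"
DESC_SIZE = struct.calcsize(IMPORT_DESC)
ORDINAL_FLAG32 = 0x80000000

def cstring(img, rva):
    return img[rva:img.index(b"\0", rva)].decode("ascii")

def walk_imports(img, import_dir_rva):
    """Yield (dll, symbol, iat_slot_rva, resolved_addr), pairing each FirstThunk
    (IAT) slot with its OriginalFirstThunk entry so the slot can be named."""
    off = import_dir_rva
    while True:
        oft, _, _, name_rva, ft = struct.unpack_from(IMPORT_DESC, img, off)
        if name_rva == 0:                      # all-zero descriptor ends the table
            return
        dll = cstring(img, name_rva).lower()
        i = 0
        while True:
            int_entry, = struct.unpack_from("<I", img, oft + 4 * i)
            if int_entry == 0:                 # zero thunk ends this DLL's list
                break
            resolved, = struct.unpack_from("<I", img, ft + 4 * i)
            if int_entry & ORDINAL_FLAG32:     # import by ordinal: no name entry
                symbol = "#%d" % (int_entry & 0xFFFF)
            else:                              # IMAGE_IMPORT_BY_NAME: hint, name
                symbol = cstring(img, int_entry + 2)
            yield dll, symbol, ft + 4 * i, resolved
            i += 1
        off += DESC_SIZE

def find_iat_hooks(img, import_dir_rva, module_ranges):
    """IAT slots whose resolved address is outside the DLL that should export
    the symbol: the footprint a WriteProcessMemory patch of the IAT leaves."""
    return [(dll, sym, slot, addr)
            for dll, sym, slot, addr in walk_imports(img, import_dir_rva)
            if not module_ranges[dll][0] <= addr < module_ranges[dll][1]]

def build_image(iat_values):
    """Constructed image fragment (sample data, not a real PE): one descriptor
    for user32.dll importing MessageBoxA by name and ordinal #37."""
    img = bytearray(0x300)
    struct.pack_into(IMPORT_DESC, img, 0x00, 0x100, 0, 0, 0x80, 0x200)
    img[0x80:0x8B] = b"user32.dll\0"
    img[0xC0:0xCE] = b"\0\0MessageBoxA\0"      # hint 0, then the name
    struct.pack_into("<III", img, 0x100, 0xC0, ORDINAL_FLAG32 | 37, 0)  # INT
    struct.pack_into("<III", img, 0x200, iat_values[0], iat_values[1], 0)  # IAT
    return bytes(img)
```

Against a live process the same check compares each slot with the export resolved from the loaded DLL's own export table instead of a constructed range.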
Security: the Good
(diagram: the shim is loaded inside the application's own process)
Security: Something to Think About
Crack resources to locate dialog item ID
Implement hook for GetDlgItemText
Trick user into installing it
Your user-mode API interception can now harvest passwords
API Hooking (demo)
Compatibility Administrator
/x switch
Search: not perfect
Query
Shim Debug Spew
[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags]
"ShowDebugInfo"=dword:00000009
Debugger, DebugView, etc.
Shim Logging
Environment variables:
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" /v SHIM_DEBUG_LEVEL /t REG_SZ /d 9 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" /v SHIM_FILE_LOG /t REG_SZ /d logfile.txt /f
Log file: %appdata%\logfile.txt
Shim Diagnostic Tools (demo)
When to Use Shims
Define standards:
Vendor no longer in business
Internal applications
Support negotiable
Custom SDBs Management
Custom SDBs defined by GUID
Affects updates
Define and enforce policy / workflow
Test / mitigation deployment
Centralized resources
Custom SDB Deployment
Package with installer
Centralized enterprise SDB
Managing Shims in the Enterprise
http://go.microsoft.com/fwlink/?LinkId=107072
Custom SDB Deployment (demo)
(More) Shims for User Account Control
CorrectShellExecuteHWND
Symptoms
Taskbar flasher
Fix description
Use the currently active HWND
RetryOpenServiceWithReadAccess
Symptoms
Access denied opening service
Fix description
Try again requesting fewer rights
RetryOpenSCManagerWithReadAccess
Symptoms
Access denied opening Service Control Manager
Fix description
Try again requesting fewer rights
(More) UAC Shims (demo)
Shims for User Interface Issues
DisableDWM
Symptoms
Not rendering correctly
Fix description
Turn off DWM when the app is running
FakeLunaTheme
Symptoms
Hard to read
Fix description
Use XP Luna theme colors
User Interface Shims (demo)
Shims for Miscellaneous Issues
EmulateSorting
Symptoms
Search functions fail
Fix description
Use legacy sorting tables
SessionShim
Symptoms
Unable to talk to service
Fix description
Global Local original API
Parameters: \\ delimited list of object names; otherwise all objects are shimmed
IgnoreAltTab
Symptoms
Alt-Tab or other special keys fail
Fix description
Filters out special keys
Parameters: NOKEYS – doesn’t disable Filter Keys / Sticky Keys
OPENGL – do not shim if running in OpenGL
IgnoreException
Symptoms
Unhandled exception (typically crashes)
Fix description
Ignores the exception
Yes, this should make you nervous…
Parameters...
IgnoreException Parameters 1/2
EXCEPTION1_NAME:EXCEPTION1_LEVEL;EXCEPTION2_NAME:EXCEPTION2_LEVEL;…
Exception names can be:
ACCESS_VIOLATION_READ, ACCESS_VIOLATION_WRITE, ARRAY_BOUNDS_EXCEEDED, BREAKPOINT, DATATYPE_MISALIGNMENT, FLT_DENORMAL_OPERAND, FLT_DIVIDE_BY_ZERO, FLT_INEXACT_RESULT, FLT_INVALID_OPERATION, FLT_OVERFLOW, FLT_STACK_CHECK,
FLT_UNDERFLOW, ILLEGAL_INSTRUCTION, IN_PAGE_ERROR, INT_DIVIDE_BY_ZERO, INT_OVERFLOW, INVALID_DISPOSITION, NONCONTINUABLE_EXCEPTION, PRIV_INSTRUCTION, SINGLE_STEP, STACK_OVERFLOW, INVALID_HANDLE
IgnoreException Parameters 2/2
Exception levels can be:
0 - Don't ignore the exception
1 - Ignore first chance exception
2 - Ignore second chance exception
3 - Exit process on second chance exception
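As an added example (not from the deck): a parser for the IgnoreException parameter string that validates names and levels against the lists on these two slides, applies the level semantics literally as stated, and flags the entries that silence memory-safety faults, which is the kind of configuration the "this should make you nervous" remark is about.

```python
# IgnoreException grammar from the slides: "NAME:LEVEL;NAME:LEVEL;...", with
# levels 0 = don't ignore, 1 = ignore first chance, 2 = ignore second chance,
# 3 = exit process on second chance.
KNOWN_EXCEPTIONS = {
    "ACCESS_VIOLATION_READ", "ACCESS_VIOLATION_WRITE", "ARRAY_BOUNDS_EXCEEDED",
    "BREAKPOINT", "DATATYPE_MISALIGNMENT", "FLT_DENORMAL_OPERAND",
    "FLT_DIVIDE_BY_ZERO", "FLT_INEXACT_RESULT", "FLT_INVALID_OPERATION",
    "FLT_OVERFLOW", "FLT_STACK_CHECK", "FLT_UNDERFLOW", "ILLEGAL_INSTRUCTION",
    "IN_PAGE_ERROR", "INT_DIVIDE_BY_ZERO", "INT_OVERFLOW", "INVALID_DISPOSITION",
    "NONCONTINUABLE_EXCEPTION", "PRIV_INSTRUCTION", "SINGLE_STEP",
    "STACK_OVERFLOW", "INVALID_HANDLE",
}
# Ignoring these hides memory corruption rather than a benign fault.
MEMORY_SAFETY = {"ACCESS_VIOLATION_READ", "ACCESS_VIOLATION_WRITE",
                 "ARRAY_BOUNDS_EXCEEDED", "STACK_OVERFLOW", "IN_PAGE_ERROR"}

def parse_ignore_exception(params):
    """Parse 'NAME:LEVEL;...' into {name: level}; rejects unknown names or levels."""
    config = {}
    for entry in filter(None, params.split(";")):
        name, sep, level = entry.partition(":")
        if name not in KNOWN_EXCEPTIONS or not sep or level not in ("0", "1", "2", "3"):
            raise ValueError("bad IgnoreException entry: %r" % entry)
        config[name] = int(level)
    return config

def decide(config, name, second_chance):
    """Action the shim takes for one delivery of the exception: 'ignore',
    'exit', or 'pass' (left to the application's handlers / the OS)."""
    level = config.get(name, 0)
    if level == 1 and not second_chance:
        return "ignore"
    if level == 2 and second_chance:
        return "ignore"
    if level == 3 and second_chance:
        return "exit"
    return "pass"

def risky_entries(config):
    """Entries that swallow memory-safety faults instead of letting the process die."""
    return sorted(n for n, lvl in config.items() if n in MEMORY_SAFETY and lvl in (1, 2))
```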
IgnoreMessageBox
Symptoms
Extraneous message box
Fix description
Ignores the message box
Parameters: MessageBoxText1,MessageBoxCaption1;MessageBoxText2,MessageBoxCaption2
Empty arguments match anything
Supports * and ? wildcards
Escape these characters: ? * , ; \
Miscellaneous Shims (demo)
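As an added example, not code from the deck: a matcher implementing the IgnoreMessageBox parameter rules above (text/caption pairs, wildcards, empty fields, backslash escapes), so a proposed parameter string can be checked for what it would suppress before the SDB is deployed.

```python
import re

# IgnoreMessageBox grammar from the slides: "Text,Caption" pairs separated by
# ";", "*" and "?" wildcards, empty text or caption matches anything, and the
# characters ? * , ; \ are escaped with a backslash.
def split_unescaped(s, sep):
    """Split on sep while honouring backslash escapes (escapes are kept)."""
    parts, cur, i = [], "", 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            cur, i = cur + s[i:i + 2], i + 2
        elif s[i] == sep:
            parts.append(cur); cur, i = "", i + 1
        else:
            cur, i = cur + s[i], i + 1
    parts.append(cur)
    return parts

def pattern_to_regex(pat):
    """Anchored regex for one shim pattern; an empty pattern matches anything."""
    if pat == "":
        return re.compile(".*", re.S)
    out, i = "", 0
    while i < len(pat):
        c = pat[i]
        if c == "\\" and i + 1 < len(pat):          # escaped literal, e.g. "\*"
            out, i = out + re.escape(pat[i + 1]), i + 2
        else:
            out += ".*" if c == "*" else "." if c == "?" else re.escape(c)
            i += 1
    return re.compile(out + r"\Z", re.S)

def parse_ignore_message_box(params):
    """Turn the parameter string into [(text_regex, caption_regex), ...]."""
    rules = []
    for entry in split_unescaped(params, ";"):
        if entry == "":
            continue
        fields = split_unescaped(entry, ",")
        caption = fields[1] if len(fields) > 1 else ""
        rules.append((pattern_to_regex(fields[0]), pattern_to_regex(caption)))
    return rules

def would_ignore(rules, text, caption):
    """True if the shim would suppress a MessageBox with this text and caption."""
    return any(t.match(text) and c.match(caption) for t, c in rules)
```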
Frequently Asked Questions
Managed code?
VB6 code?
msvbvm60.dll
16-bit code?
Top 10 System SDB Shims
1. GameUX
2. VirtualRegistry
3. CorrectFilePaths
4. Win95VersionLie
5. WinXPSP2VersionLie
6. IgnoreAltTab
7. ShimViaEAT
8. AOLFindBundledInstaller
9. ElevateCreateProcess
10. OpenDirectoryACL
www.microsoft.com/teched – Sessions On-Demand & Community
http://microsoft.com/technet – Resources for IT Professionals
http://microsoft.com/msdn – Resources for Developers
www.microsoft.com/learning – Microsoft Certification & Training Resources
Resources
Related Content
Breakout Sessions (session codes and titles)
WCL302 – Are You Breaking my Stuff Again? The Windows 7 App Compat Story
WCL304 – Fix Your Broken Applications: The Black Art of Shims
WCL401 – Not for the Faint of Heart: Hard Core App Compat Debugging
Track Resources
→ Want to find out which Windows Client sessions are best suited to help you in your deployment lifecycle?
→ Want to talk face-to-face with folks from the Windows Product Team?
Meet us today at the
Springboard Series Lounge, or visit us at www.microsoft.com/springboard
Springboard Series
The Springboard Series empowers you to select the right resources, at the right technical level, at the right point in your Windows® Client adoption and management process. Come see why Springboard Series is your destination for Windows 7.
Complete an evaluation on CommNet and enter to win!
© 2009 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS,
IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.