Prior Work

The earliest mention of shims relating to security was in 2007 when a software engineer named Alex Ionescu started to publish a number of blog posts titled, ‘Secrets of the Application Compatilibity Database (SDB)’. This was planned to be a 7 part series but unfortunately Ionescu stopped after the fourth post. In the years preceding and following, a small number of disparate bloggers posted various technical details and mentions of shims, but typically with the focus of application compatibility. Below is a general timeline of major shim references:

  1. June 2005. A Microsoft Employee named Chris Jackson’s started an MSDN blog called, ‘The App Compat Guy’. Around January 2007 he began posting information about the ACT and blogging about shims. http://blogs.msdn.com/b/cjacks/
  2. May 2007. Ionescu ‘Secrets of the Application Compatilibity Database (SDB)’ www.alex-ionescu.com/?p=39
  3. August 2008. A blogger with the handle ‘wedday’ posted some technical details about how the shim engine worked based on the shim engine’s debug output. http://wedday.blogspot.co.uk/2008/08/shimeng.html
  4. July 2009. Another Microsoft Employee named ‘Maarten van de Bospoort’ wrote a blog post titled ‘Disabling a Shim’. However his solution was to disable the shim engine via group policy which is not advised because Windows relies on the shim engine for EMET and Fixit patches (discussed later). (Bospoort, 2009) http://blogs.msdn.com/b/maartenb/archive/2009/07/24/disabling-a-shim.aspx
  5. February 2010. A developer who goes by the name, ‘Jochen Kalmbach’ posted a tool that will display the shims that would be activated by a particular file. http://blog.kalmbach-software.de/2010/02/22/the-shim-database/
  6. April 2012. A company named ‘Recx’ posted a compilation of research notes titled ‘Windows AppCompat Research Notes’ where deep technical insight and control flow of the shim engine was discussed. (Ollie, 2012) http://recxltd.blogspot.co.uk/2012/04/windows-appcompat-research-notes-part-1.html
  7. May 2012. Microsoft updated its Application Compatibility Toolkit (ACT) Technical Reference where background information is given on the ACT along with details of individual fixes. This article also links to the AppHelp.dll documentation. https://technet.microsoft.com/en-us/library/hh825181.aspx
  8. October 2013. Mark Baggett gave a talk at DerbyCon titled, ‘Windows – Own3d by Default’. He is the first to discuss the use of shims in a post exploitation context. http://www.irongeek.com/i.php?page=videos/derbycon3/4206-windows-0wn3d-by-default-mark-baggett
  9. March 2014. Jon Erickson presented at Black Hat Asia ‘Persist-It – Using and Abusing Microsoft Fix It Patches’ where he describes how Fixit patches work and how his tool can be used to analyze them. (Erickson, 2014) https://www.blackhat.com/docs/asia-14/materials/Erickson/Asia-14-Erickson-Persist-It-Using-And-Abusing-Microsofts-Fix-It-Patches.pdf https://www.blackhat.com/docs/asia-14/materials/Erickson/WP-Asia-14-Erickson-Persist-It-Using-And-Abusing-Microsofts-Fix-It-Patches.pdf
  10. May 2014. Graham Posts ‘Shimming your Way Past UAC’ (Graham, 2014). This provided the first public source code reference for how the ACT can be used to bypass a UAC prompt. http://blog.ddifrontline.com/4#more-4
  11. December 2014. Jon Erickson presents ‘The active use and exploitation of Microsoft's Application Compatibility Framework’ at SysScan 360 and CodeBlue in Japan. http://sdb.io/erickson-codeblue.pdf
  12. Jan 2015. Sean Pierce (me) Shmoocon Epilogue “Forensic Analysis of Advanced Persistence through the Application Compatibility Toolkit”

Paper Bibliography