Post on 19-Jan-2016

Chris Jackson, "The App Compat Guy", Microsoft Corporation

Application Remediation

Windows Applications

The Debugging Process

• Utilize tools
• Start heavy debugging
• Verify the bug is fixed
• Duplicate the bug
• Describe the bug
• Assume the bug is in your app

• Divide and conquer
• Think creatively
• Learn and share

IAT Modification: Data Structures

PE image layout: MS-DOS Header, NT Headers, Section Headers, Section Images
NT Headers: PE Signature, File Headers, Optional Headers, Data Directories
Data Directories: Export Table, Import Table, Resource Table, Exception Table, ...
Import Table entry (one IMAGE_IMPORT_DESCRIPTOR per imported DLL): Original First Thunk, Time Date Stamp, Forwarder Chain, Imported DLL Name, First Thunk, ...

IAT Modification: Import Table

(Diagram: each import descriptor names a DLL (kernel32.dll, user32.dll, advapi32.dll, ...); its thunk array lists the imported functions (GetModuleHandleA, LoadLibrary, ...), and the thunk entries (0x1034, 0x1047, ...) hold the addresses the application's calls go through.)

IAT Modification: Sample Code (Richter & Nasarre, 2008)

```c
#include <windows.h>
#include <dbghelp.h>              /* ImageDirectoryEntryToData (added: not shown on the slide) */
#pragma comment(lib, "dbghelp.lib")

/* Defined elsewhere in Richter & Nasarre's APIHook module; only referenced on the slide. */
LONG WINAPI InvalidReadExceptionFilter(PEXCEPTION_POINTERS pep);

/* Slide fragment wrapped in a function signature reconstructed from the names it uses
   (in the book this is the CAPIHook::ReplaceIATEntryInOneMod member). It redirects the IAT
   slot in hmodCaller that currently holds pfnCurrent (imported from pszCalleeModName) to pfnNew. */
void ReplaceIATEntryInOneMod(PCSTR pszCalleeModName, PROC pfnCurrent, PROC pfnNew, HMODULE hmodCaller) {
    ULONG ulSize;
    PIMAGE_IMPORT_DESCRIPTOR pImportDesc = NULL;

    /* Locate the import directory; the __try guards against modules that are not mapped PE images. */
    __try {
        pImportDesc = (PIMAGE_IMPORT_DESCRIPTOR)ImageDirectoryEntryToData(
            hmodCaller, TRUE, IMAGE_DIRECTORY_ENTRY_IMPORT, &ulSize);
    } __except (InvalidReadExceptionFilter(GetExceptionInformation())) {
    }
    if (pImportDesc == NULL) return;                 /* module has no import section */

    /* One descriptor per imported DLL; find the one for the callee module. */
    for (; pImportDesc->Name; pImportDesc++) {
        PSTR pszModName = (PSTR)((PBYTE)hmodCaller + pImportDesc->Name);
        if (lstrcmpiA(pszModName, pszCalleeModName) == 0) {
            /* FirstThunk is the IAT: the array of resolved function addresses. */
            PIMAGE_THUNK_DATA pThunk = (PIMAGE_THUNK_DATA)((PBYTE)hmodCaller + pImportDesc->FirstThunk);
            for (; pThunk->u1.Function; pThunk++) {
                PROC* ppfn = (PROC*)&pThunk->u1.Function;
                BOOL bFound = (*ppfn == pfnCurrent);
                if (bFound) {
                    /* The IAT page is normally read-only: on ERROR_NOACCESS, make it
                       write-copy for the duration of the write and then restore it. */
                    if (!WriteProcessMemory(GetCurrentProcess(), ppfn, &pfnNew, sizeof(pfnNew), NULL) &&
                        (ERROR_NOACCESS == GetLastError())) {
                        DWORD dwOldProtect;
                        if (VirtualProtect(ppfn, sizeof(pfnNew), PAGE_WRITECOPY, &dwOldProtect)) {
                            WriteProcessMemory(GetCurrentProcess(), ppfn, &pfnNew, sizeof(pfnNew), NULL);
                            VirtualProtect(ppfn, sizeof(pfnNew), dwOldProtect, &dwOldProtect);
                        }
                    }
                    return;
                }
            }
        }
    }
}
```
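As an added example (not from the slides or from Richter & Nasarre), the following Python walks the import descriptors described on the Data Structures slide over a constructed 32-bit image fragment, then performs the defender's counterpart of the sample code: flagging IAT slots whose value no longer matches the address the exporting DLL should have supplied. The layout RVAs, the export addresses and the DLL/function names are all constructed for the example.

```python
import struct
# Constructed export map: the address each import should hold once the loader has filled the IAT.
EXPECTED = {("kernel32.dll", "GetModuleHandleA"): 0x7C80B741,
            ("kernel32.dll", "LoadLibraryA"): 0x7C801D7B,
            ("user32.dll", "MessageBoxA"): 0x7E4507EA}
HOOK_ADDR = 0x10001000  # constructed: a replacement routine living in another loaded DLL

def cstr(img, rva):
    return img[rva:img.index(b"\0", rva)].decode("ascii")

def build_image(hook=None):
    """Construct an image fragment: descriptors @0x1000, DLL names and hint/name entries @0x1100,
    OriginalFirstThunk arrays @0x1200, IAT (FirstThunk) @0x1300, 0x20 bytes per DLL.
    If hook=(dll, func) is given, that IAT slot is overwritten with HOOK_ADDR."""
    img, strp = bytearray(0x1400), 0x1100
    dlls = [("kernel32.dll", ["GetModuleHandleA", "LoadLibraryA"]), ("user32.dll", ["MessageBoxA"])]
    for n, (dll, funcs) in enumerate(dlls):
        name_rva, oft, ft = strp, 0x1200 + 0x20 * n, 0x1300 + 0x20 * n
        img[strp:strp + len(dll) + 1] = dll.encode() + b"\0"
        strp += len(dll) + 1
        for i, func in enumerate(funcs):
            img[strp + 2:strp + 3 + len(func)] = func.encode() + b"\0"  # WORD hint (0) precedes the name
            struct.pack_into("<I", img, oft + 4 * i, strp)  # OriginalFirstThunk entry -> IMAGE_IMPORT_BY_NAME
            addr = HOOK_ADDR if hook == (dll, func) else EXPECTED[(dll, func)]
            struct.pack_into("<I", img, ft + 4 * i, addr)  # FirstThunk (IAT) entry -> resolved address
            strp += 3 + len(func)
        # IMAGE_IMPORT_DESCRIPTOR: OriginalFirstThunk, TimeDateStamp, ForwarderChain, Name, FirstThunk
        struct.pack_into("<5I", img, 0x1000 + 20 * n, oft, 0, 0, name_rva, ft)
    return bytes(img)

def parse_imports(img, import_rva=0x1000):
    """Walk the descriptor array as the slide's sample code does; an all-zero descriptor or a zero
    thunk terminates. Returns (dll, func, iat_slot_rva, iat_value) for every import."""
    out = []
    for d in range(import_rva, import_rva + 0x100, 20):
        oft, _stamp, _fwd, name_rva, ft = struct.unpack_from("<5I", img, d)
        if name_rva == 0:
            break
        dll = cstr(img, name_rva)
        for i in range(0, 0x20, 4):
            by_name_rva = struct.unpack_from("<I", img, oft + i)[0]
            if by_name_rva == 0:
                break
            out.append((dll, cstr(img, by_name_rva + 2), ft + i, struct.unpack_from("<I", img, ft + i)[0]))
    return out

def find_modified_slots(img, expected=EXPECTED):
    """Defender's check: IAT slots whose value is not the address the exporting DLL provides."""
    return [(dll, f, slot, val, expected[(dll, f)])
            for dll, f, slot, val in parse_imports(img) if val != expected[(dll, f)]]
```

On a real process the expected map comes from resolving each import against the loaded export table of its DLL; any slot that points elsewhere (here, into the shim-like module at HOOK_ADDR) is exactly what the IAT write in the sample code leaves behind.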

Shim Application

• Implements Windows API hooks
• Shim engine is responsible for applying the shims

Hooking sequence:
• Load the shim DLL
• Retrieve the APIs which should be hooked
• Review the import table of the application to determine where hooks should be placed
• Overwrite the addresses of the API calls with the address in the shim

How Shims are Loaded

• Shims are applied per executable

Load sequence:
• Loader maps executable and statically linked DLLs into memory
• Shim engine applies API hooks
• Run initialization routines

Shim Includes and Excludes

(Diagram of one process: App.exe and the DLLs it loads (Custom1.dll, Custom2.dll, Crypt32.dll, Msxml3.dll, Urlmon.dll) each have an IAT entry for CreateFile. Each entry resolves either to the CorrectFilePaths implementation in the shim DLL or to the CreateFileW implementation in Kernel32.dll, depending on whether that module is included in or excluded from the shim.)

Determining Shims to Load

Matching Information
• Called by Kernel32!CreateProcessInternalW
• Compares file attributes of the exe: Product Name, Product Version, Company Name, Size, Checksum, etc.
• DLLs: shims GetProcAddress

Compatibility Modes (Layers)

• Collection of shims to address scenarios: emulating a specific OS, or a compatibility condition
• Some shown on the Compatibility tab

Shim Databases

• Application matching information
• Known compatibility issues: shipped with Windows, updated via Windows Update
• System sdb: %windir%\apppatch
• Custom sdbs: %windir%\apppatch\custom

Deploying Custom SDBs

• Copy the SDB to the target machine: startup script, Group Policy, or file copy
• Call %windir%\system32\sdbinst.exe
  sdbinst [-?] [-q] [-u] [-g] [-p] [-n[:WIN32|WIN64]] foo.sdb | {guid} | "name"
  -p         Allow SDBs containing patches.
  -q         Quiet mode. No message boxes will appear.
  -u         Uninstall.
  -g {guid}  GUID of file (uninstall only).
  -n "name"  Internal name of file (uninstall only).

Shim Debug Spew

• [HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags]
  "ShowDebugInfo"=dword:00000009
• View the output in a debugger, DebugView, etc.

Shim Logging

• Environment variables:
  reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" /v SHIM_DEBUG_LEVEL /t REG_SZ /d 9 /f
  reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" /v SHIM_FILE_LOG /t REG_SZ /d logfile.txt /f
• Log is written to %appdata%\logfile.txt

demo

Web Applications

Compatibility View in IE10

(Table of document modes by browser version: columns IE5 Quirks, IE6 Std., IE7 Std., IE8 Std., IE9 Std., Interop Quirks, IE10 Std.; rows IE5, IE6, IE7, IE8, IE9, IE10.)

demo

© 2013 Microsoft Corporation. All rights reserved. Microsoft, Windows and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
