Application Remediation
Chris Jackson, "The App Compat Guy", Microsoft Corporation
Windows Applications

The Debugging Process
• Duplicate the bug
• Describe the bug
• Assume the bug is in your app
• Divide and conquer
• Think creatively
• Utilize tools
• Start heavy debugging
• Verify the bug is fixed
• Learn and share
IAT Modification: Data Structures
• MS-DOS Header
• NT Headers
  • PE Signature
  • File Header
  • Optional Header
  • Data Directories: Export Table, Import Table, Resource Table, Exception Table, ...
• Section Headers
• Section Images
• Each Import Table entry (IMAGE_IMPORT_DESCRIPTOR): Original First Thunk, Time Date Stamp, Forwarder Chain, Imported DLL Name, First Thunk
IAT Modification: Import Table
(Figure: the import table, grouped per imported DLL (kernel32.dll, user32.dll, advapi32.dll, ...), lists the imported functions (GetModuleHandleA, LoadLibrary, ...) and the IAT slot addresses (0x1034, 0x1047, ...) through which the application's calls are dispatched.)
IAT Modification: Sample Code (Richter & Nasarre, 2008)

The fragment below is the body of ReplaceIATEntryInOneMod from Richter & Nasarre's APIHook sample: it walks the calling module's import descriptors, finds the descriptor for the callee DLL, then scans that descriptor's IAT for the slot that currently holds pfnCurrent and overwrites it with pfnNew.

    #include <Windows.h>
    #include <ImageHlp.h>                  // ImageDirectoryEntryToData
    #pragma comment(lib, "ImageHlp")

    // Exception filter from the same sample: swallows the access violation raised
    // when a module's headers cannot be read, so that module is simply left unpatched.
    LONG WINAPI InvalidReadExceptionFilter(PEXCEPTION_POINTERS pep);

    void ReplaceIATEntryInOneMod(PCSTR pszCalleeModName, PROC pfnCurrent,
                                 PROC pfnNew, HMODULE hmodCaller) {
       // Locate the caller module's import section
       ULONG ulSize;
       PIMAGE_IMPORT_DESCRIPTOR pImportDesc = NULL;
       __try {
          pImportDesc = (PIMAGE_IMPORT_DESCRIPTOR)ImageDirectoryEntryToData(
             hmodCaller, TRUE, IMAGE_DIRECTORY_ENTRY_IMPORT, &ulSize);
       }
       __except (InvalidReadExceptionFilter(GetExceptionInformation())) {
          // nothing to do: pImportDesc stays NULL
       }
       if (pImportDesc == NULL)
          return;   // no import section, or the module is no longer mapped

       // Find the descriptor that references the callee DLL (case-insensitive name compare)
       for (; pImportDesc->Name; pImportDesc++) {
          PSTR pszModName = (PSTR)((PBYTE)hmodCaller + pImportDesc->Name);
          if (lstrcmpiA(pszModName, pszCalleeModName) == 0) {
             // FirstThunk is the caller's IAT for this DLL: an array of resolved addresses
             PIMAGE_THUNK_DATA pThunk =
                (PIMAGE_THUNK_DATA)((PBYTE)hmodCaller + pImportDesc->FirstThunk);

             // Scan the IAT for the slot holding the current address and replace it
             for (; pThunk->u1.Function; pThunk++) {
                PROC* ppfn = (PROC*)&pThunk->u1.Function;
                BOOL bFound = (*ppfn == pfnCurrent);
                if (bFound) {
                   // The IAT page is normally read-only. If the plain write fails with
                   // ERROR_NOACCESS, make the page copy-on-write, write, then restore
                   // the original protection.
                   if (!WriteProcessMemory(GetCurrentProcess(), ppfn, &pfnNew,
                                           sizeof(pfnNew), NULL) &&
                       (ERROR_NOACCESS == GetLastError())) {
                      DWORD dwOldProtect;
                      if (VirtualProtect(ppfn, sizeof(pfnNew), PAGE_WRITECOPY,
                                         &dwOldProtect)) {
                         WriteProcessMemory(GetCurrentProcess(), ppfn, &pfnNew,
                                            sizeof(pfnNew), NULL);
                         VirtualProtect(ppfn, sizeof(pfnNew), dwOldProtect,
                                        &dwOldProtect);
                      }
                   }
                   return;   // slot patched
                }
             }
          }
       }
    }
Shim Application
• Implements Windows API hooks
• Shim engine is responsible for applying the shims:
  • Load the shim DLL
  • Retrieve the APIs which should be hooked
  • Review the import table of the application to determine where hooks should be placed
  • Overwrite the addresses of the API calls with the address in the shim
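The import-table walk from the IAT Modification slides and the four shim-engine steps above, as an added worked example (not code from the deck, from the shim engine, or from Richter & Nasarre): a pure-Python parser that constructs a minimal PE32 image laid out as the loader would map it (so an RVA is an offset from the image base, like hmodCaller in the sample code), walks the IMAGE_IMPORT_DESCRIPTOR and thunk arrays to find the IAT slot for a named import, simulates the loader filling the IAT from constructed export addresses, and then overwrites one slot the way the shim engine redirects CreateFileW. Every module name, function name, address (0x7FF10000, 0x10001000 and the layout offsets) and the export table are constructed for the example. It models the bookkeeping only: a live process also needs the VirtualProtect dance from the sample code, imports by ordinal are skipped, and a file on disk would additionally need RVA-to-file-offset translation through the section headers.

```python
"""Walk a mapped PE image's import table and patch an IAT slot, as the shim engine does."""
import struct

IMAGE_DIRECTORY_ENTRY_IMPORT = 1

# Constructed export addresses standing in for what the loader would resolve.
FAKE_EXPORTS = {
    "kernel32.dll": {"CreateFileW": 0x7FF10000, "GetModuleHandleA": 0x7FF10040},
    "user32.dll": {"MessageBoxW": 0x7FF20000},
}
SHIM_CORRECTFILEPATHS = 0x10001000   # constructed address of the shim DLL's CreateFileW replacement


def build_sample_image():
    """Constructed minimal PE32 image as it looks once mapped (RVA == offset from base).

    DOS header -> PE signature at 0x80 -> file header -> optional header (import
    directory at RVA 0x200) -> import descriptors, INT/IAT arrays, then strings.
    """
    img = bytearray(0x400)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)                                   # e_lfanew
    img[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", img, 0x84, 0x14C, 1, 0, 0, 0, 0xE0, 0x102)  # IMAGE_FILE_HEADER
    struct.pack_into("<H", img, 0x98, 0x10B)                                  # optional header magic: PE32
    struct.pack_into("<II", img, 0x98 + 96 + 8, 0x200, 60)                    # DataDirectory[IMPORT]: RVA, size
    names = {}
    for rva, func in ((0x300, "CreateFileW"), (0x320, "GetModuleHandleA"), (0x340, "MessageBoxW")):
        img[rva + 2:rva + 2 + len(func)] = func.encode()                      # IMAGE_IMPORT_BY_NAME: WORD hint, name
        names[func] = rva
    img[0x360:0x36C] = b"KERNEL32.dll"
    img[0x380:0x38A] = b"USER32.dll"
    # IMAGE_IMPORT_DESCRIPTOR: OriginalFirstThunk, TimeDateStamp, ForwarderChain, Name, FirstThunk;
    # the third descriptor stays all-zero as the terminator.
    struct.pack_into("<IIIII", img, 0x200, 0x240, 0, 0, 0x360, 0x260)
    struct.pack_into("<IIIII", img, 0x214, 0x280, 0, 0, 0x380, 0x2A0)
    for off in (0x240, 0x260):   # kernel32 INT and IAT: both hold name RVAs before the loader runs
        struct.pack_into("<III", img, off, names["CreateFileW"], names["GetModuleHandleA"], 0)
    for off in (0x280, 0x2A0):   # user32 INT and IAT
        struct.pack_into("<II", img, off, names["MessageBoxW"], 0)
    return img


def _cstr(img, off):
    return bytes(img[off:img.index(b"\0", off)]).decode("ascii")


def _headers(img):
    """Validate the MZ/PE signatures; return (optional header offset, thunk struct format)."""
    e_lfanew = struct.unpack_from("<I", img, 0x3C)[0]
    if img[:2] != b"MZ" or img[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    opt = e_lfanew + 24
    magic = struct.unpack_from("<H", img, opt)[0]
    return opt, ("<I" if magic == 0x10B else "<Q")   # PE32 thunks are 32-bit, PE32+ 64-bit


def import_descriptors(img):
    """Yield (DLL name, OriginalFirstThunk RVA, FirstThunk RVA) up to the all-zero terminator."""
    opt, fmt = _headers(img)
    dir_off = opt + (96 if fmt == "<I" else 112) + 8 * IMAGE_DIRECTORY_ENTRY_IMPORT
    rva = struct.unpack_from("<I", img, dir_off)[0]
    while rva:
        oft, _stamp, _fwd, name_rva, ft = struct.unpack_from("<IIIII", img, rva)
        if name_rva == 0:
            break
        yield _cstr(img, name_rva), oft, ft
        rva += 20


def iat_slots(img, dll):
    """Map function name -> offset of its IAT slot for one DLL (case-insensitive, like lstrcmpiA)."""
    _, fmt = _headers(img)
    size = struct.calcsize(fmt)
    by_ordinal = 1 << (8 * size - 1)
    slots = {}
    for name, oft, ft in import_descriptors(img):
        if name.lower() != dll.lower():
            continue
        name_table = oft or ft   # old linkers leave OriginalFirstThunk 0; names are then in FirstThunk
        i = 0
        while True:
            entry = struct.unpack_from(fmt, img, name_table + i * size)[0]
            if entry == 0:
                break
            if not entry & by_ordinal:   # ordinal imports carry no name and are skipped here
                slots[_cstr(img, entry + 2)] = ft + i * size
            i += 1
    return slots


def resolve_imports(img, exports):
    """Stand-in for the loader: write each export's (constructed) address into its IAT slot."""
    _, fmt = _headers(img)
    for dll, _oft, _ft in import_descriptors(img):
        for func, slot in iat_slots(img, dll).items():
            struct.pack_into(fmt, img, slot, exports[dll.lower()][func])


def hook_import(img, dll, func, new_addr):
    """Shim-engine step 4: overwrite one IAT slot. Returns the previous address so the
    shim can chain to the original implementation."""
    _, fmt = _headers(img)
    slot = iat_slots(img, dll)[func]
    old = struct.unpack_from(fmt, img, slot)[0]
    struct.pack_into(fmt, img, slot, new_addr)
    return old


if __name__ == "__main__":
    image = build_sample_image()
    resolve_imports(image, FAKE_EXPORTS)
    original = hook_import(image, "kernel32.dll", "CreateFileW", SHIM_CORRECTFILEPATHS)
    print("CreateFileW slot 0x%x: 0x%x -> 0x%x" % (
        iat_slots(image, "kernel32.dll")["CreateFileW"], original, SHIM_CORRECTFILEPATHS))
```

The slot is found by name through the INT (OriginalFirstThunk) so that it can still be located after the loader has replaced the IAT entries with addresses; the sample code instead matches on the current address, which is the only option when OriginalFirstThunk is zero.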
How Shims are Loaded
• Shims are applied per executable
• Loader maps executable and statically linked DLLs into memory
• Shim engine applies API hooks
• Run initialization routines
(Figure: inside the process, the application's call to CreateFileW is redirected from the Kernel32.dll implementation to the CorrectFilePaths implementation in the shim DLL.)
Shim Includes and Excludes
(Figure: modules in the process that each import CreateFile through their own IAT: App.exe, Custom1.dll, Custom2.dll, Crypt32.dll, Msxml3.dll, Urlmon.dll. Includes and excludes select which of these module IATs the shim engine patches.)
Determining Shims to Load: Matching Information
• Called by Kernel32!CreateProcessInternalW
• Compares file attributes of the exe: Product Name, Product Version, Company Name, Size, Checksum, etc.
• DLLs: GetProcAddress is itself shimmed, so APIs resolved dynamically are hooked too
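The matching step above, as an added example (not the shim engine's code): a record lists only the attributes it cares about, and each one must agree with the executable. The checksum compared is assumed to be the PE header's CheckSum as CheckSumMappedFile computes it, recomputed here in pure Python; the record tag names, the Contoso/Fabrikam strings and the 512-byte stand-in image are constructed, and version-resource strings are passed in rather than parsed from VS_VERSIONINFO.

```python
"""Match an executable against SDB-style records: version strings plus size and PE checksum."""
import struct

# Constructed 512-byte stand-in for an executable: MZ/PE headers with a PE32 magic, nothing else.
SAMPLE_IMAGE = bytearray(0x200)
SAMPLE_IMAGE[0:2] = b"MZ"
struct.pack_into("<I", SAMPLE_IMAGE, 0x3C, 0x40)          # e_lfanew
SAMPLE_IMAGE[0x40:0x44] = b"PE\0\0"
struct.pack_into("<H", SAMPLE_IMAGE, 0x40 + 24, 0x10B)    # IMAGE_OPTIONAL_HEADER.Magic = PE32

# Version-resource strings the shim engine would read from the exe (constructed here).
SAMPLE_STRINGS = {"PRODUCT_NAME": "Contoso Ledger", "PRODUCT_VERSION": "1.0.0.0",
                  "COMPANY_NAME": "Contoso"}

# Constructed match records in the style of an SDB: each names only the attributes it tests.
SAMPLE_RECORDS = [
    {"PRODUCT_NAME": "Contoso Ledger", "COMPANY_NAME": "Contoso"},          # any build of the product
    {"PRODUCT_NAME": "Contoso Ledger", "SIZE": 0x200, "CHECKSUM": 0xA2E8},   # this exact binary only
    {"COMPANY_NAME": "Fabrikam"},                                            # unrelated vendor
]


def pe_checksum(data):
    """Recompute IMAGE_OPTIONAL_HEADER.CheckSum the way CheckSumMappedFile does (assumed to be
    the 'Checksum' the matcher compares): sum the file as 32-bit words with end-around carry,
    skipping the CheckSum field itself, fold to 16 bits, then add the file length."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    checksum_field = e_lfanew + 4 + 20 + 64            # offset 0x40 within the optional header
    padded = bytes(data) + b"\0" * (-len(data) % 4)
    total = 0
    for off in range(0, len(padded), 4):
        if off == checksum_field:
            continue
        total += struct.unpack_from("<I", padded, off)[0]
        total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total += total >> 16
    return (total & 0xFFFF) + len(data)


def exe_attributes(data, version_strings):
    """Everything a record may test: version strings, file size, and the recomputed checksum."""
    return dict(version_strings, SIZE=len(data), CHECKSUM=pe_checksum(data))


def matches(record, attrs):
    """SDB-style match: every attribute the record names must agree; absent ones are wildcards."""
    return all(attrs.get(key) == value for key, value in record.items())


def matching_records(data, version_strings, records=SAMPLE_RECORDS):
    """Indices of the records whose shims would be applied to this executable."""
    attrs = exe_attributes(data, version_strings)
    return [i for i, record in enumerate(records) if matches(record, attrs)]


if __name__ == "__main__":
    print("checksum 0x%04x" % pe_checksum(SAMPLE_IMAGE), matching_records(SAMPLE_IMAGE, SAMPLE_STRINGS))
    patched = bytearray(SAMPLE_IMAGE)
    patched[0x100] = 1   # one byte changed: the string-only record still matches, the checksum record does not
    print(matching_records(patched, SAMPLE_STRINGS))
```

Pinning a record to SIZE and CHECKSUM is what keeps a fix from silently applying to a later build of the same product; the trade-off, visible in the one-byte change above, is that any rebuild or patch of the binary drops the record and the shim with it.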
Compatibility Modes (Layers)
• Collection of shims to address scenarios: emulating a specific OS, or a compatibility condition
• Some shown on the Compatibility tab
Shim Databases
• Application matching information
• Known compatibility issues: shipped with Windows, updated via Windows Update
• System sdb: %windir%\apppatch
• Custom sdbs: %windir%\apppatch\custom
Deploying Custom SDBs
• Copy the SDB to the target machine: startup script, Group Policy, file copy
• Call %windir%\system32\sdbinst.exe
  sdbinst [-?] [-q] [-u] [-g] [-p] [-n[:WIN32|WIN64]] foo.sdb | {guid} | "name"
  • -p  Allow SDBs containing patches
  • -q  Quiet mode; no message boxes will appear
  • -u  Uninstall
  • -g {guid}  GUID of file (uninstall only)
  • -n "name"  Internal name of file (uninstall only)
Shim Debug Spew
• [HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags]
  "ShowDebugInfo"=dword:00000009
• View the output in a debugger, DebugView, etc.
Shim Logging
• Environment variables:
  reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" /v SHIM_DEBUG_LEVEL /t REG_SZ /d 9 /f
  reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" /v SHIM_FILE_LOG /t REG_SZ /d logfile.txt /f
• The log is written to %appdata%\logfile.txt
demo
Web Applications

Compatibility View in IE10
(Figure: matrix of document modes (IE5 Quirks, IE6 Std., IE7 Std., IE8 Std., IE9 Std., Interop Quirks, IE10 Std.) against browser versions IE5 through IE10.)
demo
© 2013 Microsoft Corporation. All rights reserved. Microsoft, Windows and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.