{"id":7017,"date":"2020-03-18T00:52:20","date_gmt":"2020-03-18T00:52:20","guid":{"rendered":"http:\/\/www.hexacorn.com\/blog\/?p=7017"},"modified":"2020-03-20T18:09:49","modified_gmt":"2020-03-20T18:09:49","slug":"shimbad-the-sailor","status":"publish","type":"post","link":"https:\/\/www.hexacorn.com\/blog\/2020\/03\/18\/shimbad-the-sailor\/","title":{"rendered":"ShimBad the Sailor"},"content":{"rendered":"\n<p>Application Shims have been extensively covered by security researchers &#8211; a very comprehensive overview of the available techniques was presented at <a href=\"https:\/\/www.blackhat.com\/docs\/eu-15\/materials\/eu-15-Pierce-Defending-Against-Malicious-Application-Compatibility-Shims-wp.pdf\">Black Hat Europe 2015<\/a> (PDF warning) by Sean Pierce (<a href=\"https:\/\/twitter.com\/secure_sean\">@secure_sean<\/a>, who also hosts a page dedicated to the subject at <a href=\"https:\/\/sdb.tools\/\">https:\/\/sdb.tools\/<\/a>).<\/p>\n\n\n\n<p>I wondered if we could look at shims from a slightly different perspective, and this post is about that.<\/p>\n\n\n\n<p>What if&#8230;<\/p>\n\n\n\n<p>&#8230;we didn&#8217;t change anything, didn&#8217;t add any new entries, didn&#8217;t install any custom databases, etc.?<\/p>\n\n\n\n<p>What if&#8230;<\/p>\n\n\n\n<p>&#8230;we analyzed the shims that already ship with Windows and identified some that could do interesting things for us? 
We would then need to fulfill the conditions required for the shim to be triggered, and voila&#8230; we could now do things via a covert channel &#8211; that is, the shim engine would be doing the dirty deed and a casual observer would be none the wiser.<\/p>\n\n\n\n<p>Demo time.<\/p>\n\n\n\n<p>On Windows 7, the built-in shim database contains an entry for AOL Instant Messenger, keyed on the file name <em>aim.exe<\/em> and the following versioninfo properties:<\/p>\n\n\n\n<ul><li>CompanyName = America Online, Inc.<\/li><li>ProductName = AOL Instant Messenger<\/li><\/ul>\n\n\n\n<p>When the system detects such a program it applies a shim:<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-large\"><a href=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2020\/03\/shim_3-1.png\"><img decoding=\"async\" loading=\"lazy\" width=\"315\" height=\"145\" src=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2020\/03\/shim_3-1.png\" alt=\"\" class=\"wp-image-7024\" srcset=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2020\/03\/shim_3-1.png 315w, https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2020\/03\/shim_3-1-300x138.png 300w\" sizes=\"(max-width: 315px) 100vw, 315px\" \/><\/a><\/figure><\/div>\n\n\n\n<p>The shim loads a library named <em>rtvideo.dll<\/em> into the process. The executable itself does not need to reference that DLL at all; the load is performed by the shim engine because the file matched the database entry.<\/p>\n\n\n\n<p>I took a basic example from the masm32 package and changed the versioninfo properties of the file accordingly: <\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-large\"><a href=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2020\/03\/shim_2.png\"><img decoding=\"async\" loading=\"lazy\" width=\"431\" height=\"142\" src=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2020\/03\/shim_2.png\" alt=\"\" class=\"wp-image-7021\" srcset=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2020\/03\/shim_2.png 431w, https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2020\/03\/shim_2-300x99.png 300w\" sizes=\"(max-width: 431px) 100vw, 431px\" \/><\/a><\/figure><\/div>\n\n\n\n<p>and then compiled it, 
renamed it to aim.exe, and the phantom DLL was loaded into the program by the shim engine.<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-large\"><a href=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2020\/03\/shim_1.png\"><img decoding=\"async\" loading=\"lazy\" width=\"442\" height=\"149\" src=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2020\/03\/shim_1.png\" alt=\"\" class=\"wp-image-7018\" srcset=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2020\/03\/shim_1.png 442w, https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2020\/03\/shim_1-300x101.png 300w\" sizes=\"(max-width: 442px) 100vw, 442px\" \/><\/a><\/figure><\/div>\n\n\n\n<p>This is just a basic example of what is possible and available.<\/p>\n\n\n\n<p>Some of the shims create files, rename them, modify the stack, fake reading files, and so on. This offers a gamut of possibilities that are worth considering from various perspectives:<\/p>\n\n\n\n<ul><li>anti-sandbox, anti-analysis tricks<\/li><li>capture the flag tricks<\/li><li>after building a repo of shim gadgets one could potentially deliver a lot of functionality by using dummy, non-malicious files run in the proper sequence<ul><li>copy files<\/li><li>patch bytes (pre-Windows 10 only)<\/li><li>load DLLs<\/li><li>run executables<\/li><\/ul><\/li><li>the example with <em>aim.exe<\/em> is truly fascinating as it represents a possibly novel type of code injection: phantom sideloading<ul><li>we sideload a DLL with a predetermined name without calling any obvious function inside the .exe<\/li><li>in the example I am using a custom <em>aim.exe<\/em> that is just a quick &amp; dirty piece of test code; one could potentially find the legitimate, original <em>aim.exe<\/em> and play with that<\/li><li>the latter could potentially be signed<\/li><li>and, even better, might not even refer directly to <em>rtvideo.dll<\/em><\/li><li>as such, it could be a signed .exe phantom sideloading a DLL with a predetermined 
name, and in some cases becoming a potential phantom lolbin as well<\/li><\/ul><\/li><li>persistence is worth considering too<\/li><\/ul>\n\n\n\n<p>Now, this might have sounded a bit rosy, but the reality is that analysing shims is a bit of a pain &amp; the options they offer are still pretty limited. Yes, the number of really useful shims is pretty low, let alone those that meet all the cool requirements I listed above&#8230; As such, defenders shouldn&#8217;t worry about this trick too much&#8230; until this topic is explored a bit more \ud83d\ude42<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Application Shims have been extensively covered by security researchers &#8211; a very comprehensive overview of the available techniques was presented at BH2015 (PDF warning) by Sean Pierce (@secure_sean who also happens to host a page dedicated to the subject at &hellip; <a href=\"https:\/\/www.hexacorn.com\/blog\/2020\/03\/18\/shimbad-the-sailor\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[13,35,57,56,64],"tags":[],"_links":{"self":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/7017"}],"collection":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/comments?post=7017"}],"version-history":[{"count":5,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/7017\/revisions"}],"predecessor-version":[{"id":7028,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/7017\/revisions\/7028"}],"wp:attachment":[{"href":"https:\/\/www.hexac
orn.com\/blog\/wp-json\/wp\/v2\/media?parent=7017"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/categories?post=7017"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/tags?post=7017"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
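The post's trick rests on one step: the shim engine compares the executable's name and versioninfo strings against the matching criteria of an existing database entry, and only when every criterion matches does it apply the attached shims (here, loading rtvideo.dll). The following is an added example, not code from the post or from Microsoft's shim engine, that models that matching rule offline so you can ask "which entries would fire for this file, and which DLL names would be loaded without any import?" It assumes the database has been dumped to XML with tag names laid out like a sdb2xml-style dump (EXE, MATCHING_FILE, SHIM_REF, COMPANY_NAME, PRODUCT_NAME, COMMAND_LINE). The XML fragment is constructed for the example and is not a dump of sysmain.sdb: expressing the AIM entry as an InjectDll shim carrying the DLL name in COMMAND_LINE is an assumption, and the setup.exe entry is entirely hypothetical, there only to show a match that depends on a second file in the same directory.

```python
"""Offline matcher: which shim-database entries would fire for a given executable?

Added example, not code from the original post or from the shim engine. It models
the rule the engine applies: an EXE entry fires only when the file name matches
and every MATCHING_FILE under it matches (NAME="*" describes the executable
itself, any other NAME a file in the same directory); only then are its
SHIM_REFs applied. Tag names follow the layout of a sdb2xml-style dump.
"""
import fnmatch
import xml.etree.ElementTree as ET

# Constructed database fragment, NOT a dump of sysmain.sdb. Assumption: the AIM
# entry is expressed as an InjectDll shim carrying the DLL name in COMMAND_LINE.
# The setup.exe entry is entirely hypothetical and only shows a two-file match.
CONSTRUCTED_SDB_XML = """
<DATABASE>
  <EXE>
    <NAME>aim.exe</NAME>
    <APP_NAME>AOL Instant Messenger</APP_NAME>
    <MATCHING_FILE>
      <NAME>*</NAME>
      <COMPANY_NAME>America Online, Inc.</COMPANY_NAME>
      <PRODUCT_NAME>AOL Instant Messenger</PRODUCT_NAME>
    </MATCHING_FILE>
    <SHIM_REF>
      <NAME>InjectDll</NAME>
      <COMMAND_LINE>rtvideo.dll</COMMAND_LINE>
    </SHIM_REF>
  </EXE>
  <EXE>
    <NAME>setup.exe</NAME>
    <APP_NAME>Hypothetical Installer</APP_NAME>
    <MATCHING_FILE>
      <NAME>*</NAME>
      <PRODUCT_NAME>Hypothetical Installer</PRODUCT_NAME>
    </MATCHING_FILE>
    <MATCHING_FILE>
      <NAME>data.cab</NAME>
    </MATCHING_FILE>
    <SHIM_REF>
      <NAME>CorrectFilePaths</NAME>
    </SHIM_REF>
  </EXE>
</DATABASE>
"""

# MATCHING_FILE tags that are compared against versioninfo string fields.
VERSIONINFO_TAGS = {"COMPANY_NAME": "CompanyName", "PRODUCT_NAME": "ProductName",
                    "FILE_DESCRIPTION": "FileDescription", "INTERNAL_NAME": "InternalName"}


def _text(elem, tag):
    child = elem.find(tag)
    return child.text.strip() if child is not None and child.text else None


def _file_matches(mf, versioninfo):
    """Every versioninfo attribute named on the MATCHING_FILE must match (case-insensitive)."""
    if versioninfo is None:  # the file is not present in the directory at all
        return False
    for tag, field in VERSIONINFO_TAGS.items():
        wanted = _text(mf, tag)
        if wanted is not None and wanted.lower() != (versioninfo.get(field) or "").lower():
            return False
    return True


def matching_shims(db_xml, exe_name, directory):
    """Return [(app_name, shim_name, command_line)] for every entry that would fire.

    directory maps lower-case file names in the executable's folder to their
    versioninfo dicts; the executable itself is directory[exe_name.lower()].
    """
    hits = []
    for exe in ET.fromstring(db_xml).iter("EXE"):
        if not fnmatch.fnmatchcase(exe_name.lower(), (_text(exe, "NAME") or "").lower()):
            continue
        files_ok = True
        for mf in exe.findall("MATCHING_FILE"):
            name = _text(mf, "NAME") or "*"
            target = exe_name if name == "*" else name
            if not _file_matches(mf, directory.get(target.lower())):
                files_ok = False
                break
        if files_ok:
            for ref in exe.findall("SHIM_REF"):
                hits.append((_text(exe, "APP_NAME"), _text(ref, "NAME"), _text(ref, "COMMAND_LINE")))
    return hits


def phantom_dll_loads(db_xml, exe_name, directory):
    """DLL names the engine would load into the process without any import in the binary."""
    return [cmd for _, shim, cmd in matching_shims(db_xml, exe_name, directory)
            if shim == "InjectDll" and cmd]


if __name__ == "__main__":
    aim = {"CompanyName": "America Online, Inc.", "ProductName": "AOL Instant Messenger"}
    print(phantom_dll_loads(CONSTRUCTED_SDB_XML, "aim.exe", {"aim.exe": aim}))  # ['rtvideo.dll']
    print(phantom_dll_loads(CONSTRUCTED_SDB_XML, "aim.exe", {"aim.exe": {"ProductName": "Other"}}))  # []
```

To use this against a real machine rather than the constructed fragment, dump %SystemRoot%\AppPatch\sysmain.sdb to XML with a tool such as sdb2xml and read the candidate binary's versioninfo strings (for instance with PowerShell's [System.Diagnostics.FileVersionInfo]::GetVersionInfo). The same matcher serves both sides of the post: an attacker uses it to find which name and strings a dummy binary needs, and a responder uses it to learn which DLL name to expect in image-load telemetry for a process that, on paper, imports nothing of the kind.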