![\"\"](\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2020\/03\/shim_xp_1.png\"){kind=spacer}
<\/a><\/figure><\/div>\n\n\n\nSo, if you happen to name your executable one of these:<\/p>\n\n\n\n
- WindowsXPAppsHelpMechanismBlockedTestApp.exe<\/li>
- WindowsXPAppsHelpMechanismTestApp.exe<\/li><\/ul>\n\n\n\n
you can immediately see their effect after you try to run them on XP:<\/p>\n\n\n\n
WindowsXPAppsHelpMechanismBlockedTestApp.exe <\/strong><\/p>\n\n\n\n
![\"\"](\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2020\/03\/shim_xp_2.png\")
<\/a><\/figure><\/div>\n\n\n\nWindowsXPAppsHelpMechanismTestApp.exe<\/strong><\/p>\n\n\n\n
![\"\"](\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2020\/03\/shim_xp_3.png\")
<\/a><\/figure><\/div>\n\n\n\nOn Win7 we got a few more:<\/p>\n\n\n\n
- AppsHelpMechanismTestAppBadMsg.exe<\/li>
- AppsHelpMechanismTestAppBadMsgBlocked.exe<\/li>
- WindowsXPAppsHelpMechanismBlockedTestApp.exe<\/li>
- WindowsXPAppsHelpMechanismTestApp.exe<\/li><\/ul>\n\n\n\n
The first one runs with no issues.<\/p>\n\n\n\n
The second one is blocked without any indication.<\/p>\n\n\n\n
The visible messages are as follows:<\/p>\n\n\n\n
WindowsXPAppsHelpMechanismBlockedTestApp.exe<\/strong><\/p>\n\n\n\n
![\"\"](\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2020\/03\/shim_7_3.png\")
<\/a><\/figure><\/div>\n\n\n\nWindowsXPAppsHelpMechanismTestApp.exe <\/strong><\/p>\n\n\n\n
![\"\"](\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2020\/03\/shim_7_4.png\")
<\/a><\/figure><\/div>\n\n\n\nFinally, on Win10 it goes as follows:<\/p>\n\n\n\n
- AppsHelpMechanismTestAppBadMsg.exe<\/li>
- AppsHelpMechanismTestAppBadMsgBlocked.exe<\/li>
- BlockedTestApp_AMD64.exe<\/li>
- BlockedTestApp_AMD64_ANY.exe<\/li>
- BlockedTestApp_WOW64.exe<\/li>
- BlockedTestApp_X86_AMD64.exe<\/li>
- BlockedTestApp_X86_ANY.exe<\/li>
- BlockedTestApp_X86_WOW.exe<\/li>
- WindowsXPAppsHelpMechanismBlockedTestApp.exe<\/li>
- WindowsXPAppsHelpMechanismBlockedTestApp2.exe<\/li>
- WindowsXPAppsHelpMechanismBlockedTestAppSpecific.exe<\/li><\/ul>\n\n\n\n
and visible outputs are:<\/p>\n\n\n\n
AppsHelpMechanismTestAppBadMsgBlocked.exe <\/strong>\/
BlockedTestApp_WOW64.exe \/ <\/strong>
BlockedTestApp_X86_AMD64.exe <\/strong>\/
BlockedTestApp_X86_ANY.exe<\/strong> \/
BlockedTestApp_X86_WOW.exe<\/strong> \/
WindowsXPAppsHelpMechanismBlockedTestApp.exe<\/strong> \/
WindowsXPAppsHelpMechanismBlockedTestApp2.exe<\/strong> \/
WindowsXPAppsHelpMechanismBlockedTestAppSpecific.exe<\/strong><\/p>\n\n\n\n![\"\"](\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2020\/03\/shim_10_5.png\")
<\/a><\/figure><\/div>\n\n\n\nOkay. That’s it.<\/p>\n\n\n\n
Hmm not really… digging through internals of SDB on Windows 10 one more time I gathered the following (and hopefully complete) list of all the the test suite items:<\/p>\n\n\n\n
- AppsHelpMechanismTestAppBadMsg.exe<\/li>
- AppsHelpMechanismTestAppBadMsgBlocked.exe<\/li>
- BlockedTestApp_AMD64.exe<\/li>
- BlockedTestApp_AMD64_ANY.exe<\/li>
- BlockedTestApp_WOW64.exe<\/li>
- BlockedTestApp_X86_AMD64.exe<\/li>
- BlockedTestApp_X86_ANY.exe<\/li>
- BlockedTestApp_X86_WOW.exe<\/li>
- WICAMockAppReinstallUpgrade.exe<\/li>
- WICAMockAppReinstallUpgrade2.exe<\/li>
- WICAMockAppReinstallUpgrade3.exe<\/li>
- WICAMockAppReinstallUpgradeInfo.exe<\/li>
- WICAMockAppReinstallUpgradeWarn.exe<\/li>
- WICAMockAppReinstallUpgradeWarnBackup.exe<\/li>
- WindowsTH_BlockedSetupTestApp.exe<\/li>
- WindowsTH_TestApp_HardBlock_FWLink.exe<\/li>
- WindowsTH_TestApp_HardBlock_KBArticle.exe<\/li>
- WindowsTH_TestApp_HardBlock_NoInfo.exe<\/li>
- WindowsTH_TestApp_HardBlock_StoreId.exe<\/li>
- WindowsTH_TestApp_HardBlock_Wildcard1.exe<\/li>
- WindowsTH_TestApp_HardBlock_Wildcard2.exe<\/li>
- WindowsTH_TestApp_SoftBlock_FWLink.exe<\/li>
- WindowsTH_TestApp_SoftBlock_KBArticle.exe<\/li>
- WindowsTH_TestApp_SoftBlock_NoInfo.exe<\/li>
- WindowsTH_TestApp_SoftBlock_StoreId.exe<\/li>
- WindowsXPAppsHelpMechanismBlockedTestApp.exe<\/li>
- WindowsXPAppsHelpMechanismBlockedTestApp2.exe<\/li>
- WindowsXPAppsHelpMechanismBlockedTestAppSpecific.exe<\/li>
- WindowsXPAppsHelpMechanismTestApp.exe<\/li>
- WindowsXPAppsHelpMechanismTestApp2.exe<\/li>
- WindowsXPAppsHelpMechanismTestAppSpecific.exe<\/li><\/ul>\n\n\n\n
So, how could you use it for malicious purposes? I dunno… One thought I have is about emulators. If you created a child process using one of these names (creation of such process should fail by SHIM design), could you use the successful exitcode from that process to detect an emulator?<\/p>\n","protected":false},"excerpt":{"rendered":"
This part is more about archaeology than anything else. The built-in SHIM database includes a number of test shims, which I will cover below. On Windows XP, you will find these two: So, if you happen to name your executable … Continue reading