Defending Against Malicious Application Compatibility Shims

Presented at Black Hat Europe 2015

The Application Compatibility Toolkit (ACT) is an important component of the Microsoft Application Compatibility ecosystem and holds a position of considerable tactical value on modern computer systems, but it is currently not well known to those in the security industry. Microsoft specifically designed the ACT to intercept application API calls, alter the Portable Executable (PE) file loading process, and subvert the integrity of a number of key systems, which, ironically, is the type of functionality seen in advanced rootkits. In my talk, I will demonstrate how the ACT is used to create Shim Database Files (sdb files, or shims), which are simple to produce, easy to install, flexible, and stealthy. While the ACT offers an excellent post-exploitation avenue for novice attackers, a number of sophisticated actors have been observed leveraging the Application Compatibility Framework for advanced persistence and privilege escalation. I will go on to show far more advanced techniques such as in-memory patching, malware obfuscation, evasion, and system integrity subversion using malicious shims. To aid defenders, I have released a number of tools that detect and prevent shimming. I will also demonstrate the offensive capabilities of malicious shims, along with numerous examples of how defenders can employ my publicly available countermeasures. These tools can be used by enterprise-wide defenders/responders, single-host administrators, and application developers to better protect their environments. I will also demonstrate triage techniques that defenders can use for quick analysis, via publicly available tools, to determine an sdb file's general functionality.
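As an added example (not one of the presenter's tools and not code from the talk), the following PowerShell script enumerates the shim databases a Windows host has registered, giving a responder a first look at whether custom sdb files are installed and which executables they apply to. It assumes the registry keys under AppCompatFlags and the AppPatch\Custom directories that sdbinst.exe writes on current Windows versions.

```powershell
# Added example: inventory installed shim databases (SDBs) on a Windows host.
# Assumes the registry layout written by sdbinst.exe:
#   InstalledSDB\{GUID}  -> DatabasePath, DatabaseDescription, DatabaseInstallTimeStamp
#   Custom\<exe name>    -> one value per applied database, named "{GUID}.sdb"
$installedKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB'
$customKey    = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom'
$customDirs   = @("$env:SystemRoot\AppPatch\Custom", "$env:SystemRoot\AppPatch\Custom\Custom64")

function Get-InstalledShimDatabases {
    # One object per registered database; FileExists catches keys left behind
    # after an sdb file was deleted (or a file dropped without registration).
    if (-not (Test-Path $installedKey)) { return @() }
    Get-ChildItem $installedKey | ForEach-Object {
        $p = Get-ItemProperty $_.PSPath
        [pscustomobject]@{
            Guid        = $_.PSChildName
            Path        = $p.DatabasePath
            Description = $p.DatabaseDescription
            InstalledAt = $p.DatabaseInstallTimeStamp   # FILETIME as QWORD
            FileExists  = if ($p.DatabasePath) { Test-Path $p.DatabasePath } else { $false }
        }
    }
}

function Get-ShimmedExecutables {
    # Maps each executable name under Custom to the databases applied to it.
    if (-not (Test-Path $customKey)) { return @() }
    Get-ChildItem $customKey | ForEach-Object {
        $exe = $_.PSChildName
        (Get-ItemProperty $_.PSPath).PSObject.Properties |
            Where-Object { $_.Name -like '*.sdb' } |
            ForEach-Object { [pscustomobject]@{ Executable = $exe; Database = $_.Name } }
    }
}

function Get-OrphanedSdbFiles {
    # sdb files in AppPatch\Custom that no InstalledSDB entry references;
    # sdbinst normally writes the file and the key together, so a mismatch
    # is worth a closer look.
    $registered = @(Get-InstalledShimDatabases | ForEach-Object { $_.Path })
    foreach ($dir in $customDirs) {
        if (Test-Path $dir) {
            Get-ChildItem $dir -Filter *.sdb -File |
                Where-Object { $registered -notcontains $_.FullName }
        }
    }
}

Get-InstalledShimDatabases | Format-Table -AutoSize
Get-ShimmedExecutables     | Format-Table -AutoSize
Get-OrphanedSdbFiles       | Select-Object FullName, LastWriteTime
```

On a clean workstation the Custom key and directories are usually empty, so any entry at all is a lead; the DatabasePath and timestamp can then be compared against change records before the sdb file itself is triaged.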


Presenters:

  • Sean Pierce - iSIGHT Partners
    Sean Pierce is a Technical Intelligence Analyst for iSIGHT Partners. Sean currently specializes in reverse engineering malware and threat emulation, and in the past has worked on incident response, botnet tracking, security research, automation, and quality control. Prior to working at iSIGHT Partners, he was an academic researcher and part-time lecturer at the University of Texas at Arlington, where he earned a Bachelor's in Computer Engineering with a minor in Math. Sean also does freelance consulting, penetration testing, forensics, and computer security education. He is an Eagle Scout and enjoys learning how things work.
