SHIM me what you got - Manipulating Shim and Office for Code Injection

Presented at DEF CON 32 (2024), Aug. 10, 2024, 11 a.m. (45 minutes).

This talk brings back from the dead an attack surface that security vendors believed they had addressed long ago. We will introduce a novel, stealthy technique for applying malicious shims to a process that requires no registry modification or SDB files and leaves no traces on disk. We will show the reverse engineering of the shim infrastructure, focusing on its undocumented API and its kernel driver. The various operations the infrastructure offers will be analyzed from an offensive point of view, and we will walk through the path we took to arrive at this technique. In addition, we will unveil attack surface research that resulted in a noteworthy attack which manipulates two different OS components into performing DLL injection and privilege escalation. Researching the undocumented RPC interfaces of the OfficeClickToRun.exe service uncovered a method that can inject a DLL into another process running as “NT AUTHORITY\SYSTEM”, which achieves privilege escalation. For this to work, specific conditions had to be met; we will show how we tailored those conditions by abusing the Opportunistic Lock and Application Compatibility (shim) mechanisms.

References:

  1. [link](https://learn.microsoft.com/en-us/windows/win32/fileio/opportunistic-locks)
  2. [link](https://learn.microsoft.com/en-us/windows/win32/devnotes/application-compatibility-database)
  3. [link](https://www.blackhat.com/docs/eu-15/materials/eu-15-Pierce-Defending-Against-Malicious-Application-Compatibility-Shims-wp.pdf)
  4. [link](https://www.blackhat.com/docs/asia-14/materials/Erickson/WP-Asia-14-Erickson-Persist-It-Using-And-Abusing-Microsofts-Fix-It-Patches.pdf)

Presenters:

  • David Shandalov - Security Researcher at Deep Instinct
    David Shandalov works as a security researcher at Deep Instinct. His role involves researching and identifying new cyber threats and vulnerabilities and developing tools for threat detection and analysis. David began his journey in cybersecurity as a malware researcher at Check Point and, prior to that, served in the IDF's intelligence corps. Outside of research, David enjoys flying and is currently working on obtaining his Private Pilot License.
  • Ron Ben-Yizhak - Security Researcher at Deep Instinct
    Ron Ben-Yizhak is a security researcher at Deep Instinct. He is responsible for research into malware campaigns, attack surfaces and vectors, and evasion techniques. His findings are used to develop new analysis, detection, and mitigation capabilities. Ron joined Deep Instinct in 2019 after serving as a security researcher and forensics specialist in one of the IDF's elite cyber units.