Thread: Looking for information on Shims

  1. #1
    why06
    Guest

    Looking for information on Shims

    Hi, I'm new guy #10678, good to meet you all.

    So long story short. Shim Engine is a DLL (shimeng.dll) used by the Microsoft Application Compatibility Interface. This interface is used to provide compatibility for certain older applications that relied on faulty, deprecated, or replaced APIs, so they still function in newer versions of Windows like Win 7, Vista, and beyond. What it does is take these APIs and replace them with its own code to some extent.

    references:
    http://www.woodmann.com/forum/archive/index.php/t-11058.html
    http://en.wikipedia.org/wiki/Shim_%28computing%29
    http://hi.baidu.com/007ware/blog/item/dcbcc11acc52b9138618bfda.html
    http://myitforum.com/cs2/blogs/kkaminski/archive/2010/01/30/app-v-and-application-compatibility-shims.aspx

    I came across this phenomenon of shimming while trying out Lena's Reversing for Newbies (http://tuts4you.com/download.php?list.17). I started off going through the tutorials pretty easily; it wasn't until I got to the unpacking tutorials (halfway through) that I began experiencing a lot of problems. I would notice that even after unpacking and fixing the imports there would be 1 or 2 imports that were still off. I noticed calls to a module called shimeng.dll. I ignored this at first, thinking it was some unidentified packer utility Lena just forgot to tell me about, but as I progressed I kept seeing the same phenomenon pop up again and again, and not in just one, but multiple packers. Finally I had enough. I couldn't understand what was going on! The packer wasn't the code changing the addresses, and it was being done before the app even loaded. So I started an app normally and attached to it, then I started the same app in Olly. One had the Shim Engine loaded and the other did not. I immediately hit my buddy up to take a look too, and he helped me find some of the links I posted and helped me figure out this is all part of the ACI.

    Now I'm trying to find out more about it. I have some general ideas how it works, but am looking for some real documentation by MS on why and how it triggers, all the way down to how the APIs are overwritten. Somehow these hooks are even working on packed IATs before the program even unpacks. Now that seems like a powerful tool for some really advanced hooking, but I have no idea how it works. I could try reversing, but I'm a novice as you see, and these modules are loaded before the EntryPoint is even broken on when Olly loads the app. So I came across this forum in my search and thought maybe someone here knows about the ACI.

    So I'm looking to you guys. Any advice on how I might try reversing the ACI based on the links I posted, or any links to MS documentation of the ACI?

    EDIT: Sorry I can't get the links to work for some reason.
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  2. #2
    BanMe
    load shimeng.dll into olly?...:}

    http://www.alex-ionescu.com/?m=200705 ..but it seems you want the 'roots'..

    I've no clue why the 'forum' underlined this..but 'it' could be my '.. continuations..' :[ sorry..
    Last edited by BanMe; February 22nd, 2011 at 22:15.
    No hate for the lost children;
    more love for the paths we walk,
    'words' shatter the truth we seek.
    from the heart and mind of Me
    me, to you.. down and across

    No more words from me, to you...
    Hate and love shatter the heart and Mind of Me.
    For the Lost Children;For the paths we walk; the real truth we seek!

  3. #3
    Kayaker
    Hi, welcome to the board. Embedded links don't work on the forum, and external links aren't clickable; this is by design.

    Interesting stuff, I never really paid much attention to that before. Unfortunately Alex Ionescu never finished the series on the Shim Engine or released his Compatibility Database Dumper.

    After a brief look, though, I'm thinking that the dumper is based on using the Application Compatibility Database APIs available in apphelp.dll.
    http://msdn.microsoft.com/en-us/library/bb432182(v=VS.85).aspx

    I might suggest that the best way to start understanding this is to code a similar dumper using that infrastructure. For example, looking at /%windir%/AppPatch/sysmain.sdb in a hex editor, I can see the same dump output as listed in one of Alex's blogs:

    NAME="AddProcessParametersFlags"
    DLLFILE="AcGenral.DLL"
    DESCRIPTION="Add flags to Peb-ProcessParameter-Flags. The flags are a ULONG. Specify it as a hex number (so at most 8 digits)."
    Of course there's also the whole Application Compatibility Toolkit to go through for any useful information there.

    I also noticed the involvement of the Compatibility Database Installer tool (Sdbinst.exe), which might be able to be used for "practical" reversing purposes.

    You can use Sdbinst.exe to register a custom database that you create with the Compatibility Administration tool.
    http://support.microsoft.com/kb/308235


    Thanks for bringing this up again, perhaps some might be interested in a community involvement to take up where Alex Ionescu's blog left off on this topic.

    Kayaker

  4. #4
    why06
    Guest
    Quote Originally Posted by Kayaker:
    I might suggest that the best way to start understanding this is to code a similar dumper using that infrastructure.

    You can use Sdbinst.exe to register a custom database that you create with the Compatibility Administration tool.
    http://support.microsoft.com/kb/308235
    I think you're right. I looked around on the MSDN pages under Application Compatibility and a lot of stuff came up. I think the best way would be to create my own custom AC database.

    I found this article which explains on a reverse engineering level exactly what a compatibility fix does: http://technet.microsoft.com/en-us/library/cc794689%28WS.10%29.aspx
    The API: http://msdn.microsoft.com/en-us/library/bb432182%28v=VS.85%29.aspx
    and a tool for seeing the databases
    http://blogs.msdn.com/heaths/pages/sdb2xml.aspx

    A bit sleepy now, but I might look into this tomorrow, nice meeting you all.

    EDIT: Wow, why am I up @ 2:00AM? Well, I found an awesome video from the guys that do the shimming. http://channel9.msdn.com/shows/Developer+Meet+Server/Application-Compatibility-Debugging/
    Last edited by why06; February 23rd, 2011 at 02:51.
    I promise that I have read the FAQ and tried to use the Search to answer my question.
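Kayaker's suggestion of coding a dumper (post #3) and why06's pointer to the sdb2xml tool (post #4) both come down to walking the tag stream inside a .sdb file. The following is an added example, not code from either poster, from Alex Ionescu, or from Microsoft: a small Python reader that parses the tag stream of an .sdb, resolves STRINGREF values through the TAG_STRINGTABLE, and prints the NAME/DLLFILE/DESCRIPTION of each SHIM entry in the same shape as the dump quoted in post #3. The tag ids and the layout it assumes (12-byte header, value type in the tag's upper nibble, STRINGREF offsets relative to the string table tag header) are taken from public reimplementations of apphelp and are an assumption of this example, not something the thread documents; the sample database it builds is constructed here and is not taken from sysmain.sdb.

```python
"""Minimal reader for Windows Application Compatibility databases (.sdb).
Layout assumed (from public apphelp reimplementations; treat as an assumption): 12-byte header
(major, minor, "sdbf"), then 16-bit tags whose upper nibble is the value type; LIST/STRING/BINARY
carry a DWORD size; a STRINGREF is a byte offset relative to the TAG_STRINGTABLE tag header."""
import struct
import sys
from typing import Any, Iterator, List, NamedTuple

TAG_TYPE_MASK, TAG_TYPE_LIST, TAG_TYPE_STRING, TAG_TYPE_BINARY = 0xF000, 0x7000, 0x8000, 0x9000
FIXED_SIZE = {0x1000: 0, 0x2000: 1, 0x3000: 2, 0x4000: 4, 0x5000: 8, 0x6000: 4}  # NULL..STRINGREF
# the few tag ids this dumper needs (values as used by apphelp.dll; assumed, see docstring)
TAG_DATABASE, TAG_LIBRARY, TAG_SHIM = 0x7001, 0x7002, 0x7004
TAG_STRINGTABLE, TAG_STRINGTABLE_ITEM = 0x7801, 0x8801
TAG_NAME, TAG_DESCRIPTION, TAG_DLLFILE = 0x6001, 0x6002, 0x600A

# offset = file offset of the tag header (needed to resolve STRINGREFs);
# value = int, str, bytes, None, or a list of child Nodes
Node = NamedTuple("Node", [("tag", int), ("offset", int), ("value", Any)])

def _parse_tags(data: bytes, start: int, end: int) -> Iterator[Node]:
    """Yield the tags in data[start:end]; LIST tags recurse into their children."""
    pos = start
    while pos + 2 <= end:
        off, (tag,) = pos, struct.unpack_from("<H", data, pos)
        pos, ttype = pos + 2, tag & TAG_TYPE_MASK
        if ttype in FIXED_SIZE:
            size = FIXED_SIZE[ttype]
        elif ttype in (TAG_TYPE_LIST, TAG_TYPE_STRING, TAG_TYPE_BINARY) and pos + 4 <= end:
            (size,) = struct.unpack_from("<I", data, pos)
            pos += 4
        else:
            raise ValueError(f"bad tag {tag:#06x} at offset {off}")
        if pos + size > end:   # a corrupt size must not read past the container
            raise ValueError(f"tag {tag:#06x} at offset {off} overruns its container")
        chunk = data[pos:pos + size]
        if ttype == TAG_TYPE_LIST:
            value: Any = list(_parse_tags(data, pos, pos + size))
        elif ttype == TAG_TYPE_STRING:
            value = chunk.decode("utf-16-le").rstrip("\x00")
        else:   # BINARY stays raw; fixed-size numbers are little-endian; NULL has no value
            value = chunk if ttype == TAG_TYPE_BINARY else (int.from_bytes(chunk, "little") if size else None)
        yield Node(tag, off, value)
        pos += size

def parse_sdb(data: bytes) -> List[Node]:
    """Check the 12-byte header and return the top-level tags."""
    if len(data) < 12 or data[8:12] != b"sdbf":
        raise ValueError("not an sdb file: bad magic")
    return list(_parse_tags(data, 12, len(data)))

def resolve_stringref(data: bytes, table: Node, ref: int) -> str:
    """Follow a STRINGREF offset to its TAG_STRINGTABLE_ITEM and decode it."""
    off = table.offset + ref
    tag, size = struct.unpack_from("<HI", data, off)
    if tag != TAG_STRINGTABLE_ITEM or off + 6 + size > len(data):
        raise ValueError(f"stringref {ref:#x} does not point at a valid string table item")
    return data[off + 6:off + 6 + size].decode("utf-16-le").rstrip("\x00")

def find_tags(nodes: List[Node], wanted: int) -> Iterator[Node]:
    """Depth-first search for every tag with the given id."""
    for n in nodes:
        if n.tag == wanted:
            yield n
        if (n.tag & TAG_TYPE_MASK) == TAG_TYPE_LIST:   # parenthesised: == binds tighter than &
            yield from find_tags(n.value, wanted)

def dump_shims(data: bytes) -> List[dict]:
    """Return NAME/DLLFILE/DESCRIPTION for every SHIM entry in the database."""
    top = parse_sdb(data)
    table = next((n for n in top if n.tag == TAG_STRINGTABLE), None)
    if table is None:
        raise ValueError("database has no string table")
    labels = {TAG_NAME: "NAME", TAG_DLLFILE: "DLLFILE", TAG_DESCRIPTION: "DESCRIPTION"}
    return [{labels[c.tag]: resolve_stringref(data, table, c.value)
             for c in shim.value if c.tag in labels} for shim in find_tags(top, TAG_SHIM)]

def _list_tag(tag: int, children: List[bytes]) -> bytes:
    body = b"".join(children)
    return struct.pack("<HI", tag, len(body)) + body

def build_sample_sdb() -> bytes:
    """Constructed sample (not from sysmain.sdb): one LIBRARY holding the shim quoted above."""
    texts = ["AddProcessParametersFlags", "AcGenral.DLL", "Add flags to Peb-ProcessParameter-Flags. "
             "The flags are a ULONG. Specify it as a hex number (so at most 8 digits)."]
    items, refs, off = [], [], 6   # first item follows the string table's own 6-byte header
    for t in texts:
        raw = (t + "\x00").encode("utf-16-le")
        items.append(struct.pack("<HI", TAG_STRINGTABLE_ITEM, len(raw)) + raw)
        refs.append(off)
        off += len(items[-1])
    shim = _list_tag(TAG_SHIM, [struct.pack("<HI", t, r) for t, r in
                                zip((TAG_NAME, TAG_DLLFILE, TAG_DESCRIPTION), refs)])
    database = _list_tag(TAG_DATABASE, [_list_tag(TAG_LIBRARY, [shim])])
    return struct.pack("<II", 2, 1) + b"sdbf" + database + _list_tag(TAG_STRINGTABLE, items)

if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_sdb()
    for entry in dump_shims(blob):
        print("\n".join(f'{k}="{v}"' for k, v in entry.items()), end="\n\n")
```

Run without arguments it dumps the constructed sample; run with a path to a real .sdb it walks that file instead. Every size field is checked against the enclosing container before it is used, so a truncated or tampered database raises a ValueError rather than reading out of bounds, which is the property you want in anything that parses attacker-controllable input.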
