0x16/7ton


Wednesday, October 3, 2012

A little about shims engine

I begin with these lines from the book Windows Internals, Sixth Edition (Mark Russinovich, David A. Solomon, Alex Ionescu):
"...Additionally, allowing mechanisms such as the shim engine to use its usual hooking and memory-patching techniques on a protected process would result in a security hole if someone could figure how to insert arbitrary shims that modify the behavior of the protected process. Additionally, because the Shim Engine is installed by the parent process, which might not have access to its child protected process, even legitimate shimming cannot work...."
So I wrote an article about an untraditional use of shims; read it here: AVkillingWithShims

A good analysis of shim internals can be read here:
http://www.alex-ionescu.com/?m=200705
Some additional info.
How the function IsShimInfrastructureDisabled works:
It simply queries registry keys; if at least one of the following values exists, the shim engine will not work:
<\Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option>
    OptionValue
<\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager\AppCompatibility>
    DisableAppCompat
<\Registry\MACHINE\Software\Policies\Microsoft\Windows\AppCompat>
    DisableEngine
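As an added example (not code from the original post), a PowerShell check a defender can run to see whether any of these three values is present on a host, i.e. whether the shim engine is disabled and which value is responsible; the HKLM: paths are assumed to be the Win32 view of the NT paths listed above.

```powershell
# Added example: audit the three registry values that IsShimInfrastructureDisabled
# checks. The post states that the engine is off if at least one value exists,
# so presence is what is tested; the data is shown only for the report.
$checks = @(
    @{ Key = 'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\Option';                  Value = 'OptionValue' },
    @{ Key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatibility'; Value = 'DisableAppCompat' },
    @{ Key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\AppCompat';                   Value = 'DisableEngine' }
)

function Test-ShimInfrastructureDisabled {
    $present = foreach ($c in $checks) {
        if (Test-Path -LiteralPath $c.Key) {
            # -ErrorAction SilentlyContinue: a missing value yields $null instead of an error
            $item = Get-ItemProperty -LiteralPath $c.Key -Name $c.Value -ErrorAction SilentlyContinue
            if ($null -ne $item) {
                [pscustomobject]@{ Key = $c.Key; Value = $c.Value; Data = $item.($c.Value) }
            }
        }
    }
    [pscustomobject]@{
        Disabled = [bool]$present      # true if at least one of the values exists
        Reasons  = @($present)         # which key/value pairs were found
    }
}

$result = Test-ShimInfrastructureDisabled
if ($result.Disabled) {
    Write-Output 'Shim engine is disabled by the following value(s):'
    $result.Reasons | Format-Table Key, Value, Data -AutoSize
} else {
    Write-Output 'None of the three values is present: the shim engine is enabled.'
}
```

Run it elevated on the host being audited; the SafeBoot\Option value is normally present only while Windows is booted in safe mode, so its appearance during a normal boot is worth a second look.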

