• Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim)
• Allows backwards compatibility of software as the OS codebase changes
• Shim DB uses Hooking to redirect code as necessary in order to communicate with the OS
• List of shims currently installed
  • %WINDIR%\AppPatch\sysmain.sdb
  • HKLM\Software\Microsoft\Windows NT\currentversion\appcompatflags\installedsdb
• Custom DBs
  • %WINDIR%\AppPatch\custom
  • %WINDIR%\AppPatch\AppPatch64\Custom
  • hklm\software\microsoft\windows nt\currentversion\appcompatflags\custom
• Must have Admin permissions to modify or install a SHIM
• Shim can be used to
  • Bypass UAC
  • Inject DLLS
  • Disable DEP
  • Disable SEH
  • Intercept memory addresses

sdbinst.exe -p <path to sdb> 

sdb-explorer -r <path to sdb> -a <application to be shimmed>

• https://www.youtube.com/watch?v=vs4eT20l3RY
• The following is only available in the 32bit version of the tool
  • Injectdll was missing in the 64bit version of the tool
• Install Application Compatibility Toolkit from the Windows Assessment and Deployment Kit
• %ProgramFiles(x86)\Windows Kits\10\Assessment and Deployment Kit\Application Compatibility Toolkit\Compatibility Administrator (xx-bit)\Compatadmin.exe
• launch with the /x command
• Select New Database
• Click Fix Icon
• Fill in basic fields - path to the executable to be shimmed needs to be valid
• The next dialog is the compatibility modes, these aren't relevant
• On the next field select InjectDLL
  • Takes a list of paths to DLLs to be loaded during application startup
  • Select malicious DLL
• On the next page select which properties will trigger an application match for the shim
  • Shim matching information must align with the program or the shim won't apply

https://github.com/jackson5-sec/ShimDB

https://github.com/evil-e/sdb-explorer

<https://docs.microsoft.com/en-us/windows-hardware/get-started/adk-install

https://github.com/seastorm/PuttyRider