Thursday, 25 October 2012

Upcoming Events


We're excited to be presenting at the UKOUG Apex SIG on November 6th in London. This time we'll be covering the often confusing world of Item Protection. We will start by exploiting a simple vulnerability that we frequently see in Apex applications; then demonstrate how the Item Protection settings in Apex can be applied to mitigate the risk.

A month on, in December, we're presenting at the UKOUG Conference in Birmingham, talking about the different types of security risks that Apex applications face. We'll also have updated statistics and trends derived from the work we've performed in 2012 assessing client applications.

Come and say hello and feel free to bring your Apex application exports. We'll be happy to talk you through an ApexSec security analysis of your code.

Keeping the momentum up, we've also submitted four separate presentations to KScope13 and we're hoping to get over to New Orleans next summer to catch up with all our American friends and customers.

Friday, 15 June 2012

QuoteVine Gains ApexSec Seal of Assurance


We have to congratulate Quotevine on gaining our 'seal of assurance' for their Apex application. The team over at Quotevine are clearly very passionate about securing their products and place data security as one of the core drivers for their business.

It gave us great pleasure to be recognised as being the best in the business of securing Oracle Apex applications and furthermore to have been asked to put our name on the site in the form of an official stamp of assurance.

We are working very hard to ensure that Apex applications are hardened enough to withstand current cyber-attacks, and using our unique detection engine we are able to accurately identify areas of concern.

If you are interested in gaining a seal for your own site, or in securing your Oracle Apex application in general, then please contact us.

Wednesday, 9 May 2012

Forwarded DLL Exports and an Interesting Loader Behaviour

Before we begin: this doesn't really have any security impact beyond potential use as an obfuscation trick against static analysis. However it was relatively interesting to us, hence a quick post.

Forwarded Exports
As a really quick primer: a Windows DLL's export table can forward an export to a function in another DLL, so that resolving the export loads the target DLL and returns the address of its function instead. The forwarder is stored as a string of the form "MODULE.Function". Example:

C:\>dumpbin /exports c:\windows\system32\shimeng.dll
Microsoft (R) COFF/PE Dumper Version 10.00.40219.01
Copyright (C) Microsoft Corporation.  All rights reserved.


Dump of file c:\windows\system32\shimeng.dll

File Type: DLL

  Section contains the following exports for ShimEng.dll

    00000000 characteristics
    4A5BC16F time date stamp Tue Jul 14 00:21:19 2009
        0.00 version
           1 ordinal base
          11 number of functions
          11 number of names

    ordinal hint RVA      name

          1    0          SE_DllLoaded (forwarded to APPHELP.SE_DllLoaded)
          2    1          SE_DllUnloaded (forwarded to APPHELP.SE_DllUnloaded)
          3    2          SE_DynamicShim (forwarded to APPHELP.SE_DynamicShim)
          4    3          SE_GetHookAPIs (forwarded to APPHELP.SE_GetHookAPIs)
          5    4          SE_GetMaxShimCount (forwarded to APPHELP.SE_GetMaxShim

Interesting Loader Behaviour
We were playing around with the linker pragma used to define these forwarded exports, i.e.:
#pragma comment(linker, "/export:ExportedFunction=SomeRandomDLL.Export") 

If we then look at the exports from the file we see:
1    1          ExportedFunction (forwarded to SomeRandomDLL.Export)

All well and good. So while playing around with malformed DLL names:
#pragma comment(linker, "/export:SafeFunction=..\\..\\..\\..\\Exe-N-DLL.Export") 

Which looks OK with dumpbin:
1    1          SafeFunction (forwarded to ..\..\..\..\Exe-N-DLL.Export)

We noticed an interesting loader behaviour (note this was observed in WinDbg after turning on 'Show loader snaps' in 'Global Flags' (gflags.exe)):
1fa48:245e0 @ -2023778443 - LdrGetProcedureAddressEx - INFO: Locating procedure "Export" by name
1fa48:245e0 @ -2023778443 - LdrGetProcedureAddressEx - INFO: Locating procedure "SafeFunction" by name
1fa48:245e0 @ -2023778443 - LdrpLoadDll - ENTER: DLL name:  DLL path: 
1fa48:245e0 @ -2023778443 - LdrpFindOrMapDll - ENTER: DLL name: .DLL DLL path: 
1fa48:245e0 @ -2023778443 - LdrpFindKnownDll - ENTER: DLL name: .DLL
1fa48:245e0 @ -2023778443 - LdrpFindKnownDll - RETURN: Status: 0xc0000135
1fa48:245e0 @ -2023778427 - LdrpSearchPath - ENTER: DLL name: .DLL DLL path: 
1fa48:245e0 @ -2023778427 - LdrpResolveFileName - ENTER: DLL name: C:\Data\Recx.Code\OllieSlop\Exe-n-DLL\Debug\.DLL
1fa48:245e0 @ -2023778427 - LdrpResolveFileName - RETURN: Status: 0x00000000
1fa48:245e0 @ -2023778427 - LdrpResolveDllName - ENTER: DLL name: C:\Data\Recx.Code\OllieSlop\Exe-n-DLL\Debug\.DLL
1fa48:245e0 @ -2023778427 - LdrpResolveDllName - RETURN: Status: 0x00000000
1fa48:245e0 @ -2023778427 - LdrpSearchPath - RETURN: Status: 0x00000000
1fa48:245e0 @ -2023778427 - LdrpMapViewOfSection - ENTER: DLL name: C:\Data\Recx.Code\OllieSlop\Exe-n-DLL\Debug\.DLL
ModLoad: 013b0000 013cb000   C:\Data\Recx.Code\OllieSlop\Exe-n-DLL\Debug\.DLL
1fa48:245e0 @ -2023778427 - LdrpMapViewOfSection - RETURN: Status: 0x00000000
1fa48:245e0 @ -2023778427 - LdrpFindOrMapDll - RETURN: Status: 0x00000000
1fa48:245e0 @ -2023778427 - LdrpLoadDll - RETURN: Status: 0x00000000
1fa48:245e0 @ -2023778427 - LdrGetProcedureAddressEx - INFO: Locating procedure ".\..\..\..\Exe-N-DLL.Export" by name
1fa48:245e0 @ -2023778427 - LdrpUnloadDll - INFO: Unmapping DLL "C:\Data\Recx.Code\OllieSlop\Exe-n-DLL\Debug\.DLL"

What we see in the above output is that:

  • It tries to load a DLL simply called .DLL
  • It then tries to resolve a function by the name of .\..\..\..\Exe-N-DLL.Export

If we compare this with a well formed pragma:
#pragma comment(linker, "/export:SafeFunction=MyDLL.Export") 

We then see the correct behaviour i.e.:
1c338:1dc18 @ -2022703643 - LdrGetProcedureAddressEx - INFO: Locating procedure "Export" by name

So the root cause looks to be a simple parsing rule: the loader splits the forwarder string at the first '.', takes everything before it (here, nothing, hence the empty module name that becomes ".DLL") as the module to load, and everything after it, remaining dots included, as the procedure name. A module name containing a dot therefore can never be expressed in a forwarder, and what dumpbin prints is not what the loader will actually resolve.
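To make the split concrete, here is an added example (not code from the original post) that models the forwarder parsing the loader snaps above reveal: the module name is whatever precedes the first '.', with the default .DLL extension appended, and the rest is the procedure name or a #ordinal. It is a model of the observed behaviour, not ntdll's code; the warning checks and the audit_forwarders helper are our own additions for use when reviewing export tables.

```python
"""Model of how the Windows loader splits a PE export-forwarder string.

Added example, not code from the original post. It reproduces the split the
loader snaps above show (module name = text before the FIRST '.', default
".DLL" extension appended, everything after that dot = procedure name or
"#ordinal"). It is a model of that observed behaviour, not ntdll's code, and
ignores API-set redirection and other loader details.
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Forwarder:
    raw: str
    module: str                    # name the loader will try to load
    function: Optional[str]        # procedure name, or None when by ordinal
    ordinal: Optional[int]         # ordinal when the target is "#n"
    warnings: List[str] = field(default_factory=list)


def split_forwarder(raw: str) -> Forwarder:
    """Split 'MODULE.Target' the way the loader does: at the first '.'."""
    dot = raw.find(".")
    if dot < 0:
        raise ValueError("forwarder string has no '.': %r" % raw)
    module, target = raw[:dot], raw[dot + 1:]

    # The module half can never contain a '.', so the loader always appends
    # its default extension; an empty module half therefore becomes ".DLL",
    # exactly what LdrpFindOrMapDll reported in the snaps.
    module_name = module + ".DLL"

    if target.startswith("#") and target[1:].isdigit():
        fwd = Forwarder(raw, module_name, None, int(target[1:]))
    else:
        fwd = Forwarder(raw, module_name, target, None)

    # Static-analysis checks (our additions): any hit means the string that
    # dumpbin prints is not what the loader will actually resolve.
    if module == "":
        fwd.warnings.append("empty module name: loader will look for '.DLL'")
    if any(c in module for c in "\\/:"):
        fwd.warnings.append("path separators in module name")
    if fwd.function is not None and "." in fwd.function:
        fwd.warnings.append(
            "'.' in procedure name: text after the first dot was moved into "
            "the procedure name")
    return fwd


def audit_forwarders(raws):
    """Return only the forwarders a reviewer should look at by hand."""
    return [f for f in map(split_forwarder, raws) if f.warnings]


if __name__ == "__main__":
    for s in ("APPHELP.SE_DllLoaded", "MyDLL.#7",
              r"..\..\..\..\Exe-N-DLL.Export"):
        f = split_forwarder(s)
        target = f.function if f.function is not None else "#%d" % f.ordinal
        print("%-32s -> module %-12s target %s %s"
              % (s, f.module, target, f.warnings))
```

Feed it the forwarder strings from a dumpbin /exports listing and anything that comes back from audit_forwarders is worth a second look: it is either malformed, or deliberately written so that the displayed target and the loaded target differ.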

Yes It Does Do What You Would Expect
No doubt by now some of you will be asking what happens if you have circular references i.e.:
#pragma comment(linker, "/export:Export2=MyDLL.SafeFunction") 
#pragma comment(linker, "/export:SafeFunction=MyDLL.Export2") 

... Yes the loader does blow up in LdrpLoadDll in NTDLL.DLL after a while...


Friday, 4 May 2012

Windows AppCompat Research Notes - Part 2

So, to follow on from our last post, a little bit more on this subject...

Additional files related to AppCompat
So there are some additional files we didn't cover last time. The first key one is NTDLL.dll, which contains all the loader functions that call the shim engine. You have a call flow approximately like this:
LdrInitializeThunk --> _LdrpInitialize --> __LdrpInitialize --> LdrpInitializeProcess --> LdrpLoadShimEngine --> LdrpGetShimEngineInterface, then LdrpRunShimEngineInitRoutine --> calls into AppHelp.dll
or via the dynamic route (AppHelp.dll imports LdrInitShimEngineDynamic and calls it from SE_DynamicShim):

LdrInitShimEngineDynamic --> LdrpGetShimEngineInterface

The other thing we noted is that ShimEng.dll is just a shell of a DLL. If we look at the exports of ShimEng.dll we actually see the following (Windows 7):
SE_DllLoaded (forwarded to APPHELP.SE_DllLoaded)
SE_DllUnloaded (forwarded to APPHELP.SE_DllUnloaded)
SE_DynamicShim (forwarded to APPHELP.SE_DynamicShim)
SE_GetHookAPIs (forwarded to APPHELP.SE_GetHookAPIs)
SE_GetMaxShimCount (forwarded to APPHELP.SE_GetMaxShimCount)
SE_GetProcAddressIgnoreIncExc (forwarded to APPHELP.SE_GetProcAddressIgnoreIncExc)
SE_GetShimCount (forwarded to APPHELP.SE_GetShimCount)
SE_InstallAfterInit (forwarded to APPHELP.SE_InstallAfterInit)
SE_InstallBeforeInit (forwarded to APPHELP.SE_InstallBeforeInit)
SE_IsShimDll (forwarded to APPHELP.SE_IsShimDll)
SE_ProcessDying (forwarded to APPHELP.SE_ProcessDying)

So this identifies AppHelp.dll as the real shim engine. AppHelp.dll's exports deal with a range of different functions related to the shim engine, including the SDB (database) files as well as the other functions called by the loader. If we turn on 'Show loader snaps' via gflags.exe (Global Flags) we see the following:

LdrGetProcedureAddressEx - INFO: Locating procedure "SE_InstallBeforeInit" by name
LdrGetProcedureAddressEx - INFO: Locating procedure "SE_InstallAfterInit" by name
LdrGetProcedureAddressEx - INFO: Locating procedure "SE_DllLoaded" by name
LdrGetProcedureAddressEx - INFO: Locating procedure "SE_DllUnloaded" by name
LdrGetProcedureAddressEx - INFO: Locating procedure "SE_LdrEntryRemoved" by name
LdrGetProcedureAddressEx - INFO: Locating procedure "SE_GetProcAddressLoad" by name
LdrGetProcedureAddressEx - INFO: Locating procedure "SE_ProcessDying" by name

Later on, for the same EMET-enabled process, we then see:

LdrpRunInitializeRoutines - INFO: Calling init routine 0000000072C57FE0 for DLL "C:\Windows\AppPatch\AppPatch64\EMET64.dll"
LdrpLoadDll - RETURN: Status: 0x00000000
LdrLoadDll - RETURN: Status: 0x00000000
LdrGetProcedureAddressEx - INFO: Locating procedure "NotifyShims" by name
LdrGetProcedureAddressEx - INFO: Locating procedure "GetHookAPIs" by name

Shim Debug Levels
So an interesting feature we noticed in AppHelp.dll was the shim debug levels. There is a function called GetShimDbgLevel() which returns an INT. This function simply returns the value of the environment variable SHIM_DEBUG_LEVEL. The story of our lives continued: using Google to search for this variable name turns up an interesting blog post from the Microsoft AppCompat guy from 2008 on enabling diagnostic output from shims.

Using DebugView but without a debugger attached we see:
[58768] SHIMVIEW: PID(58768) Level(MSG) Exe(notepad.exe) ShimInfo(ExePath(C:\Windows\system32\notepad.exe))
[58768] SHIMVIEW: PID(58768) Level(MSG) Exe(notepad.exe) ShimInfo(MMDDYYYY(05/04/2012 12:56))
[58768] SHIMVIEW: PID(58768) Level(MSG) Exe(notepad.exe) ShimInfo(DbEntryStart(0))
[58768] SHIMVIEW: PID(58768) Level(MSG) Exe(notepad.exe) ShimInfo(ApplicationName(EMET_Apps))
[58768] SHIMVIEW: PID(58768) Level(MSG) Exe(notepad.exe) ShimInfo(DBGuid({e1c810aa-f7cc-4aaf-ada1-181863075f9b}))
[58768] SHIMVIEW: PID(58768) Level(MSG) Exe(notepad.exe) ShimInfo(ExeGuid({355ad468-8834-479e-b73d-c4473deaf89e}))
[58768] SHIMVIEW: PID(58768) Level(MSG) Exe(notepad.exe) ShimInfo(ShimName(EMET_Shim))
[58768] SHIMVIEW: PID(58768) Level(MSG) Exe(notepad.exe) ShimInfo(DbEntryStop(0))
[58768] SHIMVIEW: PID(58768) Level(MSG) Exe(notepad.exe) ShimInfo(Complete)


But if we have a debugger attached we see different text in DebugView:
[57456] SHIMVIEW:[pid: 0x0000e070][Warn][SdbpCheckExe        ] ++++ Successful match for App: 'EMET_Apps', Exe: 'notepad.exe', Mode: 0x0002 [Mode: Additive
[57456] SHIMVIEW:[pid: 0x0000e070][Warn][SdbpSearchDB        ] + Final match is App: "EMET_Apps", exe: "notepad.exe".
[57456] SHIMVIEW:[pid: 0x0000e070][Info][SdbPackAppCompatData] 
[57456] SHIMVIEW:dwFlags    0x1
[57456] SHIMVIEW:dwMagic    0xAC0DEDAB
[57456] SHIMVIEW:trExe      0x300001D0
[57456] SHIMVIEW:trLayer    0x0
[57456] SHIMVIEW:[pid: 0x0000e070][Info][SdbPackAppcompatData] Database List
[57456] SHIMVIEW:[pid: 0x0000e070][Info][SdbPackAppcompatData] 0x30000000 {e1c810aa-f7cc-4aaf-ada1-181863075f9b} 
[57456] SHIMVIEW:[pid: 0x0000e070][Info][SdbPackAppcompatData] Exe   0x300001d0

While in WinDbg we see:

[Info][SdbOpenDatabase     ] Failed to get the database ID.
18db4:181b0 @ 1847768412 - LdrpFindLoadedDll - RETURN: Status: 0x00000000
18db4:181b0 @ 1847768412 - LdrGetDllHandleEx - RETURN: Status: 0x00000000
18db4:181b0 @ 1847768412 - LdrGetProcedureAddressEx - INFO: Locating procedure "RtlGetProductInfo" by name
[Info][SdbUnpackAppCompatData] Appcompat Data for "C:\Windows\System32\notepad.exe":
dwFlags    0x1
dwMagic    0xAC0DEDAB
trExe      0x300001D0
trLayer    0x0
[Info][SdbOpenDatabase     ] Failed to get the database ID.
[Err ][SdbpTraceFixGroupItem] Failed to locate fix ID.
SHIMVIEW: PID(101812) Level(MSG) Exe(notepad.exe) ShimInfo(ExePath(C:\Windows\System32\notepad.exe))
SHIMVIEW: PID(101812) Level(MSG) Exe(notepad.exe) ShimInfo(MMDDYYYY(05/04/2012 14:10))
SHIMVIEW: PID(101812) Level(MSG) Exe(notepad.exe) ShimInfo(DbEntryStart(0))
SHIMVIEW: PID(101812) Level(MSG) Exe(notepad.exe) ShimInfo(ApplicationName(EMET_Apps))
SHIMVIEW: PID(101812) Level(MSG) Exe(notepad.exe) ShimInfo(DBGuid({e1c810aa-f7cc-4aaf-ada1-181863075f9b}))
SHIMVIEW: PID(101812) Level(MSG) Exe(notepad.exe) ShimInfo(ExeGuid({355ad468-8834-479e-b73d-c4473deaf89e}))
SHIMVIEW: PID(101812) Level(MSG) Exe(notepad.exe) ShimInfo(ShimName(EMET_Shim))
SHIMVIEW: PID(101812) Level(MSG) Exe(notepad.exe) ShimInfo(DbEntryStop(0))
SHIMVIEW: PID(101812) Level(MSG) Exe(notepad.exe) ShimInfo(Complete)
[Info][SdbGetDllPath       ] Opening file "C:\Windows\AppPatch\AppPatch64\EMET64.dll".
[Info][SdbGetDllPath       ] Using DLL "C:\Windows\AppPatch\AppPatch64\EMET64.dll".

On Windows 7 at least we couldn't get the log files to work, and it appears the code may have changed, as we couldn't see that environment variable in NTDLL.DLL.
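As an added example (not part of the original post), the following script turns the SHIMVIEW lines that apphelp.dll writes to DebugView into a per-process summary: the ShimInfo(...) records, the shim DLL and shim name that the [SeiInit] lines report, the hook count GetHookAPIs returns and the modules [SeiHookImports] touches once SHIMENG_DEBUG_LEVEL is set. The sample log is constructed from the line formats quoted in this post, plus one unrelated DebugView line from another process to show it is skipped; the second process (PID 4242, app.exe), its shim DLL path and the heuristic that flags shim DLLs loaded from outside the system AppPatch directory are hypothetical additions of ours.

```python
"""Triage parser for the SHIMVIEW lines apphelp.dll emits via OutputDebugString.

Added example, not code from the original post. SAMPLE_LOG is constructed
from the line formats quoted in the post; the PID 4242 process, its shim DLL
path and the "outside AppPatch" heuristic are hypothetical.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample: real formats from the post for PID 113236, one unrelated
# DebugView line from another process, and a hypothetical PID 4242 whose shim
# DLL is loaded from a user-writable directory.
SAMPLE_LOG = r"""
[113236] SHIMVIEW: PID(113236) Level(MSG) Exe(notepad.exe) ShimInfo(ExePath(C:\Windows\system32\notepad.exe))
[113236] SHIMVIEW: PID(113236) Level(MSG) Exe(notepad.exe) ShimInfo(ApplicationName(EMET_Apps))
[113236] SHIMVIEW: PID(113236) Level(MSG) Exe(notepad.exe) ShimInfo(DBGuid({e1c810aa-f7cc-4aaf-ada1-181863075f9b}))
[113236] SHIMVIEW: PID(113236) Level(MSG) Exe(notepad.exe) ShimInfo(ShimName(EMET_Shim))
[113236] SHIMVIEW: PID(113236) Level(MSG) Exe(notepad.exe) ShimInfo(Complete)
[4196] KeyboardProc
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiInit] Shim DLL 0x73100000 "C:\Windows\AppPatch\AppPatch64\EMET64.dll" loaded
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiInit] Using SHIM "EMET64.dll!EMET_Shim"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiInit] GetHookAPIs returns 0 hooks for DLL "C:\Windows\AppPatch\AppPatch64\EMET64.dll" SHIM "EMET_Shim"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x00000000FF690000 "notepad.exe"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x0000000077CA0000 "ntdll.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x00000000FF690000 "notepad.exe"
[4242] SHIMVIEW: PID(4242) Level(MSG) Exe(app.exe) ShimInfo(ShimName(CustomShim))
[4242] SHIMVIEW: PID(4242) Level(INFO) Exe(app.exe) [SeiInit] Shim DLL 0x10000000 "C:\Users\Public\custom.dll" loaded
[4242] SHIMVIEW: PID(4242) Level(INFO) Exe(app.exe) [SeiInit] Using SHIM "custom.dll!CustomShim"
"""

LINE_RE = re.compile(r"^\[\d+\] SHIMVIEW: PID\((\d+)\) Level\((\w+)\) Exe\(([^)]+)\) (.*)$")
SHIMINFO_RE = re.compile(r"^ShimInfo\((\w+)(?:\((.*)\))?\)$")
SHIMDLL_RE = re.compile(r'^\[SeiInit\] Shim DLL 0x[0-9A-Fa-f]+ "([^"]+)" loaded$')
USING_RE = re.compile(r'^\[SeiInit\] Using SHIM "([^"]+)"$')
HOOKS_RE = re.compile(r'^\[SeiInit\] GetHookAPIs returns (\d+) hooks for DLL "[^"]+" SHIM "([^"]+)"$')
HOOKMOD_RE = re.compile(r'^\[SeiHookImports\] Hooking module 0x[0-9A-Fa-f]+ "([^"]+)"$')


@dataclass
class ShimmedProcess:
    pid: int
    exe: str
    info: Dict[str, Optional[str]] = field(default_factory=dict)   # ShimInfo(key(value))
    shim_dlls: List[str] = field(default_factory=list)             # DLLs SeiInit loaded
    shims: List[str] = field(default_factory=list)                 # "dll!ShimName"
    hook_counts: Dict[str, int] = field(default_factory=dict)      # shim -> GetHookAPIs count
    hooked_modules: Set[str] = field(default_factory=set)          # modules SeiHookImports touched


def parse_shimview(text: str) -> Tuple[Dict[int, ShimmedProcess], List[str]]:
    """Group SHIMVIEW lines by PID; return the processes and the lines skipped."""
    procs: Dict[int, ShimmedProcess] = {}
    skipped: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            skipped.append(line)   # DebugView shows every process; count the noise
            continue
        pid, _level, exe, body = int(m.group(1)), m.group(2), m.group(3), m.group(4)
        proc = procs.setdefault(pid, ShimmedProcess(pid, exe))
        if (mm := SHIMINFO_RE.match(body)):
            proc.info[mm.group(1)] = mm.group(2)       # value is None for ShimInfo(Complete)
        elif (mm := SHIMDLL_RE.match(body)):
            proc.shim_dlls.append(mm.group(1))
        elif (mm := USING_RE.match(body)):
            proc.shims.append(mm.group(1))
        elif (mm := HOOKS_RE.match(body)):
            proc.hook_counts[mm.group(2)] = int(mm.group(1))
        elif (mm := HOOKMOD_RE.match(body)):
            proc.hooked_modules.add(mm.group(1))
    return procs, skipped


def unusual_shim_dlls(procs: Dict[int, ShimmedProcess],
                      trusted_prefix: str = "c:\\windows\\apppatch\\") -> List[Tuple[int, str]]:
    # Hypothetical heuristic: the shim DLLs seen in the post (and Windows' own)
    # live under the system AppPatch tree, so a shim DLL loaded from anywhere
    # else deserves a closer look.
    hits = []
    for pid, proc in sorted(procs.items()):
        for path in proc.shim_dlls:
            if not path.lower().startswith(trusted_prefix):
                hits.append((pid, path))
    return hits


if __name__ == "__main__":
    procs, skipped = parse_shimview(SAMPLE_LOG)
    for p in procs.values():
        print(p.pid, p.exe, p.info.get("ShimName"), p.shims, p.hook_counts,
              sorted(p.hooked_modules))
    print("unusual shim DLLs:", unusual_shim_dlls(procs), "skipped lines:", len(skipped))
```

Pipe a saved DebugView log (File > Save As) into parse_shimview and the summary tells you, per process, which SDB entry matched, which shim DLL was actually loaded from where, how many API hooks it installed and which modules had their imports rewritten.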



Shim Engine Debug Levels
The big one to set is the environment variable SHIMENG_DEBUG_LEVEL (set it to 9). Setting this leads to an explosion of information in DebugView (without a debugger attached).


[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiCheckComPlusImage] COM+ executable FALSE
[113236] SHIMVIEW: PID(113236) Level(MSG) Exe(notepad.exe) ShimInfo(ExePath(C:\Windows\system32\notepad.exe))
[113236] SHIMVIEW: PID(113236) Level(MSG) Exe(notepad.exe) ShimInfo(MMDDYYYY(05/04/2012 14:34))
[113236] SHIMVIEW: PID(113236) Level(MSG) Exe(notepad.exe) ShimInfo(DbEntryStart(0))
[113236] SHIMVIEW: PID(113236) Level(MSG) Exe(notepad.exe) ShimInfo(ApplicationName(EMET_Apps))
[113236] SHIMVIEW: PID(113236) Level(MSG) Exe(notepad.exe) ShimInfo(DBGuid({e1c810aa-f7cc-4aaf-ada1-181863075f9b}))
[113236] SHIMVIEW: PID(113236) Level(MSG) Exe(notepad.exe) ShimInfo(ExeGuid({355ad468-8834-479e-b73d-c4473deaf89e}))
[113236] SHIMVIEW: PID(113236) Level(MSG) Exe(notepad.exe) ShimInfo(ShimName(EMET_Shim))
[113236] SHIMVIEW: PID(113236) Level(MSG) Exe(notepad.exe) ShimInfo(DbEntryStop(0))
[113236] SHIMVIEW: PID(113236) Level(MSG) Exe(notepad.exe) ShimInfo(Complete)
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiSetEntryProcessed] Don't mess with 0x77CA0000 "ntdll.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiSetEntryProcessed] Don't mess with 0xFE210000 "KERNELBASE.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiSetEntryProcessed] Don't mess with 0x77810000 "kernel32.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiSetEntryProcessed] Touching        0xFFAD0000 "msvcrt.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiSetEntryProcessed] Touching        0xFFD60000 "RPCRT4.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiSetEntryProcessed] Touching        0xFFEF0000 "sechost.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiSetEntryProcessed] Touching        0xFEB40000 "ADVAPI32.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiSetEntryProcessed] Touching        0x77710000 "USER32.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiSetEntryProcessed] Touching        0xFE6E0000 "USP10.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiSetEntryProcessed] Touching        0xFFAC0000 "LPK.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiSetEntryProcessed] Touching        0xFFC10000 "GDI32.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiSetEntryProcessed] Touching        0xFEA60000 "SHLWAPI.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiSetEntryProcessed] Touching        0xFCB30000 "COMCTL32.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiSetEntryProcessed] Touching        0xFED30000 "SHELL32.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiSetEntryProcessed] Touching        0xFE7B0000 "COMDLG32.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiSetEntryProcessed] Touching        0xFBC90000 "WINSPOOL.DRV"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiSetEntryProcessed] Touching        0xFE4D0000 "ole32.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiSetEntryProcessed] Touching        0xFFC80000 "OLEAUT32.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiSetEntryProcessed] Touching        0xFD1F0000 "VERSION.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiSetEntryProcessed] Touching        0xFE080000 "apphelp.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiClearLayerEnvVar] Cleared env var __COMPAT_LAYER.
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiInit] No apphack flags for this app "C:\Windows\system32\notepad.exe".
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiBuildGlobalInclExclList] Global inclusion/exclusion list:
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiBuildGlobalInclExclList] Exclude "BLACKBOX.DLL"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiBuildGlobalInclExclList] Include "KERNEL32.DLL"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiBuildGlobalInclExclList] Include "MFC42D.DLL"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiBuildGlobalInclExclList] Include "MFCO42D.DLL"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiBuildGlobalInclExclList] Include "MFCD42D.DLL"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiBuildGlobalInclExclList] Include "MFCN42D.DLL"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiBuildGlobalInclExclList] Include "MFC42ENU.DLL"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiBuildGlobalInclExclList] Include "MFCSUBS.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiBuildGlobalInclExclList] Include "MFC42.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiBuildGlobalInclExclList] Include "MFC40.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiBuildGlobalInclExclList] Include "MSVCRT40.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiBuildGlobalInclExclList] Include "MSVCRT20.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiBuildGlobalInclExclList] Include "MSVCIRT.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiBuildGlobalInclExclList] Include "MSVCRT.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiBuildGlobalInclExclList] Include "OLEAUT32.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiBuildGlobalInclExclList] Include "OLE32.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SE_DllLoaded] INIT. loading DLL "EMET64.dll".
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiSetEntryProcessed] Don't mess with 0x77CA0000 "ntdll.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiSetEntryProcessed] Don't mess with 0xFE210000 "KERNELBASE.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiSetEntryProcessed] Don't mess with 0x77810000 "kernel32.dll"
[4196] KeyboardProc
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiSetEntryProcessed] Don't mess with 0xFFAD0000 "msvcrt.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiSetEntryProcessed] Don't mess with 0xFFD60000 "RPCRT4.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiSetEntryProcessed] Don't mess with 0xFFEF0000 "sechost.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiSetEntryProcessed] Don't mess with 0xFEB40000 "ADVAPI32.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiSetEntryProcessed] Don't mess with 0x77710000 "USER32.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiSetEntryProcessed] Don't mess with 0xFE6E0000 "USP10.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiSetEntryProcessed] Don't mess with 0xFFAC0000 "LPK.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiSetEntryProcessed] Don't mess with 0xFFC10000 "GDI32.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiSetEntryProcessed] Don't mess with 0xFEA60000 "SHLWAPI.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiSetEntryProcessed] Don't mess with 0xFCB30000 "COMCTL32.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiSetEntryProcessed] Don't mess with 0xFED30000 "SHELL32.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiSetEntryProcessed] Don't mess with 0xFE7B0000 "COMDLG32.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiSetEntryProcessed] Don't mess with 0xFBC90000 "WINSPOOL.DRV"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiSetEntryProcessed] Don't mess with 0xFE4D0000 "ole32.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiSetEntryProcessed] Don't mess with 0xFFC80000 "OLEAUT32.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiSetEntryProcessed] Don't mess with 0xFD1F0000 "VERSION.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiSetEntryProcessed] Don't mess with 0xFE080000 "apphelp.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiSetEntryProcessed] Don't mess with 0x73100000 "EMET64.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiInit] Shim DLL 0x73100000 "C:\Windows\AppPatch\AppPatch64\EMET64.dll" loaded
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiInit] Using SHIM "EMET64.dll!EMET_Shim"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiInit] GetHookAPIs returns 0 hooks for DLL "C:\Windows\AppPatch\AppPatch64\EMET64.dll" SHIM "EMET_Shim"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiInit] No patches for this app "C:\Windows\system32\notepad.exe".
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x00000000FF690000 "notepad.exe"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x0000000077CA0000 "ntdll.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x0000000077810000 "kernel32.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFE210000 "KERNELBASE.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFEB40000 "ADVAPI32.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFFAD0000 "msvcrt.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFFEF0000 "sechost.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFFD60000 "RPCRT4.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFFC10000 "GDI32.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x0000000077710000 "USER32.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFFAC0000 "LPK.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFE6E0000 "USP10.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFE7B0000 "COMDLG32.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFEA60000 "SHLWAPI.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFCB30000 "COMCTL32.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFED30000 "SHELL32.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFBC90000 "WINSPOOL.DRV"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFE4D0000 "ole32.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFFC80000 "OLEAUT32.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFD1F0000 "VERSION.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiResetEntryProcessed] Don't mess with "ntdll.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiResetEntryProcessed] Don't mess with "KERNELBASE.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiResetEntryProcessed] Don't mess with "kernel32.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiResetEntryProcessed] Resetting       "msvcrt.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiResetEntryProcessed] Resetting       "RPCRT4.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiResetEntryProcessed] Resetting       "sechost.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiResetEntryProcessed] Resetting       "ADVAPI32.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiResetEntryProcessed] Resetting       "USER32.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiResetEntryProcessed] Resetting       "USP10.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiResetEntryProcessed] Resetting       "LPK.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiResetEntryProcessed] Resetting       "GDI32.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiResetEntryProcessed] Resetting       "SHLWAPI.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiResetEntryProcessed] Resetting       "COMCTL32.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiResetEntryProcessed] Resetting       "SHELL32.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiResetEntryProcessed] Resetting       "COMDLG32.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiResetEntryProcessed] Resetting       "WINSPOOL.DRV"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiResetEntryProcessed] Resetting       "ole32.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiResetEntryProcessed] Resetting       "OLEAUT32.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiResetEntryProcessed] Resetting       "VERSION.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiResetEntryProcessed] Don't mess with "apphelp.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiResetEntryProcessed] Don't mess with "EMET64.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SE_DllLoaded] AFTER INIT. loading DLL "IMM32.DLL".
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x00000000FF690000 "notepad.exe"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x0000000077CA0000 "ntdll.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x0000000077810000 "kernel32.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFE210000 "KERNELBASE.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFEB40000 "ADVAPI32.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFFAD0000 "msvcrt.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFFEF0000 "sechost.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFFD60000 "RPCRT4.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFFC10000 "GDI32.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x0000000077710000 "USER32.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFFAC0000 "LPK.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFE6E0000 "USP10.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFE7B0000 "COMDLG32.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFEA60000 "SHLWAPI.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFCB30000 "COMCTL32.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFED30000 "SHELL32.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFBC90000 "WINSPOOL.DRV"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFE4D0000 "ole32.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFFC80000 "OLEAUT32.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFD1F0000 "VERSION.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFE850000 "IMM32.DLL"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFEC20000 "MSCTF.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SE_DllLoaded] AFTER INIT. loading DLL "CRYPTBASE.dll".
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x00000000FF690000 "notepad.exe"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x0000000077CA0000 "ntdll.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x0000000077810000 "kernel32.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFE210000 "KERNELBASE.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFEB40000 "ADVAPI32.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFFAD0000 "msvcrt.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFFEF0000 "sechost.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFFD60000 "RPCRT4.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFFC10000 "GDI32.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x0000000077710000 "USER32.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFFAC0000 "LPK.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFE6E0000 "USP10.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFE7B0000 "COMDLG32.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFEA60000 "SHLWAPI.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFCB30000 "COMCTL32.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFED30000 "SHELL32.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFBC90000 "WINSPOOL.DRV"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFE4D0000 "ole32.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFFC80000 "OLEAUT32.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFD1F0000 "VERSION.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFE850000 "IMM32.DLL"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFEC20000 "MSCTF.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFDF90000 "CRYPTBASE.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SE_DllLoaded] AFTER INIT. loading DLL "uxtheme.dll".
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x00000000FF690000 "notepad.exe"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x0000000077CA0000 "ntdll.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x0000000077810000 "kernel32.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFE210000 "KERNELBASE.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFEB40000 "ADVAPI32.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFFAD0000 "msvcrt.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFFEF0000 "sechost.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFFD60000 "RPCRT4.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFFC10000 "GDI32.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x0000000077710000 "USER32.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFFAC0000 "LPK.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFE6E0000 "USP10.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFE7B0000 "COMDLG32.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFEA60000 "SHLWAPI.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFCB30000 "COMCTL32.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFED30000 "SHELL32.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFBC90000 "WINSPOOL.DRV"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFE4D0000 "ole32.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFFC80000 "OLEAUT32.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFD1F0000 "VERSION.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFE850000 "IMM32.DLL"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFEC20000 "MSCTF.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFDF90000 "CRYPTBASE.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFC810000 "uxtheme.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SE_DllLoaded] AFTER INIT. loading DLL "dwmapi.dll".
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x00000000FF690000 "notepad.exe"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x0000000077CA0000 "ntdll.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x0000000077810000 "kernel32.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFE210000 "KERNELBASE.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFEB40000 "ADVAPI32.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFFAD0000 "msvcrt.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFFEF0000 "sechost.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFFD60000 "RPCRT4.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFFC10000 "GDI32.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x0000000077710000 "USER32.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFFAC0000 "LPK.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFE6E0000 "USP10.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFE7B0000 "COMDLG32.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFEA60000 "SHLWAPI.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFCB30000 "COMCTL32.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFED30000 "SHELL32.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFBC90000 "WINSPOOL.DRV"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFE4D0000 "ole32.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFFC80000 "OLEAUT32.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFD1F0000 "VERSION.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFE850000 "IMM32.DLL"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFEC20000 "MSCTF.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFDF90000 "CRYPTBASE.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFC810000 "uxtheme.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFC360000 "dwmapi.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SE_DllLoaded] AFTER INIT. loading DLL "btmmhook.dll".
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x00000000FF690000 "notepad.exe"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x0000000077CA0000 "ntdll.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x0000000077810000 "kernel32.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFE210000 "KERNELBASE.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFEB40000 "ADVAPI32.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFFAD0000 "msvcrt.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFFEF0000 "sechost.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFFD60000 "RPCRT4.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFFC10000 "GDI32.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x0000000077710000 "USER32.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFFAC0000 "LPK.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFE6E0000 "USP10.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFE7B0000 "COMDLG32.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFEA60000 "SHLWAPI.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFCB30000 "COMCTL32.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFED30000 "SHELL32.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFBC90000 "WINSPOOL.DRV"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFE4D0000 "ole32.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFFC80000 "OLEAUT32.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFD1F0000 "VERSION.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFE850000 "IMM32.DLL"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFEC20000 "MSCTF.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFDF90000 "CRYPTBASE.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFC810000 "uxtheme.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFC360000 "dwmapi.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x0000000002470000 "btmmhook.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SE_DllLoaded] AFTER INIT. loading DLL "PSAPI.DLL".
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x00000000FF690000 "notepad.exe"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x0000000077CA0000 "ntdll.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x0000000077810000 "kernel32.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFE210000 "KERNELBASE.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFEB40000 "ADVAPI32.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFFAD0000 "msvcrt.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFFEF0000 "sechost.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFFD60000 "RPCRT4.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFFC10000 "GDI32.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x0000000077710000 "USER32.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFFAC0000 "LPK.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFE6E0000 "USP10.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFE7B0000 "COMDLG32.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFEA60000 "SHLWAPI.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFCB30000 "COMCTL32.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFED30000 "SHELL32.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFBC90000 "WINSPOOL.DRV"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFE4D0000 "ole32.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFFC80000 "OLEAUT32.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFD1F0000 "VERSION.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFE850000 "IMM32.DLL"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFEC20000 "MSCTF.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFDF90000 "CRYPTBASE.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFC810000 "uxtheme.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFC360000 "dwmapi.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x0000000002470000 "btmmhook.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x0000000077E60000 "PSAPI.DLL"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SE_DllLoaded] AFTER INIT. loading DLL "CLBCatQ.DLL".
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x00000000FF690000 "notepad.exe"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x0000000077CA0000 "ntdll.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x0000000077810000 "kernel32.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFE210000 "KERNELBASE.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFEB40000 "ADVAPI32.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFFAD0000 "msvcrt.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFFEF0000 "sechost.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFFD60000 "RPCRT4.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFFC10000 "GDI32.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x0000000077710000 "USER32.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFFAC0000 "LPK.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFE6E0000 "USP10.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFE7B0000 "COMDLG32.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFEA60000 "SHLWAPI.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFCB30000 "COMCTL32.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFED30000 "SHELL32.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFBC90000 "WINSPOOL.DRV"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFE4D0000 "ole32.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFFC80000 "OLEAUT32.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFD1F0000 "VERSION.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFE850000 "IMM32.DLL"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFEC20000 "MSCTF.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFDF90000 "CRYPTBASE.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFC810000 "uxtheme.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFC360000 "dwmapi.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x0000000002470000 "btmmhook.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x0000000077E60000 "PSAPI.DLL"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFFF10000 "CLBCatQ.DLL"


Interesting Bit About NX Compatibility and Section Names in the NT Loader
While digging through NTDLL.dll we noticed the function _LdrpCheckNXCompatibility which, among other things, calls LdrpCheckNxIncompatibleDllSection. LdrpCheckNxIncompatibleDllSection checks whether any of the image's sections are named:
  • .aspack
  • .pcle
  • .sforce
If any of these sections are present then the loader will disable NX for the process. As with all things, this finding isn't a revelation to the world, it would appear: via a Google search we found that Costin G. Raiu of Kaspersky documented this feature of Windows in 2005 (slide 15 onwards; originally discovered by Yury Mashevsky of Kaspersky). It was later documented again in Dowd's and Sotirov's BlackHat 2008 paper on browser memory protection bypass.

A similar check is in _LdrpCheckSafeDiscDll, which checks whether the DLL is named secserv.dll and has a section named one of:
  • .txt
  • .txt2

Now we don't expect anyone to have these by accident, but it's something to keep in mind (and something we're adding to SDL Binary Assurance). 

Securing Oracle Apex - Plugin 'HTML Markup for APEX Tree'

It is always sad to find security problems in other people's hard work, but we should all be aware of the risks in using a particular plugin so that it can be used efficiently and securely.

We were asked about the usage of this plugin recently: HTML Markup for APEX Tree, so we decided to take a look.
This plugin enables HTML markup within an APEX Tree Region, which normally escapes all HTML special characters. The idea is to use replacement characters for "<", ">" and "&" in the Tree SQL query and to configure these in the plugin. The plugin fires as a dynamic action after page load and uses some jQuery logic to activate the HTML markup by changing the replacement characters back to HTML syntax.
This sounds very dangerous, and indeed it is: by subverting the built-in protections of Apex this plugin significantly reduces the security of the APEX tree region. The example code contains the following.

case
when sal < 2500 then '[b style="color: green"]'||"ENAME"||'[/b] [img src="/i/Fndokay1.gif" height="12"]'
when sal < 4500 then '[b style="color: black"]'||"ENAME"||'[/b]'
else '[b style="color: red"]'||"ENAME"||'[/b]'
end as title,

As the JavaScript in the plugin replaces all '[' characters with '<' and all ']' characters with '>', a cross-site scripting payload only needs those characters substituted. Simply setting ENAME in the database to something like:

[script]alert('java')[/script]

will prove that code is being executed in the browser. If you absolutely must use this plugin then the data appearing in the tree must not be modifiable by any client-side requests.
ApexSec 2.2 has been updated with the check for this plugin.
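As an added illustration (our own example, not the plugin's code), the JavaScript below contrasts the blind character swap described above with an allow-list conversion that only re-enables the specific tags and attributes the post's tree query actually uses, and renders everything else, '[' and ']' included, as literal text. The sample titles are constructed from the post's query and payload; the tag and attribute patterns in ALLOWED are our assumptions for the demonstration.

```javascript
// Constructed sample node titles in the plugin's bracket convention (from the post).
const SAMPLE_OK = '[b style="color: green"]SMITH[/b] [img src="/i/Fndokay1.gif" height="12"]';
const SAMPLE_BAD = "[script]alert('java')[/script]";

// Unsafe: the behaviour the post describes, a blind swap of every [ and ].
// Whatever is in the data (ENAME) becomes markup, so data and markup are indistinguishable.
function unsafeUnmask(text) {
  return text.replace(/\[/g, "<").replace(/\]/g, ">");
}

// Hardened: only these tags, with only these attributes matching these patterns,
// are turned back into HTML. Everything else stays literal text.
const ALLOWED = {
  b:   { attrs: { style: /^color:\s*(green|black|red)$/ }, isVoid: false },
  img: { attrs: { src: /^\/i\/[\w.-]+\.(gif|png)$/, height: /^\d{1,3}$/ }, isVoid: true },
};

// Escape for HTML text context; [ and ] are encoded too so they can never be re-swapped later.
function escapeHtml(s) {
  return s.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;")
          .replace(/"/g, "&quot;").replace(/\[/g, "&#91;").replace(/\]/g, "&#93;");
}

function safeUnmask(text) {
  // Tokenise on [tag attr="value" ...] / [/tag] groups with a deliberately narrow grammar.
  const token = /\[(\/?)([a-z]+)((?:\s+[a-z]+="[^"\]]*")*)\s*\]/g;
  let out = "", last = 0, m;
  while ((m = token.exec(text)) !== null) {
    out += escapeHtml(text.slice(last, m.index));       // literal text between tokens
    last = token.lastIndex;
    const [whole, close, tag, attrStr] = m;
    const rule = ALLOWED[tag];
    if (!rule || (close && rule.isVoid)) { out += escapeHtml(whole); continue; }  // unknown tag: literal
    if (close) { out += `</${tag}>`; continue; }
    const attrs = [];
    let ok = true;
    for (const am of attrStr.matchAll(/([a-z]+)="([^"\]]*)"/g)) {
      const [, name, value] = am;
      const pattern = rule.attrs[name];
      if (!pattern || !pattern.test(value)) { ok = false; break; }  // any bad attribute rejects the tag
      attrs.push(` ${name}="${value}"`);
    }
    out += ok ? `<${tag}${attrs.join("")}>` : escapeHtml(whole);
  }
  out += escapeHtml(text.slice(last));
  return out;
}
```

With the blind swap, SAMPLE_BAD becomes a live script element; with the allow-list version it is rendered as the visible text `[script]alert('java')[/script]`, while SAMPLE_OK still produces the intended bold name and icon. Note this only narrows what the markup can express; the post's advice still stands that the data feeding the tree must not be modifiable from the client.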

Saturday, 28 April 2012

Windows AppCompat Research Notes - Part 1

These notes have been sitting around in a file for a while now. The reason we're publishing them is both to motivate ourselves and to motivate others to continue documenting how AppCompat on Microsoft Windows works.

Overview
AppCompat is a facility built into the Windows loader that provides a common infrastructure for patching the IAT (Import Address Table) of a process, i.e. shimming. At its core AppCompat is made up of databases and DLLs that define which shims apply to which binaries.

Why do we care about AppCompat when we're security people? Well, there are several reasons. For example there is an AppCompat patch to use a 'Fault tolerant heap'. So even applications deployed on the latest and greatest Windows may not be able to use the default heap and instead revert to a less secure implementation for 'compatibility reasons' (which is code for 'they corrupt their heap'). Knowing this allows us to better understand our exposure.

We also see other applications of AppCompat to improve security using a Microsoft sanctioned patching mechanism. For example we think it would be great if you could deploy VirtualAlloc replacements for all processes via the AppCompat enterprise configuration.

Prior Research / Database Structure
Alex Ionescu looked into AppCompat and the database [1][2][3][4]. We're not going to repeat what he said, so we encourage you to go and read that first. His SDB tool from part 4 can be built using the Microsoft APIs.

There is also an interesting Chinese blog post from 2008 which details quite a bit about how things work (although via Google Translate it's hard going).

Building Databases / Configuring Applications
If you want to see which fixes are available via a GUI and experiment, Microsoft make a tool available called the Microsoft Application Compatibility Toolkit. This can be used to build new AppCompat databases and configurations. It can also be used to investigate the available fixes if you don't want to implement a tool like Alex's.

Files related to AppCompat
The files on Windows 7, at least, which appear to make up AppCompat are (note: this does not document the loader aspects):

Core Engine
  • ShimEng.dll
Miscellaneous files
  • AMX\amxread.dll
  • APILog\apilogen.dll
General AppCompat
  • AppPatch\AcGenral.dll
  • AppPatch\AcLayers.dll
  • AppPatch\AcRes.dll
  • AppPatch\AcSpecfc.dll
  • AppPatch\acwow64.dll
  • AppPatch\AcXtrnal.dll
  • AppPatch\apihex86.dll
  • AppPatch\AppPatch64\AcGenral.dll
  • AppPatch\AppPatch64\AcLayers.dll
  • AppPatch\AppPatch64\acspecfc.dll
  • AppPatch\AppPatch64\AcXtrnal.dll
  • AppPatch\AppPatch64\apihex64.dll
  • AppPatch\en-US\AcRes.dll.mui
Application Verifier (yes it too uses the AppCompat infrastructure)
  • AppVer\vfbasics.dll
  • AppVer\vfcompat.dll
  • AppVer\vfLuaPriv.dll
  • AppVer\vfpodbc.dll
  • AppVer\vfprint.dll
  • AppVer\vfprintpthelper.dll
  • AppVer\vfwwdm32.dll
  • AppVer\vrfcore.dll

AppCompat DLL Structure
As Alex noted, it appears Microsoft use a C++ class (it's called ShimLib::) internally when implementing AppCompat DLLs. AppCompat is used by Microsoft technologies such as EMET and Application Verifier. For example look at EMET.dll in C:\Program Files (x86)\EMET and you'll see it has the standard AppCompat exports:
  • GetHookAPIs(char *,ushort *,ulong *)
  • NotifyShims(char *, unsigned __int16 *, unsigned __int32 *)
During our research we found a single DLL, apihex86.dll, that doesn't use the Microsoft C++ class (ShimLib::) that the others do. As a result it's this binary that we're focusing our efforts on in order to understand the interface, so we can look at writing our own shims (also it's tiny compared to the others).

Looking at GetHookAPIs we see it sets up an array of structures, each holding both the original API and the new API to be called in its place, before passing the array back to the caller. In short, quite simple...

AppCompat Machine Deployment
When AppCompat is used on a machine the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags is populated. For example on my machine, where I have deployed EMET against a process (we've previously mentioned EMET uses AppCompat), we see a custom AppCompat (SDB) database installed under that key, and then a mapping between these two databases and the EMET configured process.


Conclusions
You know you're looking at something interesting when you Google 'shimlib appcompat' and get 0 results, and 'appcompat gethookapi' gets you 8. Anyway, that's it for now...

Friday, 27 April 2012

Recx EMET Configuration Builder


Update May 16, 2012: Since originally posting this article Microsoft have released EMET v3.0, which further facilitates enterprise deployment. We encourage you to go and read the TechNet article.


It's Friday, so it's time for another higher-level defensive post. To follow up on our previous post, Microsoft EMET in The Enterprise, we wrote a small EMET automatic configuration builder. It's designed to let you quickly produce an EMET configuration XML for a specific machine. This XML file can then be imported into the EMET GUI, to facilitate mass EMET opt-in for the binaries in a host's default build.

What the configuration builder does is:
  • Checks a file is a PE file
  • Checks it's not a DLL
  • Checks if it's managed or not
  • Checks if the SEH properties warrant SEHOP opt-in
It then produces a configuration line for each file, as appropriate, in the EMET XML schema.
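Two of the posts above come down to reading a few PE header fields: the loader's section-name checks (LdrpCheckNxIncompatibleDllSection and LdrpCheckSafeDiscDll, in the NT loader notes) and the first three of the configuration builder's checks (is it a PE, is it a DLL, is it managed). The JavaScript below is an added example of both on top of one small header parser; it is our illustration, not the Recx builder's code or the loader's. The header offsets are the documented PE32/PE32+ layout; the section-name lists come from the loader post; exact, case-sensitive matching of those names is an assumption; and the test image is a constructed, non-loadable header-only buffer. The SEHOP check is not modelled because the post doesn't say what it inspects.

```javascript
// Section names the loader post says LdrpCheckNxIncompatibleDllSection looks for.
const NX_INCOMPATIBLE_SECTIONS = new Set([".aspack", ".pcle", ".sforce"]);
// Names LdrpCheckSafeDiscDll looks for, only when the DLL is secserv.dll.
const SAFEDISC_SECTIONS = new Set([".txt", ".txt2"]);
const IMAGE_FILE_DLL = 0x2000;   // IMAGE_FILE_HEADER.Characteristics bit
const COM_DESCRIPTOR_DIR = 14;   // data directory index of the CLR (managed) header

// Parse just enough of a PE image held in a Buffer: DOS header -> e_lfanew -> "PE\0\0"
// -> IMAGE_FILE_HEADER -> IMAGE_OPTIONAL_HEADER (magic, data directories) -> section table.
function inspectPe(buf) {
  if (buf.length < 0x40 || buf.toString("latin1", 0, 2) !== "MZ") throw new Error("no MZ header");
  const eLfanew = buf.readUInt32LE(0x3c);
  if (eLfanew + 24 > buf.length || buf.toString("latin1", eLfanew, eLfanew + 4) !== "PE\0\0") {
    throw new Error("no PE signature");
  }
  const coff = eLfanew + 4;                          // IMAGE_FILE_HEADER (20 bytes)
  const nSections = buf.readUInt16LE(coff + 2);
  const optSize = buf.readUInt16LE(coff + 16);
  const characteristics = buf.readUInt16LE(coff + 18);
  if (optSize < 2) throw new Error("no optional header");
  const opt = coff + 20;                             // IMAGE_OPTIONAL_HEADER
  const pe32plus = buf.readUInt16LE(opt) === 0x20b;  // 0x20b = PE32+, 0x10b = PE32
  if (optSize < (pe32plus ? 112 : 96)) throw new Error("optional header too small");
  // NumberOfRvaAndSizes and the directory array sit at different offsets in PE32 vs PE32+.
  const numDirs = buf.readUInt32LE(opt + (pe32plus ? 108 : 92));
  const dirs = opt + (pe32plus ? 112 : 96);
  let managed = false;
  if (numDirs > COM_DESCRIPTOR_DIR && dirs + (COM_DESCRIPTOR_DIR + 1) * 8 <= opt + optSize) {
    managed = buf.readUInt32LE(dirs + COM_DESCRIPTOR_DIR * 8) !== 0;   // CLR header RVA present
  }
  const table = opt + optSize;                       // IMAGE_SECTION_HEADER[nSections], 40 bytes each
  const sections = [];
  for (let i = 0; i < nSections; i++) {
    const off = table + i * 40;
    if (off + 40 > buf.length) throw new Error("truncated section table");
    sections.push(buf.toString("latin1", off, off + 8).replace(/\0+$/, ""));   // 8-byte Name field
  }
  return { pe32plus, isDll: (characteristics & IMAGE_FILE_DLL) !== 0, managed, sections };
}

// The loader NX opt-out conditions from the post, as binary-assurance findings.
function nxOptOutFindings(fileName, info) {
  const findings = [];
  const isSecserv = fileName.toLowerCase() === "secserv.dll";
  for (const s of info.sections) {
    if (NX_INCOMPATIBLE_SECTIONS.has(s)) findings.push(`section ${s}: LdrpCheckNxIncompatibleDllSection disables NX`);
    if (isSecserv && SAFEDISC_SECTIONS.has(s)) findings.push(`secserv.dll section ${s}: LdrpCheckSafeDiscDll match`);
  }
  return findings;
}

// The builder's first three checks: PE file, not a DLL, managed or native.
function emetCandidate(buf) {
  let info;
  try { info = inspectPe(buf); } catch (e) { return { candidate: false, reason: e.message }; }
  if (info.isDll) return { candidate: false, reason: "DLL" };
  return { candidate: true, reason: info.managed ? "managed executable" : "native executable" };
}

// Constructed header-only image for exercising the checks offline (not loadable by Windows).
function buildTestPe({ sections = [".text"], dll = false, managed = false, pe32plus = true } = {}) {
  const optSize = pe32plus ? 240 : 224;              // 112/96 fixed bytes + 16 directories * 8
  const dos = Buffer.alloc(0x40);
  dos.write("MZ", 0, "latin1");
  dos.writeUInt32LE(0x40, 0x3c);                     // e_lfanew
  const coff = Buffer.alloc(20);
  coff.writeUInt16LE(pe32plus ? 0x8664 : 0x14c, 0);  // Machine
  coff.writeUInt16LE(sections.length, 2);            // NumberOfSections
  coff.writeUInt16LE(optSize, 16);                   // SizeOfOptionalHeader
  coff.writeUInt16LE(0x0002 | (dll ? IMAGE_FILE_DLL : 0), 18);   // Characteristics
  const opt = Buffer.alloc(optSize);
  opt.writeUInt16LE(pe32plus ? 0x20b : 0x10b, 0);    // Magic
  opt.writeUInt32LE(16, pe32plus ? 108 : 92);        // NumberOfRvaAndSizes
  if (managed) opt.writeUInt32LE(0x2008, (pe32plus ? 112 : 96) + COM_DESCRIPTOR_DIR * 8);   // CLR header RVA
  const table = Buffer.alloc(40 * sections.length);
  sections.forEach((n, i) => table.write(n, i * 40, 8, "latin1"));
  return Buffer.concat([dos, Buffer.from("PE\0\0", "latin1"), coff, opt, table]);
}
```

To run it over a real directory you would replace buildTestPe with fs.readFileSync on each file and feed the result to inspectPe, reporting nxOptOutFindings for the SDL-style scan and emetCandidate for the EMET list. Parsing failures are deliberately turned into "not a candidate" results rather than exceptions, since a directory such as Program Files contains plenty of non-PE files.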

Step 1: Run EMET Config Builder
Run the Recx EMET Configuration Builder as so (or similar):

EMETConfigBuild "c:\Program Files (x86)" c:\data\EMETConfig.xml 


Step 2: Load EMET / Select Config Apps

Step 3: Import XML

Note: When importing a large number of files, Windows may report that the EMET GUI has become unresponsive. It will complete, just give it time. Also the list of program files will NOT update: you'll need to click 'OK' and then go back into 'Config Apps' to see the list.

Step 4: Test, test and test again
Now ensure you fully test the applications before rolling out on a wider basis.

Getting Recx EMET Config Builder
We make no warranties implied or otherwise. By downloading and using Recx EMET Configuration Builder you agree to take all responsibility for any instabilities its use may introduce into your environment.