why06
February 22nd, 2011, 19:53
Hi, I'm new guy #10678, good to meet you all.
So, long story short. Shim Engine is a DLL (shimeng.dll) used by the Microsoft Application Compatibility Interface. This interface is used to provide compatibility for certain older applications that relied on faulty, deprecated, or replaced APIs so they still function in newer versions of Windows like Win 7, Vista, and beyond. What it does is take these APIs and replace them with its own code to some extent.
references:
t-11058.html
http://en.wikipedia.org/wiki/Shim_%28computing%29
http://hi.baidu.com/007ware/blog/item/dcbcc11acc52b9138618bfda.html
http://myitforum.com/cs2/blogs/kkaminski/archive/2010/01/30/app-v-and-application-compatibility-shims.aspx
I came across this phenomenon of shimming while trying out Lena's Reversing for Newbies (http://tuts4you.com/download.php?list.17). I started off going through the tutorials pretty easily; it wasn't until I got to the unpacking tutorials (halfway through) that I began experiencing a lot of problems. I would notice that even after unpacking and fixing the imports, there would be 1 or 2 imports that were still off. I noticed calls to a module called shimeng.dll. I ignored this at first, thinking it was some unidentified packer utility Lena just forgot to tell me about, but as I progressed I kept seeing the same phenomenon pop up again and again, and not just in one, but in multiple packers. Finally I had enough. I couldn't understand what was going on! The packer wasn't the code changing the addresses, and it was being done before the app even loaded. So I started an app normally and attached to it, then I started the same app in Olly. One had the Shim Engine loaded and the other did not. I immediately called my buddy up to take a look too, and he helped me find some of the links I posted and helped me figure out this is all part of the ACI.
Now I'm trying to find out more about it. I have some general ideas of how it works, but am looking for some real documentation by MS on why and how it triggers, all the way down to how the APIs are overwritten. Somehow these hooks even work on packed IATs before the program even unpacks. Now that seems like a powerful tool for some really advanced hooking, but I have no idea how it works. I could try reversing it, but I'm a novice, as you can see, and these modules are loaded before the EntryPoint is even broken on when Olly loads the app. So I came across this forum in my search and thought maybe someone here knows about the ACI.
So I'm looking to you guys. Any advice on how I might try reversing the ACI based on the links I posted, or any links to MS documentation of the ACI?
EDIT: Sorry, I can't get the links to work for some reason.
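Added example (not code from the original post, and not Microsoft's): a PowerShell script that lists which running processes currently have shimeng.dll or one of the Ac*.dll shim implementation modules loaded, and dumps the registry keys where shim databases (SDBs) are attached to executables. It assumes Windows PowerShell 5.1 or later; the module names and the AppCompatFlags registry paths are the standard Windows application-compatibility locations, not values taken from the post. Running it while one copy of the target is launched normally and another is started under a debugger makes the difference described above visible, and the InstalledSDB entries name the .sdb file whose shims are responsible for the rewritten imports.

```powershell
# Added example (not from the original post): list processes that currently have
# the shim engine or a shim implementation DLL loaded, and show which shim
# databases (SDBs) are registered on the machine. Assumptions: Windows PowerShell
# 5.1 or later; the module-name list and registry paths below are the standard
# Windows application-compatibility locations, not values taken from the post.

# Module names that indicate an application is being shimmed. shimeng.dll is the
# engine the post observed; the Ac*.dll modules live in %SystemRoot%\AppPatch
# and contain the actual replacement code for the hooked APIs.
$ShimModuleNames = @('shimeng.dll', 'acgenral.dll', 'aclayers.dll', 'acxtrnal.dll', 'acspecfc.dll')

# Registry keys where shims are attached to executables.
$ShimRegistryKeys = @(
    # Per-executable list of custom SDB GUIDs applied to it
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom',
    # Installed custom databases: GUID subkey -> DatabasePath / DatabaseDescription
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB',
    # Compatibility-mode "layers" chosen via the exe's Properties dialog
    'HKCU:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers',
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers'
)

function Get-ShimmedProcess {
    # Returns one object per (process, shim module) pair. Processes whose module
    # list cannot be read (protected, other bitness, access denied) are skipped.
    [CmdletBinding()]
    param([string]$Name = '*')

    foreach ($proc in Get-Process -Name $Name -ErrorAction SilentlyContinue) {
        try {
            $modules = $proc.Modules
        } catch {
            Write-Verbose "Cannot enumerate modules of PID $($proc.Id) ($($proc.ProcessName)): $_"
            continue
        }
        foreach ($m in $modules) {
            if ($ShimModuleNames -contains $m.ModuleName.ToLower()) {
                [pscustomobject]@{
                    ProcessName = $proc.ProcessName
                    ProcessId   = $proc.Id
                    ShimModule  = $m.ModuleName
                    ModulePath  = $m.FileName
                    BaseAddress = ('0x{0:X}' -f $m.BaseAddress.ToInt64())
                }
            }
        }
    }
}

function Get-RegisteredShim {
    # Dumps every value under the shim registry keys so a shimmed executable can
    # be traced back to the database file that carries its shims.
    foreach ($key in $ShimRegistryKeys) {
        if (-not (Test-Path $key)) { continue }
        # Layers keys hold values directly; Custom and InstalledSDB hold subkeys.
        $items = @(Get-Item $key) + @(Get-ChildItem $key -Recurse -ErrorAction SilentlyContinue)
        foreach ($item in $items) {
            foreach ($valueName in $item.GetValueNames()) {
                [pscustomobject]@{
                    Key   = $item.PSPath -replace '^Microsoft\.PowerShell\.Core\\Registry::', ''
                    Name  = $valueName
                    Value = $item.GetValue($valueName)
                }
            }
        }
    }
}

# Usage: start the target normally and once more under a debugger, then compare;
# only the normally launched copy is expected to show shimeng.dll here.
Get-ShimmedProcess | Format-Table -AutoSize
Get-RegisteredShim | Format-Table -Wrap
```

Run it from an elevated PowerShell of the same bitness as the target process; module enumeration across bitness or into protected processes fails, and those processes are skipped (use `-Verbose` on `Get-ShimmedProcess` to see which). The Custom and InstalledSDB output also gives a way to audit which shim databases are installed on a machine, since a shim applied to an executable changes what that executable's imports resolve to without touching the file on disk.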