(*) Names of apps and vendors have been removed to protect the guilty.

Transcript
What does the vendor say?
How did that happen?
C:\Program Files\[app name removed]\Program\Options.xml
%userprofile%\Options.xml
1.
2.
C:\Program Files\[app name removed]\Program\Options.xml
.\Program\Options.xml

3.
[Diagram: the App.exe process has IAT entries for CreateFile; with the shim applied, those entries point to the CorrectFilePaths implementation in the Shim DLL, which in turn calls the CreateFileW implementation in Kernel32.dll.]
API Family / Intercepted APIs

CreateProcess Routines (4):
  CreateProcess[AW], WinExec, ShellExecute[AW], ShellExecuteEx[AW]

Profile (Ini-File) Routines (8):
  GetPrivateProfileInt[AW], GetPrivateProfileSection[AW],
  GetPrivateProfileSectionNames[AW], GetPrivateProfileString[AW],
  GetPrivateProfileStruct[AW], WritePrivateProfileSection[AW],
  WritePrivateProfileString[AW], WritePrivateProfileStruct[AW]

File Routines (22):
  CopyFile[AW], CopyFileEx[AW], CreateDirectory[AW], CreateDirectoryEx[AW],
  CreateFile[AW], DeleteFile[AW], FindFirstFile[AW], FindFirstFileEx[AW],
  GetBinaryType[AW], GetFileAttributes[AW], GetFileAttributesEx[AW],
  SetFileAttributes[AW], GetTempFileName[AW], GetLongPathName[AW], MoveFile[AW],
  MoveFileEx[AW], MoveFileWithProgress[AW], RemoveDirectory[AW],
  SetCurrentDirectory[AW], OpenFile, _lopen, _lcreat

ShellLink Routines (4):
  IShellLink[AW]::SetPath, IShellLink[AW]::SetArguments, IShellLink[AW]::SetIconLocation,
  IPersistFile::Save

LoadImage Routines (1):
  LoadImageA
http://blogs.msdn.com/aaron_margosis/pages/LuaBuglight.aspx
blogs.msdn.com/cjacks
blogs.msdn.com/aaron_margosis
http://blogs.msdn.com/aaron_margosis/archive/2006/06/19/638148.aspx
blogs.technet.com/fdcc
What is the Springboard Series?
Inside of Microsoft we are
To the IT pro, our goal is
• A turnkey IT pro engagement platform for depth and breadth
• The program to mobilize MS marketing and field to
focus on desktop OS IT pros
• Be the definitive resource for Desktop IT pros
• Open, honest; show don’t tell
• Information at right time, right level across Adoption Lifecycle
Virtual Roundtable Events
Straight-talk Monthly Feature
Articles and Overview Guides
Springboard Technical Experts
Panel Event Support
and Resources
TalkingAboutWindows
Video Blogs
one-Windows
TechCenter in 10 languages
www.microsoft.com/teched
www.microsoft.com/learning
http://microsoft.com/technet
http://microsoft.com/msdn
Sign up for Tech·Ed 2011 and save $500
starting June 8 – June 31st
http://northamerica.msteched.com/registration
You can also register at the
North America 2011 kiosk located at registration
Join us in Atlanta next year
[Diagram: Windows loads AppY.exe v2.3.4.5 and checks the AppCompat DB(s); when a match is found, selected calls from AppY.exe into the Windows APIs (Kernel32, User32, Advapi32, OleAut32, ...) are intercepted and modified.]
Problem Type / Symptoms

Invalid Windows version check:
  Says “This app requires Windows XP”

Admin rights issue:
  Says “Requires admin rights”, or fails non-elevated, works elevated
  (Caveat about testing elevated)

Security configuration:
  Works when Group Policy or security template setting is removed

New platform:
  Works with Windows Classic theme
Problem Type / Shim

Bad Windows version checks:
  Version Lie Shims (e.g., WinXPSP3VersionLie)

Writing to HKCR at runtime:
  VirtualizeHKCRLite

Unnecessary checks for “am I admin?”:
  ForceAdminAccess

Writing to WRP-protected keys and files:
  WRPMitigation, WRPDllRegister, WRPRegDeleteKey

Windows thinks your app is an installer:
  SpecificNonInstaller

Writing to protected folder and registry locations:
  CorrectFilePaths, VirtualRegistry

Using kernel object in global space:
  LocalMappedObject