Defending Against Malicious Application Compatibility Shims
Taught by Black Hat

Overview
This Black Hat conference talk covers the often-overlooked Application Compatibility Toolkit (ACT) and the Application Compatibility Framework it configures, from both the attacker's and the defender's side. It walks through how Shim Database Files (.sdb) are created and how the shims they install can intercept API calls, change how PE files are loaded, and subvert key system processes. It shows how sophisticated actors use the framework for persistence and privilege escalation, and covers the more advanced uses of malicious shims: in-memory patching, malware obfuscation, evasion, and subversion of system integrity. On the defensive side, it presents publicly available tools for detecting and preventing malicious shims and for quick triage of .sdb files, so that enterprise environments, individual hosts, and applications can be protected against this stealthy and flexible class of attack.
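The triage step the talk describes starts with finding out which shim databases a host has registered. The script below is an added example for this page; it is not code from the talk or from the tools it references. It enumerates the registry keys that sdbinst.exe writes (AppCompatFlags\InstalledSDB and AppCompatFlags\Custom) and the default drop directory under %SystemRoot%\AppPatch, then cross-checks them in both directions. It assumes Windows PowerShell 5.1 or later run from an elevated prompt on the host being examined; the function names are the author's own, and the registry value names used are the ones sdbinst.exe itself writes.

```powershell
# Added triage example; not code from the Black Hat talk or its tools.
# Assumes Windows PowerShell 5.1+ on the examined host, run elevated so that
# HKLM and %SystemRoot%\AppPatch are readable.

$AppCompatFlags = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags'

function Get-InstalledShimDatabase {
    # sdbinst.exe records every installed database under InstalledSDB\{GUID}.
    # An attacker can write the same values directly, so treat them as claims
    # to be verified against disk rather than as ground truth.
    $key = Join-Path $AppCompatFlags 'InstalledSDB'
    if (-not (Test-Path $key)) { return }
    foreach ($sub in Get-ChildItem $key) {
        $p    = Get-ItemProperty $sub.PSPath
        $path = if ($p.DatabasePath) { [Environment]::ExpandEnvironmentVariables($p.DatabasePath) } else { $null }
        [pscustomobject]@{
            Guid            = $sub.PSChildName
            Description     = $p.DatabaseDescription
            Path            = $path
            # DatabaseInstallTimeStamp is a 64-bit FILETIME
            InstalledUtc    = if ($p.DatabaseInstallTimeStamp) { [datetime]::FromFileTimeUtc($p.DatabaseInstallTimeStamp) } else { $null }
            FileExists      = if ($path) { Test-Path -LiteralPath $path } else { $false }
            OutsideAppPatch = (-not $path) -or ($path -notlike "$env:SystemRoot\AppPatch\*")
        }
    }
}

function Get-ShimmedExecutable {
    # Custom\<image name> holds one value per database applied to that image:
    # the value name is the {GUID}.sdb file, the data is an install FILETIME.
    $key = Join-Path $AppCompatFlags 'Custom'
    if (-not (Test-Path $key)) { return }
    foreach ($sub in Get-ChildItem $key) {
        foreach ($name in $sub.GetValueNames()) {
            [pscustomobject]@{ Executable = $sub.PSChildName; Database = $name }
        }
    }
}

function Get-OnDiskShimDatabase {
    # Default location sdbinst.exe copies databases to; 64-bit hosts also use Custom64.
    $dirs = "$env:SystemRoot\AppPatch\Custom", "$env:SystemRoot\AppPatch\Custom\Custom64"
    foreach ($d in $dirs) {
        if (Test-Path -LiteralPath $d) { Get-ChildItem -LiteralPath $d -Filter *.sdb -File }
    }
}

# Cross-check registry against disk in both directions.
$installed = @(Get-InstalledShimDatabase)
$onDisk    = @(Get-OnDiskShimDatabase)

Write-Host '== Registered shim databases =='
$installed | Format-Table Guid, Description, Path, InstalledUtc, FileExists, OutsideAppPatch -AutoSize

Write-Host '== Registered but missing on disk, or stored outside AppPatch =='
$installed | Where-Object { -not $_.FileExists -or $_.OutsideAppPatch } | Format-Table Guid, Path -AutoSize

Write-Host '== .sdb files in AppPatch\Custom with no InstalledSDB entry =='
$registeredPaths = $installed | ForEach-Object { $_.Path } | Where-Object { $_ }
$onDisk | Where-Object { $registeredPaths -notcontains $_.FullName } |
    Format-Table FullName, LastWriteTimeUtc, Length -AutoSize

Write-Host '== Executables with custom shims applied =='
Get-ShimmedExecutable | Format-Table Executable, Database -AutoSize
```

Three findings from this listing merit a closer look: a database registered with a DatabasePath outside %SystemRoot%\AppPatch (sdbinst.exe always copies there, so an unusual path means the registry was written some other way), an .sdb on disk with no InstalledSDB entry or vice versa, and a Custom entry for a system binary or service host that the organisation never shimmed. Legitimate enterprise ACT deployments do register databases, so compare against a known-good baseline rather than treating every entry as malicious, and feed any unexplained .sdb into a shim database parser for the actual fix list before drawing conclusions.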