Application shimming

Application shimming is a Windows Application Compatibility framework that Microsoft created to allow programs to run on versions of the OS that they were not initially written for. Most applications that used to run on Windows XP can today run on Windows 10 because of this framework. The operation of the framework is quite simple: it creates a shim that sits as a buffer between a legacy program and the operating system. When a program executes, the shim cache is consulted to find out whether it needs to use the shim database. If so, the shim database uses an API to redirect the program's calls appropriately, so that it can communicate with the OS. Since shims are in direct communication with the OS, Windows added a safety feature: shims are designed to run in user mode.

Without admin privileges, shims cannot modify the kernel. However, attackers have been able to create custom shims that can bypass user account control, inject DLLs into running processes, and meddle with memory addresses. These shims can enable an attacker to run their own malicious programs with elevated privileges. They can also be used to turn off security software, especially Windows Defender.

The following diagram illustrates the use of a custom shim against a new version of the Windows OS:

It is worth walking through an example of how a shim is created. First, you need to start the Compatibility Administrator from the Microsoft Application Compatibility Toolkit.

The following figure shows Microsoft's Application Compatibility Toolkit (12):

Next, you have to create a new database under Custom Databases by right-clicking on the New Database (1) option and selecting the option to create a new application fix.

The following figure shows the process of creating a new application fix (12):

The next step is to give details of the particular program you want to create a shim for:

Next, you have to select the version of Windows that the shim is being created for. After selecting the Windows version, a number of compatibility fixes will be shown for the particular program. You are at liberty to choose the fixes that you want:

After clicking on Next, all the fixes you've chosen will be shown and you can click on Finish to end the process. The shim will be stored in the new database. To apply it, you need to right-click on the new database and click on Install. Once this is done, the program will run with all the compatibility fixes you selected in your shim:
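The install step above registers the database with Windows, which is exactly what a defender can audit. The following PowerShell script is an added example (not code from the book or from Microsoft's toolkit); it assumes the default registry location under AppCompatFlags and the default %SystemRoot%\AppPatch\Custom folder that Windows uses for custom SDB files, and lists every installed custom shim database, the executables it targets, and any SDB files on disk that no registry entry references.

```powershell
# Audit custom shim databases installed through Compatibility Administrator
# (or sdbinst.exe). Added example; assumes the default registry locations and
# the default %SystemRoot%\AppPatch\Custom path for custom SDB files.

$base = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags'

# 1. Every installed custom database is registered under InstalledSDB, keyed by GUID.
$installed = Get-ChildItem -Path "$base\InstalledSDB" -ErrorAction SilentlyContinue |
    ForEach-Object {
        $p = Get-ItemProperty -Path $_.PSPath
        [pscustomobject]@{
            Guid        = $_.PSChildName
            Description = $p.DatabaseDescription
            Path        = $p.DatabasePath
            # The install timestamp is a FILETIME stored as a QWORD.
            Installed   = if ($p.DatabaseInstallTimeStamp) {
                              [DateTime]::FromFileTime($p.DatabaseInstallTimeStamp)
                          }
        }
    }

# 2. The Custom key maps each shimmed executable name to the SDB file(s) applied to it.
$targets = Get-ChildItem -Path "$base\Custom" -ErrorAction SilentlyContinue |
    ForEach-Object {
        $exe = $_.PSChildName
        (Get-Item -Path $_.PSPath).GetValueNames() | ForEach-Object {
            [pscustomobject]@{ Executable = $exe; Sdb = $_ }
        }
    }

# 3. SDB files on disk that no InstalledSDB entry references deserve a closer look.
$onDisk = Get-ChildItem -Path "$env:SystemRoot\AppPatch\Custom" -Filter *.sdb `
            -Recurse -ErrorAction SilentlyContinue
$referenced = $installed.Path | ForEach-Object { [IO.Path]::GetFileName($_).ToLower() }
$orphaned = $onDisk | Where-Object { $referenced -notcontains $_.Name.ToLower() }

"== Installed custom shim databases =="
$installed | Format-Table -AutoSize
"== Executables with custom shims applied =="
$targets | Format-Table -AutoSize
"== SDB files on disk not registered in InstalledSDB =="
$orphaned | Select-Object FullName, LastWriteTime
```

Run it from an elevated prompt; a database you installed with Compatibility Administrator should appear in the first two tables, and anything in the third table was placed on disk without going through the normal install path.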
