SESSION CODE: WCL 301
Aaron Margosis, Principal Consultant, Microsoft Corporation

(*) Names of apps and vendors have been removed to protect the guilty

What does the vendor say?

How did that happen?

C:\Program Files\[app name removed]\ProgramOptions.xml
%userprofile%\Options.xml

[Diagram: numbered steps 1 to 3 around C:\Program Files\[app name removed]\ProgramOptions.xml; the step text is not recoverable]

Process: App.exe
  IAT • CreateFile → Shim DLL: CorrectFilePaths implementation
Shim DLL
  IAT • CreateFile → Kernel32.dll: CreateFileW implementation
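The CorrectFilePaths redirect sketched in the two slides above (the ProgramOptions.xml path pair and the intercepted CreateFile call), as an added Python model that is not code from the presentation or from the Application Compatibility Toolkit: it shows the path rewrite the shim DLL's replacement CreateFile would apply before handing the call to the real CreateFileW. The %userprofile%\Redirected target, the copy-on-write read fallback, the environment values and the set of existing per-user files are constructed assumptions for this example.

```python
import ntpath

# Constructed inputs for this example (not a real profile or real files).
CONSTRUCTED_ENV = {"userprofile": r"C:\Users\alice"}
CONSTRUCTED_PER_USER_FILES = {r"C:\Users\alice\Redirected\App\Options.xml"}


def _norm(path: str) -> str:
    """Canonical form for prefix comparison: collapse '..' and '/', fold case."""
    return ntpath.normpath(path).lower()


class PathRedirector:
    """Rewrites paths under protected per-machine prefixes to a per-user prefix, as a
    CorrectFilePaths-style shim would before calling the real CreateFileW. Assumed
    semantics: writes always redirect; reads redirect only if a per-user copy exists."""

    def __init__(self, mapping, env, exists):
        # mapping: [(protected_prefix, per_user_prefix)]; per_user_prefix may use %VAR%
        self.mapping = [(_norm(src), self._expand(dst, env)) for src, dst in mapping]
        self.exists = exists  # injected existence check, so this runs without a filesystem

    @staticmethod
    def _expand(path: str, env: dict) -> str:
        for name, value in env.items():
            path = path.replace("%" + name + "%", value)
        return path

    def redirect(self, path: str, for_write: bool) -> str:
        # Normalise first, so 'C:\Program Files\..\Windows\x' is not treated as under Program Files.
        full = ntpath.normpath(path)
        low = full.lower()
        for src, dst in self.mapping:
            # Require the separator after the prefix: 'C:\Program Files (x86)' is a different tree.
            if low == src or low.startswith(src + "\\"):
                candidate = ntpath.join(dst, full[len(src):].lstrip("\\"))
                if for_write or self.exists(candidate):
                    return candidate
                return full  # read with no per-user copy yet: fall back to the original file
        return full  # not under any protected prefix: untouched


def demo_redirector() -> PathRedirector:
    """Redirector configured with the example mapping and constructed inputs."""
    mapping = [(r"C:\Program Files", r"%userprofile%\Redirected")]
    return PathRedirector(mapping, CONSTRUCTED_ENV, lambda p: p in CONSTRUCTED_PER_USER_FILES)


if __name__ == "__main__":
    r = demo_redirector()
    print(r.redirect(r"C:\Program Files\App\ProgramOptions.xml", for_write=True))
    print(r.redirect(r"C:\Program Files\App\ProgramOptions.xml", for_write=False))
```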

API Family / Intercepted APIs

CreateProcess Routines (4): CreateProcess[AW], WinExec, ShellExecute[AW], ShellExecuteEx[AW]

Profile (Ini-File) Routines (8): GetPrivateProfileInt[AW], GetPrivateProfileSectionNames[AW], GetPrivateProfileString[AW], GetPrivateProfileStruct[AW], WritePrivateProfileSection[AW], WritePrivateProfileString[AW], WritePrivateProfileStruct[AW]

File Routines (22): CopyFile[AW], CopyFileEx[AW], CreateDirectoryEx[AW], CreateFile[AW], DeleteFile[AW], FindFirstFileEx[AW], GetBinaryType[AW], GetFileAttributesEx[AW], SetFileAttributes[AW], GetTempFileName[AW], GetLongPathName[AW], MoveFileEx[AW], MoveFileWithProgress[AW], RemoveDirectory[AW], SetCurrentDirectory[AW], OpenFile, _lopen, _lcreat

ShellLink Routines (4): IShellLink[AW]::SetPath, IShellLink[AW]::SetArguments, IShellLink[AW]::SetIconLocation, IPersistFile::Save

LoadImage Routines (1): LoadImageA

http://blogs.msdn.com/aaron_margosis/pages/LuaBuglight.aspx

blogs.msdn.com/cjacks
blogs.msdn.com/aaron_margosis
http://blogs.msdn.com/aaron_margosis/archive/2006/06/19/638148.aspx
blogs.technet.com/fdcc

What is the Springboard Series?

Inside of Microsoft we are:
• A turnkey IT pro engagement platform for depth and breadth
• The program to mobilize MS marketing and field to focus on desktop OS IT pros

To the IT pro, our goal is:
• Be the definitive resource for Desktop IT pros
• Open, honest; show don’t tell
• Information at right time, right level across Adoption Lifecycle

Adoption Lifecycle: DISCOVER (Virtual Roundtable Events), EXPLORE (Straight-talk Monthly Feature Articles and Overview Guides), PILOT (Springboard Technical Experts Panel Event Support and Resources), DEPLOY (TalkingAboutWindows Video Blogs), MANAGE (one-Windows TechCenter in 10 languages)

www.microsoft.com/teched
www.microsoft.com/learning
http://microsoft.com/technet
http://microsoft.com/msdn

Sign up for Tech·Ed 2011 and save $500 starting June 8 – June 31st
http://northamerica.msteched.com/registration
You can also register at the North America 2011 kiosk located at registration.
Join us in Atlanta next year.

AppY.exe v2.3.4.5

Windows loads app. Checks AppCompat DB(s). Match found: selected API calls intercepted and modified.

Windows APIs:
• Advapi32
• Kernel32
• User32
• OleAut32
• …

Problem Type / Symptoms

Invalid Windows version check: Says “This app requires Windows XP”
Admin rights issue: Says “Requires admin rights”, or fails non-elevated, works elevated (caveat about testing elevated)
Security configuration: Works when Group Policy or security template setting is removed
New platform: Works with Windows Classic theme

Problem Type / Shim

Bad Windows version checks: Version Lie shims (e.g., WinXPSP3VersionLie)
Writing to HKCR at runtime: VirtualizeHKCRLite
Unnecessary checks for “am I admin?”: ForceAdminAccess
Writing to WRP-protected keys and files: WRPMitigation, WRPDllRegister, WRPRegDeleteKey
Windows thinks your app is an installer: SpecificNonInstaller
Writing to protected folder and registry locations: CorrectFilePaths, VirtualRegistry
Using kernel object in global space: LocalMappedObject