• DFIR Tools
  • TZWorks Windows Shim Database (SDB) Parser (shims)

TZWorks Windows Shim Database (SDB) Parser (shims)


DFIR Tools

License Type
Malware Analysis
Misc Malware Tools

is a command line tool that targets the malware investigator, rather than the E-Discovery forensicator. The goal of the shims tool is to parse and extract components from an Application Compatibility Database (referenced here as Shim Database or SDB file) in view which applications are targeted for hot-patching, DLL injection or privilege escalation.

The Application Compatibility framework from Microsoft uses the Shim Database to identify if, and how, an application or DLL should be shimmed during process startup and/or DLL load. The default Shim Database is located at \Windows\AppPatch\sysmain.sdb and can contain thousands of entries for a normal Win7 box.

While the Window's Shim engine is used to enhance the user experience as well as resolve incompatibles between older binaries and operating systems they are running on, it can also be used (and has been used) as a launching point for malware. Specifically, the Application Compatibility framework allows installed applications on a Windows box to be patched 'on the fly' (ie. modified without a reboot), and this patch can be used to spawn other processes and/or inject undesired DLLs into the patched application. This functionality offers the malware writer another way to achieve persistence across reboots. Therefore, understanding which Shim Databases are on your system subsequently parsing those databases to extract targeted patches per application is one of the primary purposes of this tool.

User comments

There are no user comments for this listing.