TZWorks LLC
System Analysis and Programming
www.tzworks.com
(Version 0.44)
TZWorks LLC software and related documentation ("Software") is governed by separate licenses issued from TZWorks LLC. The User Agreement, Disclaimer, and/or Software may change from time to time. By continuing to use the Software after those changes become effective, you agree to be bound by all such changes. Permission to use the Software is granted provided that (1) use of such Software is in accordance with the license issued to you and (2) the Software is not resold, transferred or distributed to any other person or entity. Refer to the specific EULA issued to you for the terms and conditions. There are 3 types of licenses available: (i) for educational purposes, (ii) for demonstration and testing purposes and (iii) for business and/or commercial purposes. Contact TZWorks LLC (info@tzworks.com) for more information regarding licensing and/or to obtain a license. To redistribute the Software, prior approval in writing is required from TZWorks LLC. The terms in your specific EULA do not give the user any rights in intellectual property or technology, but only a limited right to use the Software in accordance with the license issued to you. TZWorks LLC retains all rights to ownership of this Software.
The Software is subject to U.S. export control laws, including the U.S. Export Administration Act and its associated regulations. The Export Control Classification Number (ECCN) for the Software is 5D002, subparagraph C.1. The user shall not, directly or indirectly, export, re-export or release the Software to, or make the Software accessible from, any jurisdiction or country to which export, re-export or release is prohibited by law, rule or regulation. The user shall comply with all applicable U.S. federal laws, regulations and rules, and complete all required undertakings (including obtaining any necessary export license or other governmental approval), prior to exporting, re-exporting, releasing, or otherwise making the Software available outside the U.S.
The user agrees that this Software made available by TZWorks LLC is experimental in nature and use of the Software is at user's sole risk. The Software could include technical inaccuracies or errors. Changes are periodically added to the information herein, and TZWorks LLC may make improvements and/or changes to Software and related documentation at any time. TZWorks LLC makes no representations about the accuracy or usability of the Software for any purpose.
ALL SOFTWARE ARE PROVIDED "AS IS" AND "WHERE IS" WITHOUT WARRANTY OF ANY KIND INCLUDING ALL IMPLIED WARRANTIES AND CONDITIONS OF MERCHANTABILITY, FITNESS FOR ANY PARTICULAR PURPOSE, TITLE AND NON-INFRINGEMENT. IN NO EVENT SHALL TZWORKS LLC BE LIABLE FOR ANY KIND OF DAMAGE RESULTING FROM ANY CAUSE OR REASON, ARISING OUT OF IT IN CONNECTION WITH THE USE OR PERFORMANCE OF INFORMATION AVAILABLE FROM THIS SOFTWARE, INCLUDING BUT NOT LIMITED TO ANY DAMAGES FROM ANY INACCURACIES, ERRORS, OR VIRUSES, FROM OR DURING THE USE OF THE SOFTWARE.
The Software is the original work of TZWorks LLC. However, to be in compliance with the Digital Millennium Copyright Act of 1998 ("DMCA") we agree to investigate and disable any material for infringement of copyright. Contact TZWorks LLC at email address: info@tzworks.com, regarding any DMCA concerns.
shims is a command line tool that parses and extracts components from an Application Compatibility Database (referred to here as a Shim Database or SDB file). This database is the configuration component used by the Windows Shim engine to resolve compatibility issues between an application and the way it interacts with Windows.
The Application Compatibility framework uses the Shim database to determine if, and how, an application or DLL should be shimmed during process startup and/or DLL load. The default Shim database is located at \Windows\AppPatch\sysmain.sdb and can contain thousands of entries on a normal Win7 box. In addition to the sysmain.sdb database, Windows can have other pre-installed databases as well as user-defined custom databases.
While the Windows Shim engine exists to enhance the user experience and to resolve incompatibilities between older binaries and the operating systems they run on, it can also be used (and has been used) as a launching point for malware. Specifically, the Application Compatibility framework allows applications installed on a Windows box to be patched 'on the fly' (e.g. modified without a reboot). Such a patch can be used to spawn other processes and/or inject unwanted DLLs into the patched application, which offers the malware writer another way to achieve persistence across reboots. Therefore, identifying which Shim databases are on your system and then parsing those databases to extract the targeted patches per application is one of the primary purposes of this tool.
There are at least four different types of modifications that can be done with the Application Compatibility framework:
To target an application, or a family of applications, entries within the Shim Database can supply either specific internal parameters or very generic external parameters to the Application Compatibility matching algorithm. For example, below are some of the options that can be seen when examining a Shim Database.
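To make the structure behind the -stats, -exes and -patches options concrete, here is a minimal walker for the SDB tag format. This is an added example written for this page, not TZWorks code and not how shims itself is implemented. It assumes the public apphelp layout (12-byte header with the "sdbf" magic, then 16-bit tags whose high nibble encodes the value type, with LIST/STRING/BINARY tags carrying a 32-bit length) and the STRINGREF-to-string-table offset convention noted in the comments; the sample database it parses is constructed inline and is not a real Windows SDB.

```python
"""Minimal Shim Database (SDB) tag walker (added example, not TZWorks code).

Layout assumed here (check against a real sysmain.sdb before relying on it):
a 12-byte header (major, minor, magic b"sdbf") followed by a stream of 16-bit
tags whose high nibble gives the value type; LIST, STRING and BINARY tags
carry a 32-bit byte count, the other types have a fixed width.
"""
import struct
from collections import Counter

TAG_TYPE_MASK = 0xF000
FIXED_WIDTH = {0x1000: 0, 0x2000: 1, 0x3000: 2, 0x4000: 4, 0x5000: 8, 0x6000: 4}
TAG_TYPE_LIST, TAG_TYPE_STRING, TAG_TYPE_BINARY = 0x7000, 0x8000, 0x9000
# Tag ids used below (public apphelp tag values)
TAG_DATABASE, TAG_PATCH, TAG_EXE = 0x7001, 0x7005, 0x7007
TAG_SHIM_REF, TAG_PATCH_REF = 0x7009, 0x700A
TAG_STRINGTABLE, TAG_STRINGTABLE_ITEM = 0x7801, 0x8801
TAG_NAME, TAG_PATCH_BITS = 0x6001, 0x9002


def parse_region(buf, start, end):
    """Parse buf[start:end] into (tag, value, offset) nodes; LIST values nest."""
    nodes, pos = [], start
    while pos < end:
        node_off = pos
        (tag,) = struct.unpack_from("<H", buf, pos)
        pos += 2
        ttype = tag & TAG_TYPE_MASK
        if ttype in FIXED_WIDTH:
            width = FIXED_WIDTH[ttype]
            value = int.from_bytes(buf[pos:pos + width], "little") if width else None
            pos += width
        else:
            (size,) = struct.unpack_from("<I", buf, pos)
            pos += 4
            if ttype == TAG_TYPE_LIST:
                value = parse_region(buf, pos, pos + size)
            elif ttype == TAG_TYPE_STRING:
                value = buf[pos:pos + size].decode("utf-16-le").rstrip("\x00")
            elif ttype == TAG_TYPE_BINARY:
                value = bytes(buf[pos:pos + size])
            else:
                raise ValueError(f"unknown tag type {ttype:#06x} at offset {node_off:#x}")
            pos += size
        nodes.append((tag, value, node_off))
    return nodes


def load_sdb(buf):
    """Return (version, root nodes, {stringref: text})."""
    major, minor, magic = struct.unpack_from("<II4s", buf, 0)
    if magic != b"sdbf":
        raise ValueError("not an SDB file (bad magic)")
    root = parse_region(buf, 12, len(buf))
    strings = {}
    for tag, children, off in root:
        if tag == TAG_STRINGTABLE:
            # Assumption: a STRINGREF is the item's offset from the first byte of
            # the STRINGTABLE payload (after its 2-byte tag and 4-byte size).
            base = off + 6
            strings = {item_off - base: text for _, text, item_off in children}
    return (major, minor), root, strings


def summarize(buf):
    """Tag counts plus the EXE targets and PATCH entries a reviewer should inspect."""
    version, root, strings = load_sdb(buf)
    counts, exes, patches = Counter(), [], []

    def name_of(children):
        return next((strings.get(v) for t, v, _ in children if t == TAG_NAME), None)

    def visit(nodes):
        for tag, value, _ in nodes:
            counts[tag] += 1
            if tag == TAG_EXE:  # which fix lists this executable pulls in
                refs = [t for t, _, _ in value if t in (TAG_SHIM_REF, TAG_PATCH_REF)]
                exes.append((name_of(value), refs))
            elif tag == TAG_PATCH:  # PATCH_BITS are the bytes written into the target
                bits = sum(len(v) for t, v, _ in value if t == TAG_PATCH_BITS)
                patches.append((name_of(value), bits))
            if isinstance(value, list):
                visit(value)

    visit(root)
    return {"version": version, "counts": counts, "exes": exes, "patches": patches}


# Constructed sample database (not a real Windows SDB): one EXE entry whose
# PATCH_REF points at a 16-byte PATCH, plus the string table both rely on.
def _sized(tag, payload):
    return struct.pack("<HI", tag, len(payload)) + payload

def _sref(tag, ref):
    return struct.pack("<HI", tag, ref)

def _wstr(text):
    return (text + "\x00").encode("utf-16-le")

def build_sample_sdb():
    items, refs = b"", {}
    for text in ("legacyapp.exe", "LegacyFix"):
        refs[text] = len(items)  # offset inside the STRINGTABLE payload
        items += _sized(TAG_STRINGTABLE_ITEM, _wstr(text))
    patch = _sized(TAG_PATCH, _sref(TAG_NAME, refs["LegacyFix"])
                   + _sized(TAG_PATCH_BITS, bytes(range(16))))
    exe = _sized(TAG_EXE, _sref(TAG_NAME, refs["legacyapp.exe"])
                 + _sized(TAG_PATCH_REF, _sref(TAG_NAME, refs["LegacyFix"])))
    return (struct.pack("<II", 2, 1) + b"sdbf"
            + _sized(TAG_DATABASE, patch + exe) + _sized(TAG_STRINGTABLE, items))
```

Running `summarize(build_sample_sdb())` reports version (2, 1), one EXE named legacyapp.exe that carries a PATCH_REF, and one PATCH named LegacyFix with 16 patch bytes. On a real database the items to review are exactly those: EXE entries whose fix references are PATCH_REFs (in-memory code changes) rather than plain SHIM_REFs, together with the PATCH entries they point at.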
Below is the menu with the various options. Details of the main options are given in the tables that follow.

```text
Usage
   shims -listsdb                   = list SDB files on system volume
   shims -stats                     = pull stats from SDB files on system volume
   shims -sdb <DB> [opts]           = target SDB file w/ specific option

 Enumerate options
   -apps                            = all apps (exes, packages, driverblocks,..)
   -exes                            = filter only exe tags
   -fixes                           = all types of fixes (shims, flags,..)
   -shims                           = filter only shim tag fixes
   -patches                         = filter only patch tag fixes
   -tag <#>                         = filter specific tag type
   -guids                           = enumerate guids
   -stringtable                     = enumerate stringtable

 Find Options
   -strings "str1 | str2 |.."       = finds partial strings [case insensitive]
   -guid <guid to find>             = syntax: 11111111-1111-1111-1111-111111111111
   -tagids "id1 | id2 |.."          = finds specified tagids
   -patchbytes "pattern"            = find patch, hex bytes w/ space delimiters
   -match                           = use w/ -pe <PE file> to check for shims

 Additional Options
   -vss <index>                     = target Volume snapshop at index
   -partition <letter>              = target Shim DB locations in this volume
   -pipe                            = use stdin to identify files to process
   -stats -sdb <file>               = pull stats (on SDB File). [-reg <sw hive>]
   -stats -pe <file>                = pull stats (on PE File)
   -enumsdb                         = list SDB files
   -filter <*partial*|*.ext>        = filters stdin data from -pipe option

 General Examples
   shims -sdb <file> -apps          = pull all apps from DB
   shims -sdb <file> -patches       = pull all patches from DB
   shims -sdb <file> -stats         = pull DB stats
   shims -pe <file> -stats          = pull stats from PE file

 Pulling stats from multiple SDB's
   dir c:\windows\AppPatch\*.sdb /b /s | shims -stats -pipe -csv > out.csv
   shims -vss 2 -stats -csv > out.csv
   shims -partition c: -exes > out.txt
```
To extract general purpose information from one of these databases, use the -stats option. This gives summary information of what type of compatibility fixes are in the database as well as various timestamps associated with the database.
To search the database or find details about certain entries, one can use a variety of other options. This includes filtering on patches, shims and fixes, which are all different types of compatibility fixes, or just searching for specific target executables or DLLs.
All the compatibility fixes will be rendered in XML output, while the statistics options can be done in either unformatted text or CSV output.
For more information on what the various options mean and examples of how to use them, look at the shims user's guide.
Option | Description |
---|---|
-apps | Enumerate application category entries. This includes, but is not limited to, the following types: exe, packages, msi_packages. |
-exes | Enumerate executable category entries (TAG_EXE) |
-fixes | Enumerate the various types of fixes, including but not limited to: shims, patches, flags, layers, etc. |
-shims | Enumerate shim category entries (TAG_SHIM). |
-patches | Enumerate patch category entries (TAG_PATCH). |
-tag | Enumerate the specified tag. Needs to be of type TAG_LIST_LIST. The syntax is -tag <#>. |
-guids | Enumerate all GUIDs in the database along with name associated with the GUID. |
-stringtable | Enumerate all the strings in the string table. |
Option | Description |
---|---|
-strings | Search for the specified partial strings. If more than one partial string is listed, then use a pipe delimiter between each string and enclose the entire set of strings between double quotes. Will search using case-insensitive logic and will look for partial strings. |
-guid | Search for the specified GUID. The GUID syntax is 11111111-1111-1111-1111-111111111111. |
-tagids | Search for the specified tagid's. More than one tagid can be searched on as long as the entire set of tag identifiers are enclosed in quotes and delimited by the pipe character. |
-patchbytes | Search for the specified byte pattern in the available patches. |
-match | Experimental. Used in conjunction with the -pe <PE File> option to search the specified Shim DB for possible shims to the specified PE file. |
Option | Description |
---|---|
-vss | Experimental. Parse SDB artifacts from a Volume Shadow copy. The syntax is -vss <index number of shadow copy>. Only applies to Windows Vista, Win7, Win8 and beyond. Does not apply to Windows XP. |
-stats | Output a set of summary statistics about the Shim DB. Syntax is -sdb <db> -stats. This option also is aware of the following sub-options (see below). |
-pe | Specifies that the target file is a PE file rather than a Shim DB file. Used in conjunction with the -stats option (e.g. -pe <file> -stats) and the -match option (e.g. -pe <file> -sdb <Shim DB>). |
-pipe | Used to pipe files into the tool via STDIN (standard input). Each file passed in is parsed in sequence. |
-enumdir | Experimental. Used to process files within a folder and/or subfolders. Each file is parsed in sequence. The syntax is -enumdir <"folder"> -num_subdirs <#>. |
-filter | Filters data passed in via stdin via the -pipe option. The syntax is -filter <"*.ext | *partialname* | ...">. The wildcard character '*' is restricted to either before the name or after the name. |
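To show what the -pipe / -filter combination selects from a directory listing, here is a small re-implementation of the -filter matching rules described in the table above. It is an added example written for this page, not TZWorks code, and it assumes three things the page does not spell out: patterns are matched against the file name only (the text after the last path separator), matching is case-insensitive as Windows file names are, and '*' is accepted only at the start and/or end of a pattern. The directory listing it filters is constructed inline and is not real output.

```python
"""Re-implementation of the -filter rules for file names arriving via -pipe.

Added example, not TZWorks code. Assumptions: patterns match the file name
only, case-insensitively, and '*' may appear only at the start and/or end.
"""
import ntpath


def compile_filter(spec):
    """Split '*.sdb | custom* | *legacy*' into (kind, text) matchers."""
    matchers = []
    for raw in spec.split("|"):
        pat = raw.strip().lower()
        if not pat:
            continue
        core = pat.strip("*")
        if "*" in core:  # the page restricts '*' to before or after the name
            raise ValueError(f"'*' only allowed at start or end: {raw.strip()!r}")
        leading, trailing = pat.startswith("*"), pat.endswith("*")
        if leading and trailing:
            kind = "contains"
        elif leading:
            kind = "endswith"
        elif trailing:
            kind = "startswith"
        else:
            kind = "equals"
        matchers.append((kind, core))
    return matchers


def name_matches(name, matchers):
    """True if the case-folded file name satisfies any one matcher."""
    n = name.lower()
    for kind, core in matchers:
        if ((kind == "contains" and core in n)
                or (kind == "endswith" and n.endswith(core))
                or (kind == "startswith" and n.startswith(core))
                or (kind == "equals" and n == core)):
            return True
    return False


def filter_paths(lines, spec):
    """Keep the paths (one per line, as 'dir /b /s' prints them) that pass the filter."""
    matchers = compile_filter(spec)
    kept = []
    for line in lines:
        path = line.strip()
        if path and name_matches(ntpath.basename(path), matchers):
            kept.append(path)
    return kept


# Constructed sample of what 'dir c:\windows\AppPatch /b /s' might list (not real output;
# the all-zero GUID is a placeholder file name)
SAMPLE_LISTING = [
    r"c:\windows\AppPatch\sysmain.sdb",
    r"c:\windows\AppPatch\drvmain.sdb",
    r"c:\windows\AppPatch\AcLayers.dll",
    r"c:\windows\AppPatch\Custom\{00000000-0000-0000-0000-000000000000}.sdb",
    r"c:\windows\AppPatch\Custom\Custom64\legacy_fix.sdb",
]

if __name__ == "__main__":
    for spec in ("*.sdb", "sysmain*", "*main* | *.dll", "AcLayers.dll"):
        print(spec, "->", filter_paths(SAMPLE_LISTING, spec))
```

With the sample listing, "*.sdb" keeps the four database files, "sysmain*" keeps only sysmain.sdb, and "*main* | *.dll" keeps sysmain.sdb, drvmain.sdb and AcLayers.dll in the order they were piped in. In practice the filter is applied on the shims side of the pipe, so the equivalent of this script is `dir ... /b /s | shims -stats -pipe -filter "*.sdb" -csv`.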
Option | Description |
---|---|
-reg | Pull Application Compatibility data related to custom shim databases from the specified Software hive. Syntax is -reg <sw hive>. |
-csv | Outputs the data fields delimited by commas. |
-csvl2t | Outputs the data fields in accordance with the log2timeline format. |
-csv_separator | Used in conjunction with the -csv option to change the CSV separator from the default comma to something else. Syntax is -csv_separator "|" to change the CSV separator to the pipe character. |
-no_whitespace | Used in conjunction with -csv option to remove any whitespace between the field value and the CSV separator. |
-hostname | Option is used to populate the output records with a specified hostname. The syntax is -hostname <name to use>. |
-dateformat | Output the date using the specified format. Default behavior is -dateformat "yyyy-mm-dd". Using this option allows one to adjust the format to mm/dd/yy, dd/mm/yy, etc. The restriction with this option is the forward slash (/) or dash (-) symbol needs to separate month, day and year and the month is in digit (1-12) form versus abbreviated name form. |
-timeformat | Output the time using the specified format. Default behavior is -timeformat "hh:mm:ss.xxx". One can adjust the format to microseconds, via "hh:mm:ss.xxxxxx", or nanoseconds, via "hh:mm:ss.xxxxxxxxx", or no fractional seconds, via "hh:mm:ss". The restrictions with this option are that a colon (:) symbol needs to separate hours, minutes and seconds, a period (.) symbol needs to separate the seconds and fractional seconds, and the repeating symbol 'x' is used to represent the number of fractional-second digits. (Note: the fractional seconds apply only to those time formats that have the appropriate precision available. The Windows internal filetime has, for example, 100 nsec unit precision available.) |
-utf8_bom | All output is in Unicode UTF-8 format. If desired, one can prefix an UTF-8 byte order mark to the output using this option. |
This tool has authentication built into the binary. The primary authentication mechanism is the digital X509 code signing certificate embedded into the binary (Windows and macOS).
The other mechanism is the runtime authentication, which applies to all the versions of the tools (Windows, Linux and macOS). The runtime authentication ensures that the tool has a valid license. The license needs to be in the same directory as the tool for it to authenticate. Furthermore, any modification to the license, either to its name or contents, will invalidate the license.
The tools from TZWorks will output header information about the tool's version and whether it is running in limited, demo or full mode. This is directly related to what version of a license the tool authenticates with. The limited and demo keywords indicate that some functionality of the tool is not available, and the full keyword indicates that all the functionality is available. The lacking functionality in the limited or demo versions may mean one or all of the following: (a) certain options may not be available, (b) certain data may not be output in the parsed results, and (c) the license has a finite lifetime before expiring.