A forum for reverse engineering, OS internals and malware analysis 

 #15869  by Tigzy
 Tue Oct 02, 2012 6:43 pm
Hello

Nice PoC!
What if we register a DLL that does not exist in a process's database?
Will this lead to a crash of the process?
As a result, you cannot use shims to bypass any security mechanisms present in Windows
Uh, wait...
 #15870  by 0x16/7ton
 Tue Oct 02, 2012 7:02 pm
Tigzy wrote:Hello

Nice PoC!
What if we register a DLL that does not exist in a process's database?
Will this lead to a crash of the process?
As a result, you cannot use shims to bypass any security mechanisms present in Windows
Uh, wait...
The process would work without a crash)
 #15995  by SomeUnusedName
 Mon Oct 15, 2012 9:04 am
In case someone is interested in more detail regarding shims, this is a good article:

Secrets of the Application Compatilibity Database (SDB) – Part 1 (Alex Ionescu's blog)

Edit:

Even better: Secrets of the Application Compatilibity Database (SDB) – Part 2

Check these shims:
NAME="TerminateExe"
DLLFILE="AcGenral.DLL"
DESCRIPTION="This compatibility fix terminates an executable (.EXE) immediately upon launch."

NAME="RedirectEXE"
DLLFILE="AcGenral.DLL"
DESCRIPTION="This compatibility fix calls WinExec on the passed command line, and then terminates the caller process. The command line can contain any environment variables that need to be passed to the executable."
Instead of using DLL injection, you might as well use the TerminateExe shim on AV processes, so no DLL drop is needed!
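Since the thread discusses applying shims such as TerminateExe and RedirectEXE to other processes, the obvious defensive counterpart is to enumerate which custom shim databases are installed on a host and which executables they are attached to. The script below is an added example, not code from any post in this thread or from the tools it mentions. It reads the two registry locations that sdbinst.exe writes when it installs a custom database (AppCompatFlags\InstalledSDB\{GUID} and AppCompatFlags\Custom\<exe name>); the process names in $watch are placeholders to be replaced with whatever security products run on the host.

```powershell
# Added example (not from the forum thread): list custom shim databases
# registered on this host and the executables they are wired to.
# Registry paths are the ones sdbinst.exe populates; the output shape and the
# $watch list are this example's own choices.

$base = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags'

# InstalledSDB\{GUID}: one key per custom database installed with sdbinst.exe
$installed = @{}
Get-ChildItem "$base\InstalledSDB" -ErrorAction SilentlyContinue | ForEach-Object {
    $p = Get-ItemProperty $_.PSPath
    $installed[$_.PSChildName] = [pscustomobject]@{
        Guid        = $_.PSChildName
        Path        = $p.DatabasePath
        Description = $p.DatabaseDescription
        # DatabaseInstallTimeStamp is a FILETIME stored as a QWORD
        Installed   = if ($p.DatabaseInstallTimeStamp) {
                          [DateTime]::FromFileTime($p.DatabaseInstallTimeStamp)
                      } else { $null }
    }
}

# Custom\<exe name>: each value named "{GUID}.sdb" is a database applied to that exe
$hits = foreach ($exeKey in Get-ChildItem "$base\Custom" -ErrorAction SilentlyContinue) {
    $exe   = $exeKey.PSChildName
    $props = Get-ItemProperty $exeKey.PSPath
    foreach ($valueName in $props.PSObject.Properties.Name) {
        if ($valueName -notlike '{*}.sdb') { continue }
        $guid = $valueName -replace '\.sdb$', ''
        $db   = $installed[$guid]          # $null if the mapping is orphaned
        [pscustomobject]@{
            TargetExe       = $exe
            DatabaseGuid    = $guid
            DatabasePath    = $db.Path
            Description     = $db.Description
            Installed       = $db.Installed
            # sdbinst copies custom databases under %WINDIR%\AppPatch\Custom;
            # a database living anywhere else (or an orphaned mapping) deserves a look
            OutsideAppPatch = -not ($db.Path -like "$env:WINDIR\AppPatch\*")
        }
    }
}

$hits | Sort-Object TargetExe | Format-Table -AutoSize

# Placeholder names for the security products the thread talks about shimming.
# Replace with the actual service/agent executables deployed on the host.
$watch = @('MsMpEng.exe', 'MBAMService.exe', 'avp.exe', 'ccSvcHst.exe')
$hits | Where-Object { $watch -contains $_.TargetExe } | ForEach-Object {
    Write-Warning "Custom shim DB $($_.DatabaseGuid) is applied to $($_.TargetExe) ($($_.DatabasePath))"
}

# To remove a database you did not install, use the documented uninstaller:
#   sdbinst.exe -u -g <GUID>
```

Run it from an elevated PowerShell prompt; the keys live under HKLM, so a shim database can only be installed with administrative rights in the first place, which is also why the InstalledSDB key is a reliable record of what sdbinst.exe has touched.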