Friday, 4 May 2012

Windows AppCompat Research Notes - Part 2

So, to follow on from our last post, a little more on this subject...

Additional files related to AppCompat
So there are some additional files we didn't cover last time. The first key one is NTDLL.dll, which contains the loader functions that call into the shim engine. The call flow is approximately:

LdrInitializeThunk --> _LdrpInitialize --> __LdrpInitialize --> LdrpInitializeProcess --> LdrpLoadShimEngine --> LdrpGetShimEngineInterface, then LdrpRunShimEngineInitRoutine --> calls into AppHelp.dll

or via the dynamic route, where AppHelp.dll imports LdrInitShimEngineDynamic from NTDLL and calls it from SE_DynamicShim:

LdrInitShimEngineDynamic --> LdrpGetShimEngineInterface

The other thing we noted is that ShimEng.dll is just a shell of a DLL: every one of its exports is a forwarder into AppHelp.dll. Its export table on Windows 7 looks like this:
SE_DllLoaded (forwarded to APPHELP.SE_DllLoaded)
SE_DllUnloaded (forwarded to APPHELP.SE_DllUnloaded)
SE_DynamicShim (forwarded to APPHELP.SE_DynamicShim)
SE_GetHookAPIs (forwarded to APPHELP.SE_GetHookAPIs)
SE_GetMaxShimCount (forwarded to APPHELP.SE_GetMaxShimCount)
SE_GetProcAddressIgnoreIncExc (forwarded to APPHELP.SE_GetProcAddressIgnoreIncExc)
SE_GetShimCount (forwarded to APPHELP.SE_GetShimCount)
SE_InstallAfterInit (forwarded to APPHELP.SE_InstallAfterInit)
SE_InstallBeforeInit (forwarded to APPHELP.SE_InstallBeforeInit)
SE_IsShimDll (forwarded to APPHELP.SE_IsShimDll)
SE_ProcessDying (forwarded to APPHELP.SE_ProcessDying)
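Forwarders are easy to miss in a casual dumpbin listing, so here is an added Python export-table walker (not code from the original post) that tells them apart the same way the loader does: a forwarder's function RVA lands inside the export directory itself and points at a string such as APPHELP.SE_DllLoaded instead of code. Point it at C:\Windows\System32\ShimEng.dll to reproduce the list above. Because it has to run offline here, it also builds a constructed stand-in image (build_sample_dll, two exports, one forwarded) that is not a real file.

```python
import struct
import sys

IMAGE_NT_OPTIONAL_HDR64_MAGIC = 0x20B


def _read_cstr(buf, off):
    return buf[off:buf.index(b"\0", off)].decode("ascii")


def _rva_to_offset(sections, rva):
    """Map an RVA to a file offset using the section table (raw file, not a loaded image)."""
    for va, raw_ptr, raw_size in sections:
        if va <= rva < va + raw_size:
            return rva - va + raw_ptr
    raise ValueError("RVA %#x not backed by any section" % rva)


def parse_exports(data):
    """Return (dll_name, {export_name: ("forwarder", target) or ("code", rva)}).

    An export is a forwarder when its function RVA falls inside the export
    directory (DataDirectory[0]); the bytes there are a "DLL.Function" string.
    Handles PE32 and PE32+ on-disk images.
    """
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    opt = e_lfanew + 24
    magic = struct.unpack_from("<H", data, opt)[0]
    dd = opt + (112 if magic == IMAGE_NT_OPTIONAL_HDR64_MAGIC else 96)
    exp_rva, exp_size = struct.unpack_from("<II", data, dd)
    if exp_rva == 0:
        return None, {}
    sections = []
    for i in range(nsec):   # VirtualAddress, SizeOfRawData, PointerToRawData at +12 of each header
        va, raw_size, raw_ptr = struct.unpack_from("<III", data, opt + opt_size + i * 40 + 12)
        sections.append((va, raw_ptr, raw_size))
    d = _rva_to_offset(sections, exp_rva)
    name_rva, _base, nfunc, nnames, af, an, ao = struct.unpack_from("<7I", data, d + 12)
    funcs = struct.unpack_from("<%dI" % nfunc, data, _rva_to_offset(sections, af))
    names = struct.unpack_from("<%dI" % nnames, data, _rva_to_offset(sections, an))
    ords = struct.unpack_from("<%dH" % nnames, data, _rva_to_offset(sections, ao))
    exports = {}
    for nrva, idx in zip(names, ords):
        name = _read_cstr(data, _rva_to_offset(sections, nrva))
        rva = funcs[idx]
        if exp_rva <= rva < exp_rva + exp_size:
            exports[name] = ("forwarder", _read_cstr(data, _rva_to_offset(sections, rva)))
        else:
            exports[name] = ("code", rva)
    return _read_cstr(data, _rva_to_offset(sections, name_rva)), exports


def forwarded_exports(data):
    """Just the forwarders: {export_name: "TARGETDLL.Function"}."""
    return {n: t for n, (k, t) in parse_exports(data)[1].items() if k == "forwarder"}


def build_sample_dll():
    """Constructed stand-in (not a real file): minimal PE32+ image whose export table
    has one forwarder (SE_DllLoaded -> APPHELP.SE_DllLoaded) and one real export."""
    sec_rva, sec_raw = 0x1000, 0x200
    dll_name, fwd = b"SHIMENG.dll", b"APPHELP.SE_DllLoaded"
    names = [b"SE_DllLoaded", b"LocalFunc"]
    n = len(names)
    off_funcs, off_names = 40, 40 + 4 * n
    off_ords, off_str = off_names + 4 * n, off_names + 4 * n + 2 * n
    strings, str_rva = bytearray(), {}
    for s in [dll_name, fwd] + names:
        str_rva[s] = sec_rva + off_str + len(strings)
        strings += s + b"\0"
    exp_size = off_str + len(strings)
    funcs = [str_rva[fwd], sec_rva + exp_size + 0x10]   # second RVA is past the export dir: real code
    edata = struct.pack("<IIHHIIIIIII", 0, 0, 0, 0, str_rva[dll_name], 1, n, n,
                        sec_rva + off_funcs, sec_rva + off_names, sec_rva + off_ords)
    edata += struct.pack("<%dI" % n, *funcs)
    edata += struct.pack("<%dI" % n, *(str_rva[s] for s in names))
    edata += struct.pack("<%dH" % n, *range(n))
    edata += strings
    hdr = bytearray(0x40)
    hdr[:2] = b"MZ"
    hdr[0x3C:0x40] = struct.pack("<I", 0x40)                       # e_lfanew
    hdr += b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x2022)
    opt = bytearray(240)
    opt[:2] = struct.pack("<H", IMAGE_NT_OPTIONAL_HDR64_MAGIC)
    opt[112:120] = struct.pack("<II", sec_rva, exp_size)            # DataDirectory[0] = exports
    hdr += opt
    hdr += struct.pack("<8sIIIIIIHHI", b".edata", len(edata), sec_rva, 0x200, sec_raw,
                       0, 0, 0, 0, 0x40000040)
    hdr += b"\0" * (sec_raw - len(hdr))
    return bytes(hdr + edata + b"\0" * (0x200 - len(edata)))


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_dll()
    dll, exports = parse_exports(data)
    print(dll)
    for name, (kind, target) in sorted(exports.items()):
        print("  %-32s %s %s" % (name, kind, target if kind == "forwarder" else "%#x" % target))
```

Only named exports are walked; ordinal-only exports would need a pass over the whole AddressOfFunctions array. Running it on ShimEng.dll should print nothing but forwarders, which is the observation that points at AppHelp.dll as the real engine.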

So this identifies AppHelp.dll as the real shim engine. AppHelp.dll's exports deal with a range of shim-engine functions, including handling of the SDB (shim database) files as well as the entry points called by the loader. If we turn on 'Show loader snaps' via gflags.exe (Global Flags) we see the following:

LdrGetProcedureAddressEx - INFO: Locating procedure "SE_InstallBeforeInit" by name
LdrGetProcedureAddressEx - INFO: Locating procedure "SE_InstallAfterInit" by name
LdrGetProcedureAddressEx - INFO: Locating procedure "SE_DllLoaded" by name
LdrGetProcedureAddressEx - INFO: Locating procedure "SE_DllUnloaded" by name
LdrGetProcedureAddressEx - INFO: Locating procedure "SE_LdrEntryRemoved" by name
LdrGetProcedureAddressEx - INFO: Locating procedure "SE_GetProcAddressLoad" by name
LdrGetProcedureAddressEx - INFO: Locating procedure "SE_ProcessDying" by name

Later on, for the same EMET-enabled process, we then see:

LdrpRunInitializeRoutines - INFO: Calling init routine 0000000072C57FE0 for DLL "C:\Windows\AppPatch\AppPatch64\EMET64.dll"
LdrpLoadDll - RETURN: Status: 0x00000000
LdrLoadDll - RETURN: Status: 0x00000000
LdrGetProcedureAddressEx - INFO: Locating procedure "NotifyShims" by name
LdrGetProcedureAddressEx - INFO: Locating procedure "GetHookAPIs" by name

Shim Debug Levels
So an interesting feature we noticed in AppHelp.dll was the shim debug levels. There is a function called GetShimDbgLevel() which returns an int; it simply returns the value of the environment variable SHIM_DEBUG_LEVEL. As is the story of our lives, searching Google for that variable name turns up an interesting 2008 blog post from the Microsoft AppCompat guy on enabling diagnostic output from shims.

Using DebugView, without a debugger attached, we see:
[58768] SHIMVIEW: PID(58768) Level(MSG) Exe(notepad.exe) ShimInfo(ExePath(C:\Windows\system32\notepad.exe))
[58768] SHIMVIEW: PID(58768) Level(MSG) Exe(notepad.exe) ShimInfo(MMDDYYYY(05/04/2012 12:56))
[58768] SHIMVIEW: PID(58768) Level(MSG) Exe(notepad.exe) ShimInfo(DbEntryStart(0))
[58768] SHIMVIEW: PID(58768) Level(MSG) Exe(notepad.exe) ShimInfo(ApplicationName(EMET_Apps))
[58768] SHIMVIEW: PID(58768) Level(MSG) Exe(notepad.exe) ShimInfo(DBGuid({e1c810aa-f7cc-4aaf-ada1-181863075f9b}))
[58768] SHIMVIEW: PID(58768) Level(MSG) Exe(notepad.exe) ShimInfo(ExeGuid({355ad468-8834-479e-b73d-c4473deaf89e}))
[58768] SHIMVIEW: PID(58768) Level(MSG) Exe(notepad.exe) ShimInfo(ShimName(EMET_Shim))
[58768] SHIMVIEW: PID(58768) Level(MSG) Exe(notepad.exe) ShimInfo(DbEntryStop(0))
[58768] SHIMVIEW: PID(58768) Level(MSG) Exe(notepad.exe) ShimInfo(Complete)


But with a debugger attached we see different text in DebugView:
[57456] SHIMVIEW:[pid: 0x0000e070][Warn][SdbpCheckExe        ] ++++ Successful match for App: 'EMET_Apps', Exe: 'notepad.exe', Mode: 0x0002 [Mode: Additive
[57456] SHIMVIEW:[pid: 0x0000e070][Warn][SdbpSearchDB        ] + Final match is App: "EMET_Apps", exe: "notepad.exe".
[57456] SHIMVIEW:[pid: 0x0000e070][Info][SdbPackAppCompatData] 
[57456] SHIMVIEW:dwFlags    0x1
[57456] SHIMVIEW:dwMagic    0xAC0DEDAB
[57456] SHIMVIEW:trExe      0x300001D0
[57456] SHIMVIEW:trLayer    0x0
[57456] SHIMVIEW:[pid: 0x0000e070][Info][SdbPackAppcompatData] Database List
[57456] SHIMVIEW:[pid: 0x0000e070][Info][SdbPackAppcompatData] 0x30000000 {e1c810aa-f7cc-4aaf-ada1-181863075f9b} 
[57456] SHIMVIEW:[pid: 0x0000e070][Info][SdbPackAppcompatData] Exe   0x300001d0

While in WinDbg itself we see:

[Info][SdbOpenDatabase     ] Failed to get the database ID.
18db4:181b0 @ 1847768412 - LdrpFindLoadedDll - RETURN: Status: 0x00000000
18db4:181b0 @ 1847768412 - LdrGetDllHandleEx - RETURN: Status: 0x00000000
18db4:181b0 @ 1847768412 - LdrGetProcedureAddressEx - INFO: Locating procedure "RtlGetProductInfo" by name
[Info][SdbUnpackAppCompatData] Appcompat Data for "C:\Windows\System32\notepad.exe":
dwFlags    0x1
dwMagic    0xAC0DEDAB
trExe      0x300001D0
trLayer    0x0
[Info][SdbOpenDatabase     ] Failed to get the database ID.
[Err ][SdbpTraceFixGroupItem] Failed to locate fix ID.
SHIMVIEW: PID(101812) Level(MSG) Exe(notepad.exe) ShimInfo(ExePath(C:\Windows\System32\notepad.exe))
SHIMVIEW: PID(101812) Level(MSG) Exe(notepad.exe) ShimInfo(MMDDYYYY(05/04/2012 14:10))
SHIMVIEW: PID(101812) Level(MSG) Exe(notepad.exe) ShimInfo(DbEntryStart(0))
SHIMVIEW: PID(101812) Level(MSG) Exe(notepad.exe) ShimInfo(ApplicationName(EMET_Apps))
SHIMVIEW: PID(101812) Level(MSG) Exe(notepad.exe) ShimInfo(DBGuid({e1c810aa-f7cc-4aaf-ada1-181863075f9b}))
SHIMVIEW: PID(101812) Level(MSG) Exe(notepad.exe) ShimInfo(ExeGuid({355ad468-8834-479e-b73d-c4473deaf89e}))
SHIMVIEW: PID(101812) Level(MSG) Exe(notepad.exe) ShimInfo(ShimName(EMET_Shim))
SHIMVIEW: PID(101812) Level(MSG) Exe(notepad.exe) ShimInfo(DbEntryStop(0))
SHIMVIEW: PID(101812) Level(MSG) Exe(notepad.exe) ShimInfo(Complete)
[Info][SdbGetDllPath       ] Opening file "C:\Windows\AppPatch\AppPatch64\EMET64.dll".
[Info][SdbGetDllPath       ] Using DLL "C:\Windows\AppPatch\AppPatch64\EMET64.dll".

On Windows 7 at least we couldn't get the log files to work, and it appears the code may have changed, as we couldn't see that environment variable in NTDLL.DLL.

Shim Engine Debug Levels
The big one to set is the environment variable SHIMENG_DEBUG_LEVEL (set it to 9). Setting this leads to an explosion of information in DebugView (without a debugger attached):

[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiCheckComPlusImage] COM+ executable FALSE
[113236] SHIMVIEW: PID(113236) Level(MSG) Exe(notepad.exe) ShimInfo(ExePath(C:\Windows\system32\notepad.exe))
[113236] SHIMVIEW: PID(113236) Level(MSG) Exe(notepad.exe) ShimInfo(MMDDYYYY(05/04/2012 14:34))
[113236] SHIMVIEW: PID(113236) Level(MSG) Exe(notepad.exe) ShimInfo(DbEntryStart(0))
[113236] SHIMVIEW: PID(113236) Level(MSG) Exe(notepad.exe) ShimInfo(ApplicationName(EMET_Apps))
[113236] SHIMVIEW: PID(113236) Level(MSG) Exe(notepad.exe) ShimInfo(DBGuid({e1c810aa-f7cc-4aaf-ada1-181863075f9b}))
[113236] SHIMVIEW: PID(113236) Level(MSG) Exe(notepad.exe) ShimInfo(ExeGuid({355ad468-8834-479e-b73d-c4473deaf89e}))
[113236] SHIMVIEW: PID(113236) Level(MSG) Exe(notepad.exe) ShimInfo(ShimName(EMET_Shim))
[113236] SHIMVIEW: PID(113236) Level(MSG) Exe(notepad.exe) ShimInfo(DbEntryStop(0))
[113236] SHIMVIEW: PID(113236) Level(MSG) Exe(notepad.exe) ShimInfo(Complete)
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiSetEntryProcessed] Don't mess with 0x77CA0000 "ntdll.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiSetEntryProcessed] Don't mess with 0xFE210000 "KERNELBASE.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiSetEntryProcessed] Don't mess with 0x77810000 "kernel32.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiSetEntryProcessed] Touching        0xFFAD0000 "msvcrt.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiSetEntryProcessed] Touching        0xFFD60000 "RPCRT4.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiSetEntryProcessed] Touching        0xFFEF0000 "sechost.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiSetEntryProcessed] Touching        0xFEB40000 "ADVAPI32.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiSetEntryProcessed] Touching        0x77710000 "USER32.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiSetEntryProcessed] Touching        0xFE6E0000 "USP10.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiSetEntryProcessed] Touching        0xFFAC0000 "LPK.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiSetEntryProcessed] Touching        0xFFC10000 "GDI32.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiSetEntryProcessed] Touching        0xFEA60000 "SHLWAPI.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiSetEntryProcessed] Touching        0xFCB30000 "COMCTL32.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiSetEntryProcessed] Touching        0xFED30000 "SHELL32.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiSetEntryProcessed] Touching        0xFE7B0000 "COMDLG32.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiSetEntryProcessed] Touching        0xFBC90000 "WINSPOOL.DRV"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiSetEntryProcessed] Touching        0xFE4D0000 "ole32.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiSetEntryProcessed] Touching        0xFFC80000 "OLEAUT32.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiSetEntryProcessed] Touching        0xFD1F0000 "VERSION.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiSetEntryProcessed] Touching        0xFE080000 "apphelp.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiClearLayerEnvVar] Cleared env var __COMPAT_LAYER.
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiInit] No apphack flags for this app "C:\Windows\system32\notepad.exe".
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiBuildGlobalInclExclList] Global inclusion/exclusion list:
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiBuildGlobalInclExclList] Exclude "BLACKBOX.DLL"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiBuildGlobalInclExclList] Include "KERNEL32.DLL"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiBuildGlobalInclExclList] Include "MFC42D.DLL"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiBuildGlobalInclExclList] Include "MFCO42D.DLL"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiBuildGlobalInclExclList] Include "MFCD42D.DLL"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiBuildGlobalInclExclList] Include "MFCN42D.DLL"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiBuildGlobalInclExclList] Include "MFC42ENU.DLL"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiBuildGlobalInclExclList] Include "MFCSUBS.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiBuildGlobalInclExclList] Include "MFC42.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiBuildGlobalInclExclList] Include "MFC40.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiBuildGlobalInclExclList] Include "MSVCRT40.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiBuildGlobalInclExclList] Include "MSVCRT20.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiBuildGlobalInclExclList] Include "MSVCIRT.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiBuildGlobalInclExclList] Include "MSVCRT.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiBuildGlobalInclExclList] Include "OLEAUT32.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiBuildGlobalInclExclList] Include "OLE32.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SE_DllLoaded] INIT. loading DLL "EMET64.dll".
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiSetEntryProcessed] Don't mess with 0x77CA0000 "ntdll.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiSetEntryProcessed] Don't mess with 0xFE210000 "KERNELBASE.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiSetEntryProcessed] Don't mess with 0x77810000 "kernel32.dll"
[4196] KeyboardProc
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiSetEntryProcessed] Don't mess with 0xFFAD0000 "msvcrt.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiSetEntryProcessed] Don't mess with 0xFFD60000 "RPCRT4.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiSetEntryProcessed] Don't mess with 0xFFEF0000 "sechost.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiSetEntryProcessed] Don't mess with 0xFEB40000 "ADVAPI32.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiSetEntryProcessed] Don't mess with 0x77710000 "USER32.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiSetEntryProcessed] Don't mess with 0xFE6E0000 "USP10.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiSetEntryProcessed] Don't mess with 0xFFAC0000 "LPK.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiSetEntryProcessed] Don't mess with 0xFFC10000 "GDI32.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiSetEntryProcessed] Don't mess with 0xFEA60000 "SHLWAPI.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiSetEntryProcessed] Don't mess with 0xFCB30000 "COMCTL32.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiSetEntryProcessed] Don't mess with 0xFED30000 "SHELL32.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiSetEntryProcessed] Don't mess with 0xFE7B0000 "COMDLG32.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiSetEntryProcessed] Don't mess with 0xFBC90000 "WINSPOOL.DRV"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiSetEntryProcessed] Don't mess with 0xFE4D0000 "ole32.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiSetEntryProcessed] Don't mess with 0xFFC80000 "OLEAUT32.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiSetEntryProcessed] Don't mess with 0xFD1F0000 "VERSION.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiSetEntryProcessed] Don't mess with 0xFE080000 "apphelp.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiSetEntryProcessed] Don't mess with 0x73100000 "EMET64.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiInit] Shim DLL 0x73100000 "C:\Windows\AppPatch\AppPatch64\EMET64.dll" loaded
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiInit] Using SHIM "EMET64.dll!EMET_Shim"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiInit] GetHookAPIs returns 0 hooks for DLL "C:\Windows\AppPatch\AppPatch64\EMET64.dll" SHIM "EMET_Shim"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiInit] No patches for this app "C:\Windows\system32\notepad.exe".
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x00000000FF690000 "notepad.exe"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x0000000077CA0000 "ntdll.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x0000000077810000 "kernel32.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFE210000 "KERNELBASE.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFEB40000 "ADVAPI32.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFFAD0000 "msvcrt.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFFEF0000 "sechost.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFFD60000 "RPCRT4.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFFC10000 "GDI32.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x0000000077710000 "USER32.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFFAC0000 "LPK.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFE6E0000 "USP10.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFE7B0000 "COMDLG32.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFEA60000 "SHLWAPI.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFCB30000 "COMCTL32.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFED30000 "SHELL32.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFBC90000 "WINSPOOL.DRV"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFE4D0000 "ole32.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFFC80000 "OLEAUT32.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFD1F0000 "VERSION.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiResetEntryProcessed] Don't mess with "ntdll.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiResetEntryProcessed] Don't mess with "KERNELBASE.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiResetEntryProcessed] Don't mess with "kernel32.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiResetEntryProcessed] Resetting       "msvcrt.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiResetEntryProcessed] Resetting       "RPCRT4.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiResetEntryProcessed] Resetting       "sechost.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiResetEntryProcessed] Resetting       "ADVAPI32.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiResetEntryProcessed] Resetting       "USER32.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiResetEntryProcessed] Resetting       "USP10.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiResetEntryProcessed] Resetting       "LPK.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiResetEntryProcessed] Resetting       "GDI32.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiResetEntryProcessed] Resetting       "SHLWAPI.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiResetEntryProcessed] Resetting       "COMCTL32.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiResetEntryProcessed] Resetting       "SHELL32.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiResetEntryProcessed] Resetting       "COMDLG32.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiResetEntryProcessed] Resetting       "WINSPOOL.DRV"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiResetEntryProcessed] Resetting       "ole32.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiResetEntryProcessed] Resetting       "OLEAUT32.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiResetEntryProcessed] Resetting       "VERSION.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiResetEntryProcessed] Don't mess with "apphelp.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiResetEntryProcessed] Don't mess with "EMET64.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SE_DllLoaded] AFTER INIT. loading DLL "IMM32.DLL".
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x00000000FF690000 "notepad.exe"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x0000000077CA0000 "ntdll.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x0000000077810000 "kernel32.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFE210000 "KERNELBASE.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFEB40000 "ADVAPI32.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFFAD0000 "msvcrt.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFFEF0000 "sechost.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFFD60000 "RPCRT4.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFFC10000 "GDI32.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x0000000077710000 "USER32.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFFAC0000 "LPK.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFE6E0000 "USP10.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFE7B0000 "COMDLG32.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFEA60000 "SHLWAPI.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFCB30000 "COMCTL32.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFED30000 "SHELL32.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFBC90000 "WINSPOOL.DRV"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFE4D0000 "ole32.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFFC80000 "OLEAUT32.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFD1F0000 "VERSION.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFE850000 "IMM32.DLL"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFEC20000 "MSCTF.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SE_DllLoaded] AFTER INIT. loading DLL "CRYPTBASE.dll".
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x00000000FF690000 "notepad.exe"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x0000000077CA0000 "ntdll.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x0000000077810000 "kernel32.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFE210000 "KERNELBASE.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFEB40000 "ADVAPI32.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFFAD0000 "msvcrt.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFFEF0000 "sechost.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFFD60000 "RPCRT4.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFFC10000 "GDI32.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x0000000077710000 "USER32.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFFAC0000 "LPK.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFE6E0000 "USP10.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFE7B0000 "COMDLG32.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFEA60000 "SHLWAPI.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFCB30000 "COMCTL32.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFED30000 "SHELL32.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFBC90000 "WINSPOOL.DRV"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFE4D0000 "ole32.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFFC80000 "OLEAUT32.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFD1F0000 "VERSION.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFE850000 "IMM32.DLL"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFEC20000 "MSCTF.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFDF90000 "CRYPTBASE.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SE_DllLoaded] AFTER INIT. loading DLL "uxtheme.dll".
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x00000000FF690000 "notepad.exe"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x0000000077CA0000 "ntdll.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x0000000077810000 "kernel32.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFE210000 "KERNELBASE.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFEB40000 "ADVAPI32.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFFAD0000 "msvcrt.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFFEF0000 "sechost.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFFD60000 "RPCRT4.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFFC10000 "GDI32.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x0000000077710000 "USER32.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFFAC0000 "LPK.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFE6E0000 "USP10.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFE7B0000 "COMDLG32.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFEA60000 "SHLWAPI.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFCB30000 "COMCTL32.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFED30000 "SHELL32.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFBC90000 "WINSPOOL.DRV"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFE4D0000 "ole32.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFFC80000 "OLEAUT32.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFD1F0000 "VERSION.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFE850000 "IMM32.DLL"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFEC20000 "MSCTF.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFDF90000 "CRYPTBASE.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFC810000 "uxtheme.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SE_DllLoaded] AFTER INIT. loading DLL "dwmapi.dll".
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x00000000FF690000 "notepad.exe"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x0000000077CA0000 "ntdll.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x0000000077810000 "kernel32.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFE210000 "KERNELBASE.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFEB40000 "ADVAPI32.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFFAD0000 "msvcrt.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFFEF0000 "sechost.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFFD60000 "RPCRT4.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFFC10000 "GDI32.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x0000000077710000 "USER32.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFFAC0000 "LPK.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFE6E0000 "USP10.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFE7B0000 "COMDLG32.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFEA60000 "SHLWAPI.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFCB30000 "COMCTL32.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFED30000 "SHELL32.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFBC90000 "WINSPOOL.DRV"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFE4D0000 "ole32.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFFC80000 "OLEAUT32.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFD1F0000 "VERSION.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFE850000 "IMM32.DLL"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFEC20000 "MSCTF.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFDF90000 "CRYPTBASE.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFC810000 "uxtheme.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFC360000 "dwmapi.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SE_DllLoaded] AFTER INIT. loading DLL "btmmhook.dll".
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x00000000FF690000 "notepad.exe"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x0000000077CA0000 "ntdll.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x0000000077810000 "kernel32.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFE210000 "KERNELBASE.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFEB40000 "ADVAPI32.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFFAD0000 "msvcrt.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFFEF0000 "sechost.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFFD60000 "RPCRT4.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFFC10000 "GDI32.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x0000000077710000 "USER32.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFFAC0000 "LPK.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFE6E0000 "USP10.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFE7B0000 "COMDLG32.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFEA60000 "SHLWAPI.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFCB30000 "COMCTL32.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFED30000 "SHELL32.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFBC90000 "WINSPOOL.DRV"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFE4D0000 "ole32.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFFC80000 "OLEAUT32.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFD1F0000 "VERSION.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFE850000 "IMM32.DLL"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFEC20000 "MSCTF.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFDF90000 "CRYPTBASE.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFC810000 "uxtheme.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFC360000 "dwmapi.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x0000000002470000 "btmmhook.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SE_DllLoaded] AFTER INIT. loading DLL "PSAPI.DLL".
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x00000000FF690000 "notepad.exe"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x0000000077CA0000 "ntdll.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x0000000077810000 "kernel32.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFE210000 "KERNELBASE.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFEB40000 "ADVAPI32.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFFAD0000 "msvcrt.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFFEF0000 "sechost.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFFD60000 "RPCRT4.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFFC10000 "GDI32.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x0000000077710000 "USER32.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFFAC0000 "LPK.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFE6E0000 "USP10.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFE7B0000 "COMDLG32.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFEA60000 "SHLWAPI.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFCB30000 "COMCTL32.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFED30000 "SHELL32.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFBC90000 "WINSPOOL.DRV"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFE4D0000 "ole32.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFFC80000 "OLEAUT32.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFD1F0000 "VERSION.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFE850000 "IMM32.DLL"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFEC20000 "MSCTF.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFDF90000 "CRYPTBASE.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFC810000 "uxtheme.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFC360000 "dwmapi.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x0000000002470000 "btmmhook.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x0000000077E60000 "PSAPI.DLL"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SE_DllLoaded] AFTER INIT. loading DLL "CLBCatQ.DLL".
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x00000000FF690000 "notepad.exe"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x0000000077CA0000 "ntdll.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x0000000077810000 "kernel32.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFE210000 "KERNELBASE.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFEB40000 "ADVAPI32.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFFAD0000 "msvcrt.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFFEF0000 "sechost.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFFD60000 "RPCRT4.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFFC10000 "GDI32.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x0000000077710000 "USER32.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFFAC0000 "LPK.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFE6E0000 "USP10.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFE7B0000 "COMDLG32.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFEA60000 "SHLWAPI.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFCB30000 "COMCTL32.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFED30000 "SHELL32.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFBC90000 "WINSPOOL.DRV"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFE4D0000 "ole32.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFFC80000 "OLEAUT32.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFD1F0000 "VERSION.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFE850000 "IMM32.DLL"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFEC20000 "MSCTF.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFDF90000 "CRYPTBASE.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFC810000 "uxtheme.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFC360000 "dwmapi.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x0000000002470000 "btmmhook.dll"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x0000000077E60000 "PSAPI.DLL"
[113236] SHIMVIEW: PID(113236) Level(INFO) Exe(notepad.exe) [SeiHookImports] Hooking module 0x000007FEFFF10000 "CLBCatQ.DLL"


Interesting Bit About NX Compatibility and Section Names in the NT Loader
While digging through NTDLL.dll we noticed the function _LdrpCheckNXCompatibility which, among other things, calls LdrpCheckNxIncompatibleDllSection. LdrpCheckNxIncompatibleDllSection checks whether any of the DLL's sections are named:
  • .aspack
  • .pcle
  • .sforce
If any of these sections are present then the loader will disable NX for the process. As with all things, it would appear this finding isn't a revelation to the world: via a Google search we found that Costin G. Raiu of Kaspersky documented this feature of Windows in 2005 (slide 15 onwards - originally discovered by Yury Mashevsky of Kaspersky). It was later documented again in Dowd and Sotirov's BlackHat 2008 paper on browser memory protection bypass.

A similar check is in _LdrpCheckSafeDiscDll, which checks whether the DLL is named secserv.dll and has a section named one of:
  • .txt
  • .txt2

Now we don't expect anyone to have these by accident, but it's something to keep in mind (and something we're adding to SDL Binary Assurance).
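As an added example (our own code, not anything from the post or from Windows), here is a stdlib-only Python check of the kind a binary-assurance gate could run: it walks a PE file's section table and flags the section names the loader keys on, covering both the NX check above and the secserv.dll SafeDisc check. The minimal PE builder is a constructed test fixture, and an exact, case-sensitive comparison of section names is an assumption.

```python
import struct

# Section names the post says LdrpCheckNxIncompatibleDllSection looks for.
NX_INCOMPATIBLE_SECTIONS = {b".aspack", b".pcle", b".sforce"}
# Section names the post says _LdrpCheckSafeDiscDll looks for in secserv.dll.
SAFEDISC_SECTIONS = {b".txt", b".txt2"}


def pe_section_names(data: bytes) -> list:
    """Return section names from a PE image: DOS header -> e_lfanew -> COFF header -> section table."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]      # NumberOfSections
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]         # SizeOfOptionalHeader
    table = coff + 20 + opt_size                                    # first IMAGE_SECTION_HEADER
    # Each section header is 40 bytes; the name is the first 8, NUL padded.
    return [data[table + i * 40:table + i * 40 + 8].rstrip(b"\0") for i in range(num_sections)]


def loader_nx_findings(filename: str, data: bytes) -> list:
    """Report section names that would make the loader disable NX or take the SafeDisc path."""
    names = set(pe_section_names(data))
    findings = []
    for n in sorted(names & NX_INCOMPATIBLE_SECTIONS):   # exact match is an assumption
        findings.append(f"section {n.decode()} matches LdrpCheckNxIncompatibleDllSection: NX disabled for process")
    if filename.lower() == "secserv.dll":
        for n in sorted(names & SAFEDISC_SECTIONS):
            findings.append(f"secserv.dll with section {n.decode()} matches _LdrpCheckSafeDiscDll")
    return findings


def build_test_pe(section_names: list) -> bytes:
    """Constructed minimal PE32+ image (headers and section table only); a test fixture, not a real binary."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)            # e_lfanew = 64
    opt = b"\0" * 240                                            # PE32+ optional header size
    coff = struct.pack("<HHIIIHH", 0x8664, len(section_names), 0, 0, 0, len(opt), 0x2022)
    sections = b"".join(n.ljust(8, b"\0") + b"\0" * 32 for n in section_names)
    return dos + b"PE\0\0" + coff + opt + sections


if __name__ == "__main__":
    for fn, secs in [("app.exe", [b".text"]), ("packed.exe", [b".text", b".aspack"]), ("secserv.dll", [b".txt2"])]:
        print(fn, loader_nx_findings(fn, build_test_pe(secs)) or "clean")
```

To run it over real files, read each DLL or EXE from disk and pass its bytes and base name to loader_nx_findings.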
