Posted on 18-Jan-2018
Case of the App Compat Bug
Aaron Margosis, Principal Consultant, Microsoft Corporation
Session code: WCL301
Some Available Techniques
• Get rid of the app!
• Update the application
  • Acquire a new version from the vendor
  • Fix the compatibility bugs in the source code
• Pre-install required files and registry keys
• Modify the installer with transforms (e.g., remove Windows version checks)
• Let Windows handle it (file/registry virtualization)
• Apply shims
• Change permissions or policies
• Employ application or machine virtualization
Case of the Failing File Virtualization
Case # 420500 (*)
• Fails when run as a standard user
• Tested on Windows 7, 32-bit
• Error message about a file, and then exit
File virtualization in effect?
• TaskMgr and Process Explorer say "yes"
• Some app files appearing in VirtualStore
• But: access denied on a config.dat under Program Files. Why? (*.dat files should virtualize!)
(*) Names of apps and vendors have been removed to protect the guilty
Case of the Failing File Virtualization: featured tools
• Process Monitor
• Logger
• CompatAdmin
DEMO
Case # 420500
• Figure out what the app is doing
• Look at the call stack in Process Monitor
• Identify the failing API
• Use Logger to identify the API parameters
• Solve with the VirtualizeDeleteFile shim: UAC file virtualization does not fix attempted file deletions or in-place renames
Case of the Failing CorrectFilePaths Shim
Case # 73052
• Writes to Options.xml in the Program Files folder, fails and exits
• Tested on Windows 7, 32-bit
What does the vendor say?
Case # 73052
• Customer says "No!" to that. Hooray for the customer!
Case # 73052
• Why isn't file virtualization kicking in?
• Check the application manifest with SigCheck
• Aha! The app is no longer a "legacy" app! How did that happen?
• Because it was built with VS 2008! (VS 2008 embeds a manifest with a requestedExecutionLevel by default, and UAC virtualization applies only to processes whose manifest lacks one.)
Case # 73052
• Consultant applied a CorrectFilePaths shim
• Replaces instances of: C:\Program Files\[app name removed]\Program\Options.xml
• With: %userprofile%\Options.xml
• And... the app still failed in the same way.
How Can CorrectFilePaths Fail?
1. Does the target location exist?
2. Exact text match, not actual file match. Example: the shim is configured to look for C:\Program Files\[app name removed]\Program\Options.xml. If the program sets its current directory and opens .\Program\Options.xml, there is no match and the shim is not applied.
3. Is the calling DLL getting hooked? What is the immediate calling DLL?
Verify 2 and 3 with LUA Buglight
[Diagram: the process, the CreateFileW implementation in Kernel32.dll, and the CorrectFilePaths implementation in the shim DLL that sits between the app's call and Kernel32.dll]
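The two CorrectFilePaths failure modes above (exact text match rather than file match, and calls from a module the shim is not hooking) can be reproduced in a few lines. This is an added model of the matching rule as the slides describe it, not code from the shim or from the talk; the mapping reuses the slide's placeholder path, and the hooked-module set and the normalizing comparison are hypothetical, the latter shown only as a contrast to how the real shim behaves.

```python
import ntpath

# Constructed for this example: the single redirection from case # 73052.
# The app name is kept as the slide's placeholder, not a real product name.
CORRECT_FILE_PATHS = {
    r"C:\Program Files\[app name removed]\Program\Options.xml":
        r"%userprofile%\Options.xml",
}

# Hypothetical shim configuration: which modules' import tables the shim
# is applied to (the consultant first configured only the main executable).
HOOKED_MODULES = {"app.exe"}


def shim_redirect(requested, caller_module, hooked=HOOKED_MODULES,
                  mappings=CORRECT_FILE_PATHS):
    """Model of the CorrectFilePaths rule as the slides describe it:
    the hook only fires for calls made from a hooked module (reason 3),
    and the match is an exact text match on the string the app passed
    to the API (reason 2). Returns the replacement path, or the
    original string unchanged when the shim would not apply."""
    if caller_module.lower() not in hooked:
        return requested
    return mappings.get(requested, requested)


def normalized_redirect(requested, cwd, mappings=CORRECT_FILE_PATHS):
    """What an 'actual file match' would need instead (NOT how the shim
    works): resolve the request against the process's current directory,
    then compare case-insensitively. Shown only to make clear why a
    relative '.\\Program\\Options.xml' is invisible to the exact-text rule."""
    full = ntpath.normpath(ntpath.join(cwd, requested)).lower()
    for src, dst in mappings.items():
        if ntpath.normpath(src).lower() == full:
            return dst
    return requested


if __name__ == "__main__":
    app_dir = r"C:\Program Files\[app name removed]"
    full = ntpath.join(app_dir, r"Program\Options.xml")
    # Call from the hooked executable with the exact configured string: redirected.
    print(shim_redirect(full, "app.exe"))
    # Same file via a relative path after SetCurrentDirectory: no text match.
    print(shim_redirect(r".\Program\Options.xml", "app.exe"))
    # Exact string, but the CreateFile call came from msxml3.dll: not hooked.
    print(shim_redirect(full, "msxml3.dll"))
    # A path-normalizing match would have caught the relative form.
    print(normalized_redirect(r".\Program\Options.xml", app_dir))
```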
How Shims Work
[Diagram: each module loaded into the process has its own import address table (IAT) with an entry for CreateFile: App.exe, Custom1.dll, Custom2.dll, Crypt32.dll, Msxml3.dll, Urlmon.dll. The shim intercepts CreateFile through the IAT entries of the modules it is configured to hook, so a call made from a module that is not hooked bypasses it.]
CorrectFilePaths Intercepted APIs
API family | Intercepted APIs
CreateProcess routines (4) | CreateProcess[AW], WinExec, ShellExecute[AW], ShellExecuteEx[AW]
Profile (INI-file) routines (8) | GetPrivateProfileInt[AW], GetPrivateProfileSection[AW], GetPrivateProfileSectionNames[AW], GetPrivateProfileString[AW], GetPrivateProfileStruct[AW], WritePrivateProfileSection[AW], WritePrivateProfileString[AW], WritePrivateProfileStruct[AW]
File routines (22) | CopyFile[AW], CopyFileEx[AW], CreateDirectory[AW], CreateDirectoryEx[AW], CreateFile[AW], DeleteFile[AW], FindFirstFile[AW], FindFirstFileEx[AW], GetBinaryType[AW], GetFileAttributes[AW], GetFileAttributesEx[AW], SetFileAttributes[AW], GetTempFileName[AW], GetLongPathName[AW], MoveFile[AW], MoveFileEx[AW], MoveFileWithProgress[AW], RemoveDirectory[AW], SetCurrentDirectory[AW], OpenFile, _lopen, _lcreat
ShellLink routines (4) | IShellLink[AW]::SetPath, IShellLink[AW]::SetArguments, IShellLink[AW]::SetIconLocation, IPersistFile::Save
LoadImage routines (1) | LoadImageA
Case of the Failing CorrectFilePaths Shim: featured tools
• LUA Buglight
• Process Monitor, with customer logs
DEMO
Case # 73052
• Verify inputs and modules with LUA Buglight
• Configure the shim for msxml3.dll
• App still failed
• Look at Procmon traces with the shim applied
Case # 73052
Options:
• Configure the shim to intercept from all modules
• Change permissions on Options.xml
Lesson 1: you may need to look at more than the failure cases
• LUA Buglight and Standard User Analyzer show only the failure cases
• Procmon filtered on "access denied" shows only the failure cases
Lesson 2: CorrectFilePaths is a pain in the …
Case of the Missing or Unregistered OCX
Case # 2011961
Run-Once bugs
• No repro after the app runs (as admin) one time
• Installation steps performed at runtime. Typical bugs:
  • Copy executable files into place
  • Register a COM or .NET component
  • Modify a required configuration file
Solving Run-Once Bugs
• Know when future results are compromised
• Testing that can hide Run-Once bugs:
  • "Try running it as admin"
  • Testing with LUA Buglight or Standard User Analyzer
• How do you know it's a Run-Once bug? The bug doesn't repro at the next standard-user run
• Need to be able to reimage quickly: virtual machines (snapshots, undo disks), MDT deployment (e.g., PXE boot)
• Best fix for Run-Once bugs: augment the installation
Case of the Unsigned Java Installer
Unsigned Packages
• Packages that should be signed report as not signed, e.g., the latest Java installer from Java.com
• Happens in locked-down environments: FDCC/USGCB, DISA STIGs
• "Root" cause: the "Turn off Automatic Root Certificates Update" policy setting
References
Utilities
• Sysinternals Process Monitor
• Logger (Debugging Tools for Windows)
• Standard User Analyzer (App Compat Toolkit)
• LUA Buglight: v2.1 recently released; includes support for Windows 7 and x64. http://blogs.msdn.com/aaron_margosis/pages/LuaBuglight.aspx
References
• Detailed shim documentation: ACT.chm in the App Compat Toolkit; the same material is on technet.microsoft.com
• Chris Jackson's blog: blogs.msdn.com/cjacks
• My blog: blogs.msdn.com/aaron_margosis
• See "Changing Permissions on Folders vs. Files": http://blogs.msdn.com/aaron_margosis/archive/2006/06/19/638148.aspx
• FDCC blog: blogs.technet.com/fdcc
© 2010 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to
be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
Bonus Tracks
When to Use Shims
• Define standards for when to use this technique: vendor no longer in business; internal applications; support negotiable
• Shimming applications can be outsourced
When Shims Are Used
[Diagram: Windows loads AppY.exe v2.3.4.5 and checks the AppCompat database(s); a match is found, and selected calls into the Windows APIs (Kernel32, User32, Advapi32, OleAut32, …) are intercepted and modified.]
How do I know what's wrong?
Problem type | Symptoms
Invalid Windows version check | Says "This app requires Windows XP"
Admin rights issue | Says "Requires admin rights", or fails non-elevated and works elevated (caveat about testing elevated)
Security configuration | Works when the Group Policy or security template setting is removed
New platform | Works with the Windows Classic theme
Some Useful Shims
Problem type | Shim
Bad Windows version checks | Version Lie shims (e.g., WinXPSP3VersionLie)
Writing to HKCR at runtime | VirtualizeHKCRLite
Unnecessary checks for "am I admin?" | ForceAdminAccess
Writing to WRP-protected keys and files | WRPMitigation, WRPDllRegister, WRPRegDeleteKey
Windows thinks your app is an installer | SpecificNonInstaller
Writing to protected folder and registry locations | CorrectFilePaths, VirtualRegistry
Using a kernel object in the global namespace | LocalMappedObject
JUNE 7-10, 2010 | NEW ORLEANS, LA