
ShimCache (AppCompatCache) Internals

1. Overview

ShimCache (AppCompatCache) is an artifact stored in the Windows SYSTEM registry hive. It records program execution, but not the execution time. Nevertheless, it is a valuable artifact on Windows Server hosts, where Prefetch is not recorded by default, and on Windows hosts where Prefetch has been removed.

This article describes the following topics.
・Information in ShimCache (Forensics)
・Reverse engineering of the ShimCache mechanism (Red teaming)

2. Information in ShimCache

ShimCache is recorded under the following subkey.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\AppCompatCache

ShimCache data is in a binary format composed of a 52-byte header followed by multiple entries on Windows 10 (version 2004). The format of an entry is as follows.

Field          Type             Offset  Description
Signature      DWORD            0x00    31 30 74 73 ("10ts")
CRC32 Hash     DWORD            0x04
Entry Size     DWORD            0x08
Path Size      WORD             0x0C    Length of the Path field in bytes
Path           WString          0x0E    PE file path
Modified Time  FILETIME         -       NTFS $SI modified time
Data Size      DWORD            -
Data           BYTE[Data Size]  -       The last four bytes indicate whether it was executed
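
The entry layout in the table above, as a parser added here (example code, not the article's own and not AppCompatCacheParser). It assumes that Entry Size counts the bytes that follow it (Path Size onward), exposes the trailing four bytes of Data as a raw value rather than interpreting them, and runs on a constructed sample value instead of a real hive.

```python
import struct
from datetime import datetime, timedelta, timezone

HEADER_SIZE = 52            # Windows 10 (2004) header length given in the article
ENTRY_SIGNATURE = b"10ts"   # 31 30 74 73
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """FILETIME is a count of 100 ns ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def parse_entries(blob):
    """Return one dict per '10ts' entry found after the header.
    Assumption: Entry Size counts the bytes that follow it (Path Size onward),
    so the next entry begins at offset + 12 + Entry Size."""
    entries, off = [], HEADER_SIZE
    while off + 12 <= len(blob) and blob[off:off + 4] == ENTRY_SIGNATURE:
        crc32, entry_size = struct.unpack_from("<II", blob, off + 4)
        pos = off + 12
        (path_size,) = struct.unpack_from("<H", blob, pos)          # 0x0C
        pos += 2
        path = blob[pos:pos + path_size].decode("utf-16-le")         # 0x0E
        pos += path_size
        modified, data_size = struct.unpack_from("<QI", blob, pos)   # FILETIME, Data Size
        pos += 12
        data = blob[pos:pos + data_size]
        entries.append({
            "path": path, "crc32": crc32, "data": data,
            "modified": filetime_to_datetime(modified),
            # the article says the last four bytes of Data carry the executed flag;
            # they are exposed raw here rather than interpreted
            "exec_flag": struct.unpack("<I", data[-4:])[0] if len(data) >= 4 else None,
        })
        off += 12 + entry_size
    return entries


def build_entry(path, modified_ft, data):
    """Constructed entry in the layout above (test fixture only, not real cache data)."""
    p = path.encode("utf-16-le")
    body = struct.pack("<H", len(p)) + p + struct.pack("<QI", modified_ft, len(data)) + data
    return ENTRY_SIGNATURE + struct.pack("<II", 0, len(body)) + body


# Constructed sample value: 52-byte header (first DWORD = header size) plus three entries.
_FT_2021 = int((datetime(2021, 1, 1, tzinfo=timezone.utc) - FILETIME_EPOCH).total_seconds()) * 10_000_000
SAMPLE = (struct.pack("<I", HEADER_SIZE) + bytes(HEADER_SIZE - 4)
          + build_entry(r"C:\Windows\System32\notepad.exe", _FT_2021, b"\x01\x00\x00\x00")
          + build_entry(r"C:\Users\alice\Downloads\tool.exe", _FT_2021, b"\x00\x00\x00\x00")
          + build_entry(r"C:\Temp\empty.exe", _FT_2021, b""))
```

Feeding the raw AppCompatCache value exported from a SYSTEM hive to parse_entries() yields the same fields AppCompatCacheParser reports, with the entry's trailing DWORD left for the analyst to interpret.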

AppCompatCacheParser is useful for parsing ShimCache: https://github.com/EricZimmerman/AppCompatCacheParser

The output of AppCompatCacheParser is shown as follows. Why is there an Executed column, although ShimCache is an execution artifact?
In fact, ShimCache records not only executed files, but also executable files in folders that have been browsed with explorer.exe. Therefore, it is important to note that not all of the executable entries included in ShimCache were actually executed.
Even more important is when ShimCache is written to the SYSTEM registry. ShimCache is not written when a program is executed; it is written to the SYSTEM registry collectively when the OS shuts down.
From the above, when the SYSTEM hive is obtained by an artifact extractor such as KAPE, ShimCache holds no evidence for the period from the last boot until the time the extractor ran. One option is to shut the host down once to overcome this problem, but I don't think it is a good way because other evidence may be lost.
The better way is to get ShimCache from memory. This is implemented as a Volatility plugin, which allows acquisition of the latest ShimCache without shutting down the host.
https://github.com/mandiant/Volatility-Plugins/tree/master/shimcachemem

3. Reversing ShimCache

The ShimCache mechanism is implemented in ahcache.sys. Writing ShimCache to the SYSTEM registry at shutdown is implemented as an IOCTL, as shown below. Therefore, if the shutdown is not a clean one, such as a VirtualBox power-off, the IOCTL may not be called and ShimCache may not be written to the SYSTEM registry.

When are the entries that get written to the SYSTEM registry added?
To understand this, let's look at the execution flow when CreateProcessW is called. CreateProcessInternalW in that flow calls each of the following two flows.
①Create process flow (-> NtCreateUserProcess)
②ShimCache operation flow (-> BasepQueryAppCompat -> CompatCacheLookupAndWriteToProcess -> NtApphelpCacheControl -> NtApphelpCacheControl)
This means that the ShimCache operation flow is not required for process creation. Therefore, if a process is created by a function in ntdll.dll such as NtCreateUserProcess or NtCreateProcess, or by a direct system call, NtApphelpCacheControl is not called. When the opcode is 0x0b, NtApphelpCacheControl looks up the executable's entry in ShimCache and creates the entry if it does not exist. Therefore, if NtApphelpCacheControl is not called, nothing is recorded in ShimCache.

This means that, strictly speaking, even an executable that has no entry in ShimCache could have been launched, and forensic investigators should keep this in mind.
