The initial release of my custom Windows appcompat shim development kit only supported 32-bit shim modules. Today I downloaded IDA 7, which became freely available recentlyish and supports 64-bit disassembly. I looked at the 64-bit versions of a couple of the official shim modules and the shim engine interface looked very familiar, keeping in mind that x64 has only one calling convention, reminiscent of fastcall. The 64-bit version of apphelp.dll seemed to have all the exports I used in my 32-bit shims.
So I optimistically compiled my apphelp import library in the x64 configuration, configured the CustomShim project to use it in the x64 configuration as well, and compiled the shim module as 64-bit. I addressed a few compiler warnings that resulted from assuming size_t is the same as int, then went to register my 64-bit shim module. Playing around with ShimDBC, I found that RUNTIME_PLATFORM attributes accept comma-separated lists of platforms, so I can indicate that a shim exists in both the 32-bit and 64-bit modules with X86_ANY,AMD64. It turns out that one SDB can apply fixes to both 32-bit and 64-bit executables - just leave off the -op switch when compiling in Custom mode to make one big SDB - and Windows accepts this, so it's not clear why there's an AppPatch64 directory or why the Compatibility Administrator comes in two versions.
After installing my new dual-bitness SDB and placing the 64-bit version of my shim module in System32, I observed my example shims applied to Sysinternals AccessChk64 and Autoruns64. The updates to the Visual Studio projects and documentation are live on GitHub.