Tool to view and create Microsoft shim database files (SDB).
sdb-explorer

Overview

sdb-explorer is a tool that provides the ability to read and write Microsoft Fix-It In-memory patches, also known as SDB files.
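As an added example (not code from sdb-explorer), a minimal Python walker over the SDB tag structure that lists the in-memory PATCH entries a database carries, which is the first thing a defender triaging an unknown .sdb wants to know. The tag-type layout and the named tag values (TAG_DATABASE, TAG_PATCH, TAG_NAME, TAG_PATCH_BITS and the string-table tags) are taken from the public shimdb.h constants; the sample database is constructed inline and is not a real-world file.

```python
import struct
# High nibble of a tag id is its type; the named tag values below follow public shimdb.h.
TYPE_MASK, T_LIST, T_STRING, T_BINARY = 0xF000, 0x7000, 0x8000, 0x9000
FIXED_SIZE = {0x1000: 0, 0x2000: 1, 0x3000: 2, 0x4000: 4, 0x5000: 8, 0x6000: 4}  # NULL..STRINGREF
TAG_DATABASE, TAG_PATCH, TAG_NAME, TAG_PATCH_BITS = 0x7001, 0x7005, 0x6001, 0x9002
TAG_STRINGTABLE, TAG_STRINGTABLE_ITEM = 0x7801, 0x8801

def walk(buf, start, end):  # yield (tag, offset, payload) for each tag in buf[start:end], descending into LISTs
    pos = start
    while pos + 2 <= end:
        tag = struct.unpack_from('<H', buf, pos)[0]
        ttype = tag & TYPE_MASK
        if ttype in FIXED_SIZE:
            size, body = FIXED_SIZE[ttype], pos + 2
        elif ttype in (T_LIST, T_STRING, T_BINARY):  # DWORD byte count, then data
            size, body = struct.unpack_from('<I', buf, pos + 2)[0], pos + 6
        else:
            raise ValueError(f'unknown tag type 0x{ttype:04x} at offset {pos}')
        if body + size > end:  # a size that escapes its container means a corrupt or hostile file
            raise ValueError(f'tag 0x{tag:04x} at offset {pos} overruns its container')
        yield tag, pos, buf[body:body + size]
        if ttype == T_LIST:
            yield from walk(buf, body, body + size)
        pos = body + size

def find_patches(buf):
    """Return one dict per PATCH entry: file offset, resolved name, byte count of its PATCH_BITS."""
    if len(buf) < 12 or buf[8:12] != b'sdbf':
        raise ValueError('not an SDB file (missing sdbf magic)')
    found = []
    for tag, off, payload in walk(buf, 12, len(buf)):
        if tag != TAG_PATCH: continue
        entry = {'offset': off, 'name': None, 'patch_bytes': 0}
        for ctag, _, cpayload in walk(buf, off + 6, off + 6 + len(payload)):
            if ctag == TAG_NAME:  # STRINGREF: file offset of a STRINGTABLE_ITEM holding UTF-16LE text
                ref = struct.unpack('<I', cpayload)[0]
                ssize = struct.unpack_from('<I', buf, ref + 2)[0]
                entry['name'] = buf[ref + 6:ref + 6 + ssize].decode('utf-16-le').rstrip('\0')
            elif ctag == TAG_PATCH_BITS:
                entry['patch_bytes'] = len(cpayload)
        found.append(entry)
    return found

def sized(tag, *parts):  # encode a LIST/STRING/BINARY tag: WORD id, DWORD byte count, data
    return struct.pack('<HI', tag, sum(map(len, parts))) + b''.join(parts)
def build_sample():  # constructed test input, not a real SDB: one PATCH named 'Demo' with 3 placeholder bytes
    patch = lambda ref: sized(TAG_PATCH, struct.pack('<HI', TAG_NAME, ref), sized(TAG_PATCH_BITS, b'\x00\x01\x02'))
    name_ref = 12 + 6 + len(patch(0)) + 6  # header, DATABASE header, PATCH entry, STRINGTABLE header
    strtab = sized(TAG_STRINGTABLE, sized(TAG_STRINGTABLE_ITEM, 'Demo\0'.encode('utf-16-le')))
    return struct.pack('<II', 2, 1) + b'sdbf' + sized(TAG_DATABASE, patch(name_ref)) + strtab
```

Running `find_patches(build_sample())` reports one PATCH entry named Demo carrying three bytes; pointing it at a real database from a host lists every in-memory patch it would install.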

Windows 10 Support

Note that the version of apphelp.dll shipped with Windows 10 does not include the function SeiApplyPatch, which was the function responsible for applying the patch and flushing the instruction cache. It appears that Microsoft has removed support for this undocumented feature.

For more information see:

https://www.blackhat.com/asia-14/archives.html#Erickson

http://www.blackhat.com/docs/asia-14/materials/Erickson/WP-Asia-14-Erickson-Persist-It-Using-And-Abusing-Microsofts-Fix-It-Patches.pdf

http://www.youtube.com/watch?v=Gx6OgCxPBIQ

Please see my slides from Codeblue 2014: http://sdb.io/erickson-codeblue.pdf

Use in the wild

https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html