This problem occurred only because the executable of NirLauncher contains the word 'launch'. You can read more about this problem in this post. Here's a small summary of the problem and the way that I solved it:

When any executable contains the word 'launch' (in my case, NirLauncher.exe), Windows Vista/7 automatically shims the application, which means that apphelp.dll and AcLayers.DLL are loaded into the process and replace the pointers to Windows API functions in the process's import address table. When NirLauncher runs a utility, the utility is also shimmed, probably because child processes automatically get the same treatment as the parent process. However, if the utility requires elevation (to run as admin) while NirLauncher was executed without admin rights, the launched utility is not shimmed.

Some NirSoft utilities – 'Network Password Recovery', LSASecretsView, and LSASecretsDump – use a code injection technique in order to extract the system data. These utilities use the API function addresses returned by the GetProcAddress function to execute the desired code in a system process. But… when an application is shimmed, GetProcAddress returns the addresses of the shim layer instead of the real API function addresses. Those addresses only mean something inside the shimmed process, so when they are used in the target system process they are wrong: the system process crashed immediately, and Windows restarted the system after a minute.

The easiest solution for this problem is to change the executable name of NirLauncher to something else, but this kind of solution is really ridiculous.
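The failure above can be caught before the injection happens: instead of trusting the pointer GetProcAddress hands back, read the target module's own export table and compare. The script below is an added example and is not code from this post or from the NirSoft utilities. It parses IMAGE_EXPORT_DIRECTORY of a module image as it is laid out after mapping (RVA equals offset from the base, which is what you get when you read the loaded module from memory), and classifies a resolved address as genuine, redirected inside the module, or pointing outside the module entirely, which is what a pointer into a shim DLL looks like. `build_image` constructs a minimal PE32 stand-in for kernel32 so the script runs offline; the export names and RVAs, the load address 0x75B00000 and the address 0x6E0A1000 standing in for a shim-layer pointer are all assumptions made for the demonstration. On Windows you would replace `build_image` with the bytes of the real module read via ReadProcessMemory (or the DLL file from disk, mapping RVAs through the section table).

```python
import struct

# Constants from winnt.h
IMAGE_DOS_SIGNATURE = b"MZ"
IMAGE_NT_SIGNATURE = b"PE\0\0"
IMAGE_NT_OPTIONAL_HDR32_MAGIC = 0x10B
IMAGE_NT_OPTIONAL_HDR64_MAGIC = 0x20B
IMAGE_FILE_MACHINE_I386 = 0x14C


def _optional_header(image):
    """Return (offset of IMAGE_OPTIONAL_HEADER, offset of its DataDirectory)."""
    if image[:2] != IMAGE_DOS_SIGNATURE:
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != IMAGE_NT_SIGNATURE:
        raise ValueError("missing PE signature")
    opt = e_lfanew + 4 + 20                      # skip Signature and IMAGE_FILE_HEADER
    magic = struct.unpack_from("<H", image, opt)[0]
    if magic == IMAGE_NT_OPTIONAL_HDR32_MAGIC:
        return opt, opt + 96                     # PE32: DataDirectory at +96
    if magic == IMAGE_NT_OPTIONAL_HDR64_MAGIC:
        return opt, opt + 112                    # PE32+: DataDirectory at +112
    raise ValueError("unknown optional header magic 0x%x" % magic)


def parse_exports(image):
    """Walk IMAGE_EXPORT_DIRECTORY of a mapped image and return {name: rva}.
    Forwarded exports (RVA pointing back into the export directory) are skipped."""
    _, data_dir = _optional_header(image)
    export_rva, export_size = struct.unpack_from("<II", image, data_dir)  # entry 0 = exports
    if export_rva == 0:
        return {}
    (_, _, _, _, _, _base, n_funcs, n_names,
     funcs_rva, names_rva, ords_rva) = struct.unpack_from("<IIHHIIIIIII", image, export_rva)
    result = {}
    for i in range(n_names):
        name_rva = struct.unpack_from("<I", image, names_rva + 4 * i)[0]
        name = image[name_rva:image.index(b"\0", name_rva)].decode("ascii")
        ordinal = struct.unpack_from("<H", image, ords_rva + 2 * i)[0]
        if ordinal >= n_funcs:
            raise ValueError("ordinal out of range for %s" % name)
        func_rva = struct.unpack_from("<I", image, funcs_rva + 4 * ordinal)[0]
        if export_rva <= func_rva < export_rva + export_size:
            continue
        result[name] = func_rva
    return result


def check_resolved_address(image, module_base, name, observed_addr):
    """Compare the address a GetProcAddress-style lookup returned for `name`
    against the module's own export table. Returns 'genuine', 'outside-module'
    (the pointer leads into another DLL, which is what a shim layer produces)
    or 'inside-module' (redirected within the module, e.g. an inline hook)."""
    expected = module_base + parse_exports(image)[name]
    if observed_addr == expected:
        return "genuine"
    opt, _ = _optional_header(image)
    size_of_image = struct.unpack_from("<I", image, opt + 56)[0]   # SizeOfImage
    if module_base <= observed_addr < module_base + size_of_image:
        return "inside-module"
    return "outside-module"


def build_image(exports, image_size=0x2000):
    """Construct a minimal PE32 image with the given {name: rva} exports, laid
    out as it would be after mapping (RVA == offset). Constructed test data only."""
    img = bytearray(image_size)
    img[0:2] = IMAGE_DOS_SIGNATURE
    e_lfanew = 0x40
    struct.pack_into("<I", img, 0x3C, e_lfanew)
    img[e_lfanew:e_lfanew + 4] = IMAGE_NT_SIGNATURE
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    struct.pack_into("<HHIIIHH", img, e_lfanew + 4, IMAGE_FILE_MACHINE_I386, 0, 0, 0, 0, 224, 0x102)
    opt = e_lfanew + 24
    struct.pack_into("<H", img, opt, IMAGE_NT_OPTIONAL_HDR32_MAGIC)
    struct.pack_into("<I", img, opt + 56, image_size)           # SizeOfImage
    names = sorted(exports)                                      # name table is sorted in real PEs
    n = len(names)
    export_rva = 0x200
    funcs_rva, names_rva = export_rva + 40, export_rva + 40 + 4 * n
    ords_rva, cur = names_rva + 4 * n, names_rva + 6 * n
    for i, nm in enumerate(names):
        struct.pack_into("<I", img, funcs_rva + 4 * i, exports[nm])
        struct.pack_into("<I", img, names_rva + 4 * i, cur)
        struct.pack_into("<H", img, ords_rva + 2 * i, i)
        s = nm.encode("ascii") + b"\0"
        img[cur:cur + len(s)] = s
        cur += len(s)
    struct.pack_into("<IIHHIIIIIII", img, export_rva, 0, 0, 0, 0, 0, 1, n, n,
                     funcs_rva, names_rva, ords_rva)
    struct.pack_into("<II", img, opt + 96, export_rva, cur - export_rva)  # DataDirectory[0]
    return bytes(img)


if __name__ == "__main__":
    # Constructed stand-in for kernel32 with the exports an injector typically needs.
    KERNEL32 = build_image({"LoadLibraryA": 0x1000, "GetProcAddress": 0x1100,
                            "CreateRemoteThread": 0x1200})
    BASE = 0x75B00000                       # assumed load address (same in every process)
    for addr in (BASE + 0x1000, 0x6E0A1000):  # genuine entry vs. assumed shim-layer pointer
        print(hex(addr), check_resolved_address(KERNEL32, BASE, "LoadLibraryA", addr))
```

If the check reports anything other than `genuine`, the safe move is to refuse to inject and tell the user the process is shimmed, rather than send a pointer into a system process that will never resolve it; a crash there takes the machine down with it, as described above.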