June 2018 | Beginner | 510 pages | 13h 7m | English
To shim an application, an attacker installs the shim database (.sdb), which resides somewhere on the victim's filesystem. Assuming that you have identified the .sdb file used in the malicious activity, you can investigate the .sdb file by using a tool such as sdb-explorer (https://github.com/evil-e/sdb-explorer) or python-sdb (https://github.com/williballenthin/python-sdb).
In the following example, the python-sdb tool was used to investigate the shim database (.sdb) file that we created earlier. Running python-sdb on the shim database displays its elements as shown here:

$ python sdb_dump_database.py notepad.sdb
<DATABASE>
    <TIME type='integer'>0x1d3928964805b25</TIME>
    <COMPILER_VERSION type='stringref'>2.1.0.3</COMPILER_VERSION>
    ...
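To show what a tool like python-sdb is actually doing when it prints that listing, the following is an added example (it is not python-sdb, sdb-explorer, or the book's own code) of a minimal .sdb reader: it validates the "sdbf" header, walks the tag/value records whose upper four bits encode the value type, resolves STRINGREF values through the STRINGTABLE, renders the same XML-like listing, and extracts which executables are shimmed and by what. The tag-name table is a small subset recalled from the open apphelp reimplementations and the STRINGREF resolution rule (offset relative to the STRINGTABLE tag) follows them too; both are assumptions to confirm against a real database. The sample .sdb bytes are constructed inline so the script runs offline; `build_sample_sdb`, `shimmed_executables` and the other function names are this example's own.

```python
"""Minimal reader for the Windows shim database (.sdb) tag tree (added example)."""
import struct

# Value type lives in the upper nibble of the 16-bit tag.
TYPE_NULL, TYPE_BYTE, TYPE_WORD, TYPE_DWORD, TYPE_QWORD = 0x1000, 0x2000, 0x3000, 0x4000, 0x5000
TYPE_STRINGREF, TYPE_LIST, TYPE_STRING, TYPE_BINARY = 0x6000, 0x7000, 0x8000, 0x9000
FIXED_SIZE = {TYPE_BYTE: "<B", TYPE_WORD: "<H", TYPE_DWORD: "<I", TYPE_STRINGREF: "<I", TYPE_QWORD: "<Q"}

# tag = type | id. Subset of apphelp tag ids, recalled from open reimplementations (assumption).
TAG_DATABASE, TAG_EXE, TAG_SHIM_REF, TAG_NAME = 0x7001, 0x7007, 0x7009, 0x6001
TAG_TIME, TAG_COMPILER_VERSION, TAG_STRINGTABLE, TAG_STRINGTABLE_ITEM = 0x5001, 0x6022, 0x7801, 0x8801
TAG_NAMES = {TAG_DATABASE: "DATABASE", TAG_EXE: "EXE", TAG_SHIM_REF: "SHIM_REF", TAG_NAME: "NAME",
             TAG_TIME: "TIME", TAG_COMPILER_VERSION: "COMPILER_VERSION",
             TAG_STRINGTABLE: "STRINGTABLE", TAG_STRINGTABLE_ITEM: "STRINGTABLE_ITEM"}


def parse_tags(buf, start, end):
    """Parse records in buf[start:end] into (tag, offset, value) nodes; LIST values nest."""
    nodes, pos = [], start
    while pos < end:
        offset = pos
        (tag,) = struct.unpack_from("<H", buf, pos)
        pos += 2
        ttype = tag & 0xF000
        if ttype == TYPE_NULL:
            value, size = None, 0
        elif ttype in FIXED_SIZE:
            (value,) = struct.unpack_from(FIXED_SIZE[ttype], buf, pos)
            size = struct.calcsize(FIXED_SIZE[ttype])
        elif ttype in (TYPE_LIST, TYPE_STRING, TYPE_BINARY):
            (size,) = struct.unpack_from("<I", buf, pos)
            pos += 4
            if pos + size > end:  # malformed or truncated file: a record runs past its parent
                raise ValueError(f"record at {offset:#x} exceeds its container")
            if ttype == TYPE_LIST:
                value = parse_tags(buf, pos, pos + size)
            elif ttype == TYPE_STRING:
                value = buf[pos:pos + size].decode("utf-16-le").rstrip("\x00")
            else:
                value = bytes(buf[pos:pos + size])
        else:
            raise ValueError(f"unknown tag type {ttype:#06x} at {offset:#x}")
        nodes.append((tag, offset, value))
        pos += size
    return nodes


def load_sdb(buf):
    """Check the 12-byte header (major, minor, 'sdbf') and return (top-level nodes, STRINGTABLE offset)."""
    _major, _minor, magic = struct.unpack_from("<II4s", buf, 0)
    if magic != b"sdbf":
        raise ValueError("not a shim database: missing 'sdbf' magic")
    nodes = parse_tags(buf, 12, len(buf))
    st_offset = next((off for tag, off, _ in nodes if tag == TAG_STRINGTABLE), None)
    return nodes, st_offset


def resolve_stringref(buf, st_offset, ref):
    """A STRINGREF is the distance from the STRINGTABLE tag to a STRINGTABLE_ITEM tag (assumption)."""
    if st_offset is None:
        raise ValueError("STRINGREF used but file has no STRINGTABLE")
    item = st_offset + ref
    tag, size = struct.unpack_from("<HI", buf, item)
    if tag != TAG_STRINGTABLE_ITEM:
        raise ValueError(f"stringref {ref:#x} does not point at a STRINGTABLE_ITEM")
    return buf[item + 6:item + 6 + size].decode("utf-16-le").rstrip("\x00")


def render(buf, nodes, st_offset, depth=0):
    """Produce an XML-like listing in the style of python-sdb's dump (an approximation)."""
    lines, pad = [], "  " * depth
    for tag, _, value in nodes:
        name, ttype = TAG_NAMES.get(tag, f"TAG_{tag:04X}"), tag & 0xF000
        if ttype == TYPE_LIST:
            lines.append(f"{pad}<{name}>")
            lines.extend(render(buf, value, st_offset, depth + 1))
            lines.append(f"{pad}</{name}>")
        elif ttype == TYPE_STRINGREF:
            lines.append(f"{pad}<{name} type='stringref'>{resolve_stringref(buf, st_offset, value)}</{name}>")
        elif ttype == TYPE_STRING:
            lines.append(f"{pad}<{name} type='string'>{value}</{name}>")
        elif ttype == TYPE_BINARY:
            lines.append(f"{pad}<{name} type='hex'>{value.hex()}</{name}>")
        elif ttype == TYPE_NULL:
            lines.append(f"{pad}<{name}/>")
        else:
            lines.append(f"{pad}<{name} type='integer'>{value:#x}</{name}>")
    return lines


def shimmed_executables(buf):
    """Triage view for a responder: map each EXE name in the database to the shims applied to it."""
    nodes, st_offset = load_sdb(buf)
    result = {}

    def walk(items):
        for tag, _, value in items:
            if tag == TAG_EXE:
                exe = [resolve_stringref(buf, st_offset, v) for t, _, v in value if t == TAG_NAME]
                shims = [resolve_stringref(buf, st_offset, v) for t, _, ref in value if t == TAG_SHIM_REF
                         for tt, _, v in ref if tt == TAG_NAME]
                result[exe[0] if exe else "<unnamed>"] = shims
            elif tag & 0xF000 == TYPE_LIST:
                walk(value)

    walk(nodes)
    return result


def _tag(tag, payload):
    """Serialize one record; sized types carry a 4-byte length after the tag."""
    if tag & 0xF000 in (TYPE_LIST, TYPE_STRING, TYPE_BINARY):
        return struct.pack("<HI", tag, len(payload)) + payload
    return struct.pack("<H", tag) + payload


def build_sample_sdb():
    """Constructed minimal database (not a real capture): one EXE entry with one shim reference."""
    table, refs = b"", {}
    for s in ("2.1.0.3", "notepad.exe", "SampleShim"):
        refs[s] = 6 + len(table)  # skip the STRINGTABLE header to reach this item's tag
        table += _tag(TAG_STRINGTABLE_ITEM, s.encode("utf-16-le") + b"\x00\x00")
    exe = _tag(TAG_EXE, _tag(TAG_NAME, struct.pack("<I", refs["notepad.exe"]))
               + _tag(TAG_SHIM_REF, _tag(TAG_NAME, struct.pack("<I", refs["SampleShim"]))))
    database = _tag(TAG_DATABASE, _tag(TAG_TIME, struct.pack("<Q", 0x1d3928964805b25))
                    + _tag(TAG_COMPILER_VERSION, struct.pack("<I", refs["2.1.0.3"])) + exe)
    return struct.pack("<II", 2, 1) + b"sdbf" + database + _tag(TAG_STRINGTABLE, table)


if __name__ == "__main__":
    sample = build_sample_sdb()
    top, st = load_sdb(sample)
    print("\n".join(render(sample, top, st)))
    print(shimmed_executables(sample))
```

Run the script as-is to see the constructed database rendered, or replace `build_sample_sdb()` with the bytes of a recovered .sdb file. The `shimmed_executables` view is the part worth keeping during an investigation: the EXE names tell you which binaries the database targets, and the SHIM_REF names tell you which compatibility fixes are applied to them, which is the information needed to decide whether a database found on a host is benign or not. Unknown tag ids are rendered as `TAG_xxxx` rather than dropped, so nothing in the file is silently hidden.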