The following steps describe how an attacker may shim an application and install the shim on a victim system:
- An attacker creates an application compatibility database (shim database) for the target application (such as notepad.exe, or any legitimate third-party application frequently used by the victim). An attacker can choose a single shim, such as InjectDll, or multiple shims.
- The attacker saves the shim database (.sdb file) created for the target application.
- The .sdb file is delivered and dropped on the victim system (usually by malware) and installed, typically using the sdbinst utility.
- The attacker invokes the target application or waits for the user to execute the target application. ...
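Each of the steps above leaves an artifact on the host, and those artifacts are what a defender audits for. The PowerShell script below is an added example and is not part of the original text; it assumes, from the documented behaviour of sdbinst rather than from this passage, that an installed database is registered under the AppCompatFlags\InstalledSDB registry key, that the executables it applies to are listed under AppCompatFlags\Custom, and that the .sdb file itself is copied into %SystemRoot%\AppPatch\Custom. It lists every registered custom shim database, the executables each one is attached to, and any .sdb file on disk that no registry entry references.

```powershell
# Added example (not from the original text): audit a Windows host for custom
# application compatibility databases registered with sdbinst.
# Assumption (from sdbinst behaviour, not stated on the page): each installed
# database gets a key under AppCompatFlags\InstalledSDB, each shimmed executable
# gets a key under AppCompatFlags\Custom, and the .sdb is copied to AppPatch\Custom.

$base = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags'

function Get-InstalledShimDatabases {
    # One record per registered database: GUID, on-disk path, description,
    # install time, and whether the referenced file is still present.
    Get-ChildItem -Path "$base\InstalledSDB" -ErrorAction SilentlyContinue | ForEach-Object {
        $p = Get-ItemProperty -Path $_.PSPath
        [pscustomobject]@{
            Guid        = $_.PSChildName
            Path        = $p.DatabasePath
            Description = $p.DatabaseDescription
            Installed   = if ($p.DatabaseInstallTimeStamp) {
                              [DateTime]::FromFileTime($p.DatabaseInstallTimeStamp)
                          } else { $null }
            FileExists  = if ($p.DatabasePath) { Test-Path -LiteralPath $p.DatabasePath } else { $false }
        }
    }
}

function Get-ShimmedExecutables {
    # Which executables have a custom database attached. Under the Custom key
    # there is one subkey per executable name, and each value name is a <GUID>.sdb.
    Get-ChildItem -Path "$base\Custom" -ErrorAction SilentlyContinue | ForEach-Object {
        $exe   = $_.PSChildName
        $props = Get-ItemProperty -Path $_.PSPath
        $props.PSObject.Properties |
            Where-Object { $_.Name -like '*.sdb' } |
            ForEach-Object {
                [pscustomobject]@{ Executable = $exe; Database = $_.Name }
            }
    }
}

function Get-UnregisteredSdbFiles {
    # .sdb files sitting in AppPatch\Custom that no InstalledSDB entry points at;
    # worth a look, since a legitimate install leaves both the file and the key.
    $registered = @(Get-InstalledShimDatabases | ForEach-Object { $_.Path })
    Get-ChildItem -Path "$env:SystemRoot\AppPatch\Custom" -Filter *.sdb -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $registered -notcontains $_.FullName }
}

# Report: registered databases, the executables they are bound to, and stray files.
Get-InstalledShimDatabases | Format-Table -AutoSize
Get-ShimmedExecutables     | Format-Table -AutoSize
Get-UnregisteredSdbFiles   | Select-Object FullName, LastWriteTime
```

Run it in an elevated session so the HKLM keys are readable. On a workstation that has never had a custom compatibility fix applied, all three tables should be empty; any entry that appears binds a database to a frequently used executable (notepad.exe in the text's example), so the executable name, the database description and the install timestamp are the first things to compare against known change records.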