SHIM Me What You Got: Manipulating Shim and Office for Code Injection
ID: bd0466d5-b21a-5abf-8dbf-bb7dc65da61b
STIX ID: report--bd0466d5-b21a-5abf-8dbf-bb7dc65da61b
Feed Name: Deep Instinct Blog
This research (presented at DEF CON 32) describes two sophisticated attack chains: (1) abusing Office ClickToRun's RPC and Detours-based injection combined with directory-traversal and opportunistic locks to force SYSTEM-level DLL injection into suspended scheduled-task processes, and (2) a fileless, registry-less shim injection technique by reversing App Compat internals (NtApphelpCacheControl and SHIM_DATA) to load a malicious DLL into a suspended process before EDR hooks initialize. The report includes detailed reverse engineering, step-by-step PoCs, limitations, and suggested detection indicators.
