Windows 10 对SHIm的限制名称必须在下列列表中
经过IDA 分析 ,对使用自定义模块的SDB,在Win10不能注入进程,经过分析发现SdbIsKnownShimDll种会判断文件名
;NtApphelpCacheControl(x,x)
.text:78C810DC off_78C810DC dd offset aAcgenral_dll ; DATA XREF:SdbIsKnownShimDll(x):loc_78CB08C5r
.text:78C810DC ;"AcGenral.dll"
.text:78C810E0 dd offset aAclayers_dll ;"AcLayers.dll"
.text:78C810E4 dd offset aAcres_dll ; "AcRes.dll"
.text:78C810E8 dd offset aAcspecfc_dll ;"AcSpecfc.dll"
.text:78C810EC dd offset aAcwinrt_dll ; "AcWinRT.dll"
.text:78C810F0 dd offset aAcwow64_dll ; "acwow64.dll"
.text:78C810F4 dd offset aAcxtrnal_dll ;"AcXtrnal.dll"
.text:78C810F8 dd offset aKeyboardfilter ;"KeyboardFilterShim.dll"
.text:78C810FC dd offset aMastershim_dll ;"MasterShim.dll"
.text:78C81100 dd offset aDepdetct ; "depdetct"
.text:78C81104 dd offset aUacdetct ; "uacdetct"
.text:78C81108 dd offset aLuadgmgt_dll ;"luadgmgt.dll"
.text:78C8110C dd offset aLuapriv_dll ; "luapriv.dll"
.text:78C81110 dd offset aEmet_dll ; "EMET.dll"
.text:78C81114 dd offset aEmet64_dll ; "EMET64.dll"