Shimming uses the Windows Application Compatibility framework to inject DLLs into processes. The mechanism is legitimate for compatibility but is abused for malware persistence and API hooking.
Malicious shims survive reboots and OS updates (they are installed via legitimate mechanisms). Detection: monitor for unusual shim database modifications. Sdbinst.exe installs shims; alert on its unexpected execution. Shimming is used by nation-state malware for persistence.