3.4 DLL Injection Using The Application Compatibility Shim

The Microsoft Windows application compatibility infrastructure/framework (application shim) is a feature that allows programs created for older versions of the operating system (such as Windows XP) to work with modern versions of the operating system (such as Windows 7 or Windows 10). This is achieved through application compatibility fixes (shims). The shims are provided by Microsoft to the developers so that they can apply fixes to their programs without rewriting the code. When a shim is applied to a program, and when the shimmed program is executed, the shim engine redirects the API call made by the shimmed program to shim code; this is done by replacing the pointer in the IAT with the address of the shim code. Details on how applications use the IAT were covered in section 2.1 Windows API call flow. In other words, it hooks the Windows API to redirect calls to the shim code instead of calling the API directly in the DLL. As a result of API redirection, the shim code can modify the parameters passed to the API, redirect the API, or modify the response from the Windows operating system. The following diagram should help you to understand the differences in interactions between the normal and shimmed applications in the Windows operating system:

To help you understand the functionality of a shim, let's look at an example. Suppose that a few years back (before the release of Windows 7), you wrote an application (xyz.exe) that checked the OS version before performing some useful operation. Let's suppose that your application determined the OS version by calling the GetVersion() API in kernel32.dll. In short, the application did something useful only if the OS version was Windows XP. Now, if you take that application (xyz.exe) and run it on Windows 7, it will not do anything useful, because the OS version returned on Windows 7 by GetVersion() does not match Windows XP. To make that application work on Windows 7, you can either fix the code and rebuild the program, or you can apply a shim called WinXPVersionLie to that application (xyz.exe).

After applying the shim, when the shimmed application (xyz.exe) is executed on Windows 7 and when it tries to determine the OS version by calling GetVersion(), the shim engine intercepts and returns a different version of Windows (Windows XP instead of Windows 7). To be more specific, when the shimmed application is executed, the shim engine modifies the IAT and redirects the GetVersion() API call to the shim code (instead of kernel32.dll). In other words, the WinXPVersionLie shim is tricking the application into believing it is running on Windows XP, without modifying the code in the application.

For detailed information on the workings of the shim engine, refer to Alex Ionescu's blog post, Secrets of the Application Compatibility Database (SDB) at http://www.alex-ionescu.com/?p=39.

Microsoft provides hundreds of shims (like WinXPVersionLie) that can be applied to an application to alter its behavior. Some of these shims are abused by attackers to achieve persistence, to inject code, and to execute malicious code with elevated privileges.
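Because a custom shim database (SDB) survives reboots and is applied every time the target executable starts, an analyst's first check is simply to list which custom SDBs a host has registered and which executables they are attached to. The PowerShell below is an added example, not code from the book; it reads the two standard AppCompatFlags registry locations where Windows records custom SDBs (key and value names are Windows' own), and the assumption that legitimate databases normally live under %SystemRoot%\AppPatch is used only to flag entries worth a closer look.

```powershell
# Added example: enumerate custom application compatibility databases (SDBs)
# registered on this host and the executables they are applied to.
$base = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags'

# 1. InstalledSDB\{GUID} records each installed custom database:
#    DatabasePath (file on disk), DatabaseDescription, DatabaseInstallTimeStamp.
$installed = @{}
Get-ChildItem "$base\InstalledSDB" -ErrorAction SilentlyContinue | ForEach-Object {
    $p = Get-ItemProperty $_.PSPath
    $installed[$_.PSChildName] = [pscustomobject]@{
        Guid        = $_.PSChildName
        Path        = $p.DatabasePath
        Description = $p.DatabaseDescription
        Installed   = if ($p.DatabaseInstallTimeStamp) {
                          [DateTime]::FromFileTime($p.DatabaseInstallTimeStamp)
                      } else { $null }
    }
}

# 2. Custom\<exe name> holds one value named {GUID}.sdb per database applied
#    to that executable; join it back to the InstalledSDB record above.
Get-ChildItem "$base\Custom" -ErrorAction SilentlyContinue | ForEach-Object {
    $exe = $_.PSChildName
    $_.GetValueNames() | Where-Object { $_ -like '*.sdb' } | ForEach-Object {
        $guid = $_ -replace '\.sdb$', ''
        $db   = $installed[$guid]
        [pscustomobject]@{
            ShimmedExe  = $exe
            SdbGuid     = $guid
            SdbPath     = if ($db) { $db.Path } else { '<not listed in InstalledSDB>' }
            Description = if ($db) { $db.Description } else { '' }
            Installed   = if ($db) { $db.Installed } else { $null }
            # Assumption: installed custom SDBs normally sit under %SystemRoot%\AppPatch;
            # a database stored elsewhere, or one with no InstalledSDB record, is unusual.
            Suspicious  = (-not $db) -or ($db.Path -notlike "$env:SystemRoot\AppPatch\*")
        }
    }
} | Format-Table -AutoSize
```

Run it in an elevated PowerShell session; an empty result means no custom SDBs are registered, while any row marked Suspicious deserves a look at the SDB file itself and at how it was installed.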