Using EMET to Disable EMET (opens in new tab)

(fireeye.com)

41 pointslkowalcz10y ago7 comments

7 comments

In summary, they found out that in spite of EMET protecting a wide variety of functions, EMET has a function and a global variable that turns off EMET. So they can call it or set the variable and EMET is bypassed.

Why bother with all the fancy tricks to get around the various protections when you can just ask EMET to turn them off for you?

1 more reply

vardump10y ago

So how does EMET prevent me from setting up the registers and directly calling NT kernel by executing SYSENTER/SYSCALL instruction, completely bypassing ntdll.dll and other (native) libraries?

I'm sure there's some sort of mitigation, curious to learn what. Otherwise EMET would be pretty useless, right?

"x86 Instruction Set Reference, SYSENTER, Fast System Call":

http://x86.renejeschke.de/html/file_module_x86_id_313.html

xenophonf10y ago

That's a very interesting question. I did a little searching and found the following but haven't had time to understand it completely:

http://expdev-kiuhnm.rhcloud.com/2015/05/29/emet-5-2-2/

Edited to add - this also mentions sysenter in the context of ASLR/DEP bypass exploits:

https://www.exploit-db.com/docs/17914.pdf

Edited once again - it's old, but it goes into writing shell code for 32-bit Windows that uses system calls:

http://www.piotrbania.com/all/articles/windows_syscall_shell...

I guess system call numbers change between Windows versions, so shellcode that uses system calls wouldn't be portable. The author of that last paper also says that this would drastically increase the size of the shellcode.

tbirdz10y ago

It's even more unstable than that. The system call numbers change on every build of Windows, not just every version.

tetraverse10y ago

"EMET injects emet.dll or emet64.dll .. into every protected process, which installs Windows API hooks"

This is what the Enhanced Mitigation Experience Toolkit consists of - a DLL injection hack!

RachelF10y ago

Probably the worst thing about the new EMET is the speed hit. The new functions (EAF+) in EMET 5.5 can slow application loading from ~2 seconds to around 30.

I'm starting to wonder if Microsoft actually tests anything before releasing it these days.

For more read here: https://social.technet.microsoft.com/Forums/itmanagement/en-...

ars10y ago

Completely unrelated, but EMET means truth in Hebrew :)

j / k navigate · click thread line to collapse