Using EMET to Disable EMET
fireeye.comIn summary, they found out that in spite of EMET protecting a wide variety of functions, EMET has a function and a global variable that turns off EMET. So they can call it or set the variable and EMET is bypassed.
Why bother with all the fancy tricks to get around the various protections when you can just ask EMET to turn them off for you?
So how does EMET prevent me from setting up the registers and directly calling NT kernel by executing SYSENTER/SYSCALL instruction, completely bypassing ntdll.dll and other (native) libraries?
I'm sure there's some sort of mitigation, curious to learn what. Otherwise EMET would be pretty useless, right?
"x86 Instruction Set Reference, SYSENTER, Fast System Call":
That's a very interesting question. I did a little searching and found the following but haven't had time to understand it completely:
http://expdev-kiuhnm.rhcloud.com/2015/05/29/emet-5-2-2/
Edited to add - this also mentions sysenter in the context of ASLR/DEP bypass exploits:
https://www.exploit-db.com/docs/17914.pdf
Edited once again - it's old, but it goes into writing shell code for 32-bit Windows that uses system calls:
http://www.piotrbania.com/all/articles/windows_syscall_shell...
I guess system call numbers change between Windows versions, so shellcode that uses system calls wouldn't be portable. The author of that last paper also says that this would drastically increase the size of the shellcode.
It's even more unstable than that. The system call numbers change on every build of Windows, not just every version.
"EMET injects emet.dll or emet64.dll .. into every protected process, which installs Windows API hooks"
This is what the Enhanced Mitigation Experience Toolkit consists of - a DLL injection hack!
Probably the worst thing about the new EMET is the speed hit. The new functions (EAF+) in EMET 5.5 can slow application loading from ~2 seconds to around 30.
I'm starting to wonder if Microsoft actually tests anything before releasing it these days.
For more read here: https://social.technet.microsoft.com/Forums/itmanagement/en-...
Completely unrelated, but EMET means truth in Hebrew :)