
Using EMET to Disable EMET - lkowalcz
https://www.fireeye.com/blog/threat-research/2016/02/using_emet_to_disabl.html
======
kevin_b_er
In summary, they found out that in spite of EMET protecting a wide variety of
functions, EMET has a function and a global variable that turns off EMET. So
they can call it or set the variable and EMET is bypassed.

Why bother with all the fancy tricks to get around the various protections
when you can just ask EMET to turn them off for you?

------
vardump
So how does EMET prevent me from setting up the registers and directly calling
NT kernel by executing SYSENTER/SYSCALL instruction, completely bypassing
ntdll.dll and other (native) libraries?

I'm sure there's some sort of mitigation, curious to learn what. Otherwise
EMET would be pretty useless, right?

"x86 Instruction Set Reference, SYSENTER, Fast System Call":

[http://x86.renejeschke.de/html/file_module_x86_id_313.html](http://x86.renejeschke.de/html/file_module_x86_id_313.html)

~~~
xenophonf
That's a very interesting question. I did a little searching and found the
following but haven't had time to understand it completely:

[http://expdev-kiuhnm.rhcloud.com/2015/05/29/emet-5-2-2/](http://expdev-kiuhnm.rhcloud.com/2015/05/29/emet-5-2-2/)

Edited to add - this also mentions sysenter in the context of ASLR/DEP bypass
exploits:

[https://www.exploit-db.com/docs/17914.pdf](https://www.exploit-db.com/docs/17914.pdf)

Edited once again - it's old, but it goes into writing shell code for 32-bit
Windows that uses system calls:

[http://www.piotrbania.com/all/articles/windows_syscall_shell...](http://www.piotrbania.com/all/articles/windows_syscall_shellcode.pdf)

I guess system call numbers change between Windows versions, so shellcode that
uses system calls wouldn't be portable. The author of that last paper also
says that this would drastically increase the size of the shellcode.

~~~
tbirdz
It's even more unstable than that. The system call numbers change on every
build of Windows, not just every version.

------
tetraverse
"EMET injects emet.dll or emet64.dll .. into every protected process, which
installs Windows API hooks"

This is what the Enhanced Mitigation Experience Toolkit consists of - a DLL
injection hack!

~~~
RachelF
Probably the worst thing about the new EMET is the speed hit. The new
functions (EAF+) in EMET 5.5 can slow application loading from ~2 seconds to
around 30.

I'm starting to wonder if Microsoft actually tests anything before releasing
it these days.

For more read here:
[https://social.technet.microsoft.com/Forums/itmanagement/en-...](https://social.technet.microsoft.com/Forums/itmanagement/en-US/39d1f465-61f1-4c38-ae02-bc4ca268751a/emet-55-eaf-performance?forum=emet)

------
ars
Completely unrelated, but EMET means truth in Hebrew :)

