- Sep 15, 2008
- 5,056
- 199
- 116
EMET 5.5 Released
- Thread starter Chiefcrowe
- Start date
Puffnstuff
Lifer
- Mar 9, 2005
- 16,256
- 4,930
- 136
Thanks for the heads up chief. I've never used it before but, what the hey, now's a good a time as any to give it a whirl.
- Sep 15, 2008
- 5,056
- 199
- 116
I've never used appguard, what does it do?
I think it's pretty good and since it's made by MS it seems to protect windows well.
I think it's pretty good and since it's made by MS it seems to protect windows well.
smakme7757
Golden Member
- Nov 20, 2010
- 1,487
- 1
- 81
- Sep 15, 2008
- 5,056
- 199
- 116
Attackers can turn Microsoft's exploit defense tool EMET against itself
http://www.pcworld.com/article/3037...exploit-defense-tool-emet-against-itself.html
http://www.pcworld.com/article/3037...exploit-defense-tool-emet-against-itself.html
Puffnstuff
Lifer
- Mar 9, 2005
- 16,256
- 4,930
- 136
Most of the mitigations save the EAF/EAF+ and ROP one's are all built into Windows and can actually be enabled without the use of EMET (using IFEO and the MitigationOptions QWORD registry value provided you understand the format). The system wide settings can also be enabled without the use of EMET.
I won't go so far as to say EMET is now obsolete and useless but to be fair it just doesn't offer as much as it did before (as is evident in their blog post where they list the Windows 10 features and why there is no profile for Edge).
I still have it installed and use it since it does offer a few protections beyond what Windows offers.
Edit: The format for MitigationOptions QWORD is as follows:
Take this example for chrome.exe which gets added by EMET with the popular/recommended software settings (I can't remember which one, popular I think).
Each digit is for a seperate option broken up into 4-bit sections. The first few are documented in the EMET 4.1 uncovered paper[1] and others (at least what they do) are documented in the SetProcessMitigationPolicy page on msdn (although it does not document that you can change those through the registry).
In general 1 enables an option, 0 acts as a NOP (i.e. it won't enable or disable an option and will leave it to the program), 5 is apparently for always on and 6 is force off. For the Force ALSR option (3rd from the right) 1 enables it but won't complain if a module can't be relocated, 3 will refuse to start a program if everything can't be relocated.
From RIGHT to LEFT:
They also added an additional option since I last looked into it for controlling Control Flow Guard. I don't know if that's simply the next digit in line or not (it would be easy enough to test I guess but I can't atm).
Then skip a few digits and the 6 in my example is for the untrusted font mitigation[3]. 6 means it's off and was added by EMET automagically (it's disabled globally by default so I assume that's why).
Thanks Microsoft for not documenting this, it's fun not knowing what your SECURITY features do. It's not like that's important or anything right?
[1] http://0xdabbad00.com/wp-content/uploads/2013/11/emet_4_1_uncovered.pdf (page 15)
[2] https://msdn.microsoft.com/en-us/library/windows/desktop/hh769088(v=vs.85).aspx
[3] https://technet.microsoft.com/en-us/library/dn985836(v=vs.85).aspx
I won't go so far as to say EMET is now obsolete and useless but to be fair it just doesn't offer as much as it did before (as is evident in their blog post where they list the Windows 10 features and why there is no profile for Edge).
I still have it installed and use it since it does offer a few protections beyond what Windows offers.
Edit: The format for MitigationOptions QWORD is as follows:
Take this example for chrome.exe which gets added by EMET with the popular/recommended software settings (I can't remember which one, popular I think).
Code:
HKLM/Software/Microsoft/Windows NT/Image File Executable Options/chrome.exe
MitigationOptions QWORD 6000000010111Each digit is for a seperate option broken up into 4-bit sections. The first few are documented in the EMET 4.1 uncovered paper[1] and others (at least what they do) are documented in the SetProcessMitigationPolicy page on msdn (although it does not document that you can change those through the registry).
In general 1 enables an option, 0 acts as a NOP (i.e. it won't enable or disable an option and will leave it to the program), 5 is apparently for always on and 6 is force off. For the Force ALSR option (3rd from the right) 1 enables it but won't complain if a module can't be relocated, 3 will refuse to start a program if everything can't be relocated.
From RIGHT to LEFT:
Code:
DEP
SEHOP
ASLR
Heap Terminate
Bottom-Up ASLR
High Entropy ASLR (HEASLR)
Strict Handle Check
Win32k System Call Disable
Extension Point DisableThey also added an additional option since I last looked into it for controlling Control Flow Guard. I don't know if that's simply the next digit in line or not (it would be easy enough to test I guess but I can't atm).
Then skip a few digits and the 6 in my example is for the untrusted font mitigation[3]. 6 means it's off and was added by EMET automagically (it's disabled globally by default so I assume that's why).
Thanks Microsoft for not documenting this, it's fun not knowing what your SECURITY features do. It's not like that's important or anything right?
[1] http://0xdabbad00.com/wp-content/uploads/2013/11/emet_4_1_uncovered.pdf (page 15)
[2] https://msdn.microsoft.com/en-us/library/windows/desktop/hh769088(v=vs.85).aspx
[3] https://technet.microsoft.com/en-us/library/dn985836(v=vs.85).aspx
Last edited:
13Gigatons
Diamond Member
- Apr 19, 2005
- 7,461
- 500
- 126
TRENDING THREADS
-
Discussion Zen 5 Speculation (EPYC Turin and Strix Point/Granite Ridge - Ryzen 9000)- Started by DisEnchantment
- Replies: 25K
-
Discussion Intel Meteor, Arrow, Lunar & Panther Lakes + WCL Discussion Threads
- Started by Tigerick
- Replies: 24K
-
Discussion Intel current and future Lakes & Rapids thread- Started by TheF34RChannel
- Replies: 24K
-
-
Facebook
Twitter