Bypassing EMET 3.5′s ROP Mitigations
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Failed to load latest commit information.

Bypassing EMET 3.5′s ROP Mitigations

EMET’s ROP mitigation works around hooking certain APIs (Like VirtualProtect) with Shim Engine and monitors their initialization.I have used SHARED_USER_DATA which mapped at fixed address “0x7FFE0000″ to find KiFastSystemCall address (SystemCallStub at “0x7FFE0300″), So I could call any syscall by now! By calling ZwProtectVirtualMemory’s SYSCALL “0x0D7″, I made shellcode’s memory address RWX. After this step I could execute any instruction I wanted. But to execute actual shellcode (with hooked APIs like “WinExec”) I did patched EMET to be deactivated completely.I also bypassed EMET ROP mitigations using another EMET’s implementation mistake. EMET team forget about the KernelBase.dll and left all its functions unprotected. so I used @antic0de‘s method for finding base address of kernelbase.dll at run-time, then I used VirtualProtect inside the kernelbase.dll, not ntdll.dll or krenel32.dll.

-Shahriyar Jalayeri ( @ponez )