Explore techniques for bypassing Microsoft's Enhanced Mitigation Experience Toolkit (EMET) in this 52-minute Black Hat conference talk. Delve into EMET's security mitigations for user mode programs and learn how attackers can potentially evade these protections. Examine methods for disabling EMET and similar endpoint security products that rely on DLL injection. Discover targeted EMET evasion strategies and their applicability to other enterprise security solutions. Gain insights into the limitations of address space-based exploit prevention techniques and the importance of custom exploit prevention methods. Includes a demonstration of exploit implementation and discusses Microsoft's patch addressing these vulnerabilities in EMET 5.5.
Overview
Syllabus
Introduction
Who am I
Amit
Lost the battery
Funny story
Load Library
EMET protections
Antidote
Previous Technique
Evaluation Techniques
Stackable Check
Custom Class Check
College Check
Call Register Return Gadget
Return into Shell Code
Same Exit Flow
Using EMET in MS HTML
Using EMET in Import Address Table
Targeted Evasion
Assumptions
API Address
Relative Jump
The Problem
Main Highlights
New Technique
DLL Main Prototype
Data Structures
Loading Library
Setting Context Thread
Exploit Implementation
Exploit Gadgets
How did Microsoft fix it
Importance of custom exploit prevention techniques
Demo
Taught by
Black Hat
