Kaine

Hi hake, DEP Bypass Protection prevents the stack from being marked as executable. Return to libc techniques will be blocked by the CALL ROP Gadget detection feature. Return to libc techniques don't require an executable stack, that's the reason we also check some critical functions are really called and not "ret into". Regards,

Hello marjamar, Have you Kaspersky Internet Security installed on your computer ? If yes could you try to uninstall it and check if Firefox is running ? There is a thread talking about the incompatibility between both products: https://forums.malwarebytes.org/index.php?/topic/171078-browsers-not-opening-with-mbae-kaskpersky-16/page-3 Regards,

No problem hake ! If you really wish to use MBAE with EMET (and that seems to be the case even if it's not recommended !), I suggest you to disable all the ROP mitigations: SimExecFlow, Stack Pivot, Caller, MemProt, LoadLib, Banned Functions, Deep Hooks and Anti Détours. That's the only way to get something stable with both products installed on your computer. You can now enjoy 100 % of the benefits of MBAE without any crash.

I didn't know about Her Majesty's Prison initials, I'm sorry hake. Indeed I've worked on the last MBAE Beta release to make it work with EMET for private use (I hope you don't mind Pedro !), as promised I'll contact you privately asap. Applying these modifications to the first non beta version should not be a problem... I would like to congratulate MBAE team for their first non beta release that introduces many new exploit mitigations technologies and also really improves the existing ones. Keep up the good work !

Hello, MBAE, EMET and HMP Alert simply can't work together. EMET and MBAE try to apply similar mitigations, that's the cause of the conflict (even with the beta version). MBAE's team is aware of this issue and has warned the users regarding EMET compatibility. FYI running also EMET alongside HMP will ruin the benefits of using HMP, due to internal conflicts, so don't expect to make these 3 programs run together. Chose simply one of them and you'll be fine.

Hello Pedro, Yes I know there are other kernelbase hooked functions like the CreateProcess family but EMET hooks them at kernel32 and ntdll level. As far as I know MBAE is much more stable than EMET (especially the very buggy 5.0 TP) and it does the job. I enjoy both products and it would be great to find a way to make them work together. Regards, Kaine

Hello, I have not Windows 8 so I am not able to reproduce this issue. Anyway, with Nevisos informations, I may have an idea about what's going wrong. If you enable one of the five ROP mitigations (LoadLib, MemProt, Caller, SimExecFlow or StackPivot) , EMET will start hooking critical functions in Kernel32, KernelBase and Ntdll. Disabling all the ROP mitigations will let the code untouched, so we can deduce it's probably a hooking conflict between EMET and MBAE. We know that the crash occurs in KernelBase.dll, so I've listed all the KernelBase functions hooked by both EMET and MBAE: VirtualAllocEx VirtualProtectEx WriteProcessMemory CreateFileW One of these hooks makes IE 11 crash with EMET+MBAE and given the issues I've had previsouly with CreatefileW when running IE, I would bet on this one. I hope it will help. Kaine

Hello, You should disable SimExecFlow mitigation, it simply can't work with MBAE. There are many other powerful mitigations techniques in EMET that work fine with MBAE. I suggest you don't disable Deep Hooks, which was a well known weakness in 4.x, probably the easiest way to bypass EMET. Regards, Kaine