Posts posted by Kaine


  1. Hi hake,

    DEP Bypass Protection prevents the stack from being marked as executable. Return to libc techniques will be blocked by the CALL ROP Gadget detection feature. 

    Return to libc techniques don't require an executable stack; that's the reason we also check that some critical functions are really called and not "ret into".

    Regards,
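An added example of the kind of caller check Kaine describes (this is not Kaine's, MBAE's or EMET's code): a hooked critical function looks at its return address and accepts it only if a CALL instruction ends exactly there, so a "ret into" entry is flagged. The function names and the sample byte buffer are constructed for the illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* True if the `len` bytes at `p` are exactly one x86 CALL instruction:
 *   E8 rel32        direct call (5 bytes)
 *   FF /2 r/m32     indirect call, 2..7 bytes (FF D0 = call eax,
 *                   FF 15 disp32 = call [imm32], the usual IAT form)
 * Prefixed forms (66h, REX) are not decoded and count as "not a call". */
static bool is_single_call(const uint8_t *p, size_t len) {
    if (len == 5 && p[0] == 0xE8) return true;
    if (len < 2 || p[0] != 0xFF || ((p[1] >> 3) & 7) != 2) return false;
    uint8_t mod = p[1] >> 6, rm = p[1] & 7;
    size_t need = 2;                          /* opcode + ModRM */
    if (mod != 3) {                           /* memory operand */
        bool sib = (rm == 4);
        if (sib) need += 1;
        if (mod == 1) need += 1;              /* disp8 */
        else if (mod == 2) need += 4;         /* disp32 */
        else if (rm == 5) need += 4;          /* mod 0, rm 5: disp32 only */
        else if (sib && len >= 3 && (p[2] & 7) == 5) need += 4; /* SIB base 5 */
    }
    return need == len;
}

/* Caller check: does some CALL end exactly at `ret_off`? A hooked API whose
 * return address fails this was most likely reached by RET (ret-into-libc /
 * ROP). x86 is variable-length, so a spurious match is possible; that is why
 * EMET ships this check alongside other ROP mitigations such as SimExecFlow. */
bool return_address_preceded_by_call(const uint8_t *code, size_t code_len,
                                     size_t ret_off) {
    if (ret_off > code_len) return false;
    for (size_t len = 2; len <= 7 && len <= ret_off; len++)
        if (is_single_call(code + ret_off - len, len)) return true;
    return false;
}

/* Constructed sample code image (not taken from any real binary). */
static const uint8_t sample[] = {
    0xE8, 0x10, 0x00, 0x00, 0x00,       /* off 0:  call rel32   -> ret addr 5  */
    0x8B, 0xEC,                         /* off 5:  mov ebp, esp               */
    0xFF, 0x15, 0x00, 0x10, 0x40, 0x00, /* off 7:  call [imm32] -> ret addr 13 */
    0x5D, 0xC3,                         /* off 13: pop ebp; ret               */
    0x5D, 0xC3                          /* off 15: pop ebp; ret (gadget body) */
};
bool sample_direct_call_ok(void)   { return return_address_preceded_by_call(sample, sizeof sample, 5); }
bool sample_iat_call_ok(void)      { return return_address_preceded_by_call(sample, sizeof sample, 13); }
bool sample_ret_into_flagged(void) { return !return_address_preceded_by_call(sample, sizeof sample, 15); }
```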


  2. No problem, hake! :)

    If you really wish to use MBAE with EMET (and that seems to be the case even if it's not recommended!), I suggest you disable all the ROP mitigations: SimExecFlow, Stack Pivot, Caller, MemProt, LoadLib, Banned Functions, Deep Hooks and Anti Detours. That's the only way to get something stable with both products installed on your computer. You can now enjoy 100% of the benefits of MBAE without any crash.


  3. I didn't know about the Her Majesty's Prison initials; I'm sorry, hake.

     

    Indeed, I've worked on the last MBAE Beta release to make it work with EMET for private use (I hope you don't mind, Pedro!). As promised, I'll contact you privately ASAP.

    Applying these modifications to the first non beta version should not be a problem...

     

    I would like to congratulate the MBAE team for their first non-beta release, which introduces many new exploit mitigation technologies and also really improves the existing ones.

    Keep up the good work!


  4. Hello,

     

    MBAE, EMET and HMP Alert simply can't work together. EMET and MBAE try to apply similar mitigations, that's the cause of the conflict (even with the beta version). MBAE's team is aware of this issue and has warned the users regarding EMET compatibility.

     

    FYI, also running EMET alongside HMP will ruin the benefits of using HMP, due to internal conflicts, so don't expect to make these 3 programs run together. Simply choose one of them and you'll be fine.


  5. Hello,

     

    I don't have Windows 8, so I am not able to reproduce this issue.

    Anyway, with Nevisos' information, I may have an idea about what's going wrong.

     

    If you enable one of the five ROP mitigations (LoadLib, MemProt, Caller, SimExecFlow or StackPivot), EMET will start hooking critical functions in Kernel32, KernelBase and Ntdll.

    Disabling all the ROP mitigations will leave the code untouched, so we can deduce it's probably a hooking conflict between EMET and MBAE.

     

    We know that the crash occurs in KernelBase.dll, so I've listed all the KernelBase functions hooked by both EMET and MBAE:

     

    VirtualAllocEx
    VirtualProtectEx
    WriteProcessMemory
    CreateFileW 

     

    One of these hooks makes IE 11 crash with EMET+MBAE, and given the issues I've had previously with CreateFileW when running IE, I would bet on this one.

     

    I hope it will help.

     

    Kaine
