A forum for reverse engineering, OS internals and malware analysis 

Forum for announcements and questions about tools and software.
 #22921  by rkhunter
 Mon May 19, 2014 9:22 am
v.4.1 Update 1 (Release) [tool + MS PDF doc]
http://www.microsoft.com/en-us/download ... x?id=41138

v.5.0 Technical Preview [tool + MS PDF doc]
http://www.microsoft.com/en-us/download ... x?id=41963

Inside EMET 4.0 by MSRC (Elias Bachaalany)
http://recon.cx/2013/slides/Recon2013-E ... ET%204.pdf

EMET 4.1 Uncovered by Dabbadoo
http://0xdabbad00.com/wp-content/upload ... overed.pdf

Bypassing EMET v.4.1 by Bromium Labs
http://bromiumlabs.files.wordpress.com/ ... et-4-1.pdf

Announcing EMET 5.0 Technical Preview by MSRC
http://blogs.technet.com/b/srd/archive/ ... eview.aspx

EMET 4.0's Certificate Trust Feature by MSRC
http://blogs.technet.com/b/srd/archive/ ... ature.aspx

EMET, preventing the exploitation and unobvious settings [RU] by ESET Russia

Exploits in targeted attacks vs. EMET in 2013 by Andreas Lindh

EMET vs. CVE-2014-1776 by MSRC
http://blogs.technet.com/b/srd/archive/ ... -0day.aspx
 #25573  by Juggl3r
 Fri Apr 03, 2015 1:55 pm
you can find my research to the topic at:

When EMET 5.2 was released I had a very quick look at it. Basically all my exploits worked without any modifications.
The only think which should change stuff is CFG. Only EMET.dll (which gets injected into all protected applications) is now compiled with CFG support.
That means that indirect calls are now checked. E.g. if we have "call eax" eax will be verified to point a whitelisted location.
However, I didn't had an in-depth look at the stuff because everything worked without a modification.
In my slides I mention that I'm using a "call eax" gadget to bypass caller/simexec flow from EMET.dll. This ensures maximum reliability but the address must be specified for all EMET versions.
You can also use a "call eax" from the application itself instead (e.g. mozjs.dll in my case of firefox). Since I'm using the "call eax" from firefox and not from the protected EMET.dll file CFG will change nothing.
That's why my exploit still works (I only had to modify the code which finds the start of EMET.dll which was 1 LoC).

So from my point of view there is no additional security, you just have to use the "call r32" from the app instead.
 #28273  by rkhunter
 Mon Apr 11, 2016 10:37 am
Enhanced Mitigation Experience Toolkit (EMET) version 5.5 is now available (2 feb, 2016)

[+] Windows 10 compatibility
[+] Improved configuration of various mitigations via GPO
[+] Improved writing of the mitigations to the registry, making it easier to leverage existing tools to manage EMET mitigations via GPO
[+] EAF/EAF+ pseudo-mitigation performance improvements
[+] Support for untrusted fonts mitigation in Windows 10

https://blogs.technet.microsoft.com/srd ... available/
Download: https://www.microsoft.com/en-us/downloa ... x?id=50766