Native EMET third-party graphical interface

Discussion in 'other security issues & news' started by MessageBoxA, Nov 20, 2011.

Thread Status:
Not open for further replies.
  1. soccerfan

    soccerfan Registered Member

    Joined:
    Oct 15, 2007
    Posts:
    561
    MessageBoxA:
    Thanks for all the interesting information.
    I hope you release a version that allows use of nemet in SP2 machines.
    Personally, I have not upgraded to SP3 due to some programs not working with it.
    As for being protected, sandboxie and returnil (+ macrium) have served me well.
    I believe that nemet would be a useful addition.
     
  2. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    ROP is kinda like a return-to-libc, you work with what's already there. Libc is more specific in that it's going for a System() call in C (almost always) and is after a BO.

    I like the analogy though =p
     
  3. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,978
    Originally Posted by MessageBoxA

    Ohh err :eek: Interesting :) I understand why you're doing that, but obviously as you don't have other protection in place as, i do & others, that's why they get owned, as i'm sure you know ;)

    I used to have WehnTrust installed a few years ago, after reading about it on here. That was on a previous XP comp, & i can't remember why i didn't install this time round ? I might install it again now you've mentioned it :) I do know they invented ASLR long before MS thought of doing it :D

    I only have one comp to work on, so your Computer-A etc idea is a no go for me right now i'm afraid :( But it made me think that i could "possibly" use Universal Extractor to extract the files, which i did :D

    [Attached image: em-setup.gif]

    Are All of those what i need, or is something/s missing ? If so how do i proceed from here & also incorporate your App with it at the same time ?

    If not what are your thoughts about what i could do with what i've grabbed & your App ?

    TIA
     
  4. MessageBoxA

    MessageBoxA Registered Member

    Joined:
    Jun 20, 2011
    Posts:
    62
    CloneRanger, this morning I did some basic testing inside a VM with Windows XP at unpatched Service Pack 2 and the DLL is unfortunately not loading into the processes via the AppCompat engine.

    I have not dedicated any time into debugging the cause of the problem. Unfortunately there will be no support for the deprecated SP2 at this time. :oops:

    Heh, I still recommend that you update your Windows XP to SP3 and become patched and up-to-date. :)

    -MessageBoxA
     
  5. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,978
    @ MessageBoxA

    Hi, just logged in & seen your post !

    Thanks for taking the time to do that :) Oh well, if it can't be done :(

    All the best anyway :thumb:

    Regards
     
  6. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    This is a case of "It's broken, fix it."

    That's what updates and service packs are for.
     
  7. ichito

    ichito Registered Member

    Joined:
    Jan 14, 2011
    Posts:
    1,997
    Location:
    Poland - Cracow
    Nice feature :) Not many apps offer such an option... I know only one - Rising FW. It can create an installer with the user's own settings, updates, rules, etc.
     
  8. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    I'll be excited to try out the new .dll. If I can create a redeployment package that would be great.
     
  9. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,978
    Blah Blah Blah :p

    Don't need em, nicely secure here :D
     
  10. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Ok then.
     
  11. kupo

    kupo Registered Member

    Joined:
    Jan 25, 2011
    Posts:
    1,121
    Will it retain my current EMET settings? If I install this, do I need to remove EMET? Any steps? I'm sorry for the questions if it is already answered, I'm kinda lazy today. :D
     
  12. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Will it retain current EMET settings? Yes.
    No installation is required, it's portable.
    No, you do not need to remove EMET. In fact you need to have EMET installed first.

    Try running it and see if you still have questions.
     
  13. kupo

    kupo Registered Member

    Joined:
    Jan 25, 2011
    Posts:
    1,121
    Cool, I'll try it later.
     
  14. Konata Izumi

    Konata Izumi Registered Member

    Joined:
    Nov 23, 2008
    Posts:
    1,557
    heh. I might try running Win XP SP2 unpatched... looks fun :D
     
  15. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    I was also hoping to see this work on SP2, and without net framework. Maybe in time?
    Only if you run with a conventional default-permit security package. With a default-deny policy in place, it's as boring as ever. Nothing ever happens.
     
  16. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    If he gets his own .dll it'll remove the EMET dependency entirely (I assume) and unless there's something in SP2 that would stop it from working (possible, it's a dozen years old) it should be fine.

    Not to speak for him, keep in mind I know none of the code behind it and I'm making an assumption based on what I've seen.
     
  17. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    I'll have to remember to check this thread more often. For some reason I keep thinking this is just for Vista and 7, forgetting it also works on XP. I'd have to check if I still have an image of SP3 laying around that I can load as a virtual system.
     
  18. 1chaoticadult

    1chaoticadult Registered Member

    Joined:
    Oct 28, 2010
    Posts:
    2,342
    Location:
    USA
    He has already authored his own .dll, Dave just hasn't released it yet. Part of the point of him creating the .dll is to remove the dependency on EMET.
     
  19. kupo

    kupo Registered Member

    Joined:
    Jan 25, 2011
    Posts:
    1,121
    I noticed in the screenshot that ASLR is set to always on. Is it safe to do that?
     
  20. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    When I set to Always On I can't boot up.

    Makes sense.
     
  21. MessageBoxA

    MessageBoxA Registered Member

    Joined:
    Jun 20, 2011
    Posts:
    62
    Hi,

    As previously stated, I am currently in the testing phase on a replacement DLL which will completely remove the EMET dependency.

    Regarding ASLR set to 'Always On':

    Those of you having ASLR 'Always On' problems could be using ATI video cards. For some reason there are some companies out there... hard-coding physical memory offsets within their device drivers... For those of you who are not software engineers... that is a huge WTF... you should never do that... ever, period.

    The video card market is extremely competitive... they probably gain a few more FPS by doing this... but are committing an engineering cardinal sin in the process.

    There could be more hardware vendors doing the same crap... I do not have a complete list of incompatibilities. I have considered adding a white/black list of known hardware/software incompatibilities. Maybe I should add a warning before allowing the user to set ASLR to 'Always On'.

    Technically... it might also be possible for me to scan usermode binaries and detect potential problems... for example the EAF mitigation requires DR0-DR7 debug register usage... I could potentially scan usermode binaries and look for instructions accessing the debug registers. Skype and Netflix are examples of software packages incompatible with EAF. Heh, I guess it really depends on how much time I want to invest into scanning for incompatibilities. Not really sure if it is worth it.

    -MessageBoxA
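
Added example, not MessageBoxA's code and not part of the original thread: a heuristic pre-check of the kind described in the post above, which byte-scans a binary for `MOV` to or from `DR0`-`DR7` (opcodes `0F 21` / `0F 23`). It goes slightly beyond the post by also looking for thread-context API names, because `MOV DRn` is a privileged instruction and user-mode code normally reaches the debug registers through those APIs. The function name, the 32-bit register naming and the sample bytes are assumptions made for illustration.

```python
import re

# MOV r32, DRn is 0F 21 /r and MOV DRn, r32 is 0F 23 /r. Requiring mod=11 in
# the ModRM byte (0xC0-0xFF), as compilers emit it, trims accidental matches.
MOV_DR = re.compile(rb"\x0f([\x21\x23])([\xc0-\xff])")
GPR32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]

# Windows APIs that read or write a thread's CONTEXT, which holds Dr0-Dr7.
CONTEXT_APIS = [b"GetThreadContext", b"SetThreadContext",
                b"NtGetContextThread", b"NtSetContextThread"]


def scan_debug_register_use(data: bytes) -> dict:
    """Heuristic scan (no disassembly): hits are candidates to review."""
    hits = []
    for m in MOV_DR.finditer(data):
        modrm = m.group(2)[0]
        dr = f"dr{(modrm >> 3) & 7}"      # reg field selects the debug register
        gpr = GPR32[modrm & 7]            # rm field selects the general register
        if m.group(1) == b"\x21":
            hits.append((m.start(), f"mov {gpr}, {dr}"))   # read
        else:
            hits.append((m.start(), f"mov {dr}, {gpr}"))   # write
    # Match whole NUL-terminated names, as stored in a PE import name table.
    apis = sorted(
        name.decode() for name in CONTEXT_APIS
        if re.search(rb"(?<![A-Za-z0-9_])" + name + rb"\x00", data)
    )
    return {"mov_dr": hits, "context_apis": apis}


# Constructed sample bytes (not taken from any real program).
SAMPLE = (
    b"\x90\x90"
    b"\x0f\x21\xc0"                  # mov eax, dr0
    b"\x0f\x23\xfb"                  # mov dr7, ebx
    b"\xc3"
    b"\x0f\x21\x05"                  # mod != 11: skipped by the filter
    b"\x00\x02SetThreadContext\x00"  # import-style entry: hint + name
    b"MyGetThreadContextHelper\x00"  # unrelated symbol: not reported
)

if __name__ == "__main__":
    print(scan_debug_register_use(SAMPLE))
```

A raw byte scan reports data that happens to look like these opcodes, so each hit still needs a look in a disassembler before an application is marked as incompatible.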
     
  22. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Yeah I have an ATI card and I know the MS incompatibility list (All of 3 apps on i think) has ATI cards on it.

    Thanks for the more in-depth info.
     
  23. kupo

    kupo Registered Member

    Joined:
    Jan 25, 2011
    Posts:
    1,121
    Waiting for the new .dll.
    I also just found out that my EMET can set ASLR as Opt in and disable only. Is that normal?
     
  24. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Yes Skudo, that's normal. You can use a registry tweak to enable "Always On" but it will very possibly stop your computer from booting.

    There is no Opt-Out for ASLR because... well I don't really know. Devs are too lazy?
     
  25. 1chaoticadult

    1chaoticadult Registered Member

    Joined:
    Oct 28, 2010
    Posts:
    2,342
    Location:
    USA
    Yes, it's normal. ASLR always on is not an option by default.
     