EMET 4.0 / SimExecFlow

Discussion in 'other anti-malware software' started by Kyle_Katarn, Aug 4, 2013.

Thread Status:
Not open for further replies.
  1. Kyle_Katarn

    Kyle_Katarn Registered Member

    Joined:
    Dec 20, 2007
    Posts:
    1,556
    EMET 4.0 blocking SUMo due to SimExecFlow with no more details...

    Error message is

    EMET detected SimExecFlow mitigation and will close application : SUMo.exe

    I'm the developer of SUMo and some users are reporting this screen being displayed and blocking my software.

    What did I do wrong? How can this be fixed?
     
  2. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    2,969
    Location:
    U.S.A.
  3. Kyle_Katarn

    Kyle_Katarn Registered Member

    Joined:
    Dec 20, 2007
    Posts:
    1,556
  4. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    2,969
    Location:
    U.S.A.
    This is a ROP mitigation and as such only applies to x86 processes.

    Per the EMET 4 user manual "This feature tries to detect ROP gadgets following a call to a critical function. Like the "Caller checks"."
     
  5. Kyle_Katarn

    Kyle_Katarn Registered Member

    Joined:
    Dec 20, 2007
    Posts:
    1,556
    Yes, but how can I find out which part of my code is going wrong?
     
  6. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    Use a debugger? I assume you can get a stack trace and track the code that caused this.
     
    Last edited: Aug 7, 2013
  7. Kyle_Katarn

    Kyle_Katarn Registered Member

    Joined:
    Dec 20, 2007
    Posts:
    1,556
    But what can I use as a trigger to get the faulty line of code?
     
  8. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    No idea, if I could answer that you wouldn't need the debugger.
     
  9. markusg

    markusg Registered Member

    Joined:
    Jun 10, 2009
    Posts:
    248
    Perhaps try also to ask on kernelmode.info
     
  10. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    2,969
    Location:
    U.S.A.
    In the applications settings for EMET, change to audit only. It might give you a bit more info in the EMET log.
     
  11. Kyle_Katarn

    Kyle_Katarn Registered Member

    Joined:
    Dec 20, 2007
    Posts:
    1,556
    ... how do you install EMET?
     
  12. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    2,969
    Location:
    U.S.A.
  13. subhrobhandari

    subhrobhandari Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    708
    If I remember correctly it doesn't happen automatically, only when you add SUMo to the apps list and enable it manually.
     
  14. Kyle_Katarn

    Kyle_Katarn Registered Member

    Joined:
    Dec 20, 2007
    Posts:
    1,556
    OK, I'll try right now.

    Thanks!
     
  15. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    2,969
    Location:
    U.S.A.
    Take a hard look at all the ROP mitigations, one of which is simulate execution flow. The others are load library checks, memory protection checks, caller checks and stack pivot.

    The ROP mitigations are the big difference between EMET 3.0 and 4.0. They only apply to x86 processes. W.O.T. has been acting up on my PC ever since I installed EMET 4.0. I finally traced it back to the load library checks mitigation, which monitors all calls to the LoadLibrary API and also prevents loading of libraries from a UNC path. It is the latter that I strongly suspect was hanging W.O.T. in IE9.

    Once you find out which mitigation is hanging your software, you will have to instruct your users to turn it off for your app. You can also report your findings in the EMET user forum. You will also have to contact Microsoft to see if the problem can be fixed in the next EMET release.
     
  16. Kyle_Katarn

    Kyle_Katarn Registered Member

    Joined:
    Dec 20, 2007
    Posts:
    1,556
    I've been unable to track down the faulty line of code: EMET blocks before my first line of code, therefore a debugger is of little help...

    Where can I report my case to EMET support?
     
  17. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    2,969
    Location:
    U.S.A.
    I would just tell your users to turn off the SimExecFlow mitigation for your application and leave it at that. You have already posted the problem in the EMET forum.

    EMET is in the category of optional security software as far as Microsoft is concerned. In other words, "you take it or leave it." To date, they have fixed known issues with each new release of the product, but no guarantees.
     
  18. Kyle_Katarn

    Kyle_Katarn Registered Member

    Joined:
    Dec 20, 2007
    Posts:
    1,556
    OK, thanks!
     
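As an added, defender-side example that is not from any poster in this thread: a PowerShell session that follows the advice in posts 10, 15 and 17, first pulling the EMET entries out of the Application event log to see which mitigation fired and for which process, then switching SimExecFlow off for just one executable with EMET_Conf.exe. The EMET_Conf switches, the mitigation name and the install folder are recalled from the EMET 4 user guide and are assumptions here (confirm with `EMET_Conf --help` on your build); the SUMo.exe path is a placeholder.

```powershell
# Added example, not code from this thread. Assumes EMET 4.x in its default folder
# and that EMET_Conf.exe accepts "--set <exe> -<Mitigation>" as the EMET 4 user
# guide describes (verify with EMET_Conf --help before relying on it).
$EmetConf = Join-Path ${env:ProgramFiles(x86)} 'EMET 4.0\EMET_Conf.exe'
$App      = 'C:\Program Files (x86)\KC Softwares\SUMo\SUMo.exe'   # placeholder path

# 1. Which mitigation is firing? EMET logs to the Application log under the source
#    name "EMET". The pattern is kept loose on purpose: the block dialog quoted in
#    this thread reads "EMET detected SimExecFlow mitigation and will close
#    application : SUMo.exe", and audit-only entries may word the tail differently.
$pattern = 'EMET detected (?<mitigation>\w+) mitigation.*?:\s*(?<app>\S+)'
$filter  = @{ LogName = 'Application'; ProviderName = 'EMET'; StartTime = (Get-Date).AddDays(-1) }
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        if ($_.Message -match $pattern) {
            [pscustomobject]@{
                Time       = $_.TimeCreated
                EventId    = $_.Id
                Mitigation = $Matches.mitigation
                App        = $Matches.app
            }
        }
    } | Sort-Object Time -Descending | Format-Table -AutoSize

# 2. Show the current per-application configuration.
& $EmetConf --list

# 3. Turn off only SimExecFlow for SUMo.exe; every other mitigation (including the
#    remaining ROP checks: LoadLib, MemProt, Caller, StackPivot) stays enabled.
& $EmetConf --set $App -SimExecFlow
& $EmetConf --list | Select-String -SimpleMatch 'SUMo.exe'
```

Run step 3 from an elevated prompt; the same `--set` line is what users of the affected application would run, or an administrator would push out, rather than removing the application from EMET altogether.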