EMET 3.5 Is Out – ROP Mitigations

See the 3.5 guide here:



EMET 3.5 Tech Preview is out. Installation and setup go exactly like they did before, but now you get a fancy ROP tab for Microsoft's latest mitigation techniques.

This is a big update. I’m super busy lately but I’m excited to blog about this.

See this link for setting up EMET 3.0 and get EMET 3.5 here. The 3.0 guide still applies; you just need to manually set the ROP page.

I’ll write a guide when the final version is released.

ROP page shown here:


The new ROP mitigations are from the BlueHat competition that Microsoft used to fund research. I wrote about it when they came out and explained that I saw some issues. Microsoft actually sees the same issues and they write about it in the TechNet article. I articulated it terribly at the time but the general idea is that these listen to specific instructions and an attacker can just use other instructions. It makes things harder, not impossible. My wording was something like “It’s detecting x but an attacker can use y” and Microsoft puts it much nicer:


Known limitations

As stated above, as long as one of the critical functions is called then ROP checks will take place. It is possible for the attacker to circumvent this by not calling any of the hooked functions (for example directly calling into NTDLL and not kernel32) or just circumventing the hook.

Again, super busy. But I’m excited and you should be too.

Try out EMET 3.5 for a more robust and hardened system. It’s well worth installing.


About insanitybit

Novice programmer interested in computer security. I'll use this blog when I'm bored to post about things I find interesting in that field.
