In this article we will learn about Windows Exploit Mitigation Technology .
Overview[Windows Exploit Mitigation Technology ]:
The Enhanced Mitigation Experience Toolkit, or EMET, is essentially a shield or shell that runs over and protects Windows applications, regardless of how those applications have been authentically coded by their developer, to take advantage of the security guards that are built into Windows operating systems . System. EMET is a wrapper that enables and enforces a set of protections that, when used together, really improve a machine’s security posture and greatly reduce the chance that exploits can run against your machine and do any harm – most simply fail to be done thoroughly. . It’s especially helpful in protecting against exploits that haven’t yet been patched by the software developer, making it a key tool to have in your security arsenal.
In this article, we will explain EAF (Export Address Filtering), which prevents shellcode from running. This scenario comes into play if the attacker has somehow managed to bypass the previously mentioned exploit prevention mechanism. This technique prevents an attacker from executing some important parts of the shell code. This is protection for the entire application.
Inserts EMET.dll into the specified process to protect against shellcode execution.
Shellcodes locate the IAT using PEB.ldr. EAF prevents access to this location. EMET.dll places a hardware breakpoint on read at PEB.Ldr and catches the exception using an exception vector.
This exception handler is the first handler, meaning it will be called before any other exception vector handler.
The operator checks if the wrong address is in a different range than the loaded modules. In this way, EMET prevents IAT analysis.
A Vectored Exception Handler looks like this:
In order to test it, we can use the following c file that mentions PEB.LDR in the code.
xor edx, edx // zero edx
This code chunk to get InMemoryOrder Module will fail under EAF.
Heap spray protection
The heap spray technique has been used in browsers for so long. Bulk spraying is basically used to bypass ASLR (address space randomization). In this technique, a large piece of data is allocated to a range where it is easy to predict the address.
If we allocate a large buff, we only fill it with 0x04 and reach far beyond the address 0x04040404, and then if we land at 0x04040404, the following side effects occur:
MOV EAX,DWORD PTR DS:[ESI] << EAX == 0x04040404
CALL DWORD PTR DS:[EAX+10] << JMP 0x04040404 because [eax + 10] =0x04040404
Other addresses similar to NOP behavior are:
0x05050505 = ADD EAX,5050505 <<< works as a NOP
0x0c0c0c0c = OR AL, 0C << also works as a NOP
0x0d0d0d0d = OR EAX,0d0d0d0d
EMET protects against heap splash by allocating memory in these areas and filling them with random data.
This technique applies to the prevention of ROP. Prevents ROP attacks on a vulnerable application. This technique is based on the key observation that once exploited, it must use ROP code to exploit the attack, interacting with system calls in the process. Examples of such interaction include starting other processes, opening files, etc.
Using this information, we can define the concept of a critical function: A critical function is a function by which an attacker can modify the behavior of the system, either by modifying memory or the current process.
Some examples of critical functions include:
- 1 CreateProcess
- 2 VirtualProtect, VirtualAlloc, LoadLibrary –
- 3 Open the file
The ROP code will require at least one critical function call from the ROP code to be used successfully. Deep hooks use this observation to perform checks only when one of the critical functions is called: when a critical function is called, appropriate checks are made to determine whether the critical function was called from ROP code or as part of routine. program execution.
It is quite important to note that ROPGuard does not include a hard-coded list of critical features. Instead, critical functions are defined in the ROPGuard configuration file. In this way, critical functions can be integrated at any time to improve security, and even critical functions of a categorical process can be integrated. Similarly, critical functions can be abstracted to change system performance.
It should also be noted that the current prototype only improves the features in user mode. To prevent an attacker from bypassing these functions, the same protections could be integrated into the nuclear counterparts of the defined critical functions.
To demonstrate this, we will use the ROP exploit on a sample application protected with deep hooks. We will use FreeFloat FTP Server Buffer Overflow Exploit (DEP Bypass) by blake for the vulnerable application.