Microsoft has released a nifty FREE security ‘suite’ that can protect just about any existing .exe file. It works by hardening the already compiled .exe with DEP and other neat protection features (overflow protection etc.) without modifying the file itself; for the “full” description see the link at the bottom.

The documentation is sadly very poor, but here is a quick guide to getting started.

The concept would be something like this;

Download; http://go.microsoft.com/fwlink/?LinkID=162309

Install/copy the files to;

 C:\windows\system32

Find an .exe file you want to protect (e.g. notepad.exe)

Start a command prompt and type;

C:\>EMET_conf.exe --add c:\windows\notepad.exe

This is the output;

EMET 1.0.2 Adding c:\windows\notepad.exe to EMET-ized processes: Ok

Type;

EMET_conf.exe --list

to list all protected applications.

Once the above is done the application is protected. Protected against what? Well, among other things it is protected by DEP, which greatly improves resistance to buffer overflows and the like, plus a few other protection schemes. The cool thing is that this is done without modifying the application, and hence just about any application can be protected. Note that not all applications will work when protected; if you protect an application that afterwards no longer works, unprotect it from a command prompt by typing

C:\>EMET_conf.exe --delete <application file> (e.g. c:\windows\notepad.exe)

Warning!!!

Do not remove the EMET files from c:\windows\system32 before unprotecting the .exe files: the protected applications WILL NOT RUN without these files (they will still work on another machine, since the .exe files themselves are not modified).

Links;
http://blogs.technet.com/srd/archive/2009/10/27/announcing-the-release-of-the-enhanced-mitigation-evaluation-toolkit.aspx

http://go.microsoft.com/fwlink/?LinkID=162309

Update Nov 5th 2009;

After working a bit with EMET I contacted their technical dept. to get some info on how it works (as mentioned, the documentation is fairly superficial), and I actually got something useful back;

The protection is ‘obtained’ by setting a debugger entry that launches the application via the EMET launcher (EMET_launcher.exe). This is done by creating a key for the protected application under “Image File Execution Options” in the registry, at “HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options”. Thus every time you launch the protected application, execution is intercepted via “Image File Execution Options”, passed on to “EMET_launcher.exe” and launched in a shielded environment.

An interesting detail is that if you include a path when adding an application (EMET_conf.exe --add c:\windows\notepad.exe) then only this one file (c:\windows\notepad.exe) is affected, but if you protect it like this: EMET_conf.exe --add notepad.exe, then ALL instances of notepad.exe will be protected (no matter where they are on the disk). Renaming a protected file removes the protection; it only works by file name.
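Since the redirection lives in the registry, you can audit it yourself. The following PowerShell script is an added example (not from the original post or from Microsoft) that lists every Image File Execution Options entry carrying a debugger value, marks the ones pointing at EMET_launcher.exe, and checks that the referenced launcher still exists on disk (the post above explains why that matters). It assumes the standard IFEO value name “Debugger”, which the post only refers to as a “debug code”; run it from an elevated PowerShell prompt.

```powershell
# Added example: audit IFEO debugger redirections (the mechanism EMET 1.x uses).
$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'

function Get-IfeoDebuggerEntries {
    Get-ChildItem -Path $ifeo | ForEach-Object {
        # "Debugger" is the standard IFEO value name (assumption: the post only says "debug code").
        $dbg = (Get-ItemProperty -Path $_.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
        if ($dbg) {
            # The value may be quoted and may carry arguments; keep only the executable path.
            $exe = [regex]::Match($dbg, '^"?([^"]+?\.exe)').Groups[1].Value
            $exists = if ($exe) { Test-Path -LiteralPath $exe } else { $false }
            [pscustomobject]@{
                Image          = $_.PSChildName          # key name is the file name only, e.g. notepad.exe
                Debugger       = $dbg
                IsEmet         = $dbg -match 'EMET_launcher\.exe'
                DebuggerExists = $exists
            }
        }
    }
}

$entries = @(Get-IfeoDebuggerEntries)

"Images redirected through an IFEO debugger entry:"
$entries | Format-Table Image, Debugger, IsEmet, DebuggerExists -AutoSize

# Images still routed through EMET whose launcher is missing will not start;
# this is the situation the post warns about (files removed before --delete).
$broken = $entries | Where-Object { $_.IsEmet -and -not $_.DebuggerExists }
if ($broken) {
    "EMET-protected images whose launcher is missing (unprotect with EMET_conf.exe --delete):"
    $broken | Format-Table Image, Debugger -AutoSize
}

# Any debugger entry that is not EMET deserves a second look, since the same
# redirection applies to every process started under that file name.
$other = $entries | Where-Object { -not $_.IsEmet }
if ($other) {
    "Non-EMET debugger entries to review:"
    $other | Format-Table Image, Debugger, DebuggerExists -AutoSize
}
```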

The latter might sound like fairly poor protection and/or easy to bypass; however, keep in mind this is not an antivirus solution. It is additional shielding against known and unknown buffer overflows (and more) for existing applications, so with this in mind I think it is OK. EMET is an easy-to-implement additional security feature.
