|
|
|
|
|
|
by vardump
3775 days ago
|
|
|
So how does EMET prevent me from setting up the registers and directly calling NT kernel by executing SYSENTER/SYSCALL instruction, completely bypassing ntdll.dll and other (native) libraries? I'm sure there's some sort of mitigation, curious to learn what. Otherwise EMET would be pretty useless, right? "x86 Instruction Set Reference, SYSENTER, Fast System Call": http://x86.renejeschke.de/html/file_module_x86_id_313.html |
|
|
http://expdev-kiuhnm.rhcloud.com/2015/05/29/emet-5-2-2/
Edited to add - this also mentions sysenter in the context of ASLR/DEP bypass exploits:
https://www.exploit-db.com/docs/17914.pdf
Edited once again - it's old, but it goes into writing shell code for 32-bit Windows that uses system calls:
http://www.piotrbania.com/all/articles/windows_syscall_shell...
I guess system call numbers change between Windows versions, so shellcode that uses system calls wouldn't be portable. The author of that last paper also says that this would drastically increase the size of the shellcode.