EMET 3.5 Is Out – ROP Mitigations

See the 3.5 guide here:



EMET 3.5 Tech Preview is out. Installation and setup go exactly like they did before but now you get a fancy ROP tab for Microsofts latest mitigation techniques.

This is a big update. I’m super busy lately but I’m excited to blog about this.

See this link for setting up EMET 3.0 and get EMET 3.5 here. The 3.0 guide still applies you just need to manually set the ROP page.

I’ll write a guide when the final version is released.

ROP page shown here:


The new ROP mitigations are from the BlueHat competition that Microsoft used to fund research. I wrote it about it when they came out and explained that I saw some issues. Microsoft actually sees the same issues and they write about it in the TechNet article. I articulated it terribly at the time but the general idea is that these listen to specific instructions and an attacker can just use other instructions. It makes things harder, not impossible. My wording was something like “It’s detecting x but an attacker can use y” and Microsoft puts it much nicer:


Known limitations

As stated above, as long as one of the critical functions is called then ROP checks will take place. It is possible for the attacker to circumvent this by not calling any of the hooked functions (for example directly calling into NTDLL and not kernel32) or just circumventing the hook.

Again, super busy. But I’m excited and you should be too.

Try out EMET 3.5 for a more robust and hardened system. It’s well worth installing.

Leave a Reply

Your email address will not be published. Required fields are marked *