date: 2015-11-19
Download listdlls.exe from https://technet.microsoft.com/en-gb/sysinternals/bb896656.aspx and extract it to %windir%\system32.
Open Notepad protected by EMET 5.5 and note its PID from Task Manager or the EMET console.
Run the following command, substituting the PID you noted:
c:\Windows\System32>Listdlls.exe [PID] > z:\emetProtectedNotepad.txt
Remove the EMET protection by deleting Notepad from the apps list in the EMET console.
Close and restart Notepad, note the new PID, and rerun the command with it:
c:\Windows\System32>Listdlls.exe [PID] > z:\notProtectedNotepad.txt
Opening the two files in WinMerge highlights the following DLLs as the difference:
C:\Windows\system32\apphelp.dll 334kb
C:\Windows\AppPatch\AppPatch64\EMET64.dll 1053kb
I assume the following is the equivalent for 32-bit apps:
C:\Windows\AppPatch\EMET.dll 745kb
Now open a Visual Studio developer command prompt and run:
C:\Program Files (x86)\Microsoft Visual Studio 14.0>dumpbin /exports C:\Windows\system32\apphelp.dll > "z:\Emet Reverse engineering\apphelpdll.dumpbin.txt"
C:\Program Files (x86)\Microsoft Visual Studio 14.0>dumpbin /exports C:\Windows\AppPatch\AppPatch64\EMET64.dll > "z:\Emet Reverse engineering\EMET64.dumpbin.txt"
C:\Program Files (x86)\Microsoft Visual Studio 14.0>dumpbin /exports C:\Windows\AppPatch\EMET.dll > "z:\Emet Reverse engineering\EMET.dumpbin.txt"
These files list the following:
Microsoft (R) COFF/PE Dumper Version 14.00.23026.0
Copyright (C) Microsoft Corporation. All rights reserved.
Dump of file C:\Windows\system32\apphelp.dll
File Type: DLL
Section contains the following exports for apphelp.dll
00000000 characteristics
56324A6A time date stamp Thu Oct 29 16:33:46 2015
0.00 version
1 ordinal base
195 number of functions
195 number of names
ordinal hint RVA name
1 0 0001C07C AllowPermLayer
2 1 00011574 ApphelpCheckExe
3 2 0001A3D0 ApphelpCheckIME
4 3 0001A8B0 ApphelpCheckInstallShieldPackage
5 4 000073C0 ApphelpCheckModule
6 5 0001AC4C ApphelpCheckMsiPackage
7 6 0001A810 ApphelpCheckRunApp
8 7 0000B3F0 ApphelpCheckRunAppEx
9 8 0000726C ApphelpCheckShellObject
10 9 00001010 ApphelpCreateAppcompatData
11 A 0001AF90 ApphelpFixMsiPackage
12 B 0001B274 ApphelpFixMsiPackageExe
13 C 0001C5B4 ApphelpFreeFileAttributes
14 D 0001C5A8 ApphelpGetFileAttributes
15 E 0001BB98 ApphelpGetMsiProperties
16 F 0001A3F8 ApphelpGetNTVDMInfo
17 10 0001C5DC ApphelpGetShimDebugLevel
18 11 0001BD00 ApphelpParseModuleData
19 12 0001BCD0 ApphelpQueryModuleData
20 13 0001BE78 ApphelpQueryModuleDataEx
21 14 0001C578 ApphelpShowDialog
22 15 0001C1D8 ApphelpUpdateCacheEntry
23 16 0001C528 GetPermLayers
24 17 00006A18 SE_DllLoaded
25 18 000017C4 SE_DllUnloaded
26 19 0001CF90 SE_DynamicShim
27 1A 0001D020 SE_GetHookAPIs
28 1B 0001D190 SE_GetMaxShimCount
29 1C 0001CDB8 SE_GetProcAddressIgnoreIncExc
30 1D 0001CE10 SE_GetProcAddressLoad
31 1E 0001D1A0 SE_GetShimCount
32 1F 00001820 SE_InstallAfterInit
33 20 00005C7C SE_InstallBeforeInit
34 21 00005978 SE_IsShimDll
35 22 0000980C SE_LdrEntryRemoved
36 23 00001C94 SE_ProcessDying
37 24 0001F958 SdbAddLayerTagRefToQuery
38 25 00021AAC SdbApphelpNotify
39 26 000219B0 SdbApphelpNotifyEx
40 27 000218E0 SdbApphelpNotifyEx2
41 28 000237F8 SdbBeginWriteListTag
42 29 000270B0 SdbBuildCompatEnvVariables
43 2A 00022554 SdbCloseApphelpInformation
44 2B 0000F680 SdbCloseDatabase
45 2C 000242E8 SdbCloseDatabaseWrite
46 2D 00027DCC SdbCloseLocalDatabase
47 2E 00024650 SdbCommitIndexes
48 2F 00023584 SdbCreateDatabase
49 30 00022EEC SdbCreateHelpCenterURL
50 31 00028B64 SdbCreateMsiTransformFile
51 32 000242F4 SdbDeclareIndex
52 33 000253B8 SdbDeletePermLayerKeys
53 34 000278E0 SdbDumpSearchPathPartCaches
54 35 00023870 SdbEndWriteListTag
55 36 0002867C SdbEnumMsiTransforms
56 37 00021DD0 SdbEscapeApphelpURL
57 38 00028EF4 SdbFindCustomActionForPackage
58 39 000290E0 SdbFindFirstDWORDIndexedTag
59 3A 00028FD8 SdbFindFirstGUIDIndexedTag
60 3B 000284F0 SdbFindFirstMsiPackage
61 3C 00028464 SdbFindFirstMsiPackage_Str
62 3D 00029410 SdbFindFirstNamedTag
63 3E 0000D1F0 SdbFindFirstStringIndexedTag
64 3F 000035E0 SdbFindFirstTag
65 40 0000B2C0 SdbFindFirstTagRef
66 41 00028E6C SdbFindMsiPackageByID
67 42 000291A4 SdbFindNextDWORDIndexedTag
68 43 000290A4 SdbFindNextGUIDIndexedTag
69 44 00028560 SdbFindNextMsiPackage
70 45 00002910 SdbFindNextStringIndexedTag
71 46 00003B98 SdbFindNextTag
72 47 000071C0 SdbFindNextTagRef
73 48 00010C04 SdbFormatAttribute
74 49 00027720 SdbFreeDatabaseInformation
75 4A 00010A50 SdbFreeFileAttributes
76 4B 00007610 SdbFreeFileInfo
77 4C 0001E914 SdbFreeFlagInfo
78 4D 00029A70 SdbGUIDFromString
79 4E 00002CC8 SdbGUIDToString
80 4F 000257D4 SdbGetAppCompatDataSize
81 50 000257C0 SdbGetAppPatchDir
82 51 0000EAA0 SdbGetBinaryTagData
83 52 0001E81C SdbGetDatabaseGUID
84 53 0000F7B8 SdbGetDatabaseID
85 54 00007EE0 SdbGetDatabaseInformation
86 55 00027740 SdbGetDatabaseInformationByName
87 56 00029EDC SdbGetDatabaseMatch
88 57 000275E0 SdbGetDatabaseVersion
89 58 0000EE40 SdbGetDllPath
90 59 00010708 SdbGetEntryFlags
91 5A 00010EE0 SdbGetFileAttributes
92 5B 000297B0 SdbGetFileImageType
93 5C 000298FC SdbGetFileImageTypeEx
94 5D 0000523C SdbGetFileInfo
95 5E 00006984 SdbGetFirstChild
96 5F 00027910 SdbGetImageType
97 60 00006D0C SdbGetIndex
98 61 0000E940 SdbGetItemFromItemRef
99 62 00026FE8 SdbGetLayerName
100 63 0001F550 SdbGetLayerTagRef
101 64 0001E7D8 SdbGetLocalPDB
102 65 0001F820 SdbGetMatchingExe
103 66 00028CD8 SdbGetMsiPackageInformation
104 67 0001F4CC SdbGetNamedLayer
105 68 00005A50 SdbGetNextChild
106 69 0000F33C SdbGetNthUserSdb
107 6A 0000F1BC SdbGetPDBFromGUID
108 6B 000089F0 SdbGetPermLayerKeys
109 6C 00009D1C SdbGetShowDebugInfoOption
110 6D 00020268 SdbGetShowDebugInfoOptionValue
111 6E 000267B0 SdbGetStandardDatabaseGUID
112 6F 00007FB0 SdbGetStringTagPtr
113 70 00003020 SdbGetTagDataSize
114 71 000094C0 SdbGetTagFromTagID
115 72 0002B7B0 SdbGrabMatchingInfo
116 73 0002B7DC SdbGrabMatchingInfoEx
117 74 0001BC60 SdbInitDatabase
118 75 000076B0 SdbInitDatabaseEx
119 76 0000FD50 SdbIsNullGUID
120 77 00026734 SdbIsStandardDatabase
121 78 0001E804 SdbIsTagrefFromLocalDB
122 79 0001E7EC SdbIsTagrefFromMainDB
123 7A 0002039C SdbLoadString
124 7B 00002A30 SdbMakeIndexKeyFromString
125 7C 00021FE0 SdbOpenApphelpDetailsDatabase
126 7D 00022084 SdbOpenApphelpDetailsDatabaseSP
127 7E 00022318 SdbOpenApphelpInformation
128 7F 000221C4 SdbOpenApphelpInformationByID
129 80 0002049C SdbOpenApphelpResourceFile
130 81 000095C8 SdbOpenDatabase
131 82 000202B0 SdbOpenDbFromGuid
132 83 00027D9C SdbOpenLocalDatabase
133 84 00008534 SdbPackAppCompatData
134 85 00022824 SdbQueryApphelpInformation
135 86 0001EAC4 SdbQueryBlockUpgrade
136 87 00001CCC SdbQueryContext
137 88 0002A09C SdbQueryData
138 89 0002A704 SdbQueryDataEx
139 8A 0002A0CC SdbQueryDataExTagID
140 8B 0001E8D0 SdbQueryFlagInfo
141 8C 0000B1E0 SdbQueryFlagMask
142 8D 0002BF08 SdbQueryName
143 8E 0001EB60 SdbQueryReinstallUpgrade
144 8F 00002090 SdbReadApphelpData
145 90 00020B88 SdbReadApphelpDetailsData
146 91 00029AAC SdbReadBYTETag
147 92 00029B54 SdbReadBYTETagRef
148 93 0000F864 SdbReadBinaryTag
149 94 0000EA28 SdbReadDWORDTag
150 95 00029C20 SdbReadDWORDTagRef
151 96 0002A7F0 SdbReadEntryInformation
152 97 00028850 SdbReadMsiTransformInfo
153 98 00027EB0 SdbReadPatchBits
154 99 00010280 SdbReadQWORDTag
155 9A 00010230 SdbReadQWORDTagRef
156 9B 0000E838 SdbReadStringTag
157 9C 0000E7E0 SdbReadStringTagRef
158 9D 00002D90 SdbReadWORDTag
159 9E 00029BB8 SdbReadWORDTagRef
160 9F 00026580 SdbRegisterDatabase
161 A0 00025ED8 SdbRegisterDatabaseEx
162 A1 00007598 SdbReleaseDatabase
163 A2 0001FAE0 SdbReleaseMatchingExe
164 A3 00026A94 SdbResolveDatabase
165 A4 00022700 SdbSetApphelpDebugParameters
166 A5 000256A8 SdbSetEntryFlags
167 A6 00027920 SdbSetImageType
168 A7 00024DBC SdbSetPermLayerKeys
169 A8 00021BD0 SdbShowApphelpDialog
170 A9 0000E53C SdbShowApphelpFromQuery
171 AA 0002469C SdbStartIndexing
172 AB 000246C0 SdbStopIndexing
173 AC 0001EFC8 SdbStringDuplicate
174 AD 0001F088 SdbStringReplace
175 AE 0001F2D4 SdbStringReplaceArray
176 AF 0000B350 SdbTagIDToTagRef
177 B0 0000A6D0 SdbTagRefToTagID
178 B1 00010B58 SdbTagToString
179 B2 0000F08C SdbUnpackAppCompatData
180 B3 00026590 SdbUnregisterDatabase
181 B4 00023A38 SdbWriteBYTETag
182 B5 00023BD8 SdbWriteBinaryTag
183 B6 00023C14 SdbWriteBinaryTagFromFile
184 B7 00023AD0 SdbWriteDWORDTag
185 B8 000239F8 SdbWriteNULLTag
186 B9 00023B1C SdbWriteQWORDTag
187 BA 00023E30 SdbWriteStringRefTag
188 BB 00023B68 SdbWriteStringTag
189 BC 00023E7C SdbWriteStringTagDirect
190 BD 00023A84 SdbWriteWORDTag
191 BE 0001C534 SetPermLayerState
192 BF 0001C4BC SetPermLayers
193 C0 000096CC ShimDbgPrint
194 C1 0001C5D0 ShimDumpCache
195 C2 0001C5C0 ShimFlushCache
Summary
4000 .data
3000 .pdata
14000 .rdata
1000 .reloc
9000 .rsrc
31000 .text
Microsoft (R) COFF/PE Dumper Version 14.00.23026.0
Copyright (C) Microsoft Corporation. All rights reserved.
Dump of file C:\Windows\AppPatch\AppPatch64\EMET64.dll
File Type: DLL
Section contains the following exports for EMET64.dll
00000000 characteristics
55F897DF time date stamp Tue Sep 15 23:12:47 2015
0.00 version
1 ordinal base
3 number of functions
3 number of names
ordinal hint RVA name
1 0 00086AB0 EMETSendCert
2 1 000481B0 GetHookAPIs
3 2 00048140 NotifyShims
Summary
20000 .data
20000 .detourc
20000 .detourd
20000 .didat
20000 .pdata
80000 .rdata
20000 .reloc
20000 .rsrc
80000 .text
Microsoft (R) COFF/PE Dumper Version 14.00.23026.0
Copyright (C) Microsoft Corporation. All rights reserved.
Dump of file C:\Windows\AppPatch\EMET.dll
File Type: DLL
Section contains the following exports for EMET.dll
00000000 characteristics
55F8975B time date stamp Tue Sep 15 23:10:35 2015
0.00 version
1 ordinal base
3 number of functions
3 number of names
ordinal hint RVA name
1 0 00060F20 EMETSendCert
2 1 00028B30 GetHookAPIs
3 2 00028AE0 NotifyShims
Summary
20000 .data
20000 .detourc
20000 .detourd
20000 .didat
60000 .rdata
20000 .reloc
20000 .rsrc
60000 .text
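As an added example (not part of the original notes), the two comparison steps above scripted in Python: parsing a dumpbin /exports table into name-to-RVA pairs, and diffing the module lists of the protected and unprotected Notepad. The export table is the EMET64.dll one from this page; the listdlls listings, their addresses and sizes are constructed samples, and the module parser assumes listdlls prints one module path at the end of each line.

```python
import re
# One export row as printed by dumpbin /exports: "ordinal hint RVA name".
EXPORT_ROW = re.compile(r"^\s*(\d+)\s+([0-9A-Fa-f]+)\s+([0-9A-Fa-f]{8})\s+(\S+)\s*$")
# A module path at the end of a line (the Path column of a listdlls listing).
MODULE_PATH = re.compile(r"([A-Za-z]:\\\S+\.(?:dll|exe))\s*$", re.IGNORECASE)

# Constructed sample: the EMET64.dll export table as dumpbin prints it (values as on this page).
EMET64_DUMP = """
    ordinal hint RVA      name
          1    0 00086AB0 EMETSendCert
          2    1 000481B0 GetHookAPIs
          3    2 00048140 NotifyShims
  Summary
"""

# Constructed samples in the shape of a listdlls listing (base, size, path); addresses are made up.
PROTECTED = r"""
Base                Size      Path
0x00007ff6a1230000  0x3b000   C:\Windows\system32\notepad.exe
0x00007ffd3b5c0000  0x53000   C:\Windows\system32\apphelp.dll
0x00007ffd2c100000  0x107000  C:\Windows\AppPatch\AppPatch64\EMET64.dll
"""
UNPROTECTED = r"""
Base                Size      Path
0x00007ff6a1230000  0x3b000   C:\Windows\system32\notepad.exe
"""


def parse_exports(dump: str) -> dict[str, int]:
    """Map export name -> RVA from dumpbin /exports output; rows count only after the table header."""
    exports, in_table = {}, False
    for line in dump.splitlines():
        if line.split() == ["ordinal", "hint", "RVA", "name"]:
            in_table = True
        elif in_table and line.strip().startswith("Summary"):
            break  # the section summary follows the export table
        elif in_table and (m := EXPORT_ROW.match(line)):
            exports[m.group(4)] = int(m.group(3), 16)
    return exports


def module_paths(listing: str) -> set[str]:
    """Case-folded set of module paths found in a listdlls-style listing."""
    return {m.group(1).lower() for line in listing.splitlines() if (m := MODULE_PATH.search(line))}


def injected_modules(protected: str, unprotected: str) -> list[str]:
    """Modules loaded in the protected process but absent from the unprotected one (what WinMerge showed)."""
    return sorted(module_paths(protected) - module_paths(unprotected))
```

Feed the two real listdlls output files to injected_modules() to get the same two-DLL difference without WinMerge; a process that loads EMET64.dll or EMET.dll is one EMET is actively shimming.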
We haven't discovered too much here, but one could try loading the DLL into a console app to reveal more, or disassemble it to pseudo-C code.
Once that's done one might understand the hooks and detours used to ruin an exploit's day.