└── readme.md


/readme.md:
--------------------------------------------------------------------------------
  1 | # PayloadRestrictions
  2 | 
  3 | PayloadRestrictions is the new name under which EMET is integrated into Windows 10 Insider. In the past EMET was delivered via the SHIM database and was called EMET.dll, but now its functionality is replaced by PayloadRestrictions.dll. This DLL is not anymore injected into a process via SHIM but in another way which is more tightly integrated into Windows.
  4 | 
  5 | 
  6 | This tighter integration can be spotted by looking at the new mitigation flags in the EPROCESS structure:
  7 | 
  8 | ```
  9 | +0x828 MitigationFlagsValues : <unnamed-tag>
 10 |    +0x000 ControlFlowGuardEnabled : Pos 0, 1 Bit
 11 |    +0x000 ControlFlowGuardExportSuppressionEnabled : Pos 1, 1 Bit
 12 |    +0x000 ControlFlowGuardStrict : Pos 2, 1 Bit
 13 |    +0x000 DisallowStrippedImages : Pos 3, 1 Bit
 14 |    +0x000 ForceRelocateImages : Pos 4, 1 Bit
 15 |    +0x000 HighEntropyASLREnabled : Pos 5, 1 Bit
 16 |    +0x000 StackRandomizationDisabled : Pos 6, 1 Bit
 17 |    +0x000 ExtensionPointDisable : Pos 7, 1 Bit
 18 |    +0x000 DisableDynamicCode : Pos 8, 1 Bit
 19 |    +0x000 DisableDynamicCodeAllowOptOut : Pos 9, 1 Bit
 20 |    +0x000 DisableDynamicCodeAllowRemoteDowngrade : Pos 10, 1 Bit
 21 |    +0x000 AuditDisableDynamicCode : Pos 11, 1 Bit
 22 |    +0x000 DisallowWin32kSystemCalls : Pos 12, 1 Bit
 23 |    +0x000 AuditDisallowWin32kSystemCalls : Pos 13, 1 Bit
 24 |    +0x000 EnableFilteredWin32kAPIs : Pos 14, 1 Bit
 25 |    +0x000 AuditFilteredWin32kAPIs : Pos 15, 1 Bit
 26 |    +0x000 DisableNonSystemFonts : Pos 16, 1 Bit
 27 |    +0x000 AuditNonSystemFontLoading : Pos 17, 1 Bit
 28 |    +0x000 PreferSystem32Images : Pos 18, 1 Bit
 29 |    +0x000 ProhibitRemoteImageMap : Pos 19, 1 Bit
 30 |    +0x000 AuditProhibitRemoteImageMap : Pos 20, 1 Bit
 31 |    +0x000 ProhibitLowILImageMap : Pos 21, 1 Bit
 32 |    +0x000 AuditProhibitLowILImageMap : Pos 22, 1 Bit
 33 |    +0x000 SignatureMitigationOptIn : Pos 23, 1 Bit
 34 |    +0x000 AuditBlockNonMicrosoftBinaries : Pos 24, 1 Bit
 35 |    +0x000 AuditBlockNonMicrosoftBinariesAllowStore : Pos 25, 1 Bit
 36 |    +0x000 LoaderIntegrityContinuityEnabled : Pos 26, 1 Bit
 37 |    +0x000 AuditLoaderIntegrityContinuity : Pos 27, 1 Bit
 38 |    +0x000 EnableModuleTamperingProtection : Pos 28, 1 Bit
 39 |    +0x000 EnableModuleTamperingProtectionNoInherit : Pos 29, 1 Bit
 40 | +0x82c MitigationFlags2 : Uint4B
 41 | +0x82c MitigationFlags2Values : <unnamed-tag>
 42 |    +0x000 EnableExportAddressFilter : Pos 0, 1 Bit
 43 |    +0x000 AuditExportAddressFilter : Pos 1, 1 Bit
 44 |    +0x000 EnableExportAddressFilterPlus : Pos 2, 1 Bit
 45 |    +0x000 AuditExportAddressFilterPlus : Pos 3, 1 Bit
 46 |    +0x000 EnableRopStackPivot : Pos 4, 1 Bit
 47 |    +0x000 AuditRopStackPivot : Pos 5, 1 Bit
 48 |    +0x000 EnableRopCallerCheck : Pos 6, 1 Bit
 49 |    +0x000 AuditRopCallerCheck : Pos 7, 1 Bit
 50 |    +0x000 EnableRopSimExec : Pos 8, 1 Bit
 51 |    +0x000 AuditRopSimExec  : Pos 9, 1 Bit
 52 |    +0x000 EnableImportAddressFilter : Pos 10, 1 Bit
 53 |    +0x000 AuditImportAddressFilter : Pos 11, 1 Bit
 54 |    ```
 55 | 
 56 | But how is the PayloadRestrictions DLL loaded into a process?
 57 | 
 58 | First we have to look into ntoskrnl.exe.
 59 | 
 60 | From **PsAllocateProcess** we may see 2 functions being called:
 61 | 
 62 | ```
 63 | PAGE:00000001404E0FFF                 lea     rdx, [rsp+488h+var_198]
 64 | PAGE:00000001404E1007                 mov     rcx, r13
 65 | PAGE:00000001404E100A                 call    PspReadIFEOMitigationOptions
 66 | PAGE:00000001404E100F                 movaps  xmm0, [rsp+488h+var_198]
 67 | PAGE:00000001404E1017                 movdqa  [rsp+488h+var_2A8], xmm0
 68 | PAGE:00000001404E1020                 movups  xmm0, cs:PspSystemMitigationOptions
 69 | PAGE:00000001404E1027                 movups  [rsp+488h+var_298], xmm0
 70 | PAGE:00000001404E102F                 lea     r8, [rsp+488h+var_198]
 71 | PAGE:00000001404E1037                 lea     rdx, [rsp+488h+var_2A8]
 72 | PAGE:00000001404E103F                 lea     rcx, [rsp+488h+var_298]
 73 | PAGE:00000001404E1047                 call    PspInheritMitigationOptions
 74 | PAGE:00000001404E104C                 xor     eax, eax
 75 | PAGE:00000001404E104E                 mov     qword ptr [rsp+488h+var_318], rax
 76 | PAGE:00000001404E1056                 mov     qword ptr [rsp+488h+var_318+8], rax
 77 | PAGE:00000001404E105E                 lea     rdx, [rsp+488h+var_318]
 78 | PAGE:00000001404E1066                 mov     rcx, r13
 79 | PAGE:00000001404E1069                 call    PspReadIFEOMitigationAuditOptions
 80 | PAGE:00000001404E106E                 movaps  xmm0, [rsp+488h+var_318]
 81 | PAGE:00000001404E1076                 movdqa  [rsp+488h+var_288], xmm0
 82 | PAGE:00000001404E107F                 movups  xmm0, cs:PspSystemMitigationAuditOptions
 83 | PAGE:00000001404E1086                 movups  [rsp+488h+var_278], xmm0
 84 | PAGE:00000001404E108E                 lea     r8, [rsp+488h+var_318]
 85 | PAGE:00000001404E1096                 lea     rdx, [rsp+488h+var_288]
 86 | PAGE:00000001404E109E                 lea     rcx, [rsp+488h+var_278]
 87 | PAGE:00000001404E10A6                 call    PspInheritMitigationAuditOptions
 88 | ```
 89 | 
 90 | The 2 functions which we are interested into are **PspReadIFEOMitigationAuditOptions** and **PspReadIFEOMitigationOptions**. These functions will read the **Image File Execution Options** from the registry key  **HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options**. These mitigations can be set through **Windows Defender** by going to "App & Browser control -> Exploit Protection Settings -> Program settings". From there it's possible to set various mitigation options which will be encoded inside of **Image File Execution Options** as two binary values **MitigationOptions** and **MitigationAuditOptions** which are stored under the above mentioned key.
 91 | 
 92 | As already mentioned by https://twitter.com/ivanlef0u/status/895610764521766913 EMET is implemented as **PayloadRestrictions.dll** which is loaded into a process via the verifier.dll. This task is performed by the following code in verifier.dll:
 93 | 
 94 | ```
 95 | .text:000000018000A0BA                 lea     rdx, aPayloadrestric ; "PayloadRestrictions.dll"
 96 | .text:000000018000A0C1                 lea     rcx, [rsp+78h+DestinationString] ; DestinationString
 97 | .text:000000018000A0C6                 call    cs:__imp_RtlInitUnicodeString
 98 | .text:000000018000A0CC                 lea     r9, MitLibHandle
 99 | .text:000000018000A0D3                 xor     edx, edx
100 | .text:000000018000A0D5                 lea     r8, [rsp+78h+DestinationString]
101 | .text:000000018000A0DA                 mov     ecx, 4081h
102 | .text:000000018000A0DF                 call    cs:__imp_LdrLoadDll
103 | ```
104 | From ntdll.dll we can see that if the mitigations are enabled on a certain process, it will initialize verifier.dll. It's up to verifier.dll to process the mitigation options.
105 | 
106 | The structure **ntdll!LdrSystemDllInitBlock** is initialized among other values also with **MitigationOptions** and **MitigationAuditOptions**.
107 | 
108 | The relevant code from the stack trace:
109 | ```
110 | 00 ffffdf83`6c2c2890 fffff801`d96f186c nt!PspPrepareSystemDllInitBlock+0x11f
111 | 01 ffffdf83`6c2c2910 fffff801`d96f5423 nt!PspSetupUserProcessAddressSpace+0x164
112 | 02 ffffdf83`6c2c29c0 fffff801`d96cc31f nt!PspAllocateProcess+0xf5f
113 | ```
114 | 
115 | and the disassembled code which stores **MitigationOptions** and **MitigationAuditOptions** into **ntdll!LdrSystemDllInitBlock**:
116 | 
117 | ```
118 | PAGE:00000001404DDA56                                         ; PspPrepareSystemDllInitBlock+10Bj
119 | PAGE:00000001404DDA56                 movups  xmm0, [rsp+78h+var_50]
120 | PAGE:00000001404DDA5B                 movdqu  xmmword ptr [rdi+0A0h], xmm0
121 | PAGE:00000001404DDA63                 movups  xmm1, xmmword ptr [rsp+78h+var_40]
122 | PAGE:00000001404DDA68                 movdqu  xmmword ptr [rdi+0D0h], xmm1
123 | ```
124 | 
125 | The flow from now on is straightforward:
126 | 
127 | **LdrInitializeProcess** calls **LdrpInitializeExecutionOptions** which in turn checks 2 things: whether verifier is enabled or whether the mitigations are enabled:
128 | 
129 | ```
130 | .text:00000001800D1CFB                 test    dword ptr [r14+0BCh], 2000100h   <-- PEB.NtGlobalFlag check for FLG_HEAP_PAGE_ALLOCS | FLAG_APPLICATION_HEAP_PAGE
131 | .text:00000001800D1D06                 jnz     loc_1800D1DA2
132 | .text:00000001800D1D0C                 call    LdrpPayloadRestrictionMitigationsEnabled
133 | .text:00000001800D1D11                 test    al, al
134 | .text:00000001800D1D13                 jnz     loc_1800D1DA2
135 | ...
136 | .text:00000001800D1DA2                 mov     rax, [rbp+1250h+var_1258]
137 | .text:00000001800D1DA6                 movzx   r8d, r12b
138 | .text:00000001800D1DAA                 mov     r9, [rbp+1250h+var_12B8]
139 | .text:00000001800D1DAE                 mov     rdx, r14
140 | .text:00000001800D1DB1                 mov     [rsp+1350h+var_1328], rax
141 | .text:00000001800D1DB6                 mov     rcx, r13
142 | .text:00000001800D1DB9                 mov     rax, [rbp+1250h+var_1250]
143 | .text:00000001800D1DBD                 mov     [rsp+1350h+var_1330], rax
144 | .text:00000001800D1DC2                 call    LdrpInitializeApplicationVerifierPackage
145 | ```
146 | 
147 | If verifier is enabled, it will initialize **verifier.dll**, and if the mitigations are enabled, it will also cause **verifier.dll** to be initialized by calling **LdrpInitializeApplicationVerifierPackage**. Then **verifier.dll** will load **PayloadRestrictions.dll** and this is how the system loads EMET.
148 | 


--------------------------------------------------------------------------------