Incompatibility with EMET 5.2 ?

#1 Incompatibility with EMET 5.2 ?

Posted by: @msterdam | Date: 2015-03-16 22:05

I am using Microsoft EMET, and recently upgraded to version 5.2.
As a test I added all the apps that I often use to the EMET Apps list.
So also PSPad (latest beta version 2653).
With the default settings of EMET (Maximum security settings) PSPad is blocked with the following message:
"EMET detected SimExecFlow mitigation and will close the application: PSPad.exe".
When deactivating the SimExecFlow option for PSPad it starts normally.

Although this very likely is a false positive, it might be good to have a look at it.



#2 Re: Incompatibility with EMET 5.2 ?

Posted by: pspad | Date: 2015-03-17 06:06

EMET 5.2. and IE 11:
social.technet.microsoft.com
I found problems with EMET and Office, Firefox, Thunderbird, Adobe Reader, ...

I don't know EMET and honestly, I have no time right now to spend hours studying EMET in depth to fix a problem that may be caused by EMET itself and may be fixed by the next EMET version.

Is there any debug list or log that EMET provides with details of what causes the problem with PSPad?



#3 Re: Incompatibility with EMET 5.2 ?

Posted by: pspad | Date: 2015-03-17 06:11

PSPad from version 4.5.9 is code-signed with a COMODO-issued certificate. Maybe there is some problem with EMET and the certificate?

When I did some quick research, I found that there can be a problem with TLS. Can you try to remove libssl32.dll and libeay32.dll from the PSPad folder?
These are part of OpenSSL and are used for secure FTP connections.



#4 Re: Incompatibility with EMET 5.2 ?

Posted by: @msterdam | Date: 2015-03-17 22:26

Hi Jan,

Thanks for your reply.
The problem described in the Technet forum article you gave seems to be unrelated: that one is about CERTIFICATE PINNING, and in my case it is related to SimExecFlow. I don't have problems with any of the other applications that are mentioned in the Technet article.

In the EMET 5.2 User Guide SimExecFlow is described as "Simulate execution flow: This feature tries to detect ROP gadgets following a call to a critical function" and ROP is "Return Oriented Programming".

There are some Windows Application Events logged when EMET blocks PSPad:
xxxxxxxxxxxxxxxxxx
Logboeknaam: Application
Bron: EMET
Datum: 16-03-15 22:45:38
Gebeurtenis-id:2
Taakcategorie: Geen
Niveau: Fout
Trefwoorden: Klassiek
Gebruiker: n.v.t.
Computer: W7SSD
Beschrijving:
EMET detected SimExecFlow mitigation and will close the application: PSPad.exe

SimExecFlow check failed:
Application : C:\Program Files (x86)\PSPad editor\PSPad.exe
User Name : W7SSD\Ed
Session ID : 1
PID : 0x1134 (4404)
TID : 0x107C (4220)
CodeAddress : 0x006FCBAA
CodeStackPtr : 0x38F9C8
CalledAddress : 0x76D54327
API name : kernel32.VirtualProtect
StackPtr : 0x0038F9B4
FramePtr : 0x38F9DC
xxxxxxxxxxxxxxxxx
Logboeknaam: Application
Bron: Application Error
Datum: 16-03-15 22:45:40
Gebeurtenis-id:1000
Taakcategorie: (100)
Niveau: Fout
Trefwoorden: Klassiek
Gebruiker: n.v.t.
Computer: W7SSD
Beschrijving:
Naam van toepassing met fout: PSPad.exe, versie: 4.6.0.2653, tijdstempel: 0x54fd83dd
Naam van module met fout: unknown, versie: 0.0.0.0, tijdstempel: 0x00000000
Uitzonderingscode: 0xc000001d
Foutoffset: 0x00000000
Id van proces met fout: 0x1134
Starttijd van toepassing met fout: 0x01d060328a70ca9d
Pad naar toepassing met fout: C:\Program Files (x86)\PSPad editor\PSPad.exe
Pad naar module met fout: unknown
Rapport-id: c94e05a0-cc25-11e4-b5a0-001cc0fac263
xxxxxxxxxxxxxxx
This is on a Dutch language version of Windows 7, so some Event wording is in Dutch. If you need it, I can translate it into English.

Regarding the OpenSSL dlls: I already removed these before, because I don't need them for PSPad, and you already mentioned that PSPad starts faster without them.
As a test I copied them back in the PSPad folder (OpenSSL version 1.0.2), but it does not make a difference.

Of course I can understand that you don't have the time to study this in depth, and it is simple to solve by disabling the SimExecFlow option in EMET.
But if you want me to do some testing, please let me know.

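Added example, not part of the thread and not EMET or PSPad code: a small parser that turns the two event descriptions from post #4 into structured fields and links the EMET block to the crash record of the same process, which is the kind of detail asked for in post #2. The function names and the 10-second correlation window are assumptions; the sample text is copied (trimmed) from the post.

```python
import re
from datetime import datetime

# Fields copied from the two events in post #4 (trimmed; Dutch labels as logged).
EMET_EVENT = r"""Datum: 16-03-15 22:45:38
SimExecFlow check failed:
Application : C:\Program Files (x86)\PSPad editor\PSPad.exe
PID : 0x1134 (4404)
CodeAddress : 0x006FCBAA
API name : kernel32.VirtualProtect
"""
CRASH_EVENT = r"""Datum: 16-03-15 22:45:40
Uitzonderingscode: 0xc000001d
Id van proces met fout: 0x1134
"""
HEX = re.compile(r"0x[0-9A-Fa-f]+")

def parse_fields(text):
    """Split 'Key : Value' lines; a leading hex token becomes an int."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")  # first colon only: paths and times keep theirs
        key, value = key.strip(), value.strip()
        if not sep or not value:
            continue  # headings such as 'SimExecFlow check failed:'
        m = HEX.match(value)
        fields[key] = int(m.group(), 16) if m else value
    return fields

def logged_at(fields):
    # Day-month-year order, as written by the Dutch system in the post.
    return datetime.strptime(fields["Datum"], "%d-%m-%y %H:%M:%S")

def correlate(emet_text, crash_text, window_s=10):
    """Tie an EMET mitigation event to the crash record of the same process."""
    emet, crash = parse_fields(emet_text), parse_fields(crash_text)
    delay = (logged_at(crash) - logged_at(emet)).total_seconds()
    same_pid = emet["PID"] == crash["Id van proces met fout"]
    return {
        "api": emet["API name"],                       # critical function that was called
        "call_site": f"0x{emet['CodeAddress']:08X}",   # address to look up in the EXE's map file
        "crash_delay_s": delay,
        "linked": same_pid and 0 <= delay <= window_s,
        "exception": f"0x{crash['Uitzonderingscode']:08X}",
    }

if __name__ == "__main__":
    print(correlate(EMET_EVENT, CRASH_EVENT))
```

The `call_site` and `api` values are what a developer needs to find which code in the application made the flagged call.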


#5 Re: Incompatibility with EMET 5.2 ?

Posted by: pspad | Date: 2015-03-18 06:09

I will try to find the reason for the PSPad-EMET problem, but it will take some time.
