EMET 5.0 -> explorer.exe -> INVALID_POINTER_WRITE_EXPLOITABLE

[v] Deep Hooks
[v] Anti Detour
[v] Banned Function

[x] Stop on exploit

All options for explorer.exe checked

=> Crash

WinDbg as the postmortem debugger:

0:024> !analyze -v
*******************************************************************************
*                                                                             *
*                        Exception Analysis                                   *
*                                                                             *
*******************************************************************************
FAULTING_IP: 
EMET64!EMETSendCert+2442
000007fe`f2704ece 48832300        and     qword ptr [rbx],0

EXCEPTION_RECORD:  ffffffffffffffff -- (.exr 0xffffffffffffffff)
ExceptionAddress: 000007fef2704ece (EMET64!EMETSendCert+0x0000000000002442)
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 0000000000000001
   Parameter[1]: 0000000000120800
Attempt to write to address 0000000000120800

CONTEXT:  0000000000000000 -- (.cxr 0x0;r)
rax=00000000003a7c70 rbx=0000000000120800 rcx=0000000000000038
rdx=00000000aa1a1088 rsi=00000000001220b4 rdi=00000000003a7c70
rip=000007fef2704ece rsp=000000000736e940 rbp=000000000736eab0
 r8=000000000736e8f8  r9=000000000736eab0 r10=0000000000000000
r11=0000000000000286 r12=0000000000000000 r13=0000000000000033
r14=0000000000000033 r15=0000000000000000
iopl=0         nv up ei pl nz na po nc
cs=0033  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010204
EMET64!EMETSendCert+0x2442:
000007fe`f2704ece 48832300        and     qword ptr [rbx],0 ds:00000000`00120800=0000000004a90000

FAULTING_THREAD:  0000000000000b74

PROCESS_NAME:  Explorer.EXE

ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.

EXCEPTION_PARAMETER1:  0000000000000001

EXCEPTION_PARAMETER2:  0000000000120800

WRITE_ADDRESS:  0000000000120800 

FOLLOWUP_IP: 
EMET64!EMETSendCert+2442
000007fe`f2704ece 48832300        and     qword ptr [rbx],0

NTGLOBALFLAG:  400

APPLICATION_VERIFIER_FLAGS:  0

APP:  explorer.exe

ANALYSIS_VERSION: 6.3.9600.17029 (debuggers(dbg).140219-1702) amd64fre

BUGCHECK_STR:  APPLICATION_FAULT_INVALID_POINTER_WRITE_EXPLOITABLE

PRIMARY_PROBLEM_CLASS:  INVALID_POINTER_WRITE_EXPLOITABLE

DEFAULT_BUCKET_ID:  INVALID_POINTER_WRITE_EXPLOITABLE

LAST_CONTROL_TRANSFER:  from 000007fef2705215 to 000007fef2704ece

STACK_TEXT:  
00000000`0736e940 000007fe`f2705215 : 00000000`0736eb00 00000000`00000010 00000000`00000010 00000000`00010000 : EMET64!EMETSendCert+0x2442
00000000`0736e9a0 000007fe`f2703871 : 00000000`00300002 00000000`aa1a1088 00000000`c00b0007 00000000`000000c9 : EMET64!EMETSendCert+0x2789
00000000`0736ea30 000007fe`f26fa004 : 00000000`00000000 00000000`00000000 00000000`04a90000 000007ff`fff9c000 : EMET64!EMETSendCert+0xde5
00000000`0736eae0 000007fe`fd46403e : ffffffff`ffffffff 00000000`04a90000 00000000`00000001 00000000`02dd7790 : EMET64!GetHookAPIs+0x4c0
00000000`0736ebf0 00000000`770e2edf : 00000000`04a90002 00000000`00000000 00000000`00000022 00000000`0736ecfa : KERNELBASE!FreeLibrary+0xa4
00000000`0736ec20 000007fe`fea17414 : 00000000`08c808c8 00000000`04c1fbf0 00000000`02080052 00000000`0736f4a0 : USER32!PrivateExtractIconsW+0x34b
00000000`0736f140 000007fe`fea233a9 : 00000000`00331dec 00000000`00000000 00000000`00000000 00000000`00000000 : SHELL32!SHPrivateExtractIcons+0x393
00000000`0736f410 000007fe`fe8d2a8c : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : SHELL32!SHDefExtractIconW+0x157
00000000`0736f700 000007fe`fe8d28a8 : 00000000`003e3d60 000007fe`fd4d44e7 00000000`0641c4d0 00000000`003e3d60 : SHELL32!CIconCache::ExtractIconW+0x1d8
00000000`0736f7a0 000007fe`fbb19570 : 00000000`003e3d60 00000000`00000001 00000000`003e3d60 00000000`000000d8 : SHELL32!CSparseCallback::ForceImagePresent+0x48
00000000`0736f810 000007fe`fbb1968e : 00000000`0736f900 000007fe`fbb1d7de 00000000`003e3d60 00000000`00000001 : comctl32!CSparseImageList::_Callback_ForceImagePresent+0x74
00000000`0736f860 000007fe`fbb1b14f : 00000000`00000001 00000000`00000000 00000000`000000d8 00000000`06402c30 : comctl32!CSparseImageList::_Virt2Real+0xc6
00000000`0736f890 000007fe`fe9db1cc : 00000000`064059b0 00000000`04e031a0 00000000`064059b0 00000000`0643b6c0 : comctl32!CSparseImageList::ForceImagePresent+0x57
00000000`0736f8d0 000007fe`fe8dc54c : 00000000`0641e660 00000000`06402c30 00000000`00000000 00000000`00000000 : SHELL32!CLoadSystemIconTask::InternalResumeRT+0x164
00000000`0736f960 000007fe`fe90efcb : 80000000`01000000 00000000`0736f9f0 00000000`0641e660 00000000`0000000a : SHELL32!CRunnableTask::Run+0xda
00000000`0736f990 000007fe`fe912b56 : 00000000`0641e660 00000000`00000000 00000000`0641e660 00000000`00000002 : SHELL32!CShellTask::TT_Run+0x124
00000000`0736f9c0 000007fe`fe912cb2 : 00000000`04f7c8f0 00000000`04f7c8f0 00000000`00000000 00000000`003e1a28 : SHELL32!CShellTaskThread::ThreadProc+0x1d2
00000000`0736fa60 000007fe`fd4d3843 : 000007ff`fff9c000 00000000`02e9a890 00000000`02df0d70 00000000`003e1a28 : SHELL32!CShellTaskThread::s_ThreadProc+0x22
00000000`0736fa90 00000000`773115db : 00000000`04e805e0 00000000`04e805e0 00000000`00000001 00000000`00000006 : SHLWAPI!ExecuteWorkItemThreadProc+0xf
00000000`0736fac0 00000000`77310c56 : 00000000`00000000 00000000`04f7c910 00000000`02df0d70 00000000`02e9fef8 : ntdll!RtlpTpWorkCallback+0x16b
00000000`0736fba0 00000000`771e59ed : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!TppWorkerThread+0x5ff
00000000`0736fea0 00000000`7731c541 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : kernel32!BaseThreadInitThunk+0xd
00000000`0736fed0 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlUserThreadStart+0x1d


STACK_COMMAND:  .cxr 0x0 ; kb

SYMBOL_STACK_INDEX:  0

SYMBOL_NAME:  emet64!EMETSendCert+2442

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: EMET64

IMAGE_NAME:  EMET64.dll

DEBUG_FLR_IMAGE_TIMESTAMP:  53d99f01

FAILURE_BUCKET_ID:  INVALID_POINTER_WRITE_EXPLOITABLE_c0000005_EMET64.dll!EMETSendCert

BUCKET_ID:  X64_APPLICATION_FAULT_INVALID_POINTER_WRITE_EXPLOITABLE_emet64!EMETSendCert+2442

ANALYSIS_SOURCE:  UM

FAILURE_ID_HASH_STRING:  um:invalid_pointer_write_exploitable_c0000005_emet64.dll!emetsendcert

FAILURE_ID_HASH:  {f7d2108f-d68f-6bd5-d4b8-073af5241c2e}

Followup: MachineOwner
---------

0:024> lm vm EMET64
start             end                 module name
000007fe`f26d0000 000007fe`f279f000   EMET64     (export symbols)       C:\Windows\AppPatch\AppPatch64\EMET64.dll
    Loaded symbol image file: C:\Windows\AppPatch\AppPatch64\EMET64.dll
    Image path: C:\Windows\AppPatch\AppPatch64\EMET64.dll
    Image name: EMET64.dll
    Timestamp:        Thu Jul 31 05:42:25 2014 (53D99F01)
    CheckSum:         000CE0A3
    ImageSize:        000CF000
    File version:     5.0.0.0
    Product version:  5.0.0.0
    File flags:       0 (Mask 0)
    File OS:          40004 NT Win32
    File type:        2.0 Dll
    File date:        00000000.00000000
    Translations:     0409.04b0
    CompanyName:      Microsoft Corporation
    ProductName:      Enhanced Mitigation Experience Toolkit
    ProductVersion:   5.0.0.0
    FileVersion:      5.0.0.0
    FileDescription:  EMET SHIM
    LegalCopyright:    Microsoft Corporation. All rights reserved.

0:024> lm vm explorer
start             end                 module name
00000000`ff220000 00000000`ff4e0000   Explorer   (pdb symbols)          x:\symbols\explorer.pdb\A1D0A380BD3C489DB80F0E8273C9719A2\explorer.pdb
    Loaded symbol image file: C:\Windows\Explorer.EXE
    Image path: C:\Windows\Explorer.EXE
    Image name: Explorer.EXE
    Timestamp:        Fri Feb 25 08:24:04 2011 (4D672EE4)
    CheckSum:         002C8AF6
    ImageSize:        002C0000
    File version:     6.1.7601.17567
    Product version:  6.1.7601.17567
    File flags:       0 (Mask 3F)
    File OS:          40004 NT Win32
    File type:        1.0 App
    File date:        00000000.00000000
    Translations:     0409.04b0
    CompanyName:      Microsoft Corporation
    ProductName:      Microsoft Windows Operating System
    InternalName:     explorer
    OriginalFilename: EXPLORER.EXE
    ProductVersion:   6.1.7601.17567
    FileVersion:      6.1.7601.17567 (win7sp1_gdr.110224-1502)
    FileDescription:  Windows Explorer
    LegalCopyright:    Microsoft Corporation. All rights reserved.

0:024> vertarget
Windows 7 Version 7601 (Service Pack 1) MP (8 procs) Free x64
Product: Server, suite: Enterprise TerminalServer SingleUserTS
kernel32.dll version: 6.1.7601.18409 (win7sp1_gdr.140303-2144)
Debug session time: Tue Sep 2 14:36:19.923 2014 (UTC + 4:00)
System Uptime: 0 days 0:15:08.322
Process Uptime: 0 days 0:13:53.826
  Kernel time: 0 days 0:00:03.385
  User time: 0 days 0:00:04.290


  • Edited by EreTIk Friday, September 05, 2014 5:22 PM
September 2nd, 2014 1:53pm
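An added triage script for the report above (example code written for this page, not from the original post and not part of EMET): it parses the `!analyze -v` fields and the STACK_TEXT frames, decodes the access-violation parameters (parameter 0 = 1 means a write), and reports which module owns the faulting frame and which hooked API was executing when the fault hit. One caveat it makes explicit: `lm vm EMET64` shows the DLL loaded with export symbols only, so `EMET64!EMETSendCert+0x2442` means 0x2442 bytes past the nearest exported name, not that the fault is inside EMETSendCert itself; the script therefore reports the owning module, not the function. The trimmed report embedded as `SAMPLE` is constructed from the output posted above; the `SHIM_MODULES` set and the 64 KiB near-null threshold are assumptions of the example.

```python
"""Triage helper for WinDbg `!analyze -v` reports (added example, not from the post)."""
import re

# ExceptionInformation[0] for STATUS_ACCESS_VIOLATION (0xC0000005)
ACCESS_KIND = {0: "read", 1: "write", 8: "execute (DEP)"}

# Modules belonging to the mitigation shim rather than the application
# (assumption of this example: EMET.dll is the 32-bit shim, EMET64.dll the 64-bit one).
SHIM_MODULES = {"emet", "emet64"}

# Faults below this address are treated as NULL-plus-offset dereferences
# rather than controllable pointers (assumption: 64 KiB no-access region).
NEAR_NULL_LIMIT = 0x10000


def module_of(symbol):
    """'EMET64!EMETSendCert+0x2442' -> 'EMET64'; unresolved frames -> '<unknown>'."""
    return symbol.split("!", 1)[0] if "!" in symbol else "<unknown>"


def parse_stack(report):
    """Return the symbol column of every STACK_TEXT frame, top of stack first."""
    frames, in_stack = [], False
    for line in report.splitlines():
        if line.startswith("STACK_TEXT:"):
            in_stack = True
            continue
        if not in_stack:
            continue
        if not line.strip():
            if frames:  # the blank line after the frames ends the section
                break
            continue
        # kb layout: childSP retAddr : arg1 arg2 arg3 arg4 : symbol
        parts = line.split(" : ")
        if len(parts) < 2:
            break
        frames.append(parts[-1].strip())
    return frames


def triage(report):
    """Summarise a `!analyze -v` report as a dict of the fields worth acting on."""
    m = re.search(r"ExceptionCode:\s*([0-9a-f]{8})", report, re.I)
    code = int(m.group(1), 16) if m else None
    params = [int(p, 16) for p in re.findall(r"Parameter\[\d\]:\s*([0-9a-f]+)", report, re.I)]
    bucket = re.search(r"FAILURE_BUCKET_ID:\s*(\S+)", report)
    frames = parse_stack(report)

    access, fault_addr = None, None
    if code == 0xC0000005 and len(params) >= 2:
        access = ACCESS_KIND.get(params[0], "unknown")
        fault_addr = params[1]

    faulting_module = module_of(frames[0]) if frames else None
    # First frame outside the shim: the API whose hook was running when the fault hit.
    hooked_api = next((f for f in frames if module_of(f).lower() not in SHIM_MODULES), None)

    return {
        "exception_code": code,
        "access": access,
        "fault_address": fault_addr,
        "near_null": fault_addr is not None and fault_addr < NEAR_NULL_LIMIT,
        "faulting_module": faulting_module,
        "in_mitigation_shim": faulting_module is not None and faulting_module.lower() in SHIM_MODULES,
        "hooked_api": hooked_api,
        "bucket": bucket.group(1) if bucket else None,
        "frames": frames,
    }


# Constructed sample: a trimmed copy of the report posted in the thread.
SAMPLE = """\
FAULTING_IP: 
EMET64!EMETSendCert+2442
000007fe`f2704ece 48832300        and     qword ptr [rbx],0

ExceptionAddress: 000007fef2704ece (EMET64!EMETSendCert+0x0000000000002442)
   ExceptionCode: c0000005 (Access violation)
NumberParameters: 2
   Parameter[0]: 0000000000000001
   Parameter[1]: 0000000000120800
Attempt to write to address 0000000000120800

STACK_TEXT:  
00000000`0736e940 000007fe`f2705215 : 00000000`0736eb00 00000000`00000010 00000000`00000010 00000000`00010000 : EMET64!EMETSendCert+0x2442
00000000`0736e9a0 000007fe`f2703871 : 00000000`00300002 00000000`aa1a1088 00000000`c00b0007 00000000`000000c9 : EMET64!EMETSendCert+0x2789
00000000`0736ea30 000007fe`f26fa004 : 00000000`00000000 00000000`00000000 00000000`04a90000 000007ff`fff9c000 : EMET64!EMETSendCert+0xde5
00000000`0736eae0 000007fe`fd46403e : ffffffff`ffffffff 00000000`04a90000 00000000`00000001 00000000`02dd7790 : EMET64!GetHookAPIs+0x4c0
00000000`0736ebf0 00000000`770e2edf : 00000000`04a90002 00000000`00000000 00000000`00000022 00000000`0736ecfa : KERNELBASE!FreeLibrary+0xa4
00000000`0736ec20 000007fe`fea17414 : 00000000`08c808c8 00000000`04c1fbf0 00000000`02080052 00000000`0736f4a0 : USER32!PrivateExtractIconsW+0x34b

STACK_COMMAND:  .cxr 0x0 ; kb

FAILURE_BUCKET_ID:  INVALID_POINTER_WRITE_EXPLOITABLE_c0000005_EMET64.dll!EMETSendCert
"""

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        if key != "frames":
            print(f"{key:>20}: {value}")
```

Run on the sample it reports a write fault at 0x120800 owned by EMET64 with `FreeLibrary` as the hooked API, which is the evidence behind reading this crash as a bug in the shim's hook path rather than in explorer.exe itself.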

Answer: "You should not enable EMET for explorer.exe"

Shell extension may be vulnerable :(

  • Proposed as answer by W. Spu Saturday, September 06, 2014 11:04 AM
September 6th, 2014 1:40pm

There's certainly something wrong with the EMET.DLL and it being used with Windows Explorer. I get the access violation problem fairly regularly on multiple Windows 7 Professional 32-bit systems.

By way of comparison, those same systems ran both EMET 4.0 and EMET 4.1 protecting Windows Explorer and never suffered any abends.


  • Edited by AshleyST Thursday, September 11, 2014 1:24 PM Improve clarity
September 11th, 2014 4:20pm

I think this problem may be resolved with EMET 5.1

I've been running various machines with EMET 5.1 for over two weeks now and have had no occurrences of the C0000005 exception in explorer.exe.

  • Marked as answer by EreTIk Sunday, November 30, 2014 12:04 PM
November 27th, 2014 11:19am
