Recently I discussed Microsoft's Enhanced Mitigation Experience Toolkit (EMET), a Windows security enhancement that adds buffer overflow prevention and protection to applications that may be vulnerable to stack and buffer overflow attacks and other techniques that malware uses to interact with the operating system. Version 2 of EMET added support for six mitigation techniques, including mandatory address space layout randomization and dyamic data execution prevention.
Vulnerable applications must be added by the system user or administrator to the toolkit via the EMET command line configuration tool (emet_conf.exe). To do so, the administrator is required to know the exact path to each executable. Once the file has been added to EMET, the processes created by the execution of that file will be protected by EMET's mitigation techniques.
Although discovering the file paths is not difficult, it can be time consuming if you need to apply the same protective settings to several systems. In this context, this is a perfect opportunity for some fundamental Windows shell scripting.
In this article, I'll show you how to create a simple batch file and the Windows shell's "For" command to:
- Iterate through a list of file names (e.g. "iexplore.exe").
- Find each occurrence of that file across the C drive.
- Add each of those specific files to EMET.
A batch file, for anyone not familiar with the term, is a list of commands in a file that Windows executes sequentially.
Let's begin by reviewing the EMET command line configuration tool -- "emet_conf.exe". EMET_conf.exe is well described in the EMET user guide and that document should be referenced by anyone using this tool. There are four commands for this tool; we'll want to familiarize ourselves with:
These commands do, in the context of adding or removing an application to EMET's coverage, exactly what the names imply. Figure 1 shows the command line output, when using the –list command when EMET is not protecting any applications.
Now, in Figure 2, we'll add a single program, the Firefox browser, to EMET and rerun the list command.
If we repeat the command to add Firefox, but replace "—add" with "–delete" that application will be removed from EMET. Lastly, "—delete_all" removes every application from EMET's configuration.
If all applications we want to protect are in a predictable location it would be trivial to create a batch file to run each of those commands on any system we want. However, since users sometimes change the installation path and Chrome gets installed in a user-specific profile directory, we may need a little more flexibility in our configuration process. That's where the EMET configuration script comes in.
Before I go any further in discussing the script, it's worth mentioning that there are many ways to script almost any task, and many languages to select. I am using the Windows shell for simplicity.
To start the script's creation, we'll create a list of files we want to protect, which I'll call high_risk_files.txt. The contents of that file represent Adobe Reader, Google Chrome, Firefox and Internet Explorer browsers. Figure 3 shows the exact contents of high_risk_files.txt.
Next, we need to iterate through the file system to find each executable. If I wanted to find any occurrence of "firefox.exe" on the file system I could run the command "dir /s firefox.exe", and the "/s" will make the directory listing recursively include all subdirectories. Running this from "c:\" will include everything on the C: drive. The addition of the "/b" argument to "dir" will show the full directory path for each file. Since we want to run the dir command for every file listed in high_risk_files.txt we need to use the For loop native to the Windows shell. We then want to save the output to a file to later process into EMET, so we need to redirect the output of "dir" to a file. We'll call the output of the "dir" commands files_found.txt. The command to do this is shown in Figure 4.
Let's look at this For command section by section in Figure 5.
We now have a file, files_found.txt, that contains every instance of each of the files specified by high_risk_files.txt. Partial contents of that file are shown in Figure 6.
Since we made the script search all of the C drive it will identify any instance of a file with that name, including files that are in Windows system locations, such as c:\Windows\$hf_mig$\, and not the normally executed version of that file. Extra logic could easily be added to the script to filter those locations out or to limit it to specific locations (such as c:\program files).
Finally, we need to iterate through the files_found.txt file and send each entry to emet_conf.exe as an argument for the --add command. The For loop is again used as shown in Figure 7, with the assumption that EMET was installed in the default location c:\program files\EMET. Plainly stated, this command says: "For each line in files_found.txt, run emet_conf.exe –add and append that line of text to this command." Because the full path of the files within "files_found.txt" may have spaces (e.g. "c:\program files\foo\") we use the "delims='" command to tell the For command not to treat the space character as a delimiter.
Once that command is run, we can run "emet_conf.exe --list" and see all of those files -- or more correctly the processes created by these files -- will now be protected by EMET.
Let's wrap this up by showing a batch file-based script, emet_script.cmd shown in Figure 8, which will perform all of these steps together. Please note that the variable name requires two %% when run within a batch file as opposed to just one % when run on the command line.
We can now simply execute the emet_script.cmd file and EMET will be configured to protect all of the files it finds. By adding the first three lines, you ensure the script runs from c:\ and the files_found.txt file doesn't already exist. This script could be improved by adding error handling or restrictions on what file paths are searched. We could also eliminate the list of specific files and instruct it to find every .exe file in c:\program files\.
I will conclude this short tutorial by showing a single command, Figure 9, that will perform all of these steps together, with one For loop embedded within another For loop.
Tom Chmielarski is a senior consultant with GlassHouse Technologies, Inc.
Send Tom your security questions.
Join us on LinkedIn.