EMET 4.0 Beta incompatible with QIP 2012 RRS feed

  • Question

  • I've got QIP 2012 build 8921 (internet messenger) and EMET 4.0 installed (DEP=Opt Out, SEHOP=Opt In, ASLR=Opt In). Every check for qip.exe was enabled, which made it fail to start.

    Faulting application name: qip.exe, version: 4.0.0.8921, time stamp: 0x2a425e19
    Faulting module name: ntdll.dll, version: 6.1.7601.17725, time stamp: 0x4ec49b60
    Exception code: 0xc00000fd
    Fault offset: 0x000470ef
    Faulting process id: 0xb10
    Faulting application start time: 0x01ce45b0622902ae
    Faulting application path: C:\Program Files\QIP 2012\qip.exe
    Faulting module path: C:\Windows\SYSTEM32\ntdll.dll
    Report Id: a0269cd8-b1a3-11e2-aa92-0050fcf93e54

    I wasn't able to figure out which check was failing by disabling checks one by one, because qip was failing even when all checks were disabled. Only after removing the rule could it start.

    Why is disabling all checks not effectively the same as removing the rule in EMET?

    Friday, May 3, 2013 2:36 PM

All replies

  • Hi hypothesis,

    Welcome to the EMET Support forum.

    Thanks for reporting this incompatibility. You mentioned that you disabled all of the mitigations for qip.exe; presumably this included all of the ROP mitigations? The ROP mitigations now also include mitigations such as Deep Hooks, Anti Detours and Banned Functions, which only apply when at least one of the ROP mitigations is active.

    The only other explanation would be a system-wide setting such as DEP or SEHOP, but since removing the application rule resolved the issue for you, that rules out that cause.

    As you pointed out, “Why is disabling all checks not effectively the same as removing the rule in EMET?” I would suggest sending an email to the EMET 4.0 Beta feedback address mentioned in the final paragraph of the following blog post, since turning off all mitigations should allow the program to start (unless it is a bug in the beta version). This should allow the EMET team to investigate:

    http://blogs.technet.com/b/srd/archive/2013/04/18/introducing-emet-v4-beta.aspx

    I hope this helps. Thank you.

    • Edited by JamesC_836 Friday, May 3, 2013 2:59 PM
    Friday, May 3, 2013 2:57 PM
  • Thank you for response!

    Yes, I've just tried once again after switching DEP to Opt In and rebooting.
    1) added qip.exe with the default checks; it failed
    2) disabled all checks, reran qip.exe; it failed again
    3) removed the rule; it started fine.

    I'll report to SRD as you suggest. Thanks again.

    By the way, there was an interesting SimExecFlow error in QIP 2010 (the previous version of QIP), which is obsolete and not easily available for download.

    Friday, May 3, 2013 3:09 PM
  • Hi hypothesis,

    Thanks for your update and I am glad I was able to be of some assistance.

    From the additional information that you have provided, this does sound like a bug that requires further investigation.

    There have been changes to the ROP mitigations in EMET 4.0 Beta to make them more compatible with applications. If you can still reproduce the issue with QIP 2010 and EMET 4.0 Beta, feel free to also pass that info on to the SRD / EMET team.

    Thank you.

    Friday, May 3, 2013 3:35 PM
  • Hi James,
    Do you think the QIP 2010 SimExecFlow check is worth reporting? It might very well be a bug in QIP itself. I can run it fine with this check disabled. Moreover, it is an obsolete version of QIP. If you think it is worth reporting, I'll have it done.
    Thank you!

    Friday, May 3, 2013 3:41 PM
  • Hi hypothesis,

    I understand. Since it is an obsolete version, you don’t need to report it, especially since disabling Simulate Execution Flow (SimExecFlow) fixes it.

    Apologies for any confusion that I caused. Thank you.

    Friday, May 3, 2013 4:02 PM