[v] Deep Hooks
[v] Anti Detour
[v] Banned Function
[x] Stop on exploit
All options for explorer.exe checked
=> Crash
WinDbg as the postmortem debugger:
0:024> !analyze -v
*******************************************************************************
*                                                                             *
*                        Exception Analysis                                   *
*                                                                             *
*******************************************************************************

FAULTING_IP:
EMET64!EMETSendCert+2442
000007fe`f2704ece 48832300        and     qword ptr [rbx],0

EXCEPTION_RECORD:  ffffffffffffffff -- (.exr 0xffffffffffffffff)
ExceptionAddress: 000007fef2704ece (EMET64!EMETSendCert+0x0000000000002442)
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 0000000000000001
   Parameter[1]: 0000000000120800
Attempt to write to address 0000000000120800

CONTEXT:  0000000000000000 -- (.cxr 0x0;r)
rax=00000000003a7c70 rbx=0000000000120800 rcx=0000000000000038
rdx=00000000aa1a1088 rsi=00000000001220b4 rdi=00000000003a7c70
rip=000007fef2704ece rsp=000000000736e940 rbp=000000000736eab0
 r8=000000000736e8f8  r9=000000000736eab0 r10=0000000000000000
r11=0000000000000286 r12=0000000000000000 r13=0000000000000033
r14=0000000000000033 r15=0000000000000000
iopl=0         nv up ei pl nz na po nc
cs=0033  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010204
EMET64!EMETSendCert+0x2442:
000007fe`f2704ece 48832300        and     qword ptr [rbx],0 ds:00000000`00120800=0000000004a90000

FAULTING_THREAD:  0000000000000b74

PROCESS_NAME:  Explorer.EXE

ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.

EXCEPTION_PARAMETER1:  0000000000000001

EXCEPTION_PARAMETER2:  0000000000120800

WRITE_ADDRESS:  0000000000120800

FOLLOWUP_IP:
EMET64!EMETSendCert+2442
000007fe`f2704ece 48832300        and     qword ptr [rbx],0

NTGLOBALFLAG:  400

APPLICATION_VERIFIER_FLAGS:  0

APP:  explorer.exe

ANALYSIS_VERSION: 6.3.9600.17029 (debuggers(dbg).140219-1702) amd64fre

BUGCHECK_STR:  APPLICATION_FAULT_INVALID_POINTER_WRITE_EXPLOITABLE

PRIMARY_PROBLEM_CLASS:  INVALID_POINTER_WRITE_EXPLOITABLE

DEFAULT_BUCKET_ID:  INVALID_POINTER_WRITE_EXPLOITABLE

LAST_CONTROL_TRANSFER:  from 000007fef2705215 to 000007fef2704ece

STACK_TEXT:
00000000`0736e940 000007fe`f2705215 : 00000000`0736eb00 00000000`00000010 00000000`00000010 00000000`00010000 : EMET64!EMETSendCert+0x2442
00000000`0736e9a0 000007fe`f2703871 : 00000000`00300002 00000000`aa1a1088 00000000`c00b0007 00000000`000000c9 : EMET64!EMETSendCert+0x2789
00000000`0736ea30 000007fe`f26fa004 : 00000000`00000000 00000000`00000000 00000000`04a90000 000007ff`fff9c000 : EMET64!EMETSendCert+0xde5
00000000`0736eae0 000007fe`fd46403e : ffffffff`ffffffff 00000000`04a90000 00000000`00000001 00000000`02dd7790 : EMET64!GetHookAPIs+0x4c0
00000000`0736ebf0 00000000`770e2edf : 00000000`04a90002 00000000`00000000 00000000`00000022 00000000`0736ecfa : KERNELBASE!FreeLibrary+0xa4
00000000`0736ec20 000007fe`fea17414 : 00000000`08c808c8 00000000`04c1fbf0 00000000`02080052 00000000`0736f4a0 : USER32!PrivateExtractIconsW+0x34b
00000000`0736f140 000007fe`fea233a9 : 00000000`00331dec 00000000`00000000 00000000`00000000 00000000`00000000 : SHELL32!SHPrivateExtractIcons+0x393
00000000`0736f410 000007fe`fe8d2a8c : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : SHELL32!SHDefExtractIconW+0x157
00000000`0736f700 000007fe`fe8d28a8 : 00000000`003e3d60 000007fe`fd4d44e7 00000000`0641c4d0 00000000`003e3d60 : SHELL32!CIconCache::ExtractIconW+0x1d8
00000000`0736f7a0 000007fe`fbb19570 : 00000000`003e3d60 00000000`00000001 00000000`003e3d60 00000000`000000d8 : SHELL32!CSparseCallback::ForceImagePresent+0x48
00000000`0736f810 000007fe`fbb1968e : 00000000`0736f900 000007fe`fbb1d7de 00000000`003e3d60 00000000`00000001 : comctl32!CSparseImageList::_Callback_ForceImagePresent+0x74
00000000`0736f860 000007fe`fbb1b14f : 00000000`00000001 00000000`00000000 00000000`000000d8 00000000`06402c30 : comctl32!CSparseImageList::_Virt2Real+0xc6
00000000`0736f890 000007fe`fe9db1cc : 00000000`064059b0 00000000`04e031a0 00000000`064059b0 00000000`0643b6c0 : comctl32!CSparseImageList::ForceImagePresent+0x57
00000000`0736f8d0 000007fe`fe8dc54c : 00000000`0641e660 00000000`06402c30 00000000`00000000 00000000`00000000 : SHELL32!CLoadSystemIconTask::InternalResumeRT+0x164
00000000`0736f960 000007fe`fe90efcb : 80000000`01000000 00000000`0736f9f0 00000000`0641e660 00000000`0000000a : SHELL32!CRunnableTask::Run+0xda
00000000`0736f990 000007fe`fe912b56 : 00000000`0641e660 00000000`00000000 00000000`0641e660 00000000`00000002 : SHELL32!CShellTask::TT_Run+0x124
00000000`0736f9c0 000007fe`fe912cb2 : 00000000`04f7c8f0 00000000`04f7c8f0 00000000`00000000 00000000`003e1a28 : SHELL32!CShellTaskThread::ThreadProc+0x1d2
00000000`0736fa60 000007fe`fd4d3843 : 000007ff`fff9c000 00000000`02e9a890 00000000`02df0d70 00000000`003e1a28 : SHELL32!CShellTaskThread::s_ThreadProc+0x22
00000000`0736fa90 00000000`773115db : 00000000`04e805e0 00000000`04e805e0 00000000`00000001 00000000`00000006 : SHLWAPI!ExecuteWorkItemThreadProc+0xf
00000000`0736fac0 00000000`77310c56 : 00000000`00000000 00000000`04f7c910 00000000`02df0d70 00000000`02e9fef8 : ntdll!RtlpTpWorkCallback+0x16b
00000000`0736fba0 00000000`771e59ed : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!TppWorkerThread+0x5ff
00000000`0736fea0 00000000`7731c541 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : kernel32!BaseThreadInitThunk+0xd
00000000`0736fed0 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlUserThreadStart+0x1d

STACK_COMMAND:  .cxr 0x0 ; kb

SYMBOL_STACK_INDEX:  0

SYMBOL_NAME:  emet64!EMETSendCert+2442

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: EMET64

IMAGE_NAME:  EMET64.dll

DEBUG_FLR_IMAGE_TIMESTAMP:  53d99f01

FAILURE_BUCKET_ID:  INVALID_POINTER_WRITE_EXPLOITABLE_c0000005_EMET64.dll!EMETSendCert

BUCKET_ID:  X64_APPLICATION_FAULT_INVALID_POINTER_WRITE_EXPLOITABLE_emet64!EMETSendCert+2442

ANALYSIS_SOURCE:  UM

FAILURE_ID_HASH_STRING:  um:invalid_pointer_write_exploitable_c0000005_emet64.dll!emetsendcert

FAILURE_ID_HASH:  {f7d2108f-d68f-6bd5-d4b8-073af5241c2e}

Followup: MachineOwner
---------

What this output says, read bottom-up: a shell worker thread (SHELL32!CShellTaskThread) is extracting icons, USER32!PrivateExtractIconsW calls KERNELBASE!FreeLibrary, and EMET64's hook on that API (the GetHookAPIs and EMETSendCert frames) faults before returning. The fault itself is a write (EXCEPTION_PARAMETER1 = 1) of `and qword ptr [rbx],0` with rbx = 0x120800. WinDbg could still display the contents of that address from the dump (ds:00000000`00120800=0000000004a90000), so the page was mapped and readable but not writable; this is not a wild pointer into unmapped memory. The INVALID_POINTER_WRITE_EXPLOITABLE bucket is the heuristic label !analyze attaches to write access violations. It marks the crash as worth investigating, not as a confirmed vulnerability.
0:024> lm vm EMET64
start             end                 module name
000007fe`f26d0000 000007fe`f279f000   EMET64     (export symbols)       C:\Windows\AppPatch\AppPatch64\EMET64.dll
    Loaded symbol image file: C:\Windows\AppPatch\AppPatch64\EMET64.dll
    Image path: C:\Windows\AppPatch\AppPatch64\EMET64.dll
    Image name: EMET64.dll
    Timestamp:        Thu Jul 31 05:42:25 2014 (53D99F01)
    CheckSum:         000CE0A3
    ImageSize:        000CF000
    File version:     5.0.0.0
    Product version:  5.0.0.0
    File flags:       0 (Mask 0)
    File OS:          40004 NT Win32
    File type:        2.0 Dll
    File date:        00000000.00000000
    Translations:     0409.04b0
    CompanyName:      Microsoft Corporation
    ProductName:      Enhanced Mitigation Experience Toolkit
    ProductVersion:   5.0.0.0
    FileVersion:      5.0.0.0
    FileDescription:  EMET SHIM
    LegalCopyright:   © Microsoft Corporation. All rights reserved.

Note the "(export symbols)" column: no PDB is available for EMET64.dll, so EMET64!EMETSendCert+0x2442 only means "0x2442 bytes past the nearest preceding export". The faulting code is not necessarily part of EMETSendCert at all, and the same goes for the GetHookAPIs frame in the stack.
0:024> lm vm explorer
start             end                 module name
00000000`ff220000 00000000`ff4e0000   Explorer   (pdb symbols)          x:\symbols\explorer.pdb\A1D0A380BD3C489DB80F0E8273C9719A2\explorer.pdb
    Loaded symbol image file: C:\Windows\Explorer.EXE
    Image path: C:\Windows\Explorer.EXE
    Image name: Explorer.EXE
    Timestamp:        Fri Feb 25 08:24:04 2011 (4D672EE4)
    CheckSum:         002C8AF6
    ImageSize:        002C0000
    File version:     6.1.7601.17567
    Product version:  6.1.7601.17567
    File flags:       0 (Mask 3F)
    File OS:          40004 NT Win32
    File type:        1.0 App
    File date:        00000000.00000000
    Translations:     0409.04b0
    CompanyName:      Microsoft Corporation
    ProductName:      Microsoft® Windows® Operating System
    InternalName:     explorer
    OriginalFilename: EXPLORER.EXE
    ProductVersion:   6.1.7601.17567
    FileVersion:      6.1.7601.17567 (win7sp1_gdr.110224-1502)
    FileDescription:  Windows Explorer
    LegalCopyright:   © Microsoft Corporation. All rights reserved.
0:024> vertarget
Windows 7 Version 7601 (Service Pack 1) MP (8 procs) Free x64
Product: Server, suite: Enterprise TerminalServer SingleUserTS
kernel32.dll version: 6.1.7601.18409 (win7sp1_gdr.140303-2144)
Debug session time: Tue Sep  2 14:36:19.923 2014 (UTC + 4:00)
System Uptime: 0 days 0:15:08.322
Process Uptime: 0 days 0:13:53.826
  Kernel time: 0 days 0:00:03.385
  User time: 0 days 0:00:04.290
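Added example, not part of the original report or of EMET: a small Python triage helper that turns a pasted `!analyze -v` block, plus the matching `lm vm` line, into the fields worth recording first when a crash like this one lands in a queue: exception code, read/write/execute access, faulting address, faulting module and symbol, bucket ID, whether the target address was readable in the dump, and whether the symbol came from export symbols only (in which case Module!Export+offset is just the nearest export). The constants SAMPLE and SAMPLE_LM are excerpts of the debugger output above; the Triage dataclass, the function names and the ACCESS_KIND table are this example's own.

```python
import re
from dataclasses import dataclass
from typing import Optional

# EXCEPTION_PARAMETER1 for STATUS_ACCESS_VIOLATION (0xC0000005):
# 0 = read, 1 = write, 8 = instruction fetch blocked by DEP.
ACCESS_KIND = {0: "read", 1: "write", 8: "execute"}

# Excerpt of the !analyze -v output from the report above (trimmed to the lines parsed here).
SAMPLE = """\
FAULTING_IP:
EMET64!EMETSendCert+2442
000007fe`f2704ece 48832300        and     qword ptr [rbx],0

EXCEPTION_RECORD:  ffffffffffffffff -- (.exr 0xffffffffffffffff)
ExceptionAddress: 000007fef2704ece (EMET64!EMETSendCert+0x0000000000002442)
   ExceptionCode: c0000005 (Access violation)
EMET64!EMETSendCert+0x2442:
000007fe`f2704ece 48832300        and     qword ptr [rbx],0 ds:00000000`00120800=0000000004a90000

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.

EXCEPTION_PARAMETER1:  0000000000000001

EXCEPTION_PARAMETER2:  0000000000120800

FAILURE_BUCKET_ID:  INVALID_POINTER_WRITE_EXPLOITABLE_c0000005_EMET64.dll!EMETSendCert
"""

# Excerpt of the `lm vm EMET64` output from the report above.
SAMPLE_LM = """\
start             end                 module name
000007fe`f26d0000 000007fe`f279f000   EMET64     (export symbols)       C:\\Windows\\AppPatch\\AppPatch64\\EMET64.dll
"""


@dataclass
class Triage:
    exception_code: int
    access: str
    address: int
    faulting_ip: int
    module: str
    symbol: str
    offset: int
    bucket: str
    target_readable: Optional[bool]  # None when no "ds:addr=value" annotation was found
    symbol_quality: str              # "pdb", "export", "deferred", ... or "unknown"


def _hex(s):
    """Parse a WinDbg hex number, tolerating the 64-bit backtick separator."""
    return int(s.replace("`", ""), 16)


def _field(text, name):
    """Return the value of a NAME:  value line, or None if absent."""
    m = re.search(rf"^{name}:\s*(.+?)\s*$", text, re.M)
    return m.group(1) if m else None


def symbol_quality(lm_text, module):
    """Symbol type WinDbg reported for `module` in `lm vm` output (e.g. 'export', 'pdb')."""
    m = re.search(rf"^\S+\s+\S+\s+{re.escape(module)}\s+\((\w+) symbols\)",
                  lm_text or "", re.M | re.I)
    return m.group(1).lower() if m else "unknown"


def parse_analysis(text, lm_text=None):
    """Extract the triage fields from a !analyze -v block; raises if the block is incomplete."""
    code = re.search(r"EXCEPTION_CODE:\s*\(NTSTATUS\)\s*0x([0-9a-fA-F]+)", text)
    p1 = _field(text, "EXCEPTION_PARAMETER1")
    p2 = _field(text, "EXCEPTION_PARAMETER2")
    ip = re.search(r"FAULTING_IP:\s*\n(\w+)!([^+\s]+)\+([0-9a-fA-F]+)\s*\n([0-9a-f`]+)", text)
    if not (code and p1 and p2 and ip):
        raise ValueError("not a complete !analyze -v block")
    module, symbol, offset, ip_addr = ip.groups()
    # The CONTEXT disassembly annotates the memory operand as ds:addr=value; WinDbg prints
    # question marks for the value when the target could not be read from the dump.
    ds = re.search(r"ds:([0-9a-f`]+)=([0-9a-f?]+)", text)
    readable = None if ds is None else "?" not in ds.group(2)
    return Triage(
        exception_code=_hex(code.group(1)),
        access=ACCESS_KIND.get(_hex(p1), f"unknown({p1})"),
        address=_hex(p2),
        faulting_ip=_hex(ip_addr),
        module=module,
        symbol=symbol,
        offset=int(offset, 16),
        bucket=_field(text, "FAILURE_BUCKET_ID") or "",
        target_readable=readable,
        symbol_quality=symbol_quality(lm_text, module),
    )


def summarize(t):
    """One-line verdict carrying the caveats an analyst should keep attached to the bucket."""
    where = f"{t.module}!{t.symbol}+0x{t.offset:x}"
    if t.symbol_quality == "export":
        where += " (export symbols only: nearest export, not necessarily that function)"
    mem = {True: "readable target", False: "unmapped target",
           None: "target state unknown"}[t.target_readable]
    return f"{t.access} AV at 0x{t.address:x} from {where}; {mem}; bucket {t.bucket}"


if __name__ == "__main__":
    print(summarize(parse_analysis(SAMPLE, SAMPLE_LM)))
```

Run on the excerpt above it reports a write access violation at 0x120800 from EMET64!EMETSendCert+0x2442 with the export-symbols caveat and a readable target; swap in a block where the ds: value is printed as question marks and target_readable flips to False, which is the "wild pointer" case the EXPLOITABLE bucket is more often associated with.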