EMET 5.0 - armor or curtain?

Presented at ToorCon San Diego 16 (2014), Oct. 25, 2014, 2 p.m. (50 minutes)

The Enhanced Mitigation Experience Toolkit (EMET) is an application developed by Microsoft that adds an additional layer of security to applications in order to prevent attackers from exploiting vulnerabilities in them. It can be used to globally enable system-wide mitigations such as Address Space Layout Randomization (ASLR), Data Execution Prevention (DEP) and Structured Exception Handler Overwrite Protection (SEHOP). In addition, special per-process protections can be enabled: several Return-Oriented Programming (ROP) checks (LoadLibrary, MemProt, Caller, SimExecFlow, StackPivot), Export Address Table Access Filtering (EAF and EAF+) to prevent execution of shellcode, pre-allocations to defeat heap spraying and kernel exploitation, additional randomization (bottom-up randomization and mandatory ASLR), and advanced mitigations (deep hooks, anti detours and banned functions) against further classes of attacks.

If an application supports DEP together with full ASLR, the difficulty of writing a reliable exploit increases dramatically. The typical approach to defeating DEP is to use ROP to disable it. ROP builds on the idea of returning (or jumping) to small so-called gadgets: short sequences of already existing code in the executable's code sections that end with a return or jump instruction. Chaining such gadgets together builds new logic, for example logic that disables DEP. If ASLR is supported by every module of the application, this approach cannot be applied directly, because the addresses of the gadgets are randomized by ASLR and therefore unknown to the attacker. In that case the vulnerability must first be turned into an information disclosure vulnerability in order to leak an address and defeat ASLR. Techniques for accomplishing this (e.g. partial overwrites, overwriting the length field of strings, …) have already been discussed in the past and are therefore not the focus of this talk. Instead, further techniques will be discussed that can be used to bypass the additional per-process protections of EMET.

To apply these techniques, a vulnerability that allows code execution as well as leaking information (to bypass ASLR) is required. These requirements are met in any case, since without them it would be impossible to write an exploit even for an application that is not protected by EMET. The aim of this talk is to demonstrate new and more reliable exploitation techniques, as well as to discuss in which situations already existing techniques can be applied in a reliable way.
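To make the per-process ROP checks named above concrete, the following C program is an added illustration (not code from the talk, the presenter, or EMET itself). It models two of the listed checks as pure functions that can be run on constructed inputs: the Caller check (at a hooked critical API, is the return address on the stack preceded by a CALL instruction, or did a RET from a gadget land on the API entry?) and the StackPivot check (is the stack pointer still inside the thread's real stack?). The x86 CALL decoder is deliberately partial (no prefixes, no SIB forms), and the stack limits, code bytes and function names are all made up for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added illustration of EMET-style Caller and StackPivot checks.
 * Everything here (names, bytes, stack limits) is constructed for the
 * example and is not EMET's implementation. */

typedef struct {
    uintptr_t stack_limit;  /* lowest valid stack address              */
    uintptr_t stack_base;   /* one past the highest valid stack address */
} thread_stack;

enum verdict { ALLOW = 0, BLOCK_STACKPIVOT = 1, BLOCK_CALLER = 2 };

/* Caller check: true if a recognised x86 CALL encoding ends exactly at
 * ret_off, i.e. ret_off looks like a return address pushed by a CALL.
 * Recognised forms (simplified decoder, no prefixes, no SIB byte):
 *   E8 rel32                      call rel32         (5 bytes)
 *   FF /2, mod=3                  call reg           (2 bytes)
 *   FF /2, mod=0, rm!=4,5         call [reg]         (2 bytes)
 *   FF /2, mod=1, rm!=4           call [reg+disp8]   (3 bytes)
 *   FF /2, mod=2, rm!=4           call [reg+disp32]  (6 bytes)
 *   FF /2, mod=0, rm=5            call [disp32]      (6 bytes) */
bool preceded_by_call(const uint8_t *code, size_t len, size_t ret_off)
{
    if (ret_off > len)
        return false;
    if (ret_off >= 5 && code[ret_off - 5] == 0xE8)
        return true;                                   /* call rel32 */
    if (ret_off >= 2 && code[ret_off - 2] == 0xFF) {
        uint8_t m = code[ret_off - 1];
        unsigned mod = m >> 6, reg = (m >> 3) & 7, rm = m & 7;
        if (reg == 2 && (mod == 3 || (mod == 0 && rm != 4 && rm != 5)))
            return true;                               /* call reg / call [reg] */
    }
    if (ret_off >= 3 && code[ret_off - 3] == 0xFF) {
        uint8_t m = code[ret_off - 2];
        if (((m >> 3) & 7) == 2 && (m >> 6) == 1 && (m & 7) != 4)
            return true;                               /* call [reg+disp8] */
    }
    if (ret_off >= 6 && code[ret_off - 6] == 0xFF) {
        uint8_t m = code[ret_off - 5];
        unsigned mod = m >> 6, reg = (m >> 3) & 7, rm = m & 7;
        if (reg == 2 && ((mod == 2 && rm != 4) || (mod == 0 && rm == 5)))
            return true;                               /* call [reg+disp32] / call [abs] */
    }
    return false;
}

/* StackPivot check: the stack pointer must lie within the thread's stack.
 * A pointer into heap-sprayed memory (0x0C0C0C0C and friends) fails. */
bool stack_pivoted(uintptr_t sp, thread_stack ts)
{
    return sp < ts.stack_limit || sp >= ts.stack_base;
}

/* What a hook on a critical API would decide from the two checks. */
enum verdict check_api_entry(const uint8_t *code, size_t len, size_t ret_off,
                             uintptr_t sp, thread_stack ts)
{
    if (stack_pivoted(sp, ts))
        return BLOCK_STACKPIVOT;
    if (!preceded_by_call(code, len, ret_off))
        return BLOCK_CALLER;
    return ALLOW;
}

/* Constructed code bytes (not taken from any real binary). */
const uint8_t legit_site[] = { 0x8B, 0x45, 0x08,   /* mov eax,[ebp+8]            */
                               0xFF, 0xD0,         /* call eax -> return addr = 5 */
                               0xC3 };             /* ret                         */
const uint8_t rop_site[]   = { 0x59, 0xC3,         /* pop ecx ; ret (gadget at 0) */
                               0x5B, 0xC3 };       /* pop ebx ; ret (gadget at 2) */
/* mov eax,0x0000D0FF carries the bytes FF D0 in its immediate, so offset 3
 * is "call-preceded" although no CALL exists: a gadget starting there
 * satisfies the Caller heuristic. */
const uint8_t fake_site[]  = { 0xB8, 0xFF, 0xD0, 0x00, 0x00,
                               0x5A, 0xC3 };       /* pop edx ; ret               */
/* Constructed stack limits for the demo thread. */
const thread_stack demo_stack = { 0x00100000u, 0x00200000u };

int main(void)
{
    static const char *names[] = { "allow", "block: stack pivot",
                                   "block: no CALL before return address" };
    printf("legit call:    %s\n", names[check_api_entry(legit_site, sizeof legit_site, 5, 0x001FF000u, demo_stack)]);
    printf("ret into API:  %s\n", names[check_api_entry(rop_site, sizeof rop_site, 2, 0x001FF000u, demo_stack)]);
    printf("pivoted stack: %s\n", names[check_api_entry(rop_site, sizeof rop_site, 2, 0x0C0C0C0Cu, demo_stack)]);
    printf("call-preceded: %s\n", names[check_api_entry(fake_site, sizeof fake_site, 3, 0x001FF000u, demo_stack)]);
    return 0;
}
```

The fourth scenario is the practitioner's caveat: because x86 code is not self-synchronizing, any gadget whose address happens to follow bytes that decode as a CALL passes the Caller heuristic, and a ROP chain that keeps the stack pointer inside the real stack passes StackPivot, so both checks raise the bar for gadget selection rather than removing ROP as a technique.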


Presenters:

  • René Freingruber
    René Freingruber has been working as a professional security consultant for SEC Consult for several years. He conducts research in the fields of malware analysis, reverse engineering and exploit development. For his bachelor's thesis he developed hundreds of exploits to study the different mitigation techniques implemented by modern operating systems and how they can be bypassed by attackers.
