Seh and safeseh

 

Seh and safeseh

1. seh exception triggered
Make the target program read/write Invalid Address. If the memory adjacent to the bottom of the stack is read-only, try to overwrite the bottom of the stack

2. How to Find the seh to be overwritten
Od Syntax: dd FS: [0]
SoftICE Syntax: dd FS: 0

3. Redirect address to be filled when seh is overwritten
You need to find a successfully redirected
Pop?
Pop?
Retn
.
Od Syntax: Ctrl + B/L 5? 5? C3
SoftICE Syntax: S-a addr-l Length 5? 5? C3
Among them, "5? "Represents any value between" 58-5f"

4, NTDLL! Kiuserexceptiondispatcher () Process
Veh <-- WINXP only available
Bytes
Seh <-- Win2000 starts from here
Bytes
Uef when the program is debugged, unhandledexceptionfilter () setunhandledexceptionfilter ()

5, NTDLL! Kiuserexceptiondispatcher () checks the seh handler process
1) check whether the handler is within the stack range specified by the thread Teb (FS: [4] ~ FS: [8]). If so, execution is denied.
2) check whether the handler is in the list of loaded modules (exe and DLL). If the handler is not within the address range of these modules, execute.
3) If handler is within the module address range, check the list of registered exception handlers.
Check process:
--------------
A) if (dllcharacteristics & 0xff00) = 0x0400), refuse to execute (no seh); otherwise, continue to check.
B) if the load configuration directory address is 0 (that is, the load configuration directory structure does not exist, indicating that the/safeseh option is not set during compilation), stop the check and execute.
The load configuration directory structure exists. Check again:
+ 00 h directory_size // The Directory length is between [0, 0x48). Stop the check and execute.
...
+ 40 h handlers [] // seh handler array pointer (element is seh handler RVA address), if (handlers [] = 0), stop the check and execute.
+ 44 h handler_num // seh handler array element count, if (handler_num = 0), stop the check and execute.

C) then start matching one by one to find and call. No matching is found and calls are rejected.

6. About datadirectory [image_directory_entry_load_config]
This is the definition in winnt. h.
Typedef struct {
DWORD size;
DWORD timedatestamp;
Word majorversion;
Word minorversion;
DWORD globalflagsclear;
DWORD globalflagsset;
DWORD criticalsectiondefaulttimeout;
DWORD decommitfreeblockthreshold;
DWORD decommittotalfreethreshold;
DWORD lockprefixtable; // va
DWORD maximumallocationsize;
DWORD virtualmemorythreshold;
DWORD processheapflags;
DWORD processaffinitymask;
Word csdversion;
Word reserved1;
DWORD editlist; // va
DWORD securitycookie; // va
DWORD sehandlertable; // va
DWORD sehandlercount;
} Image_load_config_directory32, * pimage_load_config_directory32;
Sehandlertable is a table that points to a seh processing function RVA. Sehandlercount is the length of the table. If this table exists, only the seh processing function in this table is a valid processing function. If the processing function in FS: [0] is sequentially searched and executed when an exception occurs, if the current function is deemed invalid, seh cannot continue execution and the program will be suspended. And the unhandledexceptionfilter cannot be executed. Unless the PE is being debugged, It is restored by the debugger.
Each PE has a separate table. For example, kernel32.dll and user32.dll have their own tables. When a PE is loaded, its base address, size, sehandlertable (Table address), and sehandlercount (length) are stored in a table. When an exception occurs, the system checks the base address and size of each PE of the current seh processing function, and obtains the corresponding table address and length. Because it is taken out at the time of loading, after loading, sehandlertable and sehandlercount are useless, and it is of course useless to modify it. However, modification to the table content is valid.
If the seh is in the dynamically applied memory and is not in any PE image, there is no limit on the Seh. Otherwise, if it is not in the corresponding table, the PE will be aborted. The seh processing functions such as try .. catch of Visual C ++ are automatically added to the table. However, if you use inline ASM to operate FS: [0] and add Seh, it is invalid. If an exception occurs, it will only cause the PE to stop.
Currently, basically all shell software deletes loadconfig, which has no effect on the PE. If you want to retain the data, you need to add the seh processing function in PE image to the table. Microsoft calls the processing function "Safe handler" in this table ",
Disable safe handler and add/safeseh: no to liker | CommandLine.
Try to dynamically modify the sehandlertable in the memory, and except_handler gets control smoothly.

7. Methods for breaking through the seh handler address of win2003/WINXP SP2
1) not in the stack, in heap.
For IE and other browsers, use JS and other heapspray to allocate a heap and overwrite seh handler with the heap address.

2) out of the range of loaded modules.
Jump address using the code page, such as 0x7ffa1571 (Win2000/XP/2003 CHS common address)

3) in the system DLL, it is the exception handling function registered by the DLL.
Using registered seh handler is not very useful.

8. OD safeseh plugin ollysseh
Use the analysis module to check which DLL is/safeseh off:
/Safeseh on can only select the registered seh handler address.
/Safeseh off you can select the address (POP/RET address) to skip.
No Seh (dllcharacteristics & 0xff00) = 0x0400, cannot skip.
: Http://www.openrce.org/downloads/details/244/OllySSEH