SEH based buffer overflow vulnerability exploitation
0 likes258 views
The document provides an overview of Structured Exception Handling (SEH) in Windows, detailing how exception handlers work within an application to manage errors. It explains the structure of exception records and the process of exception handling from the application's perspective, stressing the importance of using specific exception handlers over relying solely on the default Windows handler. The author acknowledges personal inspirations and expresses a commitment to ethical practices in developing exploits.
1 of 17
Download to read offline
![SEH DS
typedef struct _EXCEPTION_RECORD {
DWORD ExceptionCode;
DWORD ExceptionFlags;
struct _EXCEPTION_RECORD *ExceptionRecord;
PVOID ExceptionAddress;
DWORD NumberParameters;
ULONG_PTR ExceptionInformation[EXCEPTION_MAXIMUM_PARAMETERS];
} EXCEPTION_RECORD, *PEXCEPTION_RECORD;](https://image.slidesharecdn.com/sehexploits-170401125631/85/SEH-based-buffer-overflow-vulnerability-exploitation-7-320.jpg)
![FS:[0]
• At the top of main structure, TEB or TIB there’s a pointer to top of SEH chain
which points to the first EXCEPTION_REGISTRATION_RECORD which often calls
FS:[0] chain
MOV DWORD PTR FS:[0]
• This ensures that the exception handler is set up for the thread and will be
able to catch errors when they occur
• The opcode for this instruction is 64A100000000. If you cannot find this
opcode in TEB/TIB, the application/thread may not have exception handling
at all, but remember there’s always windows default exception handler](https://image.slidesharecdn.com/sehexploits-170401125631/85/SEH-based-buffer-overflow-vulnerability-exploitation-14-320.jpg)
Ad
Recommended
Dive into exploit development
Dive into exploit developmentPayampardaz The document provides an introduction to exploit development. It discusses preparing a virtual lab with tools like Immunity Debugger, Mona.py, pvefindaddr.py and Metasploit. It covers basic buffer overflow exploitation techniques like overwriting EIP and using RETURN oriented programming. The document demonstrates a basic stack-based buffer overflow exploit against the FreeFloat FTP server as a tutorial, covering steps like generating a cyclic pattern, finding the offset and using mona to find a JMP ESP instruction to redirect execution. It also discusses using msfpayload to generate Windows bind shellcode and msfencode to escape bad characters before testing the proof of concept exploit.
Basic buffer overflow part1
Basic buffer overflow part1Payampardaz The document provides a comprehensive guide on creating exploits, particularly focusing on buffer overflows. It details the process from identifying vulnerabilities in applications to crafting shellcode and controlling the application's flow, using a specific target application as an example. Ethical considerations are emphasized, including disclosing vulnerabilities responsibly before making them public.
Reversing malware analysis training part4 assembly programming basics
Reversing malware analysis training part4 assembly programming basicsCysinfo Cyber Security Community The document provides information about a reversing and malware analysis training program. It begins with a disclaimer stating that the views expressed are solely of the trainer and not the company. It then acknowledges those who supported the training program. It states that the presentation is part of a reversing and malware analysis training program currently only offered locally for free. It introduces the two trainers and provides their backgrounds and contact information. It outlines topics that will be covered including x86 assembly, instructions, stack operations, and calling conventions. It notes that a demonstration will be included.
Exploit techniques and mitigation
Exploit techniques and mitigationYaniv Shani This document discusses various exploit techniques such as stack overflow, heap overflow, and return oriented programming that leverage application vulnerabilities. It also covers mitigation techniques including stack protection, safeSEH, heap protection, data execution prevention, and address space layout randomization. The document recommends automated malware protection solutions that can protect against zero-day attacks as the most effective approach compared to anti-virus blacklists or sandboxing solutions.
Writing simple buffer_overflow_exploits
Writing simple buffer_overflow_exploitsD4rk357 a The document discusses writing buffer overflow exploits. It explains how buffer overflows occur when a program writes more data than the buffer allocated. By controlling the EIP (instruction pointer) register, an exploit can be executed. The document then demonstrates, step-by-step, how to create a buffer overflow exploit against a vulnerable Windows application, including determining the offset to overwrite EIP, finding shellcode to execute a bind shell, and testing the working exploit.
CNIT 127 Ch 4: Introduction to format string bugs
CNIT 127 Ch 4: Introduction to format string bugsSam Bowne This document discusses format string vulnerabilities. It explains that format strings can be used to read arbitrary memory locations on the stack, allowing information disclosure. It also describes how uncontrolled format strings can be exploited to write to arbitrary memory addresses, enabling denial of service attacks or potentially remote code execution. The key steps of a format string exploit are outlined: controlling a write operation, finding a target memory location like the return address or GOT, writing shellcode to memory, and changing the target location to point to the shellcode.
Tranning-2
Tranning-2Ali Hussain This document discusses software exploitation techniques such as buffer overflows. It aims to give readers a deep understanding of exploitation mechanics and teach skills like custom shellcode writing. Several examples are provided, including overwriting a program's return address to execute arbitrary code and using shellcode injected into a buffer. The document explains stack layout, how to craft shellcode that avoids null bytes and is position independent, and how to construct a payload that injects shellcode and controls program flow to achieve remote code execution.
OTP application (with gen server child) - simple example
OTP application (with gen server child) - simple exampleYangJerng Hwa The document provides an overview of a quick demo application in Erlang/OTP that uses a Gen_server example to demonstrate starting an OTP application with a supervision tree containing a Gen_server process. It details the files and code used in the demo application, walking through starting the application and calling a function on the Gen_server process that implements the Gen_server behavior.
Reverse engineering - Shellcodes techniques
Reverse engineering - Shellcodes techniquesEran Goldstein The document discusses various types of shellcodes used in reverse engineering, including local shellcodes, remote shellcodes like reverse shellcodes and bindshell shellcodes, and other less common types. It provides details on the different techniques shellcodes use, such as staged shellcodes that download additional code in stages. The document also introduces the msfpayload command used to generate shellcodes in Metasploit and provides examples of configuring options and outputting shellcode in various formats.
Buffer overflow attacks
Buffer overflow attacksJapneet Singh This document discusses buffer overflow attacks. It begins with an overview of the topics that will be covered, including vulnerabilities, exploits, and buffer overflows. It then provides definitions for key terms and describes different types of memory corruption vulnerabilities. The bulk of the document focuses on stack-based buffer overflows, explaining how they work by overwriting the return address on the stack to point to injected shellcode. It includes diagrams of stack layout and function prologue and epilogue. The document concludes with a demonstration of a buffer overflow and discusses some mitigations like stack cookies and ASLR.
Anatomy of a Buffer Overflow Attack
Anatomy of a Buffer Overflow AttackRob Gillen The presentation by Rob Gillen details the anatomy of a buffer overflow attack, focusing on its technical aspects and the responsibilities associated with knowledge in cybersecurity. It covers scenarios involving vulnerabilities, fuzzing, shellcode, and the exploitation process, emphasizing the importance of bounds checking and responsible testing. The session aims to educate attendees about real attack methods on systems they have explicit permission to test.
CNIT 127: 4: Format string bugs
CNIT 127: 4: Format string bugsSam Bowne The document discusses format string vulnerabilities in programming, explaining how format strings can lead to memory disclosure and exploitation, including potential remote code execution. It outlines various exploitation techniques and defenses, detailing how attackers manipulate function parameters to overwrite memory and control execution flow. The text also covers countermeasures, code analysis tools, and the significance of format string bugs across various output functions.
Concurrency in Elixir with OTP
Concurrency in Elixir with OTPJustin Reese The document discusses concurrency in Elixir using OTP (Open Telecom Platform). OTP provides libraries and design principles for writing concurrent applications in Erlang/Elixir. It includes components like supervisors, applications, agents, tasks and GenServers that help manage concurrency. Supervisors oversee worker processes in a supervision tree, restarting them based on configured restart strategies if they fail. State is managed by agents and GenServers. This allows applications to have many concurrent processes that are fault tolerant and can seamlessly spread across machines.
Task parallel library presentation
Task parallel library presentationahmed sayed The document provides an agenda for a presentation on the Task Parallel Library (TPL) and async/await in .NET. The presentation covers topics like threads and blocking vs non-blocking code, asynchronous programming models before async/await, the lifecycle of async operations, common misconceptions about async/await, differences between CPU-bound and I/O-bound work, exception handling, progress/cancellation, unit testing, combinators like WhenAll and WhenAny, and tips/tricks for async programming.
CNIT 126 13: Data Encoding
CNIT 126 13: Data EncodingSam Bowne Chapter 13 of the practical malware analysis discusses various data encoding techniques used by malware to obfuscate information and avoid detection. It covers simple ciphers, XOR encoding, base64 encoding, and strong cryptographic algorithms, detailing their implementation and implications for malware analysis. The chapter also explores methods for identifying and reversing these encoding schemes, using tools like IDA Pro and various plugins to analyze entropy and detect malicious patterns.
Seh based attack
Seh based attackMihir Shah The document explains Structured Exception Handling (SEH) in programming, detailing how exceptions are managed through a set of exception registration records and linked lists. It discusses how the operating system identifies and executes exception handlers, along with the mechanics of exploiting buffer overflows in SEH. Additionally, it mentions the introduction of protections like SafeSEH by Microsoft to prevent exploitation of SEH vulnerabilities.
Source Boston 2009 - Anti-Debugging A Developers Viewpoint
Source Boston 2009 - Anti-Debugging A Developers ViewpointTyler Shields The document discusses anti-debugging techniques, defining terms like debugging, anti-debugging, and dumping. It covers why anti-debugging is useful, references past work, and categorizes anti-debugging methods into classes like API based detection, process/thread blocking, hardware/register based detection, exception based detection, modified code based detection, and timing based detection. The goal is to make reversing applications more difficult by implementing multiple layers of defense.
Gift-VT Tools Development Overview
Gift-VT Tools Development Overviewstn_tkiller The document provides an overview of the GIFT-VT tools framework. It describes the different levels and types of tools, the classes and inheritance used to implement tools, modules and services, how tools are executed by the server by loading the shared library and calling functions, and examples of tool configuration files and Makefiles.
Elixir and OTP
Elixir and OTPPedro Medeiros The document provides an introduction to Elixir and OTP (Open Telecom Platform). It discusses key aspects of Elixir including its functional and meta-programming capabilities. It also covers OTP including processes as the concurrency model, and common behaviors like GenServer, Supervisor, and Application. GenServer is used for building servers, Supervisor supervises child processes, and Application initializes everything at the top level. Overall the document serves as a high-level overview of the Elixir language and OTP framework for building distributed, fault-tolerant applications.
Using OTP and gen_server Effectively
Using OTP and gen_server EffectivelyKen Pratt This document discusses using OTP (Open Telecom Platform) and the gen_server behavior in Erlang. It begins with an overview of OTP and behaviors, then describes gen_server for client-server interactions. It provides an example stopwatch app in vanilla Erlang and using gen_server. It also discusses other OTP components like supervisor trees, gen_fsm, gen_event and application packaging. Finally, it provides some tips on tools and books related to OTP.
Python Basics
Python Basicsprimeteacher32 Python is an interpreted, open source programming language that is simple, powerful, and preinstalled on many systems. It has less syntax than other languages and a plethora of penetration testing tools have already been created in Python. Python code is translated and executed by an interpreter one statement at a time, allowing it to be run from the command prompt, through command prompt files, or in an integrated development environment. The language uses whitespace and comments to make code more readable. It can perform basic operations like printing, taking user input, performing conditionals and loops, defining reusable functions, and importing additional modules.
Smash the Stack: Writing a Buffer Overflow Exploit (Win32)
Smash the Stack: Writing a Buffer Overflow Exploit (Win32)Elvin Gentiles This document provides an overview of buffer overflow exploits on Windows 32-bit systems. It discusses the lab environment that will be used, basic assembly concepts like registers and instructions, the Windows 32 memory layout, how the stack works, and the general steps for exploit development. These include causing a crash, identifying the offset, determining bad characters, locating space for shellcode, generating shellcode, and redirecting execution to the shellcode. The document concludes by listing some hands-on exercises that will be covered, and recommending additional learning materials on exploit writing.
Structured Exception Handler Exploitation
Structured Exception Handler ExploitationHigh-Tech Bridge SA (HTBridge) This document discusses structured exception handling (SEH) exploitation on Windows. It explains how SEH works, the data structures involved like the exception registration record and thread information block. It describes how abusing SEH by overwriting pointers allows gaining code execution. The document provides steps to create a proof of concept exploit against a vulnerable ActiveX control by overflowing a buffer, overwriting the SEH pointers and injecting shellcode.
Planet of the AOPs
Planet of the AOPsJames Ward This document discusses aspect-oriented programming (AOP) and how it can be implemented to modify bytecode and application behavior. It introduces Mixing Loom, an ActionScript library that allows patchers to modify SWF bytecode before and during loading to apply cross-cutting concerns. Sample patchers are provided to demonstrate accessing and modifying constant pools, tags, and classes. AOP is presented as an alternative to monkey patching that can be used to reveal private methods, fix bugs, and implement dependency injection.
Analytics tools and Instruments
Analytics tools and InstrumentsKrunal Soni The document discusses different tools for analyzing iOS code for bugs and performance issues. It describes the static analyzer as the first line of defense, which finds logic flaws and coding issues by analyzing code similar to a compiler. It then discusses using the Instruments tool on the simulator as the second line of defense for finding memory leaks and performance bottlenecks. Specific Instruments like Allocations, Leaks, and Time Profiler are described for analyzing different types of issues. Command line tools for configuring which static analyzer version is used are also overviewed.
Concurrency, Robustness & Elixir SoCraTes 2015
Concurrency, Robustness & Elixir SoCraTes 2015steffenbauer The document discusses concurrency in Elixir. It provides an overview of Erlang and how Elixir builds on Erlang by using the Erlang Virtual Machine but with a Ruby-inspired syntax for improved productivity. It then discusses how Elixir uses the actor model of concurrency where lightweight processes communicate asynchronously via message passing. Some key concurrency concepts in Elixir like tasks, agents, generic servers, supervision, events and finite state machines are also summarized.
CNIT 127: Ch 18: Source Code Auditing
CNIT 127: Ch 18: Source Code AuditingSam Bowne The document discusses the importance of source code auditing to discover vulnerabilities and outlines various tools and methodologies for effective auditing. It highlights common types of vulnerabilities, such as buffer overflows, format string vulnerabilities, and use-after-free errors, while providing examples and explanations for each type. Additionally, it emphasizes the necessity of understanding code structure and employing a selective approach to audit specific, vulnerable sections of the code efficiently.
Advanced malware analysis training session5 reversing automation
Advanced malware analysis training session5 reversing automationCysinfo Cyber Security Community This document provides information about an advanced malware analysis training program. It begins with disclaimers about the content being provided as-is without warranty. It then acknowledges those who supported the training program. The document introduces the trainer, Harsimran Walia, and their background and areas of expertise. It outlines that the training will discuss automation techniques using Python scripts and modules like PEfile for portable executable file analysis, PyDbg for debugging, and IDAPython for integrating Python scripts with IDA Pro.
CNIT 127: Ch 8: Windows overflows (Part 1)
CNIT 127: Ch 8: Windows overflows (Part 1)Sam Bowne This document discusses various aspects of exploit development, particularly focusing on Windows overflows and associated techniques. It covers topics such as the thread and process environment blocks, stack-based buffer overflows, and methods to defeat ASLR and set up exception handlers. Additionally, the document outlines defenses introduced in Windows Server 2008 against these exploits.
CNIT 127 Ch 8: Windows overflows (Part 1)
CNIT 127 Ch 8: Windows overflows (Part 1)Sam Bowne This document discusses Windows stack-based buffer overflow exploitation techniques and defenses. It covers the Thread Environment Block (TEB) and Process Environment Block (PEB), which store thread and process-level data. Stack-based overflows are explained, including overwriting return addresses and structured exception handlers (SEH). Methods to defeat Address Space Layout Randomization (ASLR) are provided. Windows Server 2003 introduced protections, while Windows Server 2008 added further defenses like SEHOP and SAFESEH.
More Related Content
What's hot (20)
Reverse engineering - Shellcodes techniques
Reverse engineering - Shellcodes techniquesEran Goldstein The document discusses various types of shellcodes used in reverse engineering, including local shellcodes, remote shellcodes like reverse shellcodes and bindshell shellcodes, and other less common types. It provides details on the different techniques shellcodes use, such as staged shellcodes that download additional code in stages. The document also introduces the msfpayload command used to generate shellcodes in Metasploit and provides examples of configuring options and outputting shellcode in various formats.
Buffer overflow attacks
Buffer overflow attacksJapneet Singh This document discusses buffer overflow attacks. It begins with an overview of the topics that will be covered, including vulnerabilities, exploits, and buffer overflows. It then provides definitions for key terms and describes different types of memory corruption vulnerabilities. The bulk of the document focuses on stack-based buffer overflows, explaining how they work by overwriting the return address on the stack to point to injected shellcode. It includes diagrams of stack layout and function prologue and epilogue. The document concludes with a demonstration of a buffer overflow and discusses some mitigations like stack cookies and ASLR.
Anatomy of a Buffer Overflow Attack
Anatomy of a Buffer Overflow AttackRob Gillen The presentation by Rob Gillen details the anatomy of a buffer overflow attack, focusing on its technical aspects and the responsibilities associated with knowledge in cybersecurity. It covers scenarios involving vulnerabilities, fuzzing, shellcode, and the exploitation process, emphasizing the importance of bounds checking and responsible testing. The session aims to educate attendees about real attack methods on systems they have explicit permission to test.
CNIT 127: 4: Format string bugs
CNIT 127: 4: Format string bugsSam Bowne The document discusses format string vulnerabilities in programming, explaining how format strings can lead to memory disclosure and exploitation, including potential remote code execution. It outlines various exploitation techniques and defenses, detailing how attackers manipulate function parameters to overwrite memory and control execution flow. The text also covers countermeasures, code analysis tools, and the significance of format string bugs across various output functions.
Concurrency in Elixir with OTP
Concurrency in Elixir with OTPJustin Reese The document discusses concurrency in Elixir using OTP (Open Telecom Platform). OTP provides libraries and design principles for writing concurrent applications in Erlang/Elixir. It includes components like supervisors, applications, agents, tasks and GenServers that help manage concurrency. Supervisors oversee worker processes in a supervision tree, restarting them based on configured restart strategies if they fail. State is managed by agents and GenServers. This allows applications to have many concurrent processes that are fault tolerant and can seamlessly spread across machines.
Task parallel library presentation
Task parallel library presentationahmed sayed The document provides an agenda for a presentation on the Task Parallel Library (TPL) and async/await in .NET. The presentation covers topics like threads and blocking vs non-blocking code, asynchronous programming models before async/await, the lifecycle of async operations, common misconceptions about async/await, differences between CPU-bound and I/O-bound work, exception handling, progress/cancellation, unit testing, combinators like WhenAll and WhenAny, and tips/tricks for async programming.
CNIT 126 13: Data Encoding
CNIT 126 13: Data EncodingSam Bowne Chapter 13 of the practical malware analysis discusses various data encoding techniques used by malware to obfuscate information and avoid detection. It covers simple ciphers, XOR encoding, base64 encoding, and strong cryptographic algorithms, detailing their implementation and implications for malware analysis. The chapter also explores methods for identifying and reversing these encoding schemes, using tools like IDA Pro and various plugins to analyze entropy and detect malicious patterns.
Seh based attack
Seh based attackMihir Shah The document explains Structured Exception Handling (SEH) in programming, detailing how exceptions are managed through a set of exception registration records and linked lists. It discusses how the operating system identifies and executes exception handlers, along with the mechanics of exploiting buffer overflows in SEH. Additionally, it mentions the introduction of protections like SafeSEH by Microsoft to prevent exploitation of SEH vulnerabilities.
Source Boston 2009 - Anti-Debugging A Developers Viewpoint
Source Boston 2009 - Anti-Debugging A Developers ViewpointTyler Shields The document discusses anti-debugging techniques, defining terms like debugging, anti-debugging, and dumping. It covers why anti-debugging is useful, references past work, and categorizes anti-debugging methods into classes like API based detection, process/thread blocking, hardware/register based detection, exception based detection, modified code based detection, and timing based detection. The goal is to make reversing applications more difficult by implementing multiple layers of defense.
Gift-VT Tools Development Overview
Gift-VT Tools Development Overviewstn_tkiller The document provides an overview of the GIFT-VT tools framework. It describes the different levels and types of tools, the classes and inheritance used to implement tools, modules and services, how tools are executed by the server by loading the shared library and calling functions, and examples of tool configuration files and Makefiles.
Elixir and OTP
Elixir and OTPPedro Medeiros The document provides an introduction to Elixir and OTP (Open Telecom Platform). It discusses key aspects of Elixir including its functional and meta-programming capabilities. It also covers OTP including processes as the concurrency model, and common behaviors like GenServer, Supervisor, and Application. GenServer is used for building servers, Supervisor supervises child processes, and Application initializes everything at the top level. Overall the document serves as a high-level overview of the Elixir language and OTP framework for building distributed, fault-tolerant applications.
Using OTP and gen_server Effectively
Using OTP and gen_server EffectivelyKen Pratt This document discusses using OTP (Open Telecom Platform) and the gen_server behavior in Erlang. It begins with an overview of OTP and behaviors, then describes gen_server for client-server interactions. It provides an example stopwatch app in vanilla Erlang and using gen_server. It also discusses other OTP components like supervisor trees, gen_fsm, gen_event and application packaging. Finally, it provides some tips on tools and books related to OTP.
Python Basics
Python Basicsprimeteacher32 Python is an interpreted, open source programming language that is simple, powerful, and preinstalled on many systems. It has less syntax than other languages and a plethora of penetration testing tools have already been created in Python. Python code is translated and executed by an interpreter one statement at a time, allowing it to be run from the command prompt, through command prompt files, or in an integrated development environment. The language uses whitespace and comments to make code more readable. It can perform basic operations like printing, taking user input, performing conditionals and loops, defining reusable functions, and importing additional modules.
Smash the Stack: Writing a Buffer Overflow Exploit (Win32)
Smash the Stack: Writing a Buffer Overflow Exploit (Win32)Elvin Gentiles This document provides an overview of buffer overflow exploits on Windows 32-bit systems. It discusses the lab environment that will be used, basic assembly concepts like registers and instructions, the Windows 32 memory layout, how the stack works, and the general steps for exploit development. These include causing a crash, identifying the offset, determining bad characters, locating space for shellcode, generating shellcode, and redirecting execution to the shellcode. The document concludes by listing some hands-on exercises that will be covered, and recommending additional learning materials on exploit writing.
Structured Exception Handler Exploitation
Structured Exception Handler ExploitationHigh-Tech Bridge SA (HTBridge) This document discusses structured exception handling (SEH) exploitation on Windows. It explains how SEH works, the data structures involved like the exception registration record and thread information block. It describes how abusing SEH by overwriting pointers allows gaining code execution. The document provides steps to create a proof of concept exploit against a vulnerable ActiveX control by overflowing a buffer, overwriting the SEH pointers and injecting shellcode.
Planet of the AOPs
Planet of the AOPsJames Ward This document discusses aspect-oriented programming (AOP) and how it can be implemented to modify bytecode and application behavior. It introduces Mixing Loom, an ActionScript library that allows patchers to modify SWF bytecode before and during loading to apply cross-cutting concerns. Sample patchers are provided to demonstrate accessing and modifying constant pools, tags, and classes. AOP is presented as an alternative to monkey patching that can be used to reveal private methods, fix bugs, and implement dependency injection.
Analytics tools and Instruments
Analytics tools and InstrumentsKrunal Soni The document discusses different tools for analyzing iOS code for bugs and performance issues. It describes the static analyzer as the first line of defense, which finds logic flaws and coding issues by analyzing code similar to a compiler. It then discusses using the Instruments tool on the simulator as the second line of defense for finding memory leaks and performance bottlenecks. Specific Instruments like Allocations, Leaks, and Time Profiler are described for analyzing different types of issues. Command line tools for configuring which static analyzer version is used are also overviewed.
Concurrency, Robustness & Elixir SoCraTes 2015
Concurrency, Robustness & Elixir SoCraTes 2015steffenbauer The document discusses concurrency in Elixir. It provides an overview of Erlang and how Elixir builds on Erlang by using the Erlang Virtual Machine but with a Ruby-inspired syntax for improved productivity. It then discusses how Elixir uses the actor model of concurrency where lightweight processes communicate asynchronously via message passing. Some key concurrency concepts in Elixir like tasks, agents, generic servers, supervision, events and finite state machines are also summarized.
CNIT 127: Ch 18: Source Code Auditing
CNIT 127: Ch 18: Source Code AuditingSam Bowne The document discusses the importance of source code auditing to discover vulnerabilities and outlines various tools and methodologies for effective auditing. It highlights common types of vulnerabilities, such as buffer overflows, format string vulnerabilities, and use-after-free errors, while providing examples and explanations for each type. Additionally, it emphasizes the necessity of understanding code structure and employing a selective approach to audit specific, vulnerable sections of the code efficiently.
Advanced malware analysis training session5 reversing automation
Advanced malware analysis training session5 reversing automationCysinfo Cyber Security Community This document provides information about an advanced malware analysis training program. It begins with disclaimers about the content being provided as-is without warranty. It then acknowledges those who supported the training program. The document introduces the trainer, Harsimran Walia, and their background and areas of expertise. It outlines that the training will discuss automation techniques using Python scripts and modules like PEfile for portable executable file analysis, PyDbg for debugging, and IDAPython for integrating Python scripts with IDA Pro.
Similar to SEH based buffer overflow vulnerability exploitation (20)
CNIT 127: Ch 8: Windows overflows (Part 1)
CNIT 127: Ch 8: Windows overflows (Part 1)Sam Bowne This document discusses various aspects of exploit development, particularly focusing on Windows overflows and associated techniques. It covers topics such as the thread and process environment blocks, stack-based buffer overflows, and methods to defeat ASLR and set up exception handlers. Additionally, the document outlines defenses introduced in Windows Server 2008 against these exploits.
CNIT 127 Ch 8: Windows overflows (Part 1)
CNIT 127 Ch 8: Windows overflows (Part 1)Sam Bowne This document discusses Windows stack-based buffer overflow exploitation techniques and defenses. It covers the Thread Environment Block (TEB) and Process Environment Block (PEB), which store thread and process-level data. Stack-based overflows are explained, including overwriting return addresses and structured exception handlers (SEH). Methods to defeat Address Space Layout Randomization (ASLR) are provided. Windows Server 2003 introduced protections, while Windows Server 2008 added further defenses like SEHOP and SAFESEH.
Post-mortem Debugging of Windows Applications
Post-mortem Debugging of Windows ApplicationsGlobalLogic Ukraine The document provides an overview of post-mortem debugging for Windows applications, outlining techniques for handling application errors and structured exception handling (SEH). It discusses the importance of utilizing Windows Error Reporting (WER) and custom error reporting to analyze application failures effectively. Additionally, the document reviews practical implementations for capturing error data and emphasizes the necessity of having the correct symbols and binaries for effective post-mortem analysis.
Abusing SEH For Fun
Abusing SEH For FunDigital Echidna This document discusses stack-based buffer overflows using structured exception handling (SEH). It begins by explaining what SEH is and how it works, describing the SEH structure and chain. It then covers protections like SafeSEH and how to abuse SEH by overwriting pointers to bypass these protections and redirect execution to shellcode. Specifically, it explains causing an exception to trigger the SEH handler, overwriting the next SEH pointer to point to jumpcode, and overwriting the SE handler to return to the jumpcode and then the shellcode.
Exploit Development: EzServer Buffer Overflow oleh Tom Gregory
Exploit Development: EzServer Buffer Overflow oleh Tom Gregoryzakiakhmad The document discusses exploit development using Python, focusing on concepts like stack/buffer overflow, structured exception handlers (SEH), and egghunters. It explains memory layout, how SEH works, and potential protections against SEH abuses, alongside providing skeleton code examples for creating exploits. The content is technical and intended for individuals familiar with programming and cybersecurity concepts.
Exploit Development with Python
Exploit Development with PythonThomas Gregory The document outlines various techniques for exploit development using Python, including stack buffer overflow, structured exception handling (SEH), and evasive shellcode techniques like egghunter. It details memory layout, how stack growth occurs, and protections against SEH exploitation, such as DEP and SafeSEH. Additionally, it provides skeleton code for different exploit scenarios demonstrating the exploitation process.
Seh based exploitation
Seh based exploitationRaghunath G This document discusses structured exception handling (SEH) and exploitation techniques. It provides background on SEH, how it is used to handle exceptions in Windows, and protections like SafeSEH. It then describes exploiting a vulnerability found through fuzzing the BigAnt Messenger Server application by overwriting SEH pointers and injecting shellcode. Exploitation steps include understanding the application, finding a crash through fuzzing, removing bad characters, and developing an exploit to gain control.
SEH overwrite and its exploitability
SEH overwrite and its exploitabilityFFRI, Inc. The document discusses SEH (structured exception handling) overwrites and techniques to bypass protections against them. It explains that SEH overwrites can be used to exploit Windows software by overwriting exception handlers. Common protections like SafeSEH, software DEP, hardware DEP, and SEHOP aim to prevent this. However, the document demonstrates that under certain conditions, it is possible to bypass all of these protections simultaneously. Specifically, if an attacker knows addresses needed to recreate the SEH chain and has a non-SafeSEH module containing suitable "add esp, ret" instructions, they can exploit a buffer overflow to execute arbitrary code despite all protections. The document provides a detailed example of this technique on Windows 7.
Low Level Exploits
Low Level Exploitshughpearse This document discusses various low-level exploits, beginning with creating shellcode by extracting opcodes from a compiled C program. It then covers stack-based buffer overflows, including return-to-stack exploits and return-to-libc. Next it discusses heap overflows using the unlink technique, integer overflows, and format string vulnerabilities. The document provides code examples and explanations of the techniques.
eh
ehMorten M. Christensen This document is a thesis on methods for handling exceptions in object-oriented programming languages. It discusses the requirements for exception handling models, designs, and implementations. It also covers requirements imposed by programming language features like objects, modules, and scopes. The thesis examines alternative designs for exception handling mechanisms, focusing on how they transfer control, cleanup objects, and identify exceptions. It then details the specific exception handling method used in the compiler for the MEHL programming language, including how it uses static tables, cleans up objects, and addresses local environments.
Unmasking the Dark Art of Vectored Exception Handling: Bypassing XDR and EDR ...
Unmasking the Dark Art of Vectored Exception Handling: Bypassing XDR and EDR ...Donato Onofri This document discusses using vectored exception handlers and hardware breakpoints to bypass security products like EDR tools. It describes how attackers can register vectored exception handlers to programmatically handle exceptions raised by hardware breakpoints. This allows attackers to intercept function calls and manipulate execution flow without directly patching memory. The document analyzes real malware samples that use these techniques, and explores ways security researchers can trace the use of hardware breakpoints through ETW logging of the NtSetContextThread system call.
exploiting heap overflows
exploiting heap overflowsprimelude The document discusses exploiting heap overflows on the Windows platform. It describes the Windows heap structure and design, how heap overflows corrupt the heap control information, and several techniques for exploiting heap overflows including repairing the heap, using the unhandled exception filter, vectored exception handling, overwriting pointers in the process environment block, and overwriting the thread environment block exception handler pointer.
Riding the Overflow - Then and Now
Riding the Overflow - Then and NowMiroslav Stampar This document discusses the history and techniques of buffer overflow exploits. It begins with an overview of stack-based and heap-based buffer overflows and vulnerable code. It then details the history of buffer overflow exploitation from 1961 to present day. The rest of the document explains techniques used to exploit buffer overflows such as DEP/NX, ASLR, stack canaries, NOP sleds, return-to-libc, egg hunting, heap spraying, and return-oriented programming. It also discusses defenses implemented by operating systems like SEHOP, SafeSEH, and safe functions.
Exception handling
Exception handlingAbhishek Pachisia Exceptions indicate problems during program execution and can be handled to allow programs to continue running or notify users. There are different levels where exceptions can occur including hardware, operating systems, languages, and within programs. Exception handling uses try, catch, and throw blocks. A try block encloses code that could throw an exception. If an exception occurs, control transfers to the matching catch block. The catch block handles the exception to resolve it. Exceptions not caught will terminate the program.
Exception handling in c programming
Exception handling in c programmingRaza Najam The document outlines an end semester presentation by Group C on the topic of algorithms and computing labs. It includes the contents of the presentation which cover errors and exception handling basics, examples of exception occurrence and handling methods, and three example programs of increasing difficulty. It lists the group members and how presentation tasks were divided among them. It also includes details on grading criteria and a question/answer session.
Heap overflows for humans – 101
Heap overflows for humans – 101Craft Symbol This document discusses exploiting heap overflows on Windows XP using vectored exception handling. It begins by explaining how the Windows heap works and how heap overflow vulnerabilities can be used to arbitrarily overwrite memory. It then presents a proof-of-concept C program that triggers a heap overflow and calls an exception handler. By overwriting pointers in the vectored exception handling data structures, execution can be redirected to shellcode placed in the heap buffer. The document provides step-by-step instructions for analyzing the vulnerability in a debugger, calculating offsets, and crafting an exploit to launch calc.exe via the heap overflow.
CyberLink LabelPrint 2.5 Exploitation Process
CyberLink LabelPrint 2.5 Exploitation ProcessThomas Gregory The document discusses a cybersecurity exploit found in Cyberlink LabelPrint 2.5, which is commonly bundled with various laptop brands. The exploit involves a stack overflow vulnerability that allows an attacker to overwrite the Structured Exception Handler (SEH) using Unicode-based payloads. It outlines the technical processes and code snippets necessary for exploiting the vulnerability for educational purposes in a cybersecurity context.
Exploring the x64
Exploring the x64FFRI, Inc. The document discusses exploring the x64 architecture, covering topics such as the x64 application binary interface, memory layout differences between x86 and x64, API hooking and code injection techniques for x64, and differences in system calls between x86 and x64. It provides an overview of key technical details and concepts for developers working with x64 platforms.
CNIT 127: 8: Windows overflows (Part 2)
CNIT 127: 8: Windows overflows (Part 2)Sam Bowne This document discusses exploit development for Windows, focusing on stack protection and heap-based buffer overflows. It describes the function of security cookies, techniques to predict them, and various methods to exploit heap overflows including vulnerability in COM objects. Furthermore, it mentions different strategies to overwrite important pointers and handle exceptions during exploitation.
CNIT 127: Ch 8: Windows overflows (Part 2)
CNIT 127: Ch 8: Windows overflows (Part 2)Sam Bowne Chapter 8 of CNIT 127 covers Windows overflow vulnerabilities, focusing on stack protections like security cookies, heap-based buffer overflows, and how to manipulate them. It explains various heap operations, potential exploitation techniques, including overwriting exception handler pointers, and discusses the use of COM objects on the heap. Additionally, it addresses other overflow vulnerabilities in the .data section and TEB/PEB, indicating a lack of public examples for such exploits.
Ad
Recently uploaded (20)
Raman Bhaumik - Passionate Tech Enthusiast
Raman Bhaumik - Passionate Tech EnthusiastRaman Bhaumik A Junior Software Developer with a flair for innovation, Raman Bhaumik excels in delivering scalable web solutions. With three years of experience and a solid foundation in Java, Python, JavaScript, and SQL, she has streamlined task tracking by 20% and improved application stability.
War_And_Cyber_3_Years_Of_Struggle_And_Lessons_For_Global_Security.pdf
War_And_Cyber_3_Years_Of_Struggle_And_Lessons_For_Global_Security.pdfbiswajitbanerjee38 Russia is one of the most aggressive nations when it comes to state coordinated cyberattacks — and Ukraine has been at the center of their crosshairs for 3 years. This report, provided the State Service of Special Communications and Information Protection of Ukraine contains an incredible amount of cybersecurity insights, showcasing the coordinated aggressive cyberwarfare campaigns of Russia against Ukraine.
It brings to the forefront that understanding your adversary, especially an aggressive nation state, is important for cyber defense. Knowing their motivations, capabilities, and tactics becomes an advantage when allocating resources for maximum impact.
Intelligence shows Russia is on a cyber rampage, leveraging FSB, SVR, and GRU resources to professionally target Ukraine’s critical infrastructures, military, and international diplomacy support efforts.
The number of total incidents against Ukraine, originating from Russia, has steadily increased from 1350 in 2021 to 4315 in 2024, but the number of actual critical incidents has been managed down from a high of 1048 in 2022 to a mere 59 in 2024 — showcasing how the rapid detection and response to cyberattacks has been impacted by Ukraine’s improved cyber resilience.
Even against a much larger adversary, Ukraine is showcasing outstanding cybersecurity, enabled by strong strategies and sound tactics. There are lessons to learn for any enterprise that could potentially be targeted by aggressive nation states.
Definitely worth the read!
ENERGY CONSUMPTION CALCULATION IN ENERGY-EFFICIENT AIR CONDITIONER.pdf
ENERGY CONSUMPTION CALCULATION IN ENERGY-EFFICIENT AIR CONDITIONER.pdfMuhammad Rizwan Akram DC Inverter Air Conditioners are revolutionizing the cooling industry by delivering affordable,
energy-efficient, and environmentally sustainable climate control solutions. Unlike conventional
fixed-speed air conditioners, DC inverter systems operate with variable-speed compressors that
modulate cooling output based on demand, significantly reducing energy consumption and
extending the lifespan of the appliance.
These systems are critical in reducing electricity usage, lowering greenhouse gas emissions, and
promoting eco-friendly technologies in residential and commercial sectors. With advancements in
compressor control, refrigerant efficiency, and smart energy management, DC inverter air conditioners
have become a benchmark in sustainable climate control solutions
No-Code Workflows for CAD & 3D Data: Scaling AI-Driven Infrastructure
No-Code Workflows for CAD & 3D Data: Scaling AI-Driven InfrastructureSafe Software When projects depend on fast, reliable spatial data, every minute counts.
AI Clearing needed a faster way to handle complex spatial data from drone surveys, CAD designs and 3D project models across construction sites. With FME Form, they built no-code workflows to clean, convert, integrate, and validate dozens of data formats – cutting analysis time from 5 hours to just 30 minutes.
Join us, our partner Globema, and customer AI Clearing to see how they:
-Automate processing of 2D, 3D, drone, spatial, and non-spatial data
-Analyze construction progress 10x faster and with fewer errors
-Handle diverse formats like DWG, KML, SHP, and PDF with ease
-Scale their workflows for international projects in solar, roads, and pipelines
If you work with complex data, join us to learn how to optimize your own processes and transform your results with FME.
OpenPOWER Foundation & Open-Source Core Innovations
OpenPOWER Foundation & Open-Source Core InnovationsIBM penPOWER offers a fully open, royalty-free CPU architecture for custom chip design.
It enables both lightweight FPGA cores (like Microwatt) and high-performance processors (like POWER10).
Developers have full access to source code, specs, and tools for end-to-end chip creation.
It supports AI, HPC, cloud, and embedded workloads with proven performance.
Backed by a global community, it fosters innovation, education, and collaboration.
OWASP Barcelona 2025 Threat Model Library
OWASP Barcelona 2025 Threat Model LibraryPetraVukmirovic Threat Model Library Launch at OWASP Barcelona 2025
https://owasp.org/www-project-threat-model-library/
FME for Distribution & Transmission Integrity Management Program (DIMP & TIMP)
FME for Distribution & Transmission Integrity Management Program (DIMP & TIMP)Safe Software Peoples Gas in Chicago, IL has changed to a new Distribution & Transmission Integrity Management Program (DIMP & TIMP) software provider in recent years. In order to successfully deploy the new software we have created a series of ETL processes using FME Form to transform our gas facility data to meet the required DIMP & TIMP data specifications. This presentation will provide an overview of how we used FME to transform data from ESRI’s Utility Network and several other internal and external sources to meet the strict data specifications for the DIMP and TIMP software solutions.
9-1-1 Addressing: End-to-End Automation Using FME
9-1-1 Addressing: End-to-End Automation Using FMESafe Software This session will cover a common use case for local and state/provincial governments who create and/or maintain their 9-1-1 addressing data, particularly address points and road centerlines. In this session, you'll learn how FME has helped Shelby County 9-1-1 (TN) automate the 9-1-1 addressing process; including automatically assigning attributes from disparate sources, on-the-fly QAQC of said data, and reporting. The FME logic that this presentation will cover includes: Table joins using attributes and geometry, Looping in custom transformers, Working with lists and Change detection.
OpenACC and Open Hackathons Monthly Highlights June 2025
OpenACC and Open Hackathons Monthly Highlights June 2025OpenACC The OpenACC organization focuses on enhancing parallel computing skills and advancing interoperability in scientific applications through hackathons and training. The upcoming 2025 Open Accelerated Computing Summit (OACS) aims to explore the convergence of AI and HPC in scientific computing and foster knowledge sharing. This year's OACS welcomes talk submissions from a variety of topics, from Using Standard Language Parallelism to Computer Vision Applications. The document also highlights several open hackathons, a call to apply for NVIDIA Academic Grant Program and resources for optimizing scientific applications using OpenACC directives.
MuleSoft for AgentForce : Topic Center and API Catalog
MuleSoft for AgentForce : Topic Center and API Catalogshyamraj55 This presentation dives into how MuleSoft empowers AgentForce with organized API discovery and streamlined integration using Topic Center and the API Catalog. Learn how these tools help structure APIs around business needs, improve reusability, and simplify collaboration across teams. Ideal for developers, architects, and business stakeholders looking to build a connected and scalable API ecosystem within AgentForce.
You are not excused! How to avoid security blind spots on the way to production
You are not excused! How to avoid security blind spots on the way to productionMichele Leroux Bustamante We live in an ever evolving landscape for cyber threats creating security risk for your production systems. Mitigating these risks requires participation throughout all stages from development through production delivery - and by every role including architects, developers QA and DevOps engineers, product owners and leadership. No one is excused! This session will cover examples of common mistakes or missed opportunities that can lead to vulnerabilities in production - and ways to do better throughout the development lifecycle.
“From Enterprise to Makers: Driving Vision AI Innovation at the Extreme Edge,...
“From Enterprise to Makers: Driving Vision AI Innovation at the Extreme Edge,...Edge AI and Vision Alliance For the full video of this presentation, please visit: https://www.edge-ai-vision.com/2025/06/from-enterprise-to-makers-driving-vision-ai-innovation-at-the-extreme-edge-a-presentation-from-sony-semiconductor-solutions/
Amir Servi, Edge Deep Learning Product Manager at Sony Semiconductor Solutions, presents the “From Enterprise to Makers: Driving Vision AI Innovation at the Extreme Edge” tutorial at the May 2025 Embedded Vision Summit.
Sony’s unique integrated sensor-processor technology is enabling ultra-efficient intelligence directly at the image source, transforming vision AI for enterprises and developers alike. In this presentation, Servi showcases how the AITRIOS platform simplifies vision AI for enterprises with tools for large-scale deployments and model management.
Servi also highlights his company’s collaboration with Ultralytics and Raspberry Pi, which brings YOLO models to the developer community, empowering grassroots innovation. Whether you’re scaling vision AI for industry or experimenting with cutting-edge tools, this presentation will demonstrate how Sony is accelerating high-performance, energy-efficient vision AI for all.
FIDO Seminar: Evolving Landscape of Post-Quantum Cryptography.pptx
FIDO Seminar: Evolving Landscape of Post-Quantum Cryptography.pptxFIDO Alliance FIDO Seminar: Evolving Landscape of Post-Quantum Cryptography
FIDO Seminar: Perspectives on Passkeys & Consumer Adoption.pptx
FIDO Seminar: Perspectives on Passkeys & Consumer Adoption.pptxFIDO Alliance FIDO Seminar: Perspectives on Passkeys & Consumer Adoption
The Future of Data, AI, and AR: Innovation Inspired by You.pdf
The Future of Data, AI, and AR: Innovation Inspired by You.pdfSafe Software The future of FME is inspired by you. We can't wait to show you what's ahead for FME and Safe Software.
Enabling BIM / GIS integrations with Other Systems with FME
Enabling BIM / GIS integrations with Other Systems with FMESafe Software Jacobs has successfully utilized FME to tackle the complexities of integrating diverse data sources in a confidential $1 billion campus improvement project. The project aimed to create a comprehensive digital twin by merging Building Information Modeling (BIM) data, Construction Operations Building Information Exchange (COBie) data, and various other data sources into a unified Geographic Information System (GIS) platform. The challenge lay in the disparate nature of these data sources, which were siloed and incompatible with each other, hindering efficient data management and decision-making processes.
To address this, Jacobs leveraged FME to automate the extraction, transformation, and loading (ETL) of data between ArcGIS Indoors and IBM Maximo. This process ensured accurate transfer of maintainable asset and work order data, creating a comprehensive 2D and 3D representation of the campus for Facility Management. FME's server capabilities enabled real-time updates and synchronization between ArcGIS Indoors and Maximo, facilitating automatic updates of asset information and work orders. Additionally, Survey123 forms allowed field personnel to capture and submit data directly from their mobile devices, triggering FME workflows via webhooks for real-time data updates. This seamless integration has significantly enhanced data management, improved decision-making processes, and ensured data consistency across the project lifecycle.
Tech-ASan: Two-stage check for Address Sanitizer - Yixuan Cao.pdf
Tech-ASan: Two-stage check for Address Sanitizer - Yixuan Cao.pdfcaoyixuan2019 A presentation at Internetware 2025.
“Key Requirements to Successfully Implement Generative AI in Edge Devices—Opt...
“Key Requirements to Successfully Implement Generative AI in Edge Devices—Opt...Edge AI and Vision Alliance For the full video of this presentation, please visit: https://www.edge-ai-vision.com/2025/06/key-requirements-to-successfully-implement-generative-ai-in-edge-devices-optimized-mapping-to-the-enhanced-npx6-neural-processing-unit-ip-a-presentation-from-synopsys/
Gordon Cooper, Principal Product Manager at Synopsys, presents the “Key Requirements to Successfully Implement Generative AI in Edge Devices—Optimized Mapping to the Enhanced NPX6 Neural Processing Unit IP” tutorial at the May 2025 Embedded Vision Summit.
In this talk, Cooper discusses emerging trends in generative AI for edge devices and the key role of transformer-based neural networks. He reviews the distinct attributes of transformers, their advantages over conventional convolutional neural networks and how they enable generative AI.
Cooper then covers key requirements that must be met for neural processing units (NPU) to support transformers and generative AI in edge device applications. He uses transformer-based generative AI examples to illustrate the efficient mapping of these workloads onto the enhanced Synopsys ARC NPX NPU IP family.
You are not excused! How to avoid security blind spots on the way to production
You are not excused! How to avoid security blind spots on the way to productionMichele Leroux Bustamante
“From Enterprise to Makers: Driving Vision AI Innovation at the Extreme Edge,...
“From Enterprise to Makers: Driving Vision AI Innovation at the Extreme Edge,...Edge AI and Vision Alliance
“Key Requirements to Successfully Implement Generative AI in Edge Devices—Opt...
“Key Requirements to Successfully Implement Generative AI in Edge Devices—Opt...Edge AI and Vision Alliance
Ad
SEH based buffer overflow vulnerability exploitation
- 1. SEH BASED BUFFER OVERFLOWS Mohsen Ahmadi My motto is : "Give a man an exploit and you make him a hacker for a day ; teach a man to exploit bugs and you make him a hacker for a lifetime."
- 2. DISCLAIMER If you’re someone that wants to build exploits to partake in illegal or immoral activity, please go elsewhere
- 3. ACKNOWLEDGMENTS • Nothing worthwhile in my life could be achieved without two very important people. A huge thank you to my beautiful fiancée, CMCM, for her inexhaustible support and immeasurable inspiration And also • My Mama, Without her continually showing that every life challenge is best confronted with a grin firmly planted from ear to ear, all obstacles would be so much greater.
- 4. WHAT IS EXCEPTION HANDLER? (CONT) • An exception handler is a piece of code that is written inside an application, with the purpose of dealing with the fact that the application throws an exception Try{ //if exception occurs go to exception handler } Catch{ //run some code when exception occurs }
- 5. EXCEPTION HANDLER __try { // guarded body ... } __except (exception filter) { // exception handler ... }
- 6. SEH DS(CONT) typedef struct _EXCEPTION_REGISTRATION_RECORD { struct _EXCEPTION_REGISTRATION_RECORD *Next; PEXCEPTION_ROUTINE Handler; } EXCEPTION_REGISTRATION_RECORD, *PEXCEPTION_REGISTRATION_RECORD; EXCEPTION_DISPOSITION __cdecl _except_handler( struct _EXCEPTION_RECORD *ExceptionRecord, oid EstablisherFrame, struct _CONTEXT *ContextRecord, void * DispatcherContext );
- 7. SEH DS typedef struct _EXCEPTION_RECORD { DWORD ExceptionCode; DWORD ExceptionFlags; struct _EXCEPTION_RECORD *ExceptionRecord; PVOID ExceptionAddress; DWORD NumberParameters; ULONG_PTR ExceptionInformation[EXCEPTION_MAXIMUM_PARAMETERS]; } EXCEPTION_RECORD, *PEXCEPTION_RECORD;
- 8. DEPTH ANALYSIS • When an exception occurs, the OS starts at the top of the chain and checks the first _EXCEPTION_REGISTRATION_RECORD Handler function to see if it can handle the given error (based on the information passed in the ExceptionRecord and ContextRecord parameters) • If return value _except_handler equals ExceptionContinueSearch then it will move to the next _EXCEPTION_REGISTRATION_RECORD using the address pointed to by *Next • If return value _except_handler equals ExceptionContinueExecution then it will handle the exception successfully
- 9. DEFAULT EXCEPTION HANDLER WINDOWS • Windows places a default/generic exception handler at the end of the chain to help ensure the exception will be handled in some manner (represented by FFFFFFFF) at which point you’ll likely see the “…has encountered a problem and needs to close” message.
- 11. STACK VIEW OF SEH • “Address of exception handler” is just one part of a SEH record • If Windows catches an exception, you’ll see a “xxx has encountered a problem and needs to close” popup • To write stable software, one should try to use development language specific exception handlers, and only rely on the windows default SEH as a last resort • UnhandledExceptionFilter ~ Send Error Report to MS
- 12. FRAME BASED SHE(CONT) • Each function/procedure gets a stack frame • If an exception handler is implement in this function/procedure, the exception handler gets its own stack frame • Information about the frame-based exception handler is stored in an exception_registration structure on the stack • SEH record is 8 bytes and has 2 (4 byte) elements • Next SEH record • SE Handler • See SEH components…
- 13. SEH COMPONENTS
- 14. FS:[0] • At the top of main structure, TEB or TIB there’s a pointer to top of SEH chain which points to the first EXCEPTION_REGISTRATION_RECORD which often calls FS:[0] chain MOV DWORD PTR FS:[0] • This ensures that the exception handler is set up for the thread and will be able to catch errors when they occur • The opcode for this instruction is 64A100000000. If you cannot find this opcode in TEB/TIB, the application/thread may not have exception handling at all, but remember there’s always windows default exception handler
- 15. SEE EXCEPTION REGISTRATION BLOCK • I wanna use OllyGraph plugin for OllyDBG to create a Function Flowchart • See an example in windbg
- 16. ANY QUESTION?!
- 17. THANK YOU