- seh node must be on stack (thanks JPassing.com)
- seh handler must be on non-stack (thanks JPassing.com)
- seh handler nodes must appear in-order on the stack (imagine deeper functions' frames going up the stack, towards lower (less quantity) addresses) (thanks roxfan and Clandestiny post on woodmann)
- seh handler must exist in safeseh list (if it exists, see IMAGE_LOAD_CONFIG_DIRECTORY.SEHandlerTable which is the IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG directory entry in IMAGE_OPTIONAL_HANDLER)
- handler addresses in the safeseh list must be sorted ascending
- IMAGE_OPTIONAL_HEADER.DllCharacteristics must not have flag set IMAGE_DLLCHARACTERISTICS_NO_SEH (this is set by default for Visual Studio when compiling with /SafeSEH:no and no other handlers present (yes even for exe's) ...caught by RtlCaptureImageExceptionValues() WARNING: LET ME RETRACT THIS, NOT ALWAYS)
As Ivanlef0u commented, analysis of RtlIsValidHandler() itself trumps any type of listing we could possibly do. Check his links:
- http://www.eeye.com/html/resources/newsletters/vice/VI20060830.html
- http://sf-freedom.blogspot.com/2007/07/ms07-029-series-part-2-exploiting-dns.html
Yo,
ReplyDeleteOther old infos about RtlIsValidHandler() :
http://www.eeye.com/html/resources/newsletters/vice/VI20060830.html http://sf-freedom.blogspot.com/2007/07/ms07-029-series-part-2-exploiting-dns.html
wow, the writers of these links did some deep work... thanks Ivanlef0u!
ReplyDelete