2010-05-14

SEH Checklist

Trying to collect here the requirements that windows (32-bit) enforces before calling back an SEH handler that you've manually written into the SEH chain. Please comment anything you know.

  • seh node must be on stack (thanks JPassing.com)
  • seh handler must be on non-stack (thanks JPassing.com)
  • seh handler nodes must appear in-order on the stack (imagine deeper functions' frames going up the stack, towards lower (less quantity) addresses) (thanks roxfan and Clandestiny post on woodmann)
  • seh handler must exist in safeseh list (if it exists, see IMAGE_LOAD_CONFIG_DIRECTORY.SEHandlerTable which is the IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG directory entry in IMAGE_OPTIONAL_HANDLER)
  • handler addresses in the safeseh list must be sorted ascending
  • IMAGE_OPTIONAL_HEADER.DllCharacteristics must not have flag set IMAGE_DLLCHARACTERISTICS_NO_SEH (this is set by default for Visual Studio when compiling with /SafeSEH:no and no other handlers present (yes even for exe's) ...caught by RtlCaptureImageExceptionValues() WARNING: LET ME RETRACT THIS, NOT ALWAYS)
May 28th, 2010 EDIT:
As Ivanlef0u commented, analysis of RtlIsValidHandler() itself trumps any type of listing we could possibly do. Check his links:
  • http://www.eeye.com/html/resources/newsletters/vice/VI20060830.html
  • http://sf-freedom.blogspot.com/2007/07/ms07-029-series-part-2-exploiting-dns.html

    2 comments:

    1. Yo,

      Other old infos about RtlIsValidHandler() :
      http://www.eeye.com/html/resources/newsletters/vice/VI20060830.html http://sf-freedom.blogspot.com/2007/07/ms07-029-series-part-2-exploiting-dns.html

      ReplyDelete
    2. wow, the writers of these links did some deep work... thanks Ivanlef0u!

      ReplyDelete

    thanks for commenting!