Earlier we covered the two ways of handling SEH; now let's look at its practical applications. The most basic use of SEH is, of course, to guarantee the robustness of the application. In practice, though, an application that has hit an exception is hard to repair. We can analyze the fault from the exception code and the limited exception information, but there is no guarantee that the program will keep working properly after the repair. The earlier routines repaired their exceptions neatly, but those exceptions were set up artificially, which is generally not the case in real applications. All we can really do is clean up afterwards: release the system resources the program allocated and end the application or, to be friendlier, write the exception information to a log file and then restart the program. The latest version of IE even asks to send an error report. M$ really is learning: an exception may well be a vulnerability. If a program does no exception handling of its own and leaves it to the system to pop up the error message box, then when the user clicks "Cancel" to start the debugger, a new attack point may be discovered there, which is much more effective than looking for a hole in IE!

The next application I want to describe is related to encryption and anti-tracing: using the callback nature of SEH, we disrupt the execution order so that tracing cannot proceed smoothly. This calls for a somewhat unusual exception. My approach is to set a marker during normal execution that serves as a function request, then trigger a single-step exception; the exception handler then carries out the function that was requested. If the code is traced with a debugger, execution never reaches the function code, because the debugger takes over the handling of single-step exceptions and the program's own exception handling routine is never executed. A better practice is to encrypt all of the function code in advance and decrypt and execute it only inside the exception handler, so that static disassembly gets nowhere either. Enough talk; please see the example.
;*******************************************************************
; Structured exception handling: single-step application routine.
; This example uses the CONTEXT parameter, so pay attention to it.
; Note also that changing the value of a CONTEXT field inside the
; exception handler changes the value of that register in the thread
; that raised the exception.
;*******************************************************************
.386
.Model Flat

Include ../include/perelation.inc

Extrn MessageBoxA: Proc
Extrn ExitProcess: Proc

.Data
szTitle     db "Title", 0
szMessage1  db "No good fortune falls, it seems to have gone.", 0
szMessage2  db "helpless, the wind is in the wind. Since people hate water Dongdong.", 0
szMessage3  db "Falling flowers independent, slightly rainy swallow. At the time, Mingyue was in Mingyue, Zeng Yun returned.", 0

.Code
_Header:
    Assume fs:Nothing
    push  ebp
    ; install the exception handler
    push  offset _ExceptionFilter
    push  dword ptr fs:[0]
    mov   fs:[0], esp
    ; arm single-stepping: set the TF bit (0100h) in EFLAGS
    pushfd
    or    dword ptr [esp], 0100h
    popfd
    ; the next instruction triggers a single-step exception;
    ; the value of EAX requests the function to execute
    ; EAX = 0, execute function 1
    xor   eax, eax
    ; EAX = 1, execute function 2
    inc   eax
    ; EAX = 2, execute function 3
    inc   eax
    ; remove the SEH node and restore the stack
    pop   dword ptr fs:[0]
    add   esp, 4
    pop   ebp
    push  0
    call  ExitProcess

; exception handler
_ExceptionFilter Proc
    mov   eax, esp
    pushad
    ; parameter: EXCEPTION_RECORD
    mov   esi, [eax+4]
    ; parameter: CONTEXT
    mov   edi, [eax+12]
    ; examine the exception code
    mov   eax, [esi].ExceptionCode
    ; is it a single-step exception?
    cmp   eax, 080000004h
    je    _IsSingleStep
    ; any other exception: return 1 and leave it to the system
    popad
    xor   eax, eax
    inc   eax
    ret
    ; single-step exception handling
_IsSingleStep:
    ; fetch the value of the EAX register from the CONTEXT
    mov   eax, [edi].C_Eax
    ; = 0, execute function 1
    test  eax, eax
    je    _Function_I
    ; = 1, execute function 2
    dec   eax
    jz    _Function_II
    ; = 2, execute function 3
    dec   eax
    jz    _Function_III
    ; anything else: exit
    jmp   _Filter_Exit
_Function_I:
    ; display szMessage1
    push  MB_OK
    push  offset szTitle
    push  offset szMessage1
    push  NULL
    call  MessageBoxA
    ; set TF to 1 so the single-step exception keeps triggering
    or    [edi].C_EFlags, 0100h
    jmp   _Filter_Exit
_Function_II:
    ; display szMessage2
    push  MB_OK
    push  offset szTitle
    push  offset szMessage2
    push  NULL
    call  MessageBoxA
    ; set TF to 1 so the single-step exception keeps triggering
    or    [edi].C_EFlags, 0100h
    jmp   _Filter_Exit
_Function_III:
    ; display szMessage3
    push  MB_OK
    push  offset szTitle
    push  offset szMessage3
    push  NULL
    call  MessageBoxA
    ; finished: do not trigger another single-step exception
_Filter_Exit:
    ; return 0 so execution continues with the (possibly modified) CONTEXT
    popad
    xor   eax, eax
    ret
_ExceptionFilter Endp
End _Header
Compile the above code into an EXE file and try it: it pops up the three message boxes, but if you open it with the debugger
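
For an analyst triaging a binary that uses this trick, the place where the trap flag is set can be located statically before any tracing is attempted. The following Python scanner is an added example, not part of the original article; the function names, the 32-byte window and the sample bytes are assumptions constructed for illustration, and it recognises only three common encodings of the pushfd / or / popfd sequence.

```python
# Added example (not from the original article): locate the trap-flag idiom
# "pushfd / or <saved EFLAGS>, 100h / popfd" in raw 32-bit x86 code bytes.

# Three common encodings of the OR that sets TF (bit 8) in the flags image
# on the stack, each wrapped in pushfd (9C) ... popfd (9D).
TF_SEQUENCES = {
    "or dword ptr [esp], 100h": bytes.fromhex("9c810c24000100009d"),
    "or word ptr [esp], 100h": bytes.fromhex("9c66810c2400019d"),
    "or byte ptr [esp+1], 1": bytes.fromhex("9c804c2401019d"),
}
# mov fs:[0], esp -- the instruction that completes an SEH frame install.
SEH_INSTALL = bytes.fromhex("64892500000000")


def find_all(data, needle):
    """Yield every offset at which needle occurs in data."""
    pos = data.find(needle)
    while pos != -1:
        yield pos
        pos = data.find(needle, pos + 1)


def find_tf_traps(code, window=32):
    """Return sorted (offset, variant, seh_nearby) tuples for each TF-set site.

    seh_nearby is True when an SEH frame install ends at most `window`
    bytes before the pushfd, the arrangement the listing above uses.
    """
    seh_ends = [p + len(SEH_INSTALL) for p in find_all(code, SEH_INSTALL)]
    hits = []
    for variant, seq in TF_SEQUENCES.items():
        for off in find_all(code, seq):
            nearby = any(0 <= off - end <= window for end in seh_ends)
            hits.append((off, variant, nearby))
    return sorted(hits)


# Constructed sample mirroring the prologue of the listing above; the
# handler address 00401000h is a placeholder.
SAMPLE = bytes.fromhex(
    "55" "6800104000"        # push ebp ; push offset handler
    "64ff3500000000"         # push dword ptr fs:[0]
    "64892500000000"         # mov fs:[0], esp
    "9c810c24000100009d"     # pushfd ; or dword ptr [esp], 100h ; popfd
    "33c04040"               # xor eax, eax ; inc eax ; inc eax
    "9c9d"                   # plain flag save/restore: must not be reported
)

if __name__ == "__main__":
    for off, variant, nearby in find_tf_traps(SAMPLE):
        print(f"{off:#06x}  {variant}  SEH frame nearby: {nearby}")
```

A hit with an SEH frame nearby marks code whose real work runs inside the exception handler, so the handler is the place to examine.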