SEH (3)
Tomorrow I am going to the suburbs for a spring outing, and I am very excited.
In the last post the callback function's parameter list appeared without any explanation. Let me explain it now:
_Handler proc _lpExceptionRecord, _lpSEH, _lpContext, _lpDispatcherContext
_lpExceptionRecord points to an EXCEPTION_RECORD structure.
_lpContext points to a CONTEXT structure, which holds the values of all registers at the moment the exception occurred. The field used most often is regEip, which tells you where the exception happened; if you want to change the value of a register before execution resumes, modify the corresponding field here.
_lpSEH points to the EXCEPTION_REGISTRATION structure that was used when the callback was registered. If the exception handler is encapsulated inside a subroutine, this parameter is essential; otherwise it can be ignored.
Now a word about unwinding.
What is unwinding?
Suppose an exception occurs, there are several callbacks on the SEH chain, and none of them handles it. The system then calls each callback once more, this time with EXCEPTION_UNWIND set in the EXCEPTION_RECORD it receives.
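To make the two passes concrete, here is an added example (my own portable C model, not code from this post or from Windows): a chain of frames whose handlers take the four parameters listed above. In one scenario the innermost frame patches regEip in the CONTEXT and resumes; in the other, an outer frame takes the exception and the frames nested inside it are called again with EXCEPTION_UNWIND set and popped from the chain. The names ending in _sim, the bookkeeping fields in the frame structure and the ExceptionTakenSim value are assumptions of the model; the real dispatcher and RtlUnwind live in ntdll.

```c
/* Added example, not code from the original post: a portable C model of the
 * two-pass SEH mechanism (dispatch, then unwind).  The handler signature follows
 * the _Handler proc line.  Names suffixed _sim, the extra fields in seh_frame and
 * the ExceptionTakenSim value are this model's own inventions. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define EXCEPTION_UNWIND   0x2u          /* ExceptionFlags bit set during the unwind pass */
#define STATUS_BREAKPOINT  0x80000003u   /* exception code raised by INT 3 */

enum disposition_sim {
    ExceptionContinueExecution = 0,   /* real value: resume at the (possibly patched) CONTEXT */
    ExceptionContinueSearch    = 1,   /* real value: offer it to the next (outer) frame */
    ExceptionTakenSim          = 100  /* model only: frame takes control, like an __except block */
};

struct exception_record { uint32_t code; uint32_t flags; };  /* subset of EXCEPTION_RECORD */
struct context_sim      { uint32_t eip; };                   /* subset of CONTEXT (regEip) */
struct seh_frame;
typedef enum disposition_sim (*seh_handler)(struct exception_record *lpExceptionRecord,
                                            struct seh_frame *lpSEH,
                                            struct context_sim *lpContext,
                                            void *lpDispatcherContext);
/* _EXCEPTION_REGISTRATION is only {prev, handler}; unwound/id are bookkeeping for the model */
struct seh_frame { struct seh_frame *prev; seh_handler handler; int unwound; int id; };

static struct seh_frame *g_head;   /* plays the role of FS:[0] (TEB.ExceptionList) */

/* Second pass (models RtlUnwind): call every frame from the head of the chain up to,
 * but not including, `target` with EXCEPTION_UNWIND set, popping each as it goes. */
static int unwind_sim(struct seh_frame *target, struct exception_record *rec,
                      struct context_sim *ctx) {
    int n = 0;
    rec->flags |= EXCEPTION_UNWIND;
    while (g_head && g_head != target) {
        struct seh_frame *f = g_head;
        f->handler(rec, f, ctx, NULL);   /* return value is ignored while unwinding */
        g_head = f->prev;
        n++;
    }
    rec->flags &= ~EXCEPTION_UNWIND;
    return n;
}

/* A frame that only notes whether it was unwound and never handles anything. */
static enum disposition_sim passive_handler(struct exception_record *rec, struct seh_frame *me,
                                            struct context_sim *ctx, void *disp) {
    (void)ctx; (void)disp;
    if (rec->flags & EXCEPTION_UNWIND) me->unwound = 1;
    return ExceptionContinueSearch;
}

/* A frame that patches regEip in the CONTEXT (skipping the 1-byte INT 3) and resumes. */
static enum disposition_sim fixing_handler(struct exception_record *rec, struct seh_frame *me,
                                           struct context_sim *ctx, void *disp) {
    (void)disp;
    if (rec->flags & EXCEPTION_UNWIND) { me->unwound = 1; return ExceptionContinueSearch; }
    if (rec->code != STATUS_BREAKPOINT) return ExceptionContinueSearch;
    ctx->eip += 1;                       /* execution resumes just after the INT 3 */
    return ExceptionContinueExecution;
}

/* A frame that takes the exception the way a compiler-generated __except block does:
 * it unwinds the frames nested inside it, then control would jump into its own body. */
static enum disposition_sim taking_handler(struct exception_record *rec, struct seh_frame *me,
                                           struct context_sim *ctx, void *disp) {
    (void)disp;
    if (rec->flags & EXCEPTION_UNWIND) { me->unwound = 1; return ExceptionContinueSearch; }
    unwind_sim(me, rec, ctx);
    return ExceptionTakenSim;
}

/* First pass: walk the chain from FS:[0] outward and offer the exception to each frame.
 * Returns the id of the frame that dealt with it, or -1 if none did. */
static int dispatch_sim(struct exception_record *rec, struct context_sim *ctx) {
    for (struct seh_frame *f = g_head; f; f = f->prev) {
        enum disposition_sim d = f->handler(rec, f, ctx, NULL);
        if (d != ExceptionContinueSearch) return f->id;
    }
    return -1;   /* nothing on the chain handled it; the system's default handler runs */
}

struct result_sim { int handled_by; int frames_unwound; int frames_left; uint32_t eip; };

/* Three nested frames; frame 3 is the newest (head of the chain).  Frame 1 is always a
 * "taking" frame; frame 3 either fixes EIP and resumes, or is passive. */
static struct result_sim run_scenario_sim(int inner_frame_fixes_eip) {
    struct seh_frame f1 = { NULL, taking_handler,  0, 1 };
    struct seh_frame f2 = { &f1,  passive_handler, 0, 2 };
    struct seh_frame f3 = { &f2,  inner_frame_fixes_eip ? fixing_handler : passive_handler, 0, 3 };
    struct exception_record rec = { STATUS_BREAKPOINT, 0 };
    struct context_sim ctx = { 0x00401000u };   /* constructed address of the INT 3 */
    struct result_sim r = { 0, 0, 0, 0 };
    g_head = &f3;
    r.handled_by = dispatch_sim(&rec, &ctx);
    r.frames_unwound = f1.unwound + f2.unwound + f3.unwound;
    for (struct seh_frame *f = g_head; f; f = f->prev) r.frames_left++;
    r.eip = ctx.eip;
    return r;
}

int main(void) {
    struct result_sim a = run_scenario_sim(1), b = run_scenario_sim(0);
    printf("fix-and-resume:  handled by frame %d, %d unwound, eip=%#x\n",
           a.handled_by, a.frames_unwound, a.eip);
    printf("take-and-unwind: handled by frame %d, %d unwound, %d frames left\n",
           b.handled_by, b.frames_unwound, b.frames_left);
    return 0;
}
```

The first scenario is the _lpContext use from above: the handler edits regEip and returns ExceptionContinueExecution, so no frame is unwound. The second is the unwind case: the two inner frames see their handler called a second time with EXCEPTION_UNWIND set, and only the frame that took the exception remains on the chain.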
OK, now the practical question: what can SEH actually do? This is really the first thing to ask, because nobody can learn everything and you have to choose; so it should be the first question we look at in this article.
Besides making our programs more robust, SEH can be used for some tricks, such as entering Ring0, anti-tracing and finding the address of kernel32; that is why I learned SEH. I only picked it up a few days ago, and there are still many places I did not understand while learning, so I hope to discuss them with you.
Now let's warm up:
CIH points the handler at code inside its own body. The following code sits at its entry point:
MyVirusStart:
        ; RING3 code entry point
        push    ebp
        ; *************************************
        ; * Let's Modify Structured Exception *
        ; * Handing, Prevent Exception Error  *
        ; * Occurrence, Especially in NT.     *
        ; *************************************
        lea     eax, [esp-04h*2]
This reserves 8 bytes on the stack for an _EXCEPTION_REGISTRATION structure, i.e. stack-based data equivalent to a local variable (a C compiler does this for you). EAX now points at the _EXCEPTION_REGISTRATION, but the structure has not been initialised yet; for the details of the mechanism, see a compiler textbook and Matt Pietrek's articles.
        xor     ebx, ebx
        xchg    eax, fs:[ebx]       ; FS:[0] -> EAX
After the exchange EAX holds the address of the original exception handler record (the old head of the list), and fs:[0] already points at the new record. fs:[0] is ExceptionList in the TEB (FS points to the TEB and ExceptionList is at offset 0, hence fs:[0]).
        call    @0
@0:
        pop     ebx
These three lines compute the code's own address: EBX is now the address of @0. If this is unclear, see a tutorial on how viruses locate their own position.
        lea     ecx, StopToRunVirusCode-@0[ebx]
        ; point ECX at the handler inside its own code
        push    ecx
        ; the handler field of the _EXCEPTION_REGISTRATION structure
When an exception occurs the operating system calls this address automatically, and at that moment it is CIH code that runs.
        push    eax
        ; EAX is the original exception handler
This fills the prev field of the _EXCEPTION_REGISTRATION structure.
        ...
Later CIH executes INT 3, which makes the system raise an exception, and control still enters its own code.
        int     3
INT 3 is the breakpoint instruction familiar from cracking, heh; I have used it a few times.
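From the defender's side, the CIH entry above is exactly the kind of frame a debugger or endpoint agent looks for when it walks a thread's SEH chain: a record whose handler points into code the module never registered, or into no module image at all. The following added example (my own C, not code from this post or from CIH) walks a constructed stack snapshot and applies those checks, similar in spirit to the RtlIsValidHandler/SafeSEH validation Windows later added. All addresses, module ranges and the registered-handler table are made up for the example, and names ending in _sim are its own.

```c
/* Added example, not code from the original post: the checks a debugger or
 * endpoint agent can apply when walking a 32-bit thread's SEH chain, in the
 * spirit of RtlIsValidHandler/SafeSEH.  The stack snapshot, addresses, module
 * ranges and registered-handler table are all constructed for this example. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define END_OF_CHAIN 0xFFFFFFFFu   /* prev == -1 marks the last _EXCEPTION_REGISTRATION */
#define MAX_DEPTH    64            /* guard against a looped chain */

struct exception_registration { uint32_t prev; uint32_t handler; };  /* Win32 layout, 8 bytes */

struct module_sim {
    const char *name; uint32_t base, end;     /* [base, end) of the mapped image */
    const uint32_t *safe; size_t nsafe;       /* SafeSEH handler table, NULL if the image has none */
};
struct snapshot_sim { uint32_t stack_base; const uint32_t *words; size_t nwords; uint32_t fs0; };

enum {
    SEH_OK = 0,
    SEH_BAD_RECORD_ADDR = 1,          /* record lies outside the stack or is misaligned */
    SEH_HANDLER_OUTSIDE_MODULES = 2,  /* handler points at stack/heap/unbacked memory */
    SEH_HANDLER_NOT_REGISTERED = 4,   /* inside an image, but not in its SafeSEH table */
    SEH_NOT_ASCENDING = 8,            /* frames must move toward older (higher) stack */
    SEH_TOO_LONG = 16
};

/* Read one {prev, handler} pair from the simulated stack; 0 if the address is not readable. */
static int read_record(const struct snapshot_sim *s, uint32_t addr, struct exception_registration *r) {
    if (addr < s->stack_base || (addr - s->stack_base) % 4 != 0) return 0;
    size_t i = (addr - s->stack_base) / 4;
    if (i + 1 >= s->nwords) return 0;
    r->prev = s->words[i]; r->handler = s->words[i + 1];
    return 1;
}

/* Simplified RtlIsValidHandler: the handler must be inside a module image, and if that
 * image carries a SafeSEH table the handler must be listed in it. */
static int handler_status(const struct module_sim *mods, size_t n, uint32_t h) {
    for (size_t i = 0; i < n; i++) {
        if (h < mods[i].base || h >= mods[i].end) continue;
        if (!mods[i].safe) return SEH_OK;             /* no table: any in-image address accepted */
        for (size_t j = 0; j < mods[i].nsafe; j++) if (mods[i].safe[j] == h) return SEH_OK;
        return SEH_HANDLER_NOT_REGISTERED;
    }
    return SEH_HANDLER_OUTSIDE_MODULES;
}

/* Walk from FS:[0]; returns OR-ed findings and (optionally) the first suspicious handler. */
static int check_seh_chain(const struct snapshot_sim *s, const struct module_sim *mods, size_t n,
                           uint32_t *first_bad) {
    int findings = SEH_OK;
    uint32_t cur = s->fs0, last = 0;
    for (int depth = 0; cur != END_OF_CHAIN; depth++) {
        struct exception_registration r;
        if (depth >= MAX_DEPTH) { findings |= SEH_TOO_LONG; break; }
        if (!read_record(s, cur, &r)) { findings |= SEH_BAD_RECORD_ADDR; break; }
        if (depth > 0 && cur <= last) findings |= SEH_NOT_ASCENDING;
        int v = handler_status(mods, n, r.handler);
        if (v != SEH_OK) { findings |= v; if (first_bad && *first_bad == 0) *first_bad = r.handler; }
        last = cur; cur = r.prev;
    }
    return findings;
}

/* Constructed stack 0x0012FF00..0x0012FFFF: a normal chain (records at ..FF80 and ..FFE0) plus two
 * extra records such as a CIH-style entry (..FF20) or a corrupted frame (..FF10) would add. */
static const uint32_t stack_words_sim[64] = {
    [4]  = 0x0012FF20u, [5]  = 0x0012FF30u,   /* handler on the stack itself */
    [8]  = 0x0012FF80u, [9]  = 0x00403010u,   /* handler inside host.exe, not in its table */
    [32] = 0x0012FFE0u, [33] = 0x00401234u,   /* host.exe's one registered handler */
    [56] = END_OF_CHAIN, [57] = 0x7C839AD8u,  /* default handler in kernel32 (constructed) */
};
static const uint32_t host_safe_handlers_sim[] = { 0x00401234u };
static const struct module_sim modules_sim[] = {
    { "host.exe",     0x00400000u, 0x00410000u, host_safe_handlers_sim, 1 },
    { "kernel32.dll", 0x7C800000u, 0x7C900000u, NULL, 0 },
};

/* Audit the constructed snapshot starting from a given FS:[0] value. */
static int audit_sim(uint32_t fs0, uint32_t *first_bad) {
    struct snapshot_sim s = { 0x0012FF00u, stack_words_sim, 64, fs0 };
    return check_seh_chain(&s, modules_sim, 2, first_bad);
}

int main(void) {
    uint32_t bad = 0;
    int f = audit_sim(0x0012FF20u, &bad);
    printf("findings=%d first suspicious handler=%#x\n", f, bad);
    return 0;
}
```

Starting the walk at the normal frame gives a clean result; starting at the CIH-style frame flags its handler as unregistered, and starting at the corrupted frame additionally flags a handler that points into the stack. The ascending-address and depth checks catch the other common corruption, a chain that loops or runs backwards.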
So, how is it, hard to follow?
I don't know whether you have the same question, but I have had it ever since I first read the CIH code: why can SEH get into Ring0? Is SEH really a way to break through the ring barrier? I only have a vague idea, but I wrote it down anyway; if you know, please advise.
OK, next time we begin the exciting part of the journey.