About SEH (2) by SSSA2000
Ma Jiajue has been arrested, and my heart aches terribly. Aaah said I was infected with MyDoom; I got the dedicated removal tool but it didn't find anything. Now I am very vigilant, and I have even turned Rundll32 off. Now to the topic.
1. First, how to use SEH. Yesterday we covered the version wrapped by C; now we get our hands on raw ("naked") SEH.
SEH works by registering an exception-handling function in advance; when an exception occurs, that function is called first. So to use SEH, you must first set up the exception callback function.
How do you set it up? Very simple, three instructions do it:
        push    offset _Handler     ; push the address of the callback function onto the stack
        push    fs:[0]              ; push the current fs:[0]
        mov     fs:[0], esp         ; store ESP in fs:[0]
Why does it have to be this way? This brings us to the TIB. Win32 defines a Thread Information Block (TIB) for each thread. This structure contains an ExceptionList pointer, which is the link in the SEH chain.
This pointer points to an EXCEPTION_REGISTRATION structure, defined as follows:
EXCEPTION_REGISTRATION struct
        prev     dd ?   ; address of the previous EXCEPTION_REGISTRATION
        handler  dd ?   ; address of the callback function
EXCEPTION_REGISTRATION ends
With this structure you can link many SEH records into a chain. Note that this is only the basic form: many handlers put additional data after these two fields, but these two are the essential, most basic part.
Now back to the three instructions above. Since the TIB is always loaded at fs:[0], fs:[0] is the ExceptionList field, i.e. it holds the address of the current EXCEPTION_REGISTRATION.
push fs:[0] pushes fs:[0] onto the stack. At this point ESP points to the new structure. Why? Review the assembly: after the two pushes, [ESP] is the address of this EXCEPTION_REGISTRATION, so [ESP+0] is the prev field (the old fs:[0] we just pushed) and [ESP+4] is the address of the callback function.
mov fs:[0], esp stores ESP into fs:[0]. The old fs:[0] has already become the prev field of the new structure, and ESP is the address of that new structure, so the only thing left to do is to make the chain head point to it: fs:[0] = ESP.
OK, does it feel a bit hard? If you are just getting started, you can simply memorize these three instructions, push offset _Handler / push fs:[0] / mov fs:[0], esp, and only change the name of the callback function. As you learn more you will get familiar with it, don't worry.
Look at Luo Yunbin's code:
        .386
        .model flat, stdcall
        option casemap:none
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
include         windows.inc
include         user32.inc
includelib      user32.lib
include         kernel32.inc
includelib      kernel32.lib
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
                .const
szMsg           db      'Exception occurred at: %08X, exception code: %08X, flags: %08X', 0
szSafe          db      'Returned to a safe place!', 0
szCaption       db      'SEH example', 0
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
                .code
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
_Handler        proc    _lpExceptionRecord, _lpSEH, _lpContext, _lpDispatcherContext
                local   @szBuffer[256]:byte

                pushad
                mov     esi, _lpExceptionRecord
                mov     edi, _lpContext
                assume  esi:ptr EXCEPTION_RECORD, edi:ptr CONTEXT
                invoke  wsprintf, addr @szBuffer, addr szMsg, \
                        [edi].regEip, [esi].ExceptionCode, [esi].ExceptionFlags
                invoke  MessageBox, NULL, addr @szBuffer, NULL, MB_OK
;********************************************************************
; Point EIP to a safe location and restore the stack
;********************************************************************
                mov     eax, _lpSEH
                push    [eax + 8]
                pop     [edi].regEip
                push    [eax + 0ch]
                pop     [edi].regEbp
                push    eax
                pop     [edi].regEsp
                assume  esi:nothing, edi:nothing
                popad
                mov     eax, ExceptionContinueExecution
                ret

_Handler        endp
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
_Test           proc
;********************************************************************
; Build an EXCEPTION_REGISTRATION structure on the stack
;********************************************************************
                assume  fs:nothing
                push    ebp
                push    offset _SafePlace
                push    offset _Handler
                push    fs:[0]
                mov     fs:[0], esp
;********************************************************************
; The instruction that will trigger the exception
;********************************************************************
                pushad
                xor     ebp, ebp
                xor     eax, eax
                mov     dword ptr [eax], 0
                popad                           ; this instruction will not be executed
_SafePlace:
                invoke  MessageBox, NULL, addr szSafe, addr szCaption, MB_OK
;********************************************************************
; Restore the original SEH chain
;********************************************************************
                pop     fs:[0]
                add     esp, 0ch
                ret

_Test           endp
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
start:
                invoke  _Test
                invoke  ExitProcess, NULL
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
                end     start
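As an added example (not Luo Yunbin's code and not part of the original post), here is a portable C model of the stack frame that the three registration instructions and _Test build, of the fix-up _Handler applies to the CONTEXT, and of the chain restore after _SafePlace. The names seh_frame, fake_context, seh_register, seh_handler and seh_unlink are hypothetical, and addresses are plain 32-bit values passed around explicitly, so it runs on any host without Windows.

```c
#include <stdint.h>
/* Hypothetical 32-bit model of the frame _Test builds on the stack.
 * Field order mirrors the four pushes, so the offsets are the ones the
 * handler reads: [eax+0], [eax+4], [eax+8], [eax+0ch]. */
typedef struct {
    uint32_t prev;        /* [eax+0]   old fs:[0]        */
    uint32_t handler;     /* [eax+4]   offset _Handler   */
    uint32_t safe_place;  /* [eax+8]   offset _SafePlace */
    uint32_t saved_ebp;   /* [eax+0ch] pushed ebp        */
} seh_frame;              /* 16 bytes, as on an x86 stack */

/* Only the three CONTEXT registers the handler rewrites. */
typedef struct { uint32_t eip, ebp, esp; } fake_context;
enum { ExceptionContinueExecution = 0 };

/* push ebp / push offset _SafePlace / push offset _Handler / push fs:[0],
 * then mov fs:[0],esp.  Updates *esp and the chain head *fs0 and returns
 * the new head, which is the frame's own address. */
uint32_t seh_register(seh_frame *f, uint32_t *esp, uint32_t *fs0,
                      uint32_t handler, uint32_t safe_place, uint32_t ebp)
{
    f->saved_ebp  = ebp;          /* push ebp               */
    f->safe_place = safe_place;   /* push offset _SafePlace */
    f->handler    = handler;      /* push offset _Handler   */
    f->prev       = *fs0;         /* push fs:[0]            */
    *esp -= sizeof(seh_frame);    /* four dword pushes      */
    *fs0  = *esp;                 /* mov fs:[0],esp         */
    return *fs0;
}

/* Mirrors _Handler: frame_addr plays the role of _lpSEH (eax).  EIP goes
 * to _SafePlace, EBP is restored, and ESP is set to the frame itself so
 * that the code at _SafePlace can pop fs:[0] and discard the frame. */
int seh_handler(const seh_frame *f, uint32_t frame_addr, fake_context *ctx)
{
    ctx->eip = f->safe_place;   /* push [eax+8];   pop [edi].regEip */
    ctx->ebp = f->saved_ebp;    /* push [eax+0ch]; pop [edi].regEbp */
    ctx->esp = frame_addr;      /* push eax;       pop [edi].regEsp */
    return ExceptionContinueExecution;
}

/* Mirrors the epilogue after _SafePlace: pop fs:[0] restores the old
 * chain head, add esp,0ch drops handler, safe_place and saved ebp.
 * Returns the restored fs:[0]; *esp receives the final stack pointer. */
uint32_t seh_unlink(const seh_frame *f, uint32_t frame_addr, uint32_t *esp)
{
    *esp = frame_addr + 4 + 0x0c;   /* pop fs:[0]; add esp,0ch  */
    return f->prev;                 /* value popped into fs:[0] */
}
```

The point to take away is that the handler does not unwind anything itself: it sets ESP to the frame address so the epilogue at _SafePlace pops exactly the four dwords _Test pushed.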
I won't explain this code here; some of it I still have to talk about. I don't quite know how to write it down yet, I'll think about it. The next lecture will mainly cover questions about SEH's callback function.
OK, now I will enter Ring0 and get to our real goal, heh heh. Although the technique is a bit outdated, it is still very useful for us. I am writing while learning; I spent a few days on CIH's code for entering Ring0. Take a look, heh heh. In fact, I wrote only this little bit because I was afraid I couldn't write it all out; a little more below, heh heh.