Copy Link
Add to Bookmark
Report

Using Structured Exception Handler (SEH)

H0l0kausT Issue 1

eZine's profile picture
Published in 
H0l0kausT
 · 1 year ago

Billy Belcebu/DDT


Well, this is a very simple tutorial about the Structured Exception Handler. When i saw SEH implemented in a virus, i thought "Well, it does a lot. Must be very hard to implement". So i simple skipped its use. But, as my Destiny made General Protection Faults running under NT, as i read in 0BFF70000h, i realized that i had to do something. And SEH was the only way. Well, we can do it very complex to understand, or very easy. Of course, i prefer to do it more easy :)

Setting up the SEH frame

Firstly we save it for our own safety with a simple text line.

                push    dword ptr fs:[0]

And now it's time to make the thingy to point to our handler (for example, imagine that we used a call for call the setup of the SEH, and our handler is just after that call instructions: we can use the offset of ret for make it point there)

                push    offset SEH_Handler 
mov fs:[0],esp

Well, as easy as it gets. What about restore the original SEH? More easy. Simply do the opposite of the first instruction.

                pop     dword ptr fs:[0]

It's surprising that that very simple thing for implement if our Windoze viruses could do for us. For me (as it was the use of SEH i was searching) the most important one is that i can help us to avoid all that goddamn blue screens when we run our Win95 virus under NT enviroments. That goddamn blue screen appears everytime we try to make comparisons over our hardcoded Win95 kernel under NT.

Example of SEH use

Well, you can compile this with:

 tasm32 /m3 /ml sehtest,,; 
tlink32 /Tpe /aa sehtest,sehtest,,import32.lib


.386p
.model flat ; Good good... 32 bit r0x0r

extrn MessageBoxA:PROC ; Defined APIs
extrn ExitProcess:PROC

.data

szTitle db "Structured Exception Handler",0
szMessage db "Intercepted General Protection Fault!",0

.code

start:
call setupSEH ; The call pushes the offset
; past it in the stack rigth?
; So we will use that :)
errorhandler:

mov esp,[esp+8] ; Put the original SEH offset
; Error gives us old ESP
; in [ESP+8]

push 00000000h ; Parameters for MessageBoxA
push offset szTitle
push offset szMessage
push 00000000h
call MessageBoxA

push 00000000h
call ExitProcess ; Exit Application

setupSEH:
push dword ptr fs:[0] ; Push original SEH handler
mov fs:[0],esp ; And put the new one (located
; after the first call)

mov ebx,0BFF70000h ; Try to write in kernel (will
mov eax,012345678h ; generate an exception)
xchg eax,[ebx]

end start

Another possible thing to do : AntiDebugging

Jacky Qwerty's Win32.Cabanas uses SEH also for anti-debug features. Very easy to implement. You have to set up SEH, as showed above, generate an exception (the above code can be used) and then make the handler point to the continuation of the virus code, and restore old handler. Simple and effective :)

Final words

Hey, now you haven't any excuse for don't use SEH in your viruses! For what the hell are you waiting for? Well, as you can see, the use of SEH is very easy to understand, takes few lines of code, and can help us a lot.

Billy Belcebu,
mass killer and ass kicker.

← previous
next →
loading
sending ...
New to Neperos ? Sign Up for free
download Neperos App from Google Play
install Neperos as PWA

Let's discover also

Recent Articles

Recent Comments

Neperos cookies
This website uses cookies to store your preferences and improve the service. Cookies authorization will allow me and / or my partners to process personal data such as browsing behaviour.

By pressing OK you agree to the Terms of Service and acknowledge the Privacy Policy

By pressing REJECT you will be able to continue to use Neperos (like read articles or write comments) but some important cookies will not be set. This may affect certain features and functions of the platform.
OK
REJECT