Using Structured Exception Handler (SEH)
H0l0kausT Issue 1
Billy Belcebu/DDT
Well, this is a very simple tutorial about the Structured Exception Handler. When i saw SEH implemented in a virus, i thought "Well, it does a lot. Must be very hard to implement". So i simple skipped its use. But, as my Destiny made General Protection Faults running under NT, as i read in 0BFF70000h, i realized that i had to do something. And SEH was the only way. Well, we can do it very complex to understand, or very easy. Of course, i prefer to do it more easy :)
Setting up the SEH frame
Firstly we save it for our own safety with a simple text line.
push dword ptr fs:[0]
And now it's time to make the thingy to point to our handler (for example, imagine that we used a call for call the setup of the SEH, and our handler is just after that call instructions: we can use the offset of ret for make it point there)
push offset SEH_Handler
mov fs:[0],esp
Well, as easy as it gets. What about restore the original SEH? More easy. Simply do the opposite of the first instruction.
pop dword ptr fs:[0]
It's surprising that that very simple thing for implement if our Windoze viruses could do for us. For me (as it was the use of SEH i was searching) the most important one is that i can help us to avoid all that goddamn blue screens when we run our Win95 virus under NT enviroments. That goddamn blue screen appears everytime we try to make comparisons over our hardcoded Win95 kernel under NT.
Example of SEH use
Well, you can compile this with:
tasm32 /m3 /ml sehtest,,;
tlink32 /Tpe /aa sehtest,sehtest,,import32.lib
.386p
.model flat ; Good good... 32 bit r0x0r
extrn MessageBoxA:PROC ; Defined APIs
extrn ExitProcess:PROC
.data
szTitle db "Structured Exception Handler",0
szMessage db "Intercepted General Protection Fault!",0
.code
start:
call setupSEH ; The call pushes the offset
; past it in the stack rigth?
; So we will use that :)
errorhandler:
mov esp,[esp+8] ; Put the original SEH offset
; Error gives us old ESP
; in [ESP+8]
push 00000000h ; Parameters for MessageBoxA
push offset szTitle
push offset szMessage
push 00000000h
call MessageBoxA
push 00000000h
call ExitProcess ; Exit Application
setupSEH:
push dword ptr fs:[0] ; Push original SEH handler
mov fs:[0],esp ; And put the new one (located
; after the first call)
mov ebx,0BFF70000h ; Try to write in kernel (will
mov eax,012345678h ; generate an exception)
xchg eax,[ebx]
end start
Another possible thing to do : AntiDebugging
Jacky Qwerty's Win32.Cabanas uses SEH also for anti-debug features. Very easy to implement. You have to set up SEH, as showed above, generate an exception (the above code can be used) and then make the handler point to the continuation of the virus code, and restore old handler. Simple and effective :)
Final words
Hey, now you haven't any excuse for don't use SEH in your viruses! For what the hell are you waiting for? Well, as you can see, the use of SEH is very easy to understand, takes few lines of code, and can help us a lot.
Billy Belcebu,
mass killer and ass kicker.