Re: Win32: Using SEH to search memory

From: Nicolas RUFF (lists) (ruff.lists_at_edelweb.fr)
Date: 09/25/03

    Date: Thu, 25 Sep 2003 14:48:33 +0200
    To: Bob Askew <bdaskew@hotmail.com>, vuln-dev@securityfocus.com
    
    

    Windows XP Exception Handler has new protections, such as:
    - clearing registers before transferring control to the handler code
    AND
    - not transferring control to handler code located on the stack

    Cf. http://std.dkuug.dk/jtc1/sc22/wg21/docs/papers/2003/n1462.pdf

    If you run your code on Windows 2000, it should work fine, I guess.

    Regards,
    - Nicolas RUFF
    -----------------------------------
    Security Consultant
    EdelWeb (http://www.edelweb.fr/)
    -----------------------------------

    > I'm trying to search through memory using structured exception handling
    > to avoid crashing when accessing bad memory. Various buffer overflow
    > exploits have used this technique for locating the address of
    > GetProcAdd() or for locating shellcode planted in memory.
    >
    > I have an example written in inline assembly and compiled with Visual
    > Studio on XP. It implements seh and searches through memory just fine.
    > My handler handles the memory access violations. (Example 1 code below)
    > However, if I stick my handler on the stack, then Windows doesn't send
    > the exception to my handler. (Example 2 code below)
    >
    > Does anyone have any suggestions as to what I might be doing wrong? Does
    > Windows care where a handler lives in memory? Can anyone recommend a
    > good reference for implementing seh in shellcode?
    >
    >
    > Example 1:
    > *****************************************
    >
    > #include <stdio.h>
    >
    > //simple test for SEH with handler
    >
    > void main()
    > {
    > unsigned int cint = 0;
    >
    > __asm{
    >
    > jmp gethandler
    > start:
    > xor ebx,ebx
    > xor ecx,ecx
    > push dword ptr fs:[ecx]
    > mov dword ptr fs:[ecx],esp
    > search:
    > inc ebx
    > cmp dword ptr[ebx],0x00000000 ;//causes exception
    >
    > //exception cleanup
    > xor ecx,ecx ;
    > mov eax,[ESP] ; // Get pointer to previous record
    > mov FS:[ecx], eax ; // Install previous record
    > add esp, 8 ; //clean handler & fs[0] off stack
    > jmp printit
    >
    > gethandler:
    > call start
    > handler:
    > push ebp
    > mov ebp,esp
    > push ebx
    > mov ebx,[ebp+10h] ;// third handler argument: pointer to the CONTEXT record
    > add ebx,0xa4 ;// offset of the saved Ebx inside CONTEXT
    > inc dword ptr[ebx] ;// bump the saved ebx so execution resumes one byte further on
    > xor eax,eax ;// return ExceptionContinueExecution (0)
    > pop ebx
    > mov esp,ebp
    > pop ebp
    > ret
    > printit:
    > mov [cint],ebx
    > }
    > printf("Last ebx = %x\n",cint);
    >
    > }
    >
    > Example 2:
    > *****************************************
    >
    > #include <stdio.h>
    >
    > //simple test for SEH with handler located on stack
    >
    > void main()
    > {
    > unsigned int cint = 0;
    >
    > unsigned char bytes[] =
    > "\xEB\x1B" // jmp gethandler
    > //start:
    > "\x33\xDB" // xor ebx,ebx
    > "\x33\xC9" // xor ecx,ecx
    > "\x64\xFF\x31" // push dword ptr fs:[ecx]
    > "\x64\x89\x21" // mov dword ptr fs:[ecx],esp
    > //search:
    > "\x43" // inc ebx
    > "\x83\x3B\x00" // cmp dword ptr [ebx],0
    > //SEH cleanup
    > "\x33\xC9" // xor ecx,ecx
    > "\x8B\x04\x24" // mov eax,dword ptr [esp]
    > "\x64\x89\x01" // mov dword ptr fs:[ecx],eax
    > "\x83\xC4\x08" // add esp,8
    > "\xEB\x1B" // jmp printit
    > //gethandler:
    > "\xE8\xE0\xFF\xFF\xFF" // call start
    > //handler:
    > "\x55" // push ebp
    > "\x8B\xEC" // mov ebp,esp
    > "\x53" // push ebx
    > "\x8B\x5D\x10" // mov ebx,dword ptr [ebp+10h]
    > "\x81\xC3\xA4\x00\x00\x00"//add ebx,0A4h
    > "\xFF\x03" // inc dword ptr [ebx]
    > "\x33\xC0" // xor eax,eax
    > "\x5B" // pop ebx
    > "\x8B\xE5" // mov esp,ebp
    > "\x5D" // pop ebp
    > "\xC3" // ret
    > //printit: (clean exit?)
    > "\xFF\xE2"; // jmp edx (FF D2 would be call edx)
    >
    > __asm{
    > lea eax,bytes
    > lea edx,printit
    > jmp eax
    > printit:
    > mov [cint],ebx
    > }
    >
    > printf("Last ebx = %x\n",cint); //probably will never make it here.
    >
    > }
    >
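As an added illustration (not part of this thread and not either poster's code), here is the idea behind Example 1 written for POSIX systems: a fault handler that lives in .text catches the access violation, the probe unwinds with siglongjmp, and the scan carries on at the next page. The "bad memory" is a constructed three-page mapping whose middle page is set PROT_NONE; all function and variable names are my own. This is the pattern crash-tolerant memory readers (core dumpers, analysis tools) use, not a drop-in for the Windows SEH code above, but it shows the same two properties: the handler is in the image, not on the stack, and the faulting thread resumes instead of dying.

```c
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Jump target for the fault handler and a flag saying a probe is in flight. */
static sigjmp_buf probe_env;
static volatile sig_atomic_t probe_armed = 0;

/* Fault handler: the analogue of the SEH handler in Example 1.  It lives in
 * .text and, instead of patching the faulting thread's CONTEXT, unwinds back
 * into probe_readable() via siglongjmp(). */
static void probe_fault_handler(int sig)
{
    if (probe_armed) {
        probe_armed = 0;
        siglongjmp(probe_env, sig);
    }
    /* Fault outside a probe: restore the default action and re-raise so the
     * process still crashes loudly instead of silently continuing. */
    signal(sig, SIG_DFL);
    raise(sig);
}

/* Install the handler for the two fault signals.  SA_NODEFER keeps the
 * signal unblocked inside the handler so siglongjmp() leaves the mask clean. */
int install_probe_handlers(void)
{
    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = probe_fault_handler;
    sa.sa_flags = SA_NODEFER;
    sigemptyset(&sa.sa_mask);
    if (sigaction(SIGSEGV, &sa, NULL) != 0) return -1;
    if (sigaction(SIGBUS, &sa, NULL) != 0) return -1;
    return 0;
}

/* Return 1 if the byte at p can be read, 0 if reading it faults. */
int probe_readable(const void *p)
{
    volatile const unsigned char *vp = (volatile const unsigned char *)p;
    unsigned char sink;

    if (sigsetjmp(probe_env, 1) != 0)
        return 0;                 /* arrived here from the fault handler */
    probe_armed = 1;
    sink = *vp;                   /* may fault: SIGSEGV -> handler -> siglongjmp */
    probe_armed = 0;
    (void)sink;
    return 1;
}

/* Count readable pages in [start, start + npages * pagesz). */
size_t count_readable_pages(const void *start, size_t npages, size_t pagesz)
{
    size_t readable = 0;
    const unsigned char *p = (const unsigned char *)start;
    for (size_t i = 0; i < npages; i++)
        readable += (size_t)probe_readable(p + i * pagesz);
    return readable;
}

/* Constructed test region: three anonymous pages, the middle one made
 * PROT_NONE so a naive read would kill the process.  Returns the number of
 * pages the probe reports readable (2), or (size_t)-1 on setup failure. */
size_t demo_scan_with_guard_page(void)
{
    size_t pagesz = (size_t)sysconf(_SC_PAGESIZE);
    unsigned char *region = mmap(NULL, 3 * pagesz, PROT_READ | PROT_WRITE,
                                 MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (region == MAP_FAILED) return (size_t)-1;
    if (install_probe_handlers() != 0) return (size_t)-1;
    if (mprotect(region + pagesz, pagesz, PROT_NONE) != 0) return (size_t)-1;

    size_t readable = count_readable_pages(region, 3, pagesz);
    munmap(region, 3 * pagesz);
    return readable;
}

int main(void)
{
    printf("readable pages: %zu of 3\n", demo_scan_with_guard_page());
    return 0;
}
```

The probe steps one page at a time rather than one byte at a time, because readability is a page property; the byte-granular `inc ebx` loop in Example 1 takes thousands of faults per unmapped page for the same answer.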
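To make Nicolas's second point concrete, here is an added model (written for this page, not taken from the thread and not Windows' own dispatcher code) of the sanity checks the 32-bit SEH dispatcher applies while walking the fs:[0] chain: every registration record must lie inside the thread's stack limits (StackBase/StackLimit from the TIB) and be 4-byte aligned, and on Windows XP the handler address itself must not point into the stack. Records are built in a constructed buffer with made-up virtual addresses (the MODEL_* constants are placeholders, not real XP values). Run over the two shapes in the question, the Example 1 chain passes and the Example 2 chain is rejected before its handler is ever called.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Model of one 32-bit SEH registration record: the two dwords Example 1
 * pushes (previous record pointer at [esp], handler address at [esp+4]). */
typedef struct {
    uint32_t next;      /* VA of the previous record; SEH_END terminates the chain */
    uint32_t handler;   /* VA of the handler code */
} seh_record;

#define SEH_END 0xFFFFFFFFu

typedef enum {
    SEH_CHAIN_OK = 0,
    SEH_RECORD_OFF_STACK,   /* record not inside [stack_limit, stack_base) */
    SEH_RECORD_MISALIGNED,  /* record not 4-byte aligned */
    SEH_HANDLER_ON_STACK,   /* handler address inside the stack: the XP rejection */
    SEH_CHAIN_TOO_LONG      /* probable cycle in the chain */
} seh_verdict;

/* Walk the chain held in 'stack', a constructed buffer standing in for the
 * thread's stack that we pretend is mapped at base_va..base_va+size.
 * Returns the first check that fails, or SEH_CHAIN_OK with *out_depth set
 * to the number of records visited. */
seh_verdict validate_seh_chain(const uint8_t *stack, uint32_t base_va, uint32_t size,
                               uint32_t first_record_va, int *out_depth)
{
    const uint32_t stack_limit = base_va;          /* lowest valid address */
    const uint32_t stack_base  = base_va + size;   /* one past the highest */
    uint32_t cur = first_record_va;
    int depth = 0;

    while (cur != SEH_END) {
        if (++depth > 64) return SEH_CHAIN_TOO_LONG;
        /* The registration record itself must sit on the stack. */
        if (cur < stack_limit || cur >= stack_base ||
            stack_base - cur < sizeof(seh_record))
            return SEH_RECORD_OFF_STACK;
        if (cur & 3u) return SEH_RECORD_MISALIGNED;

        seh_record rec;
        memcpy(&rec, stack + (cur - base_va), sizeof rec);   /* alignment-safe read */
        /* The handler must NOT be on the stack: this is what refuses Example 2. */
        if (rec.handler >= stack_limit && rec.handler < stack_base)
            return SEH_HANDLER_ON_STACK;
        cur = rec.next;
    }
    if (out_depth) *out_depth = depth;
    return SEH_CHAIN_OK;
}

/* Write a record into the model stack at virtual address 'va'. */
static void put_record(uint8_t *stack, uint32_t base_va, uint32_t va,
                       uint32_t next, uint32_t handler)
{
    seh_record r = { next, handler };
    memcpy(stack + (va - base_va), &r, sizeof r);
}

/* Constructed placeholder addresses; none of them are real XP values. */
#define MODEL_STACK_VA  0x0012F000u   /* where the 256-byte model stack is "mapped" */
#define MODEL_TEXT_VA   0x00401030u   /* a handler label inside the image, as in Example 1 */
#define MODEL_NTDLL_VA  0x7C910000u   /* stand-in for the loader's default handler */

/* Example 1 shape: record on the stack, handler in the image.  Older records
 * sit at higher addresses because they were pushed earlier. */
seh_verdict scenario_handler_in_text(int *depth)
{
    uint8_t stack[256] = {0};
    put_record(stack, MODEL_STACK_VA, MODEL_STACK_VA + 0xF0, SEH_END, MODEL_NTDLL_VA);
    put_record(stack, MODEL_STACK_VA, MODEL_STACK_VA + 0x80, MODEL_STACK_VA + 0xF0, MODEL_TEXT_VA);
    return validate_seh_chain(stack, MODEL_STACK_VA, sizeof stack, MODEL_STACK_VA + 0x80, depth);
}

/* Example 2 shape: same chain, but the handler bytes live in a stack buffer. */
seh_verdict scenario_handler_on_stack(int *depth)
{
    uint8_t stack[256] = {0};
    put_record(stack, MODEL_STACK_VA, MODEL_STACK_VA + 0xF0, SEH_END, MODEL_NTDLL_VA);
    put_record(stack, MODEL_STACK_VA, MODEL_STACK_VA + 0x80, MODEL_STACK_VA + 0xF0, MODEL_STACK_VA + 0x40);
    return validate_seh_chain(stack, MODEL_STACK_VA, sizeof stack, MODEL_STACK_VA + 0x80, depth);
}

/* A corrupted 'next' pointer that leaves the stack (e.g. into the heap). */
seh_verdict scenario_record_off_stack(int *depth)
{
    uint8_t stack[256] = {0};
    put_record(stack, MODEL_STACK_VA, MODEL_STACK_VA + 0x80, 0x00350000u, MODEL_TEXT_VA);
    return validate_seh_chain(stack, MODEL_STACK_VA, sizeof stack, MODEL_STACK_VA + 0x80, depth);
}

int main(void)
{
    int depth = 0;
    printf("handler in text:  verdict %d, depth %d\n", scenario_handler_in_text(&depth), depth);
    printf("handler on stack: verdict %d\n", scenario_handler_on_stack(NULL));
    printf("record off stack: verdict %d\n", scenario_record_off_stack(NULL));
    return 0;
}
```

The model only covers the two checks the thread talks about plus the cycle guard; the real dispatcher also consults per-image handler tables on later service packs, which is outside this thread's scope.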

