1 / 18

Surprise Exception Handlers

Surprise Exception Handlers. Peter Ferrie Senior Anti-virus Researcher 11 June, 2008. 1. Corrupted!. A program that causes this message to appear: would probably be considered corrupted and not worthy of attention. 2. Peter Ferrie, Microsoft Corporation. Empty!.

stephen-david
Télécharger la présentation

Surprise Exception Handlers

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Surprise Exception Handlers Peter Ferrie Senior Anti-virus Researcher 11 June, 2008 1

  2. Corrupted! A program that causes this message to appear: would probably be considered corrupted and not worthy of attention. 2 Peter Ferrie, Microsoft Corporation

  3. Empty! Especially if it looks like this… 3 Peter Ferrie, Microsoft Corporation

  4. Empty! Entry Point 4 Peter Ferrie, Microsoft Corporation

  5. Empty! C3 RET 5 Peter Ferrie, Microsoft Corporation

  6. Empty! So the main file does nothing. If we assume that the structure is normal, then we could check the import table. Just in case. 6 Peter Ferrie, Microsoft Corporation

  7. Empty! SEH.DLL 7 Peter Ferrie, Microsoft Corporation

  8. Empty! a 8 Peter Ferrie, Microsoft Corporation

  9. Empty! So the search moves to SEH.DLL, and the mysterious function called ‘a’. 9 Peter Ferrie, Microsoft Corporation

  10. ‘A’ function 10 Peter Ferrie, Microsoft Corporation

  11. Failure To Launch CODE:00401000 push esi CODE:00401001 xor esi, esi CODE:00401003 lods dword ptr fs:[esi] CODE:00401005 inc eax CODE:00401006 CODE:00401006 loc_401006: CODE:00401006 dec eax CODE:00401007 xchg eax, esi CODE:00401008 lodsd CODE:00401009 inc eax CODE:0040100A jnz short loc_401006 CODE:0040100C mov dword ptr [esi], offset sub_401014 CODE:00401012 pop esi At this point, eax is zero, which means a load failure. A DLL that fails to load causes the message to appear. 11 Peter Ferrie, Microsoft Corporation

  12. I’m OK, You’re OK But what happens when we click on ‘OK’? 12 Peter Ferrie, Microsoft Corporation

  13. Surprise! 13 Peter Ferrie, Microsoft Corporation

  14. Not OK The code runs. 14 Peter Ferrie, Microsoft Corporation

  15. How Did That Happen? Let’s revisit the code: CODE:00401001 xor esi, esi CODE:00401003 lods dword ptr fs:[esi] CODE:00401005 inc eax CODE:00401006 CODE:00401006 loc_401006: CODE:00401006 dec eax CODE:00401007 xchg eax, esi CODE:00401008 lodsd CODE:00401009 inc eax CODE:0040100A jnz short loc_401006 CODE:0040100C mov dword ptr [esi], offset sub_401014 CODE:00401012 pop esi 15 Peter Ferrie, Microsoft Corporation

  16. Not OK A standard search and replace of the topmost SEH handler. Why does it work? The secret is in what Windows does after the DLL refuses to load. First comes the call to NtRaiseHardError() to display the message. However, next comes a called to RtlRaiseStatus(). This is intended to notify a debugger of the problem. RtlRaiseStatus() calls NtRaiseException(). Which raises an exception. Which, without a debugger, calls the topmost SEH handler. Which is now inside the DLL that was supposed to have terminated. 16 Peter Ferrie, Microsoft Corporation

  17. Not OK Nothing significant has changed in the process environment. So the DLL is free to run normally. So is the EXE, if it wants to. This technique works only for statically-linked DLLs. LoadLibrary() failures do not call the SEH handler. 17 Peter Ferrie, Microsoft Corporation

  18. Really Not OK Just a little something to add to the workload. 18 Peter Ferrie, Microsoft Corporation

More Related