Surprise Exception Handlers Peter Ferrie Senior Anti-virus Researcher 11 June, 2008
Corrupted! A program that causes this message to appear (the DLL load-failure dialog shown in the slide; the screenshot is not reproduced in the transcript) would probably be considered corrupted and not worthy of attention. Peter Ferrie, Microsoft Corporation

Empty! Especially if it looks like this: the entry point of the main file is a single byte, C3 (RET).

Empty! So the main file does nothing. If we assume that the structure is normal, then we could check the import table, just in case. The import table lists SEH.DLL, and from it a function named 'a'. So the search moves to SEH.DLL, and the mysterious function called 'a'.

'A' function / Failure To Launch

    push esi
    xor esi, esi                        ; esi = 0
    lods dword ptr fs:[esi]             ; eax = fs:[0], the head of the SEH chain (TIB ExceptionList)
    inc eax                             ; pre-increment so the dec at the loop head restores the pointer
loc_401006:
    dec eax                             ; eax = current EXCEPTION_REGISTRATION record
    xchg eax, esi                       ; esi = record
    lodsd                               ; eax = record.Next; esi now points at record.Handler
    inc eax                             ; Next == -1 (end of chain) gives eax == 0 and ZF set
    jnz short loc_                      ; not the end yet: follow Next (target label truncated in transcript)
    mov dword ptr [esi], offset sub_    ; overwrite the last record's Handler with the DLL's own routine (symbol truncated in transcript)
    pop esi

At this point, eax is zero (the return value of the DLL entry point), which means a load failure. A DLL that fails to load causes the message to appear.

I'm OK, You're OK. But what happens when we click on 'OK'?

Surprise!

Not OK. The code runs.

How Did That Happen? Let's revisit the code of the 'A' function above.

Not OK. A standard search-and-replace of the topmost SEH handler: the loop walks the chain from fs:[0] until it reaches the record whose Next link is -1, the last one in the chain, and replaces that record's Handler. Why does it work? The secret is in what Windows does after the DLL refuses to load. First comes the call to NtRaiseHardError() to display the message. However, next comes a call to RtlRaiseStatus(). This is intended to notify a debugger of the problem. RtlRaiseStatus() calls NtRaiseException(), which raises an exception. Without a debugger attached, that exception is dispatched through the SEH chain and reaches the topmost handler, which is now inside the DLL that was supposed to have terminated.

Not OK. Nothing significant has changed in the process environment, so the DLL is free to run normally. So is the EXE, if it wants to. This technique works only for DLLs that are linked at load time through the import table. LoadLibrary() failures do not take this path: the call simply returns NULL, and the SEH handler is never called.
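The chain walk and the patch from the 'A' function, modelled in portable C as an added example (this is not code from the slides or from the sample SEH.DLL). On 32-bit Windows the chain head is fs:[0] (NT_TIB.ExceptionList), each record is {Next, Handler}, and the last record's Next is -1 (EXCEPTION_CHAIN_END); here the chain is a constructed linked list so the walk runs anywhere, and the module range, handler addresses and the frame contents are made up. It also adds the check a scanner or debugger script would make afterwards: whether the top-level handler points into the module that supposedly failed to load.

```c
/* Added example, not from Ferrie's slides: a portable model of what the DllMain
 * listing does to the SEH chain, plus the check a scanner would run afterwards.
 * On 32-bit Windows the chain head is fs:[0] (NT_TIB.ExceptionList); each record
 * is {Next, Handler}; the last record's Next is -1 (EXCEPTION_CHAIN_END).
 * The chain below is a constructed linked list, so this runs on any platform. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

struct seh_record {
    struct seh_record *next;   /* (uintptr_t)-1 marks the end of the chain */
    uintptr_t handler;         /* address of the handler routine */
};

#define SEH_CHAIN_END ((struct seh_record *)(uintptr_t)-1)

/* Equivalent of the loop at loc_401006: follow Next until it is -1 and return
 * that record, the top-level frame. NULL if the head is empty or terminated. */
struct seh_record *seh_last_record(struct seh_record *head)
{
    struct seh_record *r = head;
    if (r == NULL || r == SEH_CHAIN_END)
        return NULL;
    while (r->next != SEH_CHAIN_END)
        r = r->next;
    return r;
}

size_t seh_chain_length(struct seh_record *head)
{
    size_t n = 0;
    for (struct seh_record *r = head; r != NULL && r != SEH_CHAIN_END; r = r->next)
        n++;
    return n;
}

/* The "mov dword ptr [esi], offset sub_..." step: overwrite only the last
 * record's Handler field. Returns the previous handler so it can be restored. */
uintptr_t seh_hijack_top(struct seh_record *head, uintptr_t new_handler)
{
    struct seh_record *last = seh_last_record(head);
    if (last == NULL)
        return 0;
    uintptr_t old = last->handler;
    last->handler = new_handler;
    return old;
}

/* Mirror of the DLL entry point in the listing: patch the chain, then return
 * FALSE (eax = 0) so the loader reports a load failure and, via RtlRaiseStatus,
 * raises the exception that calls the patched handler. */
int fake_dllmain_attach(struct seh_record *head, uintptr_t dll_handler)
{
    seh_hijack_top(head, dll_handler);
    return 0;
}

/* Detection check: does a handler address fall inside [base, base + size)?
 * A top-level handler inside a module that "failed to load" is the tell. */
int seh_handler_in_module(uintptr_t handler, uintptr_t base, size_t size)
{
    return handler >= base && handler - base < size;
}

/* Constructed sample chain (addresses are made up); the outer frame stands in
 * for the loader's default frame, the inner one for a caller's frame. */
struct seh_record g_frame_outer = { SEH_CHAIN_END, 0x7C90E900u };
struct seh_record g_frame_inner = { &g_frame_outer, 0x7C91AB00u };

/* Hypothetical image range of SEH.DLL and the address of its handler inside it. */
#define SEHDLL_BASE    0x10000000u
#define SEHDLL_SIZE    0x10000u
#define SEHDLL_HANDLER 0x10001000u

int main(void)
{
    size_t before = seh_chain_length(&g_frame_inner);
    int rc = fake_dllmain_attach(&g_frame_inner, SEHDLL_HANDLER);
    printf("DllMain returned %d; chain length %zu -> %zu; top handler now %#lx\n",
           rc, before, seh_chain_length(&g_frame_inner),
           (unsigned long)g_frame_outer.handler);
    printf("top handler inside SEH.DLL: %s\n",
           seh_handler_in_module(g_frame_outer.handler, SEHDLL_BASE, SEHDLL_SIZE)
               ? "yes" : "no");
    return 0;
}
```

The listing gets its FALSE return for free because eax is already zero when the loop ends; the model makes that explicit with `return 0`. Note that the walk touches only the Handler field of the last record, so chain length and every other frame are unchanged, which is why the rest of the process keeps working after the handler fires.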

Really Not OK. Just a little something to add to the workload.