{"id":6,"date":"2008-12-09T09:48:07","date_gmt":"2008-12-09T09:48:07","guid":{"rendered":"http:\/\/www.underealm.com\/code\/?p=6"},"modified":"2014-08-09T04:22:21","modified_gmt":"2014-08-09T02:22:21","slug":"seh-jump","status":"publish","type":"post","link":"http:\/\/www.underealm.com\/code\/2008\/12\/seh-jump\/","title":{"rendered":"SEH Jump"},"content":{"rendered":"<p>A little intro before the code. It is possible, working the way through a\u00a0<abbr title=\"Structured Exception Handler\">SEH<\/abbr>, to jump to another location instead of using a standard JMP. The advantage of this is the (eventual) obfuscation of the jump (if done properly), and although I&#8217;ve seen plenty of references around the web, I just couldn&#8217;t find anything on this matter, especially in the way I wanted it.<\/p>\n<p>What you are going to find about <abbr title=\"Structured Exception Handler\">SEH<\/abbr> around the web (including dirty tricks) are most likely:<\/p>\n<ol>\n<li>Standard way (no tricks at all, just standard behaviour)<\/li>\n<li>Jump &amp; Clean (jump to the <abbr title=\"Structured Exception Handler\">SEH<\/abbr>, never get back)<\/li>\n<li>Clean jump based on <abbr title=\"Structured Exception Handler\">SEH<\/abbr> hack (only here, searched a lot, and never found)<\/li>\n<\/ol>\n<p>About #1, I will let you seek through the <a href=\"http:\/\/www.google.com\/search?q=SEH+handler\">vast ASM\/C++ references<\/a>, no need to talk about it here.<\/p>\n<p>About #2, code snippet:<\/p>\n<pre lang=\"asm\"><code>.code\r\nassume fs:nothing\r\n\r\nstart:\r\npush @@SEH_Handler   ; Address of SEH\r\npush FS:[0]          ; Original SEH\r\nmov FS:[0], ESP      ; Install SEH\r\nxor eax, eax\r\nidiv eax             ; Generate exception\r\nint 3                ; Will never reach this\r\njmp @@Exit\r\n\r\n@@SEH_Handler:\r\nmov esp, [esp+8]     ; Restore pre-jump stack\r\npop FS:[0]           ; Reset Original Handler\r\nadd esp, 4           ; Remove SEH address from stack\r\n[...]                ; Code goes on as normal<\/code><\/pre>\n<p>This code works perfectly. But there&#8217;s a pretty grievous problem with it. That is, it <em>assumes<\/em> and <em>requires<\/em> that you are the <strong>author of both codes<\/strong> (pre and post jump) and that <strong>you can modify them<\/strong>. Which wasn&#8217;t my case.<\/p>\n<p>Example: while writing a packer, or a loader, or whatever you may want to, <em>you just can&#8217;t clean <abbr title=\"Structured Exception Handler\">SEH<\/abbr> handler and the stack<\/em> after the jump. Because, since the code isn&#8217;t yours and can&#8217;t be recoded, it won&#8217;t do it. And that&#8217;s bad. Imagine it doesn&#8217;t have an exception handler, and at every unhandled exception it \u201creturns\u201d to your <abbr title=\"Original Entry Point\">OEP<\/abbr>. Nasty, huh? And that&#8217;s the least of the problems actually.<\/p>\n<p>Nastier problem is having a &#8220;dirty&#8221; stack, and god only knows what else could happen. But there is a workaround, which is cleaning and resetting everything <strong>inside the <abbr title=\"Structured Exception Handler\">SEH<\/abbr> handler<\/strong>, with a bit of hacking and eventually some heuristic approach. At least mine had to be, I knew nothing about it.<\/p>\n<pre class=\"mark:14-16,23-25\" lang=\"asm\"><code>.code\r\nassume fs:nothing\r\n\r\nstart:\r\npush @@SEH_Handler          ; Address of SEH\r\npush FS:[0]                 ; Original SEH\r\nmov FS:[0], ESP             ; Install SEH\r\nxor eax, eax\r\nidiv eax                    ; Generate exception\r\nint 3                       ; Will never reach this\r\njmp @@Exit\r\n\r\n@@SEH_Handler:\r\nmov eax, [esp+C]            ; Pointer to SEH Data\r\nadd [eax+C4], 8             ; [1]\r\nmov [eax+B8], @@JustGoOn    ; [2]\r\nmov eax, [esp+8]\r\nmov eax, [eax]              ; Pointer to original Stack\r\nmov FS:[0], eax             ; Reset Original Handler\r\nxor eax, eax                ; Set to 0 to \"return\"\r\nret\r\n\r\n; [ ESP+C ]: SEH_Data\r\n; [ SEH_Data + C4 ]: Original Stack Address (pre-jump)\r\n; [ SEH_DATA + B8 ]: Return Point<\/code><\/pre>\n<p>Pointer to <abbr title=\"Structured Exception Handler\">SEH<\/abbr> data (<strong>[ESP+C]<\/strong>) points to a zone in the stack with lots of info, including hardware breakpoints and (between the other things) the exact stack address returned to you after the jump. And, of course, the address it will return to.<br \/>\nAdding 8 in point [1] makes the kernel return to the address with the stack pointer set to the original one (pre-jump) minus the two push instructions (first two instructions after the <em>start:<\/em>). Which also basically means, it will return from the <abbr title=\"Structured Exception Handler\">SEH<\/abbr> handler with the <strong>original stack pointer<\/strong>, just as if the code started from the return point.<\/p>\n<p>The point [2] should be fairly readable and intuitive: hacks the stack to &#8220;hack&#8221; the return point. Another approach, in case you wanted to continue right from the next instruction, would have been to add the size of the operand to the address (in this case the size of <strong>IDIV EAX<\/strong>). Just to remind you, the default <abbr title=\"Structured Exception Handler\">SEH<\/abbr> way is to return to the very same instruction that caused the exception.<\/p>\n<p>With this piece of code you achieve two things: the first and most important, you perfectly and seamlessly jump from one context to another, just as if there were two programs in the same executable; secondly you have the ability to easily obfuscate the jump, which in this case is pretty obvious, but that&#8217;s up to you, not me.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>A little intro before the code. It is possible, working the way through a\u00a0SEH, to jump to another location instead of using a standard JMP. The advantage of this is the (eventual) obfuscation of the jump (if done properly), and although I&#8217;ve seen plenty of references around the web, I just couldn&#8217;t find anything on [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2,3,4],"tags":[],"class_list":["post-6","post","type-post","status-publish","format-standard","hentry","category-assembly","category-black-magic","category-reverse-engineering"],"jetpack_featured_media_url":"","_links":{"self":[{"href":"http:\/\/www.underealm.com\/code\/wp-json\/wp\/v2\/posts\/6"}],"collection":[{"href":"http:\/\/www.underealm.com\/code\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.underealm.com\/code\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.underealm.com\/code\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/www.underealm.com\/code\/wp-json\/wp\/v2\/comments?post=6"}],"version-history":[{"count":0,"href":"http:\/\/www.underealm.com\/code\/wp-json\/wp\/v2\/posts\/6\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.underealm.com\/code\/wp-json\/wp\/v2\/media?parent=6"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.underealm.com\/code\/wp-json\/wp\/v2\/categories?post=6"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.underealm.com\/code\/wp-json\/wp\/v2\/tags?post=6"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}