|Informative Information for the Uninformed|
Next: Prevent Setting of non-image Up: Mitigation Techniques Previous: Mitigation Techniques Contents
One way in which Microsoft could solve this issue would be to change the behavior of kernel32!SetUnhandledExceptionFilter in a manner that allows it to support true registration and deregistration operations rather than implicit ones. This can be accomplished by making it possible for the function to determine whether a register operation is occurring or whether a deregister operation is occurring.
Under this model, when a registration operation occurs, kernel32!SetUnhandledExceptionFilter can return a dynamically generated context that merely calls the routine that is previous to the one that was registered. The fact that the context is dynamically generated makes it possible for the function to distinguish between registrations and deregistrations. When the function is called with a dynamically generated context, it can assume that a deregistration operation os occurring. Otherwise, it must assume that a registration operation is occurring.
To ensure that the underlying list of registered UEFs is not