Uninformed: Informative Information for the Uninformed

Vol 4» 2006.Jun


Prevent Execution of non-image UEF

As with preventing the setting of a non-image UEF, it may also be possible to modify kernel32!UnhandledExceptionFilter so that it refuses to execute the top-level UEF if it points to a non-image region. While this seems like a useful check that should solve the issue, it does not. Consider the scenario where the top-level UEF is set to an invalid address due to asymmetric deregistration. Following that, the top-level UEF is set to a new value that is the location of a valid function. After this point, if an unhandled exception is dispatched, kernel32!UnhandledExceptionFilter will see that the top-level UEF points to a valid image region and will call it. However, the top-level UEF may be implemented so that it passes exceptions it cannot handle on to the previously registered top-level UEF. When this occurs, the invalid UEF is called, and it may point to arbitrary code at the time it is executed. Filtering non-image regions in kernel32!UnhandledExceptionFilter does not change the fact that uncontrolled UEFs may pass exceptions on up the chain.
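The scenario above can be traced in a small model. This is an added example, not code from the original article or from Windows: addresses are plain integers, the three modules A, B and C, their base addresses and the helper names (in_image, set_uef, dispatch, scenario) are constructed, and the A/B ordering is one assumed instance of asymmetric deregistration.

```c
#include <stdint.h>
#include <stdio.h>

/* Toy model, not Windows code: "image" ranges stand in for
   image-backed module mappings; all values are constructed. */
typedef struct { uintptr_t base, size; int loaded; } module_t;

static module_t mods[] = {
    { 0x10000000, 0x1000, 1 },   /* module A */
    { 0x20000000, 0x1000, 1 },   /* module B */
    { 0x30000000, 0x1000, 1 },   /* module C */
};
static uintptr_t top_uef;        /* models the top-level UEF pointer */

/* The proposed check: is addr inside a currently loaded image? */
static int in_image(uintptr_t addr) {
    for (size_t i = 0; i < sizeof mods / sizeof mods[0]; i++)
        if (mods[i].loaded && addr - mods[i].base < mods[i].size) return 1;
    return 0;
}

/* Models SetUnhandledExceptionFilter: install f, return the previous UEF. */
static uintptr_t set_uef(uintptr_t f) { uintptr_t p = top_uef; top_uef = f; return p; }

/* Returns the non-image address that would end up being called, or 0.
   chain_prev is the pointer the top-level filter saved and forwards to. */
static uintptr_t dispatch(uintptr_t chain_prev) {
    if (!top_uef || !in_image(top_uef)) return 0;  /* check blocks the call */
    /* The top-level filter runs, cannot handle the exception and forwards
       it; the dispatcher never sees this second pointer. */
    if (chain_prev && !in_image(chain_prev)) return chain_prev;
    return 0;
}

/* Asymmetric deregistration followed by a new, valid registration. */
static uintptr_t scenario(void) {
    uintptr_t fa = mods[0].base + 0x10, fb = mods[1].base + 0x10, fc = mods[2].base + 0x10;
    uintptr_t a_prev = set_uef(fa);        /* A registers, saves 0        */
    uintptr_t b_prev = set_uef(fb);        /* B registers, saves fa       */
    set_uef(a_prev); mods[0].loaded = 0;   /* A deregisters first, unloads */
    set_uef(b_prev); mods[1].loaded = 0;   /* B restores fa: now stale    */
    uintptr_t c_prev = set_uef(fc);        /* C registers, saves stale fa */
    return dispatch(c_prev);               /* fc passes, chain reaches fa */
}

int main(void) {
    printf("non-image address reached: 0x%llx\n", (unsigned long long)scenario());
    return 0;
}
```

The check only ever inspects the pointer stored in top_uef; the stale pointer lives in C's private saved-previous variable, which is why validating at dispatch time cannot cover the chain.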