Uninformed: Informative Information for the Uninformed

Vol 5» 2006.Sep


Like most security solutions, there are always compatibility problems that must be considered. As it relates to the solution described in this paper, there are a couple of important things to keep in mind.

The first compatibility issue that might happen in the real world is a scenario where an application invalidates the exception handler chain in a legitimate fashion. The author is not currently aware of situations where an application would legitimately need to do this, but it has been observed that some applications, such as cygwin, will do funny things with the exception handler chain that are not likely to play nice with this form of protection. In the event that an application invalidates the exception handler chain, the solution described in this paper may inadvertently detect that an SEH overwrite has occurred simply because it is no longer able to reach the validation frame.

Another compatibility issue that may occur centers around the fact that the implementation described in this paper relies on the hooking of functions. In almost every situation it is a bad idea to use function hooking, but there are often situations where there is no alternative, especially in closed source environments. The use of function hooking can lead to compatibility problems with other applications that also hook ntdll!KiUserExceptionDispatcher. There may also be instances of security products that detect the hooking of ntdll!KiUserExceptionDispatcher and classify it as malware-like behavior. In any case, these compatibility concerns center less around the fundamental concept and more around the specific implementation that would be required of a third-party.