Uninformed: Informative Information for the Uninformed

Vol 9» 2008.Jan


Function or Parent Registers an Exception Handler

One of the unique exploitation vectors that exists in 32-bit programs that run on Windows is known as an SEH overwrite[5]. An SEH overwrite makes it possible to gain control of execution flow by overwriting an exception registration record on the stack. From an exploitation perspective, the act of registering an exception handler within a function opens up the possibility of making use of an SEH overwrite. Since exception handlers are chained, the act of registering an exception handler also implicates any functions that are children of the function that registers it: an overflow in any callee can reach the parent's registration record. This makes it possible to define an exploitation property that captures the possibility of an SEH overwrite being abused within the scope of a specific set of functions. Detecting this property can be as simple as matching a signature for the compiler-generated code that builds and registers an exception handler within a function. An example of two functions, f and g, that would meet this criteria can be seen below:

#include <windows.h>   /* __try/__except and EXCEPTION_EXECUTE_HANDLER are MSVC SEH extensions */

void g();

void f() {
   __try {
      g();
   } __except(EXCEPTION_EXECUTE_HANDLER) {
      /* any exception raised in g (or anything g calls) lands here and is swallowed */
   }
}

void g() {
   ...
}
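The detection approach described above, matching the compiler-generated registration sequence, as an added example in C that is not from the article: it scans an x86 code buffer for the MSVC prologue instructions that read the chain head at fs:[0] and then write the new record's address back to fs:[0], recovers the pushed handler address where a push imm32 directly precedes the read, and reports each function that sets up a frame. The byte patterns are the standard x86 encodings of those instructions; the three sample prologues, the 32-byte window between the read and the install, and the function names (find_seh_registrations, sample_hit and friends) are constructed assumptions for illustration, not data or code from a real binary.

```c
/* Added example: flag functions that register an SEH frame by signature-matching
 * the MSVC-generated prologue. SAMPLE_CODE is constructed, not from a real binary,
 * and INSTALL_WINDOW is an assumption. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Instructions an MSVC SEH prologue contains (x86 encodings):
 *   64 A1 00 00 00 00     mov eax, dword ptr fs:[0]   read current chain head
 *   64 89 25 00 00 00 00  mov dword ptr fs:[0], esp   install record (VC6/VC7 style)
 *   64 A3 00 00 00 00     mov dword ptr fs:[0], eax   install record (VS2005+ style)
 * The push of the handler address (68 imm32) immediately precedes the read. */
static const uint8_t READ_FS0[]      = { 0x64, 0xA1, 0x00, 0x00, 0x00, 0x00 };
static const uint8_t WRITE_FS0_ESP[] = { 0x64, 0x89, 0x25, 0x00, 0x00, 0x00, 0x00 };
static const uint8_t WRITE_FS0_EAX[] = { 0x64, 0xA3, 0x00, 0x00, 0x00, 0x00 };
#define INSTALL_WINDOW 32  /* max bytes between the read and the install (assumption) */

typedef struct {
    size_t   offset;       /* offset of "mov eax, fs:[0]" in the buffer */
    size_t   install;      /* offset of the instruction that writes fs:[0] */
    int      have_handler; /* 1 if a "push imm32" sits right before the read */
    uint32_t handler;      /* the pushed handler address, if recovered */
} seh_hit;

/* Constructed sample: three function prologues. f (VC6 style) and h (VS2005
 * style) set up an SEH frame; g does not. Offsets in comments are buffer offsets. */
static const uint8_t SAMPLE_CODE[] = {
    /* f */
    0x55, 0x8B, 0xEC,                         /* push ebp; mov ebp, esp        */
    0x6A, 0xFF,                               /* push -1                       */
    0x68, 0x10, 0x20, 0x40, 0x00,             /* push offset scopetable        */
    0x68, 0x00, 0x30, 0x40, 0x00,             /* push offset __except_handler3 */
    0x64, 0xA1, 0x00, 0x00, 0x00, 0x00,       /* mov eax, fs:[0]        (+15)  */
    0x50,                                     /* push eax                      */
    0x64, 0x89, 0x25, 0x00, 0x00, 0x00, 0x00, /* mov fs:[0], esp        (+22)  */
    0x83, 0xC4, 0xF0,                         /* add esp, -16                  */
    0xC3,                                     /* ret                           */
    /* g */
    0x55, 0x8B, 0xEC,                         /* push ebp; mov ebp, esp        */
    0x83, 0xEC, 0x10,                         /* sub esp, 16                   */
    0x33, 0xC0,                               /* xor eax, eax                  */
    0x8B, 0xE5, 0x5D, 0xC3,                   /* mov esp, ebp; pop ebp; ret    */
    /* h */
    0x55, 0x8B, 0xEC,                         /* push ebp; mov ebp, esp        */
    0x6A, 0xFE,                               /* push -2                       */
    0x68, 0x20, 0x20, 0x40, 0x00,             /* push offset scopetable        */
    0x68, 0x00, 0x40, 0x40, 0x00,             /* push offset __except_handler4 */
    0x64, 0xA1, 0x00, 0x00, 0x00, 0x00,       /* mov eax, fs:[0]        (+60)  */
    0x50,                                     /* push eax                      */
    0x83, 0xC4, 0xE8,                         /* add esp, -24                  */
    0x8D, 0x45, 0xF0,                         /* lea eax, [ebp-16]             */
    0x64, 0xA3, 0x00, 0x00, 0x00, 0x00,       /* mov fs:[0], eax        (+73)  */
    0xC3,                                     /* ret                           */
};

static int match_at(const uint8_t *code, size_t len, size_t i,
                    const uint8_t *pat, size_t plen) {
    return i + plen <= len && memcmp(code + i, pat, plen) == 0;
}

static uint32_t le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Scan code[0..len) for SEH frame registrations. Returns the total number found;
 * at most max_hits of them are written to hits (hits may be NULL if max_hits is 0). */
size_t find_seh_registrations(const uint8_t *code, size_t len,
                              seh_hit *hits, size_t max_hits) {
    size_t n = 0;
    for (size_t i = 0; i + sizeof READ_FS0 <= len; i++) {
        if (!match_at(code, len, i, READ_FS0, sizeof READ_FS0)) continue;
        size_t start = i + sizeof READ_FS0;
        size_t limit = (start + INSTALL_WINDOW < len) ? start + INSTALL_WINDOW : len;
        for (size_t j = start; j < limit; j++) {
            if (!match_at(code, len, j, WRITE_FS0_ESP, sizeof WRITE_FS0_ESP) &&
                !match_at(code, len, j, WRITE_FS0_EAX, sizeof WRITE_FS0_EAX))
                continue;
            if (n < max_hits) {
                hits[n].offset = i;
                hits[n].install = j;
                hits[n].have_handler = (i >= 5 && code[i - 5] == 0x68);
                hits[n].handler = hits[n].have_handler ? le32(code + i - 4) : 0;
            }
            n++;
            break;   /* one install per read; resume scanning after this read */
        }
    }
    return n;
}

/* Accessors over the constructed sample. sample_hit() returns offset SIZE_MAX
 * when k is out of range. */
size_t sample_hit_count(void) {
    return find_seh_registrations(SAMPLE_CODE, sizeof SAMPLE_CODE, NULL, 0);
}

seh_hit sample_hit(size_t k) {
    seh_hit hits[8];
    size_t n = find_seh_registrations(SAMPLE_CODE, sizeof SAMPLE_CODE, hits, 8);
    if (k >= n || k >= 8) { seh_hit none = { SIZE_MAX, SIZE_MAX, 0, 0 }; return none; }
    return hits[k];
}

int main(void) {
    size_t n = sample_hit_count();
    printf("%zu function(s) in the sample register an exception handler\n", n);
    for (size_t k = 0; k < n; k++) {
        seh_hit h = sample_hit(k);
        printf("  read fs:[0] at +0x%02zx, install at +0x%02zx, handler ", h.offset, h.install);
        if (h.have_handler) printf("0x%08x\n", h.handler);
        else                printf("not recovered\n");
    }
    return 0;
}
```

A byte signature like this is a quick heuristic: it catches the stock prologues but misses a frame whose registration was reordered, inlined into unusual instruction forms, or hand-written in assembly, and it says nothing about which callees are reachable from the registering function. A disassembler-driven pass that finds any write to fs:[0] and then walks the call graph downward is what turns the per-function hit into the per-scope property the text describes.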

In addition to this information being useful from an SEH overwrite perspective, it may also benefit an attacker in situations where an exception handler simply swallows any exceptions that are dispatched without crashing the process[1]. In the example given above, any exception that occurs in the context of g will be swallowed by f without necessarily crashing the process. This behavior may allow an attacker to retry their exploitation attempt multiple times, thus enabling a brute-force attack that would otherwise not be feasible. In particular, it can make defeating ASLR by repeated guessing practical, since a wrong guess no longer costs the attacker the process.