Structured Exception Handling (SEH) is a feature of the Windows OS for handling exceptional conditions that may occur while a process is running.
The exceptions are related to:
- Hardware, such as illegally accessing protected memory locations
- Software, such as attempting to write to a file that is marked read-only.
This feature allows a process to handle errors gracefully rather than crashing.
SEH is enabled for every process and thread in the operating system, but the programmer should use it to handle the exceptions.
Every stack frame has a separate block for structured exception handling.
Inside this block there is a list of exception registration records. There is one record for each exception handler registered for use in the function.
In each record, the first block contains the memory address of the next record in the list. This allows the OS to programmatically move through the list when searching for the proper exception handler.
The second block points to the exception handler in the code aka
If the function does not handle the exception itself, only the default exception registration record, for the default handler, will be present in the SEH block of the function's stack frame.
SEH actually helped authors of buffer overflow (BoF) exploits, whose exploits tend to generate exceptions while dealing with protected resources.
One example that used this feature was CodeRed. It appeared in 2001, exploiting Microsoft Index Server, which is used by Microsoft Internet Information Service.
It overwrites the Index Server’s SEH records; triggering an exception then causes Windows to execute exploit code in the stack pointed to by the overwritten SEH record.
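The record layout and list walk described above, together with the overwritten-record case, as an added example (not code from the original page or from Windows): a portable C model that vets a chain of registration records before any handler would be trusted. The names `seh_record`, `validate_chain` and `build_chain`, the all-ones terminator, and the particular checks are assumptions of this example.

```c
#include <stdint.h>
#include <stdio.h>

/* Two-field record as described above: link to the next record, then the handler. */
typedef struct seh_record {
    struct seh_record *next;
    void (*handler)(void);
} seh_record;

/* Assumption: the chain ends with an all-ones link, as on 32-bit Windows. */
#define CHAIN_END ((seh_record *)UINTPTR_MAX)

enum chain_status { CHAIN_OK, REC_OUTSIDE_STACK, REC_MISALIGNED, REC_NOT_ASCENDING, HANDLER_ON_STACK };

static void default_handler(void) {}   /* stands in for the default handler */
static void function_handler(void) {}  /* stands in for a handler the function registered */

/* Walk the list the way a dispatcher would, but vet each record before trusting it. */
enum chain_status validate_chain(const seh_record *head, const void *stack_lo, const void *stack_hi)
{
    uintptr_t lo = (uintptr_t)stack_lo, hi = (uintptr_t)stack_hi, prev = 0;
    while (head != CHAIN_END) {
        uintptr_t rec = (uintptr_t)head, h;
        if (rec < lo || rec > hi - sizeof *head) return REC_OUTSIDE_STACK;
        if (rec % sizeof(void *) != 0) return REC_MISALIGNED;
        if (rec <= prev) return REC_NOT_ASCENDING;       /* also rejects loops */
        h = (uintptr_t)head->handler;
        if (h >= lo && h < hi) return HANDLER_ON_STACK;  /* handler must be code, not stack data */
        prev = rec;
        head = head->next;
    }
    return CHAIN_OK;
}

/* Constructed sample: two records laid out in a buffer that plays the role of the stack. */
seh_record *build_chain(seh_record *stack)
{
    stack[2] = (seh_record){ &stack[5], function_handler };
    stack[5] = (seh_record){ CHAIN_END, default_handler };
    return &stack[2];
}

int main(void)
{
    seh_record stack[8] = {0};
    seh_record *head = build_chain(stack);
    printf("intact chain: %d\n", validate_chain(head, stack, stack + 8));
    /* Simulate the overwrite the text describes: a handler field now pointing into the stack. */
    stack[2].handler = (void (*)(void))(uintptr_t)&stack[6];
    printf("overwritten handler: %d\n", validate_chain(head, stack, stack + 8));
    return 0;
}
```

The ascending-address check relies on the stack growing downward, so each record registered later sits at a lower address than the one it links to.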