October 24, 2020

Structured Exception Handling

Structured Exception Handling (SEH) is a feature of the Windows OS for handling exceptional conditions that may occur while a process is running.

The exceptions are related to

  • Hardware, such as illegally accessing protected memory locations
  • Software, such as attempting to write to a file that is marked read-only

This feature allows a process to handle errors gracefully rather than crashing.

For example

SEH is enabled for every process and thread in the operating system, but the programmer has to use it to handle the exceptions.

Every stack frame has a separate block for structured exception handling.

Inside this block there is a list of exception registration records. There is one record for each exception handler registered for use in the function.

In each record, the first field contains the memory address of the next record in the list. This lets the OS programmatically walk the list when searching for the proper exception handler.

The second field points to the exception handler in the code, aka the except block.

If the function does not handle exceptions itself, only the default exception registration record for the default handler is present in the SEH block of the function's stack frame.

This mechanism actually helped buffer overflow (BoF) exploit authors, whose exploits tend to generate exceptions while dealing with protected resources.

An example that used this feature was CodeRed. It appeared in 2001, exploiting the Microsoft Index Server used by Microsoft Internet Information Services.

The red-marked part is used to overflow the buffer and set the IP to execute the exploit marked with the green circle.

It overwrites the Index Server's SEH records; triggering an exception then causes Windows to execute the exploit code on the stack pointed to by the overwritten SEH record.
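The record layout and list walk described above, modeled in portable C as an added example (not code from the original post, and not Windows' own structures): `seh_record`, `walk_chain`, `demo` and the frame layout are hypothetical names constructed for illustration. It goes beyond the text by adding integrity checks, similar in spirit to the chain validation Windows later introduced as SEHOP, so the walker refuses a chain whose record was overwritten as in the CodeRed case.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Portable model of one exception registration record (names are assumed). */
typedef struct seh_record {
    struct seh_record *next;   /* first field: address of the next record */
    void (*handler)(void);     /* second field: address of the handler (except block) */
} seh_record;

/* 32-bit Windows marks the end of the list with 0xFFFFFFFF; modeled as all-ones. */
#define CHAIN_END ((seh_record *)UINTPTR_MAX)
static void default_handler(void) {}   /* stands in for the OS default handler */
static void func_handler(void) {}      /* stands in for a function's except block */

/* Walk the list as the OS does. Returns the record count, or -1 if a record is
   outside [lo, hi), misaligned, past max (loop), or the last is not the default. */
int walk_chain(const seh_record *head, const void *lo, const void *hi, int max)
{
    const seh_record *r = head, *last = NULL;
    int n = 0;
    while (r != CHAIN_END) {
        uintptr_t a = (uintptr_t)r;   /* validate the address before reading it */
        if (a < (uintptr_t)lo || a > (uintptr_t)hi - sizeof *r) return -1;
        if (a % sizeof(void *) != 0 || ++n > max) return -1;
        last = r;
        r = r->next;
    }
    return (last && last->handler == default_handler) ? n : -1;
}

/* Constructed frame: a local buffer sits below the function's record. */
struct frames { char buf[16]; seh_record rec; seh_record dflt; };

int demo(int overflow)
{
    struct frames f;
    memset(f.buf, 0, sizeof f.buf);
    f.dflt.next = CHAIN_END; f.dflt.handler = default_handler;
    f.rec.next  = &f.dflt;   f.rec.handler  = func_handler;
    if (overflow)   /* models an unchecked copy running past buf into rec */
        memset(&f, 'A', offsetof(struct frames, dflt));
    return walk_chain(&f.rec, &f, &f + 1, 8);
}

int main(void)
{
    printf("intact: %d, overwritten: %d\n", demo(0), demo(1));
    return 0;
}
```

The intact chain yields two records (the function's handler, then the default handler); once the record's fields are clobbered, the next pointer no longer lands inside the stack range and the walk is rejected before any handler address is used.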

Gurkirat
