Vulnerability Development mailing list archives
Re: overwriting SEH and debugging
From: "Dude VanWinkle" <dudevanwinkle () gmail com>
Date: Sat, 22 Dec 2007 14:19:24 -0500
On Dec 20, 2007 12:36 PM, H D Moore <sflist () digitaloffense net> wrote:
> This occurs because of a feature known as "SafeSEH". This is a new compiler flag that creates a list of registered SEH handlers within each executable and DLL. If your target executable was compiled with /SafeSEH and you try to return into a module that has also been compiled with this feature, but the address you chose is not in the list of registered handlers, then the exception handling code will not transfer execution. There are a few options to work around this:
>
> 1. On Windows 2003, prior to SP1, SafeSEH was essentially broken and you can return to DLLs such as "ATL.dll" and a few others without the registered list being checked.
Do ATL.dll and friends equate to the SEH version of XPSP2's starforce.dll (where you can turn off DEP by invoking it), meaning does calling them cancel out all SafeSEH security, or are they just free from the SafeSEH restrictions by themselves? I assume it's the latter, but just thought I would ask...

-JP<who hopes DRM software needs the same coddling as video games>
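The quoted explanation turns on one structure: a SafeSEH module carries a table of registered handler RVAs in its load-config directory, and a module without that table is simply not checked. The following is an added example, not code from the thread or from any of its participants, showing how a defender can audit a PE32 image for that table by parsing the headers directly (the same information `dumpbin /loadconfig` reports). `audit_safeseh`, `handler_allowed` and `build_sample_pe` are names chosen for this example; `build_sample_pe` constructs a minimal fake DLL in memory so the block runs without a real Windows binary, and `handler_allowed` is a simplified model of the loader's decision, not a reimplementation of RtlIsValidHandler.

```python
"""Audit a PE32 image for SafeSEH (constructed example, not code from the thread).

Offsets follow the documented layouts of IMAGE_OPTIONAL_HEADER32 and
IMAGE_LOAD_CONFIG_DIRECTORY32. handler_allowed() is a simplified model of the
dispatcher's check; the real RtlIsValidHandler has further cases.
"""
import struct

IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG = 10    # index of the load-config data directory
IMAGE_DLLCHARACTERISTICS_NO_SEH = 0x0400  # image declares it uses no SEH at all
LOADCFG_SEH_FIELDS_END = 0x48             # SEHandlerTable (0x40) + SEHandlerCount (0x44) + 4


def _rva_to_offset(sections, rva):
    """Map an RVA to a file offset using the section table."""
    for virt_addr, virt_size, raw_ptr, raw_size in sections:
        if virt_addr <= rva < virt_addr + max(virt_size, raw_size):
            return rva - virt_addr + raw_ptr
    raise ValueError("RVA 0x%x not backed by any section" % rva)


def audit_safeseh(data):
    """Describe the SafeSEH state of a PE32 image held in bytes."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = pe_off + 4
    n_sections, = struct.unpack_from("<H", data, coff + 2)
    opt_size, = struct.unpack_from("<H", data, coff + 16)
    opt = coff + 20
    magic, = struct.unpack_from("<H", data, opt)
    if magic != 0x10B:
        # SafeSEH is a 32-bit mechanism; x64 images use table-based unwinding instead.
        return {"pe32": False, "no_seh": False, "safeseh": False, "handler_rvas": []}
    image_base, = struct.unpack_from("<I", data, opt + 28)
    dll_chars, = struct.unpack_from("<H", data, opt + 70)
    n_dirs, = struct.unpack_from("<I", data, opt + 92)
    report = {"pe32": True,
              "no_seh": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_NO_SEH),
              "safeseh": False, "handler_rvas": []}
    if n_dirs <= IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG:
        return report
    cfg_rva, cfg_size = struct.unpack_from(
        "<II", data, opt + 96 + 8 * IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG)
    if cfg_rva == 0:
        return report                  # no load config at all: an older, unchecked module
    sections = []
    for i in range(n_sections):
        hdr = opt + opt_size + 40 * i
        vsize, vaddr, rsize, rptr = struct.unpack_from("<IIII", data, hdr + 8)
        sections.append((vaddr, vsize, rptr, rsize))
    cfg_off = _rva_to_offset(sections, cfg_rva)
    # The Size field is the struct's own size; the SEH fields exist only if it reaches them.
    struct_size, = struct.unpack_from("<I", data, cfg_off)
    if struct_size < LOADCFG_SEH_FIELDS_END:
        return report
    table_va, count = struct.unpack_from("<II", data, cfg_off + 0x40)
    if table_va == 0:
        return report
    table_off = _rva_to_offset(sections, table_va - image_base)  # table pointer is a VA
    report["safeseh"] = True
    report["handler_rvas"] = list(struct.unpack_from("<%dI" % count, data, table_off))
    return report


def handler_allowed(report, handler_rva):
    """Simplified model: may the dispatcher run a handler at this RVA inside the module?"""
    if report["no_seh"]:
        return False                   # module promised never to use SEH
    if not report["safeseh"]:
        return True                    # no table to check against: the gap the thread describes
    return handler_rva in report["handler_rvas"]


def build_sample_pe(handler_rvas=None, no_seh=False, image_base=0x10000000):
    """Construct a minimal PE32 DLL in memory (constructed test data, not a real binary).

    handler_rvas=None builds a module with no load-config directory (not SafeSEH);
    a tuple builds a SafeSEH handler table holding exactly those RVAs.
    """
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                            # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x014C, 1, 0, 0, 0, 224, 0x2102)  # i386, 1 section, DLL
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                            # PE32 magic
    struct.pack_into("<III", opt, 28, image_base, 0x1000, 0x200)    # ImageBase, SectionAlign, FileAlign
    struct.pack_into("<II", opt, 56, 0x2000, 0x200)                  # SizeOfImage, SizeOfHeaders
    struct.pack_into("<H", opt, 70, IMAGE_DLLCHARACTERISTICS_NO_SEH if no_seh else 0)
    struct.pack_into("<I", opt, 92, 16)                              # NumberOfRvaAndSizes
    if handler_rvas is not None:
        struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG, 0x1000, 0x48)
    sect = bytearray(40)
    sect[:6] = b".rdata"
    struct.pack_into("<IIII", sect, 8, 0x200, 0x1000, 0x200, 0x200)  # VirtSize, VA, RawSize, RawPtr
    struct.pack_into("<I", sect, 36, 0x40000040)                     # readable initialised data
    headers = dos + b"PE\0\0" + coff + opt + sect
    headers += bytes(0x200 - len(headers))
    body = bytearray(0x200)                                           # section bytes, RVA 0x1000..0x11FF
    if handler_rvas is not None:
        struct.pack_into("<I", body, 0, 0x48)                         # load config Size
        struct.pack_into("<II", body, 0x40, image_base + 0x1100, len(handler_rvas))
        struct.pack_into("<%dI" % len(handler_rvas), body, 0x100, *sorted(handler_rvas))
    return bytes(headers + body)


if __name__ == "__main__":
    for label, img in (("safeseh", build_sample_pe((0x1050, 0x1020))), ("legacy", build_sample_pe())):
        print(label, audit_safeseh(img))
```

To audit a real module, pass `open(path, "rb").read()` to `audit_safeseh`; a report with `safeseh` false and `no_seh` false is a module the dispatcher will not check, which is exactly the class of DLL the message says made the 2003-pre-SP1 bypass possible, and the list worth producing for every process's loaded modules when assessing an exploit-mitigation posture.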
Current thread:
- overwriting SEH and debugging opexoc (Dec 20)
- Re: overwriting SEH and debugging H D Moore (Dec 21)
- Re: overwriting SEH and debugging Dude VanWinkle (Dec 24)
- Re: overwriting SEH and debugging H D Moore (Dec 24)
- Re: overwriting SEH and debugging Dude VanWinkle (Dec 24)
- Re: overwriting SEH and debugging H D Moore (Dec 21)