
Using Structured Exception Handler (SEH)

H0l0kausT Issue 1

Published in H0l0kausT · 5 Mar 2023

Billy Belcebu/DDT


Well, this is a very simple tutorial about the Structured Exception Handler. When I saw SEH implemented in a virus, I thought "Well, it does a lot. Must be very hard to implement". So I simply skipped its use. But, as my Destiny made General Protection Faults running under NT, as I read in 0BFF70000h, I realized that I had to do something. And SEH was the only way. Well, we can make it very complex to understand, or very easy. Of course, I prefer to make it easier :)

Setting up the SEH frame

First we save the current handler pointer (the dword at fs:[0]) for our own safety, with a single line of code.

                push    dword ptr fs:[0]

And now it's time to make fs:[0] point to our handler. For example, imagine that we used a call to reach the SEH setup code, and our handler is just after that call instruction: the return address pushed by the call can then serve as the handler offset.

                push    offset SEH_Handler
                mov     fs:[0],esp

Well, as easy as it gets. What about restoring the original SEH? Even easier. Simply do the opposite of the first instruction.

                pop     dword ptr fs:[0]

It's surprising how much such a simple thing to implement can do for our Windoze viruses. For me (as it was the use of SEH I was searching for) the most important one is that it can help us avoid all those goddamn blue screens when we run our Win95 virus under NT environments. That goddamn blue screen appears every time we try to make comparisons over our hardcoded Win95 kernel under NT.

Example of SEH use

Well, you can compile this with:

                tasm32 /m3 /ml sehtest,,;
                tlink32 /Tpe /aa sehtest,sehtest,,import32.lib


                .386p
                .model  flat                    ; Good good... 32 bit r0x0r

extrn           MessageBoxA:PROC                ; Defined APIs
extrn           ExitProcess:PROC

                .data

szTitle         db      "Structured Exception Handler",0
szMessage       db      "Intercepted General Protection Fault!",0

                .code

start:
                call    setupSEH                ; The call pushes the offset
                                                ; past it on the stack, right?
                                                ; So we will use that :)
errorhandler:
                mov     esp,[esp+8]             ; [ESP+8] points to our SEH
                                                ; record, i.e. the ESP we had
                                                ; when the frame was set up

                push    00000000h               ; Parameters for MessageBoxA
                push    offset szTitle
                push    offset szMessage
                push    00000000h
                call    MessageBoxA

                push    00000000h
                call    ExitProcess             ; Exit Application

setupSEH:
                push    dword ptr fs:[0]        ; Push original SEH handler
                mov     fs:[0],esp              ; And put the new one (located
                                                ; after the first call)

                mov     ebx,0BFF70000h          ; Try to write in kernel (will
                mov     eax,012345678h          ; generate an exception)
                xchg    eax,[ebx]

end             start
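The memory layout behind the listing above, as an added Python model that is not part of the original article: it builds the fs:[0] linked list the way the two pushes do, walks it the way a debugger's exception-chain view does, and shows why [esp+8] inside the handler is the address of the record. All stack addresses, handler addresses and dispatcher values are constructed, and the OS dispatch is simplified to the five dwords the handler finds on its stack.

```python
import struct

END = 0xFFFFFFFF  # terminator Windows stores in the last record's Next field

class Thread:
    """Constructed model: a small downward-growing 32-bit stack plus fs:[0]."""
    def __init__(self, top=0x0012FFFC, size=0x100):
        self.base, self.mem = top - size, bytearray(size)
        self.esp, self.fs0 = top, END
    def read(self, addr):
        return struct.unpack_from("<I", self.mem, addr - self.base)[0]
    def push(self, value):
        self.esp -= 4
        struct.pack_into("<I", self.mem, self.esp - self.base, value)
    def pop(self):
        value = self.read(self.esp)
        self.esp += 4
        return value

def install_frame(t, handler):
    t.push(handler)   # handler address ('call setupSEH' pushes it in the listing)
    t.push(t.fs0)     # push dword ptr fs:[0]  -> Next field of the record
    t.fs0 = t.esp     # mov fs:[0],esp         -> record becomes head of the chain
    return t.esp

def walk_chain(t):
    """Follow Next pointers from fs:[0]; returns [(record address, handler)]."""
    chain, rec = [], t.fs0
    while rec != END:
        chain.append((rec, t.read(rec + 4)))
        rec = t.read(rec)
    return chain

def dispatch(t, exc_record=0xEEEE0000, context=0xCCCC0000, ret=0x77000000):
    """Simplified OS side: push the four handler arguments and a return address."""
    frame = t.fs0
    for value in (0, context, frame, exc_record, ret):  # pushed right to left
        t.push(value)
    return t.read(frame + 4)  # address that receives control

def recover(t):
    """Handler side: mov esp,[esp+8] followed by pop dword ptr fs:[0]."""
    t.esp = t.read(t.esp + 8)  # [esp+8] = EstablisherFrame = our record
    t.fs0 = t.pop()            # previous head of the chain is restored
    return t.pop()             # handler field; esp is back at its pre-call value
```

The first entry returned by walk_chain is the handler that runs on the next fault, which is where an analyst sets a breakpoint before letting a deliberate exception fire.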

Another possible thing to do: AntiDebugging

Jacky Qwerty's Win32.Cabanas also uses SEH for anti-debug features. Very easy to implement. You have to set up SEH, as shown above, generate an exception (the above code can be used) and then make the handler point to the continuation of the virus code, and restore the old handler. Simple and effective :)

Final words

Hey, now you don't have any excuse not to use SEH in your viruses! What the hell are you waiting for? Well, as you can see, the use of SEH is very easy to understand, takes few lines of code, and can help us a lot.

Billy Belcebu,
mass killer and ass kicker.
