自己做了一个SEH相关的一个小程序,顺便在调试的时候观察一下
0:000> g $exentry ModLoad: 75a90000 75ab5000 C:\Windows\SysWOW64\IMM32.DLL eax=001bf840 ebx=00300000 ecx=00851010 edx=00851010 esi=00851010 edi=00851010 eip=00851010 esp=001bf7e8 ebp=001bf7f4 iopl=0 nv up ei pl zr na pe nc cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000246 Project1!_Start: 00851010 6764a10000 mov eax,dword ptr fs:[00000000h] fs:0053:00000000=001bf840
; _Start -- MASM (32-bit) entry point of the "KillSeh" experiment.
; It installs a handler record on the stack, then deliberately cuts the
; rest of the SEH chain off and faults, so the dispatcher's reaction can be
; watched in WinDbg. Snapshot 1: eip is at the first mov (see the !exchain
; output below: chain head is still the CRT record at 001bf840).
; Register roles: eax = old chain head (fs:[0]); the new record is built
; with two pushes, so its layout is [esp] = Next, [esp+4] = Handler.
_Start:
        assume  fs:nothing
        mov     eax,fs:[0]              ;<---IP   eax = current head record; its Next field is at [eax]
        push    offset myHandler        ; new record, Handler field
        push    fs:[0]                  ; new record, Next field = old head
        mov     fs:[0],esp              ; make the stack record the chain head
        mov     ecx,-1
        mov     [eax],ecx               ; old head's Next = 0FFFFFFFFh (end-of-chain): everything behind it (FinalExceptionHandlerPad54 in the !exchain output) is now unreachable
        xor     eax,eax
        mov     [eax],eax               ; write to address 0 -> access violation -> dispatch starts at myHandler
        retn
END _Start
0:000> !exchain 001bf840: ntdll!_except_handler4+0 (775da040) CRT scope 0, filter: ntdll!__RtlUserThreadStart+3ad46 (7760293b) func: ntdll!__RtlUserThreadStart+3addf (776029d4) 001bf858: ntdll!FinalExceptionHandlerPad54+0 (775e8ff6) Invalid exception stack at ffffffff
; _Start -- same code as above, snapshot 2: eip has reached `mov ecx,-1`,
; i.e. the stack record is already installed. The !exchain output that
; follows now lists it first (001bf7e0, handler Project1!_Start-0x10),
; ahead of the CRT record at 001bf840.
_Start:
        assume  fs:nothing
        mov     eax,fs:[0]              ; eax = old head record (001bf840 in this run)
        push    offset myHandler        ; Handler field of the new record
        push    fs:[0]                  ; Next field of the new record
        mov     fs:[0],esp              ; chain head = new record (001bf7e0)
        mov     ecx,-1                  ;<---IP
        mov     [eax],ecx               ; terminate the chain right after the old head
        xor     eax,eax
        mov     [eax],eax               ; null-pointer write: raises the access violation
        retn
END _Start
0:000> !exchain 001bf7e0: Project1!_Start+fffffffffffffff0 (00851000) 001bf840: ntdll!_except_handler4+0 (775da040) CRT scope 0, filter: ntdll!__RtlUserThreadStart+3ad46 (7760293b) func: ntdll!__RtlUserThreadStart+3addf (776029d4) 001bf858: ntdll!FinalExceptionHandlerPad54+0 (775e8ff6) Invalid exception stack at ffffffff
发现handler函数在0x00851000处,反汇编一下
; WinDbg `u` at 00851000, the address !exchain reported for the new record's
; handler. The handler has no symbol of its own (it is assembled 0x10 bytes
; before _Start, KillSeh.asm line 24), so WinDbg prints it as
; _Start+0xffffffff`fffffff0. The five instructions are a MessageBoxA call
; with nothing after it: there is no `retn` between 0085100b and 00851010,
; so the handler falls straight through into _Start and re-runs the fault.
0:000> u 00851000
Project1!_Start+0xffffffff`fffffff0 [D:\seh\Project1\KillSeh.asm @ 24]:
00851000 6a04            push    4                                         ; uType
00851002 6a00            push    0                                         ; lpCaption
00851004 6803408500      push    offset Project1!messuc (00854003)         ; lpText
00851009 6a00            push    0                                         ; hWnd
0085100b e82e000000      call    Project1!MessageBoxA (0085103e)           ; no ret after this -> falls into _Start
Project1!_Start [D:\seh\Project1\KillSeh.asm @ 34]:
00851010 6764a10000      mov     eax,dword ptr fs:[00000000h]
00851015 6800108500      push    offset Project1!_Start+0xffffffff`fffffff0 (00851000)
0085101a 6764ff360000    push    dword ptr fs:[0000h]
然后发现我这个handler没有返回,由于在汇编中我把它写在_Start前面,所以会错上加错(执行完直接掉进_Start再次触发异常),SEH链上的处理函数应该返回ExceptionContinueSearch让程序继续搜索下一个异常处理程序(_except_handler4)
于是乎我定义了一下ExceptionContinueSearch = 1(估计库里面也有)
; Tail of the corrected handler: return ExceptionContinueSearch (defined
; above as 1, the EXCEPTION_DISPOSITION value meaning "not handled, keep
; walking the chain") and actually return, instead of falling through into
; _Start as the first version did.
mov eax,ExceptionContinueSearch
retn
再继续调试,这次终于找到元凶了
; ntdll!_except_handler4 -- the CRT SEH handler behind the 001bf840 record
; (registered for __RtlUserThreadStart's frame, per !exchain). It is only a
; forwarder: the four handler arguments at [ebp+8]..[ebp+14h] (presumably
; the standard x86 order ExceptionRecord, EstablisherFrame, ContextRecord,
; DispatcherContext) plus the addresses of __security_check_cookie and
; __security_cookie are passed to _except_handler4_common. What the common
; routine does with the cookie is not visible here -- presumably it validates
; the frame's scope table before walking it; confirm in _except_handler4_common.
ntdll!_except_handler4:
775da040 8bff            mov     edi,edi                               ; 2-byte hot-patch padding
775da042 55              push    ebp
775da043 8bec            mov     ebp,esp
775da045 ff7514          push    dword ptr [ebp+14h]                   ; arg4
775da048 ff7510          push    dword ptr [ebp+10h]                   ; arg3
775da04b ff750c          push    dword ptr [ebp+0Ch]                   ; arg2
775da04e ff7508          push    dword ptr [ebp+8]                     ; arg1
775da051 68603f5d77      push    offset ntdll!__security_check_cookie (775d3f60)
775da056 6860336877      push    offset ntdll!__security_cookie (77683360)
775da05b e870bcffff      call    ntdll!_except_handler4_common (775d5cd0)
775da060 83c418          add     esp,18h                               ; cdecl callee: caller removes 6*4 bytes of args
775da063 5d              pop     ebp
775da064 c3              ret                                           ; eax = disposition from _except_handler4_common
又是security_check,这玩意一般是防止栈溢出用的,这里我也没调过,接着看下一个函数
ntdll!_except_handler4_common
发现了一个函数用来调用seh链上的异常处理函数
; ntdll!ExecuteHandler2 -- calls one SEH handler (5th arg, [ebp+18h]) with
; the four arguments this routine itself received, and protects the call with
; a nested SEH record built on its own stack:
;   [esp]    Next    = previous fs:[0]
;   [esp+4]  Handler = edx on entry (set by the caller, not visible here;
;                       presumably the dispatcher's nested-exception handler)
;   [esp+8]  copy of [ebp+0Ch], presumably for that nested handler's use
; After the handler returns, fs:[0] is restored from the record and the
; frame is torn down. stdcall, 5 args (ret 14h).
; Author's aside (translated): "Is editing the SEH chain through the stack
; really this common? It would get hooked in no time (kidding) -- worth
; trying sometime."
ntdll!ExecuteHandler2:
775e8e4c 55              push    ebp
775e8e4d 8bec            mov     ebp,esp
775e8e4f ff750c          push    dword ptr [ebp+0Ch]                   ; extra field below the nested record
775e8e52 52              push    edx                                   ; nested record: Handler
775e8e53 64ff3500000000  push    dword ptr fs:[0]                      ; nested record: Next
775e8e5a 64892500000000  mov     dword ptr fs:[0],esp                  ; nested record becomes the chain head
775e8e61 ff7514          push    dword ptr [ebp+14h]                   ; arg4 for the handler
775e8e64 ff7510          push    dword ptr [ebp+10h]                   ; arg3
775e8e67 ff750c          push    dword ptr [ebp+0Ch]                   ; arg2
775e8e6a ff7508          push    dword ptr [ebp+8]                     ; arg1
775e8e6d 8b4d18          mov     ecx,dword ptr [ebp+18h]               ; ecx = handler address
775e8e70 ffd1            call    ecx                                   ; invoke the SEH handler (myHandler / _except_handler4 here)
775e8e72 648b2500000000  mov     esp,dword ptr fs:[0]                  ; esp = our nested record (discards the handler's args)
775e8e79 648f0500000000  pop     dword ptr fs:[0]                      ; unlink: fs:[0] = saved Next
775e8e80 8be5            mov     esp,ebp
775e8e82 5d              pop     ebp
775e8e83 c21400          ret     14h                                   ; eax = handler's disposition
再上一级函数
; ntdll!ExecuteHandler -- thunk that saves ebx/esi/edi, zeroes eax/ebx/esi/edi
; and re-pushes its five stack arguments for ExecuteHandler2. Because each
; push lowers esp by 4, the fixed offset [esp+20h] walks from arg5 down to
; arg1, so ExecuteHandler2 receives the arguments in the original order.
; RtlpExecuteHandlerForException (775e8e10, the call target seen in
; RtlDispatchException) sits 0x10 bytes before this label and is not shown;
; presumably it loads edx with the nested handler and falls/jumps into here.
; stdcall, 5 args (ret 14h); eax is the disposition from ExecuteHandler2.
;ntdll!RtlpExecuteHandlerForException
ntdll!ExecuteHandler:
775e8e20 53              push    ebx
775e8e21 56              push    esi
775e8e22 57              push    edi
775e8e23 33c0            xor     eax,eax
775e8e25 33db            xor     ebx,ebx
775e8e27 33f6            xor     esi,esi
775e8e29 33ff            xor     edi,edi
775e8e2b ff742420        push    dword ptr [esp+20h]                   ; arg5 (handler)
775e8e2f ff742420        push    dword ptr [esp+20h]                   ; arg4
775e8e33 ff742420        push    dword ptr [esp+20h]                   ; arg3
775e8e37 ff742420        push    dword ptr [esp+20h]                   ; arg2
775e8e3b ff742420        push    dword ptr [esp+20h]                   ; arg1
775e8e3f e808000000      call    ntdll!ExecuteHandler2 (775e8e4c)
775e8e44 5f              pop     edi
775e8e45 5e              pop     esi
775e8e46 5b              pop     ebx
775e8e47 c21400          ret     14h
再上一级
; ntdll!RtlDispatchException(ExceptionRecord = [ebp+8], Context = [ebp+0Ch])
; Walks the SEH chain for a first-chance exception. Register roles:
;   esi = ExceptionRecord, edi = current registration record (starts at fs:[0]),
;   ebx = 0 throughout (used as a zero source), bl = return value (1 = handled).
; The walk is guarded by several checks before any handler is called, which is
; what makes experiments like the one above visible to the dispatcher:
;   - a CFG fault check and LdrControlFlowGuardEnforced,
;   - vectored exception handlers first (RtlpCallVectoredHandlers, flag 0),
;   - RtlpIsValidExceptionChain (chain walk, skipped if bit 40h of the
;     NtQueryInformationProcess(class 22h) result is set -- presumably the
;     SEHOP opt-out flag; confirm against the headers),
;   - per record: not the 0FFFFFFFFh terminator, inside the stack limits,
;     4-byte aligned, handler not inside the stack (extra checks at 775c8293,
;     not shown), and RtlIsValidHandler (SafeSEH table lookup).
; Only then is the handler run via RtlpExecuteHandlerForException. The
; ContinueSearch path (jne 775c8275) and the out-of-line error stubs at
; 77602bxx are outside this listing. Returns al = bl after the
; __security_check_cookie epilogue; the caller (KiUserExceptionDispatcher)
; turns 1 into NtContinue and 0 into NtRaiseException.
ntdll!RtlDispatchException:
775c80cc 8bff            mov     edi,edi
775c80ce 55              push    ebp
775c80cf 8bec            mov     ebp,esp
775c80d1 83e4f8          and     esp,0FFFFFFF8h                        ; 8-byte align the frame
775c80d4 83ec7c          sub     esp,7Ch                               ; locals
775c80d7 a160336877      mov     eax,dword ptr [ntdll!__security_cookie (77683360)]
775c80dc 33c4            xor     eax,esp
775c80de 89442478        mov     dword ptr [esp+78h],eax               ; GS cookie slot
775c80e2 8b550c          mov     edx,dword ptr [ebp+0Ch]               ; edx = Context
775c80e5 53              push    ebx
775c80e6 56              push    esi
775c80e7 8b7508          mov     esi,dword ptr [ebp+8]                 ; esi = ExceptionRecord
775c80ea 33db            xor     ebx,ebx
775c80ec 57              push    edi
775c80ed 89542410        mov     dword ptr [esp+10h],edx               ; [esp+10h] = Context
775c80f1 885c240f        mov     byte ptr [esp+0Fh],bl                 ; byte flag = 0 (tested at 775c81f2)
775c80f5 813e060000c0    cmp     dword ptr [esi],0C0000006h            ; ExceptionCode == STATUS_IN_PAGE_ERROR?
775c80fb 7410            je      ntdll!RtlDispatchException+0x41 (775c810d)
775c80fd 8b4e0c          mov     ecx,dword ptr [esi+0Ch]               ; ecx = ExceptionAddress
775c8100 e826030000      call    ntdll!RtlpIsUserCallTargetBitMapCheckFault (775c842b)
775c8105 84c0            test    al,al
775c8107 0f85f6a90300    jne     ntdll!RtlDispatchException+0x3aa37 (77602b03)   ; CFG bitmap fault: out-of-line path
775c810d 64a130000000    mov     eax,dword ptr fs:[00000030h]          ; eax = PEB
775c8113 f7406800008000  test    dword ptr [eax+68h],800000h           ; PEB.NtGlobalFlag & 800000h (presumably FLG_ENABLE_EXCEPTION_LOGGING)
775c811a 0f8504aa0300    jne     ntdll!RtlDispatchException+0x3aa58 (77602b24)
775c8120 e80b65fcff      call    ntdll!LdrControlFlowGuardEnforced (7758e630)
775c8125 8b7c2410        mov     edi,dword ptr [esp+10h]               ; edi = Context (for the vectored-handler call)
775c8129 85c0            test    eax,eax
775c812b 0f852c010000    jne     ntdll!RtlDispatchException+0x191 (775c825d)     ; CFG enforced: separate path, not shown
775c8131 53              push    ebx                                   ; 0 = first-chance (pre-SEH) vectored handlers
775c8132 8bd7            mov     edx,edi
775c8134 8bce            mov     ecx,esi
775c8136 e8463a0000      call    ntdll!RtlpCallVectoredHandlers (775cbb81)
775c813b 84c0            test    al,al
775c813d 0f85f2000000    jne     ntdll!RtlDispatchException+0x169 (775c8235)     ; a VEH handled it: return 1
775c8143 8d542420        lea     edx,[esp+20h]                         ; &stack_high
775c8147 8d4c241c        lea     ecx,[esp+1Ch]                         ; &stack_low
775c814b e8af020000      call    ntdll!RtlpGetStackLimits (775c83ff)
775c8150 648b3d00000000  mov     edi,dword ptr fs:[0]                  ; edi = SEH chain head
775c8157 8d442418        lea     eax,[esp+18h]                         ; output buffer for the query
775c815b 53              push    ebx                                   ; ReturnLength = NULL
775c815c 6a04            push    4                                     ; Length
775c815e 50              push    eax                                   ; Buffer
775c815f 6a22            push    22h                                   ; InformationClass 22h (presumably ProcessExecuteFlags)
775c8161 6aff            push    0FFFFFFFFh                            ; current process
775c8163 897c2428        mov     dword ptr [esp+28h],edi               ; save chain head ([esp+14h] after the call returns)
775c8167 895c242c        mov     dword ptr [esp+2Ch],ebx               ; zero the output buffer
775c816b e8209e0000      call    ntdll!NtQueryInformationProcess (775d1f90)
775c8170 85c0            test    eax,eax
775c8172 0f88bda90300    js      ntdll!RtlDispatchException+0x3aa69 (77602b35)   ; query failed
775c8178 f644241840      test    byte ptr [esp+18h],40h                ; flag 40h set -> skip chain validation
775c817d 7518            jne     ntdll!RtlDispatchException+0xcb (775c8197)
775c817f 8b54241c        mov     edx,dword ptr [esp+1Ch]               ; edx = stack_low
775c8183 51              push    ecx
775c8184 ff742424        push    dword ptr [esp+24h]
775c8188 8bcf            mov     ecx,edi                               ; ecx = chain head
775c818a e805020000      call    ntdll!RtlpIsValidExceptionChain (775c8394)
775c818f 84c0            test    al,al
775c8191 0f84a7a90300    je      ntdll!RtlDispatchException+0x3aa72 (77602b3e)   ; chain rejected (this is the check a cut chain trips)
775c8197 8b4c2414        mov     ecx,dword ptr [esp+14h]               ; ecx = current record
775c819b 895c2424        mov     dword ptr [esp+24h],ebx               ; clear the slot compared at 775c821b
775c819f 83f9ff          cmp     ecx,0FFFFFFFFh                        ; end of chain?
775c81a2 0f848f000000    je      ntdll!RtlDispatchException+0x16b (775c8237)     ; nobody handled it -> return 0
775c81a8 3b4c241c        cmp     ecx,dword ptr [esp+1Ch]               ; record below stack_low?
775c81ac 0f82eb000000    jb      ntdll!RtlDispatchException+0x1d1 (775c829d)     ; invalid record
775c81b2 8d4108          lea     eax,[ecx+8]
775c81b5 3b442420        cmp     eax,dword ptr [esp+20h]               ; record+8 above stack_high?
775c81b9 0f87de000000    ja      ntdll!RtlDispatchException+0x1d1 (775c829d)
775c81bf f6c103          test    cl,3                                  ; record must be 4-byte aligned
775c81c2 0f85d5000000    jne     ntdll!RtlDispatchException+0x1d1 (775c829d)
775c81c8 8b4904          mov     ecx,dword ptr [ecx+4]                 ; ecx = record.Handler
775c81cb 3b4c2420        cmp     ecx,dword ptr [esp+20h]               ; handler below stack_high -> extra checks at 775c8293 (not shown)
775c81cf 0f82be000000    jb      ntdll!RtlDispatchException+0x1c7 (775c8293)
775c81d5 ff742410        push    dword ptr [esp+10h]
775c81d9 8b54241c        mov     edx,dword ptr [esp+1Ch]
775c81dd e8c1000000      call    ntdll!RtlIsValidHandler (775c82a3)   ; SafeSEH: is the handler registered for its image?
775c81e2 84c0            test    al,al
775c81e4 0f84b3000000    je      ntdll!RtlDispatchException+0x1d1 (775c829d)     ; unregistered handler: rejected
775c81ea 8b7c2414        mov     edi,dword ptr [esp+14h]               ; edi = current record
775c81ee 895c2428        mov     dword ptr [esp+28h],ebx               ; clear the nested-exception slot (tested at 775c820f)
775c81f2 385c240f        cmp     byte ptr [esp+0Fh],bl
775c81f6 0f8579a90300    jne     ntdll!RtlDispatchException+0x3aaa9 (77602b75)
775c81fc ff7704          push    dword ptr [edi+4]                     ; arg5: handler
775c81ff 8d442430        lea     eax,[esp+30h]
775c8203 50              push    eax                                   ; arg4: &DispatcherContext (local)
775c8204 ff742418        push    dword ptr [esp+18h]                   ; arg3: Context
775c8208 57              push    edi                                   ; arg2: registration record
775c8209 56              push    esi                                   ; arg1: ExceptionRecord
;################################################################
775c820a e8010c0200      call    ntdll!RtlpExecuteHandlerForException (775e8e10)
;########################## current eip is here ##################
775c820f 8b4c2428        mov     ecx,dword ptr [esp+28h]
775c8213 85c9            test    ecx,ecx                               ; slot set during the handler call (presumably by the nested handler)?
775c8215 0f8572a90300    jne     ntdll!RtlDispatchException+0x3aac1 (77602b8d)
775c821b 8b542424        mov     edx,dword ptr [esp+24h]
775c821f 3bd7            cmp     edx,edi
775c8221 0f8471a90300    je      ntdll!RtlDispatchException+0x3aacc (77602b98)
775c8227 2bc3            sub     eax,ebx                               ; eax = disposition (ebx is 0)
775c8229 754a            jne     ntdll!RtlDispatchException+0x1a9 (775c8275)     ; != ExceptionContinueExecution: search on (path not shown)
775c822b 40              inc     eax                                   ; eax = 1
775c822c 844604          test    byte ptr [esi+4],al                   ; ExceptionFlags & 1 (noncontinuable) yet handler said continue?
775c822f 0f85b9a90300    jne     ntdll!RtlDispatchException+0x3ab22 (77602bee)
775c8235 b301            mov     bl,1                                  ; result = handled
775c8237 8b542410        mov     edx,dword ptr [esp+10h]               ; edx = Context
775c823b 8bce            mov     ecx,esi                               ; ecx = ExceptionRecord
775c823d 6a01            push    1                                     ; 1 = vectored continue handlers
775c823f e83d390000      call    ntdll!RtlpCallVectoredHandlers (775cbb81)       ; author: look into this function another time
775c8244 8ac3            mov     al,bl                                 ; return value
775c8246 8b8c2484000000  mov     ecx,dword ptr [esp+84h]               ; GS cookie slot (78h + 3 saved regs)
775c824d 5f              pop     edi
775c824e 5e              pop     esi
775c824f 5b              pop     ebx
775c8250 33cc            xor     ecx,esp
775c8252 e809bd0000      call    ntdll!__security_check_cookie (775d3f60)
775c8257 8be5            mov     esp,ebp
775c8259 5d              pop     ebp
775c825a c20800          ret     8
再上一级
; ntdll!KiUserExceptionDispatcher -- user-mode entry the kernel returns to for
; an exception. On the stack: [esp] = ExceptionRecord (ebx), [esp+4] = Context
; (ecx). If LdrDelegatedKiUserExceptionDispatcher is set, control is handed to
; it after a CFG icall check. Otherwise RtlDispatchException(record, context)
; decides: al != 0 -> NtContinue(context, 0) resumes the thread; al == 0 ->
; NtRaiseException(record, context, 0) second-chance. Neither syscall is
; expected to return; if one does, a 5-dword record is built on the stack
; (code = returned NTSTATUS in eax, flags = 1, nested record = ebx,
; 0 parameters) and raised with RtlRaiseException.
ntdll!KiUserExceptionDispatcher:
775d42b0 833d4ce9677700  cmp     dword ptr [ntdll!LdrDelegatedKiUserExceptionDispatcher (7767e94c)],0
775d42b7 740e            je      ntdll!KiUserExceptionDispatcher+0x17 (775d42c7)
775d42b9 8b0d4ce96777    mov     ecx,dword ptr [ntdll!LdrDelegatedKiUserExceptionDispatcher (7767e94c)]
775d42bf ff15e0116877    call    dword ptr [ntdll!__guard_check_icall_fptr (776811e0)]   ; CFG: validate the delegate before the indirect jump
775d42c5 ffe1            jmp     ecx
775d42c7 fc              cld
775d42c8 8b4c2404        mov     ecx,dword ptr [esp+4]                 ; ecx = Context
775d42cc 8b1c24          mov     ebx,dword ptr [esp]                   ; ebx = ExceptionRecord
775d42cf 51              push    ecx
775d42d0 53              push    ebx
;###############################################################################
775d42d1 e8f63dffff      call    ntdll!RtlDispatchException (775c80cc)
;########################## current eip is here ################################
775d42d6 0ac0            or      al,al                                 ; handled?
775d42d8 740c            je      ntdll!KiUserExceptionDispatcher+0x36 (775d42e6)
775d42da 5b              pop     ebx
775d42db 59              pop     ecx
775d42dc 6a00            push    0                                     ; TestAlert = FALSE
775d42de 51              push    ecx                                   ; Context
775d42df e86cdfffff      call    ntdll!NtContinue (775d2250)           ; resume with the (possibly modified) context
775d42e4 eb0b            jmp     ntdll!KiUserExceptionDispatcher+0x41 (775d42f1)
775d42e6 5b              pop     ebx
775d42e7 59              pop     ecx
775d42e8 6a00            push    0                                     ; FirstChance = FALSE
775d42ea 51              push    ecx                                   ; Context
775d42eb 53              push    ebx                                   ; ExceptionRecord
775d42ec e82ff1ffff      call    ntdll!NtRaiseException (775d3420)     ; second-chance: debugger / process termination
775d42f1 83c4ec          add     esp,0FFFFFFECh                        ; only reached if a syscall returned: esp -= 14h for a new record
775d42f4 890424          mov     dword ptr [esp],eax                   ; ExceptionCode = NTSTATUS from the failed call
775d42f7 c744240401000000 mov    dword ptr [esp+4],1                   ; ExceptionFlags = 1 (noncontinuable)
775d42ff 895c2408        mov     dword ptr [esp+8],ebx                 ; ExceptionRecord = original record
775d4303 c744241000000000 mov    dword ptr [esp+10h],0                 ; NumberParameters = 0
775d430b 54              push    esp
775d430c e8ff4c0100      call    ntdll!RtlRaiseException (775e9010)
775d4311 c20800          ret     8
如果用ida可以的话就方便多了,下次找找ida的可行调试方法,ida调试老是报错不知道为啥