SetUnhandledExceptionFilter trick (Debuggers forum)

Topic created on: August 14, 2005 09:03 CDT by terb .

Hey guys

First of all I wanna congratulate you on a cool site ;) Anyway, let's jump right to my question...

I've been playing around with several anti-Olly/anti-SEH tricks lately and have become quite fond of the SetUnhandledExceptionFilter trick. However I'm not able to bypass it myself. I know there's an Olly plugin out there that can do the trick for you, but I would like to know how to bypass it myself manually, so to speak... Does anyone know how?

Terb

  anonymouse     August 14, 2005 10:13.46 CDT
When there is an unhandled exception, usually the topmost handler that was set by the system is called, which normally shows the "an error has occurred in your application, it will be terminated" message box and terminates the application.

Now if you have inserted a SetUnhandledExceptionFilter in your code and you are NOT debugging the app, it gets control, and there you can do some real work and then cleanly terminate the application with your own code instead of having to use the system termination routine.

But if you are debugging the application, this top-level handler is never called; only the per-process or per-thread handler is called, i.e. the handler set with
push handler
push fs:[0]
mov fs:[0],esp

So basically, if it is used as a trick, then the code that is hidden within the unhandled() handler could never be executed because of the debugger.

If you want to take a look at the actual working and feel it, try downloading GoAsm author Jeremy Gordon's "A Crash Course on Structured Exception Handling" (except32.zip). Now double-click except1.exe and say Yes the first time, then No the second time, and see how it works. Now load the same exe in OllyDbg and say Yes: you should see the same behaviour as without the debugger. But if you click No you will see that the unhandled exception handler code is never called; Olly will always be at the div ecx opcode :)

Also give the tut a read a few times :)
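An added demo (not code from this thread, nor from Jeremy Gordon's except32) that reproduces the behaviour anonymouse describes: a worker thread faults with a division by zero and has no SEH frame, so the fault reaches the top-level filter installed with SetUnhandledExceptionFilter; run it without a debugger and the filter gets control, run it under OllyDbg and the debugger stops at the div instead. It assumes a Win32 build (MSVC or MinGW); on other hosts run_demo() only reports -1.

```c
/* Added demo, not code from the thread: shows that a SetUnhandledExceptionFilter
 * callback gets control only when no debugger is attached. Windows-only. */
#include <stdio.h>
#ifdef _WIN32
#include <windows.h>

static volatile LONG filter_ran = 0;   /* becomes 1 only if our filter gets control */

/* Top-level filter. kernel32's UnhandledExceptionFilter asks
 * NtQueryInformationProcess(ProcessDebugPort) first; under a debugger the
 * second-chance exception goes to the debugger and this function never runs. */
static LONG WINAPI top_level_filter(EXCEPTION_POINTERS *ep)
{
    if (ep->ExceptionRecord->ExceptionCode != EXCEPTION_INT_DIVIDE_BY_ZERO)
        return EXCEPTION_CONTINUE_SEARCH;   /* not our fault: let the system handle it */
    InterlockedExchange(&filter_ran, 1);    /* the "real work" would go here */
    ExitThread(0);                          /* end the faulting thread cleanly, nothing to resume */
}

/* Worker thread that raises the fault, like the "div ecx" in except1.exe.
 * It installs no SEH frame, so the fault is unhandled and reaches the filter. */
static DWORD WINAPI faulting_thread(LPVOID arg)
{
    volatile int zero = 0;
    (void)arg;
    return (DWORD)(1 / zero);               /* EXCEPTION_INT_DIVIDE_BY_ZERO */
}

/* Returns 1 if the filter ran (no debugger), 0 if it did not, -1 on non-Windows hosts. */
int run_demo(void)
{
    HANDLE h;
    SetUnhandledExceptionFilter(top_level_filter);
    h = CreateThread(NULL, 0, faulting_thread, NULL, 0, NULL);
    if (h == NULL) return 0;
    WaitForSingleObject(h, INFINITE);
    CloseHandle(h);
    return filter_ran ? 1 : 0;
}
#else
int run_demo(void) { return -1; }          /* this demo needs the Win32 API */
#endif
int main(void)
{
    int r = run_demo();
    printf("%s\n", r == 1 ? "filter ran: no debugger attached"
                 : r == -1 ? "this demo needs Windows" : "filter did not run");
    return 0;
}
```

Under a debugger the worker thread stops at the faulting division and filter_ran stays 0, which is exactly the gap the bypass described later in the thread closes.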

  anonymouse     August 14, 2005 10:24.13 CDT
Hi Pedram,
How do I edit? I read that I can edit my post, but I can't seem to find the pencil icon :) anywhere if I am logged in. If I log out I can see the pencil; I click on it and it says in red that I can edit only the posts that I own :)
But when I log in I simply can't find the edit button or anything. Do I miss something?

To terb:
Link to Jeremy Gordon's tut:
http://www.jorgon.freeserve.co.uk/ExceptFrame.htm

  smidgeonsoft     August 14, 2005 11:30.17 CDT
If you are not afraid of x86 assembler, you may wish to try the following:

1) when the exception fires, set a breakpoint on the exported API, UnhandledExceptionFilter, inside of Kernel32;
2) run until after the call to NtQueryInformationProcess inside of this API;
3) the last parameter to this call will hold the results of the call (which will be 0xFFFFFFFF if a debugger is attached);
4) change this value to zero - this tells the process that there is no debugger attached to the process and allows the application's exception handler to fire.

Good luck!

  terb   August 15, 2005 09:25.18 CDT
Maybe I wasn't specific enough :) I know quite well how SEH works; my only problem was that I couldn't figure out how to bypass the SetUnhandledExceptionFilter trick manually. However, Smidgeonsoft gave me the solution (Thanks dude!). I do thank the two other guys for answering!!!

Terb

  NeOXQuiCk     March 10, 2007 20:17.58 CST
here...

PUSH 248 <------------------------- UnhandledExceptionFilter function starts here.
PUSH kernel32.7C8635E0
CALL kernel32.7C8024CB
MOV EAX,DWORD PTR DS:[7C8836CC]
MOV DWORD PTR SS:[EBP-1C],EAX
MOV EBX,DWORD PTR SS:[EBP+8]
MOV DWORD PTR SS:[EBP-178],EBX
MOV DWORD PTR SS:[EBP-148],4
XOR EDI,EDI
MOV DWORD PTR SS:[EBP-13C],EDI
MOV DWORD PTR SS:[EBP-16C],EDI
MOV EAX,DWORD PTR DS:[EBX]
TEST BYTE PTR DS:[EAX+4],10
JE SHORT kernel32.7C862BD4
PUSH DWORD PTR DS:[EAX]
PUSH -1
CALL DWORD PTR DS:[<&ntdll.NtTerminatePr>; ntdll.ZwTerminateProcess
MOV EAX,DWORD PTR DS:[EBX]
MOV ESI,C0000005
CMP DWORD PTR DS:[EAX],ESI
JNZ SHORT kernel32.7C862BF9
CMP DWORD PTR DS:[EAX+14],1
JNZ SHORT kernel32.7C862BF9
PUSH DWORD PTR DS:[EAX+18]
CALL kernel32.7C862874
CMP EAX,-1
JNZ SHORT kernel32.7C862BF9
OR EAX,EAX
JMP kernel32.7C863458
MOV DWORD PTR SS:[EBP-124],EDI
PUSH EDI
PUSH 4
LEA EAX,DWORD PTR SS:[EBP-124]
PUSH EAX
PUSH 7
CALL kernel32.GetCurrentProcess <------------- Here is trick! This API returns FFFFFFFF. Change EAX to 0.
PUSH EAX
CALL DWORD PTR DS:[<&ntdll.NtQueryInform>; ntdll.ZwQueryInformationProcess
TEST EAX,EAX

bye
