Disassembly from ntdll.dll (the 0x7C9xxxxx addresses suggest a Windows XP SP2/SP3-era build): the SafeSEH validation that the exception dispatcher performs on an exception registration record before invoking its handler. OllyDbg listing format (address, opcode bytes, instruction, `;` comment), 32-bit Intel syntax.
7C94A994 3B5D F8 CMP EBX,DWORD PTR SS:[EBP-8] ; EBX = EXCEPTION_REGISTRATION_RECORD*; [EBP-8] = low stack limit (the "top" of the downward-growing stack). Record below it -> reject
7C94A997 ^ 0F82 79F9FFFF JB ntdll.7C94A316 ; 7C94A316 = rejection path (not in this listing)
7C94A99D 8D43 08 LEA EAX,DWORD PTR DS:[EBX+8] ; end of the 8-byte record (Next, Handler)
7C94A9A0 3B45 F4 CMP EAX,DWORD PTR SS:[EBP-C] ; [EBP-C] = high stack limit (stack base). Record end above it -> reject
7C94A9A3 ^ 0F87 6DF9FFFF JA ntdll.7C94A316
7C94A9A9 F6C3 03 TEST BL,3 ; record must be 4-byte aligned
7C94A9AC ^ 0F85 64F9FFFF JNZ ntdll.7C94A316
7C94A9B2 8B43 04 MOV EAX,DWORD PTR DS:[EBX+4] ; EAX = record->Handler
7C94A9B5 3B45 F8 CMP EAX,DWORD PTR SS:[EBP-8] ; handler below the stack's low limit -> cannot be on the stack, skip the upper-bound check
7C94A9B8 72 09 JB SHORT ntdll.7C94A9C3
7C94A9BA 3B45 F4 CMP EAX,DWORD PTR SS:[EBP-C]
7C94A9BD ^ 0F82 53F9FFFF JB ntdll.7C94A316 ; StackLimit <= handler < StackBase: the handler address points into the stack -> reject
7C94A9C3 50 PUSH EAX
7C94A9C4 E8 67000000 CALL ntdll.7C94AA30 ; the SafeSEH validation itself (body at 7C94AA30 below); returns AL != 0 when the handler is acceptable
7C94A9C9 84C0 TEST AL,AL
7C94A9CB ^ 0F84 45F9FFFF JE ntdll.7C94A316 ; AL == 0 -> handler rejected
7C94A9D1 F605 FAB3997C 8>TEST BYTE PTR DS:[7C99B3FA],80 ; bit test on a global flag byte (bit 0x80), not a comparison against the value 0x80
7C94A9D8 0F85 05390200 JNZ ntdll.7C96E2E3 ; bit set -> out-of-line path at 7C96E2E3 (not shown). Whether it rejects the handler or merely logs before calling it cannot be told from this excerpt -- TODO confirm
7C94A9DE FF73 04 PUSH DWORD PTR DS:[EBX+4] ; arg: handler
7C94A9E1 8D45 EC LEA EAX,DWORD PTR SS:[EBP-14]
7C94A9E4 50 PUSH EAX ; arg: address of a local (out parameter)
7C94A9E5 FF75 0C PUSH DWORD PTR SS:[EBP+C] ; arg: the dispatcher's own second parameter
7C94A9E8 53 PUSH EBX ; arg: registration record
7C94A9E9 56 PUSH ESI
7C94A9EA E8 5888FDFF CALL ntdll.7C923247 ; invoke the (now validated) SEH handler through a wrapper routine
7C94AA30 8BFF MOV EDI,EDI ; hot-patch padding, function entry. From the call site: stdcall, one argument (Handler), returns AL (RETN 4 at 7C94A948)
7C94AA32 55 PUSH EBP
7C94AA33 8BEC MOV EBP,ESP
7C94AA35 83EC 34 SUB ESP,34 ; 0x34 bytes of locals
7C94AA38 A1 C8B0997C MOV EAX,DWORD PTR DS:[7C99B0C8] ; global loaded here, stored in [EBP-4] and re-checked at 7C94A942 before returning: the /GS stack-cookie pattern (presumably ntdll's __security_cookie)
7C94AA3D 53 PUSH EBX
7C94AA3E 56 PUSH ESI
7C94AA3F 57 PUSH EDI ; save callee-saved registers
7C94AA40 8B7D 08 MOV EDI,DWORD PTR SS:[EBP+8] ; EDI = Handler (arg 1); stays in EDI for the rest of the routine
7C94AA43 8945 FC MOV DWORD PTR SS:[EBP-4],EAX ; [EBP-4] = cookie
7C94AA46 8D45 F8 LEA EAX,DWORD PTR SS:[EBP-8]
7C94AA49 50 PUSH EAX ; arg 3: out pointer
7C94AA4A 8D45 EC LEA EAX,DWORD PTR SS:[EBP-14]
7C94AA4D 50 PUSH EAX ; arg 2: out pointer; [EBP-14] apparently receives the owning image base (subtracted from the handler at 7C96E276)
7C94AA4E 33F6 XOR ESI,ESI
7C94AA50 57 PUSH EDI ; arg 1: Handler
7C94AA51 8975 F4 MOV DWORD PTR SS:[EBP-C],ESI ; zero-initialise a local
7C94AA54 E8 2B000000 CALL ntdll.7C94AA84 ; locate the loaded image containing Handler and fetch its SEH handler table (module-list walk and Load Config read shown below)
... (instructions elided; 7C94AA84 walks the loader's module list, shown next)
7C94AAD8 3BC2 CMP EAX,EDX ; loop head: EAX = current list entry, EDX = list head. Back at the head -> Handler lies inside no loaded module
7C94AADA 0F84 F7B30000 JE ntdll.7C955ED7 ; not-in-any-module exit (not in this listing; see the caveat in the summary below)
7C94AAE0 8BC8 MOV ECX,EAX
7C94AAE2 8B71 18 MOV ESI,DWORD PTR DS:[ECX+18] ; ESI = entry->DllBase (offset 0x18 matches LDR_DATA_TABLE_ENTRY linked through InLoadOrderLinks)
7C94AAE5 3BFE CMP EDI,ESI
7C94AAE7 8B00 MOV EAX,DWORD PTR DS:[EAX] ; advance to Flink before branching (MOV leaves the flags intact)
7C94AAE9 ^ 72 ED JB SHORT ntdll.7C94AAD8 ; Handler < DllBase -> try the next module
7C94AAEB 8B49 20 MOV ECX,DWORD PTR DS:[ECX+20] ; entry->SizeOfImage (offset 0x20)
7C94AAEE 03CE ADD ECX,ESI ; ECX = DllBase + SizeOfImage = end of the image
7C94AAF0 3BF9 CMP EDI,ECX
7C94AAF2 ^ 73 E4 JNB SHORT ntdll.7C94AAD8 ; Handler >= end -> next module. Fall-through: DllBase <= Handler < end, owning image found
If the handler lies inside this module's image, the following routine is called with the image base and reads the module's PE Load Config directory to obtain its SEH handler table and count.
7C94AB2D 8BFF MOV EDI,EDI ; entry: stdcall (ImageBase, out SEHandlerTable, out SEHandlerCount), RETN 0C below
7C94AB2F 55 PUSH EBP
7C94AB30 8BEC MOV EBP,ESP
7C94AB32 51 PUSH ECX ; one DWORD local at [EBP-4] (receives the directory size)
7C94AB33 FF75 08 PUSH DWORD PTR SS:[EBP+8]
7C94AB36 E8 DE57FEFF CALL ntdll.RtlImageNtHeader ; EAX = IMAGE_NT_HEADERS* of the image (no NULL check; the base came from the loader's own list)
7C94AB3B F640 5F 04 TEST BYTE PTR DS:[EAX+5F],4 ; high byte of OptionalHeader.DllCharacteristics (NT header +0x5E); bit 0x04 here = 0x0400 = IMAGE_DLLCHARACTERISTICS_NO_SEH
7C94AB3F 0F85 DE430200 JNZ ntdll.7C96EF23 ; image declares it has no SEH handlers at all -> out-of-line path (not shown)
7C94AB45 8D45 FC LEA EAX,DWORD PTR SS:[EBP-4]
7C94AB48 50 PUSH EAX ; &Size (out)
7C94AB49 6A 0A PUSH 0A ; DirectoryEntry = 10 = IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
7C94AB4B 6A 01 PUSH 1 ; MappedAsImage = TRUE
7C94AB4D FF75 08 PUSH DWORD PTR SS:[EBP+8] ; ImageBase
7C94AB50 E8 D157FEFF CALL ntdll.RtlImageDirectoryEntryToData ; EAX = IMAGE_LOAD_CONFIG_DIRECTORY32* (NULL if the image has none)
7C94AB55 85C0 TEST EAX,EAX
7C94AB57 0F84 51B30000 JE ntdll.7C955EAE ; no Load Config directory -> 7C955EAE (not shown; see summary caveat)
7C94AB5D 8B4D FC MOV ECX,DWORD PTR SS:[EBP-4]
7C94AB60 85C9 TEST ECX,ECX
7C94AB62 0F84 46B30000 JE ntdll.7C955EAE ; data-directory Size == 0 -> same path
7C94AB68 83F9 40 CMP ECX,40 ; this path handles only a data-directory Size of exactly 0x40
7C94AB6B 0F85 88010000 JNZ ntdll.7C94ACF9 ; other sizes handled at 7C94ACF9 (not shown)
7C94AB71 8338 48 CMP DWORD PTR DS:[EAX],48 ; LoadConfig.Size must be >= 0x48 so that SEHandlerTable (+0x40) and SEHandlerCount (+0x44) exist
7C94AB74 0F82 34B30000 JB ntdll.7C955EAE
7C94AB7A 8B48 40 MOV ECX,DWORD PTR DS:[EAX+40] ; ECX = LoadConfig.SEHandlerTable
7C94AB7D 85C9 TEST ECX,ECX
7C94AB7F 0F84 29B30000 JE ntdll.7C955EAE ; NULL table -> 7C955EAE
7C94AB85 8378 44 00 CMP DWORD PTR DS:[EAX+44],0 ; LoadConfig.SEHandlerCount
7C94AB89 0F84 1FB30000 JE ntdll.7C955EAE ; zero entries -> 7C955EAE
7C94AB8F 8B55 0C MOV EDX,DWORD PTR SS:[EBP+C]
7C94AB92 890A MOV DWORD PTR DS:[EDX],ECX ; *SEHandlerTable = table
7C94AB94 8B40 44 MOV EAX,DWORD PTR DS:[EAX+44]
7C94AB97 8B4D 10 MOV ECX,DWORD PTR SS:[EBP+10]
7C94AB9A 8901 MOV DWORD PTR DS:[ECX],EAX ; *SEHandlerCount = count (also left in EAX)
7C94AB9C C9 LEAVE
7C94AB9D C2 0C00 RETN 0C ; stdcall, 3 arguments
Back in the 7C94AA30 frame, the handler's RVA is looked up in the table (EBX = SEHandlerTable, EAX derived from SEHandlerCount):
7C96E276 2B7D EC SUB EDI,DWORD PTR SS:[EBP-14] ; EDI = Handler - ImageBase = handler RVA (the table stores RVAs)
7C96E279 33D2 XOR EDX,EDX ; EDX = lo = 0
7C96E27B 85C0 TEST EAX,EAX ; EAX comes from SEHandlerCount (whether it is count or count-1 is not visible here)
7C96E27D 8BF0 MOV ESI,EAX ; ESI = hi
7C96E27F 7C 15 JL SHORT ntdll.7C96E296 ; hi < 0 (signed) -> search exhausted, bail out (not shown)
7C96E281 8D0C16 LEA ECX,DWORD PTR DS:[ESI+EDX]
7C96E284 D1F9 SAR ECX,1 ; mid = (lo + hi) / 2 -- binary search over a sorted RVA table, not a linear index+1 scan
7C96E286 8B048B MOV EAX,DWORD PTR DS:[EBX+ECX*4] ; EAX = SEHandlerTable[mid]
7C96E289 3BF8 CMP EDI,EAX ; compare handler RVA with table[mid]
7C96E28B ^ 0F82 50CAFDFF JB ntdll.7C94ACE1 ; rva < table[mid] -> continue in the lower half (presumably hi = mid - 1; code not shown)
7C96E291 ^\E9 9EC6FDFF JMP ntdll.7C94A934 ; rva >= table[mid] -> 7C94A934 separates "greater" (upper half) from "equal" (found)
....
7C94A934 /0F87 22260000 JA ntdll.7C94CF5C ; rva > table[mid] -> continue in the upper half (presumably lo = mid + 1; code not shown)
7C94A93A |B0 01 MOV AL,1 ; equal: the handler RVA is in the image's registered SEH table -> return TRUE
7C94A93C |8B4D FC MOV ECX,DWORD PTR SS:[EBP-4] ; ECX = cookie saved in the prologue
7C94A93F |5F POP EDI
7C94A940 |5E POP ESI
7C94A941 |5B POP EBX ; restore callee-saved registers (AL is untouched)
7C94A942 |E8 1055FEFF CALL ntdll.7C92FE57 ; /GS stack-cookie check (presumably compares ECX against [7C99B0C8], i.e. __security_check_cookie)
7C94A947 |C9 LEAVE
7C94A948 |C2 0400 RETN 4 ; stdcall, 1 argument (Handler)
Only when the handler's RVA is found in the image's SEHandlerTable does the routine return TRUE (AL = 1). Otherwise it returns FALSE and the dispatcher takes the rejection path at 7C94A316 (not in this listing): the handler is never called, so the exception remains unhandled and the process is normally terminated by the unhandled-exception path.
In other words, this is the check that the handler is one the module registered at link time (/SAFESEH).
Load Config Directory (IMAGE_LOAD_CONFIG_DIRECTORY32) of the sample module, decoded from the dump below: +0x00 Size = 0x48 (exactly the minimum checked at 7C94AB71); +0x3C SecurityCookie = 0x0482BEF4; +0x40 SEHandlerTable = 0x04827F10; +0x44 SEHandlerCount = 0x2D (45 registered handlers). The "RSDS" at +0x48 is the CodeView debug record that happens to follow the structure, not part of it.
04826068 48 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 H...............
04826078 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
04826088 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
04826098 00 00 00 00 00 00 00 00 00 00 00 00 F4 BE 82 04 ................
048260A8 10 7F 82 04 2D 00 00 00 52 53 44 53 30 72 9E CA ....-...RSDS0r..
SafeSEH protection as shown by this listing:
1. The registration record must lie within the thread's stack and be 4-byte aligned, and the handler address itself must NOT point into the stack.
2. If the handler address does not fall inside any loaded module (the module-list walk returns to the list head), control goes to 7C955ED7, which is not in this listing. Do not read this as "the handler is executed unconditionally": the documented behaviour of this check is that, for DEP-enabled processes, a handler outside any image must additionally lie in executable memory -- confirm against that code path.
3. If the handler is inside a module: the module must not be marked IMAGE_DLLCHARACTERISTICS_NO_SEH, and its Load Config SEHandlerTable is binary-searched for the handler's RVA. Found -> valid (AL = 1); not found -> invalid and the handler is never invoked (rejection path 7C94A316, not shown). The listing also does not show the 7C955EAE path taken when the module has no Load Config directory or an empty table; documented SafeSEH behaviour is that such non-/SAFESEH images accept any handler address inside them, which is the classic bypass -- verify against that path before relying on this protection.