Security/Analysis

[Note] SEH-related references

NineKY 2010. 11. 14. 22:14

Notes on what I found when searching for how code that installs an SEH handler is put together.


SEH Macros

@TRY_BEGIN MACRO Handler
    pushad                          ;;Save current state (32 bytes)
    mov esi, offset Handler         ;;Address of new exception handler
    push esi                        ;;Handler field of the registration record
    push dword ptr fs:[0]           ;;Next field: save old exception handler
    mov dword ptr fs:[0], esp       ;;Install new handler (record is now head of the chain)
ENDM

@TRY_EXCEPT MACRO Handler
    jmp NoException&Handler         ;;No exception occurred, so jump over
Handler:
    mov esp, [esp+8]                ;;Exception occurred, get old ESP: [esp+8] is EstablisherFrame, the record address
    pop dword ptr fs:[0]            ;;Restore old exception handler
    add esp, 4                      ;;Drop the pushed handler address: ESP value right after pushad
    popad                           ;;Restore old state
ENDM

@TRY_END MACRO Handler
    jmp ExceptionHandled&Handler    ;;Exception was handled by @TRY_EXCEPT
NoException&Handler:                ;;No exception occurred
    pop dword ptr fs:[0]            ;;Restore old exception handler
    add esp, 32+4                   ;;ESP value before SEH was set: 32 for pushad and ...
ExceptionHandled&Handler:           ;;...4 for push offset Handler. (No restore of state)
                                    ;;Exception has been handled, or no exception occurred
ENDM
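To check the stack arithmetic in these macros (why the handler path does `add esp, 4` while the no-exception path does `add esp, 32+4`, and why `[esp+8]` is the right slot to read), here is an added example that is not code from the note: a small model of a 32-bit stack that emulates only the instructions the macros use. The `Cpu` class, the function names, and all addresses (stack base, old handler, handler address) are constructed placeholders, and `dispatch_exception` models the argument layout the OS uses when it calls a handler (return address, ExceptionRecord, EstablisherFrame, ContextRecord, DispatcherContext).

```python
"""Stack model of @TRY_BEGIN / @TRY_EXCEPT / @TRY_END (added example).

Emulates push/pop, pushad/popad and fs:[0] on a fake 32-bit stack so the
cleanup arithmetic can be verified without a Windows process.
All addresses are constructed placeholders."""

PUSHAD_ORDER = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]
MASK = 0xFFFFFFFF


class Cpu:
    def __init__(self, esp=0x0012FF80, old_handler=0x77E1A000):
        # Distinct constructed register values so a wrong restore is visible.
        self.regs = {r: (i + 1) * 0x11111111 for i, r in enumerate(PUSHAD_ORDER)}
        self.regs["esp"] = esp
        self.mem = {}            # sparse dword memory: address -> value
        self.fs0 = old_handler   # fs:[0], head of the SEH chain

    def push(self, value):
        self.regs["esp"] = (self.regs["esp"] - 4) & MASK
        self.mem[self.regs["esp"]] = value & MASK

    def pop(self):
        value = self.mem[self.regs["esp"]]
        self.regs["esp"] += 4
        return value

    def pushad(self):
        before = self.regs["esp"]        # pushad stores the pre-pushad ESP
        for r in PUSHAD_ORDER:
            self.push(before if r == "esp" else self.regs[r])

    def popad(self):
        for r in reversed(PUSHAD_ORDER):
            value = self.pop()
            if r != "esp":               # popad skips the saved ESP
                self.regs[r] = value


def try_begin(cpu, handler):
    """@TRY_BEGIN. Returns the address of the EXCEPTION_REGISTRATION record."""
    cpu.pushad()
    cpu.regs["esi"] = handler       # mov esi, offset Handler
    cpu.push(cpu.regs["esi"])       # push esi         -> Handler field
    cpu.push(cpu.fs0)               # push fs:[0]      -> Next field (old handler)
    cpu.fs0 = cpu.regs["esp"]       # mov fs:[0], esp  -> record is the chain head
    return cpu.fs0


def try_end_no_exception(cpu):
    """@TRY_END fall-through path: pop fs:[0]; add esp, 32+4 (no popad)."""
    cpu.fs0 = cpu.pop()
    cpu.regs["esp"] += 32 + 4


def dispatch_exception(cpu, record_addr):
    """Model the OS calling Handler(ExceptionRecord, EstablisherFrame,
    ContextRecord, DispatcherContext) further down the same stack."""
    cpu.regs["esp"] = record_addr - 0x200   # dispatcher used some stack
    cpu.push(0xDEAD0004)                    # DispatcherContext (placeholder)
    cpu.push(0xDEAD0003)                    # ContextRecord     (placeholder)
    cpu.push(record_addr)                   # EstablisherFrame  = record address
    cpu.push(0xDEAD0001)                    # ExceptionRecord   (placeholder)
    cpu.push(0xDEAD0000)                    # return address into the dispatcher


def try_except_handler(cpu):
    """@TRY_EXCEPT handler body: mov esp,[esp+8]; pop fs:[0]; add esp,4; popad."""
    cpu.regs["esp"] = cpu.mem[cpu.regs["esp"] + 8]   # EstablisherFrame
    cpu.fs0 = cpu.pop()                              # restore old handler
    cpu.regs["esp"] += 4                             # drop pushed Handler address
    cpu.popad()                                      # restore registers


def check_macros(handler=0x00401000):
    """Run both paths and report whether ESP, fs:[0] and registers come back."""
    cpu = Cpu()
    esp0, regs0, old = cpu.regs["esp"], dict(cpu.regs), cpu.fs0
    record = try_begin(cpu, handler)
    layout = (cpu.mem[record], cpu.mem[record + 4])   # (Next, Handler)
    try_end_no_exception(cpu)
    no_exc = {"esp_restored": cpu.regs["esp"] == esp0,
              "fs0_restored": cpu.fs0 == old,
              "esi_clobbered": cpu.regs["esi"] != regs0["esi"]}  # no popad on this path

    cpu = Cpu()
    record = try_begin(cpu, handler)
    dispatch_exception(cpu, record)
    try_except_handler(cpu)
    exc = {"esp_restored": cpu.regs["esp"] == esp0,
           "fs0_restored": cpu.fs0 == old,
           "regs_restored": cpu.regs == regs0}
    return {"record_layout": layout, "no_exception": no_exc, "exception": exc}


if __name__ == "__main__":
    print(check_macros())
```

The model makes one side effect of the macros visible that the comments only hint at: on the no-exception path nothing restores the registers, so `esi` still holds the handler address afterwards, while the exception path goes through `popad` and restores everything.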


[ Method used in an actual sample ]

009BAB94 >  6A FF              PUSH -1
009BAB96    50                 PUSH EAX

009BAB97    64:A1 00000000     MOV EAX,DWORD PTR FS:[0]
009BAB9D    50                 PUSH EAX                      ; Install New Handler

009BAB9E    8B4424 0C          MOV EAX,DWORD PTR SS:[ESP+C]

009BABA2    64:8925 00000000   MOV DWORD PTR FS:[0],ESP

009BABA9    896C24 0C          MOV DWORD PTR SS:[ESP+C],EBP
009BABAD    8D6C24 0C          LEA EBP,DWORD PTR SS:[ESP+C]
009BABB1    50                 PUSH EAX
009BABB2    C3                 RETN
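The sequence above pushes a trylevel of -1 and a handler address (passed in EAX by the caller), saves the old fs:[0], and then registers the new record with `MOV DWORD PTR FS:[0],ESP`; the same read-then-write of fs:[0] is what the macros do, just with a larger record. As an added example that is not part of the note, the following script parses OllyDbg-style listing lines and flags that idiom. It assumes OllyDbg's column layout (columns separated by two or more spaces, an optional `>` after the address, comments after `;`); the parser, the function names and the `window` parameter are my own, and the sample input is the listing above.

```python
"""Find SEH frame installation in OllyDbg listings (added example)."""
import re

# Sample input: the listing from the note above, comments included.
SAMPLE_LISTING = """\
009BAB94 >  6A FF              PUSH -1
009BAB96    50                 PUSH EAX
009BAB97    64:A1 00000000     MOV EAX,DWORD PTR FS:[0]
009BAB9D    50                 PUSH EAX                      ; Install New Handler
009BAB9E    8B4424 0C          MOV EAX,DWORD PTR SS:[ESP+C]
009BABA2    64:8925 00000000   MOV DWORD PTR FS:[0],ESP
009BABA9    896C24 0C          MOV DWORD PTR SS:[ESP+C],EBP
009BABAD    8D6C24 0C          LEA EBP,DWORD PTR SS:[ESP+C]
009BABB1    50                 PUSH EAX
009BABB2    C3                 RETN
"""

# Reads of fs:[0] that save the current chain head, and the write that installs
# the new record (assumed instruction spellings, normalised to upper case).
READS_FS0 = re.compile(r"^(MOV [A-Z]{3},DWORD PTR FS:\[0\]|PUSH DWORD PTR FS:\[0\])$")
INSTALLS_FS0 = "MOV DWORD PTR FS:[0],ESP"


def parse_olly_line(line):
    """Split one OllyDbg line into (address, opcode bytes, instruction, comment).
    Assumes columns are separated by two or more spaces; returns None otherwise."""
    parts = re.split(r"\s{2,}", line.strip())
    if len(parts) < 3 or not re.fullmatch(r"[0-9A-F]{8}\s*>?", parts[0]):
        return None
    address, opcodes = parts[0][:8], parts[1]
    rest = "  ".join(parts[2:])
    insn, _, comment = rest.partition(";")
    insn = re.sub(r"\s+", " ", insn.strip()).upper()
    return address, opcodes, insn, comment.strip()


def find_seh_installs(listing, window=8):
    """One finding per 'mov fs:[0],esp' preceded within `window` instructions
    by a read of fs:[0]; also counts the pushes that built the record."""
    insns = [p for p in (parse_olly_line(l) for l in listing.splitlines()) if p]
    findings = []
    for i, (addr, _, insn, _) in enumerate(insns):
        if insn != INSTALLS_FS0:
            continue
        prior = insns[max(0, i - window):i]
        reads = [a for a, _, ins, _ in prior if READS_FS0.match(ins)]
        if not reads:
            continue
        findings.append({
            "install_at": addr,
            "old_handler_read_at": reads[-1],
            "pushes_before_install": sum(1 for _, _, ins, _ in prior
                                         if ins.startswith("PUSH ")),
        })
    return findings


if __name__ == "__main__":
    for f in find_seh_installs(SAMPLE_LISTING):
        print(f)
```

On the sample this reports the install at 009BABA2, the read of the old handler at 009BAB97, and three pushes before the install, which is the record size on the stack: old handler, handler address, trylevel.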

