ÚÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ¿ ³ Using Structured Exception Handler (SEH) ³ Billy Belceb£/DDT ÀÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÙ Well, this is a very simple tutorial about the Structured Exception Handler. When i saw SEH implemented in a virus, i thought "Well, it does a lot. Must be very hard to implement". So i simple skipped its use. But, as my Destiny made General Protection Faults running under NT, as i read in 0BFF70000h, i realized that i had to do something. And SEH was the only way. Well, we can do it very complex to understand, or very easy. Of course, i prefer to do it more easy :) % Setting up the SEH frame % ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ Firstly we save it for our own safety with a simple text line. push dword ptr fs:[0] And now it's time to make the thingy to point to our handler (for example, imagine that we used a call for call the setup of the SEH, and our handler is just after that call instructions: we can use the offset of ret for make it point there) push offset SEH_Handler mov fs:[0],esp Well, as easy as it gets. What about restore the original SEH? More easy. Simply do the opposite of the first instruction. pop dword ptr fs:[0] It's surprising that that very simple thing for implement if our Windoze vi- ruses could do for us. For me (as it was the use of SEH i was searching) the most important one is that i can help us to avoid all that goddamn blue screens when we run our Win95 virus under NT enviroments. That goddamn blue screen appears everytime we try to make comparisons over our hardcoded Win95 kernel under NT. % Example of SEH use % ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ Well, you can compile this with: tasm32 /m3 /ml sehtest,,; tlink32 /Tpe /aa sehtest,sehtest,,import32.lib .386p .model flat ; Good good... 32 bit r0x0r extrn MessageBoxA:PROC ; Defined APIs extrn ExitProcess:PROC .data szTitle db "Structured Exception Handler",0 szMessage db "Intercepted General Protection Fault!",0 .code start: call setupSEH ; The call pushes the offset ; past it in the stack rigth? ; So we will use that :) errorhandler: mov esp,[esp+8] ; Put the original SEH offset ; Error gives us old ESP ; in [ESP+8] push 00000000h ; Parameters for MessageBoxA push offset szTitle push offset szMessage push 00000000h call MessageBoxA push 00000000h call ExitProcess ; Exit Application setupSEH: push dword ptr fs:[0] ; Push original SEH handler mov fs:[0],esp ; And put the new one (located ; after the first call) mov ebx,0BFF70000h ; Try to write in kernel (will mov eax,012345678h ; generate an exception) xchg eax,[ebx] end start % Another possible thing to do : AntiDebugging % ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ Jacky Qwerty's Win32.Cabanas uses SEH also for anti-debug features. Very easy to implement. You have to set up SEH, as showed above, generate an exception (the above code can be used) and then make the handler point to the continuation of the virus code, and restore old handler. Simple and effective :) % Final words % ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ Hey, now you haven't any excuse for don't use SEH in your viruses! For what the hell are you waiting for? Well, as you can see, the use of SEH is very easy to understand, takes few lines of code, and can help us a lot. Billy Belceb£, mass killer and ass kicker.