/-----------------------------\ | Xine - issue #3 - Phile 102 | \-----------------------------/ ; ; ; ; SIMPLE TEST OF THE SEH METHOD IN WIN32 ; Written by Murkry/IkX ; ; ; Works restore the regs to original when done. ;Object it to have a exception occur and catch it restore the stack to just ;b4 we installed the handler. ;very simple aplication and I am sure I am missing something, ;but since JQ did not illuminate with his virus I figure the least I could ;do was throw some code together that let people play with this neat ;feature. The best thing I can think of here is setting up a seh then ;do things that if the error occurs you know your in NT of win95 and can ;act accordingling. Say you get API addrress routine if SEH gets hit ;exit out graceful from the virus. If you think about it the the possiblities ;are endless. BTW in JQ Cabanas virus he restores his stack to just ;after he did a pusha so he can then do a popa and have his regs in a ;known values. ; ; ; Compiling the sample: ; tasm32 /ml /m3 sehtest,,; ; tlink32 /Tpe /aa /c sehtest,sehtest,, import32.lib ;Murkry .386 .RADIX 16 locals jumps .model flat ,stdcall extrn ExitProcess:PROC extrn MessageBoxA:PROC ;note in the user32.dll .data ;the data area title1 db 'this is a title',0 storage dd 4 dup(0) last db 'SEH TESTER',0 db 0Bh db 0 t db '0_______________' mess dd ? dd ? db ? db '4_______________' ;OLD EXCEPTION HANDLER dd ? dd ? db ? db '8_______________' dd ? dd ? db ? db 'C_______________' dd ? dd ? db ? db '10______________' dd ? dd ? db ? db '14______________' dd ? dd ? db ? db '18______________' dd ? dd ? db ? db '1c______________' dd ? dd ? db ? db '20______________' dd ? dd ? db ? db '24______________' dd ? dd ? db ? db '28______________' dd ? dd ? db ? db '2c______________' dd ? dd ? db ? db '30______________' dd ? dd ? db ? db '34______________' dd ? dd ? db ? db '38______________' dd ? dd ? db ? db '3c______________' dd ? dd ? db ? db '40______________' dd ? dd ? db ? db '44______________' dd ? dd ? db ? db '48______________' dd ? dd ? db ? db '4c______________' dd ? dd ? db ? db '50______________' db 0 .code ;executable code starts here HOST: Push Offset seh ;Set up the SEH push dword ptr fs:[0] mov fs:[0],esp xchg eax,[ebx] ;crash JMP NO_SEH seh: ;IF WE GET HERE THEN AN EXCEPTION HAS OCCURED MOV esp,[ESP + 08] ;gets the ESP when SEH was set POP DWORD PTR FS:[0] ;Restores the SEH for us add esp,4 ;GETS RID OF OUR seh HANDLER NO_SEH: ;ok now just run through a routine to check our stack ;which should now be set to the stack at the start of the program MOV ebx ,(50h/4)+1 mov edi,offset mess LOOP1: mov cx,1ch digit_loop: pop eax push eax shr eax,Cl and ax,000fh sub cx,4 cmp al,9 jle number sub al,0ah add al,41h jmp letter number: or al,30h letter: stosb cmp cx,0fffCh jne digit_loop mov al,0dh stosb add edi,10H pop ecx DEC EBX jnz LOOP1 mov al,0 stosb ;now we call the MenuBox API ;------------------------------------------------------------------------ mov eax, 0 push eax mov eax, offset last ; push eax ; mov eax,offset t ; push eax ; mov eax,0 push eax call MessageBoxA fini: ;left over from a Teacher who use to teach me C++ push LARGE -1 ;call dword ptr edi ;when I used the routine to locate ;the ExitProcess address call ExitProcess ;this simply terminates the program end HOST