,, MMP""MM""YMM `7MM P' MM `7 MM MM MMpMMMb. .gP"Ya MM MM MM ,M' Yb MM MM MM 8M"""""" MM MM MM YM. , .JMML. .JMML JMML.`Mbmmd' `7MMF' `7MF' `7MMF' `7MMF' `MA ,V MM MM VM: ,V `7M' `MF' MM MM .gP"Ya ,6"Yb.`7M' `MF'.gP"Ya `7MMpMMMb. MM. M' `VA ,V' MMmmmmmmMM ,M' Yb 8) MM VA ,V ,M' Yb MM MM `MM A' XMX MM MM 8M"""""" ,pm9MM VA ,V 8M"""""" MM MM :MM; ,V' VA. MM MM YM. , 8M MM VVV YM. , MM MM VF .AM. .MA..JMML. .JMML.`Mbmmd' `Moo9^Yo. W `Mbmmd'.JMML JMML. ,, ,, ,, .g8"""bgd `7MM `7MM mm db .dP' `M MM MM MM dM' ` ,pW"Wq. MM MM .gP"Ya ,p6"bo mmMMmm `7MM ,pW"Wq.`7MMpMMMb. MM 6W' `Wb MM MM ,M' Yb 6M' OO MM MM 6W' `Wb MM MM MM. 8M M8 MM MM 8M"""""" 8M MM MM 8M M8 MM MM `Mb. ,'YA. ,A9 MM MM YM. , YM. , MM MM YA. ,A9 MM MM `"bmmmd' `Ybmd9'.JMML..JMML.`Mbmmd' YMbmd' `Mbmo.JMML.`Ybmd9'.JMML JMML. -- Contact -- https://twitter.com/vxunderground vxug@null.net

Well, this is a very simple tutorial about the Structured Exception Handler. When i saw SEH implemented in a virus, i thought "Well, it does a lot. Must be very hard to implement". So i simple skipped its use. But, as my Destiny made General Protection Faults running under NT, as i read in 0BFF70000h, i realized that i had to do something. And SEH was the only way. Well, we can do it very complex to understand, or very easy. Of course, i prefer to do it more easy :)

Setting up the SEH frame

Firstly we save it for our own safety with a simple text line.

        push    dword ptr fs:[0]

And now it's time to make the thingy to point to our handler (for example, imagine that we used a call for call the setup of the SEH, and our handler is just after that call instructions: we can use the offset of ret for make it point there)

        push    offset SEH_Handler
        mov     fs:[0],esp

Well, as easy as it gets. What about restore the original SEH? More easy. Simply do the opposite of the first instruction.

        pop     dword ptr fs:[0]

It's surprising that that very simple thing for implement if our Windoze viruses could do for us. For me (as it was the use of SEH i was searching) the most important one is that i can help us to avoid all that goddamn blue screens when we run our Win95 virus under NT enviroments. That goddamn blue screen appears everytime we try to make comparisons over our hardcoded Win95 kernel under NT.

Example of SEH use

Well, you can compile this with:

	tasm32 /m3 /ml sehtest,,;
	tlink32 /Tpe /aa sehtest,sehtest,,import32.lib
                .model  flat                    ; Good good... 32 bit r0x0r

                extrn   MessageBoxA:PROC        ; Defined APIs
                extrn   ExitProcess:PROC


szTitle         db      "Structured Exception Handler",0
szMessage       db      "Intercepted General Protection Fault!",0


                call    setupSEH                ; The call pushes the offset
                                                ; past it in the stack rigth?
                                                ; So we will use that :)

                mov     esp,[esp+8]             ; Put the original SEH offset
                                                ; Error gives us old ESP
                                                ; in [ESP+8]

                push    00000000h               ; Parameters for MessageBoxA
                push    offset szTitle
                push    offset szMessage
                push    00000000h
                call    MessageBoxA

                push    00000000h
                call    ExitProcess             ; Exit Application

                push    dword ptr fs:[0]        ; Push original SEH handler
                mov     fs:[0],esp              ; And put the new one (located
                                                ; after the first call)

                mov     ebx,0BFF70000h          ; Try to write in kernel (will
                mov     eax,012345678h          ; generate an exception)
                xchg    eax,[ebx]

end     start

Another possible thing to do: AntiDebugging

Jacky Qwerty's Win32.Cabanas uses SEH also for anti-debug features. Very easy to implement. You have to set up SEH, as showed above, generate an exception (the above code can be used) and then make the handler point to the continuation of the virus code, and restore old handler. Simple and effective :)

Final words

Hey, now you haven't any excuse for don't use SEH in your viruses! For what the hell are you waiting for? Well, as you can see, the use of SEH is very easy to understand, takes few lines of code, and can help us a lot.

Billy BelcebĂș,
mass killer and ass kicker.