Vuln Dev
overwriting SEH and debugging Dec 20 2007 04:05PM
opexoc gmail com (1 replies)
Re: overwriting SEH and debugging Dec 20 2007 05:36PM
H D Moore (sflist digitaloffense net) (1 replies)
Re: overwriting SEH and debugging Dec 22 2007 07:19PM
Dude VanWinkle (dudevanwinkle gmail com) (1 replies)
On Dec 20, 2007 12:36 PM, H D Moore <sflist (at) digitaloffense (dot) net> wrote:
> This occurs because of a feature known as "SafeSEH". This is a new
> compiler flag that creates a list of registered SEH handlers within each
> executable and DLL. If your target executable was compiled with /SafeSEH
> and you try to return into a module that has also been compiled with
> this feature, but the address you chose is not in the list of registered
> handlers, then the exception handling code will not transfer execution.
>
> There are a few options to work around this:
>
> 1. On Windows 2003, prior to SP1, SafeSEH was essentially broken and you
> can return to DLLs such as "ATL.dll" and a few others without the
> registered list being checked.

Do ATL.dll and friends equate to the SEH version of XPSP2's
starforce.dll (where you can turn off DEP by invoking it), meaning
does calling them cancel out all SafeSEH security, or are they just
free from the SafeSEH restrictions by themselves?

I assume it's the latter, but just thought I would ask...

-JP<who hopes DRM software needs the same coddling as video games>

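As an added example that is not part of this thread (my code, not H D Moore's or SecurityFocus'), a small Python check for the mechanism the quoted reply describes: it reads a 32-bit PE file's load configuration directory and reports whether the module carries the registered handler list (SEHandlerTable/SEHandlerCount) that /SafeSEH emits, which is what decides whether the exception dispatcher can validate a handler address inside that module at all. It assumes the raw PE file is passed in as bytes; the function and result key names are mine.

```python
import struct

IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG = 10    # index into the optional header's data directories
IMAGE_DLLCHARACTERISTICS_NO_SEH = 0x0400  # module declares it contains no SEH handlers at all

def _rva_to_offset(rva, sections):
    """Translate an RVA to a file offset via the section table (None if unmapped)."""
    for va, raw_size, raw_ptr in sections:
        if va <= rva < va + raw_size:
            return rva - va + raw_ptr
    return None

def safeseh_status(pe: bytes) -> dict:
    """Report whether a 32-bit PE image carries the SafeSEH handler list.
    Returns {"protected": bool, "detail": str, "handler_count": int | None}."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE image")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4
    nsect = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    opt = coff + 20
    if struct.unpack_from("<H", pe, opt)[0] != 0x10B:
        return {"protected": False, "detail": "not PE32: SafeSEH only exists for x86 images", "handler_count": None}
    dll_chars = struct.unpack_from("<H", pe, opt + 70)[0]
    if dll_chars & IMAGE_DLLCHARACTERISTICS_NO_SEH:
        return {"protected": True, "detail": "NO_SEH flag set: no handler may live in this module", "handler_count": 0}
    # PE32 data directories begin 96 bytes into the optional header, 8 bytes (RVA, size) each.
    lc_rva, lc_size = struct.unpack_from("<II", pe, opt + 96 + 8 * IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG)
    if lc_rva == 0 or lc_size == 0:
        return {"protected": False, "detail": "no load config directory (not linked with /SAFESEH)", "handler_count": None}
    sections = []
    for i in range(nsect):
        hdr = opt + opt_size + 40 * i  # section headers follow the optional header
        sections.append(struct.unpack_from("<III", pe, hdr + 12))  # VirtualAddress, SizeOfRawData, PointerToRawData
    off = _rva_to_offset(lc_rva, sections)
    if off is None:
        return {"protected": False, "detail": "load config RVA not backed by any section", "handler_count": None}
    # IMAGE_LOAD_CONFIG_DIRECTORY32: Size at +0, SEHandlerTable at +0x40, SEHandlerCount at +0x44.
    if struct.unpack_from("<I", pe, off)[0] < 0x48:
        return {"protected": False, "detail": "load config too short to hold SEHandlerTable", "handler_count": None}
    table_va, count = struct.unpack_from("<II", pe, off + 0x40)
    if table_va == 0:
        return {"protected": False, "detail": "SEHandlerTable is NULL: handlers in this module are not validated", "handler_count": None}
    return {"protected": True, "detail": "SafeSEH handler list present", "handler_count": count}
```

Running it over every module loaded into a process shows which ones the dispatcher cannot vet, which is the audit a defender wants before relying on SafeSEH as a mitigation.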
Re: overwriting SEH and debugging Dec 22 2007 07:35PM
H D Moore (sflist digitaloffense net)
Copyright 2010, SecurityFocus