Details of bypassing the SafeSEH mechanism by using modules that do not enable SafeSEH
2022-06-12 13:57:00 【HyperCall】
Introduction to the SafeSEH mechanism and the bypass method
1. When a program is built with SafeSEH (the /SAFESEH linker option), a table of the addresses of all exception handlers the program registers is stored in the PE file. For example, the table might list:
table[0]: 0x40000100 handler1
table[1]: 0x40000200 handler2
table[2]: 0x40000300 handler3
2. When an exception is dispatched, the system checks the handler address against the exception handler table of the PE file that contains that address. Only a PE file built with the SafeSEH option carries such a safe handler table. So if the handler pointer in 1.exe points at an address inside 2.dll, the system does not look that address up in 1.exe's table (an address in 2.dll's space could never appear in 1.exe's table anyway); it looks up the table of the PE file that the handler points into. If 2.dll was not built with SafeSEH, it has no table, so any address inside it is accepted and the handler is released for execution. That is what makes the SafeSEH mechanism bypassable.
SEH-based attacks that execute shellcode usually overwrite the SEH record with the "jmp 06 / pop pop ret" pattern; the descriptions found online are not very detailed, so the full picture is laid out here.
The SEH record as it sits on the stack:
xxx
NEXT pointer -------> the next SEH record in the chain
handler pointer ------> address of the handler function
xxx
If an overflow gives us the chance to overwrite from the NEXT pointer upward (the stack grows downward, so the overflow runs toward higher addresses), the obvious idea is to point the handler at the bytes that immediately follow it. The stack would then look like this:
xxx
destroyed NEXT pointer -------> ???
handler pointer ------> start of shellcode
start of shellcode
…
If an exception occurs now, execution would go straight to the start of the shellcode. But because of the SafeSEH mechanism it does not: the shellcode lives on the stack, not inside the image of 1.exe, so the address cannot be found in 1.exe's safe handler table (or in any module's table), and the dispatcher refuses to call it.
So the attack has to change to the jmp 06 / pop pop ret form. The overwritten stack region becomes:
xxx
EB 06 (in place of NEXT) ------> jmp to the start of the shellcode
handler pointer ------> address of a pop pop ret instruction sequence inside 2.dll
start of shellcode
…
The two bytes EB 06 encode a short jump of +6 relative to the instruction that follows them: they skip the remaining 2 bytes of the NEXT field plus the 4-byte handler pointer and land exactly on the start of the shellcode.
Suppose 2.dll contains this instruction sequence:
pop eax
pop ecx
ret
The handler pointer now points into 2.dll, which did not enable SafeSEH, so the SafeSEH check is passed and the mechanism is bypassed. The remaining question is how to bring EIP back to the position of the original NEXT pointer (where EB 06 now sits) so that execution enters the shellcode.
That is exactly what the pop pop ret is for.
First, you need to know the form of an exception handler function:
EXCEPTION_DISPOSITION __cdecl _except_handler(
    EXCEPTION_RECORD *ExceptionRecord,
    EXCEPTION_REGISTRATION_RECORD *EstablisherFrame,
    CONTEXT *pContext,
    PVOID pValue
);
The return value EXCEPTION_DISPOSITION is an enumeration with the values 0 to 3 (ExceptionContinueExecution, ExceptionContinueSearch, ExceptionNestedException, ExceptionCollidedUnwind).
The exception dispatcher is responsible for calling the handler. It pushes the arguments from right to left and calls it:
push pValue
push pContext
push EstablisherFrame
push ExceptionRecord
call _except_handler
On entry to _except_handler the stack is therefore laid out as follows (ESP at the top):
return EIP pushed by the call
ExceptionRecord
EstablisherFrame ------> points to the SEH record on the chain, i.e. the NEXT pointer field (where EB 06 now sits)
pContext
pValue
So the two pops discard the return address and ExceptionRecord, and the ret pops EstablisherFrame into EIP: execution lands on EB 06, which jumps over the handler pointer and into the shellcode.
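The whole control-flow chain, as an added C example that is not part of the original post: it builds the 8-byte overwrite described above, checks where the EB 06 short jump lands, and steps through the dispatcher's argument pushes and the pop/pop/ret on a simulated 32-bit stack. The addresses (SEH record at 0x0012ff40 on the stack, gadget at 0x10001abc in a hypothetical 2.dll, the other pushed values) are constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed addresses for the walk-through (not from a real target). */
#define SEH_RECORD_ADDR 0x0012ff40u   /* where the overwritten SEH record sits on the stack */
#define PPR_GADGET      0x10001abcu   /* pop eax / pop ecx / ret inside "2.dll" */

/* Build the 8-byte overwrite: NEXT field = "jmp short +6" plus padding,
 * handler field = address of the pop/pop/ret gadget (little-endian). */
size_t build_seh_overwrite(uint8_t *out) {
    out[0] = 0xEB; out[1] = 0x06;     /* jmp short +6: skip 2 pad bytes + 4-byte handler */
    out[2] = 0x90; out[3] = 0x90;     /* padding so NEXT is a full 4-byte field */
    out[4] = (uint8_t)(PPR_GADGET & 0xff);
    out[5] = (uint8_t)((PPR_GADGET >> 8) & 0xff);
    out[6] = (uint8_t)((PPR_GADGET >> 16) & 0xff);
    out[7] = (uint8_t)((PPR_GADGET >> 24) & 0xff);
    return 8;                         /* the shellcode is placed at offset 8 */
}

/* Target of a short jmp at rec[0]: address of the next instruction (+2) plus rel8. */
uint32_t short_jmp_target(const uint8_t *rec, uint32_t rec_addr) {
    return rec_addr + 2 + (uint32_t)(int8_t)rec[1];
}

/* Model what the dispatcher pushes before `call handler`, then execute
 * pop / pop / ret on that stack and return the resulting EIP. */
uint32_t simulate_pop_pop_ret(uint32_t establisher_frame) {
    uint32_t stack[5];
    stack[0] = 0x7c901234u;           /* return EIP pushed by the call (constructed) */
    stack[1] = 0x0012f000u;           /* ExceptionRecord (constructed) */
    stack[2] = establisher_frame;     /* EstablisherFrame = address of the SEH record */
    stack[3] = 0x0012f100u;           /* pContext (constructed) */
    stack[4] = 0x0012f200u;           /* pValue (constructed) */
    size_t esp = 0;                   /* index of the top of stack */
    esp++;                            /* pop eax: discards the return address */
    esp++;                            /* pop ecx: discards ExceptionRecord */
    uint32_t eip = stack[esp];        /* ret: pops EstablisherFrame into EIP */
    return eip;
}

int main(void) {
    uint8_t rec[8];
    build_seh_overwrite(rec);
    uint32_t eip = simulate_pop_pop_ret(SEH_RECORD_ADDR);
    printf("after pop/pop/ret EIP = 0x%08x (SEH record at 0x%08x)\n", eip, SEH_RECORD_ADDR);
    printf("EB 06 at that address jumps to 0x%08x = record + 8 (shellcode start)\n",
           short_jmp_target(rec, eip));
    return 0;
}
```

The two results together are the whole bypass: EIP first lands on the NEXT field (the SafeSEH check only ever saw the 2.dll gadget address), and the EB 06 stored there carries it six bytes forward, past the handler pointer, onto the shellcode.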