flat assembler
Message board for the users of flat assembler.

[SOLVED] SEH Code to bypass Privileged instruction exception

typedef 03 Mar 2012, 11:52
Is it possible to jump over this IN AL, DX? I tried this but it just closes the app.

Code:
        PUSH    Handler
        PUSH    DWORD PTR FS:[0]
        MOV     DWORD PTR FS:[0],ESP

        IN      AL, DX          ; This block contains code that runs in a system dll and therefore triggers the exception.
        JMP     No_Exception
Handler:
        MOV     EAX, [ESP+4]    ; ???
        INC     EAX
        JMP     EAX
No_Exception:



Doesn't seem to work. Any suggestions?


Last edited by typedef on 05 Mar 2012, 19:42; edited 1 time in total
revolution 03 Mar 2012, 12:13
SEH handlers are executed in the context of an exception. You must properly return back through the exception mechanism to restart the app. If you want to skip an instruction then you must alter the CONTEXT record in your SEH handler and then return back to the OS exception handler to clean up and restart the app. If you try to cheat it like above then it won't work because any further exception will cause the app to quit without warning.
typedef 03 Mar 2012, 19:01
I'm reading this article for now http://www.microsoft.com/msj/0197/exception/exception.aspx


I'll get back at you rev.
JohnFound 03 Mar 2012, 20:20
You can try the _exceptions.inc macros from FreshLib.


The code is as follows:
Code:
        beginTry
        in      al, dx
        onException
          Ignore         ; or Retry, or Next
        endTry



There is a good example about exceptions in the Fresh examples directory.
typedef 04 Mar 2012, 00:50
The app is in C; I'm just using inline assembly. It seems like there's no way of getting past it since even debuggers lose control of it and the app either closes or crashes.

It does crash when there's no user specified handler but when I provide one it terminates.


Last edited by typedef on 04 Mar 2012, 02:01; edited 1 time in total
revolution 04 Mar 2012, 01:09
typedef wrote:
It does crash when there's no user specified handler but when I provide one it terminates.
That is because your handler is wrong. You have to use the CONTEXT record, adjust the EIP field, and return properly back to the OS if you want to achieve anything other than premature termination.
revolution 04 Mar 2012, 02:21
typedef wrote:
So would Get/SetThreadContext work in the handler section ?
No.

Perhaps this will help:
Code:
generic_handler:
        virtual at esp+4
          .pExcept        dd      ?
          .pFrame         dd      ?
          .pContext       dd      ?
          .pDispatch      dd      ?
        end virtual
        mov     eax,[.pContext]
        mov     edx,[eax+CONTEXT.Eip]
        ;do something
        mov     [eax+CONTEXT.Eip],edx
        xor     eax,eax
        ret     16
typedef 04 Mar 2012, 02:21
Working with this API for now. It seems like I'm getting there.

SetUnhandledExceptionFilter
revolution 04 Mar 2012, 02:25
typedef wrote:
Working with this API for now. It seems like I'm getting there.

SetUnhandledExceptionFilter
That is for exceptions that your handler above cannot process. But it works in the same way as the FS:0 handler code.
typedef 04 Mar 2012, 02:52
@rev

Here's how I set it up.

Can you show me what you mean? The following still produces the same effect.

Code:
#include <windows.h>

static LONG WINAPI Handler(PEXCEPTION_POINTERS pExceptionInfo)
{
    PCONTEXT ContextRecord = pExceptionInfo->ContextRecord;

    char buff[100] = {0};

    wsprintf(buff, "Exception busted\nEIP: 0x%X", ContextRecord->Eip);

A:  //ContextRecord->Eip++;                               // JMP over 0xEC [ IN AL, DX ]

B:  //SetThreadContext(GetCurrentThread(), ContextRecord);

    //MessageBoxA(0, buff, "Ups, Error...", MB_OK);

    return -1; // -1 = EXCEPTION_CONTINUE_EXECUTION
}


Un-comment line A and B and the app will terminate ungratefully.

That code will hang the app as the exception keeps occurring and
revolution 04 Mar 2012, 02:56
That code is for the C wrapper handler. I have no idea what that wrapper does. See the code I posted above, it works for the Win API even with the simple:
Code:
        pushd   generic_handler
        pushd   dword[fs:0]
        mov     [fs:0],esp
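Added example (written for this edit, not revolution's, FreshLib's or typedef's code): a complete fasm Win32 program that ties together the FS:[0] registration and the generic_handler skeleton from revolution's two posts above. The handler leaves the CONTEXT alone on the unwind pass, handles only STATUS_PRIVILEGED_INSTRUCTION raised at the one guarded instruction, then moves CONTEXT.Eip past the one-byte IN AL,DX and returns ExceptionContinueExecution so the OS dispatcher resumes the thread. STATUS_PRIVILEGED_INSTRUCTION and EXCEPTION_UNWINDING are defined locally with their documented values; the CONTEXT structure, MB_OK and the invoke/import macros come from fasm's win32a.inc.

```asm
format PE GUI 4.0
entry start
include 'win32a.inc'
STATUS_PRIVILEGED_INSTRUCTION = 0C0000096h     ; NTSTATUS raised for IN/OUT in user mode
EXCEPTION_UNWINDING           = 2              ; ExceptionFlags bit set on the unwind pass

section '.text' code readable executable
start:
        ; link our EXCEPTION_REGISTRATION { Next, Handler } into the FS:[0] chain
        push    seh_handler
        push    dword [fs:0]
        mov     [fs:0],esp
faulting_instruction:
        in      al,dx                ; opcode EC: raises STATUS_PRIVILEGED_INSTRUCTION
after_fault:
        ; unlink the registration again once the guarded code is done
        pop     dword [fs:0]
        add     esp,4
        invoke  MessageBox,0,msg,caption,MB_OK
        invoke  ExitProcess,0

; EXCEPTION_DISPOSITION __cdecl seh_handler(EXCEPTION_RECORD*, void* frame, CONTEXT*, void* dispatch)
seh_handler:
        virtual at esp+4
          .pExcept   dd ?
          .pFrame    dd ?
          .pContext  dd ?
          .pDispatch dd ?
        end virtual
        mov     eax,[.pExcept]
        test    dword [eax+4],EXCEPTION_UNWINDING         ; ExceptionFlags: never edit CONTEXT while unwinding
        jnz     .pass
        cmp     dword [eax],STATUS_PRIVILEGED_INSTRUCTION ; ExceptionCode: only the fault we expect
        jne     .pass
        mov     ecx,[.pContext]
        cmp     dword [ecx+CONTEXT.Eip],faulting_instruction ; and only at the one guarded instruction
        jne     .pass
        mov     dword [ecx+CONTEXT.Eip],after_fault       ; resume just past the 1-byte IN AL,DX
        xor     eax,eax                                   ; ExceptionContinueExecution
        ret
.pass:  mov     eax,1                                     ; ExceptionContinueSearch: let the next frame decide
        ret

section '.data' data readable writeable
        msg     db 'IN AL,DX was skipped by the SEH handler.',0
        caption db 'SEH demo',0

section '.idata' import data readable writeable
        library kernel32,'KERNEL32.DLL',user32,'USER32.DLL'
        import  kernel32,ExitProcess,'ExitProcess'
        import  user32,MessageBox,'MessageBoxA'
```

The EIP check is what keeps this from masking unrelated faults: any other exception reaching this frame is passed on with ExceptionContinueSearch instead of being silently skipped.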
typedef 04 Mar 2012, 05:21
Yeah, I'm sorry, I just realized I posted before I read your posts. I was on the same page the whole day without refreshing it.

Thanks revolution. I was doing something terribly wrong in my code and it ended up getting into system DLL space. (Glitch ?) This is where the library contains IN AL, DX.

But now it's fixed without the need for SEH.
Copyright © 1999-2024, Tomasz Grysztar.