Misusing Structured Exception Handlers

Created the Monday 13 June 2022. Updated 6 months, 3 weeks ago.

Misusing Structured Exception Handlers is a technique used by malware to make it more difficult for security analysts to reverse engineer the code. Structured Exception Handlers (SEH) are functions that are used to handle exceptions in a program. These can be misused by malware to fool disassemblers and make it harder to analyze the code. One way this is done is by using the FS segment register to gain access to the Thread Environment Block (TEB), which contains a pointer to the Structured Exception Handler (SEH) chain.

The SEH chain functions like a stack, with the most recently pushed function being the one that is executed when an exception occurs. By manipulating the SEH chain, malware authors can make it more difficult for analysts to understand the code and identify any potentially malicious behavior.

Technique Identifiers

U0218 B0032.016

Technique Tags

Structured Exception Handlers (SEH) Exception handling Thread Environment Block (TEB) Structured Exception Handler (SEH) chain FS segment register

Code Snippets

Description

In this code, the push_seh and pop_seh functions are used to manipulate the SEH chain. The handle_exception function is pushed onto the SEH chain, so that it will be executed when an exception occurs. When the exception is handled, the handle_exception function is popped off the SEH chain. This technique can be used by malware to make it more difficult for security analysts to understand the code and identify any potentially malicious behavior.

#include <Windows.h>
#include <stdio.h>

// Function to push a new function onto the SEH chain
void push_seh(LPVOID fn)
{
    // Use the FS segment register to gain access to the TEB
    __asm
    {
        mov eax, dword ptr fs:[0]
    }

    // The first structure in the TEB is the TIB,
    // which contains a pointer to the SEH chain
    __asm
    {
        mov eax, dword ptr[eax + 0x04]
    }

    // Push the new function onto the SEH chain
    __asm
    {
        push fn
        push dword ptr[eax]
        mov dword ptr[eax], esp
    }
}

// Function to pop a function off the SEH chain
void pop_seh()
{
    // Use the FS segment register to gain access to the TEB
    __asm
    {
        mov eax, dword ptr fs:[0]
    }

    // The first structure in the TEB is the TIB,
    // which contains a pointer to the SEH chain
    __asm
    {
        mov eax, dword ptr[eax + 0x04]
    }

    // Pop the top function off the SEH chain
    __asm
    {
        mov esp, dword ptr[eax]
        pop dword ptr[eax]
    }
}

// Function to handle exceptions
DWORD handle_exception(EXCEPTION_POINTERS *ep)
{
    // Print a message when an exception occurs
    printf("Exception occurred!\n");

    // Return the exception code to continue execution
    return ep->ExceptionRecord->ExceptionCode;
}

int main()
{
    // Push the handle_exception function onto the SEH chain
    push_seh(&handle_exception);

    // Cause an exception to occur
    __try
    {
        *(int*)0 = 0;
    }
    __except (EXCEPTION_EXECUTE_HANDLER)
    {
        // Pop the handle_exception function off the SEH chain
        pop_seh();
    }

    return 0;
}

Additional Resources

External Links

The resources provided below are associated links that will give you even more detailed information and research on current evasion technique. It is important to note that, while these resources may be helpful, it is important to exercise caution when following external links. As always, be careful when clicking on links from unknown sources, as they may lead to malicious content.

https://1malware1.medium.com/anti-disassembly-techniques-e012338f2ae0