SEH Frames Protection
extreme
Is there any tool or way (tutorial) to do this? Someone told me that this is a nice way of making a file "dynamic".
nolimit
Could you perhaps explain what you want better? There are SEH chains, established in stack frames. But what do you mean by keeping the file dynamic?
extreme
I was exploring modifications of files to see which method bypasses which AVs, and the only clue I got is that SEH frames protection is the key for a NOD bypass. I couldn't figure out how to get a result out of this clue.
z0mbi3
I was thinking what nolimit said.

Found these, might be useful:

http://www.madchat.org/vxdevl/papers/winsys/seh.txt
nolimit
Maybe you mean using the default SEH as a method of starting code you've placed in the executable?
extreme
Maybe you can give some live example?
z0mbi3
QUOTE(extreme @ Jun 21 2005, 09:39 PM)
Maybe you can give some live example?

If that's to me, I don't know much about SEH in files to bypass AVs, so I googled it and found that link.
nolimit
ehh
Find a code cave in the EXE,
write the virus to the code cave,
overwrite FS:[4] of the main thread to point to the newly written code cave.

When an exception occurs in the main thread, KiUserExceptionDispatcher will dispatch to the default SEH handler, which you overwrote in FS:[4].
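The first step of the procedure nolimit sketches, locating a code cave, as an added example written for this page (it is not code from the thread). It builds a constructed, minimal PE32 image inline, parses the section table, and reports runs of null bytes inside executable sections together with the file offset, RVA and the virtual address (ImageBase plus RVA) that a handler pointer would have to hold. The sample image, the builder and the 32-byte threshold are assumptions for the demo. Installing the handler itself is Windows-specific and is not shown; two caveats for anyone trying the rest of the recipe: only bytes the loader actually maps (up to VirtualSize) are usable as a cave, and on 32-bit Windows the head of the per-thread SEH chain is the ExceptionList pointer at FS:[0] of the TEB, while FS:[4] holds the thread's stack base.

```python
import struct

# Section characteristic flags from the PE/COFF specification.
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def parse_pe32(data):
    """Return (image_base, sections) for a PE32 image held in memory."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 (32-bit) images are handled here")
    image_base = struct.unpack_from("<I", data, opt + 28)[0]
    sections = []
    for i in range(num_sections):
        off = opt + opt_size + 40 * i  # section table follows the optional header
        name, vsize, va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, off)
        chars = struct.unpack_from("<I", data, off + 36)[0]
        sections.append({"name": name.rstrip(b"\0").decode("ascii"), "virtual_size": vsize,
                         "va": va, "raw_size": raw_size, "raw_ptr": raw_ptr,
                         "characteristics": chars})
    return image_base, sections


def find_code_caves(data, min_size=32, fill=0x00):
    """List runs of `fill` bytes of at least min_size inside executable sections."""
    image_base, sections = parse_pe32(data)
    caves = []
    for s in sections:
        if not s["characteristics"] & IMAGE_SCN_MEM_EXECUTE:
            continue  # a cave in a non-executable section cannot hold code that runs
        # Only bytes the loader actually maps are usable: cap the scan at VirtualSize.
        length = min(s["raw_size"], s["virtual_size"])
        raw = data[s["raw_ptr"]:s["raw_ptr"] + length]
        run_start = None
        for i, b in enumerate(raw + bytes([fill ^ 0xFF])):  # sentinel closes a trailing run
            if b == fill:
                if run_start is None:
                    run_start = i
            elif run_start is not None:
                run_len = i - run_start
                if run_len >= min_size:
                    rva = s["va"] + run_start
                    caves.append({"section": s["name"], "file_offset": s["raw_ptr"] + run_start,
                                  "rva": rva, "va": image_base + rva, "size": run_len})
                run_start = None
    return caves


def build_sample_pe():
    """Construct a minimal PE32 image for the demo (an assumption, not a real program)."""
    image_base, sect_align, file_align = 0x400000, 0x1000, 0x200
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                          # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0xE0, 0x0102)  # i386, 2 sections, PE32 opt hdr
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                            # PE32 magic
    struct.pack_into("<I", opt, 16, 0x1000)                          # AddressOfEntryPoint
    struct.pack_into("<III", opt, 28, image_base, sect_align, file_align)

    def section(name, va, raw_ptr, raw_size, chars):
        return struct.pack("<8sIIIIIIHHI", name, raw_size, va, raw_size, raw_ptr, 0, 0, 0, 0, chars)

    headers = (bytes(dos) + b"PE\0\0" + coff + bytes(opt)
               + section(b".text", 0x1000, 0x200, 0x200,
                         IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ)
               + section(b".data", 0x2000, 0x400, 0x200,
                         IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE))
    headers = headers.ljust(file_align, b"\0")
    # 64 bytes of "code": a prologue, an 8-byte zero gap too small to count, NOPs, ret.
    code = b"\x55\x8b\xec\x83\xec\x10" + b"\x00" * 8 + b"\x90" * 49 + b"\xc3"
    text = code.ljust(0x200, b"\0")   # 448 bytes of section padding: the cave
    data = b"\0" * 0x200              # all zero, but not executable, so it must be ignored
    return headers + text + data


if __name__ == "__main__":
    for cave in find_code_caves(build_sample_pe()):
        print(f"{cave['section']}: {cave['size']} bytes at file offset 0x{cave['file_offset']:x}, "
              f"RVA 0x{cave['rva']:x}, VA 0x{cave['va']:x}")
```

Run as a script it reports the single 448-byte cave at the end of .text (RVA 0x1040, VA 0x401040) and says nothing about the all-zero .data section; lowering min_size to 8 also surfaces the small gap inside the code, which the default threshold deliberately ignores.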
