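Reverse Engineering code of SEHOP Chain Validation by x90c (geinblues@gmail.com)

--[ sehop_chain_validation.c ]--

typedef struct _EXCEPTION_REGISTRATION_RECORD {
    struct _EXCEPTION_REGISTRATION_RECORD *Next;   /* +0: next record in the SEH chain        */
    PEXCEPTION_ROUTINE Handler;                    /* +4: handler registered for this record  */
} EXCEPTION_REGISTRATION_RECORD, *PEXCEPTION_REGISTRATION_RECORD;

/*
 * Walk the SEH chain from the first registration record and raise a
 * validation error unless every record (a) lies inside the stack limits,
 * (b) is 4-byte aligned and (c) has a Handler that is NOT inside the stack.
 * The walk ends at the 0xFFFFFFFF symbolic record.
 *
 * The conditions below follow the ntdll!RtlDispatchException disassembly
 * further down: that loop only walks and checks the chain, it does not call
 * any handler (dispatch happens elsewhere, outside this loop).
 *
 * stack_bottom / stack_top are the limits read from [ebp-8] / [ebp-0Ch]
 * (0x12c000 / 0x130000 in this trace; with stack ASLR the range changes).
 */
register PEXCEPTION_REGISTRATION_RECORD E_R = first_E_R_struct;

SEHOP_CHAIN_VALIDATION:
{
    /*
     * Record starts below the stack, or E_R+8 lies above it?  E_R+8 is the
     * slot the author calls "scopetable"; it is also one past the end of
     * the two-pointer record, so this bounds the whole record on the stack.
     */
    if ((uintptr_t)E_R < stack_bottom || (uintptr_t)E_R + 8 > stack_top)
        SEHOP_validation_error();

    /* Record not 4-byte aligned?  (test bl,3 / jne error: error when low bits are set) */
    if ((uintptr_t)E_R & 0x3)
        SEHOP_validation_error();

    /*
     * Handler INSIDE the stack area (stack_bottom <= Handler < stack_top)?
     * A handler below stack_bottom is accepted (jb -> next record); one
     * between the two limits is rejected.  This is what blocks a handler
     * that points at stack-resident data.
     */
    if ((uintptr_t)E_R->Handler >= stack_bottom &&
        (uintptr_t)E_R->Handler <  stack_top)
        SEHOP_validation_error();

    E_R = E_R->Next;    /* mov ebx,[ebx]: move to the next chain record */

    /*
     * Reached the symbolic record (0xFFFFFFFF, kept in edi)?  The last real
     * record is expected to be the one registered for
     * ntdll!FinalExceptionHandler.
     */
    if ((uintptr_t)E_R != 0xFFFFFFFF)
        goto SEHOP_CHAIN_VALIDATION;
}

-- [ eoc ] --

Disassemble In Win Vista UltimateK sp1 running on VMware.

76e40d9c 8b1b          mov  ebx,dword ptr [ebx]      ; ebx = E_R->Next (listed first by the author; physically follows 76e40d96)
76e40d6d 3b5df8        cmp  ebx,dword ptr [ebp-8]    ; <-- (1) E_R < stack_bottom (12c000)?
76e40d70 0f829ad1feff  jb   ntdll!RtlDispatchException+0x19d (76e2df10)   ; yes -> validation error
76e40d76 8d4308        lea  eax,[ebx+8]              ; eax = E_R+8 (end of the record / "scopetable" slot)
76e40d79 3b45f4        cmp  eax,dword ptr [ebp-0Ch]  ; E_R+8 > stack_top?  (this trace: 12e5dc vs [12db00] = 130000)
76e40d7c 0f878ed1feff  ja   ntdll!RtlDispatchException+0x19d (76e2df10)   ; yes -> validation error
76e40d82 f6c303        test bl,3                     ; low two bits of E_R set (not 4-byte aligned)?
76e40d85 0f8585d1feff  jne  ntdll!RtlDispatchException+0x19d (76e2df10)   ; yes -> validation error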
76e40d8b 8b4304       mov eax,dword ptr [ebx+4]   ; eax = E_R->Handler (offset +4 in the record)
76e40d8e 3b45f8       cmp eax,dword ptr [ebp-8]   ; Handler < stack_bottom (0012c000)?
76e40d91 7209         jb ntdll!RtlDispatchException+0x96 (76e40d9c)   ; yes -> handler is outside the stack: accept, load next record
76e40d93 3b45f4       cmp eax,dword ptr [ebp-0Ch] ; otherwise: Handler < stack_top (00130000)?
76e40d96 0f8274d1feff jb ntdll!RtlDispatchException+0x19d (76e2df10)   ; yes -> handler lies INSIDE the stack -> validation error; not taken -> falls into 76e40d9c mov ebx,[ebx]
76e40d9e 3bdf         cmp ebx,edi                 ; ebx (now E_R->Next) == edi (FFFFFFFFh sentinel, per the author's trace)?
76e40da0 75cb         jne ntdll!RtlDispatchException+0x67 (76e40d6d)   ; not the sentinel -> validate the next record