
War Room

Shells from above


Analyzing Safe Exception Handlers

December 22, 2014 By Spencer

SafeSEH (Safe Structured Exception Handlers) is a Windows binary protection mechanism for 32-bit executables that has been around for a while now. When a module is built with the /SAFESEH linker option, the linker records the address of every legitimate exception handler in the module's SEHandlerTable, which lives in the PE file's load configuration directory. This blocks a common exploitation technique: overwriting an exception registration record on the stack so that an attacker-chosen "handler" is called when an exception is thrown. An attacker who controls that handler address has limited choices. DEP (Data Execution Prevention), which is on in all modern operating systems, requires the chosen address to be executable, which in practice restricts it to the .text sections of loaded modules. If the address falls inside a module built with SafeSEH, the exception dispatcher in ntdll compares it against that module's SEHandlerTable and refuses to call it unless it is found, so the attacker is left with either a registered handler or an address in a module that was not built with SafeSEH.

The safeseh_inspect tool analyzes 32-bit PE files (SafeSEH does not apply to 64-bit binaries) and dumps their SEHandlerTable. Every registered handler is listed with its RVA and VA so the valid addresses can be identified and investigated as candidates for an attacker to use, and the start of each handler is disassembled so a researcher can quickly discard those that are not useful in a given exploit scenario.

Example output from safeseh_inspect (the module's image base is 0x4a800000, so each VA is the image base plus the table entry's RVA):

[13:16:51 Python]% python safeseh_inspect.py ~/Downloads/icuuc30.dll             
[*] loading pe file...
[*] SEHandlerTable VA: 0x4a885ed0 SEHandlerCount: 164
[*]   0000: RVA: 0x00059e2a VA: 0x4a859e2a
        4a859e2a push       esi
        4a859e2b cld        
        4a859e2c mov        esi, dword ptr [esp+0xc]
        4a859e30 mov        ecx, dword ptr [esi+0x8]
        4a859e33 xor        ecx, esi
        4a859e35 call       icuuc30.4a859707
        4a859e3a push       0x0
        4a859e3c push       esi
        4a859e3d push       dword ptr [esi+0x14]
        4a859e40 push       dword ptr [esi+0xc]
[*]   0001: RVA: 0x00059f2f VA: 0x4a859f2f
        4a859f2f push       ebp
        4a859f30 mov        ebp, esp
        4a859f32 push       ecx
        4a859f33 push       ebx
        4a859f34 cld        
        4a859f35 mov        eax, dword ptr [ebp+0xc]
        4a859f38 mov        ecx, dword ptr [eax+0x8]
        4a859f3b xor        ecx, dword ptr [ebp+0xc]
        4a859f3e call       icuuc30.4a859707
        4a859f43 mov        eax, dword ptr [ebp+0x8]
[*]   0002: RVA: 0x0005f1b0 VA: 0x4a85f1b0
        4a85f1b0 sub        esp, 0x14
        4a85f1b3 push       ebx
        4a85f1b4 mov        ebx, dword ptr [esp+0x20]
        4a85f1b8 push       ebp
        4a85f1b9 push       esi
        4a85f1ba mov        esi, dword ptr [ebx+0x8]
        4a85f1bd xor        esi, dword ptr [0x4a89c5b8]
        4a85f1c3 push       edi
        4a85f1c4 mov        eax, dword ptr [esi]
        4a85f1c6 cmp        eax, 0xfffffffe

safeseh_inspect can be found here.
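The table walk that safeseh_inspect performs, and the lookup the exception dispatcher makes against it, can be reproduced with nothing but the Python standard library. The script below is an added example and is not the safeseh_inspect tool or the author's code: it parses the PE32 headers by their documented field offsets, reads the SEHandlerTable and SEHandlerCount fields of IMAGE_LOAD_CONFIG_DIRECTORY32, prints the table in the same format as above, and answers whether a given address would pass the table check. The build_sample_pe() helper, its image base 0x10000000 and the handler RVAs it contains are constructed here purely so the script runs without a real DLL; pass a path to a 32-bit PE to inspect a real module instead.

```python
"""Added example (not the safeseh_inspect tool): list the SafeSEH handler table
of a PE32 file with the standard library only, following the documented offsets
of IMAGE_NT_HEADERS32, IMAGE_SECTION_HEADER and IMAGE_LOAD_CONFIG_DIRECTORY32.
build_sample_pe() fabricates a throw-away image so the script runs offline."""
import struct
import sys

LOAD_CONFIG_INDEX = 10              # IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
DLLCHARACTERISTICS_NO_SEH = 0x0400  # no handler in this image may ever be called
PE32_MAGIC = 0x10B                  # PE32+ (64-bit) is 0x20B and has no SafeSEH


def _rva_to_offset(rva, sections):
    """Map an RVA to a file offset using (va, raw_size, raw_ptr) section tuples."""
    for va, raw_size, raw_ptr in sections:
        if va <= rva < va + raw_size:
            return raw_ptr + (rva - va)
    raise ValueError("RVA 0x%08x is not backed by any section" % rva)


def parse_safeseh(data):
    """Return a dict with image base, NO_SEH flag, SEHandlerTable VA and handler VAs.
    No load config directory or SEHandlerCount == 0 means no SafeSEH: empty list."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    fh = e_lfanew + 4                                   # IMAGE_FILE_HEADER
    num_sections, opt_size = struct.unpack_from("<H12xH", data, fh + 2)
    opt = fh + 20                                       # IMAGE_OPTIONAL_HEADER32
    if struct.unpack_from("<H", data, opt)[0] != PE32_MAGIC:
        raise ValueError("SafeSEH applies to PE32 (32-bit) images only")
    # ImageBase (+28), DllCharacteristics (+70), NumberOfRvaAndSizes (+92)
    image_base, dll_chars, num_dirs = struct.unpack_from("<I38xH20xI", data, opt + 28)
    # Section headers follow the optional header: (VirtualAddress, SizeOfRawData, PointerToRawData)
    sections = [struct.unpack_from("<III", data, opt + opt_size + i * 40 + 12)
                for i in range(num_sections)]
    info = {"image_base": image_base, "table_va": 0, "handlers": [],
            "no_seh": bool(dll_chars & DLLCHARACTERISTICS_NO_SEH)}
    if num_dirs <= LOAD_CONFIG_INDEX:
        return info
    lc_rva, = struct.unpack_from("<I", data, opt + 96 + 8 * LOAD_CONFIG_INDEX)
    if lc_rva == 0:
        return info
    lc = _rva_to_offset(lc_rva, sections)
    size, = struct.unpack_from("<I", data, lc)
    if size < 0x48:     # too short to contain SEHandlerTable / SEHandlerCount
        return info
    table_va, count = struct.unpack_from("<II", data, lc + 0x40)
    if table_va == 0 or count == 0:
        return info
    table = _rva_to_offset(table_va - image_base, sections)
    if table + 4 * count > len(data):
        raise ValueError("SEHandlerTable runs past the end of the file")
    info["table_va"] = table_va
    # Entries are RVAs (the linker emits them in ascending order); report VAs.
    info["handlers"] = [image_base + rva for rva in
                        struct.unpack_from("<%dI" % count, data, table)]
    return info


def is_valid_handler(info, handler_va):
    """Reproduce ntdll's SafeSEH table lookup for an address inside this module.
    Only the table is modelled: a module without one is accepted here, whereas
    the real check then falls back to DEP/executable-page rules (live process)."""
    if info["no_seh"]:
        return False
    if not info["handlers"]:
        return True
    return handler_va in info["handlers"]


def build_sample_pe(image_base=0x10000000, handler_rvas=(0x2010, 0x2040, 0x2100)):
    """Construct a minimal, non-loadable PE32 carrying a SafeSEH table (test data)."""
    sec_rva, sec_off, table_rva = 0x1000, 0x200, 0x1100
    dos = (b"MZ" + b"\0" * 58 + struct.pack("<I", 0x80)).ljust(0x80, b"\0")
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x2102)  # i386, 1 section
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, PE32_MAGIC)
    struct.pack_into("<III", opt, 28, image_base, 0x1000, 0x200)  # base, section/file align
    struct.pack_into("<II", opt, 56, 0x3000, 0x200)               # SizeOfImage, SizeOfHeaders
    struct.pack_into("<H", opt, 70, 0x0100)                        # DllCharacteristics: NX_COMPAT
    struct.pack_into("<I", opt, 92, 16)                            # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8 * LOAD_CONFIG_INDEX, sec_rva, 0x48)
    sec_hdr = struct.pack("<8sIIIIIIHHI", b".rdata", 0x200, sec_rva, 0x200, sec_off,
                          0, 0, 0, 0, 0x40000040)
    headers = (dos + b"PE\0\0" + file_hdr + bytes(opt) + sec_hdr).ljust(sec_off, b"\0")
    rdata = bytearray(0x200)                                        # .rdata, load config first
    struct.pack_into("<I", rdata, 0, 0x48)                          # IMAGE_LOAD_CONFIG_DIRECTORY32.Size
    struct.pack_into("<II", rdata, 0x40, image_base + table_rva, len(handler_rvas))
    struct.pack_into("<%dI" % len(handler_rvas), rdata, table_rva - sec_rva, *handler_rvas)
    return headers + bytes(rdata)


if __name__ == "__main__":
    info = parse_safeseh(open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe())
    print("[*] SEHandlerTable VA: 0x%08x SEHandlerCount: %d" % (info["table_va"], len(info["handlers"])))
    for i, va in enumerate(info["handlers"]):
        print("[*]   %04d: RVA: 0x%08x VA: 0x%08x" % (i, va - info["image_base"], va))
```

Two caveats are built into is_valid_handler(): a module whose DllCharacteristics carry IMAGE_DLLCHARACTERISTICS_NO_SEH can never supply a handler, table or not, and a module with no table is not rejected by SafeSEH at all, which is exactly why modules loaded without /SAFESEH are what an attacker looks for first. The script also rejects PE32+ images up front, since 64-bit Windows uses a different unwinding model and has no SEHandlerTable to inspect.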

