Advertisement
waliedassar

LdrpIsImageSEHValidationCompatible

Jan 21st, 2013
568
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 1.29 KB | None | 0 0
  1. //http://waleedassar.blogspot.com
  2. //http://www.twitter.com/waleedassar
  3.  
  4. At process startup, if the PE header of the main executable does not have
  5. the "IMAGE_DLLCHARACTERISTICS_NX_COMPAT" bit flag set, then the
  6. "LdrpIsImageSEHValidationCompatible" function is called to determine if
  7. the current executable should be exempted/Opted-Out of the "SEH overwrite
  8. protection" a.k.a SEHOP.
  9.  
  10. One typical example of executables that are not compatible with SEHOP is
  11. Armadillo-protected files.
  12.  
  13. The function takes the "MajorLinkerVersion" and "MinorLinkerVersion" fields
  14. as sign of these executables, where they have the values of 0x53 and 0x52
  15. respectively.
  16.  
  17. If 0x53 and 0x52 are found, then the function returns false and a global ntdll
  18. variable called "_RtlpProcessECVDisabled" is set to 1. The function is of no
  19. use unless the SEHOP is enabled system-wide.
  20.  
  21. Later on, this "_RtlpProcessECVDisabled" variable is checked for the value "1" and
  22. if found, the "ZwSetInformationProcess" function is called with the
  23. "ProcessInformationClass" parameter set to 0x22 (ProcessExecuteFlags). This ZwSet-
  24. InformationProcess call ends up setting the "DisableExceptionChainValidation" bit flag
  25. of the "_KEXECUTE_OPTIONS" structure in corresponding "_KPROCESS" structure.
  26.  
  27. Demo:
  28. http://goo.gl/CFPfs
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement