waliedassar

LdrpIsImageSEHValidationCompatible

Jan 21st, 2013
//http://waleedassar.blogspot.com
//http://www.twitter.com/waleedassar

At process startup, if the PE header of the main executable does not have the
"IMAGE_DLLCHARACTERISTICS_NX_COMPAT" bit flag set, the
"LdrpIsImageSEHValidationCompatible" function is called to determine whether the
current executable should be exempted from (opted out of) the "SEH overwrite
protection", a.k.a. SEHOP. Images that do carry the NX_COMPAT flag never reach
this check.

One typical example of executables that are not compatible with SEHOP is
Armadillo-protected files.

The function uses the "MajorLinkerVersion" and "MinorLinkerVersion" fields of the
optional header as the signature of such executables: in Armadillo-protected
files they hold the values 0x53 and 0x52 respectively (the ASCII bytes "SR").

If 0x53 and 0x52 are found, the function returns FALSE and a global ntdll
variable called "_RtlpProcessECVDisabled" is set to 1. The function is of no use
unless SEHOP is enabled system-wide.

Later on, "_RtlpProcessECVDisabled" is checked for the value 1 and, if found,
"ZwSetInformationProcess" is called with the "ProcessInformationClass" parameter
set to 0x22 (ProcessExecuteFlags). This ZwSetInformationProcess call ends up
setting the "DisableExceptionChainValidation" bit flag of the "_KEXECUTE_OPTIONS"
structure in the corresponding "_KPROCESS" structure.

Demo:
http://goo.gl/CFPfs
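Added example (not part of the original note and not ntdll code): a small C program that applies the same decision to a PE image held in memory, so you can triage a binary and see whether the loader would opt it out of SEHOP. It walks the standard PE layout (e_lfanew, PE signature, IMAGE_FILE_HEADER, then MajorLinkerVersion/MinorLinkerVersion and DllCharacteristics in the optional header), skips the linker-version test when NX_COMPAT is set, and otherwise reports an opt-out when the 0x53/0x52 signature is present. The function names, the sehop_decision enum and the constructed test headers are assumptions made here for illustration; the offsets and flag values are the documented PE ones.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define IMAGE_DOS_SIGNATURE                0x5A4D      /* "MZ" */
#define IMAGE_NT_SIGNATURE                 0x00004550  /* "PE\0\0" */
#define IMAGE_NT_OPTIONAL_HDR32_MAGIC      0x010B
#define IMAGE_NT_OPTIONAL_HDR64_MAGIC      0x020B
#define IMAGE_DLLCHARACTERISTICS_NX_COMPAT 0x0100
#define ARMADILLO_MAJOR_LINKER_VERSION     0x53        /* 'S' */
#define ARMADILLO_MINOR_LINKER_VERSION     0x52        /* 'R' */

/* Fixed offsets of the on-disk PE layout */
#define OFF_E_LFANEW               0x3C  /* IMAGE_DOS_HEADER.e_lfanew */
#define OFF_NT_FILE_HEADER         4     /* right after the 4-byte PE signature */
#define OFF_NT_OPTIONAL_HEADER     24    /* 4 (Signature) + 20 (IMAGE_FILE_HEADER) */
#define OFF_OPT_MAJOR_LINKER       2     /* after the 2-byte Magic */
#define OFF_OPT_MINOR_LINKER       3
#define OFF_OPT_DLLCHARACTERISTICS 0x46  /* identical for PE32 and PE32+ */

typedef enum {
    SEHOP_BAD_IMAGE = -1,  /* not a parseable PE image */
    SEHOP_KEEP      = 0,   /* SEHOP stays enabled for this process */
    SEHOP_OPT_OUT   = 1    /* signature matched: _RtlpProcessECVDisabled would become 1 */
} sehop_decision;

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) { wr16(p, (uint16_t)v); wr16(p + 2, (uint16_t)(v >> 16)); }

/* Mirror the loader's decision for a PE image in memory; only the headers are needed. */
sehop_decision sehop_classify_image(const uint8_t *img, size_t len)
{
    if (len < OFF_E_LFANEW + 4 || rd16(img) != IMAGE_DOS_SIGNATURE)
        return SEHOP_BAD_IMAGE;
    uint32_t e_lfanew = rd32(img + OFF_E_LFANEW);
    /* Need signature, file header and the optional header up to and including DllCharacteristics */
    if (e_lfanew > len || len - e_lfanew < OFF_NT_OPTIONAL_HEADER + OFF_OPT_DLLCHARACTERISTICS + 2)
        return SEHOP_BAD_IMAGE;
    const uint8_t *nt = img + e_lfanew;
    if (rd32(nt) != IMAGE_NT_SIGNATURE)
        return SEHOP_BAD_IMAGE;
    const uint8_t *opt = nt + OFF_NT_OPTIONAL_HEADER;
    uint16_t magic = rd16(opt);
    if (magic != IMAGE_NT_OPTIONAL_HDR32_MAGIC && magic != IMAGE_NT_OPTIONAL_HDR64_MAGIC)
        return SEHOP_BAD_IMAGE;
    /* NX_COMPAT images never reach LdrpIsImageSEHValidationCompatible */
    if (rd16(opt + OFF_OPT_DLLCHARACTERISTICS) & IMAGE_DLLCHARACTERISTICS_NX_COMPAT)
        return SEHOP_KEEP;
    /* The linker-version pair is the only signature the function looks at */
    if (opt[OFF_OPT_MAJOR_LINKER] == ARMADILLO_MAJOR_LINKER_VERSION &&
        opt[OFF_OPT_MINOR_LINKER] == ARMADILLO_MINOR_LINKER_VERSION)
        return SEHOP_OPT_OUT;
    return SEHOP_KEEP;
}

/* Constructed, minimal PE header (not a runnable executable) used to exercise the check. */
size_t build_test_header(uint8_t *buf, size_t cap, uint16_t magic,
                         uint8_t major, uint8_t minor, uint16_t dllchar)
{
    const uint32_t e_lfanew = 0x40;
    const size_t need = e_lfanew + OFF_NT_OPTIONAL_HEADER + 0xF0; /* covers a PE32+ optional header */
    if (cap < need) return 0;
    memset(buf, 0, need);
    wr16(buf, IMAGE_DOS_SIGNATURE);
    wr32(buf + OFF_E_LFANEW, e_lfanew);
    uint8_t *nt = buf + e_lfanew;
    wr32(nt, IMAGE_NT_SIGNATURE);
    int is64 = (magic == IMAGE_NT_OPTIONAL_HDR64_MAGIC);
    wr16(nt + OFF_NT_FILE_HEADER + 0,  is64 ? 0x8664 : 0x014C);  /* Machine */
    wr16(nt + OFF_NT_FILE_HEADER + 16, is64 ? 0xF0 : 0xE0);      /* SizeOfOptionalHeader */
    uint8_t *opt = nt + OFF_NT_OPTIONAL_HEADER;
    wr16(opt, magic);
    opt[OFF_OPT_MAJOR_LINKER] = major;
    opt[OFF_OPT_MINOR_LINKER] = minor;
    wr16(opt + OFF_OPT_DLLCHARACTERISTICS, dllchar);
    return need;
}

/* Classify a constructed header with the given fields. */
sehop_decision sehop_classify_constructed(uint16_t magic, uint8_t major, uint8_t minor, uint16_t dllchar)
{
    uint8_t buf[0x200];
    size_t n = build_test_header(buf, sizeof buf, magic, major, minor, dllchar);
    return n ? sehop_classify_image(buf, n) : SEHOP_BAD_IMAGE;
}

/* Usage: ./sehop_check <file.exe>  (no argument: classify the constructed samples) */
int main(int argc, char **argv)
{
    static const char *names[] = { "bad image", "keep SEHOP", "opt out of SEHOP" };
    if (argc > 1) {
        uint8_t hdr[4096];
        FILE *f = fopen(argv[1], "rb");
        if (!f) { perror(argv[1]); return 1; }
        size_t n = fread(hdr, 1, sizeof hdr, f);
        fclose(f);
        printf("%s: %s\n", argv[1], names[sehop_classify_image(hdr, n) + 1]);
        return 0;
    }
    printf("Armadillo-style, no NX_COMPAT: %s\n", names[sehop_classify_constructed(0x010B, 0x53, 0x52, 0x0000) + 1]);
    printf("Armadillo-style, NX_COMPAT:    %s\n", names[sehop_classify_constructed(0x010B, 0x53, 0x52, 0x0100) + 1]);
    printf("MSVC-style linker 9.0:         %s\n", names[sehop_classify_constructed(0x010B, 0x09, 0x00, 0x0000) + 1]);
    return 0;
}
```

The check intentionally stops at the header: it does not verify that the file is really Armadillo-packed, because neither does the loader. Any image whose linker version bytes happen to be 0x53/0x52 and which lacks NX_COMPAT gets the same opt-out, which is exactly why the condition matters when auditing a SEHOP-enabled system.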