Topic created on: April 18, 2007 03:57 CDT by madiyaan .
I am very much a newbie when it comes to disassembling executables. I read a few interesting articles on OpenRCE which were very educational, I must admit (thank you for those articles).
In some articles, I've read that using SEH, programs can defeat debuggers. I guess I don't know how/why that statement is true. Let me elaborate:
When a program runs under a debugger, the debugger can single step through the program by injecting 0xcc in place of instructions. Now if a program does something like modify the default SEH by changing fs:0 (if I'm correct) and then does something like write to memory location 0, execution goes to the debugger, right? (A question I have in mind is how does the execution go to the debugger when really the exception should be managed by the pointer the executable just put in by modifying fs:0?) Assuming execution goes to the debugger, can't the debugger simply look at the next exception handler in the chain (I'm assuming that that would be the executable's own handler) and insert a breakpoint there?
Several articles I've seen people say that using SEH handlers, executables can make debuggers detach from them. My question is how? Can anyone explain to a newbie like myself exactly how (with maybe a timeline or snapshot in time how the SEH frame looks like etc.) this magical detach happen? (I've seen an popup box in OllyDbg say that "control might be lost"). My question is how (and how is this non-deterministic (Olly uses the phrase "might be")). Under what circumstances will control be lost, and under what circumstances will control not be lost?
Can anyone elucidate.
Thank you very much for your time,