Vulnerability Development mailing list archives

Re: overwriting SEH and debugging


From: "Dude VanWinkle" <dudevanwinkle () gmail com>
Date: Sat, 22 Dec 2007 14:19:24 -0500

On Dec 20, 2007 12:36 PM, H D Moore <sflist () digitaloffense net> wrote:
> This occurs because of a feature known as "SafeSEH". This is a new
> compiler flag that creates a list of registered SEH handlers within each
> executable and DLL. If your target executable was compiled with /SafeSEH
> and you try to return into a module that has also been compiled with
> this feature, but the address you chose is not in the list of registered
> handlers, then the exception handling code will not transfer execution.
>
> There are a few options to work around this:
>
> 1. On Windows 2003, prior to SP1, SafeSEH was essentially broken and you
> can return to DLLs such as "ATL.dll" and a few others without the
> registered list being checked.

Do ATL.dll and friends equate to the SEH version of XPSP2's
starforce.dll (where you can turn off DEP by invoking it), meaning
does calling them cancel out all SafeSEH security, or are they just
free from the SafeSEH restrictions by themselves?

I assume it's the latter, but just thought I would ask...

-JP<who hopes DRM software needs the same coddling as video games>
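The check HD Moore describes, modelled in C as an added example (this is not code from the thread, and not the actual ntdll implementation). A /SafeSEH-linked image carries, in its Load Configuration directory, a sorted table of handler RVAs (SEHandlerTable/SEHandlerCount). Before the dispatcher calls a handler address it found on the stack, it locates the module containing that address; if the module has a table, the handler's RVA must appear in it, otherwise the handler is rejected. A module with no table is not checked at all, which is exactly the case the reply asks about: an unprotected DLL is only "free" for addresses inside itself and does nothing to weaken the checks on other modules. The module names, base addresses and handler RVAs below are constructed, and the model omits the additional checks later Windows versions apply to handlers that lie outside any loaded image.

```c
/* Added example: a model of the SafeSEH handler check. Not code from the
 * thread; the process layout is constructed for illustration. */
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>

typedef enum {
    SEH_ALLOWED_LISTED,    /* module has a table and the RVA is in it  */
    SEH_BLOCKED_UNLISTED,  /* module has a table, RVA is not in it     */
    SEH_ALLOWED_NO_TABLE,  /* module was not linked with /SafeSEH      */
    SEH_ALLOWED_NO_MODULE  /* address lies outside every loaded module */
} seh_verdict;

typedef struct {
    const char *name;
    uint32_t base;           /* load address (32-bit process)          */
    uint32_t size;           /* SizeOfImage                            */
    const uint32_t *table;   /* sorted handler RVAs, NULL if no table  */
    size_t count;            /* SEHandlerCount                         */
} module_t;

static int cmp_u32(const void *a, const void *b) {
    uint32_t x = *(const uint32_t *)a, y = *(const uint32_t *)b;
    return (x > y) - (x < y);
}

/* The SafeSEH table is sorted, so membership is a binary search on the RVA. */
static int rva_is_registered(const module_t *m, uint32_t rva) {
    return bsearch(&rva, m->table, m->count, sizeof(uint32_t), cmp_u32) != NULL;
}

/* Decide whether the dispatcher would transfer control to `handler`. */
seh_verdict safeseh_check(uint32_t handler, const module_t *mods, size_t n) {
    for (size_t i = 0; i < n; i++) {
        const module_t *m = &mods[i];
        if (handler < m->base || handler - m->base >= m->size)
            continue;                               /* not this module */
        if (m->table == NULL || m->count == 0)
            return SEH_ALLOWED_NO_TABLE;            /* unchecked module */
        return rva_is_registered(m, handler - m->base)
               ? SEH_ALLOWED_LISTED : SEH_BLOCKED_UNLISTED;
    }
    return SEH_ALLOWED_NO_MODULE;
}

/* Constructed sample layout (hypothetical names and addresses):
 * target.exe was linked with /SafeSEH and registers three handlers;
 * legacy.dll was built without it and has no table. */
static const uint32_t target_handlers[] = { 0x00001A40, 0x00003F10, 0x00005C20 };
static const module_t sample_modules[] = {
    { "target.exe", 0x00400000, 0x00010000, target_handlers, 3 },
    { "legacy.dll", 0x10000000, 0x00020000, NULL, 0 },
};
#define SAMPLE_COUNT (sizeof sample_modules / sizeof sample_modules[0])

seh_verdict check_sample(uint32_t handler) {
    return safeseh_check(handler, sample_modules, SAMPLE_COUNT);
}

static const char *verdict_name(seh_verdict v) {
    switch (v) {
    case SEH_ALLOWED_LISTED:   return "allowed (registered handler)";
    case SEH_BLOCKED_UNLISTED: return "blocked (not in SEHandlerTable)";
    case SEH_ALLOWED_NO_TABLE: return "allowed (module has no table)";
    default:                   return "allowed (no module at address)";
    }
}

int main(void) {
    const uint32_t candidates[] = { 0x00403F10, 0x00403F14, 0x10001234, 0x7C801234 };
    for (size_t i = 0; i < sizeof candidates / sizeof candidates[0]; i++)
        printf("0x%08X -> %s\n", candidates[i], verdict_name(check_sample(candidates[i])));
    return 0;
}
```

The practical consequence for handler overwrites is visible in the verdicts: a pop/pop/ret gadget at 0x00403F14 inside the protected target.exe is refused even though it is one instruction away from a registered handler, while any address inside the unprotected legacy.dll passes, which is why exploit writers hunt for modules that lack a table.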

