Full Disclosure mailing list archives

Re: Fuzzing and SEH


From: Gynvael Coldwind <gynvael () coldwind pl>
Date: Fri, 5 Nov 2010 09:28:12 +0100

Hey,

("SEH" --> I assume we're talking MS Windows)

A debugger attached is one solution (since a debugger is notified of
an exception before SEH is executed). PyDbg seems like a good idea,
but it can be done easily using the debugger API of Win32API too (just
forward all events except exceptions to the app).
However, this method won't work too well with apps that are protected
(anti-reverse engineering, anti-debugging, etc).

Personally I've used kernel-based exception detection, since it's not
detectable from a user app (except for timing and approach similar to
r0 rootkit detection, but that's negligible).
Check the app/code of ExcpHook (it's open source). The downfall here is
that it currently works only on 32-bit XP (didn't have time yet to
port it to new Windows).

Another idea would be to open a process and hook
ntdll.KiUserExceptionDispatcher, which is the function called from
kernel mode to user mode, and which handles inter alia SEH. The
problem here is that if the stack gets corrupted, the hook-function
will probably fail (hint: allocate some space you can use as a stack
for the hook handler).

Anyway, check out the 1st issue of Hack In The Box Magazine from this
year (http://magazine.hackinthebox.org/hitb-magazine.html). I've
posted an article there about exception detection with more
details.

Have fun,


On Thu, Nov 4, 2010 at 12:30 PM, primehaxor <primehaxor () gmail com> wrote:
Hi list,

When I run some fuzzing tests I can't trap the exception when some
bug is found due to invalid input. I'm trying to figure out a smart way to handle
the exception, and tell me when it runs.

On the PoC I've got the daemon crashed but it's still working without
responding to the requests.

I'm reading the Sulley framework and PyDBG doc to find some trick to get
it working.

Any idea?

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/




-- 
gynvael.coldwind//vx
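
The debugger-API approach described in the reply above, as an added example (not code from the thread, ExcpHook or the HITB article): a minimal Win32 debug loop that records every exception before the target's SEH sees it, then lets SEH run. It assumes harness and target have the same bitness; `parse_event`, `classify` and `run_under_debugger` are names chosen for this example.

```python
import ctypes, struct

EXCEPTION_DEBUG_EVENT, EXIT_PROCESS_DEBUG_EVENT = 1, 5
DBG_CONTINUE, DBG_EXCEPTION_NOT_HANDLED = 0x00010002, 0x80010001
EXCEPTION_BREAKPOINT, DEBUG_ONLY_THIS_PROCESS = 0x80000003, 0x00000002
X64 = struct.calcsize("P") == 8

def parse_event(buf, x64=X64):
    """Decode a raw DEBUG_EVENT: header, plus EXCEPTION_DEBUG_INFO for exceptions."""
    code, pid, tid = struct.unpack_from("<III", buf, 0)
    ev = {"code": code, "pid": pid, "tid": tid}
    if code == EXCEPTION_DEBUG_EVENT:
        # union offset, pointer size, sizeof(EXCEPTION_RECORD)
        u, psz, rec = (16, 8, 152) if x64 else (12, 4, 80)
        ev["exc"] = struct.unpack_from("<I", buf, u)[0]
        ev["addr"] = struct.unpack_from("<Q" if x64 else "<I", buf, u + 8 + psz)[0]
        ev["first_chance"] = struct.unpack_from("<I", buf, u + rec)[0] != 0
    return ev

def classify(ev, state):
    """Return (continue status, crash record or None) for one event."""
    if ev["code"] != EXCEPTION_DEBUG_EVENT:
        return DBG_CONTINUE, None
    if ev["exc"] == EXCEPTION_BREAKPOINT and not state.get("started"):
        state["started"] = True        # loader breakpoint raised at process start
        return DBG_CONTINUE, None
    # Record it, then pass it on so the target's own SEH behaves as in a plain run
    return DBG_EXCEPTION_NOT_HANDLED, (ev["exc"], ev["addr"], ev["first_chance"])

def run_under_debugger(cmdline):
    """Windows only: run cmdline as a debuggee; return the exceptions it raised."""
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    si = ctypes.create_string_buffer(104 if X64 else 68)    # STARTUPINFOW
    struct.pack_into("<I", si, 0, len(si))                  # STARTUPINFOW.cb
    pi = ctypes.create_string_buffer(24 if X64 else 16)     # PROCESS_INFORMATION
    if not k32.CreateProcessW(None, ctypes.create_unicode_buffer(cmdline), None, None,
                              False, DEBUG_ONLY_THIS_PROCESS, None, None, si, pi):
        raise ctypes.WinError(ctypes.get_last_error())
    for h in struct.unpack_from("PP", pi.raw):              # hProcess, hThread
        k32.CloseHandle(ctypes.c_void_p(h))
    buf, state, crashes = ctypes.create_string_buffer(176), {}, []
    while k32.WaitForDebugEvent(buf, -1):                   # -1 == INFINITE
        ev = parse_event(buf.raw)
        status, crash = classify(ev, state)
        if crash:
            crashes.append(crash)
        k32.ContinueDebugEvent(ev["pid"], ev["tid"], ctypes.c_uint32(status))
        if ev["code"] == EXIT_PROCESS_DEBUG_EVENT:
            break
    return crashes
```

Call `run_under_debugger` once per fuzz case; any tuple it returns with `first_chance` set to False is an exception no handler in the target dealt with. The image file handle delivered with the create-process event is not closed here, so a long-running harness should close it.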
