
Non-continuable exception trick [OpenRCE import]

I haven’t seen this before in public, but it’s possible I’m not the first one to research this subject. I implemented similar code about a year ago in my “ever unfinished” crackme, but since I doubt I’ll ever finish the crackme, here it goes.

The idea revolves around non-continuable exceptions, that is, exceptions with the EXCEPTION_NONCONTINUABLE flag set in the exception record. Normally, if your SEH handler gets such an exception, you’re basically screwed: you can’t return the ‘continue execution’ disposition, and your process is going to be mercilessly killed. If you try to continue anyway, the Windows exception dispatcher checks the flag when your handler returns and raises STATUS_NONCONTINUABLE_EXCEPTION (0xC0000025) as a new exception, itself non-continuable – there is no way out. Or is there? 😉

What if we patch or hook the Windows exception dispatcher (in user mode that is ntdll!KiUserExceptionDispatcher, which the kernel hands every exception to; we touch it in our process only) and simply clear the non-continuable bit, if present, before the exception is dispatched down to SEH? It turns out this works as expected: we can now escape and continue even after an originally non-continuable exception. Furthermore, debuggers don’t seem to like it at all. Olly simply refuses to continue even if we clear the non-continuable flag (but Olly can’t even properly handle hardware BPs set in the code, so who cares ;). WinDbg fares a bit better but still falls into an infinite loop (maybe more experienced users could overcome that). IDA seems not to handle the “rethrow” of the division-by-zero exception at the end properly (but I hardly use IDA’s debugger, so others may have more luck). Also, I’ve heard it doesn’t run properly under WINE, but more tests would be nice. 🙂
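To make the trick concrete, here is an added example. It is my own code, not the FASM source from the post: a 32-bit FASM console program that inline-hooks ntdll!KiUserExceptionDispatcher, clears EXCEPTION_NONCONTINUABLE in the EXCEPTION_RECORD the kernel pushed, and then raises a non-continuable exception that an ordinary SEH handler continues. The exception code 0xE0000001 is a constructed application-defined value, and the dispatcher prologue it expects (mov ecx,[esp+4] / mov ebx,[esp], optionally preceded by cld in newer builds) is an assumption about 32-bit ntdll; the code compares the bytes first and refuses to patch anything it does not recognise.

```asm
; nce_hook.asm -- added example: my own code, not the crackme source from the post.
; Assumes 32-bit Windows or WOW64, and FASM with INCLUDE set to its include/ directory.
format PE console 4.0
entry start
include 'win32a.inc'

EXC_NONCONTINUABLE      = 1           ; EXCEPTION_NONCONTINUABLE in EXCEPTION_RECORD.ExceptionFlags
DISP_CONTINUE_EXECUTION = 0           ; EXCEPTION_DISPOSITION values an SEH handler returns in eax
DISP_CONTINUE_SEARCH    = 1
STATUS_TEST_CODE        = 0xE0000001  ; constructed, application-defined exception code
HOOK_DISPATCHER         = 1           ; set to 0 to get killed with STATUS_NONCONTINUABLE_EXCEPTION

section '.data' data readable writeable
  ntdll_name   db 'ntdll.dll',0
  kiued_name   db 'KiUserExceptionDispatcher',0
  msg_ok       db 'SEH handler continued a non-continuable exception',13,10
  msg_ok_len   = $ - msg_ok
  ; Prologue this example knows how to displace, optionally preceded by cld (0xFC) in newer
  ; builds. Assumption: check the bytes in a disassembler; unknown bytes are never patched.
  prologue     db 0x8B,0x4C,0x24,0x04, 0x8B,0x1C,0x24    ; mov ecx,[esp+4] / mov ebx,[esp]
  prologue_len = $ - prologue
  kiued_resume dd 0   ; first untouched instruction of KiUserExceptionDispatcher
  old_protect  dd 0
  written      dd 0

section '.text' code readable executable
start:
  if HOOK_DISPATCHER
        call    install_hook
  end if
        push    seh_handler                 ; link an SEH frame whose handler says 'continue'
        push    dword [fs:0]
        mov     [fs:0], esp
        ; Flagged non-continuable: without the hook the dispatcher answers the handler's
        ; 'continue' by raising STATUS_NONCONTINUABLE_EXCEPTION (0xC0000025) instead.
        invoke  RaiseException, STATUS_TEST_CODE, EXC_NONCONTINUABLE, 0, 0
        pop     dword [fs:0]                ; only reached when the continue was accepted
        add     esp, 4
        invoke  GetStdHandle, STD_OUTPUT_HANDLE
        invoke  WriteFile, eax, msg_ok, msg_ok_len, written, 0
        invoke  ExitProcess, 0

; SEH handler: [esp+4] = EXCEPTION_RECORD*. Anything but our own code (unwind records
; included, they carry a different code) is sent down the chain.
seh_handler:
        mov     eax, [esp+4]
        cmp     dword [eax], STATUS_TEST_CODE
        jne     .search
        mov     eax, DISP_CONTINUE_EXECUTION    ; resumes right after RaiseException
        ret
  .search:
        mov     eax, DISP_CONTINUE_SEARCH
        ret

; Runs in place of KiUserExceptionDispatcher: [esp] = EXCEPTION_RECORD*, [esp+4] = CONTEXT*.
dispatcher_hook:
        mov     eax, [esp]
        and     dword [eax+4], not EXC_NONCONTINUABLE   ; clear the bit before SEH sees the record
        cld                                             ; then replay the displaced prologue
        mov     ecx, [esp+4]
        mov     ebx, [esp]
        jmp     dword [kiued_resume]

; Overwrite the start of ntdll!KiUserExceptionDispatcher with 'jmp dispatcher_hook' plus NOP
; padding, displacing whole instructions only; exits with code 1 if the prologue is unfamiliar.
install_hook:
        cld
        invoke  GetModuleHandle, ntdll_name
        invoke  GetProcAddress, eax, kiued_name
        mov     esi, eax                        ; esi = hook target
        xor     ebx, ebx                        ; ebx = number of bytes displaced
        cmp     byte [esi], 0xFC                ; optional leading cld
        jne     @f
        inc     ebx
  @@:   lea     edi, [esi+ebx]
        push    esi
        mov     esi, prologue
        mov     ecx, prologue_len
        repe    cmpsb
        pop     esi
        jne     .unknown
        add     ebx, prologue_len
        lea     eax, [esi+ebx]
        mov     [kiued_resume], eax
        invoke  VirtualProtect, esi, ebx, PAGE_EXECUTE_READWRITE, old_protect
        mov     edi, esi
        mov     al, 0xE9                        ; jmp rel32, relative to the end of the jmp
        stosb
        mov     eax, dispatcher_hook
        sub     eax, esi
        sub     eax, 5
        stosd
        lea     ecx, [ebx-5]
        mov     al, 0x90                        ; NOP out the rest of the displaced bytes
        rep     stosb
        invoke  VirtualProtect, esi, ebx, [old_protect], old_protect
        invoke  FlushInstructionCache, -1, esi, ebx
        ret
  .unknown:
        invoke  ExitProcess, 1

section '.idata' import data readable writeable
  library kernel32,'KERNEL32.DLL'
  import  kernel32, GetModuleHandle,'GetModuleHandleA', GetProcAddress,'GetProcAddress',\
          VirtualProtect,'VirtualProtect', FlushInstructionCache,'FlushInstructionCache',\
          RaiseException,'RaiseException', GetStdHandle,'GetStdHandle',\
          WriteFile,'WriteFile', ExitProcess,'ExitProcess'
```

Assemble with `fasm nce_hook.asm` and run it once with HOOK_DISPATCHER = 1 (it prints the message and exits cleanly) and once with 0 (the process dies with 0xC0000025 before the message). The continue works because RtlDispatchException reads ExceptionFlags from the very record the hook just modified when the handler returns ExceptionContinueExecution. Vectored exception handlers are called from the same routine, before the SEH chain walk, with a pointer to that same record, so a callback registered through AddVectoredExceptionHandler that clears the flag and returns EXCEPTION_CONTINUE_SEARCH gets the same effect without writing to ntdll’s code. Either way the change is process-wide: every exception in the process loses its non-continuable status, not only the one you meant to catch.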

Anyway, it’s quite fun code, maybe it will be useful to someone. Below is the FASM source, and here is the source+exe.


~ by omeg on March 15, 2008.

assembly, code, reverse engineering, windows internals
