#1

Technical problem with XP SP2 + VC++7 compiled files. (and PE packing)
Hello everyone,

I'm currently having fun adding sections to binaries, and adding my own loader to handle the IAT and stuff. Some kind of packer. Anyway, I have a few exceptions in my loader, and it works fine on any files protected on SP2, except those using the VC++7 compiler! Windows catches the exception, we go on to the usual exception dispatcher, but it doesn't give control to my exception handler! It just kills the process! WTF! I traced the dispatcher, and it works fine on any other compiler.

Is that part of the new security inside the compiler? Disabling DEP didn't help either. It's just the usual SEH. It never goes into the handler, the OS kills it. And it works, as I said, on any other compiler.

Has anyone experienced this, and knows how to work around it?

Thank you.

#2

two guesses:

1. it did a SetErrorMode
2. it has something to do with vectored exception handling

I have to admit that I have no idea what I'm talking about

#3

Is it really VC 7 (i.e. VS .NET 2002), or actually VC 7.1 (i.e. VS .NET 2003)?

VC 7.1 supports a new feature, called "safe exceptions", some kind of protection against exception exploits. It's not very well documented (at least I didn't find any really useful info... anybody?), but it seems to use a list of "registered" exception handlers; if the exception handler is not registered, it cannot be called. The list of registered exception handlers seems to be stored in a special PE directory (IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG?)... or maybe not stored, but somehow connected at least. So, if your packer corrupts it, it may cause the described troubles.

I think that until recently, it was supported by Windows 2003 Server only, but XP SP2 may have it, too, I don't know. I didn't study it very thoroughly, so I may certainly be wrong on any part.

Last edited by gigaman; 09-23-2004 at 06:04.

#4

Hey ho

Thank you for your answers. To me, it sounds more like this new security option. It can't be anything else. Any other compiled files run fine with an SEH on SP2, except those inside VC++. While tracing the dispatcher, I went to some routines where I could see: mov eax, canarystuff. The canary is used to protect against buffer overflows, and maybe there is something related to that in the exception protection you are detailing. I will need to dig.

I tried two other protectors, and they seem to work well, their SEH works. Fuck me, they are the same code as mine, so it's got to be a white list or something. The same file runs fine on XP SP1 btw, so it's really a combination of SP2 and VC++ 7. I don't know about the version of VC++. Is it 7.0 or 7.1? I have no clue. Probably the latest though.

Is this protection documented anywhere? I will look through the MSDN. Thanks

#5

Try to add the IMAGE_SCN_MEM_EXECUTE attribute to these additional sections.
For the details, download part 3 of the document at http://go.microsoft.com/fwlink/?LinkId=28022.

#6

Just a shot in the dark here, but if you have modified/packed a raw compiled VSNET2003 .exe the PE mods/packing you did could have RUINED the SEH info in the (usually) redundant space in the PE Header. Check that first.

#7

Actually gigaman was right.

After some debugging, I finally figured out it was the Load stuff in the directory table. Zeroing its size resolved the problem. It was related to Safe Exceptions: there is a white list of exception handlers. If an exception occurs, the OS checks whether the except handler is in the white list or not, and kills the software if not. This is to prevent exploitation of buffer overflows and friends via SEH overwrite.

Thank you all for your tips, and sorry for taking so long to answer.

Cheers!
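
Added example, not part of the original posts: a Python reader for the structure posts #3 and #7 point at. It follows the load config entry of the PE data directory to the SEHandlerTable/SEHandlerCount fields and reports whether a 32-bit image still carries its registered-handler list, which is the check to run on a binary after packing or rebuilding. The names `safeseh_state` and `build_sample` and the state strings are made up for this example, and the sample image is constructed inline rather than taken from a real file.

```python
import struct

LOAD_CONFIG = 10   # IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
NO_SEH = 0x0400    # IMAGE_DLLCHARACTERISTICS_NO_SEH

def u(fmt, buf, at):
    return struct.unpack_from("<" + fmt, buf, at)

def safeseh_state(pe):
    """Return (state, handler_rvas) for a PE32 (x86) image given as bytes."""
    nt = u("I", pe, 0x3C)[0]
    if pe[:2] != b"MZ" or pe[nt:nt + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    nsec, optsize, opt = u("H", pe, nt + 6)[0], u("H", pe, nt + 20)[0], nt + 24
    if u("H", pe, opt)[0] != 0x10B:
        raise ValueError("handler tables exist only in 32-bit (PE32) images")
    if u("H", pe, opt + 70)[0] & NO_SEH:
        return "no-seh", []
    base, ndirs = u("I", pe, opt + 28)[0], u("I", pe, opt + 92)[0]
    secs = [u("IIII", pe, opt + optsize + 40 * i + 8) for i in range(nsec)]
    def off(rva):  # RVA -> file offset through the section table
        for vsize, va, rawsize, raw in secs:
            if va <= rva < va + max(vsize, rawsize):
                return raw + rva - va
        raise ValueError("RVA outside all sections")
    rva, size = u("II", pe, opt + 96 + 8 * LOAD_CONFIG) if ndirs > LOAD_CONFIG else (0, 0)
    if rva == 0 or size == 0:
        return "no-load-config", []
    cfg = off(rva)
    # SEHandlerTable (a VA) and SEHandlerCount sit at offsets 64 and 68
    table_va, count = u("II", pe, cfg + 64) if u("I", pe, cfg)[0] >= 72 else (0, 0)
    if table_va == 0 or count == 0:
        return "no-table", []
    return "safeseh", list(u("%dI" % count, pe, off(table_va - base)))

def build_sample(handlers, dir_size=72):
    """Constructed minimal PE32 layout for the demo; not a loadable binary."""
    base, sec_rva, raw, opt = 0x400000, 0x1000, 0x200, 0x58
    pe = bytearray(0x400)
    pe[:2], pe[0x40:0x44] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", pe, 0x3C, 0x40)                # e_lfanew
    struct.pack_into("<HH12xH", pe, 0x44, 0x14C, 1, 224)  # i386, 1 section, opt header size
    struct.pack_into("<H26xI", pe, opt, 0x10B, base)      # PE32 magic, ImageBase
    struct.pack_into("<I", pe, opt + 92, 16)              # NumberOfRvaAndSizes
    struct.pack_into("<II", pe, opt + 96 + 8 * LOAD_CONFIG, sec_rva, dir_size)
    struct.pack_into("<IIII", pe, opt + 224 + 8, 0x200, sec_rva, 0x200, raw)
    struct.pack_into("<I", pe, raw, 72)                   # load config Size field
    struct.pack_into("<II", pe, raw + 64, base + sec_rva + 0x100, len(handlers))
    struct.pack_into("<%dI" % len(handlers), pe, raw + 0x100, *handlers)
    return bytes(pe)
```

A result of `no-load-config` on a file that reported `safeseh` before it was packed means the directory entry was zeroed or lost along the way, as described in post #7.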