• Microsoft Windows 2008 SP0
• Microsoft Windows Vista SP1
• Microsoft Windows 7
By constructing fake SEH chains, the author bypassed the chain validation check (the SEHOP walk described by the constraints below) and successfully executed shellcode.
Conditions for constructing the fake SEH chain. The following constraints have to be taken into consideration:
• The SEH handler should point into a non-SafeSEH module
• The page should be executable
• The SEH chain must not be broken and must end with a SEH structure containing a special value (0xFFFFFFFF as the next-SEH-structure pointer and a specific value as the SEH handler)
• All SEH structures must be 4-byte aligned
• The last SEH structure's handler must point right into ntdll, to the ntdll!FinalExceptionHandler routine
• All SEH pointers must point to stack locations
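As an added illustration (not code from the paper or from the original post), the following C program models the chain walk implied by the constraints above over a simulated 32-bit stack, then shows a classic SEH overwrite failing that walk and a fake chain, built inside the overflowed buffer, passing it. The stack limits, the stand-in value for ntdll!FinalExceptionHandler, the non-SafeSEH module range, the record addresses and the gadget offset are all constructed for the simulation; no real address is used.

```c
/* Simulation of a SEHOP-style SEH chain walk (added example, constructed addresses). */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical 32-bit layout: these values are made up for the simulation. */
#define STACK_BASE     0x00120000u
#define STACK_LIMIT    0x00130000u
#define FINAL_HANDLER  0x77E7F0C2u   /* stands in for ntdll!FinalExceptionHandler */
#define NOSAFESEH_LO   0x10000000u   /* a loaded module without a SafeSEH table */
#define NOSAFESEH_HI   0x10010000u
#define CHAIN_END      0xFFFFFFFFu   /* next pointer of the last record */

typedef struct { uint32_t next; uint32_t handler; } seh_record;

/* Simulated thread stack, 4-byte aligned so record casts are well defined. */
static _Alignas(4) uint8_t stack_mem[STACK_LIMIT - STACK_BASE];

static const uint32_t HEAD = 0x0012F000u; /* what fs:[0] would point to */
static const uint32_t BUF  = 0x0012EF00u; /* attacker buffer below the record */

static seh_record *rec_at(uint32_t addr) {
    return (seh_record *)(stack_mem + (addr - STACK_BASE));
}

/* Model of the chain validation: every record must be 4-byte aligned and
 * inside the stack, and the walk must end at a record whose next pointer is
 * 0xFFFFFFFF and whose handler is the final handler. Bounded to avoid cycles. */
int chain_is_valid(uint32_t head) {
    uint32_t cur = head;
    for (int depth = 0; depth < 64; depth++) {
        if (cur & 3u) return 0;                                        /* alignment */
        if (cur < STACK_BASE || cur + sizeof(seh_record) > STACK_LIMIT) /* on stack */
            return 0;
        const seh_record *r = rec_at(cur);
        if (r->next == CHAIN_END) return r->handler == FINAL_HANDLER;  /* terminator */
        cur = r->next;
    }
    return 0; /* too long or cyclic */
}

/* Model of the SafeSEH-style handler check: only a handler inside a module
 * with no SafeSEH table is accepted (the simulated module above). */
int handler_is_allowed(uint32_t handler) {
    return handler >= NOSAFESEH_LO && handler < NOSAFESEH_HI;
}

/* Legitimate chain: one program handler, then the final handler record. */
void build_legit_chain(void) {
    memset(stack_mem, 0, sizeof stack_mem);
    rec_at(HEAD)->next = HEAD + 0x100;
    rec_at(HEAD)->handler = 0x00401000u;           /* some program handler */
    rec_at(HEAD + 0x100)->next = CHAIN_END;
    rec_at(HEAD + 0x100)->handler = FINAL_HANDLER;
}

/* Classic SEH overwrite: the overflow runs from BUF through the record at HEAD,
 * leaving an unaligned garbage next pointer, so the chain walk rejects it. */
void overflow_classic(void) {
    build_legit_chain();
    memset(stack_mem + (BUF - STACK_BASE), 'A', HEAD - BUF);
    rec_at(HEAD)->next = 0x41414141u;
    rec_at(HEAD)->handler = NOSAFESEH_LO + 0x1234; /* hypothetical pop/pop/ret gadget */
}

/* Fake chain: the overflow data itself carries a terminator record, and the
 * clobbered next pointer is redirected into it. Every record stays on the
 * stack and 4-byte aligned, and the last one satisfies the terminator test. */
void overflow_fake_chain(void) {
    build_legit_chain();
    memset(stack_mem + (BUF - STACK_BASE), 'A', HEAD - BUF);
    uint32_t fake_end = BUF + 0x40;                /* aligned, inside the stack */
    rec_at(fake_end)->next = CHAIN_END;
    rec_at(fake_end)->handler = FINAL_HANDLER;
    rec_at(HEAD)->next = fake_end;
    rec_at(HEAD)->handler = NOSAFESEH_LO + 0x1234; /* hypothetical pop/pop/ret gadget */
}

int main(void) {
    build_legit_chain();
    printf("legit chain valid:      %d\n", chain_is_valid(HEAD));
    overflow_classic();
    printf("classic overwrite valid: %d\n", chain_is_valid(HEAD));
    overflow_fake_chain();
    printf("fake chain valid:        %d, handler allowed: %d\n",
           chain_is_valid(HEAD), handler_is_allowed(rec_at(HEAD)->handler));
    return 0;
}
```

Build with any C11 compiler (for example `cc -std=c11 sehop_sim.c`). The simulation makes the practical caveat visible: the fake terminator record must contain the real address of ntdll!FinalExceptionHandler, so the technique depends on that address being predictable, which is exactly what ASLR on ntdll takes away.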