{"author":{"name":null,"type":"card","url":"/"},"content":{"html":"\n\n\n\u003cfigure\u003e\n    \n        \u003cimg src=\"/ox-hugo/veh-header.png\"/\u003e \u003c/figure\u003e\n\n\u003cp\u003eWhat brought me back to this subject is the analysis of \u003cem\u003eGuLoader\u003c/em\u003e that uses VEH (see the \u003cem\u003eSonicWall\u003c/em\u003e, \u003cem\u003eZscaler\u003c/em\u003e and \u003cem\u003eUnit42\u003c/em\u003e articles for a deeper\nmalware analysis).\u003c/p\u003e\n\u003cp\u003eThis article is my attempt to write down what I learned properly, starting from the actual concepts rather than jumping straight to the tricks.\nSEH and VEH are legitimate, well-designed mechanisms. Understanding how they are supposed to work is what makes the abuse readable.\u003c/p\u003e\n\u003cp\u003eThe first part covers the concepts and the API, how the OS dispatches exceptions, how SEH and VEH handlers are registered,\nand what developers normally use them for. The second part gets into the malware side: how exception handling gets repurposed to hide execution flow.\nTo wrap things up, I decided to test some detection logic. 
I hacked together a basic implementation in C;\nwhile my C skills are definitely still a \u0026lsquo;work in progress,\u0026rsquo; the code serves its purpose in demonstrating how to catch this behavior.\u003c/p\u003e\n\u003cp\u003eIf you already know Windows internals well, the first two parts will mostly be a refresher.\nIf you are coming at this from the analysis side without much background in the underlying mechanism,\nI hope starting from the foundation makes the second part easier to follow.\u003c/p\u003e\n\u003cp\u003eBefore going further, here are some interesting external resources related to VEH in the malware domain:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"https://www.sonicwall.com/blog/guloader-demystified-unraveling-its-vectored-exception-handler-approach\"\u003eSonicWall - GuLoader Demystified: Unraveling its Vectored Exception Handler Approach\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://www.zscaler.com/blogs/security-research/technical-analysis-guloader-obfuscation-techniques\"\u003eZscaler - Technical Analysis of GuLoader Obfuscation Techniques\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://www.slideshare.net/slideshow/unmasking-the-dark-art-of-vectored-exception-handling-bypassing-xdr-and-edr-in-the-evolving-cyber-threat-landscape/263989842?utm_source=clipboard_share_button\u0026amp;utm_campaign=slideshare_make_sharing_viral_v2\u0026amp;utm_variation=control\u0026amp;utm_medium=share\"\u003eCrowdStrike - Unmasking the Dark Art of Vectored Exception Handling: Bypassing XDR and EDR in the Evolving\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://www.ibm.com/think/x-force/using-veh-for-defense-evasion-process-injection\"\u003eIBM - You just got vectored – using vectored exception handlers (veh) for defense evasion and process injection\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003e\u003ca 
href=\"https://unit42.paloaltonetworks.com/malware-configuration-extraction-techniques-guloader-redline-stealer/\"\u003eUnit42 - Tackling Anti-Analysis Techniques of GuLoader and RedLine Stealer\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\n\u003ch2 id=\"seh-veh-and-a-word-on-c-plus-plus-exceptions\"\u003eSEH, VEH and a Word on C++ Exceptions\u0026nbsp;\u003ca class=\"headline-hash no-text-decoration\" href=\"#seh-veh-and-a-word-on-c-plus-plus-exceptions\"\u003e#\u003c/a\u003e\u003c/h2\u003e\n\n\n\u003cul\u003e\n\u003cli\u003eWhat an exception is at the OS level and how Windows dispatches it (brief, just enough to understand the rest)\u003c/li\u003e\n\u003cli\u003eSEH: the stack-based chain, per-thread, per-frame, how the compiler owns it for you\u003c/li\u003e\n\u003cli\u003eVEH: process-wide, heap-resident, fires before SEH, the two-function API\u003c/li\u003e\n\u003cli\u003eThe difference with C++ exceptions: try/catch is a language abstraction built on top of SEH, not the same thing, why that distinction matters when you are reading disassembly\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003eThe three terms (SEH, VEH and Exception) often get conflated, especially in malware analysis writeups (and especially by myself).\u003c/p\u003e\n\u003cp\u003e\u003cstrong\u003e\u003cstrong\u003eWhat is an exception at the OS level?\u003c/strong\u003e\u003c/strong\u003e\nWhen something goes wrong during execution, whether it is a divide by zero, an access to an unmapped memory page,\nor an explicit int 3 instruction, the CPU raises an exception.\nControl transfers to the kernel, which builds an \u003ccode\u003eEXCEPTION_RECORD\u003c/code\u003e describing what happened and a \u003ccode\u003eCONTEXT\u003c/code\u003e structure capturing the full register state at the time of the fault.\nWindows then tries to find something in user space that knows how to handle it. 
That search is what SEH and VEH are about.\u003c/p\u003e\n\n\u003ch3 id=\"structured-exception-handling\"\u003eStructured Exception Handling\u0026nbsp;\u003ca class=\"headline-hash no-text-decoration\" href=\"#structured-exception-handling\"\u003e#\u003c/a\u003e\u003c/h3\u003e\n\n\n\n\u003ch4 id=\"seh-in-x86\"\u003eSEH in x86\u0026nbsp;\u003ca class=\"headline-hash no-text-decoration\" href=\"#seh-in-x86\"\u003e#\u003c/a\u003e\u003c/h4\u003e\n\n\n\u003cp\u003e\u003ccode\u003eSEH\u003c/code\u003e is the older of the two mechanisms. The idea is straightforward: each function that wants to handle exceptions registers a handler on the stack,\nforming a linked list rooted at \u003ccode\u003efs:[0]\u003c/code\u003e on x86. When an exception occurs, Windows walks that list from the top, giving each registered handler a chance to deal with it.\nIf a handler claims the exception, execution resumes. If nothing handles it, the process crashes.\u003c/p\u003e\n\u003cp\u003eFrom a developer perspective, SEH is what sits behind \u003ccode\u003e__try\u003c/code\u003e / \u003ccode\u003e__except\u003c/code\u003e / \u003ccode\u003e__finally\u003c/code\u003e in C.\nThe compiler does most of the work, emitting the registration and cleanup code around the blocks.\nOn x64 the implementation is different: instead of a runtime chain on the stack, the compiler emits a static table in the \u003ccode\u003e.pdata\u003c/code\u003e section that the OS uses to \u003cem\u003eunwind\u003c/em\u003e.\nThe surface API looks the same but the mechanics underneath are not. 
That is still unclear to me\u0026hellip;\u003c/p\u003e\n\u003cdiv class=\"highlight\"\u003e\u003cpre tabindex=\"0\" class=\"chroma\"\u003e\u003ccode class=\"language-c\" data-lang=\"c\"\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"cp\"\u003e#include\u003c/span\u003e \u003cspan class=\"cpf\"\u003e\u0026lt;windows.h\u0026gt;\u003c/span\u003e\u003cspan class=\"cp\"\u003e\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"cp\"\u003e#include\u003c/span\u003e \u003cspan class=\"cpf\"\u003e\u0026lt;stdio.h\u0026gt;\u003c/span\u003e\u003cspan class=\"cp\"\u003e\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"cp\"\u003e\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"kt\"\u003eint\u003c/span\u003e \u003cspan class=\"nf\"\u003emain\u003c/span\u003e\u003cspan class=\"p\"\u003e(\u003c/span\u003e\u003cspan class=\"kt\"\u003evoid\u003c/span\u003e\u003cspan class=\"p\"\u003e)\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"p\"\u003e{\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e    \u003cspan class=\"kr\"\u003e__try\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e    \u003cspan class=\"p\"\u003e{\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e        \u003cspan class=\"c1\"\u003e// intentionally trigger an access violation\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"c1\"\u003e\u003c/span\u003e        \u003cspan 
class=\"kt\"\u003eint\u003c/span\u003e \u003cspan class=\"o\"\u003e*\u003c/span\u003e\u003cspan class=\"n\"\u003eptr\u003c/span\u003e \u003cspan class=\"o\"\u003e=\u003c/span\u003e \u003cspan class=\"nb\"\u003eNULL\u003c/span\u003e\u003cspan class=\"p\"\u003e;\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e        \u003cspan class=\"o\"\u003e*\u003c/span\u003e\u003cspan class=\"n\"\u003eptr\u003c/span\u003e \u003cspan class=\"o\"\u003e=\u003c/span\u003e \u003cspan class=\"mi\"\u003e42\u003c/span\u003e\u003cspan class=\"p\"\u003e;\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e    \u003cspan class=\"p\"\u003e}\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e    \u003cspan class=\"kr\"\u003e__except\u003c/span\u003e\u003cspan class=\"p\"\u003e(\u003c/span\u003e\u003cspan class=\"n\"\u003eEXCEPTION_EXECUTE_HANDLER\u003c/span\u003e\u003cspan class=\"p\"\u003e)\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e    \u003cspan class=\"p\"\u003e{\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e        \u003cspan class=\"nf\"\u003eprintf\u003c/span\u003e\u003cspan class=\"p\"\u003e(\u003c/span\u003e\u003cspan class=\"s\"\u003e\u0026#34;SEH caught the exception\u003c/span\u003e\u003cspan class=\"se\"\u003e\\n\u003c/span\u003e\u003cspan class=\"s\"\u003e\u0026#34;\u003c/span\u003e\u003cspan class=\"p\"\u003e);\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e    \u003cspan class=\"p\"\u003e}\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e    
\u003cspan class=\"k\"\u003ereturn\u003c/span\u003e \u003cspan class=\"mi\"\u003e0\u003c/span\u003e\u003cspan class=\"p\"\u003e;\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"p\"\u003e}\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e\u003cp\u003eThe C file is compiled with this command line: \u003ccode\u003ecl.exe /Zi /O1 /GS- test-seh.c\u003c/code\u003e. See below the difference between the x86 version, which uses the \u003ccode\u003efs:[0]\u003c/code\u003e chain, and\nthe x64 version, which keeps the logic in the \u003ccode\u003e.pdata\u003c/code\u003e section.\u003c/p\u003e\n\n\n\n\u003cfigure\u003e\n    \n        \u003cimg src=\"/ox-hugo/seh-32bit-prologue.png\" alt=\"Figure 1: Main function in 32bit environment\"/\u003e \u003cfigcaption\u003e\n                \u003cp\u003e\n                    \u003cspan class=\"figure-number\"\u003eFigure 1: \u003c/span\u003eMain function in 32bit environment\n                    \n                        \n                        \u003c/p\u003e\n                \n            \u003c/figcaption\u003e\u003c/figure\u003e\n\n\u003cp\u003eOn the 32-bit architecture, the exception handler is \u0026ldquo;registered\u0026rdquo; by the first instructions of the \u003ccode\u003emain\u003c/code\u003e function (see the screenshot below). 
The compiler adds the following instructions:\u003c/p\u003e\n\u003cdiv class=\"highlight\"\u003e\u003cpre tabindex=\"0\" class=\"chroma\"\u003e\u003ccode class=\"language-asm\" data-lang=\"asm\"\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"nf\"\u003epush\u003c/span\u003e \u003cspan class=\"mi\"\u003e8\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"nf\"\u003epush\u003c/span\u003e \u003cspan class=\"no\"\u003eoffset\u003c/span\u003e \u003cspan class=\"no\"\u003estruc_478178\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"nf\"\u003ecall\u003c/span\u003e \u003cspan class=\"no\"\u003ej__SEH_prolog\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"nf\"\u003exor\u003c/span\u003e \u003cspan class=\"no\"\u003eeax\u003c/span\u003e\u003cspan class=\"p\"\u003e,\u003c/span\u003e \u003cspan class=\"no\"\u003eeax\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e\u003cp\u003eWhat \u003ccode\u003e__SEH_prolog\u003c/code\u003e does internally is:\u003c/p\u003e\n\u003col\u003e\n\u003cli\u003eSaves the current \u003ccode\u003efs:[0]\u003c/code\u003e value (the previous handler in the chain)\u003c/li\u003e\n\u003cli\u003eBuilds an \u003ccode\u003eEXCEPTION_REGISTRATION_RECORD\u003c/code\u003e on the stack\u003c/li\u003e\n\u003cli\u003ePoints \u003ccode\u003efs:[0]\u003c/code\u003e to it, inserting this function into the SEH chain\u003c/li\u003e\n\u003cli\u003eSets up the \u003ccode\u003ems_exc\u003c/code\u003e local variable, which is the structure MSVC uses to track the current state of the exception handling frame\u003c/li\u003e\n\u003c/ol\u003e\n\u003cp\u003eThe structure \u003ccode\u003estruc_478178\u003c/code\u003e is:\u003c/p\u003e\n\n\n\n\u003cfigure\u003e\n    \n        
\u003cimg src=\"/ox-hugo/seh-32bit-structure.png\" alt=\"Figure 2: struc_478178 content\"/\u003e \u003cfigcaption\u003e\n                \u003cp\u003e\n                    \u003cspan class=\"figure-number\"\u003eFigure 2: \u003c/span\u003estruc_478178 content\n                    \n                        \n                        \u003c/p\u003e\n                \n            \u003c/figcaption\u003e\u003c/figure\u003e\n\n\u003cp\u003e\u003ca id=\"code-snippet--scopetable-entry\"\u003e\u003c/a\u003e\u003c/p\u003e\n\u003cdiv class=\"highlight\"\u003e\u003cpre tabindex=\"0\" class=\"chroma\"\u003e\u003ccode class=\"language-C\" data-lang=\"C\"\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"k\"\u003etypedef\u003c/span\u003e \u003cspan class=\"k\"\u003estruct\u003c/span\u003e \u003cspan class=\"n\"\u003e_SCOPETABLE_ENTRY\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"p\"\u003e{\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e    \u003cspan class=\"n\"\u003eDWORD\u003c/span\u003e \u003cspan class=\"n\"\u003eEnclosingLevel\u003c/span\u003e\u003cspan class=\"p\"\u003e;\u003c/span\u003e    \u003cspan class=\"c1\"\u003e// index of the enclosing scope, -1 if none\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"c1\"\u003e\u003c/span\u003e    \u003cspan class=\"n\"\u003ePVOID\u003c/span\u003e \u003cspan class=\"n\"\u003eFilterFunc\u003c/span\u003e\u003cspan class=\"p\"\u003e;\u003c/span\u003e        \u003cspan class=\"c1\"\u003e// pointer to the filter expression\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"c1\"\u003e\u003c/span\u003e    \u003cspan class=\"n\"\u003ePVOID\u003c/span\u003e \u003cspan 
class=\"n\"\u003eHandlerFunc\u003c/span\u003e\u003cspan class=\"p\"\u003e;\u003c/span\u003e       \u003cspan class=\"c1\"\u003e// pointer to the __except or __finally block\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"c1\"\u003e\u003c/span\u003e\u003cspan class=\"p\"\u003e}\u003c/span\u003e \u003cspan class=\"n\"\u003eSCOPETABLE_ENTRY\u003c/span\u003e\u003cspan class=\"p\"\u003e;\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e\u003cp\u003eLooking at the entry \u003ccode\u003e\u0026lt;0FFFFFFFFh, offset $LN5, offset catch_except_ptr_42\u0026gt;:\u003c/code\u003e\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003e\u003cstrong\u003e\u003cstrong\u003eEnclosingLevel = 0xFFFFFFFF\u003c/strong\u003e\u003c/strong\u003e: this is \u003ccode\u003e-1\u003c/code\u003e, meaning this \u003ccode\u003e__try\u003c/code\u003e block has no enclosing \u003ccode\u003e__try\u003c/code\u003e block; it is the outermost one in the function\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003e\u003cstrong\u003eFilterFunc = $LN5\u003c/strong\u003e\u003c/strong\u003e: this is the compiled form of the filter expression, the code that evaluates \u003ccode\u003eEXCEPTION_EXECUTE_HANDLER\u003c/code\u003e or whatever condition I would put in the C code \u003ccode\u003e__except(...)\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003e\u003cstrong\u003eHandlerFunc = catch_except_ptr_42\u003c/strong\u003e\u003c/strong\u003e: this is the actual \u003ccode\u003e__except\u003c/code\u003e block that runs if the filter says to handle the exception\u003c/li\u003e\n\u003c/ul\u003e\n\n\u003ch4 id=\"seh-in-x64\"\u003eSEH in x64\u0026nbsp;\u003ca class=\"headline-hash no-text-decoration\" href=\"#seh-in-x64\"\u003e#\u003c/a\u003e\u003c/h4\u003e\n\n\n\u003cp\u003eOn the 64-bit architecture, the decompiled main function looks like this:\u003c/p\u003e\n\n\n\n\u003cfigure\u003e\n    \n    
    \u003cimg src=\"/ox-hugo/seh-64bit-prologue.png\" alt=\"Figure 3: x64 decompiled main function\"/\u003e \u003cfigcaption\u003e\n                \u003cp\u003e\n                    \u003cspan class=\"figure-number\"\u003eFigure 3: \u003c/span\u003ex64 decompiled main function\n                    \n                        \n                        \u003c/p\u003e\n                \n            \u003c/figcaption\u003e\u003c/figure\u003e\n\n\u003cp\u003eHere, as a first observation, there is no \u003ccode\u003efs:[0]\u003c/code\u003e and no \u003ccode\u003e__SEH_prolog\u003c/code\u003e call. There is no explicit registration at function scope level (from my understanding).\u003c/p\u003e\n\u003cp\u003eThe handler is registered statically through the \u003ccode\u003e.pdata\u003c/code\u003e structures (I read that they can also be stored in the \u003ccode\u003e.rdata\u003c/code\u003e section).\u003c/p\u003e\n\u003cp\u003eThe \u003ccode\u003e.pdata\u003c/code\u003e section stores the \u003ccode\u003eRUNTIME_FUNCTION\u003c/code\u003e structure, which is defined by three fields: \u003ccode\u003eBeginAddress\u003c/code\u003e, \u003ccode\u003eEndAddress\u003c/code\u003e and \u003ccode\u003eUnwindData\u003c/code\u003e (the last one is\na pointer to the \u003ccode\u003eUNWIND_INFO\u003c/code\u003e structure).\u003c/p\u003e\n\u003cp\u003eWhen the access violation fires at \u003ccode\u003emov dword ptr [rax], 2Ah\u003c/code\u003e (writing 42 to a null pointer), the OS:\u003c/p\u003e\n\u003col\u003e\n\u003cli\u003eCatches the fault in the kernel\u003c/li\u003e\n\u003cli\u003eComes back to user mode and calls \u003ccode\u003eRtlDispatchException\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003eTakes the faulting \u003ccode\u003eRIP\u003c/code\u003e, does a binary search in \u003ccode\u003e.pdata\u003c/code\u003e to find the matching \u003ccode\u003eRUNTIME_FUNCTION\u003c/code\u003e (the structure that satisfies this condition: \u003ccode\u003eBeginAddress \u0026lt;= FaultyRIP \u0026lt; 
EndAddress\u003c/code\u003e)\u003c/li\u003e\n\u003cli\u003eFollows it to the \u003ccode\u003eUNWIND_INFO\u003c/code\u003e, sees \u003ccode\u003e__C_specific_handler\u003c/code\u003e as the registered handler\u003c/li\u003e\n\u003cli\u003eCalls \u003ccode\u003e__C_specific_handler\u003c/code\u003e, which walks the \u003ccode\u003eC_SCOPE_TABLE\u003c/code\u003e, finds the scope covering the faulting address and evaluates the filter \u003ccode\u003emain$filt$0\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003eThe filter returns \u003ccode\u003eEXCEPTION_EXECUTE_HANDLER\u003c/code\u003e, and execution jumps to \u003ccode\u003e$LN6\u003c/code\u003e, which is the \u003ccode\u003e__except\u003c/code\u003e block calling printf\u003c/li\u003e\n\u003c/ol\u003e\n\u003cp\u003eThe \u0026ldquo;workflow\u0026rdquo; of the exception is as follows:\u003c/p\u003e\n\u003cpre tabindex=\"0\"\u003e\u003ccode class=\"language-nil\" data-lang=\"nil\"\u003eException Triggers\n  -\u0026gt; OS looks up RIP in .pdata\n    -\u0026gt; Locates RUNTIME_FUNCTION (here stru_140092378)\n      -\u0026gt; Follows pointer to UNWIND_INFO\n        -\u0026gt; Calls __C_specific_handler\n          -\u0026gt; Searches C_SCOPE_TABLE\n            -\u0026gt; Jumps to $LN6 (my __except block)\n\u003c/code\u003e\u003c/pre\u003e\n\n\n\u003cfigure\u003e\n    \n        \u003cimg src=\"/ox-hugo/seh_pdata_runtime_function.png\" alt=\"Figure 4: .pdata section that holds the RUNTIME_FUNCTION for my exception in the main function\"/\u003e \u003cfigcaption\u003e\n                \u003cp\u003e\n                    \u003cspan class=\"figure-number\"\u003eFigure 4: \u003c/span\u003e.pdata section that holds the RUNTIME_FUNCTION for my exception in the main function\n                    \n                        \n                        \u003c/p\u003e\n                \n            \u003c/figcaption\u003e\u003c/figure\u003e\n\n\u003cp\u003eIDA labeled it 
\u003cstrong\u003e\u003cstrong\u003eExceptionDir\u003c/strong\u003e\u003c/strong\u003e because it is the first entry in the exception directory. The three fields map directly to the main function:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ccode\u003erva main\u003c/code\u003e is the start address of the function, \u003ccode\u003e0x140007250\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003erva byte_14000727E\u003c/code\u003e is the end address of the main function\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003erva stru_140092378\u003c/code\u003e is the pointer to the \u003cstrong\u003e\u003cstrong\u003e\u003ccode\u003eUNWIND_INFO\u003c/code\u003e\u003c/strong\u003e\u003c/strong\u003e structure, the one that contains \u003ccode\u003e__C_specific_handler\u003c/code\u003e and the \u003ccode\u003eC_SCOPE_TABLE\u003c/code\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003eThe structure is as follows:\u003c/p\u003e\n\n\n\n\u003cfigure\u003e\n    \n        \u003cimg src=\"/ox-hugo/seh_64bit_runtime_struct.png\" alt=\"Figure 5: IDA view of the structure stru_140092378\"/\u003e \u003cfigcaption\u003e\n                \u003cp\u003e\n                    \u003cspan class=\"figure-number\"\u003eFigure 5: \u003c/span\u003eIDA view of the structure stru_140092378\n                    \n                        \n                        \u003c/p\u003e\n                \n            \u003c/figcaption\u003e\u003c/figure\u003e\n\n\u003cp\u003e\u003ccode\u003estru_140092378\u003c/code\u003e is the \u003ccode\u003eUNWIND_INFO\u003c/code\u003e structure that the \u003ccode\u003e.pdata\u003c/code\u003e entry for \u003ccode\u003emain\u003c/code\u003e points to. It is made of three parts:\u003c/p\u003e\n\u003col\u003e\n\u003cli\u003eThe \u003ccode\u003eUNWIND_INFO_HDR\u003c/code\u003e is the header. 
It describes the prologue of the function.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eUNWIND_CODE\u003c/code\u003e entries are the actual unwinding instructions.\u003c/li\u003e\n\u003cli\u003eAfter the unwind codes, because \u003ccode\u003eUNW_FLAG_EHANDLER\u003c/code\u003e was set, comes the exception handler pointer pointing to \u003ca href=\"https://learn.microsoft.com/en-us/windows/win32/devnotes/--c-specific-handler2\"\u003e\u003ccode\u003e__C_specific_handler\u003c/code\u003e\u003c/a\u003e,\nfollowed by the \u003ccode\u003eC_SCOPE_TABLE\u003c/code\u003e (which is a bit different from the structure for \u003ca href=\"#code-snippet--scopetable-entry\"\u003ex86\u003c/a\u003e).\nThat table is where the actual exception handling logic is described: which address range is covered by the \u003ccode\u003e__try\u003c/code\u003e block,\nwhich function to call as the filter, and where to redirect execution if the filter decides to handle the exception.\u003c/li\u003e\n\u003c/ol\u003e\n\u003cp\u003eIn x64 the \u003ccode\u003eC_SCOPE_TABLE_ENTRY\u003c/code\u003e structure is defined as:\u003c/p\u003e\n\u003cdiv class=\"highlight\"\u003e\u003cpre tabindex=\"0\" class=\"chroma\"\u003e\u003ccode class=\"language-c\" data-lang=\"c\"\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"k\"\u003etypedef\u003c/span\u003e \u003cspan class=\"k\"\u003estruct\u003c/span\u003e \u003cspan class=\"n\"\u003e_C_SCOPE_TABLE_ENTRY\u003c/span\u003e \u003cspan class=\"p\"\u003e{\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e    \u003cspan class=\"kt\"\u003euint32_t\u003c/span\u003e \u003cspan class=\"n\"\u003eBeginAddress\u003c/span\u003e\u003cspan class=\"p\"\u003e;\u003c/span\u003e    \u003cspan class=\"c1\"\u003e// RVA of the start of the __try block\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"c1\"\u003e\u003c/span\u003e    \u003cspan 
class=\"kt\"\u003euint32_t\u003c/span\u003e \u003cspan class=\"n\"\u003eEndAddress\u003c/span\u003e\u003cspan class=\"p\"\u003e;\u003c/span\u003e      \u003cspan class=\"c1\"\u003e// RVA of the end of the __try block\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"c1\"\u003e\u003c/span\u003e    \u003cspan class=\"kt\"\u003euint32_t\u003c/span\u003e \u003cspan class=\"n\"\u003eHandlerAddress\u003c/span\u003e\u003cspan class=\"p\"\u003e;\u003c/span\u003e  \u003cspan class=\"c1\"\u003e// RVA of the filter or __finally handler\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"c1\"\u003e\u003c/span\u003e    \u003cspan class=\"kt\"\u003euint32_t\u003c/span\u003e \u003cspan class=\"n\"\u003eJumpTarget\u003c/span\u003e\u003cspan class=\"p\"\u003e;\u003c/span\u003e      \u003cspan class=\"c1\"\u003e// RVA of the __except block, 0 when HandlerAddress is a __finally handler\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"c1\"\u003e\u003c/span\u003e\u003cspan class=\"p\"\u003e}\u003c/span\u003e \u003cspan class=\"n\"\u003eC_SCOPE_TABLE_ENTRY\u003c/span\u003e\u003cspan class=\"p\"\u003e;\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e\u003cdiv class=\"src-block-caption\"\u003e\n  \u003cspan class=\"src-block-number\"\u003eCode Snippet 1:\u003c/span\u003e\n  C_SCOPE_TABLE definition\n\u003c/div\u003e\n\u003cp\u003eOne structure, three responsibilities: unwind the stack, find the handler, map the guarded region.\u003c/p\u003e\n\u003cp\u003eSo the definition of the \u003ccode\u003eUNWIND_INFO\u003c/code\u003e structure is:\u003c/p\u003e\n\u003cdiv class=\"highlight\"\u003e\u003cpre tabindex=\"0\" class=\"chroma\"\u003e\u003ccode class=\"language-C\" data-lang=\"C\"\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"k\"\u003etypedef\u003c/span\u003e \u003cspan class=\"k\"\u003estruct\u003c/span\u003e \u003cspan class=\"n\"\u003e_UNWIND_INFO\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan 
class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"p\"\u003e{\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e    \u003cspan class=\"n\"\u003eBYTE\u003c/span\u003e \u003cspan class=\"n\"\u003eVersionAndFlags\u003c/span\u003e\u003cspan class=\"p\"\u003e;\u003c/span\u003e       \u003cspan class=\"c1\"\u003e// UNWIND_INFO_HDR - version + flags (UNW_FLAG_EHANDLER etc.)\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"c1\"\u003e\u003c/span\u003e    \u003cspan class=\"n\"\u003eBYTE\u003c/span\u003e \u003cspan class=\"n\"\u003eSizeOfProlog\u003c/span\u003e\u003cspan class=\"p\"\u003e;\u003c/span\u003e          \u003cspan class=\"c1\"\u003e// UNWIND_INFO_HDR - prologue size in bytes\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"c1\"\u003e\u003c/span\u003e    \u003cspan class=\"n\"\u003eBYTE\u003c/span\u003e \u003cspan class=\"n\"\u003eCountOfCodes\u003c/span\u003e\u003cspan class=\"p\"\u003e;\u003c/span\u003e          \u003cspan class=\"c1\"\u003e// UNWIND_INFO_HDR - number of UNWIND_CODE slots\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"c1\"\u003e\u003c/span\u003e    \u003cspan class=\"n\"\u003eBYTE\u003c/span\u003e \u003cspan class=\"n\"\u003eFrameRegisterAndOffset\u003c/span\u003e\u003cspan class=\"p\"\u003e;\u003c/span\u003e\u003cspan class=\"c1\"\u003e// UNWIND_INFO_HDR - frame register + offset\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"c1\"\u003e\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e    \u003cspan class=\"n\"\u003eUNWIND_CODE\u003c/span\u003e \u003cspan 
class=\"n\"\u003eUnwindCodes\u003c/span\u003e\u003cspan class=\"p\"\u003e[];\u003c/span\u003e  \u003cspan class=\"c1\"\u003e// variable length array, CountOfCodes entries\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"c1\"\u003e\u003c/span\u003e                                \u003cspan class=\"c1\"\u003e// padded to 4 byte alignment\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"c1\"\u003e\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e    \u003cspan class=\"c1\"\u003e// only present if flags contain UNW_FLAG_EHANDLER or UNW_FLAG_UHANDLER\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"c1\"\u003e\u003c/span\u003e    \u003cspan class=\"n\"\u003eDWORD\u003c/span\u003e \u003cspan class=\"n\"\u003eExceptionHandlerRVA\u003c/span\u003e\u003cspan class=\"p\"\u003e;\u003c/span\u003e  \u003cspan class=\"c1\"\u003e// rva j___C_specific_handler\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"c1\"\u003e\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e    \u003cspan class=\"c1\"\u003e// handler specific data, depends on which handler is used\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"c1\"\u003e\u003c/span\u003e    \u003cspan class=\"c1\"\u003e// for __C_specific_handler this is the C_SCOPE_TABLE\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"c1\"\u003e\u003c/span\u003e    \u003cspan class=\"n\"\u003eC_SCOPE_TABLE\u003c/span\u003e \u003cspan 
class=\"n\"\u003eScopeTable\u003c/span\u003e\u003cspan class=\"p\"\u003e;\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"p\"\u003e}\u003c/span\u003e \u003cspan class=\"n\"\u003eUNWIND_INFO\u003c/span\u003e\u003cspan class=\"p\"\u003e;\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e\u003cdiv class=\"src-block-caption\"\u003e\n  \u003cspan class=\"src-block-number\"\u003eCode Snippet 2:\u003c/span\u003e\n  _UNWIND_INFO structure\n\u003c/div\u003e\n\u003cp\u003eAt the end of the \u003ccode\u003eUNWIND_INFO\u003c/code\u003e (if certain flags like \u003ccode\u003eUNW_FLAG_EHANDLER\u003c/code\u003e are set), there is an extra field\ncalled the \u003ccode\u003eExceptionHandler\u003c/code\u003e. For C/C++ code compiled with \u003cstrong\u003e\u003cstrong\u003eMSVC\u003c/strong\u003e\u003c/strong\u003e, this almost always points to \u003ccode\u003e__C_specific_handler\u003c/code\u003e.\u003c/p\u003e\n\u003cp\u003e\u003cem\u003eLink to \u003ca href=\"https://learn.microsoft.com/en-us/cpp/build/exception-handling-x64?view=msvc-170#struct-unwind_info\"\u003eMicrosoft documentation\u003c/a\u003e\u003c/em\u003e\u003c/p\u003e\n\n\u003ch3 id=\"vectored-exception-handling\"\u003eVectored Exception Handling\u0026nbsp;\u003ca class=\"headline-hash no-text-decoration\" href=\"#vectored-exception-handling\"\u003e#\u003c/a\u003e\u003c/h3\u003e\n\n\n\u003cp\u003e\u003ccode\u003eVEH\u003c/code\u003e was introduced in Windows XP and works differently. Instead of being tied to the stack,\nVEH handlers are registered at the process level and stored in a list maintained by \u003ccode\u003entdll\u003c/code\u003e. 
The vectored handler list is consulted before \u003ccode\u003eSEH\u003c/code\u003e.\nIf any \u003ccode\u003eVEH\u003c/code\u003e handler claims the exception, the SEH chain is never walked at all.\u003c/p\u003e\n\u003cp\u003eThe API is simple. A handler is registered with \u003ccode\u003eAddVectoredExceptionHandler\u003c/code\u003e, which takes a flag indicating whether the handler should be first or last in the list,\nand a pointer to the handler function. The handler receives an \u003ccode\u003eEXCEPTION_POINTERS\u003c/code\u003e structure giving it access to both the \u003ccode\u003eEXCEPTION_RECORD\u003c/code\u003e and the \u003ccode\u003eCONTEXT\u003c/code\u003e.\nIt then returns either \u003ccode\u003eEXCEPTION_CONTINUE_EXECUTION\u003c/code\u003e to resume execution, or \u003ccode\u003eEXCEPTION_CONTINUE_SEARCH\u003c/code\u003e to pass to the next handler.\u003c/p\u003e\n\u003cp\u003eThere is also a sibling mechanism called Vectored Continue Handlers, registered with \u003ccode\u003eAddVectoredContinueHandler\u003c/code\u003e, which fires after a handler has already claimed the exception.\nI did not exercise this path in the article.\u003c/p\u003e\n\u003cdiv class=\"highlight\"\u003e\u003cpre tabindex=\"0\" class=\"chroma\"\u003e\u003ccode class=\"language-c\" data-lang=\"c\"\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"cp\"\u003e#include\u003c/span\u003e \u003cspan class=\"cpf\"\u003e\u0026lt;windows.h\u0026gt;\u003c/span\u003e\u003cspan class=\"cp\"\u003e\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"cp\"\u003e#include\u003c/span\u003e \u003cspan class=\"cpf\"\u003e\u0026lt;stdio.h\u0026gt;\u003c/span\u003e\u003cspan class=\"cp\"\u003e\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan 
class=\"cp\"\u003e\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"n\"\u003eLONG\u003c/span\u003e \u003cspan class=\"n\"\u003eCALLBACK\u003c/span\u003e \u003cspan class=\"nf\"\u003eMyVectoredHandler\u003c/span\u003e\u003cspan class=\"p\"\u003e(\u003c/span\u003e\u003cspan class=\"n\"\u003ePEXCEPTION_POINTERS\u003c/span\u003e \u003cspan class=\"n\"\u003eExceptionInfo\u003c/span\u003e\u003cspan class=\"p\"\u003e)\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"p\"\u003e{\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e    \u003cspan class=\"k\"\u003eif\u003c/span\u003e \u003cspan class=\"p\"\u003e(\u003c/span\u003e\u003cspan class=\"n\"\u003eExceptionInfo\u003c/span\u003e\u003cspan class=\"o\"\u003e-\u0026gt;\u003c/span\u003e\u003cspan class=\"n\"\u003eExceptionRecord\u003c/span\u003e\u003cspan class=\"o\"\u003e-\u0026gt;\u003c/span\u003e\u003cspan class=\"n\"\u003eExceptionCode\u003c/span\u003e \u003cspan class=\"o\"\u003e==\u003c/span\u003e \u003cspan class=\"n\"\u003eEXCEPTION_ACCESS_VIOLATION\u003c/span\u003e\u003cspan class=\"p\"\u003e)\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e    \u003cspan class=\"p\"\u003e{\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e        \u003cspan class=\"nf\"\u003eprintf\u003c/span\u003e\u003cspan class=\"p\"\u003e(\u003c/span\u003e\u003cspan class=\"s\"\u003e\u0026#34;VEH caught an access violation at 0x%p\u003c/span\u003e\u003cspan class=\"se\"\u003e\\n\u003c/span\u003e\u003cspan class=\"s\"\u003e\u0026#34;\u003c/span\u003e\u003cspan class=\"p\"\u003e,\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e            
   \u003cspan class=\"n\"\u003eExceptionInfo\u003c/span\u003e\u003cspan class=\"o\"\u003e-\u0026gt;\u003c/span\u003e\u003cspan class=\"n\"\u003eExceptionRecord\u003c/span\u003e\u003cspan class=\"o\"\u003e-\u0026gt;\u003c/span\u003e\u003cspan class=\"n\"\u003eExceptionAddress\u003c/span\u003e\u003cspan class=\"p\"\u003e);\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e        \u003cspan class=\"c1\"\u003e// move RIP past the faulting instruction (could be wrapped with macro for 32bit with eip)\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"c1\"\u003e\u003c/span\u003e        \u003cspan class=\"n\"\u003eExceptionInfo\u003c/span\u003e\u003cspan class=\"o\"\u003e-\u0026gt;\u003c/span\u003e\u003cspan class=\"n\"\u003eContextRecord\u003c/span\u003e\u003cspan class=\"o\"\u003e-\u0026gt;\u003c/span\u003e\u003cspan class=\"n\"\u003eRip\u003c/span\u003e \u003cspan class=\"o\"\u003e+=\u003c/span\u003e \u003cspan class=\"mi\"\u003e2\u003c/span\u003e\u003cspan class=\"p\"\u003e;\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e        \u003cspan class=\"k\"\u003ereturn\u003c/span\u003e \u003cspan class=\"n\"\u003eEXCEPTION_CONTINUE_EXECUTION\u003c/span\u003e\u003cspan class=\"p\"\u003e;\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e    \u003cspan class=\"p\"\u003e}\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e    \u003cspan 
class=\"k\"\u003ereturn\u003c/span\u003e \u003cspan class=\"n\"\u003eEXCEPTION_CONTINUE_SEARCH\u003c/span\u003e\u003cspan class=\"p\"\u003e;\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"p\"\u003e}\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"kt\"\u003eint\u003c/span\u003e \u003cspan class=\"nf\"\u003emain\u003c/span\u003e\u003cspan class=\"p\"\u003e(\u003c/span\u003e\u003cspan class=\"kt\"\u003evoid\u003c/span\u003e\u003cspan class=\"p\"\u003e)\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"p\"\u003e{\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e    \u003cspan class=\"n\"\u003ePVOID\u003c/span\u003e \u003cspan class=\"n\"\u003ehandler\u003c/span\u003e \u003cspan class=\"o\"\u003e=\u003c/span\u003e \u003cspan class=\"nf\"\u003eAddVectoredExceptionHandler\u003c/span\u003e\u003cspan class=\"p\"\u003e(\u003c/span\u003e\u003cspan class=\"mi\"\u003e1\u003c/span\u003e\u003cspan class=\"p\"\u003e,\u003c/span\u003e \u003cspan class=\"n\"\u003eMyVectoredHandler\u003c/span\u003e\u003cspan class=\"p\"\u003e);\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e    \u003cspan class=\"c1\"\u003e// intentionally trigger an access violation\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"c1\"\u003e\u003c/span\u003e    \u003cspan class=\"kt\"\u003eint\u003c/span\u003e \u003cspan class=\"o\"\u003e*\u003c/span\u003e\u003cspan 
class=\"n\"\u003eptr\u003c/span\u003e \u003cspan class=\"o\"\u003e=\u003c/span\u003e \u003cspan class=\"nb\"\u003eNULL\u003c/span\u003e\u003cspan class=\"p\"\u003e;\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e    \u003cspan class=\"o\"\u003e*\u003c/span\u003e\u003cspan class=\"n\"\u003eptr\u003c/span\u003e \u003cspan class=\"o\"\u003e=\u003c/span\u003e \u003cspan class=\"mi\"\u003e42\u003c/span\u003e\u003cspan class=\"p\"\u003e;\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e    \u003cspan class=\"nf\"\u003eRemoveVectoredExceptionHandler\u003c/span\u003e\u003cspan class=\"p\"\u003e(\u003c/span\u003e\u003cspan class=\"n\"\u003ehandler\u003c/span\u003e\u003cspan class=\"p\"\u003e);\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e    \u003cspan class=\"k\"\u003ereturn\u003c/span\u003e \u003cspan class=\"mi\"\u003e0\u003c/span\u003e\u003cspan class=\"p\"\u003e;\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"p\"\u003e}\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e\u003cp\u003eHere registration is explicit. The first argument to \u003ccode\u003eAddVectoredExceptionHandler\u003c/code\u003e being \u003ccode\u003e1\u003c/code\u003e means this handler goes to the front of the list,\nso it fires before any other \u003ccode\u003eVEH\u003c/code\u003e handler and before \u003ccode\u003eSEH\u003c/code\u003e. The handler inspects the exception code, adjusts \u003ccode\u003eRIP\u003c/code\u003e to skip past the faulting instruction,\nand returns \u003ccode\u003eEXCEPTION_CONTINUE_EXECUTION\u003c/code\u003e to resume. 
If the exception is not one it cares about, it returns \u003ccode\u003eEXCEPTION_CONTINUE_SEARCH\u003c/code\u003e to let the next handler in the chain take over.\nThe key difference to notice: in the \u003ccode\u003eSEH\u003c/code\u003e example the handler is scoped to the \u003ccode\u003e__try\u003c/code\u003e block and the stack frame it lives in.\nIn the VEH example the handler is active process-wide from the moment it is registered until \u003ccode\u003eRemoveVectoredExceptionHandler\u003c/code\u003e is called, regardless of which function is currently executing.\u003c/p\u003e\n\n\u003ch3 id=\"c-plus-plus-exceptions-are-not-the-same-thing\"\u003eC++ Exceptions are not the Same Thing\u0026nbsp;\u003ca class=\"headline-hash no-text-decoration\" href=\"#c-plus-plus-exceptions-are-not-the-same-thing\"\u003e#\u003c/a\u003e\u003c/h3\u003e\n\n\n\u003cp\u003eThis one trips people up. When you write \u003ccode\u003etry / catch\u003c/code\u003e in C++, you are using the C++ exception model, which is a language-level abstraction.\nUnder the hood on Windows, the compiler implements it on top of SEH, using a special SEH filter to match C++ exception types.\nBut they are not the same layer. A C++ catch block is not an SEH handler, and it is definitely not a VEH handler.\u003c/p\u003e\n\u003cp\u003eThe reason this distinction matters in practice is that when you are reversing a sample and you see \u003ccode\u003eAddVectoredExceptionHandler\u003c/code\u003e being called, you are not looking at a compiler artifact.\nThere is no language feature that emits that call for you. 
It is explicit, intentional code, and whoever wrote it made a deliberate\nchoice to intercept exceptions at the process level before anything else gets a chance to see them.\u003c/p\u003e\n\u003cp\u003eIf you are interested in C++ exceptions, I highly encourage you to read \u003ca href=\"https://www.msreverseengineering.com/blog/2024/8/20/c-unwind-metadata-1\"\u003eC++ Unwind Exception Metadata: A Hidden Reverse Engineering Bonanza written by Rolf Rolles\u003c/a\u003e.\u003c/p\u003e\n\n\u003ch2 id=\"how-the-veh-list-is-built-and-stored\"\u003eHow the VEH List is Built and Stored\u0026nbsp;\u003ca class=\"headline-hash no-text-decoration\" href=\"#how-the-veh-list-is-built-and-stored\"\u003e#\u003c/a\u003e\u003c/h2\u003e\n\n\n\u003cp\u003eThe VEH list is a doubly-linked list maintained per-process in user-mode memory, managed by ntdll.dll. It holds pointers to registered \u003ccode\u003ePVECTORED_EXCEPTION_HANDLER\u003c/code\u003e callbacks.\u003c/p\u003e\n\u003cp\u003eWhen \u003ccode\u003eAddVectoredExceptionHandler\u003c/code\u003e is called, it calls a thin wrapper that forwards to \u003ccode\u003eRtlAddVectoredExceptionHandler\u003c/code\u003e in \u003ccode\u003entdll.dll\u003c/code\u003e.\nThat is where the actual work happens, and it is worth understanding what that function does with the handler pointer.\u003c/p\u003e\n\u003cp\u003eNtdll maintains two doubly linked lists for exception handling, one for vectored exception handlers and one for vectored continue handlers.\nBoth lists are anchored by a single global structure that lives inside ntdll\u0026rsquo;s data segment, commonly referred to as \u003ccode\u003eLdrpVectorHandlerList\u003c/code\u003e in debugging sessions.\u003c/p\u003e\n\u003cp\u003eThe structure looks roughly like this:\u003c/p\u003e\n\u003cdiv class=\"highlight\"\u003e\u003cpre tabindex=\"0\" class=\"chroma\"\u003e\u003ccode class=\"language-c\" data-lang=\"c\"\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan 
class=\"k\"\u003etypedef\u003c/span\u003e \u003cspan class=\"k\"\u003estruct\u003c/span\u003e \u003cspan class=\"n\"\u003e_VECTORED_HANDLER_LIST\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"p\"\u003e{\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e    \u003cspan class=\"n\"\u003eSRWLOCK\u003c/span\u003e \u003cspan class=\"n\"\u003eLock\u003c/span\u003e\u003cspan class=\"p\"\u003e;\u003c/span\u003e           \u003cspan class=\"c1\"\u003e// slim reader/writer lock protecting the list\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"c1\"\u003e\u003c/span\u003e    \u003cspan class=\"n\"\u003eLIST_ENTRY\u003c/span\u003e \u003cspan class=\"n\"\u003eVEHList\u003c/span\u003e\u003cspan class=\"p\"\u003e;\u003c/span\u003e     \u003cspan class=\"c1\"\u003e// head of the vectored exception handler list\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"c1\"\u003e\u003c/span\u003e    \u003cspan class=\"n\"\u003eLIST_ENTRY\u003c/span\u003e \u003cspan class=\"n\"\u003eVCHList\u003c/span\u003e\u003cspan class=\"p\"\u003e;\u003c/span\u003e     \u003cspan class=\"c1\"\u003e// head of the vectored continue handler list\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"c1\"\u003e\u003c/span\u003e\u003cspan class=\"p\"\u003e}\u003c/span\u003e \u003cspan class=\"n\"\u003eVECTORED_HANDLER_LIST\u003c/span\u003e\u003cspan class=\"p\"\u003e;\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e\u003cp\u003eEach registered handler is wrapped in a node that gets allocated on the heap:\u003c/p\u003e\n\u003cdiv class=\"highlight\"\u003e\u003cpre tabindex=\"0\" 
class=\"chroma\"\u003e\u003ccode class=\"language-c\" data-lang=\"c\"\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"k\"\u003etypedef\u003c/span\u003e \u003cspan class=\"k\"\u003estruct\u003c/span\u003e \u003cspan class=\"n\"\u003e_VECTORED_EXCEPTION_NODE\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"p\"\u003e{\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e    \u003cspan class=\"n\"\u003eLIST_ENTRY\u003c/span\u003e \u003cspan class=\"n\"\u003eListEntry\u003c/span\u003e\u003cspan class=\"p\"\u003e;\u003c/span\u003e         \u003cspan class=\"c1\"\u003e// links to previous and next node\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"c1\"\u003e\u003c/span\u003e    \u003cspan class=\"n\"\u003ePVOID\u003c/span\u003e \u003cspan class=\"n\"\u003eEncodedHandler\u003c/span\u003e\u003cspan class=\"p\"\u003e;\u003c/span\u003e         \u003cspan class=\"c1\"\u003e// the function pointer, but encoded\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"c1\"\u003e\u003c/span\u003e    \u003cspan class=\"n\"\u003eULONG\u003c/span\u003e \u003cspan class=\"n\"\u003eReferenceCount\u003c/span\u003e\u003cspan class=\"p\"\u003e;\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"p\"\u003e}\u003c/span\u003e \u003cspan class=\"n\"\u003eVECTORED_EXCEPTION_NODE\u003c/span\u003e\u003cspan class=\"p\"\u003e;\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e\u003cp\u003eThe \u003ccode\u003eLIST_ENTRY\u003c/code\u003e is the standard Windows doubly linked list structure, with a \u003ccode\u003eFlink\u003c/code\u003e 
pointing to the next node and a \u003ccode\u003eBlink\u003c/code\u003e pointing to the previous one.\nThe list head in \u003ccode\u003eLdrpVectorHandlerList\u003c/code\u003e acts as the sentinel node, so walking from \u003ccode\u003eVEHList.Flink\u003c/code\u003e until you loop back to the head gives you every registered handler in order.\u003c/p\u003e\n\u003cp\u003e\u003ccode\u003eRtlAddVectoredExceptionHandler\u003c/code\u003e does the following (in order):\u003c/p\u003e\n\u003col\u003e\n\u003cli\u003eAllocates a \u003ccode\u003eVECTORED_EXCEPTION_NODE\u003c/code\u003e on the process heap with \u003ccode\u003eRtlAllocateHeap\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003eEncodes the function pointer using \u003ccode\u003eRtlEncodePointer\u003c/code\u003e before storing it in \u003ccode\u003eEncodedHandler\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003eAcquires an exclusive lock on the \u003ccode\u003eSRWLOCK\u003c/code\u003e in \u003ccode\u003eLdrpVectorHandlerList\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003eInserts the node either at the front or at the back of the list depending on the first parameter you passed\u003c/li\u003e\n\u003cli\u003eReleases the lock\u003c/li\u003e\n\u003cli\u003eReturns the address of the node as the handle you use later to remove it\u003c/li\u003e\n\u003c/ol\u003e\n\u003cp\u003eThe first parameter is documented as \u003ca href=\"https://learn.microsoft.com/en-us/windows/win32/api/errhandlingapi/nf-errhandlingapi-addvectoredexceptionhandler\"\u003eULONG First\u003c/a\u003e.\nA non-zero value puts the handler at the head of the list, meaning it will be called before any previously registered handler. Zero puts it at the tail.\u003c/p\u003e\n\u003cp\u003eWhen an exception occurs, after the kernel-side handling and the transition back to user mode,\nntdll calls \u003ccode\u003eRtlDispatchException\u003c/code\u003e. 
Before touching SEH, it acquires a shared lock on \u003ccode\u003eLdrpVectorHandlerList\u003c/code\u003e and walks the \u003ccode\u003eVEH\u003c/code\u003e list from head to tail.\nFor each node it decodes the handler pointer and calls it with the \u003ccode\u003eEXCEPTION_POINTERS\u003c/code\u003e structure.\nIf a handler returns \u003ccode\u003eEXCEPTION_CONTINUE_EXECUTION\u003c/code\u003e, the walk stops and execution resumes. If it returns \u003ccode\u003eEXCEPTION_CONTINUE_SEARCH\u003c/code\u003e, the walk continues to the next node.\nIf the entire \u003ccode\u003eVEH\u003c/code\u003e list is exhausted without anyone claiming the exception, the \u003ccode\u003eSEH\u003c/code\u003e chain is walked. If \u003ccode\u003eSEH\u003c/code\u003e also passes, the \u003ccode\u003eVCH\u003c/code\u003e list is walked.\n(VCH: Vectored Continue Handlers, whose handlers are registered via \u003ccode\u003eAddVectoredContinueHandler\u003c/code\u003e).\u003c/p\u003e\n\u003cp\u003eThe ordering guarantee is therefore strict: VEH first, in registration order, then SEH, then VCH.\u003c/p\u003e\n\n\u003ch3 id=\"practice-observing-it-at-runtime\"\u003ePractice: Observing it at runtime\u0026nbsp;\u003ca class=\"headline-hash no-text-decoration\" href=\"#practice-observing-it-at-runtime\"\u003e#\u003c/a\u003e\u003c/h3\u003e\n\n\n\u003cp\u003eThis is a short note section on how to inspect an exception as it passes through VEH, and the underlying structures, in \u003cstrong\u003eWinDbg\u003c/strong\u003e.\nFor this short exercise, I used the following C code:\u003c/p\u003e\n\u003cdiv class=\"highlight\"\u003e\u003cpre tabindex=\"0\" class=\"chroma\"\u003e\u003ccode class=\"language-c\" data-lang=\"c\"\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"cp\"\u003e#include\u003c/span\u003e \u003cspan class=\"cpf\"\u003e\u0026lt;windows.h\u0026gt;\u003c/span\u003e\u003cspan 
class=\"cp\"\u003e\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"cp\"\u003e#include\u003c/span\u003e \u003cspan class=\"cpf\"\u003e\u0026lt;stdio.h\u0026gt;\u003c/span\u003e\u003cspan class=\"cp\"\u003e\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"cp\"\u003e\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"n\"\u003eLONG\u003c/span\u003e \u003cspan class=\"n\"\u003eCALLBACK\u003c/span\u003e \u003cspan class=\"nf\"\u003eFirstHandler\u003c/span\u003e\u003cspan class=\"p\"\u003e(\u003c/span\u003e\u003cspan class=\"n\"\u003ePEXCEPTION_POINTERS\u003c/span\u003e \u003cspan class=\"n\"\u003eExceptionInfo\u003c/span\u003e\u003cspan class=\"p\"\u003e)\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"p\"\u003e{\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e    \u003cspan class=\"k\"\u003eif\u003c/span\u003e \u003cspan class=\"p\"\u003e(\u003c/span\u003e\u003cspan class=\"n\"\u003eExceptionInfo\u003c/span\u003e\u003cspan class=\"o\"\u003e-\u0026gt;\u003c/span\u003e\u003cspan class=\"n\"\u003eExceptionRecord\u003c/span\u003e\u003cspan class=\"o\"\u003e-\u0026gt;\u003c/span\u003e\u003cspan class=\"n\"\u003eExceptionCode\u003c/span\u003e \u003cspan class=\"o\"\u003e==\u003c/span\u003e \u003cspan class=\"n\"\u003eEXCEPTION_ACCESS_VIOLATION\u003c/span\u003e\u003cspan class=\"p\"\u003e)\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e    \u003cspan class=\"p\"\u003e{\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e        \u003cspan 
class=\"nf\"\u003eprintf\u003c/span\u003e\u003cspan class=\"p\"\u003e(\u003c/span\u003e\u003cspan class=\"s\"\u003e\u0026#34;FirstHandler: passing to next handler\u003c/span\u003e\u003cspan class=\"se\"\u003e\\n\u003c/span\u003e\u003cspan class=\"s\"\u003e\u0026#34;\u003c/span\u003e\u003cspan class=\"p\"\u003e);\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e        \u003cspan class=\"k\"\u003ereturn\u003c/span\u003e \u003cspan class=\"n\"\u003eEXCEPTION_CONTINUE_SEARCH\u003c/span\u003e\u003cspan class=\"p\"\u003e;\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e    \u003cspan class=\"p\"\u003e}\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e    \u003cspan class=\"k\"\u003ereturn\u003c/span\u003e \u003cspan class=\"n\"\u003eEXCEPTION_CONTINUE_SEARCH\u003c/span\u003e\u003cspan class=\"p\"\u003e;\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"p\"\u003e}\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"n\"\u003eLONG\u003c/span\u003e \u003cspan class=\"n\"\u003eCALLBACK\u003c/span\u003e \u003cspan class=\"nf\"\u003eSecondHandler\u003c/span\u003e\u003cspan class=\"p\"\u003e(\u003c/span\u003e\u003cspan class=\"n\"\u003ePEXCEPTION_POINTERS\u003c/span\u003e \u003cspan class=\"n\"\u003eExceptionInfo\u003c/span\u003e\u003cspan class=\"p\"\u003e)\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"p\"\u003e{\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e    \u003cspan 
class=\"k\"\u003eif\u003c/span\u003e \u003cspan class=\"p\"\u003e(\u003c/span\u003e\u003cspan class=\"n\"\u003eExceptionInfo\u003c/span\u003e\u003cspan class=\"o\"\u003e-\u0026gt;\u003c/span\u003e\u003cspan class=\"n\"\u003eExceptionRecord\u003c/span\u003e\u003cspan class=\"o\"\u003e-\u0026gt;\u003c/span\u003e\u003cspan class=\"n\"\u003eExceptionCode\u003c/span\u003e \u003cspan class=\"o\"\u003e==\u003c/span\u003e \u003cspan class=\"n\"\u003eEXCEPTION_ACCESS_VIOLATION\u003c/span\u003e\u003cspan class=\"p\"\u003e)\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e    \u003cspan class=\"p\"\u003e{\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e        \u003cspan class=\"nf\"\u003eprintf\u003c/span\u003e\u003cspan class=\"p\"\u003e(\u003c/span\u003e\u003cspan class=\"s\"\u003e\u0026#34;SecondHandler: claiming the exception\u003c/span\u003e\u003cspan class=\"se\"\u003e\\n\u003c/span\u003e\u003cspan class=\"s\"\u003e\u0026#34;\u003c/span\u003e\u003cspan class=\"p\"\u003e);\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e        \u003cspan class=\"n\"\u003eExceptionInfo\u003c/span\u003e\u003cspan class=\"o\"\u003e-\u0026gt;\u003c/span\u003e\u003cspan class=\"n\"\u003eContextRecord\u003c/span\u003e\u003cspan class=\"o\"\u003e-\u0026gt;\u003c/span\u003e\u003cspan class=\"n\"\u003eEip\u003c/span\u003e \u003cspan class=\"o\"\u003e+=\u003c/span\u003e \u003cspan class=\"mi\"\u003e6\u003c/span\u003e\u003cspan class=\"p\"\u003e;\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e        \u003cspan class=\"k\"\u003ereturn\u003c/span\u003e \u003cspan class=\"n\"\u003eEXCEPTION_CONTINUE_EXECUTION\u003c/span\u003e\u003cspan 
class=\"p\"\u003e;\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e    \u003cspan class=\"p\"\u003e}\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e    \u003cspan class=\"k\"\u003ereturn\u003c/span\u003e \u003cspan class=\"n\"\u003eEXCEPTION_CONTINUE_SEARCH\u003c/span\u003e\u003cspan class=\"p\"\u003e;\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"p\"\u003e}\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"kt\"\u003eint\u003c/span\u003e \u003cspan class=\"nf\"\u003emain\u003c/span\u003e\u003cspan class=\"p\"\u003e(\u003c/span\u003e\u003cspan class=\"kt\"\u003evoid\u003c/span\u003e\u003cspan class=\"p\"\u003e)\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"p\"\u003e{\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e    \u003cspan class=\"n\"\u003ePVOID\u003c/span\u003e \u003cspan class=\"n\"\u003eh1\u003c/span\u003e \u003cspan class=\"o\"\u003e=\u003c/span\u003e \u003cspan class=\"nf\"\u003eAddVectoredExceptionHandler\u003c/span\u003e\u003cspan class=\"p\"\u003e(\u003c/span\u003e\u003cspan class=\"mi\"\u003e1\u003c/span\u003e\u003cspan class=\"p\"\u003e,\u003c/span\u003e \u003cspan class=\"n\"\u003eFirstHandler\u003c/span\u003e\u003cspan class=\"p\"\u003e);\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e    \u003cspan class=\"n\"\u003ePVOID\u003c/span\u003e \u003cspan class=\"n\"\u003eh2\u003c/span\u003e \u003cspan class=\"o\"\u003e=\u003c/span\u003e \u003cspan 
class=\"nf\"\u003eAddVectoredExceptionHandler\u003c/span\u003e\u003cspan class=\"p\"\u003e(\u003c/span\u003e\u003cspan class=\"mi\"\u003e1\u003c/span\u003e\u003cspan class=\"p\"\u003e,\u003c/span\u003e \u003cspan class=\"n\"\u003eSecondHandler\u003c/span\u003e\u003cspan class=\"p\"\u003e);\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e    \u003cspan class=\"kt\"\u003eint\u003c/span\u003e \u003cspan class=\"o\"\u003e*\u003c/span\u003e\u003cspan class=\"n\"\u003eptr\u003c/span\u003e \u003cspan class=\"o\"\u003e=\u003c/span\u003e \u003cspan class=\"nb\"\u003eNULL\u003c/span\u003e\u003cspan class=\"p\"\u003e;\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e    \u003cspan class=\"o\"\u003e*\u003c/span\u003e\u003cspan class=\"n\"\u003eptr\u003c/span\u003e \u003cspan class=\"o\"\u003e=\u003c/span\u003e \u003cspan class=\"mi\"\u003e42\u003c/span\u003e\u003cspan class=\"p\"\u003e;\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e    \u003cspan class=\"nf\"\u003eRemoveVectoredExceptionHandler\u003c/span\u003e\u003cspan class=\"p\"\u003e(\u003c/span\u003e\u003cspan class=\"n\"\u003eh1\u003c/span\u003e\u003cspan class=\"p\"\u003e);\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e    \u003cspan class=\"nf\"\u003eRemoveVectoredExceptionHandler\u003c/span\u003e\u003cspan class=\"p\"\u003e(\u003c/span\u003e\u003cspan class=\"n\"\u003eh2\u003c/span\u003e\u003cspan class=\"p\"\u003e);\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan 
class=\"line\"\u003e\u003cspan class=\"cl\"\u003e    \u003cspan class=\"nf\"\u003eprintf\u003c/span\u003e\u003cspan class=\"p\"\u003e(\u003c/span\u003e\u003cspan class=\"s\"\u003e\u0026#34;execution continued after the fault\u003c/span\u003e\u003cspan class=\"se\"\u003e\\n\u003c/span\u003e\u003cspan class=\"s\"\u003e\u0026#34;\u003c/span\u003e\u003cspan class=\"p\"\u003e);\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e    \u003cspan class=\"k\"\u003ereturn\u003c/span\u003e \u003cspan class=\"mi\"\u003e0\u003c/span\u003e\u003cspan class=\"p\"\u003e;\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"p\"\u003e}\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e\u003cp\u003e\u003cem\u003eNB: I skip the part where I set up the symbols in windbg.\u003c/em\u003e\u003c/p\u003e\n\u003cp\u003eTo watch how the doubly linked list works, the following breakpoints are set:\u003c/p\u003e\n\u003cpre tabindex=\"0\"\u003e\u003ccode class=\"language-nil\" data-lang=\"nil\"\u003ebp ntdll!RtlpCallVectoredHandlers\nbp double_veh!FirstHandler\nbp double_veh!SecondHandler\n\u003c/code\u003e\u003c/pre\u003e\u003cp\u003eWhy break at \u003ccode\u003eRtlpCallVectoredHandlers\u003c/code\u003e? 
Because that is the function that walks the VEH list. Reading the stack from the bottom up, this is the full execution path that led there:\u003c/p\u003e\n\n\n\n\u003cfigure\u003e\n    \n        \u003cimg src=\"/ox-hugo/double-veh.png\" alt=\"Figure 6: capture of the stack after reaching RtlpCallVectoredHandlers in ntdll (just after ACCESS_VIOLATION occurred)\"/\u003e \u003cfigcaption\u003e\n                \u003cp\u003e\n                    \u003cspan class=\"figure-number\"\u003eFigure 6: \u003c/span\u003ecapture of the stack after reaching \u003ccode\u003eRtlpCallVectoredHandlers\u003c/code\u003e in ntdll (just after \u003ccode\u003eACCESS_VIOLATION\u003c/code\u003e occurred)\n                    \n                        \n                        \u003c/p\u003e\n                \n            \u003c/figcaption\u003e\u003c/figure\u003e\n\n\u003cul\u003e\n\u003cli\u003e\u003ccode\u003e_RtlUserThreadStart\u003c/code\u003e and \u003ccode\u003eBaseThreadInitThunk\u003c/code\u003e are the standard thread startup boilerplate\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003e__scrt_common_main_seh\u003c/code\u003e is the MSVC CRT startup wrapper that calls \u003ccode\u003emain\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003emain+0x30\u003c/code\u003e is my code, specifically line 32 in \u003cem\u003edouble-veh.c\u003c/em\u003e, the null pointer write \u003ccode\u003e*ptr = 42\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eKiUserExceptionDispatcher\u003c/code\u003e is the first user-mode function that ran after the kernel caught the fault: the re-entry point from kernel mode\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eRtlDispatchException+0x67\u003c/code\u003e is where the OS starts looking for a handler\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eRtlpCallVectoredHandlers\u003c/code\u003e is where execution currently sits: the function about to walk the process-wide VEH list\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003eThe key thing to point out for this article is frames 02, 01 and 00.\nThat three-step sequence from 
\u003ccode\u003eKiUserExceptionDispatcher\u003c/code\u003e to \u003ccode\u003eRtlDispatchException\u003c/code\u003e to \u003ccode\u003eRtlpCallVectoredHandlers\u003c/code\u003e is the exact dispatch chain.\u003c/p\u003e\n\u003cp\u003eLet it run with \u003ccode\u003eg\u003c/code\u003e until it hits the next breakpoint, which should be \u003ccode\u003eSecondHandler\u003c/code\u003e: it was registered second, but with the \u003ccode\u003eFirst\u003c/code\u003e parameter set to \u003cstrong\u003e1\u003c/strong\u003e (CALL_FIRST), which inserts it at the head of the VEH list, ahead of \u003ccode\u003eFirstHandler\u003c/code\u003e.\u003c/p\u003e\n\n\n\n\u003cfigure\u003e\n    \n        \u003cimg src=\"/ox-hugo/second_handler_called.png\" alt=\"Figure 7: WinDbg capture of the stack after hitting the SecondHandler function during exception dispatch\"/\u003e \u003cfigcaption\u003e\n                \u003cp\u003e\n                    \u003cspan class=\"figure-number\"\u003eFigure 7: \u003c/span\u003eWinDbg capture of the stack after hitting the \u003ccode\u003eSecondHandler\u003c/code\u003e function during exception dispatch\n                    \n                        \n                        \u003c/p\u003e\n                \n            \u003c/figcaption\u003e\u003c/figure\u003e\n\n\u003cp\u003eNow looking at \u003ccode\u003edd esp\u003c/code\u003e: the first value is the return address to the caller, and the second, \u003ccode\u003e010fec90\u003c/code\u003e, is the \u003ccode\u003eEXCEPTION_POINTERS\u003c/code\u003e pointer passed as the only argument to the handler (\u003ccode\u003eSecondHandler\u003c/code\u003e). This is the 32-bit \u003ccode\u003eWINAPI\u003c/code\u003e (stdcall) convention: arguments are pushed on the stack, so at the function\u0026rsquo;s first instruction the argument sits at \u003ccode\u003e[esp+4]\u003c/code\u003e. It can be followed with \u003ccode\u003edt EXCEPTION_POINTERS 010fec90\u003c/code\u003e, which gives:\u003c/p\u003e\n\u003cpre tabindex=\"0\"\u003e\u003ccode class=\"language-nil\" data-lang=\"nil\"\u003edouble_veh!_EXCEPTION_POINTERS\n   +0x000 ExceptionRecord  : 0x010fed74 _EXCEPTION_RECORD\n   +0x004 ContextRecord    : 0x010fedc4 _CONTEXT\n\u003c/code\u003e\u003c/pre\u003e\u003cp\u003eand with \u003ccode\u003edt _EXCEPTION_RECORD 0x010fed74\u003c/code\u003e to inspect 
the exception record\u003c/p\u003e\n\n\n\n\u003cfigure\u003e\n    \n        \u003cimg src=\"/ox-hugo/exception_code.png\" alt=\"Figure 8: Exception record inspection\"/\u003e \u003cfigcaption\u003e\n                \u003cp\u003e\n                    \u003cspan class=\"figure-number\"\u003eFigure 8: \u003c/span\u003eException record inspection\n                    \n                        \n                        \u003c/p\u003e\n                \n            \u003c/figcaption\u003e\u003c/figure\u003e\n\n\u003cp\u003eThis is what we expected to observe: the \u003cem\u003eExceptionCode\u003c/em\u003e is shown as \u003ccode\u003e0n-1073741819\u003c/code\u003e (WinDbg\u0026rsquo;s \u003ccode\u003e0n\u003c/code\u003e prefix means decimal, and the field is a signed \u003ccode\u003eLONG\u003c/code\u003e), which is \u003ccode\u003e0xC0000005\u003c/code\u003e (\u003ccode\u003eSTATUS_ACCESS_VIOLATION\u003c/code\u003e) read as a signed 32-bit integer.\u003c/p\u003e\n\u003cp\u003eTo convert the value to its hexadecimal representation I used the following Python snippet (masking with \u003ccode\u003e0xFFFFFFFF\u003c/code\u003e yields the two\u0026rsquo;s-complement 32-bit view); WinDbg can do the same in place with \u003ccode\u003e.formats 0n-1073741819\u003c/code\u003e:\u003c/p\u003e\n\u003cdiv class=\"highlight\"\u003e\u003cpre tabindex=\"0\" class=\"chroma\"\u003e\u003ccode class=\"language-python\" data-lang=\"python\"\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"n\"\u003evalue\u003c/span\u003e \u003cspan class=\"o\"\u003e=\u003c/span\u003e \u003cspan class=\"o\"\u003e-\u003c/span\u003e\u003cspan class=\"mi\"\u003e1073741819\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"nb\"\u003eprint\u003c/span\u003e\u003cspan class=\"p\"\u003e(\u003c/span\u003e\u003cspan class=\"nb\"\u003ehex\u003c/span\u003e\u003cspan class=\"p\"\u003e(\u003c/span\u003e\u003cspan class=\"n\"\u003evalue\u003c/span\u003e \u003cspan class=\"o\"\u003e\u0026amp;\u003c/span\u003e \u003cspan class=\"mh\"\u003e0xFFFFFFFF\u003c/span\u003e\u003cspan class=\"p\"\u003e))\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e\u003cdiv class=\"highlight\"\u003e\u003cpre tabindex=\"0\" class=\"chroma\"\u003e\u003ccode 
class=\"language-text\" data-lang=\"text\"\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e0xc0000005\n\u003c/span\u003e\u003c/span\u003e\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e\n\u003ch2 id=\"using-exceptions-as-a-control-flow-primitive\"\u003eUsing Exceptions as a Control Flow Primitive\u0026nbsp;\u003ca class=\"headline-hash no-text-decoration\" href=\"#using-exceptions-as-a-control-flow-primitive\"\u003e#\u003c/a\u003e\u003c/h2\u003e\n\n\n\u003cp\u003eIn this section, I decided to put my modest C skills to the test to see if I could trip up the decompiler.\u003c/p\u003e\n\u003cp\u003eThree source files are provided as proofs of concept; see them as a ladder toward that challenge:\u003c/p\u003e\n\u003col\u003e\n\u003cli\u003eA simple PoC combining VEH with API hashing.\u003c/li\u003e\n\u003cli\u003eIntroduce inline assembly to produce the faulting instruction.\u003c/li\u003e\n\u003cli\u003eImprove the code so the decompiler cannot resolve how the faulting instruction is constructed.\u003c/li\u003e\n\u003c/ol\u003e\n\n\u003ch3 id=\"veh-combined-with-api-hashing\"\u003eVEH combined with API hashing\u0026nbsp;\u003ca class=\"headline-hash no-text-decoration\" href=\"#veh-combined-with-api-hashing\"\u003e#\u003c/a\u003e\u003c/h3\u003e\n\n\n\u003cp\u003eThe PoC starts by resolving \u003ccode\u003eAddVectoredExceptionHandler\u003c/code\u003e through API hashing rather\nthan a normal import: the function name is reduced to a single 32-bit ROR13 constant (\u003ccode\u003e0x159B3EA0\u003c/code\u003e),\nand a small resolver walks kernel32\u0026rsquo;s export directory at runtime, following the forwarder entry into \u003cem\u003ekernelbase.dll\u003c/em\u003e where the real implementation lives.\nNo string, no IAT entry, no static cross-reference for a disassembler to pick up. 
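\u003c/p\u003e
\u003cp\u003eThe constant is meant to be useless to a string search, so the analyst-side question is the reverse one: which export name produces it? The tool below is an added example written for this article, not part of the PoC nor of any project the page discusses. It reimplements the same ROR13 variant the PoC uses (rotate the running value right by 13, add the next ASCII byte; only the export name is hashed, no module name, no case folding) and brute-forces a constant against a wordlist. The wordlist is a constructed, hypothetical handful of export names, and \u003ccode\u003eror13_hash\u003c/code\u003e / \u003ccode\u003eresolve_ror13\u003c/code\u003e are names chosen here; a real run would feed it every name from the export tables of the modules the loader walks. Because only the name is hashed, the constant is identical for the forwarder in kernel32 and the real export in kernelbase.\u003c/p\u003e

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Same ROR13 variant as the PoC's Ror13Hash: rotate the running value
 * right by 13 bits, then add the next ASCII byte of the export name.
 * The name alone is hashed (no module name, no case folding), so the
 * constant is the same whether the symbol is found in kernel32's export
 * table or, after the forwarder, in kernelbase. */
static uint32_t ror13_hash(const char *s)
{
    uint32_t h = 0;
    while (*s) {
        h = (h >> 13) | (h << 19);
        h += (uint8_t)*s++;
    }
    return h;
}

/* Constructed wordlist (hypothetical, not from the article): a few exports
 * an analyst would try first when a sample resolves imports by hash. A real
 * run would feed every name exported by the modules the loader walks. */
static const char *const CANDIDATE_EXPORTS[] = {
    "AddVectoredExceptionHandler",
    "RemoveVectoredExceptionHandler",
    "AddVectoredContinueHandler",
    "SetUnhandledExceptionFilter",
    "IsDebuggerPresent",
    "VirtualAlloc",
    "VirtualProtect",
    "CreateThread",
    "ExitProcess",
    "LoadLibraryA",
    "GetProcAddress",
};
#define CANDIDATE_COUNT (sizeof CANDIDATE_EXPORTS / sizeof CANDIDATE_EXPORTS[0])

/* Reverse lookup: hash every candidate and return the name that produces
 * `target`, or NULL when nothing in the wordlist matches. */
static const char *resolve_ror13(uint32_t target)
{
    for (size_t i = 0; i < CANDIDATE_COUNT; i++) {
        if (ror13_hash(CANDIDATE_EXPORTS[i]) == target)
            return CANDIDATE_EXPORTS[i];
    }
    return NULL;
}

int main(int argc, char **argv)
{
    /* With one argument, resolve a constant lifted from a sample:
     *   ./ror13 0x159B3EA0 */
    if (argc > 1) {
        uint32_t target = (uint32_t)strtoul(argv[1], NULL, 0);
        const char *name = resolve_ror13(target);
        printf("0x%08X -> %s\n", (unsigned)target,
               name ? name : "(no match in wordlist)");
        return name ? 0 : 1;
    }
    /* Without an argument, print the whole table so the constants can be
     * searched for in a disassembly or turned into a decompiler enum. */
    for (size_t i = 0; i < CANDIDATE_COUNT; i++)
        printf("0x%08X  %s\n", (unsigned)ror13_hash(CANDIDATE_EXPORTS[i]),
               CANDIDATE_EXPORTS[i]);
    return 0;
}
```

\u003cp\u003eRun it without arguments to print the table and compare the \u003ccode\u003eAddVectoredExceptionHandler\u003c/code\u003e line against the constant hard-coded in the PoC; with one argument it resolves a single constant. The same loop, fed with the full export lists, is what a hash-lookup plugin does for a decompiler.\u003c/p\u003e
\u003cp\u003e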
Once the address is in hand, the handler is registered with \u003ccode\u003eCALL_FIRST\u003c/code\u003e priority,\nso it runs before any vectored handler registered earlier and before the frame-based SEH chain, and the program deliberately raises an \u003ccode\u003eint3\u003c/code\u003e to invoke it.\nInside the handler, instead of calling \u003ccode\u003eIsDebuggerPresent\u003c/code\u003e, the code reads \u003ccode\u003eNtGlobalFlag\u003c/code\u003e directly from the \u003ccode\u003ePEB\u003c/code\u003e at offset \u003ccode\u003e0xBC\u003c/code\u003e (x64) or \u003ccode\u003e0x68\u003c/code\u003e (x86)\nand tests for the \u003ccode\u003e0x70\u003c/code\u003e heap-debug bit pattern (\u003ccode\u003eFLG_HEAP_ENABLE_TAIL_CHECK | FLG_HEAP_ENABLE_FREE_CHECK | FLG_HEAP_VALIDATE_PARAMETERS\u003c/code\u003e) that Windows sets whenever a process is created under a debugger.\nTwo caveats are worth keeping in mind: the flags are set at process creation only, so they say nothing about a debugger attached later, and launching the process with the \u003ccode\u003e_NO_DEBUG_HEAP=1\u003c/code\u003e environment variable set suppresses them, which is the usual way to defeat this check.\nI recently came across this technique, which is documented by Check Point in their \u003ca href=\"https://anti-debug.checkpoint.com/techniques/debug-flags.html#manual-checks-ntglobalflag\"\u003eAnti-Debug: Debug Flags\u003c/a\u003e documentation.\u003c/p\u003e\n\u003cp\u003eIn the normal case the bits are clear: the handler advances \u003ccode\u003eRIP\u003c/code\u003e one byte past the \u003ccode\u003eint3\u003c/code\u003e (Windows reports a breakpoint exception with the context pointing at the \u003ccode\u003eint3\u003c/code\u003e opcode itself),\nreturns \u003ccode\u003eEXCEPTION_CONTINUE_EXECUTION\u003c/code\u003e, and the program prints its \u0026ldquo;survived\u0026rdquo; message and exits cleanly.\nUnder a debugger the same read has all three bits set and the process terminates with exit code \u003ccode\u003e0xDEAD\u003c/code\u003e.\u003c/p\u003e\n\u003cdiv class=\"highlight\"\u003e\u003cpre tabindex=\"0\" class=\"chroma\"\u003e\u003ccode class=\"language-c\" data-lang=\"c\"\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"cp\"\u003e#include\u003c/span\u003e \u003cspan class=\"cpf\"\u003e\u0026lt;windows.h\u0026gt;\u003c/span\u003e\u003cspan class=\"cp\"\u003e\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"cp\"\u003e#include\u003c/span\u003e \u003cspan 
class=\"cpf\"\u003e\u0026lt;stdio.h\u0026gt;\u003c/span\u003e\u003cspan class=\"cp\"\u003e\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"cp\"\u003e\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"cp\"\u003e#define FLG_HEAP_ENABLE_TAIL_CHECK    0x10\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"cp\"\u003e#define FLG_HEAP_ENABLE_FREE_CHECK    0x20\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"cp\"\u003e#define FLG_HEAP_VALIDATE_PARAMETERS  0x40\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"cp\"\u003e#define NT_GLOBAL_FLAG_DBG_MASK \\\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"cp\"\u003e    (FLG_HEAP_ENABLE_TAIL_CHECK | FLG_HEAP_ENABLE_FREE_CHECK | FLG_HEAP_VALIDATE_PARAMETERS)\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"cp\"\u003e\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"k\"\u003etypedef\u003c/span\u003e \u003cspan class=\"nf\"\u003ePVOID\u003c/span\u003e \u003cspan class=\"p\"\u003e(\u003c/span\u003e\u003cspan class=\"n\"\u003eWINAPI\u003c/span\u003e \u003cspan class=\"o\"\u003e*\u003c/span\u003e\u003cspan class=\"n\"\u003epfnAddVectoredExceptionHandler\u003c/span\u003e\u003cspan class=\"p\"\u003e)(\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e    \u003cspan class=\"n\"\u003eULONG\u003c/span\u003e \u003cspan 
class=\"n\"\u003eFirst\u003c/span\u003e\u003cspan class=\"p\"\u003e,\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e    \u003cspan class=\"n\"\u003ePVECTORED_EXCEPTION_HANDLER\u003c/span\u003e \u003cspan class=\"n\"\u003eHandler\u003c/span\u003e\u003cspan class=\"p\"\u003e);\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"k\"\u003estatic\u003c/span\u003e \u003cspan class=\"n\"\u003eULONG\u003c/span\u003e \u003cspan class=\"nf\"\u003eGetNtGlobalFlag\u003c/span\u003e\u003cspan class=\"p\"\u003e(\u003c/span\u003e\u003cspan class=\"kt\"\u003evoid\u003c/span\u003e\u003cspan class=\"p\"\u003e)\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"p\"\u003e{\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"cp\"\u003e#ifdef _WIN64\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"cp\"\u003e\u003c/span\u003e    \u003cspan class=\"n\"\u003ePBYTE\u003c/span\u003e \u003cspan class=\"n\"\u003epeb\u003c/span\u003e \u003cspan class=\"o\"\u003e=\u003c/span\u003e \u003cspan class=\"p\"\u003e(\u003c/span\u003e\u003cspan class=\"n\"\u003ePBYTE\u003c/span\u003e\u003cspan class=\"p\"\u003e)\u003c/span\u003e\u003cspan class=\"nf\"\u003e__readgsqword\u003c/span\u003e\u003cspan class=\"p\"\u003e(\u003c/span\u003e\u003cspan class=\"mh\"\u003e0x60\u003c/span\u003e\u003cspan class=\"p\"\u003e);\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e    \u003cspan class=\"k\"\u003ereturn\u003c/span\u003e \u003cspan class=\"o\"\u003e*\u003c/span\u003e\u003cspan 
class=\"p\"\u003e(\u003c/span\u003e\u003cspan class=\"k\"\u003evolatile\u003c/span\u003e \u003cspan class=\"n\"\u003eULONG\u003c/span\u003e \u003cspan class=\"o\"\u003e*\u003c/span\u003e\u003cspan class=\"p\"\u003e)(\u003c/span\u003e\u003cspan class=\"n\"\u003epeb\u003c/span\u003e \u003cspan class=\"o\"\u003e+\u003c/span\u003e \u003cspan class=\"mh\"\u003e0xBC\u003c/span\u003e\u003cspan class=\"p\"\u003e);\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"cp\"\u003e#else\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"cp\"\u003e\u003c/span\u003e    \u003cspan class=\"n\"\u003ePBYTE\u003c/span\u003e \u003cspan class=\"n\"\u003epeb\u003c/span\u003e \u003cspan class=\"o\"\u003e=\u003c/span\u003e \u003cspan class=\"p\"\u003e(\u003c/span\u003e\u003cspan class=\"n\"\u003ePBYTE\u003c/span\u003e\u003cspan class=\"p\"\u003e)\u003c/span\u003e\u003cspan class=\"nf\"\u003e__readfsdword\u003c/span\u003e\u003cspan class=\"p\"\u003e(\u003c/span\u003e\u003cspan class=\"mh\"\u003e0x30\u003c/span\u003e\u003cspan class=\"p\"\u003e);\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e    \u003cspan class=\"k\"\u003ereturn\u003c/span\u003e \u003cspan class=\"o\"\u003e*\u003c/span\u003e\u003cspan class=\"p\"\u003e(\u003c/span\u003e\u003cspan class=\"k\"\u003evolatile\u003c/span\u003e \u003cspan class=\"n\"\u003eULONG\u003c/span\u003e \u003cspan class=\"o\"\u003e*\u003c/span\u003e\u003cspan class=\"p\"\u003e)(\u003c/span\u003e\u003cspan class=\"n\"\u003epeb\u003c/span\u003e \u003cspan class=\"o\"\u003e+\u003c/span\u003e \u003cspan class=\"mh\"\u003e0x68\u003c/span\u003e\u003cspan class=\"p\"\u003e);\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan 
class=\"cp\"\u003e#endif\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"cp\"\u003e\u003c/span\u003e\u003cspan class=\"p\"\u003e}\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"k\"\u003estatic\u003c/span\u003e \u003cspan class=\"n\"\u003eLONG\u003c/span\u003e \u003cspan class=\"n\"\u003eWINAPI\u003c/span\u003e \u003cspan class=\"nf\"\u003eMyVectoredHandler\u003c/span\u003e\u003cspan class=\"p\"\u003e(\u003c/span\u003e\u003cspan class=\"n\"\u003ePEXCEPTION_POINTERS\u003c/span\u003e \u003cspan class=\"n\"\u003eep\u003c/span\u003e\u003cspan class=\"p\"\u003e)\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"p\"\u003e{\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e    \u003cspan class=\"k\"\u003eif\u003c/span\u003e \u003cspan class=\"p\"\u003e(\u003c/span\u003e\u003cspan class=\"n\"\u003eep\u003c/span\u003e\u003cspan class=\"o\"\u003e-\u0026gt;\u003c/span\u003e\u003cspan class=\"n\"\u003eExceptionRecord\u003c/span\u003e\u003cspan class=\"o\"\u003e-\u0026gt;\u003c/span\u003e\u003cspan class=\"n\"\u003eExceptionCode\u003c/span\u003e \u003cspan class=\"o\"\u003e!=\u003c/span\u003e \u003cspan class=\"n\"\u003eEXCEPTION_BREAKPOINT\u003c/span\u003e\u003cspan class=\"p\"\u003e)\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e        \u003cspan class=\"k\"\u003ereturn\u003c/span\u003e \u003cspan class=\"n\"\u003eEXCEPTION_CONTINUE_SEARCH\u003c/span\u003e\u003cspan class=\"p\"\u003e;\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan 
class=\"cl\"\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e    \u003cspan class=\"n\"\u003eULONG\u003c/span\u003e \u003cspan class=\"n\"\u003eflag\u003c/span\u003e \u003cspan class=\"o\"\u003e=\u003c/span\u003e \u003cspan class=\"nf\"\u003eGetNtGlobalFlag\u003c/span\u003e\u003cspan class=\"p\"\u003e();\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e    \u003cspan class=\"nf\"\u003eprintf\u003c/span\u003e\u003cspan class=\"p\"\u003e(\u003c/span\u003e\u003cspan class=\"s\"\u003e\u0026#34;[VEH] hit. NtGlobalFlag = 0x%lx\u003c/span\u003e\u003cspan class=\"se\"\u003e\\n\u003c/span\u003e\u003cspan class=\"s\"\u003e\u0026#34;\u003c/span\u003e\u003cspan class=\"p\"\u003e,\u003c/span\u003e \u003cspan class=\"n\"\u003eflag\u003c/span\u003e\u003cspan class=\"p\"\u003e);\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e    \u003cspan class=\"k\"\u003eif\u003c/span\u003e \u003cspan class=\"p\"\u003e((\u003c/span\u003e\u003cspan class=\"n\"\u003eflag\u003c/span\u003e \u003cspan class=\"o\"\u003e\u0026amp;\u003c/span\u003e \u003cspan class=\"n\"\u003eNT_GLOBAL_FLAG_DBG_MASK\u003c/span\u003e\u003cspan class=\"p\"\u003e)\u003c/span\u003e \u003cspan class=\"o\"\u003e==\u003c/span\u003e \u003cspan class=\"n\"\u003eNT_GLOBAL_FLAG_DBG_MASK\u003c/span\u003e\u003cspan class=\"p\"\u003e)\u003c/span\u003e \u003cspan class=\"p\"\u003e{\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e        \u003cspan class=\"nf\"\u003eprintf\u003c/span\u003e\u003cspan class=\"p\"\u003e(\u003c/span\u003e\u003cspan class=\"s\"\u003e\u0026#34;[VEH] debugger detected via NtGlobalFlag -\u0026gt; bailing.\u003c/span\u003e\u003cspan 
class=\"se\"\u003e\\n\u003c/span\u003e\u003cspan class=\"s\"\u003e\u0026#34;\u003c/span\u003e\u003cspan class=\"p\"\u003e);\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e        \u003cspan class=\"nf\"\u003eExitProcess\u003c/span\u003e\u003cspan class=\"p\"\u003e(\u003c/span\u003e\u003cspan class=\"mh\"\u003e0xDEAD\u003c/span\u003e\u003cspan class=\"p\"\u003e);\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e    \u003cspan class=\"p\"\u003e}\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e    \u003cspan class=\"nf\"\u003eprintf\u003c/span\u003e\u003cspan class=\"p\"\u003e(\u003c/span\u003e\u003cspan class=\"s\"\u003e\u0026#34;[VEH] clean. Skipping the int3 and resuming.\u003c/span\u003e\u003cspan class=\"se\"\u003e\\n\u003c/span\u003e\u003cspan class=\"s\"\u003e\u0026#34;\u003c/span\u003e\u003cspan class=\"p\"\u003e);\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"cp\"\u003e#ifdef _WIN64\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"cp\"\u003e\u003c/span\u003e    \u003cspan class=\"n\"\u003eep\u003c/span\u003e\u003cspan class=\"o\"\u003e-\u0026gt;\u003c/span\u003e\u003cspan class=\"n\"\u003eContextRecord\u003c/span\u003e\u003cspan class=\"o\"\u003e-\u0026gt;\u003c/span\u003e\u003cspan class=\"n\"\u003eRip\u003c/span\u003e \u003cspan class=\"o\"\u003e+=\u003c/span\u003e \u003cspan class=\"mi\"\u003e1\u003c/span\u003e\u003cspan class=\"p\"\u003e;\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan 
class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"cp\"\u003e#else\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"cp\"\u003e\u003c/span\u003e    \u003cspan class=\"n\"\u003eep\u003c/span\u003e\u003cspan class=\"o\"\u003e-\u0026gt;\u003c/span\u003e\u003cspan class=\"n\"\u003eContextRecord\u003c/span\u003e\u003cspan class=\"o\"\u003e-\u0026gt;\u003c/span\u003e\u003cspan class=\"n\"\u003eEip\u003c/span\u003e \u003cspan class=\"o\"\u003e+=\u003c/span\u003e \u003cspan class=\"mi\"\u003e1\u003c/span\u003e\u003cspan class=\"p\"\u003e;\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"cp\"\u003e#endif\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"cp\"\u003e\u003c/span\u003e    \u003cspan class=\"k\"\u003ereturn\u003c/span\u003e \u003cspan class=\"n\"\u003eEXCEPTION_CONTINUE_EXECUTION\u003c/span\u003e\u003cspan class=\"p\"\u003e;\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"p\"\u003e}\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"cp\"\u003e#define HASH_ADDVECTOREDEXCEPTIONHANDLER  0x159B3EA0UL\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"cp\"\u003e\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"k\"\u003estatic\u003c/span\u003e \u003cspan class=\"n\"\u003eDWORD\u003c/span\u003e \u003cspan class=\"nf\"\u003eRor13Hash\u003c/span\u003e\u003cspan 
class=\"p\"\u003e(\u003c/span\u003e\u003cspan class=\"k\"\u003econst\u003c/span\u003e \u003cspan class=\"kt\"\u003echar\u003c/span\u003e \u003cspan class=\"o\"\u003e*\u003c/span\u003e\u003cspan class=\"n\"\u003es\u003c/span\u003e\u003cspan class=\"p\"\u003e)\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"p\"\u003e{\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e    \u003cspan class=\"n\"\u003eDWORD\u003c/span\u003e \u003cspan class=\"n\"\u003eh\u003c/span\u003e \u003cspan class=\"o\"\u003e=\u003c/span\u003e \u003cspan class=\"mi\"\u003e0\u003c/span\u003e\u003cspan class=\"p\"\u003e;\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e    \u003cspan class=\"k\"\u003ewhile\u003c/span\u003e \u003cspan class=\"p\"\u003e(\u003c/span\u003e\u003cspan class=\"o\"\u003e*\u003c/span\u003e\u003cspan class=\"n\"\u003es\u003c/span\u003e\u003cspan class=\"p\"\u003e)\u003c/span\u003e \u003cspan class=\"p\"\u003e{\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e        \u003cspan class=\"n\"\u003eh\u003c/span\u003e \u003cspan class=\"o\"\u003e=\u003c/span\u003e \u003cspan class=\"p\"\u003e(\u003c/span\u003e\u003cspan class=\"n\"\u003eh\u003c/span\u003e \u003cspan class=\"o\"\u003e\u0026gt;\u0026gt;\u003c/span\u003e \u003cspan class=\"mi\"\u003e13\u003c/span\u003e\u003cspan class=\"p\"\u003e)\u003c/span\u003e \u003cspan class=\"o\"\u003e|\u003c/span\u003e \u003cspan class=\"p\"\u003e(\u003c/span\u003e\u003cspan class=\"n\"\u003eh\u003c/span\u003e \u003cspan class=\"o\"\u003e\u0026lt;\u0026lt;\u003c/span\u003e \u003cspan class=\"mi\"\u003e19\u003c/span\u003e\u003cspan class=\"p\"\u003e);\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e        
\u003cspan class=\"n\"\u003eh\u003c/span\u003e \u003cspan class=\"o\"\u003e+=\u003c/span\u003e \u003cspan class=\"p\"\u003e(\u003c/span\u003e\u003cspan class=\"n\"\u003eBYTE\u003c/span\u003e\u003cspan class=\"p\"\u003e)\u003c/span\u003e\u003cspan class=\"o\"\u003e*\u003c/span\u003e\u003cspan class=\"n\"\u003es\u003c/span\u003e\u003cspan class=\"o\"\u003e++\u003c/span\u003e\u003cspan class=\"p\"\u003e;\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e    \u003cspan class=\"p\"\u003e}\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e    \u003cspan class=\"k\"\u003ereturn\u003c/span\u003e \u003cspan class=\"n\"\u003eh\u003c/span\u003e\u003cspan class=\"p\"\u003e;\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"p\"\u003e}\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"k\"\u003estatic\u003c/span\u003e \u003cspan class=\"n\"\u003eFARPROC\u003c/span\u003e \u003cspan class=\"nf\"\u003eResolveByHash\u003c/span\u003e\u003cspan class=\"p\"\u003e(\u003c/span\u003e\u003cspan class=\"n\"\u003eHMODULE\u003c/span\u003e \u003cspan class=\"n\"\u003ehMod\u003c/span\u003e\u003cspan class=\"p\"\u003e,\u003c/span\u003e \u003cspan class=\"n\"\u003eDWORD\u003c/span\u003e \u003cspan class=\"n\"\u003etarget\u003c/span\u003e\u003cspan class=\"p\"\u003e)\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"p\"\u003e{\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e    \u003cspan class=\"n\"\u003ePBYTE\u003c/span\u003e \u003cspan class=\"n\"\u003ebase\u003c/span\u003e 
\u003cspan class=\"o\"\u003e=\u003c/span\u003e \u003cspan class=\"p\"\u003e(\u003c/span\u003e\u003cspan class=\"n\"\u003ePBYTE\u003c/span\u003e\u003cspan class=\"p\"\u003e)\u003c/span\u003e\u003cspan class=\"n\"\u003ehMod\u003c/span\u003e\u003cspan class=\"p\"\u003e;\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e    \u003cspan class=\"n\"\u003ePIMAGE_DOS_HEADER\u003c/span\u003e \u003cspan class=\"n\"\u003edos\u003c/span\u003e \u003cspan class=\"o\"\u003e=\u003c/span\u003e \u003cspan class=\"p\"\u003e(\u003c/span\u003e\u003cspan class=\"n\"\u003ePIMAGE_DOS_HEADER\u003c/span\u003e\u003cspan class=\"p\"\u003e)\u003c/span\u003e\u003cspan class=\"n\"\u003ebase\u003c/span\u003e\u003cspan class=\"p\"\u003e;\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e    \u003cspan class=\"k\"\u003eif\u003c/span\u003e \u003cspan class=\"p\"\u003e(\u003c/span\u003e\u003cspan class=\"n\"\u003edos\u003c/span\u003e\u003cspan class=\"o\"\u003e-\u0026gt;\u003c/span\u003e\u003cspan class=\"n\"\u003ee_magic\u003c/span\u003e \u003cspan class=\"o\"\u003e!=\u003c/span\u003e \u003cspan class=\"n\"\u003eIMAGE_DOS_SIGNATURE\u003c/span\u003e\u003cspan class=\"p\"\u003e)\u003c/span\u003e \u003cspan class=\"k\"\u003ereturn\u003c/span\u003e \u003cspan class=\"nb\"\u003eNULL\u003c/span\u003e\u003cspan class=\"p\"\u003e;\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e    \u003cspan class=\"n\"\u003ePIMAGE_NT_HEADERS\u003c/span\u003e \u003cspan class=\"n\"\u003ent\u003c/span\u003e \u003cspan class=\"o\"\u003e=\u003c/span\u003e \u003cspan class=\"p\"\u003e(\u003c/span\u003e\u003cspan class=\"n\"\u003ePIMAGE_NT_HEADERS\u003c/span\u003e\u003cspan class=\"p\"\u003e)(\u003c/span\u003e\u003cspan 
class=\"n\"\u003ebase\u003c/span\u003e \u003cspan class=\"o\"\u003e+\u003c/span\u003e \u003cspan class=\"n\"\u003edos\u003c/span\u003e\u003cspan class=\"o\"\u003e-\u0026gt;\u003c/span\u003e\u003cspan class=\"n\"\u003ee_lfanew\u003c/span\u003e\u003cspan class=\"p\"\u003e);\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e    \u003cspan class=\"k\"\u003eif\u003c/span\u003e \u003cspan class=\"p\"\u003e(\u003c/span\u003e\u003cspan class=\"n\"\u003ent\u003c/span\u003e\u003cspan class=\"o\"\u003e-\u0026gt;\u003c/span\u003e\u003cspan class=\"n\"\u003eSignature\u003c/span\u003e \u003cspan class=\"o\"\u003e!=\u003c/span\u003e \u003cspan class=\"n\"\u003eIMAGE_NT_SIGNATURE\u003c/span\u003e\u003cspan class=\"p\"\u003e)\u003c/span\u003e \u003cspan class=\"k\"\u003ereturn\u003c/span\u003e \u003cspan class=\"nb\"\u003eNULL\u003c/span\u003e\u003cspan class=\"p\"\u003e;\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e    \u003cspan class=\"n\"\u003eIMAGE_DATA_DIRECTORY\u003c/span\u003e \u003cspan class=\"n\"\u003edir\u003c/span\u003e \u003cspan class=\"o\"\u003e=\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e        \u003cspan class=\"n\"\u003ent\u003c/span\u003e\u003cspan class=\"o\"\u003e-\u0026gt;\u003c/span\u003e\u003cspan class=\"n\"\u003eOptionalHeader\u003c/span\u003e\u003cspan class=\"p\"\u003e.\u003c/span\u003e\u003cspan class=\"n\"\u003eDataDirectory\u003c/span\u003e\u003cspan class=\"p\"\u003e[\u003c/span\u003e\u003cspan class=\"n\"\u003eIMAGE_DIRECTORY_ENTRY_EXPORT\u003c/span\u003e\u003cspan class=\"p\"\u003e];\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e    \u003cspan class=\"k\"\u003eif\u003c/span\u003e \u003cspan 
class=\"p\"\u003e(\u003c/span\u003e\u003cspan class=\"o\"\u003e!\u003c/span\u003e\u003cspan class=\"n\"\u003edir\u003c/span\u003e\u003cspan class=\"p\"\u003e.\u003c/span\u003e\u003cspan class=\"n\"\u003eVirtualAddress\u003c/span\u003e \u003cspan class=\"o\"\u003e||\u003c/span\u003e \u003cspan class=\"o\"\u003e!\u003c/span\u003e\u003cspan class=\"n\"\u003edir\u003c/span\u003e\u003cspan class=\"p\"\u003e.\u003c/span\u003e\u003cspan class=\"n\"\u003eSize\u003c/span\u003e\u003cspan class=\"p\"\u003e)\u003c/span\u003e \u003cspan class=\"k\"\u003ereturn\u003c/span\u003e \u003cspan class=\"nb\"\u003eNULL\u003c/span\u003e\u003cspan class=\"p\"\u003e;\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e    \u003cspan class=\"n\"\u003ePIMAGE_EXPORT_DIRECTORY\u003c/span\u003e \u003cspan class=\"n\"\u003eexp\u003c/span\u003e \u003cspan class=\"o\"\u003e=\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e        \u003cspan class=\"p\"\u003e(\u003c/span\u003e\u003cspan class=\"n\"\u003ePIMAGE_EXPORT_DIRECTORY\u003c/span\u003e\u003cspan class=\"p\"\u003e)(\u003c/span\u003e\u003cspan class=\"n\"\u003ebase\u003c/span\u003e \u003cspan class=\"o\"\u003e+\u003c/span\u003e \u003cspan class=\"n\"\u003edir\u003c/span\u003e\u003cspan class=\"p\"\u003e.\u003c/span\u003e\u003cspan class=\"n\"\u003eVirtualAddress\u003c/span\u003e\u003cspan class=\"p\"\u003e);\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e    \u003cspan class=\"n\"\u003ePDWORD\u003c/span\u003e \u003cspan class=\"n\"\u003enames\u003c/span\u003e    \u003cspan class=\"o\"\u003e=\u003c/span\u003e \u003cspan class=\"p\"\u003e(\u003c/span\u003e\u003cspan class=\"n\"\u003ePDWORD\u003c/span\u003e\u003cspan class=\"p\"\u003e)(\u003c/span\u003e\u003cspan 
class=\"n\"\u003ebase\u003c/span\u003e \u003cspan class=\"o\"\u003e+\u003c/span\u003e \u003cspan class=\"n\"\u003eexp\u003c/span\u003e\u003cspan class=\"o\"\u003e-\u0026gt;\u003c/span\u003e\u003cspan class=\"n\"\u003eAddressOfNames\u003c/span\u003e\u003cspan class=\"p\"\u003e);\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e    \u003cspan class=\"n\"\u003ePWORD\u003c/span\u003e  \u003cspan class=\"n\"\u003eordinals\u003c/span\u003e \u003cspan class=\"o\"\u003e=\u003c/span\u003e \u003cspan class=\"p\"\u003e(\u003c/span\u003e\u003cspan class=\"n\"\u003ePWORD\u003c/span\u003e\u003cspan class=\"p\"\u003e)\u003c/span\u003e \u003cspan class=\"p\"\u003e(\u003c/span\u003e\u003cspan class=\"n\"\u003ebase\u003c/span\u003e \u003cspan class=\"o\"\u003e+\u003c/span\u003e \u003cspan class=\"n\"\u003eexp\u003c/span\u003e\u003cspan class=\"o\"\u003e-\u0026gt;\u003c/span\u003e\u003cspan class=\"n\"\u003eAddressOfNameOrdinals\u003c/span\u003e\u003cspan class=\"p\"\u003e);\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e    \u003cspan class=\"n\"\u003ePDWORD\u003c/span\u003e \u003cspan class=\"n\"\u003efuncs\u003c/span\u003e    \u003cspan class=\"o\"\u003e=\u003c/span\u003e \u003cspan class=\"p\"\u003e(\u003c/span\u003e\u003cspan class=\"n\"\u003ePDWORD\u003c/span\u003e\u003cspan class=\"p\"\u003e)(\u003c/span\u003e\u003cspan class=\"n\"\u003ebase\u003c/span\u003e \u003cspan class=\"o\"\u003e+\u003c/span\u003e \u003cspan class=\"n\"\u003eexp\u003c/span\u003e\u003cspan class=\"o\"\u003e-\u0026gt;\u003c/span\u003e\u003cspan class=\"n\"\u003eAddressOfFunctions\u003c/span\u003e\u003cspan class=\"p\"\u003e);\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e    \u003cspan 
class=\"k\"\u003efor\u003c/span\u003e \u003cspan class=\"p\"\u003e(\u003c/span\u003e\u003cspan class=\"n\"\u003eDWORD\u003c/span\u003e \u003cspan class=\"n\"\u003ei\u003c/span\u003e \u003cspan class=\"o\"\u003e=\u003c/span\u003e \u003cspan class=\"mi\"\u003e0\u003c/span\u003e\u003cspan class=\"p\"\u003e;\u003c/span\u003e \u003cspan class=\"n\"\u003ei\u003c/span\u003e \u003cspan class=\"o\"\u003e\u0026lt;\u003c/span\u003e \u003cspan class=\"n\"\u003eexp\u003c/span\u003e\u003cspan class=\"o\"\u003e-\u0026gt;\u003c/span\u003e\u003cspan class=\"n\"\u003eNumberOfNames\u003c/span\u003e\u003cspan class=\"p\"\u003e;\u003c/span\u003e \u003cspan class=\"n\"\u003ei\u003c/span\u003e\u003cspan class=\"o\"\u003e++\u003c/span\u003e\u003cspan class=\"p\"\u003e)\u003c/span\u003e \u003cspan class=\"p\"\u003e{\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e        \u003cspan class=\"k\"\u003econst\u003c/span\u003e \u003cspan class=\"kt\"\u003echar\u003c/span\u003e \u003cspan class=\"o\"\u003e*\u003c/span\u003e\u003cspan class=\"n\"\u003ename\u003c/span\u003e \u003cspan class=\"o\"\u003e=\u003c/span\u003e \u003cspan class=\"p\"\u003e(\u003c/span\u003e\u003cspan class=\"k\"\u003econst\u003c/span\u003e \u003cspan class=\"kt\"\u003echar\u003c/span\u003e \u003cspan class=\"o\"\u003e*\u003c/span\u003e\u003cspan class=\"p\"\u003e)(\u003c/span\u003e\u003cspan class=\"n\"\u003ebase\u003c/span\u003e \u003cspan class=\"o\"\u003e+\u003c/span\u003e \u003cspan class=\"n\"\u003enames\u003c/span\u003e\u003cspan class=\"p\"\u003e[\u003c/span\u003e\u003cspan class=\"n\"\u003ei\u003c/span\u003e\u003cspan class=\"p\"\u003e]);\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e        \u003cspan class=\"k\"\u003eif\u003c/span\u003e \u003cspan class=\"p\"\u003e(\u003c/span\u003e\u003cspan class=\"nf\"\u003eRor13Hash\u003c/span\u003e\u003cspan 
class=\"p\"\u003e(\u003c/span\u003e\u003cspan class=\"n\"\u003ename\u003c/span\u003e\u003cspan class=\"p\"\u003e)\u003c/span\u003e \u003cspan class=\"o\"\u003e!=\u003c/span\u003e \u003cspan class=\"n\"\u003etarget\u003c/span\u003e\u003cspan class=\"p\"\u003e)\u003c/span\u003e \u003cspan class=\"k\"\u003econtinue\u003c/span\u003e\u003cspan class=\"p\"\u003e;\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e        \u003cspan class=\"n\"\u003eDWORD\u003c/span\u003e \u003cspan class=\"n\"\u003efuncRva\u003c/span\u003e \u003cspan class=\"o\"\u003e=\u003c/span\u003e \u003cspan class=\"n\"\u003efuncs\u003c/span\u003e\u003cspan class=\"p\"\u003e[\u003c/span\u003e\u003cspan class=\"n\"\u003eordinals\u003c/span\u003e\u003cspan class=\"p\"\u003e[\u003c/span\u003e\u003cspan class=\"n\"\u003ei\u003c/span\u003e\u003cspan class=\"p\"\u003e]];\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e        \u003cspan class=\"k\"\u003eif\u003c/span\u003e \u003cspan class=\"p\"\u003e(\u003c/span\u003e\u003cspan class=\"n\"\u003efuncRva\u003c/span\u003e \u003cspan class=\"o\"\u003e\u0026gt;=\u003c/span\u003e \u003cspan class=\"n\"\u003edir\u003c/span\u003e\u003cspan class=\"p\"\u003e.\u003c/span\u003e\u003cspan class=\"n\"\u003eVirtualAddress\u003c/span\u003e \u003cspan class=\"o\"\u003e\u0026amp;\u0026amp;\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e            \u003cspan class=\"n\"\u003efuncRva\u003c/span\u003e \u003cspan class=\"o\"\u003e\u0026lt;\u003c/span\u003e  \u003cspan class=\"n\"\u003edir\u003c/span\u003e\u003cspan class=\"p\"\u003e.\u003c/span\u003e\u003cspan 
class=\"n\"\u003eVirtualAddress\u003c/span\u003e \u003cspan class=\"o\"\u003e+\u003c/span\u003e \u003cspan class=\"n\"\u003edir\u003c/span\u003e\u003cspan class=\"p\"\u003e.\u003c/span\u003e\u003cspan class=\"n\"\u003eSize\u003c/span\u003e\u003cspan class=\"p\"\u003e)\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e        \u003cspan class=\"p\"\u003e{\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e            \u003cspan class=\"k\"\u003econst\u003c/span\u003e \u003cspan class=\"kt\"\u003echar\u003c/span\u003e \u003cspan class=\"o\"\u003e*\u003c/span\u003e\u003cspan class=\"n\"\u003efwd\u003c/span\u003e \u003cspan class=\"o\"\u003e=\u003c/span\u003e \u003cspan class=\"p\"\u003e(\u003c/span\u003e\u003cspan class=\"k\"\u003econst\u003c/span\u003e \u003cspan class=\"kt\"\u003echar\u003c/span\u003e \u003cspan class=\"o\"\u003e*\u003c/span\u003e\u003cspan class=\"p\"\u003e)(\u003c/span\u003e\u003cspan class=\"n\"\u003ebase\u003c/span\u003e \u003cspan class=\"o\"\u003e+\u003c/span\u003e \u003cspan class=\"n\"\u003efuncRva\u003c/span\u003e\u003cspan class=\"p\"\u003e);\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e            \u003cspan class=\"k\"\u003econst\u003c/span\u003e \u003cspan class=\"kt\"\u003echar\u003c/span\u003e \u003cspan class=\"o\"\u003e*\u003c/span\u003e\u003cspan class=\"n\"\u003edot\u003c/span\u003e \u003cspan class=\"o\"\u003e=\u003c/span\u003e \u003cspan class=\"n\"\u003efwd\u003c/span\u003e\u003cspan class=\"p\"\u003e;\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e            \u003cspan class=\"k\"\u003ewhile\u003c/span\u003e \u003cspan class=\"p\"\u003e(\u003c/span\u003e\u003cspan class=\"o\"\u003e*\u003c/span\u003e\u003cspan class=\"n\"\u003edot\u003c/span\u003e \u003cspan 
class=\"o\"\u003e\u0026amp;\u0026amp;\u003c/span\u003e \u003cspan class=\"o\"\u003e*\u003c/span\u003e\u003cspan class=\"n\"\u003edot\u003c/span\u003e \u003cspan class=\"o\"\u003e!=\u003c/span\u003e \u003cspan class=\"sc\"\u003e\u0026#39;.\u0026#39;\u003c/span\u003e\u003cspan class=\"p\"\u003e)\u003c/span\u003e \u003cspan class=\"n\"\u003edot\u003c/span\u003e\u003cspan class=\"o\"\u003e++\u003c/span\u003e\u003cspan class=\"p\"\u003e;\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e            \u003cspan class=\"k\"\u003eif\u003c/span\u003e \u003cspan class=\"p\"\u003e(\u003c/span\u003e\u003cspan class=\"o\"\u003e*\u003c/span\u003e\u003cspan class=\"n\"\u003edot\u003c/span\u003e \u003cspan class=\"o\"\u003e!=\u003c/span\u003e \u003cspan class=\"sc\"\u003e\u0026#39;.\u0026#39;\u003c/span\u003e\u003cspan class=\"p\"\u003e)\u003c/span\u003e \u003cspan class=\"k\"\u003ereturn\u003c/span\u003e \u003cspan class=\"nb\"\u003eNULL\u003c/span\u003e\u003cspan class=\"p\"\u003e;\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e            \u003cspan class=\"kt\"\u003echar\u003c/span\u003e \u003cspan class=\"n\"\u003edllName\u003c/span\u003e\u003cspan class=\"p\"\u003e[\u003c/span\u003e\u003cspan class=\"mi\"\u003e64\u003c/span\u003e\u003cspan class=\"p\"\u003e];\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e            \u003cspan class=\"kt\"\u003esize_t\u003c/span\u003e \u003cspan class=\"n\"\u003en\u003c/span\u003e \u003cspan class=\"o\"\u003e=\u003c/span\u003e \u003cspan class=\"p\"\u003e(\u003c/span\u003e\u003cspan class=\"kt\"\u003esize_t\u003c/span\u003e\u003cspan class=\"p\"\u003e)(\u003c/span\u003e\u003cspan class=\"n\"\u003edot\u003c/span\u003e \u003cspan 
class=\"o\"\u003e-\u003c/span\u003e \u003cspan class=\"n\"\u003efwd\u003c/span\u003e\u003cspan class=\"p\"\u003e);\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e            \u003cspan class=\"k\"\u003eif\u003c/span\u003e \u003cspan class=\"p\"\u003e(\u003c/span\u003e\u003cspan class=\"n\"\u003en\u003c/span\u003e \u003cspan class=\"o\"\u003e+\u003c/span\u003e \u003cspan class=\"mi\"\u003e5\u003c/span\u003e \u003cspan class=\"o\"\u003e\u0026gt;\u003c/span\u003e \u003cspan class=\"k\"\u003esizeof\u003c/span\u003e\u003cspan class=\"p\"\u003e(\u003c/span\u003e\u003cspan class=\"n\"\u003edllName\u003c/span\u003e\u003cspan class=\"p\"\u003e))\u003c/span\u003e \u003cspan class=\"k\"\u003ereturn\u003c/span\u003e \u003cspan class=\"nb\"\u003eNULL\u003c/span\u003e\u003cspan class=\"p\"\u003e;\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e            \u003cspan class=\"k\"\u003efor\u003c/span\u003e \u003cspan class=\"p\"\u003e(\u003c/span\u003e\u003cspan class=\"kt\"\u003esize_t\u003c/span\u003e \u003cspan class=\"n\"\u003ek\u003c/span\u003e \u003cspan class=\"o\"\u003e=\u003c/span\u003e \u003cspan class=\"mi\"\u003e0\u003c/span\u003e\u003cspan class=\"p\"\u003e;\u003c/span\u003e \u003cspan class=\"n\"\u003ek\u003c/span\u003e \u003cspan class=\"o\"\u003e\u0026lt;\u003c/span\u003e \u003cspan class=\"n\"\u003en\u003c/span\u003e\u003cspan class=\"p\"\u003e;\u003c/span\u003e \u003cspan class=\"n\"\u003ek\u003c/span\u003e\u003cspan class=\"o\"\u003e++\u003c/span\u003e\u003cspan class=\"p\"\u003e)\u003c/span\u003e \u003cspan class=\"n\"\u003edllName\u003c/span\u003e\u003cspan class=\"p\"\u003e[\u003c/span\u003e\u003cspan class=\"n\"\u003ek\u003c/span\u003e\u003cspan class=\"p\"\u003e]\u003c/span\u003e \u003cspan class=\"o\"\u003e=\u003c/span\u003e \u003cspan class=\"n\"\u003efwd\u003c/span\u003e\u003cspan class=\"p\"\u003e[\u003c/span\u003e\u003cspan 
class=\"n\"\u003ek\u003c/span\u003e\u003cspan class=\"p\"\u003e];\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e            \u003cspan class=\"n\"\u003edllName\u003c/span\u003e\u003cspan class=\"p\"\u003e[\u003c/span\u003e\u003cspan class=\"n\"\u003en\u003c/span\u003e\u003cspan class=\"o\"\u003e+\u003c/span\u003e\u003cspan class=\"mi\"\u003e0\u003c/span\u003e\u003cspan class=\"p\"\u003e]\u003c/span\u003e \u003cspan class=\"o\"\u003e=\u003c/span\u003e \u003cspan class=\"sc\"\u003e\u0026#39;.\u0026#39;\u003c/span\u003e\u003cspan class=\"p\"\u003e;\u003c/span\u003e \u003cspan class=\"n\"\u003edllName\u003c/span\u003e\u003cspan class=\"p\"\u003e[\u003c/span\u003e\u003cspan class=\"n\"\u003en\u003c/span\u003e\u003cspan class=\"o\"\u003e+\u003c/span\u003e\u003cspan class=\"mi\"\u003e1\u003c/span\u003e\u003cspan class=\"p\"\u003e]\u003c/span\u003e \u003cspan class=\"o\"\u003e=\u003c/span\u003e \u003cspan class=\"sc\"\u003e\u0026#39;d\u0026#39;\u003c/span\u003e\u003cspan class=\"p\"\u003e;\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e            \u003cspan class=\"n\"\u003edllName\u003c/span\u003e\u003cspan class=\"p\"\u003e[\u003c/span\u003e\u003cspan class=\"n\"\u003en\u003c/span\u003e\u003cspan class=\"o\"\u003e+\u003c/span\u003e\u003cspan class=\"mi\"\u003e2\u003c/span\u003e\u003cspan class=\"p\"\u003e]\u003c/span\u003e \u003cspan class=\"o\"\u003e=\u003c/span\u003e \u003cspan class=\"sc\"\u003e\u0026#39;l\u0026#39;\u003c/span\u003e\u003cspan class=\"p\"\u003e;\u003c/span\u003e \u003cspan class=\"n\"\u003edllName\u003c/span\u003e\u003cspan class=\"p\"\u003e[\u003c/span\u003e\u003cspan class=\"n\"\u003en\u003c/span\u003e\u003cspan class=\"o\"\u003e+\u003c/span\u003e\u003cspan class=\"mi\"\u003e3\u003c/span\u003e\u003cspan class=\"p\"\u003e]\u003c/span\u003e \u003cspan class=\"o\"\u003e=\u003c/span\u003e \u003cspan 
class=\"sc\"\u003e\u0026#39;l\u0026#39;\u003c/span\u003e\u003cspan class=\"p\"\u003e;\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e            \u003cspan class=\"n\"\u003edllName\u003c/span\u003e\u003cspan class=\"p\"\u003e[\u003c/span\u003e\u003cspan class=\"n\"\u003en\u003c/span\u003e\u003cspan class=\"o\"\u003e+\u003c/span\u003e\u003cspan class=\"mi\"\u003e4\u003c/span\u003e\u003cspan class=\"p\"\u003e]\u003c/span\u003e \u003cspan class=\"o\"\u003e=\u003c/span\u003e \u003cspan class=\"mi\"\u003e0\u003c/span\u003e\u003cspan class=\"p\"\u003e;\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e            \u003cspan class=\"n\"\u003eHMODULE\u003c/span\u003e \u003cspan class=\"n\"\u003ehNext\u003c/span\u003e \u003cspan class=\"o\"\u003e=\u003c/span\u003e \u003cspan class=\"nf\"\u003eGetModuleHandleA\u003c/span\u003e\u003cspan class=\"p\"\u003e(\u003c/span\u003e\u003cspan class=\"n\"\u003edllName\u003c/span\u003e\u003cspan class=\"p\"\u003e);\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e            \u003cspan class=\"k\"\u003eif\u003c/span\u003e \u003cspan class=\"p\"\u003e(\u003c/span\u003e\u003cspan class=\"o\"\u003e!\u003c/span\u003e\u003cspan class=\"n\"\u003ehNext\u003c/span\u003e\u003cspan class=\"p\"\u003e)\u003c/span\u003e \u003cspan class=\"n\"\u003ehNext\u003c/span\u003e \u003cspan class=\"o\"\u003e=\u003c/span\u003e \u003cspan class=\"nf\"\u003eLoadLibraryA\u003c/span\u003e\u003cspan class=\"p\"\u003e(\u003c/span\u003e\u003cspan class=\"n\"\u003edllName\u003c/span\u003e\u003cspan class=\"p\"\u003e);\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e            \u003cspan class=\"k\"\u003eif\u003c/span\u003e 
\u003cspan class=\"p\"\u003e(\u003c/span\u003e\u003cspan class=\"o\"\u003e!\u003c/span\u003e\u003cspan class=\"n\"\u003ehNext\u003c/span\u003e\u003cspan class=\"p\"\u003e)\u003c/span\u003e \u003cspan class=\"k\"\u003ereturn\u003c/span\u003e \u003cspan class=\"nb\"\u003eNULL\u003c/span\u003e\u003cspan class=\"p\"\u003e;\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e            \u003cspan class=\"k\"\u003ereturn\u003c/span\u003e \u003cspan class=\"nf\"\u003eResolveByHash\u003c/span\u003e\u003cspan class=\"p\"\u003e(\u003c/span\u003e\u003cspan class=\"n\"\u003ehNext\u003c/span\u003e\u003cspan class=\"p\"\u003e,\u003c/span\u003e \u003cspan class=\"nf\"\u003eRor13Hash\u003c/span\u003e\u003cspan class=\"p\"\u003e(\u003c/span\u003e\u003cspan class=\"n\"\u003edot\u003c/span\u003e \u003cspan class=\"o\"\u003e+\u003c/span\u003e \u003cspan class=\"mi\"\u003e1\u003c/span\u003e\u003cspan class=\"p\"\u003e));\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e        \u003cspan class=\"p\"\u003e}\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e        \u003cspan class=\"k\"\u003ereturn\u003c/span\u003e \u003cspan class=\"p\"\u003e(\u003c/span\u003e\u003cspan class=\"n\"\u003eFARPROC\u003c/span\u003e\u003cspan class=\"p\"\u003e)(\u003c/span\u003e\u003cspan class=\"n\"\u003ebase\u003c/span\u003e \u003cspan class=\"o\"\u003e+\u003c/span\u003e \u003cspan class=\"n\"\u003efuncRva\u003c/span\u003e\u003cspan class=\"p\"\u003e);\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e    \u003cspan 
class=\"p\"\u003e}\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e    \u003cspan class=\"k\"\u003ereturn\u003c/span\u003e \u003cspan class=\"nb\"\u003eNULL\u003c/span\u003e\u003cspan class=\"p\"\u003e;\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"p\"\u003e}\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"kt\"\u003eint\u003c/span\u003e \u003cspan class=\"nf\"\u003emain\u003c/span\u003e\u003cspan class=\"p\"\u003e(\u003c/span\u003e\u003cspan class=\"kt\"\u003evoid\u003c/span\u003e\u003cspan class=\"p\"\u003e)\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"p\"\u003e{\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e    \u003cspan class=\"n\"\u003eHMODULE\u003c/span\u003e \u003cspan class=\"n\"\u003ehK32\u003c/span\u003e\u003cspan class=\"p\"\u003e;\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e    \u003cspan class=\"n\"\u003epfnAddVectoredExceptionHandler\u003c/span\u003e \u003cspan class=\"n\"\u003epAddVEH\u003c/span\u003e\u003cspan class=\"p\"\u003e;\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e    \u003cspan class=\"n\"\u003ePVOID\u003c/span\u003e \u003cspan class=\"n\"\u003ehVEH\u003c/span\u003e\u003cspan class=\"p\"\u003e;\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e    \u003cspan 
class=\"n\"\u003ehK32\u003c/span\u003e \u003cspan class=\"o\"\u003e=\u003c/span\u003e \u003cspan class=\"nf\"\u003eGetModuleHandleA\u003c/span\u003e\u003cspan class=\"p\"\u003e(\u003c/span\u003e\u003cspan class=\"s\"\u003e\u0026#34;kernel32.dll\u0026#34;\u003c/span\u003e\u003cspan class=\"p\"\u003e);\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e    \u003cspan class=\"k\"\u003eif\u003c/span\u003e \u003cspan class=\"p\"\u003e(\u003c/span\u003e\u003cspan class=\"o\"\u003e!\u003c/span\u003e\u003cspan class=\"n\"\u003ehK32\u003c/span\u003e\u003cspan class=\"p\"\u003e)\u003c/span\u003e \u003cspan class=\"p\"\u003e{\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e        \u003cspan class=\"nf\"\u003efprintf\u003c/span\u003e\u003cspan class=\"p\"\u003e(\u003c/span\u003e\u003cspan class=\"n\"\u003estderr\u003c/span\u003e\u003cspan class=\"p\"\u003e,\u003c/span\u003e \u003cspan class=\"s\"\u003e\u0026#34;[-] GetModuleHandleA failed (%lu)\u003c/span\u003e\u003cspan class=\"se\"\u003e\\n\u003c/span\u003e\u003cspan class=\"s\"\u003e\u0026#34;\u003c/span\u003e\u003cspan class=\"p\"\u003e,\u003c/span\u003e \u003cspan class=\"nf\"\u003eGetLastError\u003c/span\u003e\u003cspan class=\"p\"\u003e());\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e        \u003cspan class=\"k\"\u003ereturn\u003c/span\u003e \u003cspan class=\"mi\"\u003e1\u003c/span\u003e\u003cspan class=\"p\"\u003e;\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e    \u003cspan class=\"p\"\u003e}\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e    \u003cspan class=\"n\"\u003epAddVEH\u003c/span\u003e 
\u003cspan class=\"o\"\u003e=\u003c/span\u003e \u003cspan class=\"p\"\u003e(\u003c/span\u003e\u003cspan class=\"n\"\u003epfnAddVectoredExceptionHandler\u003c/span\u003e\u003cspan class=\"p\"\u003e)\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e        \u003cspan class=\"nf\"\u003eResolveByHash\u003c/span\u003e\u003cspan class=\"p\"\u003e(\u003c/span\u003e\u003cspan class=\"n\"\u003ehK32\u003c/span\u003e\u003cspan class=\"p\"\u003e,\u003c/span\u003e \u003cspan class=\"n\"\u003eHASH_ADDVECTOREDEXCEPTIONHANDLER\u003c/span\u003e\u003cspan class=\"p\"\u003e);\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e    \u003cspan class=\"k\"\u003eif\u003c/span\u003e \u003cspan class=\"p\"\u003e(\u003c/span\u003e\u003cspan class=\"o\"\u003e!\u003c/span\u003e\u003cspan class=\"n\"\u003epAddVEH\u003c/span\u003e\u003cspan class=\"p\"\u003e)\u003c/span\u003e \u003cspan class=\"p\"\u003e{\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e        \u003cspan class=\"nf\"\u003efprintf\u003c/span\u003e\u003cspan class=\"p\"\u003e(\u003c/span\u003e\u003cspan class=\"n\"\u003estderr\u003c/span\u003e\u003cspan class=\"p\"\u003e,\u003c/span\u003e \u003cspan class=\"s\"\u003e\u0026#34;[-] hash resolution failed\u003c/span\u003e\u003cspan class=\"se\"\u003e\\n\u003c/span\u003e\u003cspan class=\"s\"\u003e\u0026#34;\u003c/span\u003e\u003cspan class=\"p\"\u003e);\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e        \u003cspan class=\"k\"\u003ereturn\u003c/span\u003e \u003cspan class=\"mi\"\u003e1\u003c/span\u003e\u003cspan class=\"p\"\u003e;\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e    \u003cspan 
class=\"p\"\u003e}\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e    \u003cspan class=\"nf\"\u003eprintf\u003c/span\u003e\u003cspan class=\"p\"\u003e(\u003c/span\u003e\u003cspan class=\"s\"\u003e\u0026#34;[+] AddVectoredExceptionHandler resolved at %p\u003c/span\u003e\u003cspan class=\"se\"\u003e\\n\u003c/span\u003e\u003cspan class=\"s\"\u003e\u0026#34;\u003c/span\u003e\u003cspan class=\"p\"\u003e,\u003c/span\u003e \u003cspan class=\"p\"\u003e(\u003c/span\u003e\u003cspan class=\"kt\"\u003evoid\u003c/span\u003e\u003cspan class=\"o\"\u003e*\u003c/span\u003e\u003cspan class=\"p\"\u003e)\u003c/span\u003e\u003cspan class=\"n\"\u003epAddVEH\u003c/span\u003e\u003cspan class=\"p\"\u003e);\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e    \u003cspan class=\"n\"\u003ehVEH\u003c/span\u003e \u003cspan class=\"o\"\u003e=\u003c/span\u003e \u003cspan class=\"nf\"\u003epAddVEH\u003c/span\u003e\u003cspan class=\"p\"\u003e(\u003c/span\u003e\u003cspan class=\"mi\"\u003e1\u003c/span\u003e\u003cspan class=\"p\"\u003e,\u003c/span\u003e \u003cspan class=\"n\"\u003eMyVectoredHandler\u003c/span\u003e\u003cspan class=\"p\"\u003e);\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e    \u003cspan class=\"k\"\u003eif\u003c/span\u003e \u003cspan class=\"p\"\u003e(\u003c/span\u003e\u003cspan class=\"o\"\u003e!\u003c/span\u003e\u003cspan class=\"n\"\u003ehVEH\u003c/span\u003e\u003cspan class=\"p\"\u003e)\u003c/span\u003e \u003cspan class=\"p\"\u003e{\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e        \u003cspan class=\"nf\"\u003efprintf\u003c/span\u003e\u003cspan class=\"p\"\u003e(\u003c/span\u003e\u003cspan 
class=\"n\"\u003estderr\u003c/span\u003e\u003cspan class=\"p\"\u003e,\u003c/span\u003e \u003cspan class=\"s\"\u003e\u0026#34;[-] AddVectoredExceptionHandler returned NULL\u003c/span\u003e\u003cspan class=\"se\"\u003e\\n\u003c/span\u003e\u003cspan class=\"s\"\u003e\u0026#34;\u003c/span\u003e\u003cspan class=\"p\"\u003e);\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e        \u003cspan class=\"k\"\u003ereturn\u003c/span\u003e \u003cspan class=\"mi\"\u003e1\u003c/span\u003e\u003cspan class=\"p\"\u003e;\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e    \u003cspan class=\"p\"\u003e}\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e    \u003cspan class=\"nf\"\u003eprintf\u003c/span\u003e\u003cspan class=\"p\"\u003e(\u003c/span\u003e\u003cspan class=\"s\"\u003e\u0026#34;[+] VEH installed at handle %p. Triggering int3...\u003c/span\u003e\u003cspan class=\"se\"\u003e\\n\u003c/span\u003e\u003cspan class=\"s\"\u003e\u0026#34;\u003c/span\u003e\u003cspan class=\"p\"\u003e,\u003c/span\u003e \u003cspan class=\"n\"\u003ehVEH\u003c/span\u003e\u003cspan class=\"p\"\u003e);\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e    \u003cspan class=\"nf\"\u003e__debugbreak\u003c/span\u003e\u003cspan class=\"p\"\u003e();\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e    \u003cspan class=\"nf\"\u003eprintf\u003c/span\u003e\u003cspan class=\"p\"\u003e(\u003c/span\u003e\u003cspan class=\"s\"\u003e\u0026#34;[+] Survived. 
NtGlobalFlag check did not trip.\u003c/span\u003e\u003cspan class=\"se\"\u003e\\n\u003c/span\u003e\u003cspan class=\"s\"\u003e\u0026#34;\u003c/span\u003e\u003cspan class=\"p\"\u003e);\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e    \u003cspan class=\"k\"\u003ereturn\u003c/span\u003e \u003cspan class=\"mi\"\u003e0\u003c/span\u003e\u003cspan class=\"p\"\u003e;\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"p\"\u003e}\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e\u003cdiv class=\"src-block-caption\"\u003e\n  \u003cspan class=\"src-block-number\"\u003eCode Snippet 3:\u003c/span\u003e\n  PoC implementing an exception handler that hijacks the standard execution flow when the process runs under a debugger\n\u003c/div\u003e\n\n\n\n\u003cfigure\u003e\n    \n        \u003cimg src=\"/ox-hugo/exec_poc.png\" alt=\"Figure 9: Output of two executions: one nominal, and one under a debugger, which triggers ExitProcess(0xDEAD)\"/\u003e \u003cfigcaption\u003e\n                \u003cp\u003e\n                    \u003cspan class=\"figure-number\"\u003eFigure 9: \u003c/span\u003eOutput of two executions: one nominal, and one under a debugger, which triggers ExitProcess(0xDEAD)\n                    \n                        \n                        \u003c/p\u003e\n                \n            \u003c/figcaption\u003e\u003c/figure\u003e\n\n\u003cp\u003eThis is a very simple scenario of how malware could abuse this feature to \u0026ldquo;hijack\u0026rdquo; the execution flow; here the exception is raised with an explicit \u003ccode\u003eint3\u003c/code\u003e.\nBut nothing is really hidden when decompiling the binary, even with dynamic API resolution: an analyst who has resolved the hash will quickly\ncatch what to analyse. 
So, from an attacker's point of view, how could this simple scenario be improved?\u003c/p\u003e\n\n\u003ch3 id=\"veh-a-failed-way-to-arithmetic-as-a-smokescreen\"\u003eVEH / A failed way to \u0026ldquo;Arithmetic as a smokescreen\u0026rdquo;\u0026nbsp;\u003ca class=\"headline-hash no-text-decoration\" href=\"#veh-a-failed-way-to-arithmetic-as-a-smokescreen\"\u003e#\u003c/a\u003e\u003c/h3\u003e\n\n\n\u003cp\u003eThe first idea is to change the code that raises the exception: instead of an \u003ccode\u003eint3\u003c/code\u003e, why not trigger an \u003ccode\u003eACCESS_VIOLATION\u003c/code\u003e based on a simple arithmetic calculation.\u003c/p\u003e\n\u003cp\u003eHere, for instance, we can add an inline ASM block that triggers an \u003ccode\u003eACCESS_VIOLATION\u003c/code\u003e by computing, via bitwise arithmetic, a zero that is then used as an address:\u003c/p\u003e\n\u003cdiv class=\"highlight\"\u003e\u003cpre tabindex=\"0\" class=\"chroma\"\u003e\u003ccode class=\"language-ASM\" data-lang=\"ASM\"\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"nf\"\u003emov\u003c/span\u003e \u003cspan class=\"no\"\u003erbx\u003c/span\u003e\u003cspan class=\"p\"\u003e,\u003c/span\u003e \u003cspan class=\"mi\"\u003e0xdeadbeef\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"nf\"\u003emov\u003c/span\u003e \u003cspan class=\"no\"\u003ercx\u003c/span\u003e\u003cspan class=\"p\"\u003e,\u003c/span\u003e \u003cspan class=\"mi\"\u003e0xd2acc002\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"nf\"\u003eadd\u003c/span\u003e \u003cspan class=\"no\"\u003ercx\u003c/span\u003e\u003cspan class=\"p\"\u003e,\u003c/span\u003e \u003cspan class=\"mi\"\u003e0xc00feed\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan 
class=\"nf\"\u003exor\u003c/span\u003e \u003cspan class=\"no\"\u003erbx\u003c/span\u003e\u003cspan class=\"p\"\u003e,\u003c/span\u003e \u003cspan class=\"no\"\u003ercx\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"nf\"\u003emov\u003c/span\u003e \u003cspan class=\"p\"\u003e[\u003c/span\u003e\u003cspan class=\"no\"\u003erbx\u003c/span\u003e\u003cspan class=\"p\"\u003e],\u003c/span\u003e \u003cspan class=\"no\"\u003ercx\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e\u003cp\u003eThis result in the register \u003ccode\u003erbx\u003c/code\u003e being set to 0, that could read in C as \u003ccode\u003eint *ptr = NULL; *ptr = 0xdeadbeef;\u003c/code\u003e\u003c/p\u003e\n\u003cdiv class=\"highlight\"\u003e\u003cpre tabindex=\"0\" class=\"chroma\"\u003e\u003ccode class=\"language-c\" data-lang=\"c\"\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"cp\"\u003e#include\u003c/span\u003e \u003cspan class=\"cpf\"\u003e\u0026lt;windows.h\u0026gt;\u003c/span\u003e\u003cspan class=\"cp\"\u003e\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"cp\"\u003e#include\u003c/span\u003e \u003cspan class=\"cpf\"\u003e\u0026lt;stdio.h\u0026gt;\u003c/span\u003e\u003cspan class=\"cp\"\u003e\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"cp\"\u003e\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"cp\"\u003e#define FLG_HEAP_ENABLE_TAIL_CHECK    0x10\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"cp\"\u003e#define FLG_HEAP_ENABLE_FREE_CHECK    
0x20\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"cp\"\u003e#define FLG_HEAP_VALIDATE_PARAMETERS  0x40\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"cp\"\u003e#define NT_GLOBAL_FLAG_DBG_MASK (FLG_HEAP_ENABLE_TAIL_CHECK | FLG_HEAP_ENABLE_FREE_CHECK | FLG_HEAP_VALIDATE_PARAMETERS)\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"cp\"\u003e\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"k\"\u003estatic\u003c/span\u003e \u003cspan class=\"n\"\u003eULONG\u003c/span\u003e \u003cspan class=\"nf\"\u003eGetNtGlobalFlag\u003c/span\u003e\u003cspan class=\"p\"\u003e(\u003c/span\u003e\u003cspan class=\"kt\"\u003evoid\u003c/span\u003e\u003cspan class=\"p\"\u003e)\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"p\"\u003e{\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"cp\"\u003e#ifdef _WIN64\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"cp\"\u003e\u003c/span\u003e    \u003cspan class=\"n\"\u003ePBYTE\u003c/span\u003e \u003cspan class=\"n\"\u003epeb\u003c/span\u003e \u003cspan class=\"o\"\u003e=\u003c/span\u003e \u003cspan class=\"p\"\u003e(\u003c/span\u003e\u003cspan class=\"n\"\u003ePBYTE\u003c/span\u003e\u003cspan class=\"p\"\u003e)\u003c/span\u003e\u003cspan class=\"nf\"\u003e__readgsqword\u003c/span\u003e\u003cspan class=\"p\"\u003e(\u003c/span\u003e\u003cspan 
class=\"mh\"\u003e0x60\u003c/span\u003e\u003cspan class=\"p\"\u003e);\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e    \u003cspan class=\"k\"\u003ereturn\u003c/span\u003e \u003cspan class=\"o\"\u003e*\u003c/span\u003e\u003cspan class=\"p\"\u003e(\u003c/span\u003e\u003cspan class=\"k\"\u003evolatile\u003c/span\u003e \u003cspan class=\"n\"\u003eULONG\u003c/span\u003e \u003cspan class=\"o\"\u003e*\u003c/span\u003e\u003cspan class=\"p\"\u003e)(\u003c/span\u003e\u003cspan class=\"n\"\u003epeb\u003c/span\u003e \u003cspan class=\"o\"\u003e+\u003c/span\u003e \u003cspan class=\"mh\"\u003e0xBC\u003c/span\u003e\u003cspan class=\"p\"\u003e);\u003c/span\u003e \u003cspan class=\"c1\"\u003e// NtGlobalFlag in x64\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"c1\"\u003e\u003c/span\u003e\u003cspan class=\"cp\"\u003e#else\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"cp\"\u003e\u003c/span\u003e    \u003cspan class=\"n\"\u003ePBYTE\u003c/span\u003e \u003cspan class=\"n\"\u003epeb\u003c/span\u003e \u003cspan class=\"o\"\u003e=\u003c/span\u003e \u003cspan class=\"p\"\u003e(\u003c/span\u003e\u003cspan class=\"n\"\u003ePBYTE\u003c/span\u003e\u003cspan class=\"p\"\u003e)\u003c/span\u003e\u003cspan class=\"nf\"\u003e__readfsdword\u003c/span\u003e\u003cspan class=\"p\"\u003e(\u003c/span\u003e\u003cspan class=\"mh\"\u003e0x30\u003c/span\u003e\u003cspan class=\"p\"\u003e);\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e    \u003cspan class=\"k\"\u003ereturn\u003c/span\u003e \u003cspan class=\"o\"\u003e*\u003c/span\u003e\u003cspan class=\"p\"\u003e(\u003c/span\u003e\u003cspan class=\"k\"\u003evolatile\u003c/span\u003e \u003cspan class=\"n\"\u003eULONG\u003c/span\u003e \u003cspan 
class=\"o\"\u003e*\u003c/span\u003e\u003cspan class=\"p\"\u003e)(\u003c/span\u003e\u003cspan class=\"n\"\u003epeb\u003c/span\u003e \u003cspan class=\"o\"\u003e+\u003c/span\u003e \u003cspan class=\"mh\"\u003e0x68\u003c/span\u003e\u003cspan class=\"p\"\u003e);\u003c/span\u003e \u003cspan class=\"c1\"\u003e// NtGlobalFlag in x86\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"c1\"\u003e\u003c/span\u003e\u003cspan class=\"cp\"\u003e#endif\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"cp\"\u003e\u003c/span\u003e\u003cspan class=\"p\"\u003e}\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"cm\"\u003e/* ---------- The vectored handler --------------------------------------- */\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"k\"\u003estatic\u003c/span\u003e \u003cspan class=\"n\"\u003eLONG\u003c/span\u003e \u003cspan class=\"n\"\u003eWINAPI\u003c/span\u003e \u003cspan class=\"nf\"\u003eMyVectoredHandler\u003c/span\u003e\u003cspan class=\"p\"\u003e(\u003c/span\u003e\u003cspan class=\"n\"\u003ePEXCEPTION_POINTERS\u003c/span\u003e \u003cspan class=\"n\"\u003eep\u003c/span\u003e\u003cspan class=\"p\"\u003e)\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"p\"\u003e{\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e    \u003cspan class=\"k\"\u003eif\u003c/span\u003e \u003cspan class=\"p\"\u003e(\u003c/span\u003e\u003cspan class=\"n\"\u003eep\u003c/span\u003e\u003cspan 
class=\"o\"\u003e-\u0026gt;\u003c/span\u003e\u003cspan class=\"n\"\u003eExceptionRecord\u003c/span\u003e\u003cspan class=\"o\"\u003e-\u0026gt;\u003c/span\u003e\u003cspan class=\"n\"\u003eExceptionCode\u003c/span\u003e \u003cspan class=\"o\"\u003e!=\u003c/span\u003e \u003cspan class=\"n\"\u003eEXCEPTION_ACCESS_VIOLATION\u003c/span\u003e\u003cspan class=\"p\"\u003e)\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e        \u003cspan class=\"k\"\u003ereturn\u003c/span\u003e \u003cspan class=\"n\"\u003eEXCEPTION_CONTINUE_SEARCH\u003c/span\u003e\u003cspan class=\"p\"\u003e;\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e    \u003cspan class=\"k\"\u003eif\u003c/span\u003e \u003cspan class=\"p\"\u003e(\u003c/span\u003e\u003cspan class=\"n\"\u003eep\u003c/span\u003e\u003cspan class=\"o\"\u003e-\u0026gt;\u003c/span\u003e\u003cspan class=\"n\"\u003eExceptionRecord\u003c/span\u003e\u003cspan class=\"o\"\u003e-\u0026gt;\u003c/span\u003e\u003cspan class=\"n\"\u003eExceptionInformation\u003c/span\u003e\u003cspan class=\"p\"\u003e[\u003c/span\u003e\u003cspan class=\"mi\"\u003e1\u003c/span\u003e\u003cspan class=\"p\"\u003e]\u003c/span\u003e \u003cspan class=\"o\"\u003e!=\u003c/span\u003e \u003cspan class=\"mi\"\u003e0\u003c/span\u003e\u003cspan class=\"p\"\u003e)\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e        \u003cspan class=\"k\"\u003ereturn\u003c/span\u003e \u003cspan class=\"n\"\u003eEXCEPTION_CONTINUE_SEARCH\u003c/span\u003e\u003cspan class=\"p\"\u003e;\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e    \u003cspan class=\"n\"\u003eULONG\u003c/span\u003e \u003cspan class=\"n\"\u003eflag\u003c/span\u003e \u003cspan 
class=\"o\"\u003e=\u003c/span\u003e \u003cspan class=\"nf\"\u003eGetNtGlobalFlag\u003c/span\u003e\u003cspan class=\"p\"\u003e();\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e    \u003cspan class=\"nf\"\u003eprintf\u003c/span\u003e\u003cspan class=\"p\"\u003e(\u003c/span\u003e\u003cspan class=\"s\"\u003e\u0026#34;[VEH] hit. NtGlobalFlag = 0x%lx\u003c/span\u003e\u003cspan class=\"se\"\u003e\\n\u003c/span\u003e\u003cspan class=\"s\"\u003e\u0026#34;\u003c/span\u003e\u003cspan class=\"p\"\u003e,\u003c/span\u003e \u003cspan class=\"n\"\u003eflag\u003c/span\u003e\u003cspan class=\"p\"\u003e);\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e    \u003cspan class=\"k\"\u003eif\u003c/span\u003e \u003cspan class=\"p\"\u003e((\u003c/span\u003e\u003cspan class=\"n\"\u003eflag\u003c/span\u003e \u003cspan class=\"o\"\u003e\u0026amp;\u003c/span\u003e \u003cspan class=\"n\"\u003eNT_GLOBAL_FLAG_DBG_MASK\u003c/span\u003e\u003cspan class=\"p\"\u003e)\u003c/span\u003e \u003cspan class=\"o\"\u003e==\u003c/span\u003e \u003cspan class=\"n\"\u003eNT_GLOBAL_FLAG_DBG_MASK\u003c/span\u003e\u003cspan class=\"p\"\u003e)\u003c/span\u003e \u003cspan class=\"p\"\u003e{\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e        \u003cspan class=\"nf\"\u003eprintf\u003c/span\u003e\u003cspan class=\"p\"\u003e(\u003c/span\u003e\u003cspan class=\"s\"\u003e\u0026#34;[VEH] debugger detected via NtGlobalFlag.\u003c/span\u003e\u003cspan class=\"se\"\u003e\\n\u003c/span\u003e\u003cspan class=\"s\"\u003e\u0026#34;\u003c/span\u003e\u003cspan class=\"p\"\u003e);\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e        \u003cspan 
class=\"nf\"\u003eExitProcess\u003c/span\u003e\u003cspan class=\"p\"\u003e(\u003c/span\u003e\u003cspan class=\"mh\"\u003e0xDEAD\u003c/span\u003e\u003cspan class=\"p\"\u003e);\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e    \u003cspan class=\"p\"\u003e}\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e    \u003cspan class=\"nf\"\u003eprintf\u003c/span\u003e\u003cspan class=\"p\"\u003e(\u003c/span\u003e\u003cspan class=\"s\"\u003e\u0026#34;[VEH] clean. Skipping the faulting store and resuming.\u003c/span\u003e\u003cspan class=\"se\"\u003e\\n\u003c/span\u003e\u003cspan class=\"s\"\u003e\u0026#34;\u003c/span\u003e\u003cspan class=\"p\"\u003e);\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"cp\"\u003e#ifdef _WIN64\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"cp\"\u003e\u003c/span\u003e    \u003cspan class=\"n\"\u003eep\u003c/span\u003e\u003cspan class=\"o\"\u003e-\u0026gt;\u003c/span\u003e\u003cspan class=\"n\"\u003eContextRecord\u003c/span\u003e\u003cspan class=\"o\"\u003e-\u0026gt;\u003c/span\u003e\u003cspan class=\"n\"\u003eRip\u003c/span\u003e \u003cspan class=\"o\"\u003e+=\u003c/span\u003e \u003cspan class=\"mi\"\u003e3\u003c/span\u003e\u003cspan class=\"p\"\u003e;\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"cp\"\u003e#else\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"cp\"\u003e\u003c/span\u003e    \u003cspan 
class=\"n\"\u003eep\u003c/span\u003e\u003cspan class=\"o\"\u003e-\u0026gt;\u003c/span\u003e\u003cspan class=\"n\"\u003eContextRecord\u003c/span\u003e\u003cspan class=\"o\"\u003e-\u0026gt;\u003c/span\u003e\u003cspan class=\"n\"\u003eEip\u003c/span\u003e \u003cspan class=\"o\"\u003e+=\u003c/span\u003e \u003cspan class=\"mi\"\u003e2\u003c/span\u003e\u003cspan class=\"p\"\u003e;\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"cp\"\u003e#endif\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"cp\"\u003e\u003c/span\u003e    \u003cspan class=\"k\"\u003ereturn\u003c/span\u003e \u003cspan class=\"n\"\u003eEXCEPTION_CONTINUE_EXECUTION\u003c/span\u003e\u003cspan class=\"p\"\u003e;\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"p\"\u003e}\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"kt\"\u003eint\u003c/span\u003e \u003cspan class=\"nf\"\u003emain\u003c/span\u003e\u003cspan class=\"p\"\u003e(\u003c/span\u003e\u003cspan class=\"kt\"\u003evoid\u003c/span\u003e\u003cspan class=\"p\"\u003e)\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"p\"\u003e{\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e    \u003cspan class=\"n\"\u003ePVOID\u003c/span\u003e \u003cspan class=\"n\"\u003ehVEH\u003c/span\u003e \u003cspan class=\"o\"\u003e=\u003c/span\u003e \u003cspan class=\"nf\"\u003eAddVectoredExceptionHandler\u003c/span\u003e\u003cspan class=\"p\"\u003e(\u003c/span\u003e\u003cspan 
class=\"mi\"\u003e1\u003c/span\u003e\u003cspan class=\"p\"\u003e,\u003c/span\u003e \u003cspan class=\"n\"\u003eMyVectoredHandler\u003c/span\u003e\u003cspan class=\"p\"\u003e);\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e    \u003cspan class=\"k\"\u003eif\u003c/span\u003e \u003cspan class=\"p\"\u003e(\u003c/span\u003e\u003cspan class=\"o\"\u003e!\u003c/span\u003e\u003cspan class=\"n\"\u003ehVEH\u003c/span\u003e\u003cspan class=\"p\"\u003e)\u003c/span\u003e \u003cspan class=\"p\"\u003e{\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e        \u003cspan class=\"nf\"\u003efprintf\u003c/span\u003e\u003cspan class=\"p\"\u003e(\u003c/span\u003e\u003cspan class=\"n\"\u003estderr\u003c/span\u003e\u003cspan class=\"p\"\u003e,\u003c/span\u003e \u003cspan class=\"s\"\u003e\u0026#34;[-] AddVectoredExceptionHandler returned NULL\u003c/span\u003e\u003cspan class=\"se\"\u003e\\n\u003c/span\u003e\u003cspan class=\"s\"\u003e\u0026#34;\u003c/span\u003e\u003cspan class=\"p\"\u003e);\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e        \u003cspan class=\"k\"\u003ereturn\u003c/span\u003e \u003cspan class=\"mi\"\u003e1\u003c/span\u003e\u003cspan class=\"p\"\u003e;\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e    \u003cspan class=\"p\"\u003e}\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e    \u003cspan class=\"nf\"\u003eprintf\u003c/span\u003e\u003cspan class=\"p\"\u003e(\u003c/span\u003e\u003cspan class=\"s\"\u003e\u0026#34;[+] VEH installed at handle %p. 
Triggering AV via arithmetic NULL...\u003c/span\u003e\u003cspan class=\"se\"\u003e\\n\u003c/span\u003e\u003cspan class=\"s\"\u003e\u0026#34;\u003c/span\u003e\u003cspan class=\"p\"\u003e,\u003c/span\u003e \u003cspan class=\"n\"\u003ehVEH\u003c/span\u003e\u003cspan class=\"p\"\u003e);\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e    \u003cspan class=\"cm\"\u003e/* Compute a NULL pointer at runtime via boolean arithmetic,\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"cm\"\u003e     rcx  = 0xd2acc002 + 0x0c00feed = 0xdeadbeef\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"cm\"\u003e     rbx ^= rcx   -\u0026gt; 0xdeadbeef ^ 0xdeadbeef = 0\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"cm\"\u003e     [rbx] = rcx  -\u0026gt; write to address 0 -\u0026gt; EXCEPTION_ACCESS_VIOLATION */\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e    \u003cspan class=\"n\"\u003e__asm__\u003c/span\u003e \u003cspan class=\"k\"\u003evolatile\u003c/span\u003e \u003cspan class=\"p\"\u003e(\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e        \u003cspan class=\"s\"\u003e\u0026#34;.intel_syntax noprefix\u003c/span\u003e\u003cspan class=\"se\"\u003e\\n\\t\u003c/span\u003e\u003cspan class=\"s\"\u003e\u0026#34;\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e        \u003cspan class=\"s\"\u003e\u0026#34;mov rbx, 0xdeadbeef\u003c/span\u003e\u003cspan 
class=\"se\"\u003e\\n\\t\u003c/span\u003e\u003cspan class=\"s\"\u003e\u0026#34;\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e        \u003cspan class=\"s\"\u003e\u0026#34;mov rcx, 0xd2acc002\u003c/span\u003e\u003cspan class=\"se\"\u003e\\n\\t\u003c/span\u003e\u003cspan class=\"s\"\u003e\u0026#34;\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e        \u003cspan class=\"s\"\u003e\u0026#34;add rcx, 0x0c00feed\u003c/span\u003e\u003cspan class=\"se\"\u003e\\n\\t\u003c/span\u003e\u003cspan class=\"s\"\u003e\u0026#34;\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e        \u003cspan class=\"s\"\u003e\u0026#34;xor rbx, rcx\u003c/span\u003e\u003cspan class=\"se\"\u003e\\n\\t\u003c/span\u003e\u003cspan class=\"s\"\u003e\u0026#34;\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e        \u003cspan class=\"s\"\u003e\u0026#34;mov [rbx], rcx\u003c/span\u003e\u003cspan class=\"se\"\u003e\\n\\t\u003c/span\u003e\u003cspan class=\"s\"\u003e\u0026#34;\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e        \u003cspan class=\"s\"\u003e\u0026#34;.att_syntax prefix\u003c/span\u003e\u003cspan class=\"se\"\u003e\\n\\t\u003c/span\u003e\u003cspan class=\"s\"\u003e\u0026#34;\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e        \u003cspan class=\"o\"\u003e:::\u003c/span\u003e \u003cspan class=\"s\"\u003e\u0026#34;rbx\u0026#34;\u003c/span\u003e\u003cspan class=\"p\"\u003e,\u003c/span\u003e \u003cspan class=\"s\"\u003e\u0026#34;rcx\u0026#34;\u003c/span\u003e\u003cspan class=\"p\"\u003e,\u003c/span\u003e \u003cspan 
class=\"s\"\u003e\u0026#34;memory\u0026#34;\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e    \u003cspan class=\"p\"\u003e);\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e    \u003cspan class=\"nf\"\u003eprintf\u003c/span\u003e\u003cspan class=\"p\"\u003e(\u003c/span\u003e\u003cspan class=\"s\"\u003e\u0026#34;[+] Survived. NtGlobalFlag check did not trip.\u003c/span\u003e\u003cspan class=\"se\"\u003e\\n\u003c/span\u003e\u003cspan class=\"s\"\u003e\u0026#34;\u003c/span\u003e\u003cspan class=\"p\"\u003e);\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e    \u003cspan class=\"k\"\u003ereturn\u003c/span\u003e \u003cspan class=\"mi\"\u003e0\u003c/span\u003e\u003cspan class=\"p\"\u003e;\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"p\"\u003e}\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e\u003cdiv class=\"src-block-caption\"\u003e\n  \u003cspan class=\"src-block-number\"\u003eCode Snippet 4:\u003c/span\u003e\n  Source: [veh_arithmetic_access_violationation.c]\n\u003c/div\u003e\n\u003cp\u003e\u003cem\u003ex86_64-w64-mingw32-gcc -Wall -O0 veh_arithmetic_access_violationation.c -o veh.exe\u003c/em\u003e\u003c/p\u003e\n\u003cp\u003eThe disassembly view is what I expected; however, Hex-Rays performs constant propagation across the basic block.\nIt sees five instructions with pure-immediate inputs and no external state, so it folds the whole computation at decompile time.\u003c/p\u003e\n\n\n\n\u003cfigure\u003e\n    \n        \u003cimg src=\"/ox-hugo/veh_arithmetic_clear.png\" alt=\"Figure 10: Disassembly view and decompiled view in 
IDA\"/\u003e \u003cfigcaption\u003e\n                \u003cp\u003e\n                    \u003cspan class=\"figure-number\"\u003eFigure 10: \u003c/span\u003eDisassembly view and decompiled view in IDA\n                    \n                        \n                        \u003c/p\u003e\n                \n            \u003c/figcaption\u003e\u003c/figure\u003e\n\n\u003cp\u003eThis implementation is too transparent: Hex-Rays was able to fold the five constant-driven instructions into a single \u003ccode\u003eMEMORY[0] = 0xdeadbeef\u003c/code\u003e.\u003c/p\u003e\n\n\u003ch3 id=\"veh-sealing-the-fault\"\u003eVEH / Sealing the fault\u0026nbsp;\u003ca class=\"headline-hash no-text-decoration\" href=\"#veh-sealing-the-fault\"\u003e#\u003c/a\u003e\u003c/h3\u003e\n\n\n\u003cp\u003eThis section builds on the previous proof of concept and pushes the obfuscation one step further,\ntargeting the decompiler specifically: constants are hidden behind an opaque wrapper,\nand the handler stops stepping over the fault and starts redirecting execution to an entirely separate function.\u003c/p\u003e\n\u003cp\u003eBasically what I want to test is the following workflow:\u003c/p\u003e\n\u003cdiv class=\"highlight\"\u003e\u003cpre tabindex=\"0\" class=\"chroma\"\u003e\u003ccode class=\"language-c\" data-lang=\"c\"\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"n\"\u003ehVEH\u003c/span\u003e \u003cspan class=\"o\"\u003e=\u003c/span\u003e \u003cspan class=\"nf\"\u003eAddVectoredExceptionHandler\u003c/span\u003e\u003cspan class=\"p\"\u003e(\u003c/span\u003e\u003cspan class=\"mi\"\u003e1\u003c/span\u003e\u003cspan class=\"p\"\u003e,\u003c/span\u003e \u003cspan class=\"n\"\u003eMyVectoredHandler\u003c/span\u003e\u003cspan class=\"p\"\u003e);\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"n\"\u003et\u003c/span\u003e \u003cspan class=\"o\"\u003e=\u003c/span\u003e \u003cspan 
class=\"p\"\u003e(\u003c/span\u003e\u003cspan class=\"kt\"\u003euint64_t\u003c/span\u003e\u003cspan class=\"p\"\u003e)\u003c/span\u003e\u003cspan class=\"n\"\u003ehVEH\u003c/span\u003e\u003cspan class=\"p\"\u003e;\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"n\"\u003eg_mask\u003c/span\u003e \u003cspan class=\"o\"\u003e=\u003c/span\u003e \u003cspan class=\"p\"\u003e(\u003c/span\u003e\u003cspan class=\"n\"\u003et\u003c/span\u003e \u003cspan class=\"o\"\u003e^\u003c/span\u003e \u003cspan class=\"nf\"\u003eOpaque\u003c/span\u003e\u003cspan class=\"p\"\u003e(\u003c/span\u003e\u003cspan class=\"n\"\u003et\u003c/span\u003e\u003cspan class=\"p\"\u003e))\u003c/span\u003e \u003cspan class=\"o\"\u003e+\u003c/span\u003e \u003cspan class=\"nf\"\u003eOpaque\u003c/span\u003e\u003cspan class=\"p\"\u003e(\u003c/span\u003e\u003cspan class=\"mh\"\u003e0xd2acc002\u003c/span\u003e\u003cspan class=\"p\"\u003e)\u003c/span\u003e \u003cspan class=\"o\"\u003e+\u003c/span\u003e \u003cspan class=\"mh\"\u003e0x0c00feed\u003c/span\u003e\u003cspan class=\"p\"\u003e;\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"n\"\u003emask_val\u003c/span\u003e \u003cspan class=\"o\"\u003e=\u003c/span\u003e \u003cspan class=\"n\"\u003eg_mask\u003c/span\u003e\u003cspan class=\"p\"\u003e;\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"kr\"\u003e__asm\u003c/span\u003e \u003cspan class=\"p\"\u003e{\u003c/span\u003e \u003cspan class=\"n\"\u003emov\u003c/span\u003e \u003cspan class=\"n\"\u003ercx\u003c/span\u003e\u003cspan class=\"p\"\u003e,\u003c/span\u003e \u003cspan class=\"mh\"\u003e0xd2acc002\u003c/span\u003e\u003cspan class=\"p\"\u003e;\u003c/span\u003e \u003cspan class=\"n\"\u003eadd\u003c/span\u003e \u003cspan class=\"n\"\u003ercx\u003c/span\u003e\u003cspan 
class=\"p\"\u003e,\u003c/span\u003e \u003cspan class=\"mh\"\u003e0xc00feed\u003c/span\u003e\u003cspan class=\"p\"\u003e;\u003c/span\u003e \u003cspan class=\"n\"\u003exor\u003c/span\u003e \u003cspan class=\"n\"\u003erbx\u003c/span\u003e\u003cspan class=\"p\"\u003e,\u003c/span\u003e \u003cspan class=\"n\"\u003ercx\u003c/span\u003e\u003cspan class=\"p\"\u003e;\u003c/span\u003e \u003cspan class=\"n\"\u003emov\u003c/span\u003e \u003cspan class=\"p\"\u003e[\u003c/span\u003e\u003cspan class=\"n\"\u003erbx\u003c/span\u003e\u003cspan class=\"p\"\u003e],\u003c/span\u003e \u003cspan class=\"n\"\u003ercx\u003c/span\u003e \u003cspan class=\"p\"\u003e}\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"nf\"\u003eprintf\u003c/span\u003e\u003cspan class=\"p\"\u003e(\u003c/span\u003e\u003cspan class=\"s\"\u003e\u0026#34;(decoy) Survived...\u0026#34;\u003c/span\u003e\u003cspan class=\"p\"\u003e);\u003c/span\u003e \u003cspan class=\"c1\"\u003e// I don\u0026#39;t want to see this in the decompiled view\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e\u003cp\u003eThe idea here was to try to make the decompiler less helpful to the analyst,\nboth at the operand level and at the control-flow level.\nI\u0026rsquo;m not sure these are the best techniques, but two small changes were layered onto the previous PoC\nto see if Hex-Rays could still be coaxed away from showing a tidy \u003ccode\u003eMEMORY[0] = 0xdeadbeef\u003c/code\u003e.\u003c/p\u003e\n\u003cp\u003eFirst, the constants feeding the inline asm go through the \u003ca href=\"#org-coderef--cbf663-11\"\u003e\u003ccode\u003eOpaque()\u003c/code\u003e\u003c/a\u003e function, a noinline identity function wrapping a volatile read.\nThe two attributes seem to pull in different directions, and I think that\u0026rsquo;s why it works.\n\u003ccode\u003enoinline\u003c/code\u003e forces the compiler to emit a real call at every call site instead of 
pasting the body inline.\n\u003ccode\u003evolatile\u003c/code\u003e tells it the value inside the function could change between the store and the load\n(in practice it can\u0026rsquo;t, but as far as I understand the standard says the compiler has to assume it might),\nso it can\u0026rsquo;t reason about what comes out.\nTogether you get something close to a sealed black box: the compiler has to make the call,\nand once execution is inside it can\u0026rsquo;t really prove anything about the return value.\u003c/p\u003e\n\u003cp\u003eIn my tests, \u003ccode\u003e0xdeadbeef\u003c/code\u003e no longer shows up as a literal anywhere in the binary;\nit only exists in \u003ccode\u003erbx\u003c/code\u003e at runtime, once the \u003ca href=\"#org-coderef--cbf663-11\"\u003e\u003ccode\u003eOpaque()\u003c/code\u003e\u003c/a\u003e results have been combined with the other static operands.\u003c/p\u003e\n\u003cp\u003eSecond, the handler stops being polite. Instead of just stepping over the faulting instruction,\nit rewrites \u003ca href=\"#org-coderef--cbf663-63\"\u003e\u003ccode\u003eCONTEXT.Rip\u003c/code\u003e\u003c/a\u003e to point at a separate function, named here \u003ca href=\"#org-coderef--cbf663-35\"\u003e\u003ccode\u003eRealNextStage\u003c/code\u003e\u003c/a\u003e, which is where the real \u0026ldquo;work\u0026rdquo; happens.\nFrom what I\u0026rsquo;ve seen, IDA seems to treat an access violation as a dead end, so the decompilation of \u003ccode\u003emain\u003c/code\u003e just stops at the fault.\nThe \u003ca href=\"#org-coderef--cbf663-103\"\u003e\u003ccode\u003eprintf\u003c/code\u003e\u003c/a\u003e sitting right after it looks like reachable code but never actually runs,\nand the code that does run lives in a function with no static reference from \u003ccode\u003emain\u003c/code\u003e at all.\u003c/p\u003e\n\u003cp\u003eAn analyst still has to read the handler, spot the \u003ccode\u003eRip\u003c/code\u003e write, and follow it by hand.\nThat probably isn\u0026rsquo;t a huge obstacle for someone 
experienced, but it does mean \u003ccode\u003emain\u003c/code\u003e\u0026rsquo;s decompilation on its own won\u0026rsquo;t point the way.\u003c/p\u003e\n\u003cdiv class=\"highlight\"\u003e\u003cdiv class=\"chroma\"\u003e\n\u003ctable class=\"lntable\"\u003e\u003ctr\u003e\u003ctd class=\"lntd\"\u003e\n\u003cpre tabindex=\"0\" class=\"chroma\"\u003e\u003ccode\u003e\u003cspan class=\"lnt\" id=\"org-coderef--cbf663-1\"\u003e\u003ca class=\"lnlinks\" href=\"#org-coderef--cbf663-1\"\u003e  1\u003c/a\u003e\n\u003c/span\u003e\u003cspan class=\"lnt\" id=\"org-coderef--cbf663-2\"\u003e\u003ca class=\"lnlinks\" href=\"#org-coderef--cbf663-2\"\u003e  2\u003c/a\u003e\n\u003c/span\u003e\u003cspan class=\"lnt\" id=\"org-coderef--cbf663-3\"\u003e\u003ca class=\"lnlinks\" href=\"#org-coderef--cbf663-3\"\u003e  3\u003c/a\u003e\n\u003c/span\u003e\u003cspan class=\"lnt\" id=\"org-coderef--cbf663-4\"\u003e\u003ca class=\"lnlinks\" href=\"#org-coderef--cbf663-4\"\u003e  4\u003c/a\u003e\n\u003c/span\u003e\u003cspan class=\"lnt\" id=\"org-coderef--cbf663-5\"\u003e\u003ca class=\"lnlinks\" href=\"#org-coderef--cbf663-5\"\u003e  5\u003c/a\u003e\n\u003c/span\u003e\u003cspan class=\"lnt\" id=\"org-coderef--cbf663-6\"\u003e\u003ca class=\"lnlinks\" href=\"#org-coderef--cbf663-6\"\u003e  6\u003c/a\u003e\n\u003c/span\u003e\u003cspan class=\"lnt\" id=\"org-coderef--cbf663-7\"\u003e\u003ca class=\"lnlinks\" href=\"#org-coderef--cbf663-7\"\u003e  7\u003c/a\u003e\n\u003c/span\u003e\u003cspan class=\"lnt\" id=\"org-coderef--cbf663-8\"\u003e\u003ca class=\"lnlinks\" href=\"#org-coderef--cbf663-8\"\u003e  8\u003c/a\u003e\n\u003c/span\u003e\u003cspan class=\"lnt\" id=\"org-coderef--cbf663-9\"\u003e\u003ca class=\"lnlinks\" href=\"#org-coderef--cbf663-9\"\u003e  9\u003c/a\u003e\n\u003c/span\u003e\u003cspan class=\"lnt\" id=\"org-coderef--cbf663-10\"\u003e\u003ca class=\"lnlinks\" href=\"#org-coderef--cbf663-10\"\u003e 10\u003c/a\u003e\n\u003c/span\u003e\u003cspan class=\"hl\"\u003e\u003cspan 
class=\"lnt\" id=\"org-coderef--cbf663-11\"\u003e\u003ca class=\"lnlinks\" href=\"#org-coderef--cbf663-11\"\u003e 11\u003c/a\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"hl\"\u003e\u003cspan class=\"lnt\" id=\"org-coderef--cbf663-12\"\u003e\u003ca class=\"lnlinks\" href=\"#org-coderef--cbf663-12\"\u003e 12\u003c/a\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"hl\"\u003e\u003cspan class=\"lnt\" id=\"org-coderef--cbf663-13\"\u003e\u003ca class=\"lnlinks\" href=\"#org-coderef--cbf663-13\"\u003e 13\u003c/a\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"hl\"\u003e\u003cspan class=\"lnt\" id=\"org-coderef--cbf663-14\"\u003e\u003ca class=\"lnlinks\" href=\"#org-coderef--cbf663-14\"\u003e 14\u003c/a\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"hl\"\u003e\u003cspan class=\"lnt\" id=\"org-coderef--cbf663-15\"\u003e\u003ca class=\"lnlinks\" href=\"#org-coderef--cbf663-15\"\u003e 15\u003c/a\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"lnt\" id=\"org-coderef--cbf663-16\"\u003e\u003ca class=\"lnlinks\" href=\"#org-coderef--cbf663-16\"\u003e 16\u003c/a\u003e\n\u003c/span\u003e\u003cspan class=\"lnt\" id=\"org-coderef--cbf663-17\"\u003e\u003ca class=\"lnlinks\" href=\"#org-coderef--cbf663-17\"\u003e 17\u003c/a\u003e\n\u003c/span\u003e\u003cspan class=\"lnt\" id=\"org-coderef--cbf663-18\"\u003e\u003ca class=\"lnlinks\" href=\"#org-coderef--cbf663-18\"\u003e 18\u003c/a\u003e\n\u003c/span\u003e\u003cspan class=\"lnt\" id=\"org-coderef--cbf663-19\"\u003e\u003ca class=\"lnlinks\" href=\"#org-coderef--cbf663-19\"\u003e 19\u003c/a\u003e\n\u003c/span\u003e\u003cspan class=\"lnt\" id=\"org-coderef--cbf663-20\"\u003e\u003ca class=\"lnlinks\" href=\"#org-coderef--cbf663-20\"\u003e 20\u003c/a\u003e\n\u003c/span\u003e\u003cspan class=\"lnt\" id=\"org-coderef--cbf663-21\"\u003e\u003ca class=\"lnlinks\" href=\"#org-coderef--cbf663-21\"\u003e 21\u003c/a\u003e\n\u003c/span\u003e\u003cspan class=\"lnt\" 
id=\"org-coderef--cbf663-22\"\u003e\u003ca class=\"lnlinks\" href=\"#org-coderef--cbf663-22\"\u003e 22\u003c/a\u003e\n\u003c/span\u003e\u003cspan class=\"lnt\" id=\"org-coderef--cbf663-23\"\u003e\u003ca class=\"lnlinks\" href=\"#org-coderef--cbf663-23\"\u003e 23\u003c/a\u003e\n\u003c/span\u003e\u003cspan class=\"lnt\" id=\"org-coderef--cbf663-24\"\u003e\u003ca class=\"lnlinks\" href=\"#org-coderef--cbf663-24\"\u003e 24\u003c/a\u003e\n\u003c/span\u003e\u003cspan class=\"lnt\" id=\"org-coderef--cbf663-25\"\u003e\u003ca class=\"lnlinks\" href=\"#org-coderef--cbf663-25\"\u003e 25\u003c/a\u003e\n\u003c/span\u003e\u003cspan class=\"lnt\" id=\"org-coderef--cbf663-26\"\u003e\u003ca class=\"lnlinks\" href=\"#org-coderef--cbf663-26\"\u003e 26\u003c/a\u003e\n\u003c/span\u003e\u003cspan class=\"lnt\" id=\"org-coderef--cbf663-27\"\u003e\u003ca class=\"lnlinks\" href=\"#org-coderef--cbf663-27\"\u003e 27\u003c/a\u003e\n\u003c/span\u003e\u003cspan class=\"lnt\" id=\"org-coderef--cbf663-28\"\u003e\u003ca class=\"lnlinks\" href=\"#org-coderef--cbf663-28\"\u003e 28\u003c/a\u003e\n\u003c/span\u003e\u003cspan class=\"lnt\" id=\"org-coderef--cbf663-29\"\u003e\u003ca class=\"lnlinks\" href=\"#org-coderef--cbf663-29\"\u003e 29\u003c/a\u003e\n\u003c/span\u003e\u003cspan class=\"lnt\" id=\"org-coderef--cbf663-30\"\u003e\u003ca class=\"lnlinks\" href=\"#org-coderef--cbf663-30\"\u003e 30\u003c/a\u003e\n\u003c/span\u003e\u003cspan class=\"lnt\" id=\"org-coderef--cbf663-31\"\u003e\u003ca class=\"lnlinks\" href=\"#org-coderef--cbf663-31\"\u003e 31\u003c/a\u003e\n\u003c/span\u003e\u003cspan class=\"lnt\" id=\"org-coderef--cbf663-32\"\u003e\u003ca class=\"lnlinks\" href=\"#org-coderef--cbf663-32\"\u003e 32\u003c/a\u003e\n\u003c/span\u003e\u003cspan class=\"lnt\" id=\"org-coderef--cbf663-33\"\u003e\u003ca class=\"lnlinks\" href=\"#org-coderef--cbf663-33\"\u003e 33\u003c/a\u003e\n\u003c/span\u003e\u003cspan class=\"lnt\" id=\"org-coderef--cbf663-34\"\u003e\u003ca class=\"lnlinks\" 
href=\"#org-coderef--cbf663-34\"\u003e 34\u003c/a\u003e\n\u003c/span\u003e\u003cspan class=\"hl\"\u003e\u003cspan class=\"lnt\" id=\"org-coderef--cbf663-35\"\u003e\u003ca class=\"lnlinks\" href=\"#org-coderef--cbf663-35\"\u003e 35\u003c/a\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"lnt\" id=\"org-coderef--cbf663-36\"\u003e\u003ca class=\"lnlinks\" href=\"#org-coderef--cbf663-36\"\u003e 36\u003c/a\u003e\n\u003c/span\u003e\u003cspan class=\"lnt\" id=\"org-coderef--cbf663-37\"\u003e\u003ca class=\"lnlinks\" href=\"#org-coderef--cbf663-37\"\u003e 37\u003c/a\u003e\n\u003c/span\u003e\u003cspan class=\"lnt\" id=\"org-coderef--cbf663-38\"\u003e\u003ca class=\"lnlinks\" href=\"#org-coderef--cbf663-38\"\u003e 38\u003c/a\u003e\n\u003c/span\u003e\u003cspan class=\"lnt\" id=\"org-coderef--cbf663-39\"\u003e\u003ca class=\"lnlinks\" href=\"#org-coderef--cbf663-39\"\u003e 39\u003c/a\u003e\n\u003c/span\u003e\u003cspan class=\"lnt\" id=\"org-coderef--cbf663-40\"\u003e\u003ca class=\"lnlinks\" href=\"#org-coderef--cbf663-40\"\u003e 40\u003c/a\u003e\n\u003c/span\u003e\u003cspan class=\"lnt\" id=\"org-coderef--cbf663-41\"\u003e\u003ca class=\"lnlinks\" href=\"#org-coderef--cbf663-41\"\u003e 41\u003c/a\u003e\n\u003c/span\u003e\u003cspan class=\"lnt\" id=\"org-coderef--cbf663-42\"\u003e\u003ca class=\"lnlinks\" href=\"#org-coderef--cbf663-42\"\u003e 42\u003c/a\u003e\n\u003c/span\u003e\u003cspan class=\"lnt\" id=\"org-coderef--cbf663-43\"\u003e\u003ca class=\"lnlinks\" href=\"#org-coderef--cbf663-43\"\u003e 43\u003c/a\u003e\n\u003c/span\u003e\u003cspan class=\"lnt\" id=\"org-coderef--cbf663-44\"\u003e\u003ca class=\"lnlinks\" href=\"#org-coderef--cbf663-44\"\u003e 44\u003c/a\u003e\n\u003c/span\u003e\u003cspan class=\"lnt\" id=\"org-coderef--cbf663-45\"\u003e\u003ca class=\"lnlinks\" href=\"#org-coderef--cbf663-45\"\u003e 45\u003c/a\u003e\n\u003c/span\u003e\u003cspan class=\"lnt\" id=\"org-coderef--cbf663-46\"\u003e\u003ca class=\"lnlinks\" 
href=\"#org-coderef--cbf663-46\"\u003e 46\u003c/a\u003e\n\u003c/span\u003e\u003cspan class=\"lnt\" id=\"org-coderef--cbf663-47\"\u003e\u003ca class=\"lnlinks\" href=\"#org-coderef--cbf663-47\"\u003e 47\u003c/a\u003e\n\u003c/span\u003e\u003cspan class=\"lnt\" id=\"org-coderef--cbf663-48\"\u003e\u003ca class=\"lnlinks\" href=\"#org-coderef--cbf663-48\"\u003e 48\u003c/a\u003e\n\u003c/span\u003e\u003cspan class=\"lnt\" id=\"org-coderef--cbf663-49\"\u003e\u003ca class=\"lnlinks\" href=\"#org-coderef--cbf663-49\"\u003e 49\u003c/a\u003e\n\u003c/span\u003e\u003cspan class=\"lnt\" id=\"org-coderef--cbf663-50\"\u003e\u003ca class=\"lnlinks\" href=\"#org-coderef--cbf663-50\"\u003e 50\u003c/a\u003e\n\u003c/span\u003e\u003cspan class=\"lnt\" id=\"org-coderef--cbf663-51\"\u003e\u003ca class=\"lnlinks\" href=\"#org-coderef--cbf663-51\"\u003e 51\u003c/a\u003e\n\u003c/span\u003e\u003cspan class=\"lnt\" id=\"org-coderef--cbf663-52\"\u003e\u003ca class=\"lnlinks\" href=\"#org-coderef--cbf663-52\"\u003e 52\u003c/a\u003e\n\u003c/span\u003e\u003cspan class=\"lnt\" id=\"org-coderef--cbf663-53\"\u003e\u003ca class=\"lnlinks\" href=\"#org-coderef--cbf663-53\"\u003e 53\u003c/a\u003e\n\u003c/span\u003e\u003cspan class=\"lnt\" id=\"org-coderef--cbf663-54\"\u003e\u003ca class=\"lnlinks\" href=\"#org-coderef--cbf663-54\"\u003e 54\u003c/a\u003e\n\u003c/span\u003e\u003cspan class=\"lnt\" id=\"org-coderef--cbf663-55\"\u003e\u003ca class=\"lnlinks\" href=\"#org-coderef--cbf663-55\"\u003e 55\u003c/a\u003e\n\u003c/span\u003e\u003cspan class=\"lnt\" id=\"org-coderef--cbf663-56\"\u003e\u003ca class=\"lnlinks\" href=\"#org-coderef--cbf663-56\"\u003e 56\u003c/a\u003e\n\u003c/span\u003e\u003cspan class=\"lnt\" id=\"org-coderef--cbf663-57\"\u003e\u003ca class=\"lnlinks\" href=\"#org-coderef--cbf663-57\"\u003e 57\u003c/a\u003e\n\u003c/span\u003e\u003cspan class=\"lnt\" id=\"org-coderef--cbf663-58\"\u003e\u003ca class=\"lnlinks\" href=\"#org-coderef--cbf663-58\"\u003e 
58\u003c/a\u003e\n\u003c/span\u003e\u003cspan class=\"lnt\" id=\"org-coderef--cbf663-59\"\u003e\u003ca class=\"lnlinks\" href=\"#org-coderef--cbf663-59\"\u003e 59\u003c/a\u003e\n\u003c/span\u003e\u003cspan class=\"lnt\" id=\"org-coderef--cbf663-60\"\u003e\u003ca class=\"lnlinks\" href=\"#org-coderef--cbf663-60\"\u003e 60\u003c/a\u003e\n\u003c/span\u003e\u003cspan class=\"lnt\" id=\"org-coderef--cbf663-61\"\u003e\u003ca class=\"lnlinks\" href=\"#org-coderef--cbf663-61\"\u003e 61\u003c/a\u003e\n\u003c/span\u003e\u003cspan class=\"lnt\" id=\"org-coderef--cbf663-62\"\u003e\u003ca class=\"lnlinks\" href=\"#org-coderef--cbf663-62\"\u003e 62\u003c/a\u003e\n\u003c/span\u003e\u003cspan class=\"hl\"\u003e\u003cspan class=\"lnt\" id=\"org-coderef--cbf663-63\"\u003e\u003ca class=\"lnlinks\" href=\"#org-coderef--cbf663-63\"\u003e 63\u003c/a\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"lnt\" id=\"org-coderef--cbf663-64\"\u003e\u003ca class=\"lnlinks\" href=\"#org-coderef--cbf663-64\"\u003e 64\u003c/a\u003e\n\u003c/span\u003e\u003cspan class=\"lnt\" id=\"org-coderef--cbf663-65\"\u003e\u003ca class=\"lnlinks\" href=\"#org-coderef--cbf663-65\"\u003e 65\u003c/a\u003e\n\u003c/span\u003e\u003cspan class=\"hl\"\u003e\u003cspan class=\"lnt\" id=\"org-coderef--cbf663-66\"\u003e\u003ca class=\"lnlinks\" href=\"#org-coderef--cbf663-66\"\u003e 66\u003c/a\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"lnt\" id=\"org-coderef--cbf663-67\"\u003e\u003ca class=\"lnlinks\" href=\"#org-coderef--cbf663-67\"\u003e 67\u003c/a\u003e\n\u003c/span\u003e\u003cspan class=\"lnt\" id=\"org-coderef--cbf663-68\"\u003e\u003ca class=\"lnlinks\" href=\"#org-coderef--cbf663-68\"\u003e 68\u003c/a\u003e\n\u003c/span\u003e\u003cspan class=\"lnt\" id=\"org-coderef--cbf663-69\"\u003e\u003ca class=\"lnlinks\" href=\"#org-coderef--cbf663-69\"\u003e 69\u003c/a\u003e\n\u003c/span\u003e\u003cspan class=\"lnt\" id=\"org-coderef--cbf663-70\"\u003e\u003ca class=\"lnlinks\" 
href=\"#org-coderef--cbf663-70\"\u003e 70\u003c/a\u003e\n\u003c/span\u003e\u003cspan class=\"lnt\" id=\"org-coderef--cbf663-71\"\u003e\u003ca class=\"lnlinks\" href=\"#org-coderef--cbf663-71\"\u003e 71\u003c/a\u003e\n\u003c/span\u003e\u003cspan class=\"lnt\" id=\"org-coderef--cbf663-72\"\u003e\u003ca class=\"lnlinks\" href=\"#org-coderef--cbf663-72\"\u003e 72\u003c/a\u003e\n\u003c/span\u003e\u003cspan class=\"lnt\" id=\"org-coderef--cbf663-73\"\u003e\u003ca class=\"lnlinks\" href=\"#org-coderef--cbf663-73\"\u003e 73\u003c/a\u003e\n\u003c/span\u003e\u003cspan class=\"lnt\" id=\"org-coderef--cbf663-74\"\u003e\u003ca class=\"lnlinks\" href=\"#org-coderef--cbf663-74\"\u003e 74\u003c/a\u003e\n\u003c/span\u003e\u003cspan class=\"lnt\" id=\"org-coderef--cbf663-75\"\u003e\u003ca class=\"lnlinks\" href=\"#org-coderef--cbf663-75\"\u003e 75\u003c/a\u003e\n\u003c/span\u003e\u003cspan class=\"lnt\" id=\"org-coderef--cbf663-76\"\u003e\u003ca class=\"lnlinks\" href=\"#org-coderef--cbf663-76\"\u003e 76\u003c/a\u003e\n\u003c/span\u003e\u003cspan class=\"lnt\" id=\"org-coderef--cbf663-77\"\u003e\u003ca class=\"lnlinks\" href=\"#org-coderef--cbf663-77\"\u003e 77\u003c/a\u003e\n\u003c/span\u003e\u003cspan class=\"lnt\" id=\"org-coderef--cbf663-78\"\u003e\u003ca class=\"lnlinks\" href=\"#org-coderef--cbf663-78\"\u003e 78\u003c/a\u003e\n\u003c/span\u003e\u003cspan class=\"lnt\" id=\"org-coderef--cbf663-79\"\u003e\u003ca class=\"lnlinks\" href=\"#org-coderef--cbf663-79\"\u003e 79\u003c/a\u003e\n\u003c/span\u003e\u003cspan class=\"lnt\" id=\"org-coderef--cbf663-80\"\u003e\u003ca class=\"lnlinks\" href=\"#org-coderef--cbf663-80\"\u003e 80\u003c/a\u003e\n\u003c/span\u003e\u003cspan class=\"hl\"\u003e\u003cspan class=\"lnt\" id=\"org-coderef--cbf663-81\"\u003e\u003ca class=\"lnlinks\" href=\"#org-coderef--cbf663-81\"\u003e 81\u003c/a\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"lnt\" id=\"org-coderef--cbf663-82\"\u003e\u003ca class=\"lnlinks\" 
href=\"#org-coderef--cbf663-82\"\u003e 82\u003c/a\u003e\n\u003c/span\u003e\u003cspan class=\"lnt\" id=\"org-coderef--cbf663-83\"\u003e\u003ca class=\"lnlinks\" href=\"#org-coderef--cbf663-83\"\u003e 83\u003c/a\u003e\n\u003c/span\u003e\u003cspan class=\"lnt\" id=\"org-coderef--cbf663-84\"\u003e\u003ca class=\"lnlinks\" href=\"#org-coderef--cbf663-84\"\u003e 84\u003c/a\u003e\n\u003c/span\u003e\u003cspan class=\"lnt\" id=\"org-coderef--cbf663-85\"\u003e\u003ca class=\"lnlinks\" href=\"#org-coderef--cbf663-85\"\u003e 85\u003c/a\u003e\n\u003c/span\u003e\u003cspan class=\"lnt\" id=\"org-coderef--cbf663-86\"\u003e\u003ca class=\"lnlinks\" href=\"#org-coderef--cbf663-86\"\u003e 86\u003c/a\u003e\n\u003c/span\u003e\u003cspan class=\"lnt\" id=\"org-coderef--cbf663-87\"\u003e\u003ca class=\"lnlinks\" href=\"#org-coderef--cbf663-87\"\u003e 87\u003c/a\u003e\n\u003c/span\u003e\u003cspan class=\"lnt\" id=\"org-coderef--cbf663-88\"\u003e\u003ca class=\"lnlinks\" href=\"#org-coderef--cbf663-88\"\u003e 88\u003c/a\u003e\n\u003c/span\u003e\u003cspan class=\"lnt\" id=\"org-coderef--cbf663-89\"\u003e\u003ca class=\"lnlinks\" href=\"#org-coderef--cbf663-89\"\u003e 89\u003c/a\u003e\n\u003c/span\u003e\u003cspan class=\"lnt\" id=\"org-coderef--cbf663-90\"\u003e\u003ca class=\"lnlinks\" href=\"#org-coderef--cbf663-90\"\u003e 90\u003c/a\u003e\n\u003c/span\u003e\u003cspan class=\"lnt\" id=\"org-coderef--cbf663-91\"\u003e\u003ca class=\"lnlinks\" href=\"#org-coderef--cbf663-91\"\u003e 91\u003c/a\u003e\n\u003c/span\u003e\u003cspan class=\"lnt\" id=\"org-coderef--cbf663-92\"\u003e\u003ca class=\"lnlinks\" href=\"#org-coderef--cbf663-92\"\u003e 92\u003c/a\u003e\n\u003c/span\u003e\u003cspan class=\"lnt\" id=\"org-coderef--cbf663-93\"\u003e\u003ca class=\"lnlinks\" href=\"#org-coderef--cbf663-93\"\u003e 93\u003c/a\u003e\n\u003c/span\u003e\u003cspan class=\"lnt\" id=\"org-coderef--cbf663-94\"\u003e\u003ca class=\"lnlinks\" href=\"#org-coderef--cbf663-94\"\u003e 
94\u003c/a\u003e\n\u003c/span\u003e\u003cspan class=\"lnt\" id=\"org-coderef--cbf663-95\"\u003e\u003ca class=\"lnlinks\" href=\"#org-coderef--cbf663-95\"\u003e 95\u003c/a\u003e\n\u003c/span\u003e\u003cspan class=\"lnt\" id=\"org-coderef--cbf663-96\"\u003e\u003ca class=\"lnlinks\" href=\"#org-coderef--cbf663-96\"\u003e 96\u003c/a\u003e\n\u003c/span\u003e\u003cspan class=\"lnt\" id=\"org-coderef--cbf663-97\"\u003e\u003ca class=\"lnlinks\" href=\"#org-coderef--cbf663-97\"\u003e 97\u003c/a\u003e\n\u003c/span\u003e\u003cspan class=\"lnt\" id=\"org-coderef--cbf663-98\"\u003e\u003ca class=\"lnlinks\" href=\"#org-coderef--cbf663-98\"\u003e 98\u003c/a\u003e\n\u003c/span\u003e\u003cspan class=\"lnt\" id=\"org-coderef--cbf663-99\"\u003e\u003ca class=\"lnlinks\" href=\"#org-coderef--cbf663-99\"\u003e 99\u003c/a\u003e\n\u003c/span\u003e\u003cspan class=\"lnt\" id=\"org-coderef--cbf663-100\"\u003e\u003ca class=\"lnlinks\" href=\"#org-coderef--cbf663-100\"\u003e100\u003c/a\u003e\n\u003c/span\u003e\u003cspan class=\"lnt\" id=\"org-coderef--cbf663-101\"\u003e\u003ca class=\"lnlinks\" href=\"#org-coderef--cbf663-101\"\u003e101\u003c/a\u003e\n\u003c/span\u003e\u003cspan class=\"lnt\" id=\"org-coderef--cbf663-102\"\u003e\u003ca class=\"lnlinks\" href=\"#org-coderef--cbf663-102\"\u003e102\u003c/a\u003e\n\u003c/span\u003e\u003cspan class=\"hl\"\u003e\u003cspan class=\"lnt\" id=\"org-coderef--cbf663-103\"\u003e\u003ca class=\"lnlinks\" href=\"#org-coderef--cbf663-103\"\u003e103\u003c/a\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"lnt\" id=\"org-coderef--cbf663-104\"\u003e\u003ca class=\"lnlinks\" href=\"#org-coderef--cbf663-104\"\u003e104\u003c/a\u003e\n\u003c/span\u003e\u003cspan class=\"lnt\" id=\"org-coderef--cbf663-105\"\u003e\u003ca class=\"lnlinks\" href=\"#org-coderef--cbf663-105\"\u003e105\u003c/a\u003e\n\u003c/span\u003e\u003c/code\u003e\u003c/pre\u003e\u003c/td\u003e\n\u003ctd class=\"lntd\"\u003e\n\u003cpre tabindex=\"0\" class=\"chroma\"\u003e\u003ccode 
class=\"language-c\" data-lang=\"c\"\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"cp\"\u003e#include\u003c/span\u003e \u003cspan class=\"cpf\"\u003e\u0026lt;windows.h\u0026gt;\u003c/span\u003e\u003cspan class=\"cp\"\u003e\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"cp\"\u003e#include\u003c/span\u003e \u003cspan class=\"cpf\"\u003e\u0026lt;stdio.h\u0026gt;\u003c/span\u003e\u003cspan class=\"cp\"\u003e\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"cp\"\u003e#include\u003c/span\u003e \u003cspan class=\"cpf\"\u003e\u0026lt;stdint.h\u0026gt;\u003c/span\u003e\u003cspan class=\"cp\"\u003e\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"cp\"\u003e\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"cp\"\u003e#define FLG_HEAP_ENABLE_TAIL_CHECK    0x10\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"cp\"\u003e#define FLG_HEAP_ENABLE_FREE_CHECK    0x20\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"cp\"\u003e#define FLG_HEAP_VALIDATE_PARAMETERS  0x40\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"cp\"\u003e#define NT_GLOBAL_FLAG_DBG_MASK (FLG_HEAP_ENABLE_TAIL_CHECK | FLG_HEAP_ENABLE_FREE_CHECK | FLG_HEAP_VALIDATE_PARAMETERS)\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan 
class=\"cp\"\u003e\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line hl\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"k\"\u003estatic\u003c/span\u003e \u003cspan class=\"nf\"\u003e__attribute__\u003c/span\u003e\u003cspan class=\"p\"\u003e((\u003c/span\u003e\u003cspan class=\"n\"\u003enoinline\u003c/span\u003e\u003cspan class=\"p\"\u003e))\u003c/span\u003e \u003cspan class=\"kt\"\u003euint64_t\u003c/span\u003e \u003cspan class=\"nf\"\u003eOpaque\u003c/span\u003e\u003cspan class=\"p\"\u003e(\u003c/span\u003e\u003cspan class=\"kt\"\u003euint64_t\u003c/span\u003e \u003cspan class=\"n\"\u003ex\u003c/span\u003e\u003cspan class=\"p\"\u003e)\u003c/span\u003e                                                                  \u003cspan class=\"p\"\u003e(\u003c/span\u003e\u003cspan class=\"n\"\u003eopaque\u003c/span\u003e\u003cspan class=\"o\"\u003e-\u003c/span\u003e\u003cspan class=\"n\"\u003efnc\u003c/span\u003e\u003cspan class=\"p\"\u003e)\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line hl\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"p\"\u003e{\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line hl\"\u003e\u003cspan class=\"cl\"\u003e    \u003cspan class=\"k\"\u003evolatile\u003c/span\u003e \u003cspan class=\"kt\"\u003euint64_t\u003c/span\u003e \u003cspan class=\"n\"\u003ev\u003c/span\u003e \u003cspan class=\"o\"\u003e=\u003c/span\u003e \u003cspan class=\"n\"\u003ex\u003c/span\u003e\u003cspan class=\"p\"\u003e;\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line hl\"\u003e\u003cspan class=\"cl\"\u003e    \u003cspan class=\"k\"\u003ereturn\u003c/span\u003e \u003cspan class=\"n\"\u003ev\u003c/span\u003e\u003cspan class=\"p\"\u003e;\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line hl\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"p\"\u003e}\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan 
class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"cm\"\u003e/* (volatile, in .bss) */\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"k\"\u003estatic\u003c/span\u003e \u003cspan class=\"k\"\u003evolatile\u003c/span\u003e \u003cspan class=\"kt\"\u003euint64_t\u003c/span\u003e \u003cspan class=\"n\"\u003eg_mask\u003c/span\u003e\u003cspan class=\"p\"\u003e;\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"c1\"\u003e// Same as previous PoC\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"c1\"\u003e\u003c/span\u003e\u003cspan class=\"k\"\u003estatic\u003c/span\u003e \u003cspan class=\"n\"\u003eULONG\u003c/span\u003e \u003cspan class=\"nf\"\u003eGetNtGlobalFlag\u003c/span\u003e\u003cspan class=\"p\"\u003e(\u003c/span\u003e\u003cspan class=\"kt\"\u003evoid\u003c/span\u003e\u003cspan class=\"p\"\u003e)\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"p\"\u003e{\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"cp\"\u003e#ifdef _WIN64\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"cp\"\u003e\u003c/span\u003e    \u003cspan class=\"n\"\u003ePBYTE\u003c/span\u003e \u003cspan class=\"n\"\u003epeb\u003c/span\u003e \u003cspan class=\"o\"\u003e=\u003c/span\u003e \u003cspan class=\"p\"\u003e(\u003c/span\u003e\u003cspan class=\"n\"\u003ePBYTE\u003c/span\u003e\u003cspan 
class=\"p\"\u003e)\u003c/span\u003e\u003cspan class=\"nf\"\u003e__readgsqword\u003c/span\u003e\u003cspan class=\"p\"\u003e(\u003c/span\u003e\u003cspan class=\"mh\"\u003e0x60\u003c/span\u003e\u003cspan class=\"p\"\u003e);\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e    \u003cspan class=\"k\"\u003ereturn\u003c/span\u003e \u003cspan class=\"o\"\u003e*\u003c/span\u003e\u003cspan class=\"p\"\u003e(\u003c/span\u003e\u003cspan class=\"k\"\u003evolatile\u003c/span\u003e \u003cspan class=\"n\"\u003eULONG\u003c/span\u003e \u003cspan class=\"o\"\u003e*\u003c/span\u003e\u003cspan class=\"p\"\u003e)(\u003c/span\u003e\u003cspan class=\"n\"\u003epeb\u003c/span\u003e \u003cspan class=\"o\"\u003e+\u003c/span\u003e \u003cspan class=\"mh\"\u003e0xBC\u003c/span\u003e\u003cspan class=\"p\"\u003e);\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"cp\"\u003e#else\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"cp\"\u003e\u003c/span\u003e    \u003cspan class=\"n\"\u003ePBYTE\u003c/span\u003e \u003cspan class=\"n\"\u003epeb\u003c/span\u003e \u003cspan class=\"o\"\u003e=\u003c/span\u003e \u003cspan class=\"p\"\u003e(\u003c/span\u003e\u003cspan class=\"n\"\u003ePBYTE\u003c/span\u003e\u003cspan class=\"p\"\u003e)\u003c/span\u003e\u003cspan class=\"nf\"\u003e__readfsdword\u003c/span\u003e\u003cspan class=\"p\"\u003e(\u003c/span\u003e\u003cspan class=\"mh\"\u003e0x30\u003c/span\u003e\u003cspan class=\"p\"\u003e);\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e    \u003cspan class=\"k\"\u003ereturn\u003c/span\u003e \u003cspan class=\"o\"\u003e*\u003c/span\u003e\u003cspan class=\"p\"\u003e(\u003c/span\u003e\u003cspan class=\"k\"\u003evolatile\u003c/span\u003e \u003cspan 
class=\"n\"\u003eULONG\u003c/span\u003e \u003cspan class=\"o\"\u003e*\u003c/span\u003e\u003cspan class=\"p\"\u003e)(\u003c/span\u003e\u003cspan class=\"n\"\u003epeb\u003c/span\u003e \u003cspan class=\"o\"\u003e+\u003c/span\u003e \u003cspan class=\"mh\"\u003e0x68\u003c/span\u003e\u003cspan class=\"p\"\u003e);\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"cp\"\u003e#endif\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"cp\"\u003e\u003c/span\u003e\u003cspan class=\"p\"\u003e}\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"cm\"\u003e/* Reached only by the VEH rewriting CONTEXT.Rip. It has no static caller,\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"cm\"\u003eso IDA shows zero xrefs to it from main. 
End with ExitProcess because\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"cm\"\u003ethere is no return address to ret */\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line hl\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"k\"\u003estatic\u003c/span\u003e \u003cspan class=\"kt\"\u003evoid\u003c/span\u003e \u003cspan class=\"nf\"\u003e__attribute__\u003c/span\u003e\u003cspan class=\"p\"\u003e((\u003c/span\u003e\u003cspan class=\"n\"\u003eused\u003c/span\u003e\u003cspan class=\"p\"\u003e,\u003c/span\u003e \u003cspan class=\"n\"\u003enoinline\u003c/span\u003e\u003cspan class=\"p\"\u003e))\u003c/span\u003e \u003cspan class=\"nf\"\u003eRealNextStage\u003c/span\u003e\u003cspan class=\"p\"\u003e(\u003c/span\u003e\u003cspan class=\"kt\"\u003evoid\u003c/span\u003e\u003cspan class=\"p\"\u003e)\u003c/span\u003e                                                               \u003cspan class=\"p\"\u003e(\u003c/span\u003e\u003cspan class=\"n\"\u003erealnextstage\u003c/span\u003e\u003cspan class=\"o\"\u003e-\u003c/span\u003e\u003cspan class=\"n\"\u003efnc\u003c/span\u003e\u003cspan class=\"p\"\u003e)\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"p\"\u003e{\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e    \u003cspan class=\"nf\"\u003eprintf\u003c/span\u003e\u003cspan class=\"p\"\u003e(\u003c/span\u003e\u003cspan class=\"s\"\u003e\u0026#34;[+] RealNextStage reached. 
Decompiler thinks main() crashed here.\u003c/span\u003e\u003cspan class=\"se\"\u003e\\n\u003c/span\u003e\u003cspan class=\"s\"\u003e\u0026#34;\u003c/span\u003e\u003cspan class=\"p\"\u003e);\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e    \u003cspan class=\"nf\"\u003eprintf\u003c/span\u003e\u003cspan class=\"p\"\u003e(\u003c/span\u003e\u003cspan class=\"s\"\u003e\u0026#34;[+] This is the path real loaders use to hide their flow.\u003c/span\u003e\u003cspan class=\"se\"\u003e\\n\u003c/span\u003e\u003cspan class=\"s\"\u003e\u0026#34;\u003c/span\u003e\u003cspan class=\"p\"\u003e);\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e    \u003cspan class=\"nf\"\u003eExitProcess\u003c/span\u003e\u003cspan class=\"p\"\u003e(\u003c/span\u003e\u003cspan class=\"mi\"\u003e0\u003c/span\u003e\u003cspan class=\"p\"\u003e);\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"p\"\u003e}\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"k\"\u003estatic\u003c/span\u003e \u003cspan class=\"n\"\u003eLONG\u003c/span\u003e \u003cspan class=\"n\"\u003eWINAPI\u003c/span\u003e \u003cspan class=\"nf\"\u003eMyVectoredHandler\u003c/span\u003e\u003cspan class=\"p\"\u003e(\u003c/span\u003e\u003cspan class=\"n\"\u003ePEXCEPTION_POINTERS\u003c/span\u003e \u003cspan class=\"n\"\u003eep\u003c/span\u003e\u003cspan class=\"p\"\u003e)\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"p\"\u003e{\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e    \u003cspan 
class=\"k\"\u003eif\u003c/span\u003e \u003cspan class=\"p\"\u003e(\u003c/span\u003e\u003cspan class=\"n\"\u003eep\u003c/span\u003e\u003cspan class=\"o\"\u003e-\u0026gt;\u003c/span\u003e\u003cspan class=\"n\"\u003eExceptionRecord\u003c/span\u003e\u003cspan class=\"o\"\u003e-\u0026gt;\u003c/span\u003e\u003cspan class=\"n\"\u003eExceptionCode\u003c/span\u003e \u003cspan class=\"o\"\u003e!=\u003c/span\u003e \u003cspan class=\"n\"\u003eEXCEPTION_ACCESS_VIOLATION\u003c/span\u003e\u003cspan class=\"p\"\u003e)\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e        \u003cspan class=\"k\"\u003ereturn\u003c/span\u003e \u003cspan class=\"n\"\u003eEXCEPTION_CONTINUE_SEARCH\u003c/span\u003e\u003cspan class=\"p\"\u003e;\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e    \u003cspan class=\"k\"\u003eif\u003c/span\u003e \u003cspan class=\"p\"\u003e(\u003c/span\u003e\u003cspan class=\"n\"\u003eep\u003c/span\u003e\u003cspan class=\"o\"\u003e-\u0026gt;\u003c/span\u003e\u003cspan class=\"n\"\u003eExceptionRecord\u003c/span\u003e\u003cspan class=\"o\"\u003e-\u0026gt;\u003c/span\u003e\u003cspan class=\"n\"\u003eExceptionInformation\u003c/span\u003e\u003cspan class=\"p\"\u003e[\u003c/span\u003e\u003cspan class=\"mi\"\u003e1\u003c/span\u003e\u003cspan class=\"p\"\u003e]\u003c/span\u003e \u003cspan class=\"o\"\u003e!=\u003c/span\u003e \u003cspan class=\"mi\"\u003e0\u003c/span\u003e\u003cspan class=\"p\"\u003e)\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e        \u003cspan class=\"k\"\u003ereturn\u003c/span\u003e \u003cspan class=\"n\"\u003eEXCEPTION_CONTINUE_SEARCH\u003c/span\u003e\u003cspan class=\"p\"\u003e;\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan 
class=\"cl\"\u003e    \u003cspan class=\"n\"\u003eULONG\u003c/span\u003e \u003cspan class=\"n\"\u003eflag\u003c/span\u003e \u003cspan class=\"o\"\u003e=\u003c/span\u003e \u003cspan class=\"nf\"\u003eGetNtGlobalFlag\u003c/span\u003e\u003cspan class=\"p\"\u003e();\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e    \u003cspan class=\"nf\"\u003eprintf\u003c/span\u003e\u003cspan class=\"p\"\u003e(\u003c/span\u003e\u003cspan class=\"s\"\u003e\u0026#34;[VEH] hit. NtGlobalFlag = 0x%lx\u003c/span\u003e\u003cspan class=\"se\"\u003e\\n\u003c/span\u003e\u003cspan class=\"s\"\u003e\u0026#34;\u003c/span\u003e\u003cspan class=\"p\"\u003e,\u003c/span\u003e \u003cspan class=\"n\"\u003eflag\u003c/span\u003e\u003cspan class=\"p\"\u003e);\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e    \u003cspan class=\"k\"\u003eif\u003c/span\u003e \u003cspan class=\"p\"\u003e((\u003c/span\u003e\u003cspan class=\"n\"\u003eflag\u003c/span\u003e \u003cspan class=\"o\"\u003e\u0026amp;\u003c/span\u003e \u003cspan class=\"n\"\u003eNT_GLOBAL_FLAG_DBG_MASK\u003c/span\u003e\u003cspan class=\"p\"\u003e)\u003c/span\u003e \u003cspan class=\"o\"\u003e==\u003c/span\u003e \u003cspan class=\"n\"\u003eNT_GLOBAL_FLAG_DBG_MASK\u003c/span\u003e\u003cspan class=\"p\"\u003e)\u003c/span\u003e \u003cspan class=\"p\"\u003e{\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e        \u003cspan class=\"nf\"\u003eprintf\u003c/span\u003e\u003cspan class=\"p\"\u003e(\u003c/span\u003e\u003cspan class=\"s\"\u003e\u0026#34;[VEH] debugger detected via NtGlobalFlag.\u003c/span\u003e\u003cspan class=\"se\"\u003e\\n\u003c/span\u003e\u003cspan class=\"s\"\u003e\u0026#34;\u003c/span\u003e\u003cspan 
class=\"p\"\u003e);\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e        \u003cspan class=\"nf\"\u003eExitProcess\u003c/span\u003e\u003cspan class=\"p\"\u003e(\u003c/span\u003e\u003cspan class=\"mh\"\u003e0xDEAD\u003c/span\u003e\u003cspan class=\"p\"\u003e);\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e    \u003cspan class=\"p\"\u003e}\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e    \u003cspan class=\"nf\"\u003eprintf\u003c/span\u003e\u003cspan class=\"p\"\u003e(\u003c/span\u003e\u003cspan class=\"s\"\u003e\u0026#34;[VEH] clean. Rewriting Rip to RealNextStage (not visible in IDA).\u003c/span\u003e\u003cspan class=\"se\"\u003e\\n\u003c/span\u003e\u003cspan class=\"s\"\u003e\u0026#34;\u003c/span\u003e\u003cspan class=\"p\"\u003e);\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e    \u003cspan class=\"cm\"\u003e/* x64 ABI: at function entry rsp must satisfy rsp % 16 == 8, because a\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"cm\"\u003e     * CALL would have pushed an 8-byte return address. Align down to 16, then subtract 8. */\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"cp\"\u003e#ifdef _WIN64\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"cp\"\u003e\u003c/span\u003e    \u003cspan class=\"n\"\u003eep\u003c/span\u003e\u003cspan class=\"o\"\u003e-\u0026gt;\u003c/span\u003e\u003cspan 
class=\"n\"\u003eContextRecord\u003c/span\u003e\u003cspan class=\"o\"\u003e-\u0026gt;\u003c/span\u003e\u003cspan class=\"n\"\u003eRsp\u003c/span\u003e \u003cspan class=\"o\"\u003e=\u003c/span\u003e \u003cspan class=\"p\"\u003e(\u003c/span\u003e\u003cspan class=\"n\"\u003eep\u003c/span\u003e\u003cspan class=\"o\"\u003e-\u0026gt;\u003c/span\u003e\u003cspan class=\"n\"\u003eContextRecord\u003c/span\u003e\u003cspan class=\"o\"\u003e-\u0026gt;\u003c/span\u003e\u003cspan class=\"n\"\u003eRsp\u003c/span\u003e \u003cspan class=\"o\"\u003e\u0026amp;\u003c/span\u003e \u003cspan class=\"o\"\u003e~\u003c/span\u003e\u003cspan class=\"mh\"\u003e0xFULL\u003c/span\u003e\u003cspan class=\"p\"\u003e)\u003c/span\u003e \u003cspan class=\"o\"\u003e-\u003c/span\u003e \u003cspan class=\"mi\"\u003e8\u003c/span\u003e\u003cspan class=\"p\"\u003e;\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line hl\"\u003e\u003cspan class=\"cl\"\u003e    \u003cspan class=\"n\"\u003eep\u003c/span\u003e\u003cspan class=\"o\"\u003e-\u0026gt;\u003c/span\u003e\u003cspan class=\"n\"\u003eContextRecord\u003c/span\u003e\u003cspan class=\"o\"\u003e-\u0026gt;\u003c/span\u003e\u003cspan class=\"n\"\u003eRip\u003c/span\u003e \u003cspan class=\"o\"\u003e=\u003c/span\u003e \u003cspan class=\"p\"\u003e(\u003c/span\u003e\u003cspan class=\"n\"\u003eDWORD64\u003c/span\u003e\u003cspan class=\"p\"\u003e)\u003c/span\u003e\u003cspan class=\"o\"\u003e\u0026amp;\u003c/span\u003e\u003cspan class=\"n\"\u003eRealNextStage\u003c/span\u003e\u003cspan class=\"p\"\u003e;\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan 
class=\"cp\"\u003e#else\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"cp\"\u003e\u003c/span\u003e    \u003cspan class=\"n\"\u003eep\u003c/span\u003e\u003cspan class=\"o\"\u003e-\u0026gt;\u003c/span\u003e\u003cspan class=\"n\"\u003eContextRecord\u003c/span\u003e\u003cspan class=\"o\"\u003e-\u0026gt;\u003c/span\u003e\u003cspan class=\"n\"\u003eEsp\u003c/span\u003e \u003cspan class=\"o\"\u003e=\u003c/span\u003e \u003cspan class=\"p\"\u003e(\u003c/span\u003e\u003cspan class=\"n\"\u003eep\u003c/span\u003e\u003cspan class=\"o\"\u003e-\u0026gt;\u003c/span\u003e\u003cspan class=\"n\"\u003eContextRecord\u003c/span\u003e\u003cspan class=\"o\"\u003e-\u0026gt;\u003c/span\u003e\u003cspan class=\"n\"\u003eEsp\u003c/span\u003e \u003cspan class=\"o\"\u003e\u0026amp;\u003c/span\u003e \u003cspan class=\"o\"\u003e~\u003c/span\u003e\u003cspan class=\"mh\"\u003e0xFUL\u003c/span\u003e\u003cspan class=\"p\"\u003e)\u003c/span\u003e \u003cspan class=\"o\"\u003e-\u003c/span\u003e \u003cspan class=\"mi\"\u003e4\u003c/span\u003e\u003cspan class=\"p\"\u003e;\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line hl\"\u003e\u003cspan class=\"cl\"\u003e    \u003cspan class=\"n\"\u003eep\u003c/span\u003e\u003cspan class=\"o\"\u003e-\u0026gt;\u003c/span\u003e\u003cspan class=\"n\"\u003eContextRecord\u003c/span\u003e\u003cspan class=\"o\"\u003e-\u0026gt;\u003c/span\u003e\u003cspan class=\"n\"\u003eEip\u003c/span\u003e \u003cspan class=\"o\"\u003e=\u003c/span\u003e \u003cspan class=\"p\"\u003e(\u003c/span\u003e\u003cspan class=\"n\"\u003eDWORD\u003c/span\u003e\u003cspan class=\"p\"\u003e)\u003c/span\u003e\u003cspan class=\"o\"\u003e\u0026amp;\u003c/span\u003e\u003cspan class=\"n\"\u003eRealNextStage\u003c/span\u003e\u003cspan class=\"p\"\u003e;\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan 
class=\"cp\"\u003e#endif\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"cp\"\u003e\u003c/span\u003e    \u003cspan class=\"k\"\u003ereturn\u003c/span\u003e \u003cspan class=\"n\"\u003eEXCEPTION_CONTINUE_EXECUTION\u003c/span\u003e\u003cspan class=\"p\"\u003e;\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"p\"\u003e}\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"kt\"\u003eint\u003c/span\u003e \u003cspan class=\"nf\"\u003emain\u003c/span\u003e\u003cspan class=\"p\"\u003e(\u003c/span\u003e\u003cspan class=\"kt\"\u003evoid\u003c/span\u003e\u003cspan class=\"p\"\u003e)\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"p\"\u003e{\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e    \u003cspan class=\"n\"\u003ePVOID\u003c/span\u003e \u003cspan class=\"n\"\u003ehVEH\u003c/span\u003e \u003cspan class=\"o\"\u003e=\u003c/span\u003e \u003cspan class=\"nf\"\u003eAddVectoredExceptionHandler\u003c/span\u003e\u003cspan class=\"p\"\u003e(\u003c/span\u003e\u003cspan class=\"mi\"\u003e1\u003c/span\u003e\u003cspan class=\"p\"\u003e,\u003c/span\u003e \u003cspan class=\"n\"\u003eMyVectoredHandler\u003c/span\u003e\u003cspan class=\"p\"\u003e);\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e    \u003cspan class=\"k\"\u003eif\u003c/span\u003e \u003cspan class=\"p\"\u003e(\u003c/span\u003e\u003cspan class=\"o\"\u003e!\u003c/span\u003e\u003cspan class=\"n\"\u003ehVEH\u003c/span\u003e\u003cspan class=\"p\"\u003e)\u003c/span\u003e \u003cspan 
class=\"p\"\u003e{\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e        \u003cspan class=\"nf\"\u003efprintf\u003c/span\u003e\u003cspan class=\"p\"\u003e(\u003c/span\u003e\u003cspan class=\"n\"\u003estderr\u003c/span\u003e\u003cspan class=\"p\"\u003e,\u003c/span\u003e \u003cspan class=\"s\"\u003e\u0026#34;[-] AddVectoredExceptionHandler returned NULL\u003c/span\u003e\u003cspan class=\"se\"\u003e\\n\u003c/span\u003e\u003cspan class=\"s\"\u003e\u0026#34;\u003c/span\u003e\u003cspan class=\"p\"\u003e);\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e        \u003cspan class=\"k\"\u003ereturn\u003c/span\u003e \u003cspan class=\"mi\"\u003e1\u003c/span\u003e\u003cspan class=\"p\"\u003e;\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e    \u003cspan class=\"p\"\u003e}\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e    \u003cspan class=\"nf\"\u003eprintf\u003c/span\u003e\u003cspan class=\"p\"\u003e(\u003c/span\u003e\u003cspan class=\"s\"\u003e\u0026#34;[+] VEH installed at %p. 
Building opaque mask...\u003c/span\u003e\u003cspan class=\"se\"\u003e\\n\u003c/span\u003e\u003cspan class=\"s\"\u003e\u0026#34;\u003c/span\u003e\u003cspan class=\"p\"\u003e,\u003c/span\u003e \u003cspan class=\"n\"\u003ehVEH\u003c/span\u003e\u003cspan class=\"p\"\u003e);\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e    \u003cspan class=\"kt\"\u003euint64_t\u003c/span\u003e \u003cspan class=\"n\"\u003et\u003c/span\u003e \u003cspan class=\"o\"\u003e=\u003c/span\u003e \u003cspan class=\"p\"\u003e(\u003c/span\u003e\u003cspan class=\"kt\"\u003euint64_t\u003c/span\u003e\u003cspan class=\"p\"\u003e)\u003c/span\u003e\u003cspan class=\"n\"\u003ehVEH\u003c/span\u003e\u003cspan class=\"p\"\u003e;\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line hl\"\u003e\u003cspan class=\"cl\"\u003e    \u003cspan class=\"n\"\u003eg_mask\u003c/span\u003e \u003cspan class=\"o\"\u003e=\u003c/span\u003e \u003cspan class=\"p\"\u003e(\u003c/span\u003e\u003cspan class=\"n\"\u003et\u003c/span\u003e \u003cspan class=\"o\"\u003e^\u003c/span\u003e \u003cspan class=\"nf\"\u003eOpaque\u003c/span\u003e\u003cspan class=\"p\"\u003e(\u003c/span\u003e\u003cspan class=\"n\"\u003et\u003c/span\u003e\u003cspan class=\"p\"\u003e))\u003c/span\u003e \u003cspan class=\"o\"\u003e+\u003c/span\u003e \u003cspan class=\"nf\"\u003eOpaque\u003c/span\u003e\u003cspan class=\"p\"\u003e(\u003c/span\u003e\u003cspan class=\"mh\"\u003e0xd2acc002ULL\u003c/span\u003e\u003cspan class=\"p\"\u003e)\u003c/span\u003e \u003cspan class=\"o\"\u003e+\u003c/span\u003e \u003cspan class=\"mh\"\u003e0x0c00feedULL\u003c/span\u003e\u003cspan class=\"p\"\u003e;\u003c/span\u003e \u003cspan class=\"c1\"\u003e// after the arithmetic, g_mask is 0xdeadbeef\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan 
class=\"cl\"\u003e\u003cspan class=\"c1\"\u003e\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e    \u003cspan class=\"cm\"\u003e/* Force the volatile read into rbx via the \u0026#34;b\u0026#34; input constraint.\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"cm\"\u003e     decompiler should see rbx loaded from a global it cannot fold. */\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e    \u003cspan class=\"kt\"\u003euint64_t\u003c/span\u003e \u003cspan class=\"n\"\u003emask_val\u003c/span\u003e \u003cspan class=\"o\"\u003e=\u003c/span\u003e \u003cspan class=\"n\"\u003eg_mask\u003c/span\u003e\u003cspan class=\"p\"\u003e;\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e    \u003cspan class=\"nf\"\u003eprintf\u003c/span\u003e\u003cspan class=\"p\"\u003e(\u003c/span\u003e\u003cspan class=\"s\"\u003e\u0026#34;[+] Compute the opaque arithmetic NULL...\u003c/span\u003e\u003cspan class=\"se\"\u003e\\n\u003c/span\u003e\u003cspan class=\"s\"\u003e\u0026#34;\u003c/span\u003e\u003cspan class=\"p\"\u003e);\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e    \u003cspan class=\"n\"\u003e__asm__\u003c/span\u003e \u003cspan class=\"k\"\u003evolatile\u003c/span\u003e \u003cspan class=\"p\"\u003e(\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e        \u003cspan class=\"s\"\u003e\u0026#34;.intel_syntax noprefix\u003c/span\u003e\u003cspan class=\"se\"\u003e\\n\\t\u003c/span\u003e\u003cspan 
class=\"s\"\u003e\u0026#34;\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e        \u003cspan class=\"s\"\u003e\u0026#34;mov rcx, 0xd2acc002\u003c/span\u003e\u003cspan class=\"se\"\u003e\\n\\t\u003c/span\u003e\u003cspan class=\"s\"\u003e\u0026#34;\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e        \u003cspan class=\"s\"\u003e\u0026#34;add rcx, 0x0c00feed\u003c/span\u003e\u003cspan class=\"se\"\u003e\\n\\t\u003c/span\u003e\u003cspan class=\"s\"\u003e\u0026#34;\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e        \u003cspan class=\"s\"\u003e\u0026#34;xor rbx, rcx\u003c/span\u003e\u003cspan class=\"se\"\u003e\\n\\t\u003c/span\u003e\u003cspan class=\"s\"\u003e\u0026#34;\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e        \u003cspan class=\"s\"\u003e\u0026#34;mov [rbx], rcx\u003c/span\u003e\u003cspan class=\"se\"\u003e\\n\\t\u003c/span\u003e\u003cspan class=\"s\"\u003e\u0026#34;\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e        \u003cspan class=\"s\"\u003e\u0026#34;.att_syntax prefix\u003c/span\u003e\u003cspan class=\"se\"\u003e\\n\\t\u003c/span\u003e\u003cspan class=\"s\"\u003e\u0026#34;\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e        \u003cspan class=\"o\"\u003e:\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e        \u003cspan class=\"o\"\u003e:\u003c/span\u003e \u003cspan class=\"s\"\u003e\u0026#34;b\u0026#34;\u003c/span\u003e\u003cspan class=\"p\"\u003e(\u003c/span\u003e\u003cspan class=\"n\"\u003emask_val\u003c/span\u003e\u003cspan 
class=\"p\"\u003e)\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e        \u003cspan class=\"o\"\u003e:\u003c/span\u003e \u003cspan class=\"s\"\u003e\u0026#34;rcx\u0026#34;\u003c/span\u003e\u003cspan class=\"p\"\u003e,\u003c/span\u003e \u003cspan class=\"s\"\u003e\u0026#34;memory\u0026#34;\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e    \u003cspan class=\"p\"\u003e);\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e    \u003cspan class=\"cm\"\u003e/* Never reached at runtime: the handler either exits the process (debugger)\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"cm\"\u003e     or moves Rip to RealNextStage, so this decoy only exists in the static view. */\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line hl\"\u003e\u003cspan class=\"cl\"\u003e    \u003cspan class=\"nf\"\u003eprintf\u003c/span\u003e\u003cspan class=\"p\"\u003e(\u003c/span\u003e\u003cspan class=\"s\"\u003e\u0026#34;[+] (decoy) Survived. 
NtGlobalFlag check did not trip.\u003c/span\u003e\u003cspan class=\"se\"\u003e\\n\u003c/span\u003e\u003cspan class=\"s\"\u003e\u0026#34;\u003c/span\u003e\u003cspan class=\"p\"\u003e);\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e    \u003cspan class=\"k\"\u003ereturn\u003c/span\u003e \u003cspan class=\"mi\"\u003e0\u003c/span\u003e\u003cspan class=\"p\"\u003e;\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"p\"\u003e}\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003c/code\u003e\u003c/pre\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/table\u003e\n\u003c/div\u003e\n\u003c/div\u003e\u003cdiv class=\"src-block-caption\"\u003e\n  \u003cspan class=\"src-block-number\"\u003eCode Snippet 5:\u003c/span\u003e\n  Source [veh_hid_arithmetic_result.c]\n\u003c/div\u003e\n\u003cp\u003e\u003cem\u003ex86_64-w64-mingw32-gcc -Wall -O0 veh_hid_arithmetic_result.c -o veh.exe\u003c/em\u003e\u003c/p\u003e\n\u003cp\u003eThe above code successfully shows what I expected: the \u0026ldquo;real\u0026rdquo; execution flow is hidden inside the vectored handler.\u003c/p\u003e\n\n\n\n\u003cfigure\u003e\n    \n        \u003cimg src=\"/ox-hugo/split_exec_main_veh.png\" alt=\"Figure 11: Decompiled view of the main function, which implements the hidden execution flow\"/\u003e \u003cfigcaption\u003e\n                \u003cp\u003e\n                    \u003cspan class=\"figure-number\"\u003eFigure 11: \u003c/span\u003eDecompiled view of the main function, which implements the hidden execution flow\n                    \n                        \n                        \u003c/p\u003e\n                \n            
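As an added example (mine, not code from the original post), here is the byte pattern the handler's Rip rewrite above compiles to, with a Python scan that flags it together with planted trigger opcodes; the detection section below turns the same two ideas into CAPA rules. The sample byte blobs and import list are constructed for the demonstration, the AND/OR combination in evaluate() is my own reading of those rules, and the decoder skips SIB addressing on purpose.

```python
"""Byte-level heuristics for the pattern above: a VEH whose handler writes
ContextRecord->Eip/Rip, combined with VEH registration and planted exceptions."""

# Instruction-pointer field offsets inside CONTEXT (x86 Eip, x64 Rip).
IP_FIELD_OFFSET = {"x86": 0xB8, "x64": 0xF8}

VEH_APIS = {"AddVectoredExceptionHandler", "RtlAddVectoredExceptionHandler",
            "AddVectoredContinueHandler"}
ANTI_DEBUG_APIS = {"IsDebuggerPresent", "NtQueryInformationProcess"}

REGS32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]
REGS64 = ["rax", "rcx", "rdx", "rbx", "rsp", "rbp", "rsi", "rdi",
          "r8", "r9", "r10", "r11", "r12", "r13", "r14", "r15"]

# Opcodes that raise an exception on purpose. int3 (0xCC) is also MSVC's padding
# byte, so a lone hit is weak evidence; divide-by-zero needs operand tracking
# rather than a byte match and is left out.
TRIGGERS = {b"\xcc": "int3", b"\x0f\x0b": "ud2", b"\xcd\x2d": "int 0x2D"}


def find_ip_rewrites(code, arch):
    """Return (offset, text) for each `mov [base+disp32], reg` (opcode 89 /r) or
    `mov [base+disp32], imm32` (opcode C7 /0) whose disp32 is the Eip/Rip offset.
    Only ModRM mod=10b with a plain base register is decoded (no SIB byte)."""
    ip_off = IP_FIELD_OFFSET[arch]
    disp = ip_off.to_bytes(4, "little")
    names = REGS64 if arch == "x64" else REGS32
    hits = []
    for i in range(len(code)):
        rex, j = 0, i
        if arch == "x64":
            # A 64-bit store needs a REX prefix with W=1 (0x48..0x4F).
            if not 0x48 <= code[i] <= 0x4F:
                continue
            rex, j = code[i], i + 1
        if j + 6 > len(code) or code[j] not in (0x89, 0xC7):
            continue
        modrm = code[j + 1]
        if (modrm & 0xC0) != 0x80 or (modrm & 7) == 4 or code[j + 2:j + 6] != disp:
            continue
        reg_field = (modrm >> 3) & 7
        if code[j] == 0xC7 and reg_field != 0:
            continue  # C7 encodes MOV r/m, imm32 only as /0
        base = names[(modrm & 7) | ((rex & 1) << 3)]  # REX.B extends the base
        src = names[reg_field | ((rex & 4) << 1)] if code[j] == 0x89 else "imm32"
        hits.append((i, f"mov [{base}+0x{ip_off:X}], {src}"))
    return hits


def find_exception_triggers(code):
    """Offsets of the TRIGGERS opcodes, sorted by offset."""
    hits = []
    for pat, name in TRIGGERS.items():
        start = 0
        while (pos := code.find(pat, start)) != -1:
            hits.append((pos, name))
            start = pos + 1
    return sorted(hits)


def evaluate(imports, code, arch):
    """Combine the signals the way the two CAPA rules do: VEH registration AND
    (a planted exception OR an instruction-pointer rewrite). `imports` is the
    set of imported API names, e.g. read from the PE import table."""
    imported = set(imports)
    registers_veh = bool(imported & VEH_APIS)
    triggers = find_exception_triggers(code)
    rewrites = find_ip_rewrites(code, arch)
    return {
        "registers_veh": registers_veh,
        "anti_debug_api": sorted(imported & ANTI_DEBUG_APIS),
        "exception_triggers": triggers,
        "ip_rewrites": rewrites,
        "suspicious": registers_veh and bool(triggers or rewrites),
    }


# Constructed samples (not from any real binary): a minimal handler body that
# loads ContextRecord, points the instruction pointer at another stage and
# returns EXCEPTION_CONTINUE_EXECUTION (-1), followed by planted triggers.
SAMPLE_X64 = bytes.fromhex(
    "488b4908"        # mov rcx, [rcx+8]      ; rcx = ep->ContextRecord
    "488d0500000000"  # lea rax, [rip+0]      ; rax = address of the real next stage
    "488981f8000000"  # mov [rcx+0xF8], rax   ; ContextRecord->Rip = rax
    "b8ffffffff"      # mov eax, -1           ; EXCEPTION_CONTINUE_EXECUTION
    "c3"              # ret
    "cc"              # int3
    "0f0b"            # ud2
    "cd2d"            # int 0x2D
)
SAMPLE_X86 = bytes.fromhex(
    "8b4904"          # mov ecx, [ecx+4]      ; ecx = ep->ContextRecord
    "8981b8000000"    # mov [ecx+0xB8], eax   ; ContextRecord->Eip = eax
    "b8ffffffff"      # mov eax, -1
    "c3"              # ret
)
SAMPLE_IMPORTS = {"AddVectoredExceptionHandler", "NtQueryInformationProcess", "ExitProcess"}

if __name__ == "__main__":
    for arch, blob in (("x64", SAMPLE_X64), ("x86", SAMPLE_X86)):
        print(arch, evaluate(SAMPLE_IMPORTS, blob, arch))
```

The same scan run over a real `.text` section will also flag legitimate stores to CONTEXT+0xF8, so treat a hit as a place to open in the disassembler rather than a verdict.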
\u003c/figcaption\u003e\u003c/figure\u003e\n\n\n\n\n\u003cfigure\u003e\n    \n        \u003cimg src=\"/ox-hugo/split_exec_veh.png\" alt=\"Figure 12: Decompiled view of the custom vectored handler that changes the program execution flow if a debugger is detected via NtGlobalFlag\"/\u003e \u003cfigcaption\u003e\n                \u003cp\u003e\n                    \u003cspan class=\"figure-number\"\u003eFigure 12: \u003c/span\u003eDecompiled view of the custom vectored handler that changes the program execution flow if a debugger is detected via NtGlobalFlag\n                    \n                        \n                        \u003c/p\u003e\n                \n            \u003c/figcaption\u003e\u003c/figure\u003e\n\n\n\u003ch2 id=\"detecting-it-as-a-malware-analyst\"\u003eDetecting It as a Malware Analyst\u0026nbsp;\u003ca class=\"headline-hash no-text-decoration\" href=\"#detecting-it-as-a-malware-analyst\"\u003e#\u003c/a\u003e\u003c/h2\u003e\n\n\n\u003cp\u003eTwo natural starting points are YARA and CAPA rules that search for the following patterns:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003eYARA: signatures on \u003ccode\u003eRtlAddVectoredExceptionHandler\u003c/code\u003e, \u003ccode\u003eAddVectoredExceptionHandler\u003c/code\u003e and \u003ccode\u003eAddVectoredContinueHandler\u003c/code\u003e, mixed with known anti-debugging patterns such as \u003ccode\u003eIsDebuggerPresent\u003c/code\u003e, \u003ccode\u003eNtQueryInformationProcess\u003c/code\u003e, \u003cem\u003eetc\u0026hellip;\u003c/em\u003e\u003c/li\u003e\n\u003cli\u003eCAPA: existing rules around exception handler registration and dynamic control flow, or a new rule if none covers the pattern yet.\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003eThis is a lightweight attempt at a CAPA rule. It may produce false positives,\nbut it has been helpful as a starting point when exploring large binaries. 
Note that the rule is at function scope, so if the handler is registered at the start of the program\nwhile the faulting instructions sit in other functions, the rule won\u0026rsquo;t trigger.\u003c/p\u003e\n\u003cp\u003e\u003cem\u003eNB: the rule only covers three types of exceptions: undefined instruction, int3 and divide by zero.\u003c/em\u003e\u003c/p\u003e\n\u003cdiv class=\"highlight\"\u003e\u003cpre tabindex=\"0\" class=\"chroma\"\u003e\u003ccode class=\"language-yaml\" data-lang=\"yaml\"\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"nt\"\u003erule\u003c/span\u003e\u003cspan class=\"p\"\u003e:\u003c/span\u003e\u003cspan class=\"w\"\u003e\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"w\"\u003e  \u003c/span\u003e\u003cspan class=\"nt\"\u003emeta\u003c/span\u003e\u003cspan class=\"p\"\u003e:\u003c/span\u003e\u003cspan class=\"w\"\u003e\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"w\"\u003e    \u003c/span\u003e\u003cspan class=\"nt\"\u003ename\u003c/span\u003e\u003cspan class=\"p\"\u003e:\u003c/span\u003e\u003cspan class=\"w\"\u003e \u003c/span\u003e\u003cspan class=\"l\"\u003eregister vectored exception handler to redirect control flow\u003c/span\u003e\u003cspan class=\"w\"\u003e\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"w\"\u003e    \u003c/span\u003e\u003cspan class=\"nt\"\u003enamespace\u003c/span\u003e\u003cspan class=\"p\"\u003e:\u003c/span\u003e\u003cspan class=\"w\"\u003e \u003c/span\u003e\u003cspan class=\"l\"\u003eanti-analysis/anti-debugging/debugger-evasion\u003c/span\u003e\u003cspan class=\"w\"\u003e\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"w\"\u003e    
\u003c/span\u003e\u003cspan class=\"nt\"\u003eauthors\u003c/span\u003e\u003cspan class=\"p\"\u003e:\u003c/span\u003e\u003cspan class=\"w\"\u003e\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"w\"\u003e      \u003c/span\u003e- @\u003cspan class=\"l\"\u003eplebourhis\u003c/span\u003e\u003cspan class=\"w\"\u003e\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"w\"\u003e    \u003c/span\u003e\u003cspan class=\"nt\"\u003escopes\u003c/span\u003e\u003cspan class=\"p\"\u003e:\u003c/span\u003e\u003cspan class=\"w\"\u003e\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"w\"\u003e      \u003c/span\u003e\u003cspan class=\"nt\"\u003estatic\u003c/span\u003e\u003cspan class=\"p\"\u003e:\u003c/span\u003e\u003cspan class=\"w\"\u003e \u003c/span\u003e\u003cspan class=\"l\"\u003efunction\u003c/span\u003e\u003cspan class=\"w\"\u003e\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"w\"\u003e      \u003c/span\u003e\u003cspan class=\"nt\"\u003edynamic\u003c/span\u003e\u003cspan class=\"p\"\u003e:\u003c/span\u003e\u003cspan class=\"w\"\u003e \u003c/span\u003e\u003cspan class=\"l\"\u003ecall\u003c/span\u003e\u003cspan class=\"w\"\u003e\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"w\"\u003e    \u003c/span\u003e\u003cspan class=\"nt\"\u003eatt\u0026amp;ck\u003c/span\u003e\u003cspan class=\"p\"\u003e:\u003c/span\u003e\u003cspan class=\"w\"\u003e\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"w\"\u003e      \u003c/span\u003e- \u003cspan class=\"l\"\u003eDefense Evasion::Debugger Evasion 
[T1622]\u003c/span\u003e\u003cspan class=\"w\"\u003e\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"w\"\u003e    \u003c/span\u003e\u003cspan class=\"nt\"\u003embc\u003c/span\u003e\u003cspan class=\"p\"\u003e:\u003c/span\u003e\u003cspan class=\"w\"\u003e\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"w\"\u003e      \u003c/span\u003e- \u003cspan class=\"l\"\u003eAnti-Behavioral Analysis::Debugger Detection [B0001]\u003c/span\u003e\u003cspan class=\"w\"\u003e\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"w\"\u003e      \u003c/span\u003e- \u003cspan class=\"l\"\u003eAnti-Static Analysis::Disassembler Evasion [B0012]\u003c/span\u003e\u003cspan class=\"w\"\u003e\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"w\"\u003e    \u003c/span\u003e\u003cspan class=\"nt\"\u003ereferences\u003c/span\u003e\u003cspan class=\"p\"\u003e:\u003c/span\u003e\u003cspan class=\"w\"\u003e\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"w\"\u003e      \u003c/span\u003e- \u003cspan class=\"l\"\u003ehttps://anti-debug.checkpoint.com/techniques/exceptions.html\u003c/span\u003e\u003cspan class=\"w\"\u003e\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"w\"\u003e      \u003c/span\u003e- \u003cspan class=\"l\"\u003ehttps://learn.microsoft.com/en-us/windows/win32/api/errhandlingapi/nf-errhandlingapi-addvectoredexceptionhandler\u003c/span\u003e\u003cspan class=\"w\"\u003e\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan 
class=\"w\"\u003e    \u003c/span\u003e\u003cspan class=\"nt\"\u003edescription\u003c/span\u003e\u003cspan class=\"p\"\u003e:\u003c/span\u003e\u003cspan class=\"w\"\u003e \u003c/span\u003e\u003cspan class=\"p\"\u003e|\u003c/span\u003e\u003cspan class=\"sd\"\u003e\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"sd\"\u003e      Malware registers a Vectored Exception Handler and then deliberately\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"sd\"\u003e      raises an exception (int3, ud2, divide-by-zero, RaiseException, ...).\u003c/span\u003e\u003cspan class=\"w\"\u003e      \n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"w\"\u003e  \u003c/span\u003e\u003cspan class=\"nt\"\u003efeatures\u003c/span\u003e\u003cspan class=\"p\"\u003e:\u003c/span\u003e\u003cspan class=\"w\"\u003e\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"w\"\u003e    \u003c/span\u003e- \u003cspan class=\"nt\"\u003eand\u003c/span\u003e\u003cspan class=\"p\"\u003e:\u003c/span\u003e\u003cspan class=\"w\"\u003e\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"w\"\u003e      \u003c/span\u003e- \u003cspan class=\"nt\"\u003eor\u003c/span\u003e\u003cspan class=\"p\"\u003e:\u003c/span\u003e\u003cspan class=\"w\"\u003e\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"w\"\u003e          \u003c/span\u003e- \u003cspan class=\"nt\"\u003eapi\u003c/span\u003e\u003cspan class=\"p\"\u003e:\u003c/span\u003e\u003cspan class=\"w\"\u003e \u003c/span\u003e\u003cspan 
class=\"l\"\u003eAddVectoredExceptionHandler\u003c/span\u003e\u003cspan class=\"w\"\u003e\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"w\"\u003e          \u003c/span\u003e- \u003cspan class=\"nt\"\u003eapi\u003c/span\u003e\u003cspan class=\"p\"\u003e:\u003c/span\u003e\u003cspan class=\"w\"\u003e \u003c/span\u003e\u003cspan class=\"l\"\u003ekernel32.AddVectoredExceptionHandler\u003c/span\u003e\u003cspan class=\"w\"\u003e\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"w\"\u003e          \u003c/span\u003e- \u003cspan class=\"nt\"\u003eapi\u003c/span\u003e\u003cspan class=\"p\"\u003e:\u003c/span\u003e\u003cspan class=\"w\"\u003e \u003c/span\u003e\u003cspan class=\"l\"\u003entdll.RtlAddVectoredExceptionHandler\u003c/span\u003e\u003cspan class=\"w\"\u003e\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"w\"\u003e      \u003c/span\u003e- \u003cspan class=\"nt\"\u003eor\u003c/span\u003e\u003cspan class=\"p\"\u003e:\u003c/span\u003e\u003cspan class=\"w\"\u003e\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"w\"\u003e          \u003c/span\u003e- \u003cspan class=\"nt\"\u003emnemonic\u003c/span\u003e\u003cspan class=\"p\"\u003e:\u003c/span\u003e\u003cspan class=\"w\"\u003e \u003c/span\u003e\u003cspan class=\"l\"\u003eint3\u003c/span\u003e\u003cspan class=\"w\"\u003e\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"w\"\u003e          \u003c/span\u003e- \u003cspan class=\"nt\"\u003emnemonic\u003c/span\u003e\u003cspan class=\"p\"\u003e:\u003c/span\u003e\u003cspan class=\"w\"\u003e \u003c/span\u003e\u003cspan class=\"l\"\u003eud2\u003c/span\u003e\u003cspan 
class=\"w\"\u003e\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"w\"\u003e          \u003c/span\u003e- \u003cspan class=\"nt\"\u003eapi\u003c/span\u003e\u003cspan class=\"p\"\u003e:\u003c/span\u003e\u003cspan class=\"w\"\u003e \u003c/span\u003e\u003cspan class=\"l\"\u003eRaiseException\u003c/span\u003e\u003cspan class=\"w\"\u003e\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"w\"\u003e          \u003c/span\u003e- \u003cspan class=\"nt\"\u003eapi\u003c/span\u003e\u003cspan class=\"p\"\u003e:\u003c/span\u003e\u003cspan class=\"w\"\u003e \u003c/span\u003e\u003cspan class=\"l\"\u003ekernel32.RaiseException\u003c/span\u003e\u003cspan class=\"w\"\u003e\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"w\"\u003e          \u003c/span\u003e- \u003cspan class=\"nt\"\u003eand\u003c/span\u003e\u003cspan class=\"p\"\u003e:\u003c/span\u003e\u003cspan class=\"w\"\u003e\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"w\"\u003e              \u003c/span\u003e- \u003cspan class=\"nt\"\u003emnemonic\u003c/span\u003e\u003cspan class=\"p\"\u003e:\u003c/span\u003e\u003cspan class=\"w\"\u003e \u003c/span\u003e\u003cspan class=\"l\"\u003ediv\u003c/span\u003e\u003cspan class=\"w\"\u003e\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"w\"\u003e              \u003c/span\u003e- \u003cspan class=\"nt\"\u003enumber\u003c/span\u003e\u003cspan class=\"p\"\u003e:\u003c/span\u003e\u003cspan class=\"w\"\u003e \u003c/span\u003e\u003cspan class=\"m\"\u003e0\u003c/span\u003e\u003cspan class=\"w\"\u003e \u003c/span\u003e\u003cspan class=\"l\"\u003e= divide-by-zero to trigger 
EXCEPTION_INT_DIVIDE_BY_ZERO\u003c/span\u003e\u003cspan class=\"w\"\u003e\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"w\"\u003e          \u003c/span\u003e- \u003cspan class=\"nt\"\u003eand\u003c/span\u003e\u003cspan class=\"p\"\u003e:\u003c/span\u003e\u003cspan class=\"w\"\u003e\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"w\"\u003e              \u003c/span\u003e- \u003cspan class=\"nt\"\u003emnemonic\u003c/span\u003e\u003cspan class=\"p\"\u003e:\u003c/span\u003e\u003cspan class=\"w\"\u003e \u003c/span\u003e\u003cspan class=\"l\"\u003eint\u003c/span\u003e\u003cspan class=\"w\"\u003e\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"w\"\u003e              \u003c/span\u003e- \u003cspan class=\"nt\"\u003enumber\u003c/span\u003e\u003cspan class=\"p\"\u003e:\u003c/span\u003e\u003cspan class=\"w\"\u003e \u003c/span\u003e\u003cspan class=\"l\"\u003e0x2D = EXCEPTION_BREAKPOINT alt path (int 0x2D)\u003c/span\u003e\u003cspan class=\"w\"\u003e\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e\u003cdiv class=\"src-block-caption\"\u003e\n  \u003cspan class=\"src-block-number\"\u003eCode Snippet 6:\u003c/span\u003e\n  CAPA rule on VEH registration combined with simple instructions that raise an exception\n\u003c/div\u003e\n\u003cp\u003eA second rule, focused on the handler itself, looks for code that rewrites the \u003ccode\u003eEip\u003c/code\u003e/\u003ccode\u003eRip\u003c/code\u003e field of the \u003ccode\u003eContextRecord\u003c/code\u003e.\u003c/p\u003e\n\u003cdiv class=\"highlight\"\u003e\u003cpre tabindex=\"0\" class=\"chroma\"\u003e\u003ccode class=\"language-yaml\" data-lang=\"yaml\"\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan 
class=\"nt\"\u003erule\u003c/span\u003e\u003cspan class=\"p\"\u003e:\u003c/span\u003e\u003cspan class=\"w\"\u003e\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"w\"\u003e  \u003c/span\u003e\u003cspan class=\"nt\"\u003emeta\u003c/span\u003e\u003cspan class=\"p\"\u003e:\u003c/span\u003e\u003cspan class=\"w\"\u003e\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"w\"\u003e    \u003c/span\u003e\u003cspan class=\"nt\"\u003ename\u003c/span\u003e\u003cspan class=\"p\"\u003e:\u003c/span\u003e\u003cspan class=\"w\"\u003e \u003c/span\u003e\u003cspan class=\"l\"\u003evectored exception handler rewrites instruction pointer\u003c/span\u003e\u003cspan class=\"w\"\u003e\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"w\"\u003e    \u003c/span\u003e\u003cspan class=\"nt\"\u003enamespace\u003c/span\u003e\u003cspan class=\"p\"\u003e:\u003c/span\u003e\u003cspan class=\"w\"\u003e \u003c/span\u003e\u003cspan class=\"l\"\u003eanti-analysis/anti-debugging/debugger-evasion\u003c/span\u003e\u003cspan class=\"w\"\u003e\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"w\"\u003e    \u003c/span\u003e\u003cspan class=\"nt\"\u003eauthors\u003c/span\u003e\u003cspan class=\"p\"\u003e:\u003c/span\u003e\u003cspan class=\"w\"\u003e\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"w\"\u003e      \u003c/span\u003e- @\u003cspan class=\"l\"\u003eplebourhis\u003c/span\u003e\u003cspan class=\"w\"\u003e\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"w\"\u003e    \u003c/span\u003e\u003cspan 
class=\"nt\"\u003escopes\u003c/span\u003e\u003cspan class=\"p\"\u003e:\u003c/span\u003e\u003cspan class=\"w\"\u003e\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"w\"\u003e      \u003c/span\u003e\u003cspan class=\"nt\"\u003estatic\u003c/span\u003e\u003cspan class=\"p\"\u003e:\u003c/span\u003e\u003cspan class=\"w\"\u003e \u003c/span\u003e\u003cspan class=\"l\"\u003efunction\u003c/span\u003e\u003cspan class=\"w\"\u003e\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"w\"\u003e      \u003c/span\u003e\u003cspan class=\"nt\"\u003edynamic\u003c/span\u003e\u003cspan class=\"p\"\u003e:\u003c/span\u003e\u003cspan class=\"w\"\u003e \u003c/span\u003e\u003cspan class=\"l\"\u003ecall\u003c/span\u003e\u003cspan class=\"w\"\u003e\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"w\"\u003e    \u003c/span\u003e\u003cspan class=\"nt\"\u003eatt\u0026amp;ck\u003c/span\u003e\u003cspan class=\"p\"\u003e:\u003c/span\u003e\u003cspan class=\"w\"\u003e\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"w\"\u003e      \u003c/span\u003e- \u003cspan class=\"l\"\u003eDefense Evasion::Debugger Evasion [T1622]\u003c/span\u003e\u003cspan class=\"w\"\u003e\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"w\"\u003e    \u003c/span\u003e\u003cspan class=\"nt\"\u003embc\u003c/span\u003e\u003cspan class=\"p\"\u003e:\u003c/span\u003e\u003cspan class=\"w\"\u003e\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"w\"\u003e      \u003c/span\u003e- \u003cspan class=\"l\"\u003eAnti-Behavioral Analysis::Debugger Detection 
[B0001]\u003c/span\u003e\u003cspan class=\"w\"\u003e\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"w\"\u003e    \u003c/span\u003e\u003cspan class=\"nt\"\u003edescription\u003c/span\u003e\u003cspan class=\"p\"\u003e:\u003c/span\u003e\u003cspan class=\"w\"\u003e \u003c/span\u003e\u003cspan class=\"p\"\u003e|\u003c/span\u003e\u003cspan class=\"sd\"\u003e\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"sd\"\u003e      A VEH/SEH callback writes to the Eip (x86, CONTEXT+0xB8) or Rip\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"sd\"\u003e      (x64, CONTEXT+0xF8) field of the EXCEPTION_POINTERS-\u0026gt;ContextRecord\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"sd\"\u003e      it was handed, redirecting execution after a planted exception.\u003c/span\u003e\u003cspan class=\"w\"\u003e      \n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"w\"\u003e  \u003c/span\u003e\u003cspan class=\"nt\"\u003efeatures\u003c/span\u003e\u003cspan class=\"p\"\u003e:\u003c/span\u003e\u003cspan class=\"w\"\u003e\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"w\"\u003e    \u003c/span\u003e- \u003cspan class=\"nt\"\u003eand\u003c/span\u003e\u003cspan class=\"p\"\u003e:\u003c/span\u003e\u003cspan class=\"w\"\u003e\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"w\"\u003e      \u003c/span\u003e- \u003cspan class=\"nt\"\u003eor\u003c/span\u003e\u003cspan class=\"p\"\u003e:\u003c/span\u003e\u003cspan 
class=\"w\"\u003e\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"w\"\u003e          \u003c/span\u003e- \u003cspan class=\"nt\"\u003enumber\u003c/span\u003e\u003cspan class=\"p\"\u003e:\u003c/span\u003e\u003cspan class=\"w\"\u003e \u003c/span\u003e\u003cspan class=\"l\"\u003e0xB8 = offsetof(CONTEXT, Eip) on x86\u003c/span\u003e\u003cspan class=\"w\"\u003e\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"w\"\u003e          \u003c/span\u003e- \u003cspan class=\"nt\"\u003enumber\u003c/span\u003e\u003cspan class=\"p\"\u003e:\u003c/span\u003e\u003cspan class=\"w\"\u003e \u003c/span\u003e\u003cspan class=\"l\"\u003e0xF8 = offsetof(CONTEXT, Rip) on x64\u003c/span\u003e\u003cspan class=\"w\"\u003e\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"w\"\u003e      \u003c/span\u003e- \u003cspan class=\"nt\"\u003eor\u003c/span\u003e\u003cspan class=\"p\"\u003e:\u003c/span\u003e\u003cspan class=\"w\"\u003e\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"w\"\u003e          \u003c/span\u003e- \u003cspan class=\"nt\"\u003enumber\u003c/span\u003e\u003cspan class=\"p\"\u003e:\u003c/span\u003e\u003cspan class=\"w\"\u003e \u003c/span\u003e\u003cspan class=\"m\"\u003e0x10001\u003c/span\u003e\u003cspan class=\"w\"\u003e \u003c/span\u003e\u003cspan class=\"l\"\u003e= EXCEPTION_CONTINUE_EXECUTION\u003c/span\u003e\u003cspan class=\"w\"\u003e\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"w\"\u003e          \u003c/span\u003e- \u003cspan class=\"nt\"\u003enumber\u003c/span\u003e\u003cspan class=\"p\"\u003e:\u003c/span\u003e\u003cspan class=\"w\"\u003e \u003c/span\u003e\u003cspan 
class=\"l\"\u003e0xFFFFFFFF = (LONG)-1 EXCEPTION_CONTINUE_EXECUTION\u003c/span\u003e\u003cspan class=\"w\"\u003e\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"w\"\u003e          \u003c/span\u003e- \u003cspan class=\"nt\"\u003enumber\u003c/span\u003e\u003cspan class=\"p\"\u003e:\u003c/span\u003e\u003cspan class=\"w\"\u003e \u003c/span\u003e\u003cspan class=\"m\"\u003e0\u003c/span\u003e\u003cspan class=\"w\"\u003e \u003c/span\u003e\u003cspan class=\"l\"\u003e= EXCEPTION_CONTINUE_SEARCH (handler chooses to skip)\u003c/span\u003e\u003cspan class=\"w\"\u003e\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e\u003cdiv class=\"src-block-caption\"\u003e\n  \u003cspan class=\"src-block-number\"\u003eCode Snippet 7:\u003c/span\u003e\n  CAPA rule for the Context Rip/Eip redirection\n\u003c/div\u003e\n\u003cp\u003eNone of the paths I wanted to follow seems accurate; however, a hint for my future self would be to check SEH handler functions that could have interesting code inside.\nAlso, when debugging a new piece of malware, add a breakpoint on \u003ccode\u003eRtlAddVectoredExceptionHandler\u003c/code\u003e to investigate the handler code.\u003c/p\u003e\n\u003cp\u003e\u003cstrong\u003eA Note on the Limits of Detection\u003c/strong\u003e\u003c/p\u003e\n\u003cp\u003eIt is important to remain humble about visibility. While signature-level detection is highly effective against\nknown threats and reused codebases, it has inherent ceilings:\u003c/p\u003e\n\u003cp\u003eThe Reality Check: Static signatures catch what we have seen before.\nBecause the underlying technique of using exception handlers to redirect code flow is a generic architectural feature of Windows,\nit is relatively easy for an author to tweak the implementation. 
A new sample can sidestep most rules simply by\nchanging the \u0026ldquo;fault\u0026rdquo; instruction or obfuscating the registration call.\u003c/p\u003e\n\u003cp\u003eUltimately, these signatures are starting points for a deeper investigation, rather than a definitive \u0026ldquo;case closed\u0026rdquo; for a new piece of malware!\u003c/p\u003e\n\n\u003ch2 id=\"wrapping-up\"\u003eWrapping Up\u0026nbsp;\u003ca class=\"headline-hash no-text-decoration\" href=\"#wrapping-up\"\u003e#\u003c/a\u003e\u003c/h2\u003e\n\n\n\u003cp\u003eGoing into this I expected exception handling to be a small detour\nbefore getting back to the malware sample. It turned out to be a\nbigger topic than I thought, and I am sure parts of what I wrote above\nare still imprecise; the x64 unwind machinery in particular is\nsomething I want to revisit, because I don\u0026rsquo;t yet have a clean mental\nmodel of how \u003ccode\u003e__C_specific_handler\u003c/code\u003e decides what to do with the scope\ntable.\u003c/p\u003e\n\u003cp\u003eWhat I take away from this exercise:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003e\u003cstrong\u003eSEH\u003c/strong\u003e and \u003cstrong\u003eVEH\u003c/strong\u003e are not exotic. They are the documented Windows exception\nmodel, and most of what makes them feel \u0026ldquo;tricky\u0026rdquo; in malware is just\nthat the analyst is meeting them for the first time in an adversarial\ncontext.\u003c/li\u003e\n\u003cli\u003eVEH is interesting to an attacker for a very specific reason: it\nfires \u003cstrong\u003ebefore\u003c/strong\u003e SEH, it is process-wide, and the handler has full\nread/write access to the saved register context. That combination is\nwhat makes it usable as a control-flow primitive (from a malware author\u0026rsquo;s point of view).\u003c/li\u003e\n\u003cli\u003eOn the detection side, my CAPA attempts are honestly a starting\npoint. 
The technique is generic enough that signatures will lag\nbehind any author who is willing to swap the faulting instruction or\nwrap the registration call. I think the more durable signal is\nbehavioural: a handler that writes to \u003ccode\u003eContextRecord-\u0026gt;Rip\u003c/code\u003e / \u003ccode\u003eEip\u003c/code\u003e and\nreturns \u003ccode\u003eEXCEPTION_CONTINUE_EXECUTION\u003c/code\u003e is doing something a\nwell-behaved program almost never needs to do (hope so\u0026hellip;) but turning that into\na rule that does not light up on every C++ runtime is its own\nproject.\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003eIf you spotted something wrong, or if you have a cleaner way of writing\nthe CAPA rules, I would genuinely like to hear it. The references at\nthe top of this post (\u003ca href=\"https://www.sonicwall.com/blog/guloader-demystified-unraveling-its-vectored-exception-handler-approach\"\u003eSonicWall\u003c/a\u003e, \u003ca href=\"https://www.zscaler.com/blogs/security-research/technical-analysis-guloader-obfuscation-techniques\"\u003eZscaler\u003c/a\u003e, \u003ca href=\"https://www.slideshare.net/slideshow/unmasking-the-dark-art-of-vectored-exception-handling-bypassing-xdr-and-edr-in-the-evolving-cyber-threat-landscape/263989842?utm_source=clipboard_share_button\u0026amp;utm_campaign=slideshare_make_sharing_viral_v2\u0026amp;utm_variation=control\u0026amp;utm_medium=share\"\u003eCrowdStrike\u003c/a\u003e, \u003ca href=\"https://www.ibm.com/think/x-force/using-veh-for-defense-evasion-process-injection\"\u003eIBM\u003c/a\u003e, \u003ca href=\"https://unit42.paloaltonetworks.com/malware-configuration-extraction-techniques-guloader-redline-stealer/\"\u003eUnit42\u003c/a\u003e)\nremain the better place to read about VEH in the wild; this article is\njust my attempt to understand the plumbing well enough to recognise it\nnext time.\u003c/p\u003e\n\u003cp\u003e\u003cem\u003eOther great 
resources:\u003c/em\u003e\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"https://blog.talosintelligence.com/exceptional-behavior-windows-81-x64-seh/\"\u003eTalos - Exceptional behavior: the Windows 8.1 X64 SEH Implementation\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://blog.elmo.sg/posts/structured-exception-handler-x64/\"\u003eElmo.sg - A deep dive into modern Windows Structured Exception Handler (SEH) ⚠️\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://datafarm-cybersecurity.medium.com/code-execution-against-windows-hvci-f617570e9df0\"\u003eDatafarm - Code Execution against Windows HVCI\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n","text":" What brought me back to this subject is the analysis of GuLoader that uses VEH (see SonicWall, Zscaler and Unit42 articles for deeper malware analysis).\nThis article is my attempt to write down what I learned properly, starting from the actual concepts rather than jumping straight to the tricks. SEH and VEH are legitimate, well-designed mechanisms. Understanding how they are supposed to work is what makes the abuse readable.\nThe first part covers the concepts and the API, how the OS dispatches exceptions, how SEH and VEH handlers are registered, and what developers normally use them for. The second part gets into the malware side: how exception handling gets repurposed to hide execution flow. To wrap things up, I decided to test some detection logic. I hacked together a basic implementation in C; while my C skills are definitely still a \u0026lsquo;work in progress,\u0026rsquo; the code serves its purpose in demonstrating how to catch this behavior.\nIf you already know Windows internals well, the first two parts will mostly be a refresher. 
If you are coming at this from the analysis side without much background in the underlying mechanism, I hope starting from the foundation makes the second part easier to follow.\nBefore going further, here are some interesting external resources related to VEH in the malware domain:\nSonicWall - GuLoader Demystified: Unraveling its Vectored Exception Handler Approach Zscaler - Technical Analysis of GuLoader Obfuscation Techniques CrowdStrike - Unmasking the Dark Art of Vectored Exception Handling: Bypassing XDR and EDR in the Evolving IBM - You just got vectored – using vectored exception handlers (veh) for defense evasion and process injection Unit42 - Tackling Anti-Analysis Techniques of GuLoader and RedLine Stealer SEH, VEH and a Word on C++ Exceptions\u0026nbsp;# What an exception is at the OS level and how Windows dispatches it (brief, just enough to understand the rest) SEH: the stack-based chain, per-thread, per-frame, how the compiler owns it for you VEH: process-wide, heap-resident, fires before SEH, the two-function API The difference with C++ exceptions: try/catch is a language abstraction built on top of SEH, not the same thing, why that distinction matters when you are reading disassembly The three terms (SEH, VEH and Exception) often get conflated, especially in malware analysis writeups (and especially by myself).\nWhat is an exception at the OS level? When something goes wrong during execution, whether it is a divide by zero, an access to an unmapped memory page, or an explicit int 3 instruction, the CPU raises an exception. Control transfers to the kernel, which builds an EXCEPTION_RECORD describing what happened and a CONTEXT structure capturing the full register state at the time of the fault. Windows then tries to find something in user space that knows how to handle it. That search is what SEH and VEH are about.\nStructured Exception Handling\u0026nbsp;# SEH in x86\u0026nbsp;# SEH is the older of the two mechanisms. 
The idea is straightforward: each function that wants to handle exceptions registers a handler on the stack, forming a linked list rooted at fs:[0] on x86. When an exception occurs, Windows walks that list from the top, giving each registered handler a chance to deal with it. If a handler claims the exception, execution resumes. If nothing handles it, the process crashes.\nFrom a developer perspective, SEH is what sits behind __try / __except / __finally in C. The compiler does most of the work, emitting the registration and cleanup code around the blocks. On x64 the implementation is different: instead of a runtime chain on the stack, the compiler emits a static table in the .pdata section that the OS uses to unwind. The surface API looks the same but the mechanics underneath are not. That is still unclear to me\u0026hellip;\n#include \u0026lt;windows.h\u0026gt; #include \u0026lt;stdio.h\u0026gt; int main(void) { __try { // intentionally trigger an access violation int *ptr = NULL; *ptr = 42; } __except(EXCEPTION_EXECUTE_HANDLER) { printf(\u0026#34;SEH caught the exception\\n\u0026#34;); } return 0; } The C file is compiled with this command line: cl.exe /Zi /O1 /GS- test-seh.c. See below the difference between x86 that uses the fs:[0] and the x64 version that has the logic in the .pdata section.\nFigure 1: Main function in 32bit environment In the 32bits architecture, the exception is \u0026ldquo;registered\u0026rdquo; by the first instruction of the main function (see the screenshot below). 
where the compiler adds the following instructions:\npush 8 push offset struc_478178 call j__SEH_prolog xor eax, eax What __SEH_prolog does internally is:\nSaves the current fs:[0] value (the previous handler in the chain) Builds an EXCEPTION_REGISTRATION_RECORD on the stack Points fs:[0] to it, inserting this function into the SEH chain Sets up the ms_exc local variable, which is the structure MSVC uses to track the current state of the exception handling frame The structure struc_478178 is:\nFigure 2: struc_478178 content typedef struct _SCOPETABLE_ENTRY { DWORD EnclosingLevel; // index of the enclosing scope, -1 if none PVOID FilterFunc; // pointer to the filter expression PVOID HandlerFunc; // pointer to the __except or __finally block } SCOPETABLE_ENTRY; Looking at the entry \u0026lt;0FFFFFFFFh, offset $LN5, offset catch_except_ptr_42\u0026gt;:\nEnclosingLevel = 0xFFFFFFFF this is -1, meaning this __try block has no enclosing __try block, it is the outermost one in the function FilterFunc = $LN5 this is the compiled form of the filter expression, the code that evaluates EXCEPTION_EXECUTE_HANDLER or whatever condition I would put in the C code __except(...) HandlerFunc = catch_except_ptr_42 this is the actual __except block that runs if the filter says to handle the exception SEH in x64\u0026nbsp;# Regarding the 64-bit architecture, the following main function is:\nFigure 3: x64 decompiled main function Here, as a first observation there is no fs:[0], no __SEH_prolog call. 
There is no explicit registration at function scope level (from my understanding).\nThe handler is registered statically through the .pdata structures (I read that they can also be stored in the .rdata section).\nThe .pdata section stores the RUNTIME_FUNCTION structure, which is defined by three fields: BeginAddress, EndAddress and UnwindData (the last one is a pointer to the UNWIND_INFO structure).\nWhen the access violation fires at mov dword ptr [rax], 2Ah (writing 42 to a null pointer), the OS:\nCatches the fault in the kernel Comes back to user mode and calls RtlDispatchException Takes the faulting RIP, does a binary search in .pdata to find the matching RUNTIME_FUNCTION (the structure that satisfies this condition: BeginAddress \u0026lt;= FaultyRIP \u0026lt; EndAddress) Follows it to the UNWIND_INFO, sees __C_specific_handler as the registered handler Calls __C_specific_handler which walks the C_SCOPE_TABLE, finds the scope covering the faulting address, evaluates the filter main$filt$0 Filter returns EXCEPTION_EXECUTE_HANDLER, execution jumps to $LN6 which is the __except block calling printf The \u0026ldquo;workflow\u0026rdquo; of the exception is defined as below:\nException Triggers -\u0026gt; OS looks up RIP in .pdata -\u0026gt; Locates RUNTIME_FUNCTION (here stru_140092378) -\u0026gt; Follows pointer to UNWIND_INFO -\u0026gt; Calls __C_specific_handler -\u0026gt; Searches C_SCOPE_TABLE -\u0026gt; Jumps to $LN6 (my __except block) Figure 4: .pdata section that holds the RUNTIME_FUNCTION for my exception in the main function IDA labeled it ExceptionDir because it is the first entry in the exception directory. 
The three fields map directly to the main function:\nrva main is the start address of the function, 0x140007250 rva byte_14000727E is the end address of the main function rva stru_140092378 is the pointer to the UNWIND_INFO structure, the one that contains __C_specific_handler and the C_SCOPE_TABLE The structure is as follows:\nFigure 5: IDA view of the structure stru_140092378 stru_140092378 is the UNWIND_INFO structure that the .pdata entry for main points to. It is made of three parts:\nThe UNWIND_INFO_HDR is the header. It describes the prologue of the function. The UNWIND_CODE is the actual unwinding instruction. After the unwind codes, because UNW_FLAG_EHANDLER was set, comes the exception handler pointer pointing to __C_specific_handler, followed by the C_SCOPE_TABLE (which is a bit different from the structure for x86). That table is where the actual exception handling logic is described: which address range is covered by the __try block, which function to call as the filter, and where to redirect execution if the filter decides to handle the exception. In x64 the C_SCOPE_TABLE_ENTRY structure is defined as:\nstruct _C_SCOPE_TABLE_ENTRY { uint32_t BeginAddress; // RVA of the start of the __try block uint32_t EndAddress; // RVA of the end of the __try block uint32_t HandlerAddress; // RVA of the filter or __finally handler uint32_t JumpTarget; } C_SCOPE_TABLE_ENTRY Code Snippet 1: C_SCOPE_TABLE definition One structure, three responsibilities: unwind the stack, find the handler, map the guarded region.\nSo the definition of the structure is:\ntypedef struct _UNWIND_INFO { BYTE VersionAndFlags; // UNWIND_INFO_HDR - version + flags (UNW_FLAG_EHANDLER etc.) 
BYTE SizeOfProlog; // UNWIND_INFO_HDR - prologue size in bytes BYTE CountOfCodes; // UNWIND_INFO_HDR - number of UNWIND_CODE slots BYTE FrameRegisterAndOffset;// UNWIND_INFO_HDR - frame register + offset UNWIND_CODE UnwindCodes[]; // variable length array, CountOfCodes entries // padded to 4 byte alignment // only present if flags contain UNW_FLAG_EHANDLER or UNW_FLAG_UHANDLER DWORD ExceptionHandlerRVA; // rva j___C_specific_handler // handler specific data, depends on which handler is used // for __C_specific_handler this is the C_SCOPE_TABLE C_SCOPE_TABLE ScopeTable; } UNWIND_INFO; Code Snippet 2: _UNWIND_INFO structure At the end of the UNWIND_INFO (if certain flags like UNW_FLAG_EHANDLER are set), there is an extra field called the ExceptionHandler. For C/C++ code compiled with MSVC, this almost always points to __C_specific_handler.\nLink to Microsoft documentation\nVectored Exception Handling\u0026nbsp;# VEH was introduced in Windows XP and works differently. Instead of being tied to the stack, VEH handlers are registered at the process level and stored in a list maintained by ntdll. The vectored handler list is consulted before SEH. If any VEH handler claims the exception, the SEH chain is never walked at all.\nThe API is simple. A handler is registered with AddVectoredExceptionHandler, which takes a flag indicating whether the handler should be first or last in the list, and a pointer to the handler function. The handler receives an EXCEPTION_POINTERS structure giving it access to both the EXCEPTION_RECORD and the CONTEXT. It then returns either EXCEPTION_CONTINUE_EXECUTION to resume execution, or EXCEPTION_CONTINUE_SEARCH to pass to the next handler.\nThere is also a sibling mechanism called Vectored Continue Handlers, registered with AddVectoredContinueHandler, which fires after a handler has already claimed the exception. 
I did not exercise this path in the article.\n#include \u0026lt;windows.h\u0026gt; #include \u0026lt;stdio.h\u0026gt; LONG CALLBACK MyVectoredHandler(PEXCEPTION_POINTERS ExceptionInfo) { if (ExceptionInfo-\u0026gt;ExceptionRecord-\u0026gt;ExceptionCode == EXCEPTION_ACCESS_VIOLATION) { printf(\u0026#34;VEH caught an access violation at 0x%p\\n\u0026#34;, ExceptionInfo-\u0026gt;ExceptionRecord-\u0026gt;ExceptionAddress); // move RIP past the faulting instruction (could be wrapped with macro for 32bit with eip) ExceptionInfo-\u0026gt;ContextRecord-\u0026gt;Rip += 2; return EXCEPTION_CONTINUE_EXECUTION; } return EXCEPTION_CONTINUE_SEARCH; } int main(void) { PVOID handler = AddVectoredExceptionHandler(1, MyVectoredHandler); // intentionally trigger an access violation int *ptr = NULL; *ptr = 42; RemoveVectoredExceptionHandler(handler); return 0; } Here registration is explicit. The first argument to AddVectoredExceptionHandler being 1 means this handler goes to the front of the list, so it fires before any other VEH handler and before SEH. The handler inspects the exception code, adjusts RIP to skip past the faulting instruction, and returns EXCEPTION_CONTINUE_EXECUTION to resume. If the exception is not one it cares about, it returns EXCEPTION_CONTINUE_SEARCH to let the next handler in the chain take over. The key difference to notice: in the SEH example the handler is scoped to the __try block and the stack frame it lives in. In the VEH example the handler is active process-wide from the moment it is registered until RemoveVectoredExceptionHandler is called, regardless of which function is currently executing.\nC++ Exceptions are not the Same Thing\u0026nbsp;# This one trips people up. When you write try / catch in C++, you are using the C++ exception model, which is a language-level abstraction. Under the hood on Windows, the compiler implements it on top of SEH, using a special SEH filter to match C++ exception types. But they are not the same layer. 
A C++ catch block is not an SEH handler, and it is definitely not a VEH handler.\nThe reason this distinction matters in practice is that when you are reversing a sample and you see AddVectoredExceptionHandler being called, you are not looking at a compiler artifact. There is no language feature that emits that call for you. It is explicit, intentional code, and whoever wrote it made a deliberate choice to intercept exceptions at the process level before anything else gets a chance to see them.\nIf you are interested in C++ exceptions, I highly encourage you to read C++ Unwind Exception Metadata: A Hidden Reverse Engineering Bonanza written by Rolf Rolles.\nHow the VEH List is Built and Stored\u0026nbsp;# The VEH list is a doubly-linked list maintained per-process in user-mode memory, managed by ntdll.dll. It holds pointers to registered PVECTORED_EXCEPTION_HANDLER callbacks.\nWhen AddVectoredExceptionHandler is called, it calls a thin wrapper that forwards to RtlAddVectoredExceptionHandler in ntdll.dll. That is where the actual work happens, and it is worth understanding what that function does with the handler pointer.\nNtdll maintains two doubly linked lists for exception handling, one for vectored exception handlers and one for vectored continue handlers. 
Both lists are anchored by a single global structure that lives inside ntdll\u0026rsquo;s data segment, commonly referred to as LdrpVectorHandlerList in debugging sessions.\nThe structure looks roughly like this:\ntypedef struct _VECTORED_HANDLER_LIST { SRWLOCK Lock; // slim reader/writer lock protecting the list LIST_ENTRY VEHList; // head of the vectored exception handler list LIST_ENTRY VCHList; // head of the vectored continue handler list } VECTORED_HANDLER_LIST; Each registered handler is wrapped in a node that gets allocated on the heap:\ntypedef struct _VECTORED_EXCEPTION_NODE { LIST_ENTRY ListEntry; // links to previous and next node PVOID EncodedHandler; // the function pointer, but encoded ULONG ReferenceCount; } VECTORED_EXCEPTION_NODE; The LIST_ENTRY is the standard Windows doubly linked list structure, with a Flink pointing to the next node and a Blink pointing to the previous one. The list head in LdrpVectorHandlerList acts as the sentinel node, so walking from VEHList.Flink until you loop back to the head gives you every registered handler in order.\nRtlAddVectoredExceptionHandler does the following (in order):\nAllocates a VECTORED_EXCEPTION_NODE on the process heap with RtlAllocateHeap Encodes the function pointer using RtlEncodePointer before storing it in EncodedHandler Acquires an exclusive lock on the SRWLOCK in LdrpVectorHandlerList Inserts the node either at the front or at the back of the list depending on the first parameter you passed Releases the lock Returns the address of the node as the handle you use later to remove it The first parameter is documented as ULONG First. A non-zero value puts the handler at the head of the list, meaning it will be called before any previously registered handler. Zero puts it at the tail.\nWhen an exception occurs, after the kernel-side handling and the transition back to user mode, ntdll calls RtlDispatchException. 
Before touching SEH, it acquires a shared lock on LdrpVectorHandlerList and walks the VEH list from head to tail. For each node it decodes the handler pointer and calls it with the EXCEPTION_POINTERS structure. If a handler returns EXCEPTION_CONTINUE_EXECUTION, the walk stops and execution resumes. If it returns EXCEPTION_CONTINUE_SEARCH, the walk continues to the next node. If the entire VEH list is exhausted without anyone claiming the exception, the SEH chain is walked. If SEH also passes, the VCH list is walked. (VCH: Vectored Continue Handlers, where handlers are registered via AddVectoredContinueHandler).\nThe ordering guarantee is therefore strict: VEH first, in registration order, then SEH, then VCH.\nPractice: Observing it at runtime\u0026nbsp;# This is a short notes section on how to inspect an exception, the VEH and its underlying structures in WinDbg. For this short exercise, the following C code is used:\n#include \u0026lt;windows.h\u0026gt; #include \u0026lt;stdio.h\u0026gt; LONG CALLBACK FirstHandler(PEXCEPTION_POINTERS ExceptionInfo) { if (ExceptionInfo-\u0026gt;ExceptionRecord-\u0026gt;ExceptionCode == EXCEPTION_ACCESS_VIOLATION) { printf(\u0026#34;FirstHandler: passing to next handler\\n\u0026#34;); return EXCEPTION_CONTINUE_SEARCH; } return EXCEPTION_CONTINUE_SEARCH; } LONG CALLBACK SecondHandler(PEXCEPTION_POINTERS ExceptionInfo) { if (ExceptionInfo-\u0026gt;ExceptionRecord-\u0026gt;ExceptionCode == EXCEPTION_ACCESS_VIOLATION) { printf(\u0026#34;SecondHandler: claiming the exception\\n\u0026#34;); ExceptionInfo-\u0026gt;ContextRecord-\u0026gt;Eip += 6; return EXCEPTION_CONTINUE_EXECUTION; } return EXCEPTION_CONTINUE_SEARCH; } int main(void) { PVOID h1 = AddVectoredExceptionHandler(1, FirstHandler); PVOID h2 = AddVectoredExceptionHandler(1, SecondHandler); int *ptr = NULL; *ptr = 42; RemoveVectoredExceptionHandler(h1); RemoveVectoredExceptionHandler(h2); printf(\u0026#34;execution continued after the fault\\n\u0026#34;); return 0; } 
NB: I skip the part where I set up the symbols in windbg.\nTo watch how the doubly linked list works, the following breakpoints are set:\nbp ntdll!RtlpCallVectoredHandlers bp double_veh!FirstHandler bp double_veh!SecondHandler Why break at RtlpCallVectoredHandlers? Reading from the bottom up, this is the full execution path that led to the VEH list walk:\nFigure 6: capture of the stack after reaching RtlpCallVectoredHandlers in ntdll (just after ACCESS_VIOLATION occurred) _RtlUserThreadStart and BaseThreadInitThunk are the standard thread startup boilerplate __scrt_common_main_seh is the MSVC CRT startup wrapper that calls main main+0x30 is my code, specifically line 32 in double-veh.c which is the null pointer write *ptr = 42 KiUserExceptionDispatcher is the first user mode function that ran after the kernel caught the fault, the entry point back from kernel mode RtlDispatchException+0x67 is where the OS starts looking for a handler RtlpCallVectoredHandlers is where the execution is currently -\u0026gt; the function about to walk the process VEH list The key thing to point out for the article is frames 02, 01 and 00. That three step sequence from KiUserExceptionDispatcher to RtlDispatchException to RtlpCallVectoredHandlers is the exact dispatch chain.\nLet it run with g until it hits another breakpoint, which should be SecondHandler, since it is registered second with parameter 1 and is therefore first in the VEH list.\nFigure 7: windbg capture of the stack after hitting the SecondHandler function during the exception management Now looking at dd esp, the second value 010fec90 is the EXCEPTION_POINTERS pointer being passed as the argument to the handler (SecondHandler). 
This can be followed with dt EXCEPTION_POINTERS 010fec90, which gives:\ndouble_veh!_EXCEPTION_POINTERS\n   +0x000 ExceptionRecord : 0x010fed74 _EXCEPTION_RECORD\n   +0x004 ContextRecord   : 0x010fedc4 _CONTEXT\nand then dt _EXCEPTION_RECORD 0x010fed74 to inspect the exception record.\nFigure 8: Exception record inspection\nThis is what we expected to observe: the code is 0n-1073741819, which is equivalent to 0xC0000005 (STATUS_ACCESS_VIOLATION).\nTo convert this value from WinDbg to a hexadecimal representation I used the following Python snippet:\nvalue = -1073741819\nprint(hex(value \u0026amp; 0xFFFFFFFF))\n0xc0000005\nUsing Exceptions as a Control Flow Primitive\u0026nbsp;#\nIn this section, I decided to put my modest C skills to the test to see if I could trip up the decompiler.\nThree source files are provided as proofs of concept; see them as a ladder to tackle the challenge above:\n1. Simple PoC with API hashing.\n2. Introduce inline ASM to produce the faulting instruction.\n3. Improve the code to trick the decompiler about how the faulting instruction is constructed.\nVEH combined with API hashing\u0026nbsp;#\nThe PoC starts by resolving AddVectoredExceptionHandler through API hashing rather than a normal import: the function name is reduced to a single 32-bit ROR13 constant (0x159B3EA0), and a small resolver walks kernel32\u0026rsquo;s export directory at runtime, transparently following the forwarder into kernelbase.dll. No string, no IAT entry, no static cross-reference. Once the address is in hand, the handler is registered with CALL_FIRST priority so it sees exceptions before anything else in the process, and the program deliberately raises an int3 to invoke it. Inside the handler, instead of calling IsDebuggerPresent, the code reads NtGlobalFlag directly from the PEB at offset 0xBC (x64) or 0x68 (x86) and tests for the 0x70 heap-debug bit pattern that Windows ORs in whenever a process is launched under a debugger. 
I recently came across this technique, which is documented by CheckPoint in their Anti-Debug: Debug Flags documentation.\nIn the normal case the bits are clear, the handler advances RIP past the int3, returns EXCEPTION_CONTINUE_EXECUTION, and the program prints its \u0026ldquo;survived\u0026rdquo; message and exits cleanly. Under a debugger the same read returns 0x70 and the process terminates with exit code 0xDEAD.\n#include \u0026lt;windows.h\u0026gt;\n#include \u0026lt;stdio.h\u0026gt;\n\n#define FLG_HEAP_ENABLE_TAIL_CHECK   0x10\n#define FLG_HEAP_ENABLE_FREE_CHECK   0x20\n#define FLG_HEAP_VALIDATE_PARAMETERS 0x40\n#define NT_GLOBAL_FLAG_DBG_MASK (FLG_HEAP_ENABLE_TAIL_CHECK | FLG_HEAP_ENABLE_FREE_CHECK | FLG_HEAP_VALIDATE_PARAMETERS)\n\ntypedef PVOID (WINAPI *pfnAddVectoredExceptionHandler)(ULONG First, PVECTORED_EXCEPTION_HANDLER Handler);\n\n/* Read NtGlobalFlag straight from the PEB instead of calling IsDebuggerPresent */\nstatic ULONG GetNtGlobalFlag(void)\n{\n#ifdef _WIN64\n    PBYTE peb = (PBYTE)__readgsqword(0x60);\n    return *(volatile ULONG *)(peb + 0xBC);\n#else\n    PBYTE peb = (PBYTE)__readfsdword(0x30);\n    return *(volatile ULONG *)(peb + 0x68);\n#endif\n}\n\nstatic LONG WINAPI MyVectoredHandler(PEXCEPTION_POINTERS ep)\n{\n    if (ep-\u0026gt;ExceptionRecord-\u0026gt;ExceptionCode != EXCEPTION_BREAKPOINT)\n        return EXCEPTION_CONTINUE_SEARCH;\n\n    ULONG flag = GetNtGlobalFlag();\n    printf(\u0026#34;[VEH] hit. NtGlobalFlag = 0x%lx\\n\u0026#34;, flag);\n    if ((flag \u0026amp; NT_GLOBAL_FLAG_DBG_MASK) == NT_GLOBAL_FLAG_DBG_MASK) {\n        printf(\u0026#34;[VEH] debugger detected via NtGlobalFlag -\u0026gt; bailing.\\n\u0026#34;);\n        ExitProcess(0xDEAD);\n    }\n    printf(\u0026#34;[VEH] clean. Skipping the int3 and resuming.\\n\u0026#34;);\n    /* int3 is a single 0xCC byte: step over it and resume */\n#ifdef _WIN64\n    ep-\u0026gt;ContextRecord-\u0026gt;Rip += 1;\n#else\n    ep-\u0026gt;ContextRecord-\u0026gt;Eip += 1;\n#endif\n    return EXCEPTION_CONTINUE_EXECUTION;\n}\n\n#define HASH_ADDVECTOREDEXCEPTIONHANDLER 0x159B3EA0UL\n\n/* ROR13 hash of an export name */\nstatic DWORD Ror13Hash(const char *s)\n{\n    DWORD h = 0;\n    while (*s) {\n        h = (h \u0026gt;\u0026gt; 13) | (h \u0026lt;\u0026lt; 19);\n        h += (BYTE)*s++;\n    }\n    return h;\n}\n\n/* Walk the export directory of hMod looking for a name whose hash matches target,\n   following forwarders (e.g. kernel32 -\u0026gt; kernelbase) recursively */\nstatic FARPROC ResolveByHash(HMODULE hMod, DWORD target)\n{\n    PBYTE base = (PBYTE)hMod;\n    PIMAGE_DOS_HEADER dos = (PIMAGE_DOS_HEADER)base;\n    if (dos-\u0026gt;e_magic != IMAGE_DOS_SIGNATURE) return NULL;\n    PIMAGE_NT_HEADERS nt = (PIMAGE_NT_HEADERS)(base + dos-\u0026gt;e_lfanew);\n    if (nt-\u0026gt;Signature != IMAGE_NT_SIGNATURE) return NULL;\n\n    IMAGE_DATA_DIRECTORY dir = nt-\u0026gt;OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT];\n    if (!dir.VirtualAddress || !dir.Size) return NULL;\n\n    PIMAGE_EXPORT_DIRECTORY exp = (PIMAGE_EXPORT_DIRECTORY)(base + dir.VirtualAddress);\n    PDWORD names    = (PDWORD)(base + exp-\u0026gt;AddressOfNames);\n    PWORD  ordinals = (PWORD) (base + exp-\u0026gt;AddressOfNameOrdinals);\n    PDWORD funcs    = (PDWORD)(base + exp-\u0026gt;AddressOfFunctions);\n\n    for (DWORD i = 0; i \u0026lt; exp-\u0026gt;NumberOfNames; i++) {\n        const char *name = (const char *)(base + names[i]);\n        if (Ror13Hash(name) != target) continue;\n\n        DWORD funcRva = funcs[ordinals[i]];\n        /* An RVA inside the export directory is a forwarder string \u0026#34;DLL.Function\u0026#34; */\n        if (funcRva \u0026gt;= dir.VirtualAddress \u0026amp;\u0026amp; funcRva \u0026lt; dir.VirtualAddress + dir.Size) {\n            const char *fwd = (const char *)(base + funcRva);\n            const char *dot = fwd;\n            while (*dot \u0026amp;\u0026amp; *dot != \u0026#39;.\u0026#39;) dot++;\n            if (*dot != \u0026#39;.\u0026#39;) return NULL;\n\n            char dllName[64];\n            size_t n = (size_t)(dot - fwd);\n            if (n + 5 \u0026gt; sizeof(dllName)) return NULL;\n            for (size_t k = 0; k \u0026lt; n; k++) dllName[k] = fwd[k];\n            dllName[n+0] = \u0026#39;.\u0026#39;; dllName[n+1] = \u0026#39;d\u0026#39;; dllName[n+2] = \u0026#39;l\u0026#39;; dllName[n+3] = \u0026#39;l\u0026#39;; dllName[n+4] = 0;\n\n            HMODULE hNext = GetModuleHandleA(dllName);\n            if (!hNext) hNext = LoadLibraryA(dllName);\n            if (!hNext) return NULL;\n            return ResolveByHash(hNext, Ror13Hash(dot + 1));\n        }\n        return (FARPROC)(base + funcRva);\n    }\n    return NULL;\n}\n\nint main(void)\n{\n    HMODULE hK32;\n    pfnAddVectoredExceptionHandler pAddVEH;\n    PVOID hVEH;\n\n    hK32 = GetModuleHandleA(\u0026#34;kernel32.dll\u0026#34;);\n    if (!hK32) {\n        fprintf(stderr, \u0026#34;[-] GetModuleHandleA failed (%lu)\\n\u0026#34;, GetLastError());\n        return 1;\n    }\n\n    pAddVEH = (pfnAddVectoredExceptionHandler)ResolveByHash(hK32, HASH_ADDVECTOREDEXCEPTIONHANDLER);\n    if (!pAddVEH) {\n        fprintf(stderr, \u0026#34;[-] hash resolution failed\\n\u0026#34;);\n        return 1;\n    }\n    printf(\u0026#34;[+] AddVectoredExceptionHandler resolved at %p\\n\u0026#34;, (void*)pAddVEH);\n\n    hVEH = pAddVEH(1, MyVectoredHandler);   /* First=1: CALL_FIRST priority */\n    if (!hVEH) {\n        fprintf(stderr, \u0026#34;[-] AddVectoredExceptionHandler returned NULL\\n\u0026#34;);\n        return 1;\n    }\n    printf(\u0026#34;[+] VEH installed at handle %p. Triggering int3...\\n\u0026#34;, hVEH);\n\n    __debugbreak();\n\n    printf(\u0026#34;[+] Survived. NtGlobalFlag check did not trip.\\n\u0026#34;);\n    return 0;\n}\nCode Snippet 3: PoC implementing an exception handler that hijacks the standard execution flow when running under a debugger\nFigure 9: Output of two executions, one nominal and one under a debugger, which triggers ExitProcess(0xDEAD)\nThis is a very simple scenario of how malware could abuse this feature to \u0026ldquo;hijack\u0026rdquo; the execution flow; here the exception is raised with an explicit int3. But nothing is really hidden when decompiling the binary, even with dynamic API resolution, so an analyst, right after resolving the hash, will quickly see what to analyse. 
So, from an attacker\u0026rsquo;s point of view, how could this simple scenario be improved?\nVEH / A failed way to \u0026ldquo;Arithmetic as a smokescreen\u0026rdquo;\u0026nbsp;#\nThe first idea is to change the code that raises the exception: instead of an int3, why not trigger an ACCESS_VIOLATION based on a simple arithmetic calculation.\nHere for instance, we can add an inline ASM block that triggers an ACCESS_VIOLATION by computing, via boolean arithmetic, a zero that is then used as an address:\nmov rbx, 0xdeadbeef\nmov rcx, 0xd2acc002\nadd rcx, 0xc00feed\nxor rbx, rcx\nmov [rbx], rcx\nThis results in the register rbx being set to 0, which could read in C as int *ptr = NULL; *ptr = 0xdeadbeef;\n#include \u0026lt;windows.h\u0026gt;\n#include \u0026lt;stdio.h\u0026gt;\n\n#define FLG_HEAP_ENABLE_TAIL_CHECK   0x10\n#define FLG_HEAP_ENABLE_FREE_CHECK   0x20\n#define FLG_HEAP_VALIDATE_PARAMETERS 0x40\n#define NT_GLOBAL_FLAG_DBG_MASK (FLG_HEAP_ENABLE_TAIL_CHECK | FLG_HEAP_ENABLE_FREE_CHECK | FLG_HEAP_VALIDATE_PARAMETERS)\n\nstatic ULONG GetNtGlobalFlag(void)\n{\n#ifdef _WIN64\n    PBYTE peb = (PBYTE)__readgsqword(0x60);\n    return *(volatile ULONG *)(peb + 0xBC);   // NtGlobalFlag on x64\n#else\n    PBYTE peb = (PBYTE)__readfsdword(0x30);\n    return *(volatile ULONG *)(peb + 0x68);   // NtGlobalFlag on x86\n#endif\n}\n\n/* ---------- The vectored handler --------------------------------------- */\nstatic LONG WINAPI MyVectoredHandler(PEXCEPTION_POINTERS ep)\n{\n    if (ep-\u0026gt;ExceptionRecord-\u0026gt;ExceptionCode != EXCEPTION_ACCESS_VIOLATION)\n        return EXCEPTION_CONTINUE_SEARCH;\n    /* ExceptionInformation[1] is the faulting address: only claim the write to NULL */\n    if (ep-\u0026gt;ExceptionRecord-\u0026gt;ExceptionInformation[1] != 0)\n        return EXCEPTION_CONTINUE_SEARCH;\n\n    ULONG flag = GetNtGlobalFlag();\n    printf(\u0026#34;[VEH] hit. NtGlobalFlag = 0x%lx\\n\u0026#34;, flag);\n    if ((flag \u0026amp; NT_GLOBAL_FLAG_DBG_MASK) == NT_GLOBAL_FLAG_DBG_MASK) {\n        printf(\u0026#34;[VEH] debugger detected via NtGlobalFlag.\\n\u0026#34;);\n        ExitProcess(0xDEAD);\n    }\n    printf(\u0026#34;[VEH] clean. Skipping the faulting store and resuming.\\n\u0026#34;);\n#ifdef _WIN64\n    ep-\u0026gt;ContextRecord-\u0026gt;Rip += 3;   /* \u0026#34;mov [rbx], rcx\u0026#34; is 3 bytes */\n#else\n    ep-\u0026gt;ContextRecord-\u0026gt;Eip += 2;\n#endif\n    return EXCEPTION_CONTINUE_EXECUTION;\n}\n\nint main(void)\n{\n    PVOID hVEH = AddVectoredExceptionHandler(1, MyVectoredHandler);\n    if (!hVEH) {\n        fprintf(stderr, \u0026#34;[-] AddVectoredExceptionHandler returned NULL\\n\u0026#34;);\n        return 1;\n    }\n    printf(\u0026#34;[+] VEH installed at handle %p. Triggering AV via arithmetic NULL...\\n\u0026#34;, hVEH);\n\n    /* Compute a NULL pointer at runtime via boolean arithmetic:\n       rcx = 0xd2acc002 + 0x0c00feed = 0xdeadbeef\n       rbx ^= rcx -\u0026gt; 0xdeadbeef ^ 0xdeadbeef = 0\n       [rbx] = rcx -\u0026gt; write to address 0 -\u0026gt; EXCEPTION_ACCESS_VIOLATION */\n    __asm__ volatile (\n        \u0026#34;.intel_syntax noprefix\\n\\t\u0026#34;\n        \u0026#34;mov rbx, 0xdeadbeef\\n\\t\u0026#34;\n        \u0026#34;mov rcx, 0xd2acc002\\n\\t\u0026#34;\n        \u0026#34;add rcx, 0x0c00feed\\n\\t\u0026#34;\n        \u0026#34;xor rbx, rcx\\n\\t\u0026#34;\n        \u0026#34;mov [rbx], rcx\\n\\t\u0026#34;\n        \u0026#34;.att_syntax prefix\\n\\t\u0026#34;\n        ::: \u0026#34;rbx\u0026#34;, \u0026#34;rcx\u0026#34;, \u0026#34;memory\u0026#34;\n    );\n    printf(\u0026#34;[+] Survived. NtGlobalFlag check did not trip.\\n\u0026#34;);\n    return 0;\n}\nCode Snippet 4: Source: [veh_arithmetic_access_violationation.c]\nx86_64-w64-mingw32-gcc -Wall -O0 veh_arithmetic_access_violationation.c -o veh.exe\nThe disassembly view is what I expected; however, Hex-Rays does constant propagation across the basic block. 
It sees five instructions with pure-immediate inputs and no external state, so it folds the whole computation at decompile time.\nFigure 10: Disassembly view and decompiled view in IDA\nThis implementation is too transparent: Hex-Rays was able to fold the five constant-driven instructions into a single MEMORY[0] = 0xdeadbeef.\nVEH / Sealing the fault\u0026nbsp;#\nThis section builds on the previous proof of concept and pushes the obfuscation one step further, targeting the decompiler specifically: constants are hidden behind an opaque wrapper, and the handler stops stepping over the fault and starts redirecting execution to an entirely separate function.\nBasically, what I want to test is the following workflow:\nhVEH = AddVectoredExceptionHandler(1, MyVectoredHandler);\nt = (uint64_t)hVEH;\ng_mask = (t ^ Opaque(t)) + Opaque(0xd2acc002) + 0x0c00feed;\nmask_val = g_mask;\n__asm { mov rcx, 0xd2acc002; add rcx, 0xc00feed; xor rbx, rcx; mov [rbx], rcx }\nprintf(\u0026#34;(decoy) Survived...\u0026#34;); // I don\u0026#39;t want to see this in the decompiled view\nThe idea here was to make the decompiler less helpful to the analyst, both at the operand level and at the control-flow level. I\u0026rsquo;m not sure these are the best techniques, but two small changes were layered onto the previous PoC to see if Hex-Rays could still be coaxed away from showing a tidy MEMORY[0] = 0xdeadbeef.\nFirst, the constants feeding the inline asm go through an Opaque() function, a noinline identity function wrapping a volatile read. The two attributes seem to pull in different directions, and I think that\u0026rsquo;s why it works. noinline forces the compiler to emit a real call at every call site instead of pasting the body inline. volatile tells it the value inside the function could change between the store and the load (in practice it can\u0026rsquo;t, but as far as I understand the standard says the compiler has to assume it might), so it can\u0026rsquo;t reason about what comes out. Together you get something close to a sealed black box: the compiler has to make the call, and once execution is inside it can\u0026rsquo;t really prove anything about the return value.\nIn my tests 0xdeadbeef no longer shows up as a literal anywhere in the binary; it only exists in rbx at runtime, once Opaque() has produced its part of the computation and it has been combined with the other static values.\nSecond, the handler stops being polite. Instead of just stepping over the faulting instruction, it rewrites CONTEXT.Rip to point at a separate function, named here RealNextStage, which is where the real \u0026ldquo;work\u0026rdquo; happens. From what I\u0026rsquo;ve seen, IDA seems to treat an access violation as a dead end, so the decompilation of main just stops at the fault. The printf sitting right after it looks like reachable code but never actually runs, and the code that does run lives in a function with no static reference from main at all.\nAn analyst still has to read the handler, spot the Rip write, and follow it by hand. 
That probably isn\u0026rsquo;t a huge obstacle for someone experienced, but it does mean main\u0026rsquo;s decompilation on its own won\u0026rsquo;t point the way.\n#include \u0026lt;windows.h\u0026gt;\n#include \u0026lt;stdio.h\u0026gt;\n#include \u0026lt;stdint.h\u0026gt;\n\n#define FLG_HEAP_ENABLE_TAIL_CHECK   0x10\n#define FLG_HEAP_ENABLE_FREE_CHECK   0x20\n#define FLG_HEAP_VALIDATE_PARAMETERS 0x40\n#define NT_GLOBAL_FLAG_DBG_MASK (FLG_HEAP_ENABLE_TAIL_CHECK | FLG_HEAP_ENABLE_FREE_CHECK | FLG_HEAP_VALIDATE_PARAMETERS)\n\n/* Opaque identity: noinline forces a real call at every call site, and the\n   volatile round-trip stops the compiler (and the decompiler) from folding x. */\nstatic __attribute__((noinline)) uint64_t Opaque(uint64_t x)\n{\n    volatile uint64_t v = x;\n    return v;\n}\n\n/* (volatile, in .bss) */\nstatic volatile uint64_t g_mask;\n\n// Same as previous PoC\nstatic ULONG GetNtGlobalFlag(void)\n{\n#ifdef _WIN64\n    PBYTE peb = (PBYTE)__readgsqword(0x60);\n    return *(volatile ULONG *)(peb + 0xBC);\n#else\n    PBYTE peb = (PBYTE)__readfsdword(0x30);\n    return *(volatile ULONG *)(peb + 0x68);\n#endif\n}\n\n/* Reached only by the VEH rewriting CONTEXT.Rip. It has no static caller, so IDA\n   shows zero xrefs to it from main. Ends with ExitProcess because there is no\n   return address to ret to. */\nstatic void __attribute__((used, noinline)) RealNextStage(void)\n{\n    printf(\u0026#34;[+] RealNextStage reached. Decompiler thinks main() crashed here.\\n\u0026#34;);\n    printf(\u0026#34;[+] This is the path real loaders use to hide their flow.\\n\u0026#34;);\n    ExitProcess(0);\n}\n\nstatic LONG WINAPI MyVectoredHandler(PEXCEPTION_POINTERS ep)\n{\n    if (ep-\u0026gt;ExceptionRecord-\u0026gt;ExceptionCode != EXCEPTION_ACCESS_VIOLATION)\n        return EXCEPTION_CONTINUE_SEARCH;\n    /* only claim the write to address 0 produced by the inline asm below */\n    if (ep-\u0026gt;ExceptionRecord-\u0026gt;ExceptionInformation[1] != 0)\n        return EXCEPTION_CONTINUE_SEARCH;\n\n    ULONG flag = GetNtGlobalFlag();\n    printf(\u0026#34;[VEH] hit. NtGlobalFlag = 0x%lx\\n\u0026#34;, flag);\n    if ((flag \u0026amp; NT_GLOBAL_FLAG_DBG_MASK) == NT_GLOBAL_FLAG_DBG_MASK) {\n        printf(\u0026#34;[VEH] debugger detected via NtGlobalFlag.\\n\u0026#34;);\n        ExitProcess(0xDEAD);\n    }\n    printf(\u0026#34;[VEH] clean. Rewriting Rip to RealNextStage (not visible in IDA).\\n\u0026#34;);\n\n    /* x64 ABI: at function entry rsp must satisfy rsp % 16 == 8 (because a CALL\n       would have pushed an 8-byte return address), so realign before the jump */\n#ifdef _WIN64\n    ep-\u0026gt;ContextRecord-\u0026gt;Rsp = (ep-\u0026gt;ContextRecord-\u0026gt;Rsp \u0026amp; ~0xFULL) - 8;\n    ep-\u0026gt;ContextRecord-\u0026gt;Rip = (DWORD64)\u0026amp;RealNextStage;\n#else\n    ep-\u0026gt;ContextRecord-\u0026gt;Esp = (ep-\u0026gt;ContextRecord-\u0026gt;Esp \u0026amp; ~0xFUL) - 4;\n    ep-\u0026gt;ContextRecord-\u0026gt;Eip = (DWORD)\u0026amp;RealNextStage;\n#endif\n    return EXCEPTION_CONTINUE_EXECUTION;\n}\n\nint main(void)\n{\n    PVOID hVEH = AddVectoredExceptionHandler(1, MyVectoredHandler);\n    if (!hVEH) {\n        fprintf(stderr, \u0026#34;[-] AddVectoredExceptionHandler returned NULL\\n\u0026#34;);\n        return 1;\n    }\n    printf(\u0026#34;[+] VEH installed at %p. Building opaque mask...\\n\u0026#34;, hVEH);\n\n    uint64_t t = (uint64_t)hVEH;\n    /* (t ^ Opaque(t)) is 0 at runtime, so g_mask computes to 0xdeadbeef without\n       the literal ever appearing in the binary */\n    g_mask = (t ^ Opaque(t)) + Opaque(0xd2acc002ULL) + 0x0c00feedULL;\n\n    /* Force the volatile read into rbx via the \u0026#34;b\u0026#34; constraint (read-write, since the\n       xor clobbers rbx). The decompiler should see rbx loaded from a global it cannot fold. */\n    uint64_t mask_val = g_mask;\n    printf(\u0026#34;[+] Compute the opaque arithmetic NULL...\\n\u0026#34;);\n    __asm__ volatile (\n        \u0026#34;.intel_syntax noprefix\\n\\t\u0026#34;\n        \u0026#34;mov rcx, 0xd2acc002\\n\\t\u0026#34;\n        \u0026#34;add rcx, 0x0c00feed\\n\\t\u0026#34;\n        \u0026#34;xor rbx, rcx\\n\\t\u0026#34;\n        \u0026#34;mov [rbx], rcx\\n\\t\u0026#34;\n        \u0026#34;.att_syntax prefix\\n\\t\u0026#34;\n        : \u0026#34;+b\u0026#34;(mask_val) : : \u0026#34;rcx\u0026#34;, \u0026#34;memory\u0026#34;\n    );\n\n    /* Never reached at runtime: the handler either exits the process or rewrites Rip\n       to RealNextStage. It is only a decoy for the decompiler. */\n    printf(\u0026#34;[+] (decoy) Survived. NtGlobalFlag check did not trip.\\n\u0026#34;);\n    return 0;\n}\nCode Snippet 5: Source [veh_hid_arithmetic_result.c]\nx86_64-w64-mingw32-gcc -Wall -O0 veh_hid_arithmetic_result.c -o veh.exe\nThe code above successfully shows what I expected: the \u0026ldquo;real\u0026rdquo; execution flow is hidden by the vectored handler.\nFigure 11: Decompiled view of the main function that implements the hidden execution flow\nFigure 12: Decompiled view of the custom vectored handler that changes the program execution flow if a debugger is detected via NtGlobalFlag\nDetecting It as a Malware Analyst\u0026nbsp;#\nAs a first idea, the two starting points would be YARA and CAPA rules searching for the following patterns:\nYARA: signatures on RtlAddVectoredExceptionHandler, AddVectoredExceptionHandler and AddVectoredContinueHandler, mixed with known patterns such as IsDebuggerPresent, NtQueryInformationProcess, etc\u0026hellip;\nCAPA: relevant rules around exception handler registration and dynamic control flow, or what to write if the rule does not exist yet.\nThis is a lightweight attempt at a CAPA rule. It may produce false positives, but it has been helpful as a starting point when exploring large binaries. 
Note that the rule is at function scope, so if the handler is registered at the beginning of the program and the faulting instructions live in different functions, the rule won\u0026rsquo;t trigger.\nNB: The rule only covers three types of exceptions: undefined instruction, int3 and divide by zero.\nrule:\n  meta:\n    name: register vectored exception handler to redirect control flow\n    namespace: anti-analysis/anti-debugging/debugger-evasion\n    authors:\n      - \u0026#34;@plebourhis\u0026#34;\n    scopes:\n      static: function\n      dynamic: call\n    att\u0026amp;ck:\n      - Defense Evasion::Debugger Evasion [T1622]\n    mbc:\n      - Anti-Behavioral Analysis::Debugger Detection [B0001]\n      - Anti-Static Analysis::Disassembler Evasion [B0012]\n    references:\n      - https://anti-debug.checkpoint.com/techniques/exceptions.html\n      - https://learn.microsoft.com/en-us/windows/win32/api/errhandlingapi/nf-errhandlingapi-addvectoredexceptionhandler\n    description: |\n      Malware registers a Vectored Exception Handler and then deliberately\n      raises an exception (int3, ud2, divide-by-zero, RaiseException, ...).\n  features:\n    - and:\n      - or:\n        - api: AddVectoredExceptionHandler\n        - api: kernel32.AddVectoredExceptionHandler\n        - api: ntdll.RtlAddVectoredExceptionHandler\n      - or:\n        - mnemonic: int3\n        - mnemonic: ud2\n        - api: RaiseException\n        - api: kernel32.RaiseException\n        - and:\n          - mnemonic: div\n          - number: 0 = divide-by-zero to trigger EXCEPTION_INT_DIVIDE_BY_ZERO\n        - and:\n          - mnemonic: int\n          - number: 0x2D = EXCEPTION_BREAKPOINT alt path (int 0x2D)\nCode Snippet 6: CAPA rule on VEH registration combined with simple instructions that raise an exception\nA second rule, oriented on the handler itself, looks for code that rewrites the Eip/Rip field of the ContextRecord.\nrule:\n  meta:\n    name: vectored exception handler rewrites instruction pointer\n    namespace: anti-analysis/anti-debugging/debugger-evasion\n    authors:\n      - \u0026#34;@plebourhis\u0026#34;\n    scopes:\n      static: function\n      dynamic: call\n    att\u0026amp;ck:\n      - Defense Evasion::Debugger Evasion [T1622]\n    mbc:\n      - Anti-Behavioral Analysis::Debugger Detection [B0001]\n    description: |\n      A VEH/SEH callback writes to the Eip (x86, CONTEXT+0xB8) or Rip (x64, CONTEXT+0xF8)\n      field of the EXCEPTION_POINTERS-\u0026gt;ContextRecord it was handed, redirecting execution\n      after a planted exception.\n  features:\n    - and:\n      - or:\n        - number: 0xB8 = offsetof(CONTEXT, Eip) on x86\n        - number: 0xF8 = offsetof(CONTEXT, Rip) on x64\n      - or:\n        - number: 0x10001 = EXCEPTION_CONTINUE_EXECUTION\n        - number: 0xFFFFFFFF = (LONG)-1 EXCEPTION_CONTINUE_EXECUTION\n        - number: 0 = EXCEPTION_CONTINUE_SEARCH (handler chooses to skip)\nCode Snippet 7: CAPA rule for the ContextRecord Rip/Eip redirection\nNone of the paths I wanted to follow seems accurate; however, a hint for my future self would be to check SEH handler functions, which could have interesting code inside, and, when debugging a new piece of malware, to add a breakpoint on RtlAddVectoredExceptionHandler to investigate the handler code.\nA Note on the Limits of Detection\nIt is important to remain humble about the visibility. 
While signature-level detection is highly effective against known threats and reused codebases, it has inherent ceilings:\nThe Reality Check: Static signatures catch what we have seen before. Because the underlying technique of using exception handlers to redirect code flow is a generic architectural feature of Windows, it is relatively easy for an author to tweak the implementation. A new sample can sidestep most rules simply by changing the \u0026ldquo;fault\u0026rdquo; instruction or obfuscating the registration call.\nUltimately, these signatures are starting points for a deeper investigation, rather than a definitive \u0026ldquo;case closed\u0026rdquo; for a new piece of malware!\nWrapping Up\u0026nbsp;#\nGoing into this I expected exception handling to be a small detour before getting back to the malware sample. It turned out to be a bigger topic than I thought, and I am sure parts of what I wrote above are still imprecise; the x64 unwind machinery in particular is something I want to revisit, because I don\u0026rsquo;t yet have a clean mental model of how __C_specific_handler decides what to do with the scope table.\nWhat I take away from this exercise:\n- SEH and VEH are not exotic. They are the documented Windows exception model, and most of what makes them feel \u0026ldquo;tricky\u0026rdquo; in malware is just that the analyst is meeting them for the first time in an adversarial context.\n- VEH is interesting to an attacker for a very specific reason: it fires before SEH, it is process-wide, and the handler has full read/write access to the saved register context. That combination is what makes it usable as a control-flow primitive (from the malware author\u0026rsquo;s point of view).\n- On the detection side, my CAPA attempts are honestly a starting point. The technique is generic enough that signatures will lag behind any author who is willing to swap the faulting instruction or wrap the registration call. I think the more durable signal is behavioural: a handler that writes to ContextRecord-\u0026gt;Rip / Eip and returns EXCEPTION_CONTINUE_EXECUTION is doing something a well-behaved program almost never needs to do (hope so\u0026hellip;), but turning that into a rule that does not light up on every C++ runtime is its own project.\nIf you spotted something wrong, or if you have a cleaner way of writing the CAPA rules, I would genuinely like to hear it. The references at the top of this post (SonicWall, Zscaler, CrowdStrike, IBM, Unit42) remain the better place to read about VEH in the wild; this article is just my attempt to understand the plumbing well enough to recognise it next time.\nOther great resources:\n- Talos - Exceptional behavior: the Windows 8.1 X64 SEH Implementation\n- Elmo.sg - A deep dive into modern Windows Structured Exception Handler (SEH)\n- ⚠️ Datafarm - Code Execution against Windows HVCI\n"},"name":"It's Called a VEH-tor ↗️","published":"2026-05-20T00:00:00+02:00","summary":"Reading through an old GuLoader sample in the decompiler, following the exception handler, trying to understand what it was actually doing, made it clear that my knowledge of Windows exception handling was not structured enough to tackle this kind of obfuscation confidently on another family. I knew the broad strokes, enough to recognize the technique, but not enough to follow it precisely or explain it to someone else.\nThis is a personal writeup, an attempt to connect the dots properly rather than carry around a vague understanding that works until it does not. It covers the theoretical foundation of SEH and VEH, and how the internal structures look in a debugger and a disassembler.\nA lot of what ended up here was things I already had a rough idea of but had never verified properly. Documenting what I learned about exceptions allowed me to refine my grasp of the subject. 
Nothing revolutionary, just notes from someone who went back to the source and wants to avoid future headaches.\n","type":"entry","url":"/articles/veh/"}