Misusing Structured Exception Handlers
Created the Monday 13 June 2022. Updated 4 months, 3 weeks ago.
Misusing Structured Exception Handlers is a technique used by malware to make it more difficult for security analysts to reverse engineer the code. Structured Exception Handlers (SEH) are functions that are used to handle exceptions in a program. These can be misused by malware to fool disassemblers and make it harder to analyze the code. One way this is done is by using the FS segment register to gain access to the Thread Environment Block (TEB), which contains a pointer to the Structured Exception Handler (SEH) chain.
The SEH chain functions like a stack, with the most recently pushed function being the one that is executed when an exception occurs. By manipulating the SEH chain, malware authors can make it more difficult for analysts to understand the code and identify any potentially malicious behavior.
The resources provided below are associated links that will give you even more detailed information and research on current evasion technique. It is important to note that, while these resources may be helpful, it is important to exercise caution when following external links. As always, be careful when clicking on links from unknown sources, as they may lead to malicious content.