Unhandled Exception Filter

Created the Monday 18 March 2019. Updated 3 months, 1 week ago.

An application-defined function that passes unhandled exceptions to the debugger, if the process is being debugged. Otherwise, it optionally displays an application error message box and causes the exception handler to be executed.

If an exception occurs and no exception handler is registered, the UnhandledExceptionFilter function will be called. It is possible to register a custom unhandled exception filter using the SetUnhandledExceptionFilter. But if the program is running under a debugger, the custom filter won’t be called, and the exception will be passed to the debugger.

Therefore, if the unhandled exception filter is registered and the control is passed to it, then the process is not running with a debugger.

Technique Identifiers

U0108 B0001.030

Technique Tag

exception

Code Snippets

Description

Original source code available here: https://github.com/LordNoteworthy/al-khaser/blob/master/al-khaser/AntiDebug/UnhandledExceptionFilter_Handler.cpp

#include "pch.h"
#include "UnhandledExceptionFilter_Handler.h"


/*
When an exception occurs, and no registered Exception Handlers exist (neither Structured nor
Vectored), or if none of the registered handlers handles the exception, then the kernel32
UnhandledExceptionFilter() function will be called as a last resort. 
*/

BOOL bIsBeinDbg = TRUE;

LONG WINAPI UnhandledExcepFilter(PEXCEPTION_POINTERS pExcepPointers)
{
	// If a debugger is present, then this function will not be reached.
	bIsBeinDbg = FALSE;
    return EXCEPTION_CONTINUE_EXECUTION;
}


BOOL UnhandledExcepFilterTest ()
{
	LPTOP_LEVEL_EXCEPTION_FILTER Top = SetUnhandledExceptionFilter(UnhandledExcepFilter);
	RaiseException(EXCEPTION_FLT_DIVIDE_BY_ZERO, 0, 0, NULL);
	SetUnhandledExceptionFilter(Top);
	return bIsBeinDbg;
}

Detection Rules

                                    rule Detect_SuspendThread: AntiDebug {
    meta: 
        description = "Detect SuspendThread as anti-debug"
        author = "Unprotect"
        comment = "Experimental rule"
    strings:
        $1 = "UnhandledExcepFilter" fullword ascii
        $2 = "SetUnhandledExceptionFilter" fullword ascii
    condition:   
       uint16(0) == 0x5A4D and filesize < 1000KB and any of them 
}

Contributors

Additional Resources

External Links

The resources provided below are associated links that will give you even more detailed information and research on current evasion technique. It is important to note that, while these resources may be helpful, it is important to exercise caution when following external links. As always, be careful when clicking on links from unknown sources, as they may lead to malicious content.