binary/pe/exceptions

reg_has_tib(EA:address, Reg:register)

Register “Reg” at address “EA” contains a reference to the Thread Information Block (TIB).

WARNING: Predicate not present in compiled Datalog program (Dead Code)

pe_exception_handler(EA:address)

PE32 SEH - Structured Exception Handlers

Relations for identifying exception registrations.

SEH can be summarized with the following mechanics:

  1. Segment register FS references the Thread Information Block (TIB).

  2. FS:[0], the first field of the TIB, is the head of a linked list of exception registration records:

        typedef struct _NT_TIB {
            struct _EXCEPTION_REGISTRATION_RECORD *ExceptionList;
            …
        } NT_TIB;

  3. An exception registration record holds a pointer to the previously registered record and a pointer to the new exception handler:

        typedef struct _EXCEPTION_REGISTRATION_RECORD {
            struct _EXCEPTION_REGISTRATION_RECORD *Next;
            PEXCEPTION_ROUTINE Handler;
        } EXCEPTION_REGISTRATION_RECORD;

  4. Registering a new exception handler is done by building a new registration record on the stack and writing its address directly to FS:[0], e.g.:

        push _except_handler   ; handler
        mov  EAX, FS:[0]       ; previous
        push EAX
        …
        mov  FS:[0], EAX       ; register new exception

seh_handler_table(Beg:address, End:address)

PE32 SAFESEH - Safe Structured Exception Handlers

Windows PE32 binaries may specify a table of safe exception handlers when linked with the ‘/SAFESEH’ parameter. These predicates identify those handlers for code and data-object inference.

SEH exception handlers are stored as a linked list on the stack, so the registration records are exposed to corruption by buffer overflows and other memory-safety bugs.

SAFESEH is an extension of SEH that records the set of legitimate exception handlers in the image, which the exception dispatcher checks at runtime before invoking a handler. The safe exception handler table is referenced by the ‘SEHandlerTable’ pointer (with its length in ‘SEHandlerCount’) in the load configuration data directory:

    // WINNT.H
    typedef struct _IMAGE_LOAD_CONFIG_DIRECTORY32 {
        …
        DWORD SEHandlerTable;
        DWORD SEHandlerCount;
        …
    }

https://docs.microsoft.com/en-us/cpp/build/reference/safeseh-image-has-safe-exception-handlers
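As an added example (not ddisasm's own code), the following Python reads the ‘SEHandlerTable’ and ‘SEHandlerCount’ fields described above from a load configuration directory, resolves the table to the handler addresses, and performs the membership check that makes a handler "safe". It assumes the winnt.h field offsets 0x40/0x44 for the two fields, a constructed image base, and a flat buffer in which an RVA equals its buffer offset; the image bytes are constructed inline.

```python
import struct

# Constructed image base for the sample buffer; a real value comes from the optional header.
IMAGE_BASE = 0x00400000

# Field offsets inside IMAGE_LOAD_CONFIG_DIRECTORY32 (winnt.h layout).
LOADCFG_SIZE_OFF = 0x00
LOADCFG_SEHANDLERTABLE_OFF = 0x40
LOADCFG_SEHANDLERCOUNT_OFF = 0x44
LOADCFG_MIN_SIZE_FOR_SEH = 0x48   # Size must cover SEHandlerCount


def parse_safeseh_table(image, image_base, loadcfg_rva):
    """Return the safe handler addresses (VAs) as a list, or None if there is no table.

    `image` is a flat buffer in which RVA == buffer offset (a simplifying
    assumption for this example; a real parser maps RVAs through the section table).
    """
    (size,) = struct.unpack_from("<I", image, loadcfg_rva + LOADCFG_SIZE_OFF)
    if size < LOADCFG_MIN_SIZE_FOR_SEH:
        return None                      # directory too short to hold the SEH fields
    table_va, count = struct.unpack_from("<II", image, loadcfg_rva + LOADCFG_SEHANDLERTABLE_OFF)
    if table_va == 0 or count == 0:
        return None                      # linked without /SAFESEH, or no handlers
    table_rva = table_va - image_base    # SEHandlerTable is a VA; the entries are RVAs
    entries = struct.unpack_from(f"<{count}I", image, table_rva)
    return [image_base + rva for rva in entries]


def is_safe_handler(handlers, handler_va):
    """The runtime check: a handler may only run if its address is in the table."""
    return handlers is not None and handler_va in handlers


def build_sample(count=2):
    """Constructed image: load config at RVA 0x1000, handler table at RVA 0x1100."""
    image = bytearray(0x1200)
    struct.pack_into("<I", image, 0x1000 + LOADCFG_SIZE_OFF, LOADCFG_MIN_SIZE_FOR_SEH)
    struct.pack_into("<II", image, 0x1000 + LOADCFG_SEHANDLERTABLE_OFF,
                     IMAGE_BASE + 0x1100, count)
    struct.pack_into("<II", image, 0x1100, 0x2030, 0x2410)   # handler RVAs, ascending
    return bytes(image)


if __name__ == "__main__":
    table = parse_safeseh_table(build_sample(), IMAGE_BASE, 0x1000)
    print([hex(va) for va in table], is_safe_handler(table, IMAGE_BASE + 0x2030))
```

A handler address that is not in the table (or any handler when the table is absent) fails the check, which is exactly the case the dispatcher refuses at runtime.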

seh_handler_entry(EA:address, Handler:address)