In the last decade the “Data protection” has found new expressions in the field of software security. The word ‘data‘ is being replaced with ‘information‘. The line between them is blur however there is a distinction in the context they are being used. I notice that system security experts or system developers generally use the term ‘data protection’. Otherwise, mostly the term ‘data’ and ‘information’ are used indistinguishably. In my opinion, information is what we deduce from the data. It has a meaning associated with it in the forms of an answer to a question. Data can be stored or transferred by a software system. In general, a system should ‘not’ allow the data to be read or written without the user’s consent. To enable this, software systems have many inbuilt mechanisms for data protection.
The objective of this post and upcoming many posts in this series of “Data Protection” is to not only provide conceptual understanding but walk through various mechanisms (hardware and software) with the help of sample source code and disassembly by reverse engineering tools such as WinDbg. It is expected that the reader has some knowledge of C, CPU Registers, and WinDbg or any other related debugging tool. To begin with, we look into the security or protection for executable code and data at the processor level. Later we explore other levels of system security built on top of it. Continue reading “Where It All Begins – An Introduction Protected Mode [Data Protection Series – Part 1]”
This is the last post related to the internals of structured exception handling (SEH). In this post, we look at the summary of the exception handling and dispatching, a WinDbg extension ‘exchain’ to view the chain of registered exception handlers. We start by inspecting the disassembly of the exception handling code. We look at how the exception handler frames are created on the stack and unwinded as the programs execute. Next, we use the WinDbg extension to display the exception registration records and understand the nested structure in case of nested __try, __except block. It is expected that the reader has some knowledge of C and WinDbg or any other related debugging tool.
Let’s take a look at the code and compiler-generated disassembled code again to understand how the registration record is created:
Continue reading “Everybody likes automation (!exchain) – Exception Handling (Part 5)”
The C programming language does not offer any support to handle exceptions in the program and this is one of the major differences between C and C++. The Structured Exception Handling (SEH) is an extension to Microsoft C++ and C language support. Although, it is recommended to use the in-built exception handling mechanism if you are using C++ because it helps with the portability of the code across platforms. But, Microsoft compiler allows us to use SEH with C++ and C. The SEH provides a way to handle resources (memory buffers, synchronization primitives, etc) in case the program flow is interrupted due to software or hardware exceptions.
The SEH mechanism which was mentioned in the first post is :
- Exception handler – __except block: called in response to an exception.
- Termination handler – __finally block: always called.
When the developer defines the SEH block (aka exception frame), it gets installed on the stack and with the unwinding of the stack, it gets removed. The exception can be caught in the same function or the caller function. In terms of unwinding the stack, if the exception is unhandled in the callee, it goes higher up the stack in the previous or caller’s frame and appropriate action is taken. So the above two SEH mechanisms may be different in terms of functionality but as far as unwinding the stack is concerned, they are similar.
In this post, we dig into the flow of the exception in user-mode (supported by OS) and in the developer’s code (exception or termination handler written by the developer). It is expected that the reader has some knowledge of C and WinDbg or any other related debugging tool.
The Thread Environment
Let’s take a look at the stack once we return to the user-mode after the ‘First Chance’ exception (see previous post).
Continue reading “Back to the Start – Exception Handling (Part 4)”