SEH Exploits

There are two types of exceptions hardware and software. Hardware exceptions are initiated by the CPU. Software exceptions occur when the execution flow reaches unexpected conditions.

When a thread faults the operating system calls a set of functions known as exception handles which can either correct the error or provide logs on the unexpected condition.

When exceptions occur the operating system inspects the TEB structure of the faulted thread and retrieves the Exception List

In Windows when exceptions encounter the function kiUserExceptionDispatcher is called. The function takes two arguments _EXCEPTION_RECORD and _CONTEXT.

SEH overflows can be used to gain control over the execution flow of vulnerable applications. These occur when a stack buffer overflow is large enough or positioned in a manner that overwrites the valid registered exception handles on the stack.