this post was submitted on 22 Nov 2025
blueteamsec
For [Blue|Purple] Teams in Cyber Defence - covering discovery, detection, response, threat intelligence, malware, offensive tradecraft and tooling, deception, reverse engineering etc.
What I think makes this especially interesting is that you can use this exception dispatch to build an interpreter. Think of it like a bytecode interpreter, where the codes are exceptions and the behaviors are the handlers. Because the faults are a function of the underlying code present in the module, it could even be used for early fingerprinting/binding to the intended target. You can make decoding a stage an absolute pain because it's dependent on the exact memory layout of the target process, which could itself have been manipulated by the attacker earlier as a kind of decoding key, causing replay attempts to fail and frustrating analysis.
And remember, an exception re-enters the handler, so you can even probe safely against unmapped pages.