On Windows, the operating system implements its own exception handling mechanisms, Structured Exception Handling (SEH) and Vectored Exception Handling (VEH), which are extensions on top of the conventional C/C++ language that provide support for runtime error handling.
These are only available for Windows executables, since they rely on the Windows kernel to catch the exception and transfer the control flow back to the program!
These unique methods of exception handling make it complicated for us to reverse engineer and trace the control flow of the program without sufficient understanding of how the handlers are installed and implemented.
Most of this blog post will study how SEH handlers work for 64-bit programs, after which we will briefly compare them with the corresponding 32-bit implementation as well as VEH.
To better understand what an SEH handler looks like in a compiled program, we can compile a simple program of our own and look at it in IDA. The following compiled program can be downloaded here.