Vectored Exception Handler Shellcode Execution

Theory

Vectored Exception Handling (VEH) is a Windows mechanism that allows applications to register exception handlers before Structured Exception Handling (SEH) takes over. This mechanism can be abused for code injection and execution, making it useful for red team operations and malware development.

Vectored Exception Handling (VEH)

Vectored Exception Handling provides a method for intercepting exceptions raised by a process before Structured Exception Handling (SEH) is engaged. Unlike SEH, which follows a per-thread linked list, VEH is process-wide, making it an attractive technique for stealthy payload execution.

The key API functions used in VEH execution include:

  • AddVectoredExceptionHandler: Registers a custom exception handler.

  • RemoveVectoredExceptionHandler: Unregisters the handler.

  • RaiseException: Triggers an exception to execute the registered handler.

Execution Flow

  1. Retrieve NTAPI Function Pointers:

    • Load ntdll.dll and resolve function addresses for NtAllocateVirtualMemory, NtWriteVirtualMemory, and NtProtectVirtualMemory using GetProcAddress.

  2. Allocate Memory:

    • Call NtAllocateVirtualMemory to allocate memory in the current process with PAGE_READWRITE permissions.

  3. Write Shellcode into Allocated Memory:

    • Use NtWriteVirtualMemory to copy shellcode into the allocated region.

  4. Set Memory Permissions to Executable:

    • Change the memory protection to PAGE_EXECUTE_READ using NtProtectVirtualMemory.

  5. Register the Vectored Exception Handler:

    • Call AddVectoredExceptionHandler, specifying the allocated shellcode region as the handler function.

  6. Trigger Exception to Execute Shellcode:

    • Call RaiseException(0x41414141, 0, 0, NULL), which causes the VEH to intercept and execute the registered handler.

  7. Cleanup:

    • After execution, RemoveVectoredExceptionHandler is called to unregister the handler.
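The same allocate, write, re-protect, register, raise sequence is what a defender can look for. The following is an added example, not code from the original page: a small Python detector that walks a constructed API-call trace and flags an AddVectoredExceptionHandler call whose handler address falls inside private memory that was allocated, written to and then made executable. The key=value trace format and the sample lines are assumptions; a real feed would come from ETW or EDR telemetry.

```python
import re
# Constructed API-call trace (not real telemetry). The first line is a benign
# registration whose handler lives in a loaded module; the rest follow the
# allocate -> write -> make executable -> register -> raise flow above.
SAMPLE_TRACE = """\
pid=4100 api=AddVectoredExceptionHandler handler=0x7ff6a0c01230 module=app.exe
pid=4212 api=NtAllocateVirtualMemory base=0x1f0000 size=0x1000 prot=PAGE_READWRITE
pid=4212 api=NtWriteVirtualMemory addr=0x1f0000 size=0x1c8
pid=4212 api=NtProtectVirtualMemory base=0x1f0000 size=0x1000 prot=PAGE_EXECUTE_READ
pid=4212 api=AddVectoredExceptionHandler handler=0x1f0000 module=-
pid=4212 api=RaiseException code=0x41414141
"""
EXEC_PROTS = {"PAGE_EXECUTE", "PAGE_EXECUTE_READ",
              "PAGE_EXECUTE_READWRITE", "PAGE_EXECUTE_WRITECOPY"}

def parse_line(line):
    """Turn 'key=value key=value ...' into a dict (assumed trace format)."""
    return dict(re.findall(r"(\w+)=(\S+)", line))

def region_for(regions, addr):
    """Find the tracked private region containing addr, if any."""
    return next((r for r in regions if r["base"] <= addr < r["base"] + r["size"]), None)

def detect_veh_shellcode(trace):
    """Return (pid, region base) for each AddVectoredExceptionHandler whose handler
    points into private memory that was allocated, written to and made executable.
    Handlers normally live inside a module image, so a hit matches the flow above."""
    regions, hits = {}, []  # pid -> list of region dicts
    for line in trace.splitlines():
        f = parse_line(line)
        if not f:
            continue
        pid, api = int(f["pid"]), f["api"]
        regs = regions.setdefault(pid, [])
        if api == "NtAllocateVirtualMemory":
            regs.append({"base": int(f["base"], 16), "size": int(f["size"], 16),
                         "written": False, "exec": f.get("prot") in EXEC_PROTS})
        elif api == "NtWriteVirtualMemory":
            r = region_for(regs, int(f["addr"], 16))
            if r:
                r["written"] = True
        elif api == "NtProtectVirtualMemory":
            r = region_for(regs, int(f["base"], 16))
            if r and f.get("prot") in EXEC_PROTS:
                r["exec"] = True
        elif api == "AddVectoredExceptionHandler":
            r = region_for(regs, int(f["handler"], 16))
            if r and r["written"] and r["exec"]:
                hits.append((pid, r["base"]))
    return hits
```

Running `detect_veh_shellcode(SAMPLE_TRACE)` reports only the second process; the handler registered from inside app.exe's image is not flagged.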

Practice

The following code implements this technique:

We can compile it from Linux using the following command:
