hasherezade / tiny_tracer

A Pin Tool for tracing API calls etc

Tracing seh exception #23

Open acheron2302 opened 2 years ago

acheron2302 commented 2 years ago

I am using tiny tracer and I encountered a problem: if the program uses SEH exceptions for anti-debugging, tiny tracer is also affected by it, and the result in the end looks like this:

<random rva>;ntdll.KiUserExceptionDispatcher
<random rva>;ntdll.[RtlInterlockedCompareExhange64+1e2]*

The main reason I can think of is that tiny tracer doesn't run the exception part. The SEH exception looks like this: (image)

Is there any way to keep tracing SEH exceptions?

hasherezade commented 2 years ago

Hi!

Is there any way to keep tracing SEH exceptions?

Yes. In a normal situation (if the application didn't crash) the tracer will follow past the exception handler. Check this example: https://hshrzd.wordpress.com/2021/10/23/flare-on-8-task-9/ - and the corresponding log here.

Fragment:

35ace;ntdll.RtlAllocateHeap
284c;ntdll.KiUserExceptionDispatcher
6b7a;kernel32.VirtualProtect
6bba;kernel32.VirtualProtect
6bd3;ntdll.[RtlDeleteAce+1c0]*
284f;kernel32.GetCurrentProcess
2876;ntdll.KiUserExceptionDispatcher
6b7a;kernel32.VirtualProtect
6bba;kernel32.VirtualProtect
6bd3;ntdll.[RtlDeleteAce+1c0]*
2879;kernel32.CheckRemoteDebuggerPresent
264f1;ntdll.RtlEnterCriticalSection
2652e;ntdll.RtlLeaveCriticalSection

If it wasn't able to follow, there was probably some other problem. I guess the application just crashed on this exception.
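To make the log fragment above easier to read, here is an added example (not part of tiny_tracer, written for this thread) that parses the `<rva>;<module>.<function>` lines, groups the calls made inside each SEH handler after a `KiUserExceptionDispatcher` entry, and flags the case where the resumed code immediately calls a debugger-check API. The "resumed" boundary is a heuristic of this example (an event whose RVA is within a small window of the faulting RVA), and the `.tag` format assumed here is only what the issue shows.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional
# tiny_tracer .tag lines as they appear in the issue (assumption: only these):
#   <rva>;<module>.<function>              call to an exported API
#   <rva>;<module>.[<function>+<offset>]*  jump into a non-exported address
TAG_LINE = re.compile(r"^([0-9a-fA-F]+);([^.;]+)\.(\S+)$")
# Called right after the handler returns, these mark the exception as a
# debugger check (the fragment shows CheckRemoteDebuggerPresent at 2879).
DEBUGGER_CHECKS = {"CheckRemoteDebuggerPresent", "IsDebuggerPresent"}
@dataclass
class Dispatch:
    raise_rva: int                      # RVA of the instruction that faulted
    handler: List[str] = field(default_factory=list)  # calls inside the handler
    resumed_at: Optional[int] = None    # RVA where tracing picked up again
    debugger_check: bool = False

def parse_line(line: str):
    """Return (rva, module, target), or None for lines such as '<random rva>;...'."""
    m = TAG_LINE.match(line.strip())
    return (int(m[1], 16), m[2], m[3]) if m else None

def group_dispatches(lines, resume_window: int = 0x40) -> List[Dispatch]:
    """Each KiUserExceptionDispatcher opens a handler block. The block closes at
    the first later event whose RVA lies within resume_window bytes of the raise
    site (heuristic: that is where execution resumed after the handler ran)."""
    dispatches, cur = [], None
    for rva, mod, target in filter(None, map(parse_line, lines)):
        if mod == "ntdll" and target == "KiUserExceptionDispatcher":
            cur = Dispatch(raise_rva=rva)
            dispatches.append(cur)
        elif cur is not None and cur.resumed_at is None:
            if abs(rva - cur.raise_rva) <= resume_window:
                cur.resumed_at = rva
                cur.debugger_check = target in DEBUGGER_CHECKS
            else:
                cur.handler.append(f"{mod}.{target}")
    return dispatches

# The fragment quoted in the reply above (abridged), embedded as sample input.
SAMPLE = """35ace;ntdll.RtlAllocateHeap
284c;ntdll.KiUserExceptionDispatcher
6b7a;kernel32.VirtualProtect
6bd3;ntdll.[RtlDeleteAce+1c0]*
284f;kernel32.GetCurrentProcess
2876;ntdll.KiUserExceptionDispatcher
6b7a;kernel32.VirtualProtect
6bd3;ntdll.[RtlDeleteAce+1c0]*
2879;kernel32.CheckRemoteDebuggerPresent
264f1;ntdll.RtlEnterCriticalSection""".splitlines()
```

Running `group_dispatches(SAMPLE)` yields two dispatches; the second resumes at 2879 directly into CheckRemoteDebuggerPresent, which is the pattern the thread describes, while the `<random rva>` lines from the original report are rejected by `parse_line` and can be counted to see how often the tracer lost the handler.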