Malware Activity

2007-09-27

REP(N)Z and the EFLAGS

Working on some debugger-like automation code for EmsiSoft, I recently discovered a funny property when single-stepping REPNZ-prefixed SCAS and CMPS instructions with the TF bit set in EFLAGS. As expected, a debug event occurs for each single byte / word / doubleword. However, the EFLAGS register's status bits (e.g. ZF) are not correct for each single iteration, only for the last one.

I tested this on Windows XP in VMware; I haven't had the time to reproduce it on a physical machine yet. Let me know if you run into this quirk, too.
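As an added reproduction harness (example code, not from the original post), the same check on Linux/x86-64 with ptrace instead of the Windows debug API: the tracee marks its REPNE SCASB with an int3, the tracer then single-steps it over a constructed buffer ("abcXef", needle 'X', both made up here) and logs rip, rcx and ZF at every trap. It assumes an x86-64 Linux host on which ptrace is permitted. On hardware that traps after each iteration you get one line per compared byte, with ZF becoming 1 only on the matching one; a host that reports the flags only for the last iteration, as the post describes for VMware, shows up directly in the ZF column.

```c
/* Added reproduction harness, not from the original post: single-step a
 * REPNE SCASB under Linux/x86-64 ptrace and log rip, rcx and ZF at every
 * trap. Assumes an x86-64 Linux host where ptrace is permitted. */
#define _GNU_SOURCE
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/ptrace.h>
#include <sys/user.h>
#include <sys/wait.h>
#include <unistd.h>

#define MAX_STEPS 64
#define EFLAGS_ZF (1ul << 6)

struct step_log {
    int steps;                 /* traps taken until the instruction retired */
    unsigned long scan_rip;    /* address of the repne scasb in the tracee */
    unsigned long rip[MAX_STEPS], rcx[MAX_STEPS];
    int zf[MAX_STEPS];
    unsigned long final_rcx;
    int final_zf;
};

/* Tracee: int3 hands control to the tracer with rip already on the scasb. */
static void tracee_scan(const char *buf, unsigned long len, unsigned needle)
{
    const char *p = buf;
    unsigned long n = len;
    ptrace(PTRACE_TRACEME, 0, NULL, NULL);
    __asm__ volatile("int3\n\t"
                     "repne scasb\n\t"
                     : "+c"(n), "+D"(p) : "a"(needle) : "cc", "memory");
    _exit(0);
}

static int stopped_by_trap(pid_t pid)
{
    int status;
    return waitpid(pid, &status, 0) == pid && WIFSTOPPED(status)
        && WSTOPSIG(status) == SIGTRAP;
}

/* Returns the number of single-step traps observed (>= 1), or -1 on failure. */
int single_step_repne_scasb(const char *buf, unsigned long len, char needle,
                            struct step_log *log)
{
    struct user_regs_struct regs;
    int status;
    memset(log, 0, sizeof *log);
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) tracee_scan(buf, len, (unsigned char)needle);

    if (!stopped_by_trap(pid) || ptrace(PTRACE_GETREGS, pid, NULL, &regs) < 0)
        goto fail;
    log->scan_rip = regs.rip;        /* int3 already retired: rip is the scasb */

    while (log->steps < MAX_STEPS) {
        if (ptrace(PTRACE_SINGLESTEP, pid, NULL, NULL) < 0 || !stopped_by_trap(pid)
            || ptrace(PTRACE_GETREGS, pid, NULL, &regs) < 0)
            goto fail;
        int i = log->steps++;
        log->rip[i] = regs.rip;
        log->rcx[i] = regs.rcx;
        log->zf[i] = (regs.eflags & EFLAGS_ZF) != 0;
        if (regs.rip != log->scan_rip) break;   /* instruction retired */
    }
    log->final_rcx = regs.rcx;
    log->final_zf = (regs.eflags & EFLAGS_ZF) != 0;
    kill(pid, SIGKILL);
    waitpid(pid, &status, 0);
    return log->steps;
fail:
    kill(pid, SIGKILL);
    waitpid(pid, &status, 0);
    return -1;
}

/* Constructed input: "abcXef" scanned for 'X' stops on the 4th byte with
 * rcx = 2 and ZF = 1, however many traps the host takes to get there. */
static struct step_log demo_log;
static int demo_steps = -2;
int demo_run(void)
{
    if (demo_steps == -2)
        demo_steps = single_step_repne_scasb("abcXef", 6, 'X', &demo_log);
    return demo_steps;
}
unsigned long demo_final_rcx(void) { demo_run(); return demo_log.final_rcx; }
int demo_final_zf(void) { demo_run(); return demo_log.final_zf; }
int demo_rip_advanced(void)
{
    int n = demo_run();
    return n > 0 && demo_log.rip[n - 1] != demo_log.scan_rip;
}

int main(void)
{
    int n = demo_run();
    if (n < 0) { perror("ptrace"); return 1; }
    printf("step  rip                rcx  ZF\n");
    for (int i = 0; i < n; i++)
        printf("%-5d %#-18lx %-4lu %d\n", i + 1, demo_log.rip[i],
               demo_log.rcx[i], demo_log.zf[i]);
    printf("final: rcx=%lu ZF=%d after %d trap(s)\n",
           demo_final_rcx(), demo_final_zf(), n);
    return 0;
}
```

The loop ends as soon as rip leaves the scasb, so the number of logged rows is the number of traps the host actually took; the final rcx and ZF are architectural and must be the same either way, which is what makes the per-trap ZF column the interesting part.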


2007-02-23

Get EIP with SEH

While talking about shellcode detection with Paul and Markus, I remembered some SEH-based code I had written some time ago to make some code position-independent (and obfuscated). Unfortunately, I couldn't find the original source anymore, but wrote up what I remembered (and didn't test it):

Snippet 1: Custom Handler

mov eax, [esp+4]        ; first handler argument: EXCEPTION_RECORD*
mov eax, [eax+0x0c]     ; EXCEPTION_RECORD.ExceptionAddress = the faulting instruction
push eax                ; leave the address on the stack for the pop below
add eax, 2              ; skip the two-byte 'xor [eax], eax' that faulted
jmp eax                 ; resume at 'pop eax'

Snippet 2: SEH Overwrite

mov edi, [fs:0]         ; current EXCEPTION_REGISTRATION_RECORD
mov edi, [edi+4]        ; its Handler pointer (the code we overwrite)
; the 13 handler bytes, NOP (0x90) padded to 16, stored little-endian:
; 8B 44 24 04 | 8B 40 0C 50 | 83 C0 02 FF | E0 90 90 90
mov dword [edi+0], 0x0424448b
mov dword [edi+4], 0x500c408b
mov dword [edi+8], 0xff02c083
mov dword [edi+12], 0x909090e0

xor eax, eax
xor [eax], eax          ; write to address 0 -> access violation, handler runs

pop eax                 ; eax = address of the 'xor [eax], eax' above

Basically, the second snippet fetches the address of the current top-most SEH handler, overwrites its code with the binary version of the first snippet and then triggers an access violation by writing to address 0. The handler's first argument is a pointer to the EXCEPTION_RECORD, whose ExceptionAddress field (offset 0x0c) holds the address of the faulting instruction; the handler pushes that address and jumps back, and the address is then popped. Of course, this only works on Win32, and two caveats apply: the existing handler must live in writable memory (a handler in a module's .text section is mapped read/execute, so the first store would itself fault), and the handler runs on the exception dispatch stack below the original esp, so after the jump the stack pointer is no longer the one the code had before the fault.
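Hand-encoding the dwords is where such stubs usually go wrong, so here is an added helper (example code, not part of the original post) that packs a handler stub into the little-endian dword stores the second snippet uses and prints them as NASM lines. The stub bytes it carries are this example's assumption: a handler that reads the EXCEPTION_RECORD pointer from its first argument ([esp+4]), takes ExceptionAddress at +0x0c, pushes it, adds 2 to skip the faulting `xor [eax], eax` and jumps to the following `pop eax`. Padding uses 0x90 (NOP) rather than 0x66/0x67, since those are operand- and address-size prefixes that change the meaning of the instruction they precede.

```c
/* Added example, not from the original post: pack a handler stub into the
 * dword stores used to overwrite an SEH handler in place, NOP-padding the
 * tail, and emit them as NASM lines. The stub itself is an assumption of
 * this example (see the hand-assembly below). */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define X86_NOP 0x90

/* Assumed handler, hand-assembled for 32-bit mode:
 *   8B 44 24 04   mov eax, [esp+4]      ; EXCEPTION_RECORD*
 *   8B 40 0C      mov eax, [eax+0x0c]   ; ->ExceptionAddress
 *   50            push eax
 *   83 C0 02      add eax, 2            ; skip the 2-byte xor [eax], eax
 *   FF E0         jmp eax               ; lands on pop eax
 */
static const uint8_t seh_handler_stub[] = {
    0x8B, 0x44, 0x24, 0x04,
    0x8B, 0x40, 0x0C,
    0x50,
    0x83, 0xC0, 0x02,
    0xFF, 0xE0,
};

/* Pack code bytes little-endian into dwords, NOP-padding the last one.
 * Returns the number of dwords written, or 0 if `out` cannot hold them. */
size_t pack_stub_dwords(const uint8_t *code, size_t len,
                        uint32_t *out, size_t max_out)
{
    size_t ndw = (len + 3) / 4;
    if (ndw > max_out) return 0;
    for (size_t i = 0; i < ndw; i++) {
        uint32_t dw = 0;
        for (size_t b = 0; b < 4; b++) {
            size_t idx = i * 4 + b;
            uint8_t byte = idx < len ? code[idx] : X86_NOP;
            dw |= (uint32_t)byte << (8 * b);   /* first byte ends up lowest */
        }
        out[i] = dw;
    }
    return ndw;
}

/* Last (padded) dword of a stub; 0 for an empty stub. */
uint32_t pack_last_dword(const uint8_t *code, size_t len)
{
    uint32_t dw[64];
    size_t n = pack_stub_dwords(code, len, dw, 64);
    return n ? dw[n - 1] : 0;
}

/* Emit "mov dword [edi+off], 0x........" lines into buf; -1 if it overflows. */
int emit_store_lines(const uint32_t *dw, size_t ndw, char *buf, size_t buflen)
{
    size_t used = 0;
    for (size_t i = 0; i < ndw; i++) {
        int n = snprintf(buf + used, buflen - used,
                         "mov dword [edi+%zu], 0x%08X\n", i * 4, dw[i]);
        if (n < 0 || (size_t)n >= buflen - used) return -1;
        used += (size_t)n;
    }
    return (int)used;
}

size_t seh_stub_dword_count(void) { return (sizeof seh_handler_stub + 3) / 4; }

uint32_t seh_stub_dword(size_t i)
{
    uint32_t dw[8];
    size_t n = pack_stub_dwords(seh_handler_stub, sizeof seh_handler_stub, dw, 8);
    return i < n ? dw[i] : 0;
}

int main(void)
{
    uint32_t dw[8];
    char text[256];
    size_t n = pack_stub_dwords(seh_handler_stub, sizeof seh_handler_stub, dw, 8);
    if (emit_store_lines(dw, n, text, sizeof text) < 0) return 1;
    fputs(text, stdout);
    return 0;
}
```

Any stub can be fed in; the only rule the packer enforces is that the bytes land in memory in the order they were assembled, which is exactly what a little-endian dword store of the packed value does.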

At the time I 'invented' that code, I didn't have any reference for such code ITW. But I'm pretty sure I'm not the first one to have had that idea (although a quick Google run didn't reveal anything to me).
