I've been experimenting with assembly SEH for a while, but one thing I do not understand is why my code below doesn't execute the injected SEH but instead the default in ntdll.
I've got a simple ASM app name "one.exe" which doesn't implement any SEH by itself. I want to inject a SEH handler into this app so I can catch all necessary exceptions in a random code cave.
I thought this would be as easy as injecting the three-line SEH initializer, but when (purposely - mov [eax],1) causing an access violation exception, my exception handler isn't called. What did I do wrong?
Code injected into code-cave and called by "one.exe"
Code:
00401189 PUSH one.004011B0 ; se initializer
0040118E PUSH DWORD PTR FS:[0]
00401195 MOV DWORD PTR FS:[0],ESP
0040119C MOV EAX,0
004011A1 MOV BYTE PTR DS:[EAX],1 ; purposely cause exception to test
004011A4 RETN
Se-handler code also injected into "one.exe"
Code:
004011B0 PUSH 0 ; /Style = MB_OK|MB_APPLMODAL;
004011B2 PUSH 0 ; |Title = NULL
004011B4 PUSH One.004030BF ; |Text = "Exception caught!"
004011B9 PUSH DWORD PTR DS:[4030E8] ; |hOwner = NULL
004011BF CALL user32.MessageBoxA ; \MessageBoxA
004011C4 RETN
