Failing to report NO_SEH modules #14
Comments
|
would you mind sharing what app you're attaching to, so I can try to reproduce your setup ? |
|
closing for now, feel free to reopen if you can help me reproduce the issue. tx |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
0:015> !nmod
00030000 0003c000 CRYPTBASE NO_SEH *ASLR *DEP C:\Windows\syswow64\CRYPTBASE.dll
00230000 00239000 netutils /SafeSEH ON /GS *ASLR *DEP C:\Windows\SysWOW64\netutils.dll
00240000 0024f000 wkscli /SafeSEH ON /GS *ASLR *DEP C:\Windows\SysWOW64\wkscli.dll
00320000 0032d000 wshbth /SafeSEH ON /GS *ASLR *DEP C:\Windows\SysWOW64\wshbth.dll
00330000 0033a000 NO_SEH *ASLR *DEP C:\Program Files (x86)\masked
\masked.dll
0x00330000 | 0x0033a000 | 0x0000a000 | True | True | True | True | False | 2016.0.0.2150 [masked.dll](C:Program Files %28x86%29maskedmasked.dll)
0x40210000 | 0x40215000 | 0x00005000 | False | True | True | True | True | 6.1.7600.16385 [MSIMG32.dll](C:
WindowsSysWOW64MSIMG32.dll)
Log data, item 5
Address=0BADF00D
Message= 0x002b0000 | 0x002ba000 | 0x0000a000 | True | True | True | True | False | 2016.0.0.2150
[masked.dll](C:Program Files %28x86%29maskedmasked.dll)
/SafeSEH Module Scanner, item 5
SEH mode=No SEH
Base=0x560000
Limit=0x56a000
Module version=2016.0.0.2150
Module Name=C:\Program Files (x86)\masked\masked.dll
Narly and SafeSEH says my module masked.dll is safeSEH OFF. But mona on windbg & Immunity doesn't say the same. Infact, I see 4-6 safeSEH modules with other plugins but mona says all are SEH protected. Probably that's why "!mona seh" results into nothing.
Tested on Windows 7 64-bit with WinDbg:6.12.0002.633 x86 and Immunity v1.85
The text was updated successfully, but these errors were encountered: