nonSafeSEH

NonSafeSEH refers to a property of a Windows PE module (EXE or DLL) in which Safe Structured Exception Handling (SafeSEH) is not implemented. SafeSEH is a mitigation that restricts which exception handlers can be invoked when an exception occurs. In 32-bit Windows, the operating system walks the exception handler chain and, if SafeSEH is present, only handlers from a validated list inside the module are allowed to execute. When a module is nonSafeSEH, it lacks this validated list, potentially allowing an attacker who can influence an exception to redirect execution to illicit code through an overwritten handler pointer.

The concept is most relevant for SEH-based exploit techniques, where uncontrolled or corrupted exception handlers can be leveraged to gain code execution. NonSafeSEH vulnerabilities are typically associated with older software, legacy libraries, or binaries not compiled with SafeSEH support. Modern Windows environments and compilers generally enable SafeSEH by default, reducing exposure from nonSafeSEH in up-to-date software.

Detection and mitigation involve both analysis and remediation. Tools that inspect Windows PE headers and load configuration data can indicate whether a module implements SafeSEH. A SafeSEH-enabled module has a SafeSEH table that restricts handlers; a nonSafeSEH module does not. Mitigations include rebuilding affected binaries with SafeSEH enabled, enabling additional protections such as SEHOP (Structured Exception Handler Overwrite Prevention), and employing best-practice security measures like DEP and ASLR, along with timely patching and vulnerability management. Understanding SafeSEH and nonSafeSEH helps assess the exposure of software components to SEH-based attacks.
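
The header and load configuration check described above can be written as a short audit script. This is an added example, not code from the original page: `safeseh_status` and `build_sample` are hypothetical names, the sample image is constructed for the demonstration, and the check goes slightly beyond the text by also reporting the `IMAGE_DLLCHARACTERISTICS_NO_SEH` flag. It assumes that a nonzero handler table address together with a nonzero handler count means SafeSEH is present.

```python
import struct

I386, PE32_MAGIC = 0x014C, 0x10B   # IMAGE_FILE_MACHINE_I386, PE32 optional header
NO_SEH = 0x0400                    # IMAGE_DLLCHARACTERISTICS_NO_SEH
LOAD_CONFIG = 10                   # IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG

def safeseh_status(data):
    """Return 'safeseh', 'no-seh', 'nonsafeseh' or 'not-applicable' for a PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a PE image")
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    machine, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, pe + 4)
    opt = pe + 24                  # optional header follows the 20-byte COFF header
    if machine != I386 or struct.unpack_from("<H", data, opt)[0] != PE32_MAGIC:
        return "not-applicable"    # SafeSEH only applies to 32-bit x86 images
    if struct.unpack_from("<H", data, opt + 70)[0] & NO_SEH:
        return "no-seh"            # module declares it contains no SEH handlers
    if struct.unpack_from("<I", data, opt + 92)[0] <= LOAD_CONFIG:
        return "nonsafeseh"        # no load config slot in the data directory
    rva, _ = struct.unpack_from("<II", data, opt + 96 + 8 * LOAD_CONFIG)
    off = None
    for i in range(nsec):          # map the load config RVA to a file offset
        vsize, vaddr, rsize, rptr = struct.unpack_from(
            "<IIII", data, opt + opt_size + 40 * i + 8)
        if rva and vaddr <= rva < vaddr + max(vsize, rsize):
            off = rptr + rva - vaddr
    if off is None or off + 72 > len(data):
        return "nonsafeseh"        # no load configuration data present
    if struct.unpack_from("<I", data, off)[0] < 72:
        return "nonsafeseh"        # structure too short to hold the SEH fields
    table, count = struct.unpack_from("<II", data, off + 64)  # SEHandlerTable/Count
    return "safeseh" if table and count else "nonsafeseh"     # assumed criterion

def build_sample(handler_count, dll_chars=0):
    """Constructed minimal PE32 image (not a real binary) to exercise the check."""
    lc = bytearray(72)                                   # IMAGE_LOAD_CONFIG_DIRECTORY32
    struct.pack_into("<I", lc, 0, 72)                    # Size
    struct.pack_into("<II", lc, 64, 0x401100 if handler_count else 0, handler_count)
    opt = bytearray(96 + 16 * 8)                         # PE32 optional header
    struct.pack_into("<H", opt, 0, PE32_MAGIC)
    struct.pack_into("<H", opt, 70, dll_chars)
    struct.pack_into("<I", opt, 92, 16)                  # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8 * LOAD_CONFIG, 0x1000, 72)
    coff = struct.pack("<HHIIIHH", I386, 1, 0, 0, 0, len(opt), 0x0102)
    sect = struct.pack("<8sIIII16x", b".rdata", 0x1000, 0x1000, 0x200, 0x200)
    hdr = b"MZ" + bytes(58) + struct.pack("<I", 0x40) + b"PE\0\0" + coff + bytes(opt) + sect
    return hdr.ljust(0x200, b"\0") + bytes(lc).ljust(0x200, b"\0")
```

Run against each module loaded by a 32-bit process, any result of `nonsafeseh` identifies a binary to rebuild with SafeSEH or to cover with SEHOP.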