Thursday, 8 December 2016

UnhandledExceptionFilter won't compile in VS2015 but worked in VS2012: "already defined". Also a VEH to detect unpacked ASProtect.

If you are using UnhandledExceptionFilter in a C++ application and try to compile with VS2017 (it worked in 2012 just fine),

and you get the error message:

Severity Code Description Project File Line Suppression State
Error LNK2005 _UnhandledExceptionFilter@4 already defined in kernel32.lib(KERNEL32.dll) ...
Error LNK1169 one or more multiply defined symbols found ...

and you also have a function called UnhandledExceptionFilter,

try renaming it to something else.

The compiler or linker (I'm not sure which) renames the method to _UnhandledExceptionFilter, which conflicts with the one in kernel32 when linking.

What the heck.

Some bonus content for you.

I detect whether the ASProtect-packed target executable is unpacked by using a VEH (vectored exception handler).
I use an injected DLL to run this code, and the rest of my code, inside the target process.
I start the process suspended, inject the DLL, then resume the main thread.

VEH Handler

DWORD test = 0;
DWORD exceptionCount = 0;

LONG WINAPI MyUnhandledExceptionFilter(EXCEPTION_POINTERS *pExceptionInfo)
{
    // Address of the instruction that raised the exception (32-bit x86 context).
    void* Eip = (void*)pExceptionInfo->ContextRecord->Eip;

    // sprintf(Message, "Exception Count: %i\nException Code: %X\nEIP: %p\nRegisters\n\nEAX: %X EBX: %X ECX: %X EDX: %X\nESP: %X EBP: %X\nESI: %X EDI: %X\n",
    //     exceptionCount,
    //     pExceptionInfo->ExceptionRecord->ExceptionCode,
    //     pExceptionInfo->ContextRecord->Eip,
    //     pExceptionInfo->ContextRecord->Eax, pExceptionInfo->ContextRecord->Ebx, pExceptionInfo->ContextRecord->Ecx, pExceptionInfo->ContextRecord->Edx,
    //     pExceptionInfo->ContextRecord->Esp, pExceptionInfo->ContextRecord->Ebp,
    //     pExceptionInfo->ContextRecord->Esi, pExceptionInfo->ContextRecord->Edi);
    // MessageBox(NULL, Message, "Debug", MB_OK);

    // We know the game is unpacked when the exception has a PUSH 0C after it.
    // This just seems to be the way it is for ASProtect. See Tuts4You Loaders.asprotect1.pdf
    BYTE* oData = (BYTE*)Eip;
    if (oData[19] == 0x6A && oData[20] == 0x0C)
    {
        // Game is unpacked in memory and the memory security check is done.
        // This just detours the game's init function. I couldn't detour it reliably
        // without this code because some faster computers would have already run it,
        // and slower computers might not have even unpacked by the time my DLL inits.
        // Sleeps were not a good solution.
        origInitGame = (t_InitGameFn)DetourCreate((LPVOID)0x00403180, (LPVOID)initGameHook, DETOUR_TYPE_JMP);

        isGameUnpacked = true;
    }

    // Pass the exception on so the target's own handlers still run.
    return EXCEPTION_CONTINUE_SEARCH;
}


Add the VEH

// First argument 1 = call this handler before any other vectored handler.
hVEH = AddVectoredExceptionHandler(1, &MyUnhandledExceptionFilter);
if (hVEH == NULL)
{
    MessageBox(mainhWnd, "Error VEH 1.", "DLL ERROR", MB_OK | MB_APPLMODAL);
    return 0;
}

// Check while it's not unpacked. This serves as a timeout.

int pCheckUnpackedCounter = 0;
while (isGameUnpacked == FALSE)
{
    if (pCheckUnpackedCounter > 60000)
    {
        // Roughly 1 minute.
        // Unable to detect unpacked game code.
        // Remove our vectored exception handler, it has done its job.
        RemoveVectoredExceptionHandler(hVEH);
        MessageBox(mainhWnd, "Error VEH 2.", "DEBUG", MB_OK | MB_APPLMODAL);
        return 0;
    }

    // About 1 ms per pass, so 60000 passes gives the rough one-minute timeout.
    Sleep(1);
    pCheckUnpackedCounter++;
}


Remove the VEH when it's done its job.

// Remove our vectored exception handler, it has done its job.
RemoveVectoredExceptionHandler(hVEH);
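
The handler above reads Eip + 19 and Eip + 20 for every exception raised in the process, so an exception whose EIP sits near the end of a mapped region would fault again inside the handler. The following is an added example, not code from the original post: a bounds-checked version of the same PUSH 0C test in portable C, where the function name and the region/length parameters are assumptions (in the DLL they would be filled from VirtualQuery on Eip).

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Signature from the post: PUSH 0C (bytes 6A 0C) 19 bytes past the faulting EIP. */
#define SIG_OFFSET 19u
static const uint8_t SIG_BYTES[] = { 0x6A, 0x0C };

/*
 * Hypothetical helper (not from the post).
 * region, region_len: the readable block containing the faulting address.
 *   In the DLL these would come from VirtualQuery(Eip, ...): BaseAddress and
 *   RegionSize of a MEM_COMMIT region with a readable protection.
 * fault_off: offset of the faulting EIP inside that block.
 * Returns 1 = signature present, 0 = absent, -1 = bytes lie outside the block.
 */
int sig_after_fault(const uint8_t *region, size_t region_len, size_t fault_off)
{
    const size_t need = SIG_OFFSET + sizeof SIG_BYTES;  /* 21 bytes from EIP */

    if (region == NULL || fault_off > region_len)
        return -1;
    if (region_len - fault_off < need)  /* cannot wrap: fault_off <= region_len */
        return -1;
    return memcmp(region + fault_off + SIG_OFFSET, SIG_BYTES, sizeof SIG_BYTES) == 0;
}

int main(void)
{
    /* Constructed sample: 64 NOPs with the marker planted 19 bytes after offset 8. */
    uint8_t block[64];
    memset(block, 0x90, sizeof block);
    block[8 + 19] = 0x6A;
    block[8 + 20] = 0x0C;

    printf("fault at  8: %d\n", sig_after_fault(block, sizeof block, 8));
    printf("fault at  9: %d\n", sig_after_fault(block, sizeof block, 9));
    printf("fault at 50: %d\n", sig_after_fault(block, sizeof block, 50));
    return 0;
}
```

A result of -1 is the case the original handler does not cover: the 21 bytes it wants to inspect are not all inside readable memory, so the check should be skipped rather than dereferenced.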
