SEH bypass

Before we start, we need to understand what SEH is. SEH stands for structured exception handling. We have probably all seen a program throw an error saying that the software has encountered a problem and needs to close. That dialog is the default exception handler of Windows kicking in.

SEH handlers can be thought of as blocks of try/catch statements that are executed in order when an exception occurs in the program. This is what a typical SEH chain looks like:

Source: https://www.corelan.be/wp-content/uploads/2009/07/image_thumb45.png

When an exception occurs, the SEH chain comes to the rescue and handles the exception based on its type.

So, when an illegal instruction occurs, the application gets a chance to handle the exception. If no exception handler is defined in the application, we will see an error dialog shown by Windows, such as Send a report to Microsoft.

To successfully exploit a program through its SEH handler, we first fill the stack with our buffer and overwrite the memory address that stores the first record of the SEH chain. That alone is not enough: we also need to generate an error, because that is what actually triggers the SEH handler. Then we gain complete control over the execution flow of the program. An easy way to achieve this is to keep filling the stack all the way down, which raises an exception that has to be handled, and since we already control the first SEH record, we are able to exploit it.
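To make the chain walk and the "first record" concrete, here is a toy model of the SEH chain in C. It is an added example, not code from the book: the record layout (next pointer, handler pointer, list terminated by 0xFFFFFFFF) follows the real structure, but the dispatcher, the handler signature, the simulated stack and the integrity check (modelled loosely on what the Windows SEHOP mitigation verifies) are simplifications assumed for illustration. It shows handlers being tried in chain order with the default handler last, and how a record whose pointers have been replaced by filler fails a stack-bounds check before it is ever dereferenced.

```c
#include <stdint.h>
#include <string.h>

/* Toy model of a Windows SEH chain (added example, not from the book). Each record
 * holds a pointer to the next record and a pointer to a handler; Windows terminates
 * the list with 0xFFFFFFFF. Handler signature is a simplification. */
#define EXC_CONTINUE_SEARCH 0
#define EXC_HANDLED 1
#define CHAIN_END ((struct seh_record *)(uintptr_t)-1)

struct seh_record { struct seh_record *next; int (*handler)(int code); };
typedef int (*seh_handler_t)(int code);

static int handle_div_zero(int code)         { return code == 1 ? EXC_HANDLED : EXC_CONTINUE_SEARCH; }
static int handle_access_violation(int code) { return code == 2 ? EXC_HANDLED : EXC_CONTINUE_SEARCH; }
static int final_handler(int code)           { (void)code; return EXC_HANDLED; } /* the "send report" dialog */

/* Simulated thread stack: rec[0] is the most recent registration and the head of the chain. */
static struct seh_record g_stack[3];

const struct seh_record *build_chain(void) {
    g_stack[2] = (struct seh_record){ CHAIN_END,   final_handler };
    g_stack[1] = (struct seh_record){ &g_stack[2], handle_access_violation };
    g_stack[0] = (struct seh_record){ &g_stack[1], handle_div_zero };
    return &g_stack[0];
}

/* Walk the chain like the dispatcher does: head first, until a handler claims the exception.
 * Returns the 0-based position of that handler, or -1 if the chain ran out. */
int dispatch_exception(const struct seh_record *head, int code) {
    int pos = 0;
    for (const struct seh_record *r = head; r != CHAIN_END; r = r->next, pos++)
        if (r->handler(code) == EXC_HANDLED) return pos;
    return -1;
}

/* Simplified integrity check in the spirit of SEHOP: every record must lie on the thread's
 * stack and the chain must end in the known final handler. A record overwritten with filler
 * fails the bounds test before it is dereferenced, so dispatch through it can be refused. */
int chain_is_valid(const struct seh_record *head, seh_handler_t expected_final) {
    uintptr_t lo = (uintptr_t)g_stack, hi = lo + sizeof g_stack;
    const struct seh_record *r = head;
    for (int depth = 0; depth < 64; depth++) {            /* bounded walk: a cycle is corruption too */
        uintptr_t a = (uintptr_t)r;
        if (r == CHAIN_END || a < lo || a + sizeof *r > hi) return 0;
        if (r->next == CHAIN_END) return r->handler == expected_final;
        r = r->next;
    }
    return 0;
}

/* Simulate the effect the text describes: the first record's two pointers replaced by
 * constructed 0x41 filler bytes. Returns the head so the caller can re-check the chain. */
const struct seh_record *corrupt_first_record(void) {
    memset(&g_stack[0], 0x41, sizeof g_stack[0]);
    return &g_stack[0];
}
```

With an intact chain the integrity check passes and exceptions land on the expected handler; after the first record is overwritten the check fails, which is exactly the condition a mitigation refuses to dispatch on.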
