由于分析失误， 该帖作废。

7C9579C8    8BFF            mov     edi, edi                        
7C9579CA    55              push    ebp
7C9579CB    8BEC            mov     ebp, esp
7C9579CD    51              push    ecx
7C9579CE    FF75 08         push    dword ptr [ebp+8]
7C9579D1    E8 738EFDFF     call    RtlImageNtHeader
7C9579D6    F640 5F 04      test    byte ptr [eax+5F], 4
7C9579DA    0F85 CF7C0100   jnz     7C96F6AF
7C9579E0    8D45 FC         lea     eax, [ebp-4]
7C9579E3    50              push    eax
7C9579E4    6A 0A           push    0A
7C9579E6    6A 01           push    1
7C9579E8    FF75 08         push    dword ptr [ebp+8]
7C9579EB    E8 668EFDFF     call    RtlImageDirectoryEntryToData
7C9579F0    85C0            test    eax, eax
7C9579F2    0F84 D8010000   je      7C957BD0

这个地方如果把PE + 0x5F的地方, 也就是
ImageNtHeader->OptionalHeader.DllCharacteristics = ImageNtHeader->OptionalHeader.DllCharacteristics | 0x0400;
这样改过的PE文件, 在调试的时候则无法通过异常. 但是可以正常运行

(在XP SP2系统支持, W2K系统不支持)

#define IMAGE_DLLCHARACTERISTICS_NO_SEH      0x0400     // Image does not use SEH.  No SE handler may reside in this image

PECOFF v8
IMAGE_DLLCHARACTERISTICS_NO_SEH is clear in the DllCharacteristics field of the optional header, as described earlier), then the handler must be in the list of known safe handlers for that image. Otherwise, the operating system terminates the application. This helps prevent the “x86 exception handler hijacking” exploit that has been used in the past to take control of the operating system.
The Microsoft linker automatically provides a default load configuration structure to include the reserved SEH data. If the user code already provides a load configuration structure, it must include the new reserved SEH fields. Otherwise, the linker cannot include the reserved SEH data and the image is not marked as containing reserved SEH.

[培训]《安卓高级研修班(网课)》月薪三万计划，掌握调试、分析还原ollvm、vmp的方法，定制art虚拟机自动化脱壳的方法