How does this asm code setup SEH?

Question

I grabbed some code from internet, that supposed to handle exceptions with SEH,

  ASSUME FS:NOTHING
  PUSH  OFFSET Handler
  PUSH  FS:[0]
  MOV  FS:[0], ESP
  ...

But the FS:[0] should be holding the address of handler instead right?

So mov fs:[0], esp is wrong, because esp currently pointed to the original fs:[0]:

The stack is like this:

-----------
| fs:[0]  |  <-- ESP
-----------
| handler |
-----------

So, shouldn't that be esp + 4 like stuff? I'm obviously wrong, but I don't get why.

Answer 1

[fs:0] points to the last element in the linked list of exception handlers.

Each element contains two things:

1. the address of the next/previous element
2. the address of a handler/function

The code that you presented creates another element, links it to the current/last element, and makes the new element the current/last one.

Look up Matt Pietrek's articles on SEH. This stuff is described there in greater detail.