Assembly Language for Beginners
6.5. WINDOWS NT A1 00 00 41 00 mov eax,[000410000] The base address of the module is 0x400000, the RVA of the global variable is 0x1 ...
6.5. WINDOWS NT Figure 6.1: A scheme that unites all PE-file structures related to imports The main structure is the array IMAGE_ ...
6.5. WINDOWS NT the imported function is a global variable in some sense, the address of the call instruction (plus 1 or 2) is to ...
6.5. WINDOWS NT Resources Resources in a PE file are just a set of icons, pictures, text strings, dialog descriptions. Perhaps t ...
6.5. WINDOWS NT 6.5.3 Windows SEH. Let’s forget about MSVC In Windows, the SEH is intended for exceptions handling, nevertheless, it is l ...
6.5. WINDOWS NT Figure 6.3: Windows XP Figure 6.4: Windows 7 ...
6.5. WINDOWS NT Figure 6.5: Windows 8.1 Earlier, this handler was called Dr. Watson^42. By the way, some developers make their ow ...
6.5. WINDOWS NT } int main() { DWORD handler = (DWORD)except_handler; // take a pointer to our handler // install exception hand ...
6.5. WINDOWS NT FS:0 +0: __except_list +4: ... +8: ... TIB ... Prev=0xFFFFFFFF Handle handler function ... Prev Handle handler f ...
6.5. WINDOWS NT That is why we chose 0xE1223344—E 16 (1110 2 ) 0xE (1110b) means that it is 1) user exception; 2) error. But to ...
6.5. WINDOWS NT The filter code is an expression, telling whether this handler code corresponds to the exception raised. If your ...
6.5. WINDOWS NT *ExceptionCode = ExceptionPointer->ExceptionRecord->ExceptionCode; if ( (*ExceptionCode == STATUS_IN_PAGE_ ...
6.5. WINDOWS NT FS:0 +0: __except_list +4: ... +8: ... TIB ... Prev=0xFFFFFFFF Handle ... Prev Handle ... Prev Handle scope tabl ...
6.5. WINDOWS NT try { printf("hello #1!\n"); *p = 13; // causes an access violation exception; printf("hello #2!\n"); } except(G ...
6.5. WINDOWS NT inc eax $L74619: $L74626: ret 0 ; handler code: $L74618: mov esp, DWORD PTR __$SEHRec$[ebp] push OFFSET FLAT:$SG ...
6.5. WINDOWS NT The first two are located in our example. Two? But we made only one? Yes, another one has been set up in the CRT f ...
6.5. WINDOWS NT $SG74621 DB 'access violation, can''t recover', 0aH, 00H $SG74623 DB 'user exception caught', 0aH, 00H _code$ = ...
6.5. WINDOWS NT call DWORD PTR __imp__RaiseException@16 push OFFSET FLAT:$SG74619 ; '0x112233 raised. now let''s crash' call _pr ...
6.5. WINDOWS NT pop esi pop ebx mov esp, ebp pop ebp ret 0 _main ENDP If we set a breakpoint on the printf() function, which is ca ...
6.5. WINDOWS NT FS:0 +0: __except_list +4: ... +8: ... TIB ... Prev=0xFFFFFFFF Handle ... Prev Handle ... Prev Handle scope tabl ...