Reverse Engineering for Beginners


CHAPTER 68. WINDOWS NT


68.2.10 TLS


This section holds initialized data for the TLS (65 on page 656), if needed. When a new thread starts, its TLS data is initialized
using the data from this section.


Aside from that, the PE file specification also provides for initialization of the TLS section through the so-called TLS callbacks. If they
are present, they are called before control is passed to the main entry point (OEP). This is widely used in PE
file packers/encryptors.
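As an added example (not code from the book), the following Python walks a 32-bit IMAGE_TLS_DIRECTORY and lists the callbacks that would run before the OEP, which is what an analyst checks first when triaging a packed sample. The image bytes, section table and the TLS RVA (assumed to have been read from DataDirectory[9]) are constructed here for illustration.

```python
import struct

# Constructed sample: a 32-bit image with a single .tls section mapped at
# RVA 0x3000 (file offset 0x600) and the usual image base of 0x400000.
IMAGE_BASE = 0x400000
SAMPLE_SECTIONS = [(0x3000, 0x1000, 0x600)]  # (VirtualAddress, VirtualSize, PointerToRawData)
SAMPLE_IMAGE = bytearray(0x800)
# IMAGE_TLS_DIRECTORY32 at RVA 0x3000: raw-data start/end, AddressOfIndex,
# AddressOfCallBacks, SizeOfZeroFill, Characteristics (addresses are VAs, not RVAs)
struct.pack_into("<6I", SAMPLE_IMAGE, 0x600,
                 0x403100, 0x403110, 0x403120, 0x403130, 0, 0)
# NULL-terminated callback array at VA 0x403130 (file offset 0x730)
struct.pack_into("<3I", SAMPLE_IMAGE, 0x730, 0x401000, 0x401050, 0)

def rva_to_offset(rva, sections):
    """Translate an RVA into a file offset via the section table."""
    for va, vsize, raw_ptr in sections:
        if va <= rva < va + vsize:
            return rva - va + raw_ptr
    raise ValueError(f"RVA {rva:#x} is not inside any section")

def parse_tls_directory(image, tls_rva, sections, image_base=IMAGE_BASE):
    """Return the TLS directory fields and the list of callback VAs, in call order."""
    fields = struct.unpack_from("<6I", image, rva_to_offset(tls_rva, sections))
    start_raw, end_raw, addr_index, addr_callbacks, zero_fill, chars = fields
    callbacks = []
    if addr_callbacks:
        off = rva_to_offset(addr_callbacks - image_base, sections)
        while True:
            (cb,) = struct.unpack_from("<I", image, off)
            if cb == 0:        # the array is terminated by a NULL pointer
                break
            callbacks.append(cb)
            off += 4
    return {
        "init_data_size": end_raw - start_raw,  # bytes copied into each new thread's TLS
        "zero_fill": zero_fill,
        "callbacks": callbacks,                 # executed before the OEP
    }

def has_tls_callbacks(image, tls_rva, sections):
    """Triage helper: True when at least one TLS callback runs before the OEP."""
    return bool(parse_tls_directory(image, tls_rva, sections)["callbacks"])

if __name__ == "__main__":
    info = parse_tls_directory(SAMPLE_IMAGE, 0x3000, SAMPLE_SECTIONS)
    for cb in info["callbacks"]:
        print(f"TLS callback at VA {cb:#010x} (runs before the entry point)")
```

A sample with callbacks here has code running before the OEP, so a debugger breakpoint placed only on the entry point will be reached too late.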


68.2.11 Tools



  • objdump (present in cygwin) for dumping all PE-file structures.

  • Hiew (73 on page 706) as editor.

  • pefile — Python library for PE-file processing^25.

  • ResHack, AKA Resource Hacker — resources editor^26.

  • PE_add_import^27 — simple tool for adding symbol(s) to the PE executable import table.

  • PE_patcher^28 — simple tool for patching PE executables.

  • PE_search_str_refs^29 — simple tool for searching a PE executable for the function that uses some text string.


68.2.12 Further reading



  • Daniel Pistelli—The .NET File Format^30


68.3 Windows SEH.


68.3.1 Let’s forget about MSVC.


In Windows, SEH is intended for exception handling; nevertheless, it is language-agnostic and not related to C++ or OOP in
any way. Here we are going to take a look at SEH in its isolated form (without C++ and MSVC extensions).


Each running process has a chain of SEH handlers, and the TIB holds the address of the last handler. When an exception occurs
(division by zero, incorrect address access, a user exception triggered by calling the RaiseException() function), the OS
finds the last handler in the TIB and calls it, passing all information about the CPU state (register values, etc.) at the moment
of the exception. The exception handler examines the exception to determine whether it was intended for it. If so, it handles the exception. If
not, it signals to the OS that it cannot handle it, and the OS calls the next handler in the chain, until a handler that is able
to handle the exception is found.


At the very end of the chain there is a standard handler that shows the well-known dialog box informing the user about the
process crash, some technical information about the CPU state at the time of the crash, and an offer to collect all this information
and send it to the developers at Microsoft.


(^25) http://go.yurichev.com/17052
(^26) http://go.yurichev.com/17052
(^27) http://go.yurichev.com/17049
(^28) yurichev.com
(^29) yurichev.com
(^30) http://go.yurichev.com/17056
