issuhub.com

Reverse Engineering for Beginners

(avery) #1

CHAPTER 68. WINDOWS NT CHAPTER 68. WINDOWS NT


call _printf

add esp, 4

mov DWORD PTR __$SEHRec$[ebp+20], -1 ; previous try level

jmp SHORT $L74616

; filter code:
$L74617:
$L74627:
mov ecx, DWORD PTR __$SEHRec$[ebp+4]
mov edx, DWORD PTR [ecx]
mov eax, DWORD PTR [edx]
mov DWORD PTR $T74621[ebp], eax
mov eax, DWORD PTR $T74621[ebp]
sub eax, -1073741819; c0000005H
neg eax
sbb eax, eax
inc eax
$L74619:
$L74626:
ret 0


; handler code:
$L74618:
mov esp, DWORD PTR __$SEHRec$[ebp]
push OFFSET FLAT:$SG74608 ; 'access violation, can''t recover'
call _printf
add esp, 4
mov DWORD PTR $SEHRec$[ebp+20], -1 ; setting previous try level back to -1
$L74616:
xor eax, eax
mov ecx, DWORD PTR $SEHRec$[ebp+8]
mov DWORD PTR fs:__except_list, ecx
pop edi
pop esi
pop ebx
mov esp, ebp
pop ebp
ret 0
_main ENDP
_TEXT ENDS
END


Here we see how the SEH frame is constructed in the stack. Thescope tableis located in theCONSTsegment— indeed,
these fields are not to be changed. An interesting thing is how theprevious try levelvariable has changed. The initial
value is0xFFFFFFFF(− 1 ). The moment when the body of thetry statement is opened is marked with an instruction
that writes 0 to the variable. The moment when the body of thetrystatement is closed,− 1 is written back to it. We also
see the addresses of filter and handler code. Thus we can easily see the structure of thetry/exceptconstructs in the function.


Since the SEH setup code in the function prologue may be shared between many functions, sometimes the compiler inserts a
call to theSEH_prolog()function in the prologue, which does just that. The SEH cleanup code is in theSEH_epilog()
function.


Let’s try to run this example intracer:


tracer.exe -l:2.exe --dump-seh


Listing 68.7: tracer.exe output

EXCEPTION_ACCESS_VIOLATION at 2.exe!main+0x44 (0x401054) ExceptionInformation[0]=1
EAX=0x00000000 EBX=0x7efde000 ECX=0x0040cbc8 EDX=0x0008e3c8
ESI=0x00001db1 EDI=0x00000000 EBP=0x0018feac ESP=0x0018fe80
EIP=0x00401054
FLAGS=AF IF RF



  • SEH frame at 0x18fe9c prev=0x18ff78 handler=0x401204 (2.exe!_except_handler3)
    SEH3 frame. previous trylevel=0
    scopetable entry[0]. previous try level=-1, filter=0x401070 (2.exe!main+0x60) handler=0x401088⤦
    Ç(2.exe!main+0x78)

  • SEH frame at 0x18ff78 prev=0x18ffc4 handler=0x401204 (2.exe!_except_handler3)
    SEH3 frame. previous trylevel=0

Free download pdf
Get our desktop app
Company
Features
Documentation
Resources
© ISSUHUB. 2024. All rights reserved.