Reverse Engineering for Beginners


CHAPTER 68. WINDOWS NT


[Figure: SEH4 layout. FS:0 points to the TIB, whose field at +0 is __except_list. __except_list heads a chain of Prev/Handle records on the stack; the last record has Prev=0xFFFFFFFF and each Handle points to a handler function. The record of the current function has _except_handler4 as its handler and is followed by scope table⊕security_cookie, previous try level and EBP; EBP⊕security_cookie is also stored on the stack. The scope table begins with GS Cookie Offset, GS Cookie XOR Offset, EH Cookie Offset and EH Cookie XOR Offset, followed by one entry per try/except block (first, second, third, ...more entries...), each holding a previous try level (0xFFFFFFFF (-1), 0, 1 in the figure), a filter function and a handler/finally function.]
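The scope table layout from the figure, decoded from raw bytes. This is an added example, not code from the book or from the MSVC runtime; the struct and function names, the 8-entry cap, the filter/handler addresses and the cookie value used in testing are assumptions made for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* One entry per try/except block, as in the figure. */
typedef struct { int32_t prev_try_level; uint32_t filter, handler; } scope_entry;

/* Decoded scope table: four cookie fields, then up to 8 entries (cap is ours). */
typedef struct {
    int32_t gs_cookie_offset, gs_cookie_xor_offset;
    int32_t eh_cookie_offset, eh_cookie_xor_offset;
    scope_entry entries[8];
} seh4_table;

/* Read a little-endian DWORD regardless of host byte order. */
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* The frame holds (scope table address XOR security_cookie); XOR again to undo. */
uint32_t decode_scope_table_ptr(uint32_t stored, uint32_t cookie) { return stored ^ cookie; }

/* The table stores no entry count, so the caller passes n.
   Returns 0 on success, -1 if buf cannot hold the header plus n entries. */
int parse_scope_table(const uint8_t *buf, size_t len, size_t n, seh4_table *out) {
    if (n > 8 || len < 16 || (len - 16) / 12 < n) return -1;
    out->gs_cookie_offset     = (int32_t)rd32(buf);
    out->gs_cookie_xor_offset = (int32_t)rd32(buf + 4);
    out->eh_cookie_offset     = (int32_t)rd32(buf + 8);
    out->eh_cookie_xor_offset = (int32_t)rd32(buf + 12);
    for (size_t i = 0; i < n; i++) {
        const uint8_t *e = buf + 16 + 12 * i;
        out->entries[i].prev_try_level = (int32_t)rd32(e);
        out->entries[i].filter  = rd32(e + 4);
        out->entries[i].handler = rd32(e + 8);
    }
    return 0;
}

/* Constructed sample: the seven DWORDs of __sehtable$_main from Listing 68.10.
   0fffffffeH reads as -2 and 0ffffffccH as -52 when taken as signed values.
   The filter/handler addresses are placeholders, not values from the page. */
const uint8_t sample_table[28] = {
    0xfe,0xff,0xff,0xff, 0,0,0,0, 0xcc,0xff,0xff,0xff, 0,0,0,0,
    0xfe,0xff,0xff,0xff, 0x00,0x11,0x40,0x00, 0x20,0x11,0x40,0x00 };

int main(void) {
    seh4_table t;
    if (parse_scope_table(sample_table, sizeof sample_table, 1, &t)) return 1;
    printf("EH cookie offset %d, try level %d\n", (int)t.eh_cookie_offset, (int)t.entries[0].prev_try_level);
    return 0;
}
```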

Here are both examples compiled in MSVC 2012 with SEH4:


Listing 68.10: MSVC 2012: one try block example

$SG85485 DB 'hello #1!', 0aH, 00H
$SG85486 DB 'hello #2!', 0aH, 00H
$SG85488 DB 'access violation, can''t recover', 0aH, 00H


; scope table:
xdata$x SEGMENT
__sehtable$_main DD 0fffffffeH ; GS Cookie Offset
DD 00H ; GS Cookie XOR Offset
DD 0ffffffccH ; EH Cookie Offset
DD 00H ; EH Cookie XOR Offset
DD 0fffffffeH ; previous try level
DD FLAT:$LN12@main ; filter
DD FLAT:$LN8@main ; handler
xdata$x ENDS


$T2 = -36 ; size = 4
_p$ = -32 ; size = 4
tv68 = -28 ; size = 4
