Reverse Engineering for Beginners


CHAPTER 68. WINDOWS NT


_main ENDP


_code$ = 8 ; size = 4
_ep$ = 12 ; size = 4
_filter_user_exceptions PROC
push ebp
mov ebp, esp
mov eax, DWORD PTR _code$[ebp]
push eax
push OFFSET $SG85486 ; 'in filter. code=0x%08X'
call _printf
add esp, 8
cmp DWORD PTR _code$[ebp], 1122867 ; 00112233H
jne SHORT $LN2@filter_use
push OFFSET $SG85488 ; 'yes, that is our exception'
call _printf
add esp, 4
mov eax, 1
jmp SHORT $LN3@filter_use
jmp SHORT $LN3@filter_use
$LN2@filter_use:
push OFFSET $SG85490 ; 'not our exception'
call _printf
add esp, 4
xor eax, eax
$LN3@filter_use:
pop ebp
ret 0
_filter_user_exceptions ENDP


Here is the meaning of the cookies: Cookie Offset is the difference between the address of the saved EBP value in the
stack and the EBP⊕security_cookie value in the stack. Cookie XOR Offset is an additional difference between the
EBP⊕security_cookie value and what is stored in the stack. If this equation is not true, the process is to halt due to stack
corruption:


security_cookie ⊕ (CookieXOROffset + address_of_saved_EBP) == stack[address_of_saved_EBP + CookieOffset]


If Cookie Offset is −2, this implies that it is not present.
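The check above, as an added illustration (not code from the book, the CRT or the tracer): a small C model with a constructed stack, security cookie and offsets that stores the cookie the way a prologue would, verifies the equation, treats Cookie Offset = −2 as "no cookie", and shows an overwritten slot being caught.

```c
#include <stdbool.h>
#include <stdint.h>
/* Constructed model: a tiny "stack" of 32-bit slots starting at STACK_BASE (a
 * sample address). Offsets are signed byte counts, as in the MSVC scope table. */
#define STACK_SLOTS 16
#define STACK_BASE  0x0012FF00u
#define NO_COOKIE   (-2)            /* Cookie Offset == -2: no cookie present */
typedef struct {
    int32_t cookie_offset;          /* Cookie Offset */
    int32_t cookie_xor_offset;      /* Cookie XOR Offset */
} seh4_cookie_info;

/* Slot index for a simulated address, or -1 if it lies outside the model. */
static int slot_of(uint32_t addr) {
    uint32_t off = addr - STACK_BASE;
    return (off % 4 == 0 && off / 4 < STACK_SLOTS) ? (int)(off / 4) : -1;
}

/* Value the prologue stores at stack[address_of_saved_EBP + Cookie Offset]:
 * security_cookie XOR (Cookie XOR Offset + address_of_saved_EBP). */
uint32_t seh4_expected_cookie(uint32_t security_cookie,
                              uint32_t address_of_saved_EBP, seh4_cookie_info info) {
    return security_cookie ^ (address_of_saved_EBP + (uint32_t)info.cookie_xor_offset);
}

/* The CRT's test before it trusts the frame: true when the equation holds,
 * false when the process would halt for stack corruption. */
bool seh4_cookie_check(const uint32_t *stack, uint32_t security_cookie,
                       uint32_t address_of_saved_EBP, seh4_cookie_info info) {
    if (info.cookie_offset == NO_COOKIE) return true;     /* nothing to verify */
    int idx = slot_of(address_of_saved_EBP + (uint32_t)info.cookie_offset);
    if (idx < 0) return false;                            /* slot outside the frame */
    return stack[idx] == seh4_expected_cookie(security_cookie, address_of_saved_EBP, info);
}

/* Scenario: build an intact frame (check passes), then clobber the cookie slot
 * the way a frame overwrite would (check fails). Returns 2 when both hold. */
int seh4_demo(void) {
    uint32_t stack[STACK_SLOTS] = {0};
    seh4_cookie_info info = { -8, 8 };                    /* constructed offsets */
    uint32_t cookie = 0xBB40E64Eu, ebp = 0x0012FF20u;     /* constructed values */
    int slot = slot_of(ebp + (uint32_t)info.cookie_offset);
    if (slot < 0) return -1;
    stack[slot] = seh4_expected_cookie(cookie, ebp, info); /* prologue's store */
    int intact = seh4_cookie_check(stack, cookie, ebp, info);
    stack[slot] = 0xDEADBEEFu;                            /* simulated corruption */
    int caught = !seh4_cookie_check(stack, cookie, ebp, info);
    return intact + caught;
}
```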


Cookie checking is also implemented in my tracer, see GitHub for details.


It is still possible to fall back to SEH3 in the compilers after (and including) MSVC 2005 by setting the /GS- option, however,
the CRT code uses SEH4 anyway.


68.3.3 Windows x64


As you might think, it is not very fast to set up the SEH frame at each function prologue. Another performance problem is
changing the previous try level value many times during the function’s execution. So things are changed completely in x64:
now all pointers to try blocks, filter and handler functions are stored in another PE segment, .pdata, and from there the
OS’s exception handler takes all the information.


Here are the two examples from the previous section compiled for x64:


Listing 68.12: MSVC 2012

$SG86276 DB 'hello #1!', 0aH, 00H
$SG86277 DB 'hello #2!', 0aH, 00H
$SG86279 DB 'access violation, can''t recover', 0aH, 00H


pdata SEGMENT
$pdata$main DD imagerel $LN9
DD imagerel $LN9+61
DD imagerel $unwind$main
pdata ENDS
pdata SEGMENT
$pdata$main$filt$0 DD imagerel main$filt$0
DD imagerel main$filt$0+32
DD imagerel $unwind$main$filt$0
pdata ENDS
xdata SEGMENT
