Reversing : The Hacker's Guide to Reverse Engineering

The exception handler list is stored in the thread information block (TIB) data
structure, which is available from user mode and contains the following fields:

_NT_TIB:
+0x000 ExceptionList : 0x0012fecc
+0x004 StackBase : 0x00130000
+0x008 StackLimit : 0x0012e000
+0x00c SubSystemTib : (null)
+0x010 FiberData : 0x00001e00
+0x010 Version : 0x1e00
+0x014 ArbitraryUserPointer : (null)
+0x018 Self : 0x7ffde000

The TIB is stored in regular private-allocation user-mode memory. We
already know that a single process can have multiple threads, but all threads
see the same memory; they all share the same address space. This means that
each process can have multiple TIB data structures. How does a thread find its
own TIB at runtime? On IA-32 processors, Windows uses the FS segment register
as a pointer to the currently active thread-specific data structures. The
current thread’s TIB is always available at FS:[0].
The ExceptionList member is the one of interest; it is the head of the current
thread’s exception handler list. When an exception is generated, the processor
calls the registered handler from the IDT. Let’s take a page-fault exception as
an example. When an invalid memory address is accessed (an invalid memory
address is one that doesn’t have a valid page-table entry), the processor
generates a page-fault interrupt (interrupt #14), and invokes the interrupt handler
from entry 14 at the IDT. In Windows, this entry usually points to the KiTrap0E
function in the Windows kernel. KiTrap0E decides which type of page fault has
occurred and dispatches it properly. For user-mode page faults that aren’t
resolved by the memory manager (such as faults caused by an application
accessing an invalid memory address), Windows calls into a user-mode exception
dispatcher routine called KiUserExceptionDispatcher in NTDLL.DLL.
KiUserExceptionDispatcher calls into RtlDispatchException, which
is responsible for going through the linked list at ExceptionList and looking
for an exception handler that can deal with the exception. The linked list is
essentially a chain of _EXCEPTION_REGISTRATION_RECORD data structures,
which are defined as follows:

_EXCEPTION_REGISTRATION_RECORD:
+0x000 Next : Ptr32 _EXCEPTION_REGISTRATION_RECORD
+0x004 Handler : Ptr32
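To make the walk concrete, here is an added example (not code from the book) that parses a constructed _NT_TIB dump with the field values quoted above, then follows the ExceptionList chain of _EXCEPTION_REGISTRATION_RECORDs to the 0xFFFFFFFF terminator the way a debugger or forensic tool would over a memory image. The record addresses on the stack and all handler addresses are made up; the checks that each record is 4-byte aligned and inside [StackLimit, StackBase) mirror the sanity check RtlDispatchException makes, and the cycle check keeps a corrupt list from looping forever.

```python
import struct

SEH_END = 0xFFFFFFFF  # Next value that terminates the handler chain


def parse_tib(tib_bytes):
    """Return the _NT_TIB fields used here from a 0x1c-byte dump."""
    exc_list, stack_base, stack_limit = struct.unpack_from("<III", tib_bytes, 0)
    return {"ExceptionList": exc_list, "StackBase": stack_base,
            "StackLimit": stack_limit}


def walk_seh_chain(stack, stack_limit, stack_base, exception_list, max_depth=64):
    """Follow _EXCEPTION_REGISTRATION_RECORD.Next from ExceptionList to 0xFFFFFFFF.

    stack: bytes covering [stack_limit, stack_base). Every record must be
    4-byte aligned and lie on the stack; loops and over-long chains raise.
    Returns a list of (record_address, handler_address) tuples.
    """
    chain, seen, cur = [], set(), exception_list
    while cur != SEH_END:
        if cur in seen or len(chain) >= max_depth:
            raise ValueError(f"SEH chain loops or is too long at {cur:#010x}")
        if cur & 3 or cur < stack_limit or cur + 8 > stack_base:
            raise ValueError(f"SEH record {cur:#010x} is not on the stack")
        seen.add(cur)
        nxt, handler = struct.unpack_from("<II", stack, cur - stack_limit)
        chain.append((cur, handler))
        cur = nxt
    return chain


def build_sample():
    """Constructed TIB and stack image; TIB values follow the dump above."""
    stack_limit, stack_base = 0x0012E000, 0x00130000
    tib = struct.pack("<IIIIIII", 0x0012FECC, stack_base, stack_limit,
                      0, 0x00001E00, 0, 0x7FFDE000)
    stack = bytearray(stack_base - stack_limit)
    # three registration records at made-up stack slots; handlers are made up
    records = {0x0012FECC: (0x0012FF78, 0x00401000),
               0x0012FF78: (0x0012FFE0, 0x00401200),
               0x0012FFE0: (SEH_END, 0x77E94A20)}
    for addr, (nxt, handler) in records.items():
        struct.pack_into("<II", stack, addr - stack_limit, nxt, handler)
    return tib, bytes(stack)


def handlers_for_sample():
    tib, stack = build_sample()
    f = parse_tib(tib)
    return walk_seh_chain(stack, f["StackLimit"], f["StackBase"], f["ExceptionList"])
```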

106 Chapter 3
