Reversing : The Hacker's Guide to Reverse Engineering

A bare-bones exception handler setup sequence looks something like this:

00411F8A push ExceptionHandler
00411F8F mov eax,dword ptr fs:[00000000h]
00411F95 push eax
00411F96 mov dword ptr fs:[0],esp

This sequence simply adds an _EXCEPTION_REGISTRATION_RECORD entry to the
current thread's exception handler list. The records are stored on the stack.

In real life you will rarely run into simple exception handler setup
sequences such as the one just shown. That's because compilers typically
augment the operating system's mechanism in order to provide support for
nested exception-handling blocks and for multiple blocks within the same
function. In the Microsoft compilers, this is done by routing exceptions to
the _except_handler3 exception handler, which then calls the correct exception
filter and exception handler based on the current function's layout. To
implement this functionality, the compiler maintains additional data
structures that describe the hierarchy of exception handlers within a single
function. The following is a typical Microsoft C/C++ compiler SEH installation
sequence:


00411F83 push 0FFFFFFFFh
00411F85 push 425090h
00411F8A push offset @ILT+420(__except_handler3) (4111A9h)
00411F8F mov eax,dword ptr fs:[00000000h]
00411F95 push eax
00411F96 mov dword ptr fs:[0],esp

As you can see, the compiler has extended the _EXCEPTION_REGISTRATION_RECORD
data structure and has added two new members. These members will be used by
_except_handler3 to determine which handler should be called.

Beyond the frame-based exception handlers, recent versions of the operating
system also support a vector of exception handlers, which is a linear list of
handlers that are called for every exception, regardless of which code
generated it. Vectored exception handlers are installed using the Win32 API
AddVectoredExceptionHandler.
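The dispatch order that the two listings set up, as an added Python model that is not from the book: each Frame stands for one _EXCEPTION_REGISTRATION_RECORD linked through the saved fs:[0] value, the MSVC frame carries the trylevel and scope table pushed before the handler, and vectored handlers run before the frame chain is walked. The scope-table layout (enclosing level, filter, handler per entry), the exception codes and the handler bodies are assumptions for the model, not details taken from this page.

```python
EXCEPTION_CONTINUE_SEARCH = 0      # decline: dispatcher moves to the next record
EXCEPTION_EXECUTE_HANDLER = 1      # filter result: run this __except block
EXCEPTION_CONTINUE_EXECUTION = -1  # resume at the faulting instruction
ACCESS_VIOLATION = 0xC0000005      # constructed sample exception code

class Frame:
    """One _EXCEPTION_REGISTRATION_RECORD: 'prev' is the old fs:[0] saved by the
    'mov eax, fs:[0]'; MSVC adds the trylevel (-1 = no __try) and scope table."""
    def __init__(self, handler, prev=None, trylevel=-1, scopetable=()):
        self.handler, self.prev = handler, prev
        self.trylevel, self.scopetable = trylevel, scopetable

def except_handler3(frame, code, trace):
    """Model of _except_handler3: walk the scope table outward from trylevel."""
    level = frame.trylevel
    while level != -1:
        enclosing, filt, handler = frame.scopetable[level]  # one table entry
        trace.append(f"filter{level}")
        if filt(code) == EXCEPTION_EXECUTE_HANDLER:
            trace.append(f"handler{level}")
            return handler(code)
        level = enclosing
    return EXCEPTION_CONTINUE_SEARCH  # no __except in this function took it

def dispatch(code, fs0, vectored, trace):
    """Vectored handlers run first; then walk the frame chain from fs:[0]."""
    for veh in vectored:
        trace.append("veh")
        if veh(code) == EXCEPTION_CONTINUE_EXECUTION:
            return EXCEPTION_CONTINUE_EXECUTION
    frame = fs0
    while frame is not None:        # follow the saved 'prev' links down the stack
        result = frame.handler(frame, code, trace)
        if result != EXCEPTION_CONTINUE_SEARCH:
            return result
        frame = frame.prev
    return EXCEPTION_CONTINUE_SEARCH  # unhandled: the OS would terminate

def bare_handler(frame, code, trace):
    trace.append("bare")            # the first listing's plain handler
    return EXCEPTION_CONTINUE_SEARCH

def demo(code, trylevel=1):
    """Nested __try: level 1 (inner) takes only access violations, level 0 all."""
    scopetable = ((-1, lambda c: EXCEPTION_EXECUTE_HANDLER, lambda c: "outer"),
                  (0, lambda c: EXCEPTION_EXECUTE_HANDLER if c == ACCESS_VIOLATION
                   else EXCEPTION_CONTINUE_SEARCH, lambda c: "inner"))
    msvc = Frame(except_handler3, Frame(bare_handler), trylevel, scopetable)
    trace = []
    return dispatch(code, msvc, [lambda c: EXCEPTION_CONTINUE_SEARCH], trace), trace
```

Calling demo with trylevel=-1 shows the frame walk itself: _except_handler3 declines, so the dispatcher follows the saved pointer to the older, bare record.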


Conclusion


This concludes our (extremely brief) journey through the architecture and
internals of the Windows operating system. This chapter provides the very
basics that every reverser must know about the operating system he or she is
using.


Windows Fundamentals 107