issuhub.com

Assembly Language for Beginners

(nextflipdebug2) #1 
6.5. WINDOWS NT

_ep$ = 12 ; size = 4

_filter_user_exceptions PROC

push ebp

mov ebp, esp

mov eax, DWORD PTR _code$[ebp]

push eax

push OFFSET $SG85486 ; 'in filter. code=0x%08X'

call _printf

add esp, 8

cmp DWORD PTR _code$[ebp], 1122867 ; 00112233H

jne SHORT $LN2@filter_use

push OFFSET $SG85488 ; 'yes, that is our exception'

call _printf

add esp, 4

mov eax, 1

jmp SHORT $LN3@filter_use

jmp SHORT $LN3@filter_use

$LN2@filter_use:

push OFFSET $SG85490 ; 'not our exception'

call _printf

add esp, 4

xor eax, eax

$LN3@filter_use:

pop ebp

ret 0

_filter_user_exceptions ENDP

Here is the meaning of thecookies: Cookie Offsetis the difference between the address of the saved

EBPvalueinthestackandtheEBP⊕security_cookievalueinthestack.Cookie XOR Offsetisanadditional

difference between theEBP⊕security_cookievalue and what is stored in the stack.

If this equation is not true, the process is to halt due to stack corruption:

security_cookie⊕(CookieXOROf f set+address_of_saved_EBP) ==stack[address_of_saved_EBP+CookieOf f set]

IfCookie Offsetis− 2 , this implies that it is not present.

Cookieschecking is also implemented in mytracer, seeGitHubfor details.

It is still possible to fall back to SEH3 in the compilers after (and including) MSVC 2005 by setting the
/GS-option, however, theCRTcode use SEH4 anyway.


Windows x64

As you might think, it is not very fast to set up the SEH frame at each function prologue. Another perfor-

mance problem is changing theprevious try levelvalue many times during the function’s execution.

So things are changed completely in x64: now all pointers totryblocks, filter and handler functions are

stored in another PE segment.pdata, and from there theOS’s exception handler takes all the information.

Here are the two examples from the previous section compiled for x64:

Listing 6.33: MSVC 2012

$SG86276 DB 'hello #1!', 0aH, 00H

$SG86277 DB 'hello #2!', 0aH, 00H

$SG86279 DB 'access violation, can''t recover', 0aH, 00H

pdata SEGMENT

$pdata$main DD imagerel $LN9

DD imagerel $LN9+61

DD imagerel $unwind$main

pdata ENDS

pdata SEGMENT

$pdata$main$filt$0 DD imagerel main$filt$0

DD imagerel main$filt$0+32

DD imagerel $unwind$main$filt$0

pdata ENDS

xdata SEGMENT

$unwind$main DD 020609H
Free download pdf
Get our desktop app
Company
Features
Documentation
Resources
© ISSUHUB. 2024. All rights reserved.