How does try/catch works at assembly level?

Index > Windows > How does try/catch works at assembly level?

Author

Thread

Teehee

Joined: 05 Aug 2009
Posts: 568
Location: Brazil

Teehee

Code:

try
{
}
catch (Exception)
{
}

_________________
Sorry if bad english.

21 Jul 2010, 11:39

revolution
When all else fails, read the source

Joined: 24 Aug 2004
Posts: 17663
Location: In your JS exploiting you and your system

revolution

Here is my old try/catch/finally macro.

Code:

struct SEH
    PrevLink        dd      ?       ;the address of the previous seh structure
  CurrentHandler  dd      ?       ;the address of the exception handler
       SafeOffset      dd      ?       ;The offset where it's safe to continue execution
  PrevEsp         dd      ?       ;the old value in esp
       PrevEbp         dd      ?       ;The old value in ebp
ends

macro try handler {
       local   .catch,catch_list,.finally
  try@catch_list equ catch_list
       try@.finally equ .finally
   try@.catch equ .catch
       pushd   ebp
 pushd   esp
 pushd   .catch
      pushd   handler
     pushd   [fs:0]
  mov     [fs:0],esp
      mov     [esp+SEH.PrevEsp],esp
        catch_list equ
    macro catch exception \{
       \local .address
      match ,catch_list\\{
       jmp     .finally
      \\}
      match any,exception \\{
        catch_list equ catch_list, exception .address
       .address:
      \\}
      match ,exception \\{
      .catch:
 match catchlist,catch_list\\\{irp except_addr,catchlist\\\\{match except _addr,except_addr\\\\\{
 cmp     eax,except
  jz      _addr \\\\\} \\\\} \\\}
  catch_list equ
      \\}
    \}
}
try@catch_list equ
try@.finally equ
try@.catch equ
macro finally {
    local here
      match ,try@.catch\{
       display 'Finally without try',13,10
       halt
      \}
      if ~ defined try@.catch | defined here
      match any,try@.catch\{
        try@.catch:
     here=1
      \}
      end if
      match clst,try@catch_list\{match any,clst\\{
 display 'Pending catches not cleared with "catch"',13,10
        halt
      \\} \}
      match any,try@.finally\{
   try@.finally:
      \}
 mov     esp,[fs:0]
      popd    [fs:0]
  add     esp,16
      purge catch
 restore try@.catch,try@catch_list,try@.finally
}

edit: I forgot to include a generic handler:

Code:

generic_handler:
    ;edx=exception address
    ;eax=exception code
      virtual at esp+4
  .pExcept        dd      ?
   .pFrame         dd      ?
   .pContext       dd      ?
   .pDispatch      dd      ?
      end virtual
      mov     ecx,[.pFrame]
       mov     eax,[.pContext]
     sub     eax,-80h
    mov     edx,[eax+CONTEXT.Eip-080h]
  mov     [eax+CONTEXT.Edx-080h],edx
  mov     edx,[ecx+SEH.SafeOffset]
    mov     [eax+CONTEXT.Eip-080h],edx
  mov     edx,[ecx+SEH.PrevEsp]
       mov     [eax+CONTEXT.Esp-080h],edx
  mov     edx,[ecx+SEH.PrevEbp]
       mov     [eax+CONTEXT.Ebp-080h],edx
  mov     edx,[.pExcept]
      mov     edx,[edx+EXCEPTION_RECORD.ExceptionCode]
    mov     [eax+CONTEXT.Eax-080h],edx
  xor     eax,eax
     ret     16

Last edited by revolution on 21 Jul 2010, 11:48; edited 1 time in total

21 Jul 2010, 11:44

Teehee

Joined: 05 Aug 2009
Posts: 568
Location: Brazil

Teehee

wow, thats so big.. but i can't understand macros yet. Sad

21 Jul 2010, 11:47

revolution
When all else fails, read the source

Joined: 24 Aug 2004
Posts: 17663
Location: In your JS exploiting you and your system

revolution

It is probably easier just to make your code correct and never generate exceptions.

Try/catch is the only way I know of to use into in a Windows proggy. But who ever used it anyway even in the DOS days when you could?

21 Jul 2010, 13:29

revolution
When all else fails, read the source

Joined: 24 Aug 2004
Posts: 17663
Location: In your JS exploiting you and your system

revolution

BTW: did you know that the WM_TIMER callback is run under the API try/catch block? This means you can't use int3 to trigger a debugger, it gets swallowed by the handler and your proggy continues to run. Sad

21 Jul 2010, 13:32

vid
Verbosity in development

Joined: 05 Sep 2003
Posts: 7105
Location: Slovakia

vid

Most often I have seen try/catch implemented in C using setjmp() / longjmp() mechanism.

Basically you just save stack pointer and address where to jump on every "try", stack up these structures, and on exception go back over them until you find appropriate catch for the type of exception that was thrown.

This becomes useful when you have ability to automatically call "destructors" of objects that needs some extra code upon release (like open file handles, allocated memory, etc.). This is not very much possible to do (in sane way) in ASM or C, and so try/catch isn't used so often either.

21 Jul 2010, 14:11

revolution
When all else fails, read the source

Joined: 24 Aug 2004
Posts: 17663
Location: In your JS exploiting you and your system

revolution

vid wrote:

Most often I have seen try/catch implemented in C using setjmp() / longjmp() mechanism.

Does that use the SEH mechanism? Or is it just an internal C error check and jump?

21 Jul 2010, 15:21

vid
Verbosity in development

Joined: 05 Sep 2003
Posts: 7105
Location: Slovakia

vid

Depends on implementation Wink

Supposing we are speaking of Windows, I never checked. However, I saw it used somewhere in HAL.DLL, and I am not really so sure SEH can be used there. In userland, my guess would be SEH is used.

21 Jul 2010, 15:52

b1528932

Joined: 21 May 2010
Posts: 287

b1528932

in userland, exceptions will NEVER occur. And if they do there is nbothing u can do about them, just kill the app.
In kernel mode however, its diffrent story.

Windows provide SEH. structure at address 0 holds NT_TIB, and NT_TIB holds exception records. each one is called by exception handler (well not exactly, exception handler return control to userland first, then userland function calls them). If they return something - next is invoked, if theyt return something else - execution is halted.

you have to change ip/registers manually to fix the exception issue.

21 Jul 2010, 23:16

revolution
When all else fails, read the source

Joined: 24 Aug 2004
Posts: 17663
Location: In your JS exploiting you and your system

revolution

b1528932 wrote:

in userland, exceptions will NEVER occur.

Are you sure? "cli" will cause an exception.

b1528932 wrote:

And if they do there is nbothing u can do about them, just kill the app.

Nothing? But you can use SEH to catch it and recover if wanted.

22 Jul 2010, 00:03

baldr

Joined: 19 Mar 2008
Posts: 1651

baldr

Teehee,

There are try/catch and __try/__catch. They are different. Matt Pietrek described them in MSJ June 1997 "Under the hood" column; OpenRCE contains fine article about MSVC implementation details.

25 Aug 2010, 09:20

< Last Thread | Next Thread >

Forum Rules:

You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You can download files in this forum