flat assembler
Message board for the users of flat assembler.

Index > Windows > SEH Problem

SPTH
Joined: 24 Jul 2004
Posts: 91
Hello

I have a problem with SEH.
I want my SEH frame to be in a buffer of my memory, not on the stack (as it is done by most SEH). The reason is that I also want to catch malicious usage of buffers, which will cause problems when I use the stack for the SEH frame.
I've read that documentation (http://www.microsoft.com/msj/0197/exception/exception.aspx) today, so I know it should work in theory.

Using the stack, the code works, using the memory buffer, it does not.

(see especially the SEH_TRY macro)

Code:
include 'E:\Programme\FASM\INCLUDE\win32ax.inc'

macro SEH_TRY
{

        push    dword[fs:0x0]
        pop     dword[ExcReg_prev]   ; Save old Exception Handler (whatever it is)

        mov     dword[sEAX], eax        ; Save Registers
        mov     dword[sECX], ecx        ; same as PUSHAD, but saves in .data
        mov     dword[sEDX], edx
        mov     dword[sEBX], ebx
        mov     dword[sESP], esp
        mov     dword[sEBP], ebp
        mov     dword[sESI], esi
        mov     dword[sEDI], edi

        ; When an exception is thrown, the OS will act as follows:

        ; TIB (Thread Information Block)=fs:0x0
        ; dword[TIB:0x0]=dword[fs:0x0] -> EXCEPTION_REGISTRATION struct
        ; EXCEPTION_REGISTRATION.handler -> callback function (will be called)

        push    SEH_Handler
        pop     dword[ExcReg_handler]   ; Set Handler in EXCEPTION_REGISTRATION structure

;        push    SEH_Handler
;        push    dword[fs:0x0]
;        mov     dword[fs:0x0], esp   ; this works!

        push    EXCEPTION_REGISTRATION
        pop     dword[fs:0x0]   ; this does NOT work!!!!!!!!!

}


macro SEH_EXCEPTION
{
        jmp     SEH_NoException

     SEH_Handler:

        mov     eax, dword[ExcReg_prev]
        mov     dword[fs:0x0], eax

        mov     eax, dword[sEAX]
        mov     ecx, dword[sECX]
        mov     edx, dword[sEDX]
        mov     ebx, dword[sEBX]
        mov     esp, dword[sESP]
        mov     ebp, dword[sEBP]
        mov     esi, dword[sESI]
        mov     edi, dword[sEDI]
}


macro SEH_END
{
        jmp     SEH_Finish

     SEH_NoException:
        push    dword[ExcReg_prev]
        pop     dword[fs:0x0]

     SEH_Finish:
}



.data
                sEAX dd 0x0
                sECX dd 0x0
                sEDX dd 0x0
                sEBX dd 0x0
                sESP dd 0x0
                sEBP dd 0x0
                sESI dd 0x0
                sEDI dd 0x0

                oldEH dd 0x0

            EXCEPTION_REGISTRATION:
                ExcReg_prev    dd 0x0
                ExcReg_handler dd 0x0


start:
           SEH_TRY

                invoke  MessageBox, 0x0, "try", "try", 0x0
                xor     eax, eax
                mov     dword[eax], eax

           SEH_EXCEPTION

                invoke  MessageBox, 0x0, "EX", "EX", 0x0

           SEH_END

                invoke  MessageBox, 0x0, "fin", "fin", 0x0

                ret

.end start
    


With the stack SEH, it catches the exception and shows all three message boxes. With the memory buffer SEH, it shows the first message box and then stops the program (without any further message such as a Windows warning).

I have no idea what the reason could be that it does not work. Can anybody help me, please?!

I'm hopeless, tried for many hours without success.


THANKS in advance!

Have a nice day!
Post 03 Dec 2010, 02:56
baldr
Joined: 19 Mar 2008
Posts: 1651
SPTH,

It seems that the exception registration record being in the stack range of the faulting thread is crucial for SEH to work as expected. Quite logical, I should say (think of reentrance and unwinding).
Post 03 Dec 2010, 11:32
pearlz
Joined: 07 Jun 2010
Posts: 55
Location: Viet Nam
hey, buddy. I'm not sure what you do, but
Code:
;in 32 bit protected mode all segment register must be zero
;fs=gs=es=ds=cs=0

pop     dword[fs:0x0]
;....................
mov     dword[fs:0x0], eax
;...................
 xor     eax, eax 
 mov     dword[eax], eax 
; same as 
mov     dword[0x0],0  ; eax=0

    

All of it writes some value to the low memory of the program in virtual RAM,
but this address is not for the program to store data.
You can get a value from it but can't store a value to it
-> crash
Post 03 Dec 2010, 16:23
SPTH
Joined: 24 Jul 2004
Posts: 91
@baldr: Hey. Why is this logical? The documentation says that [fs:0x0] points to an EXCEPTION_REGISTRATION struct, and the struct contains the handler.
It is not mentioned that it is restricted to the stack.

Sorry, but I don't see your arguments why this is logical; it is not for me. What do you mean by reentrance and unwinding?

---

@pearlz:


Code:
mov dword[fs:0x0], eax
    


This is to save the pointer to the EXCEPTION_REGISTRATION structure - this is the standard way it is done for SEHs.

Code:
xor eax, eax
mov dword[eax],eax
    

With that code I try to throw an exception which should be handled by the SEH handler. That's to test whether the SEH works or not. That should be quite obvious; sorry for the misunderstanding anyway.
Post 03 Dec 2010, 16:40
f0dder
Joined: 19 Feb 2004
Posts: 3170
Location: Denmark
SPTH: there's more stored at [FS:xx] than just the TEB pointer. For instance, "acceptable limits" (lower, higher) values for ESP are stored there; if your ESP is outside that range, your process will be forcefully terminated (dunno if it's the thread scheduler or API calls that check it). This makes a lot of sense for normal programs, since a corrupted stack means you're fucked - you can't stack unwind and call exceptions, and the reasoning is probably also that if ESP goes outside a sane range, it's probably best to just terminate anyway.

And for some reason, the SEH is (heavily :) ) expected to be located inside the stack.

I wouldn't recommend changing the stack range for normal programs (could trigger AV products), and if you're working on SEH tracing for unpacking reasons, be aware that this is very likely checked against.
Post 03 Dec 2010, 19:40
baldr
Joined: 19 Mar 2008
Posts: 1651
SPTH,

Probably f0dder had it right, I'm just adding: reentrance means recursivity, unwinding means proper recovery from nested SEH (perhaps recursive ;) ).
Post 03 Dec 2010, 22:54
SPTH
Joined: 24 Jul 2004
Posts: 91
Post 04 Dec 2010, 09:23
baldr
Joined: 19 Mar 2008
Posts: 1651
SPTH wrote:
I am curious: Is it possible to make the SEH frame somewhere else?
Among the first things RtlDispatchException() does is check that the exception registration record is within the thread's stack range (it should be dword-aligned too).
Post 04 Dec 2010, 10:32
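A small model of the check baldr and f0dder describe, added here as an illustration (it is not code from the thread or from Windows): a simulated 32-bit address space with a chain of EXCEPTION_REGISTRATION records, walked with the same "inside the thread's stack range and dword-aligned" test before each handler would be called. The stack range, addresses and handler values are constructed.

```c
/* Model of the check baldr describes: before invoking a handler, the
 * dispatcher verifies that each EXCEPTION_REGISTRATION record lies inside the
 * thread's stack range (TIB StackLimit..StackBase) and is dword-aligned.
 * Addresses are constructed 32-bit values in a simulated address space. */
#include <stdint.h>
#include <stddef.h>
#define SEH_CHAIN_END 0xFFFFFFFFu   /* prev == -1 terminates the chain */

/* Same layout as the record in the thread's asm: prev, then handler. */
typedef struct { uint32_t prev, handler; } exc_reg;
/* Constructed thread state: stack limits and the chain head ([fs:0]). */
typedef struct { uint32_t stack_limit, stack_base, head; } tib_model;
/* Simulated memory: records placed at chosen 32-bit addresses. */
typedef struct { uint32_t addr; exc_reg rec; } mem_cell;

static const exc_reg *mem_read(const mem_cell *m, size_t n, uint32_t addr) {
    for (size_t i = 0; i < n; i++)
        if (m[i].addr == addr) return &m[i].rec;
    return NULL;                    /* address not mapped */
}

/* Record must be 4-byte aligned and fit entirely within the stack range. */
int record_is_valid(const tib_model *t, uint32_t addr) {
    if (addr & 3u) return 0;
    if (addr < t->stack_limit) return 0;
    if ((uint64_t)addr + sizeof(exc_reg) > t->stack_base) return 0;
    return 1;
}

/* Walk the chain as a dispatcher would: number of handlers that would be
 * called, or -1 when a record fails the check (SPTH's case: no handler runs). */
int walk_chain(const tib_model *t, const mem_cell *m, size_t n) {
    int called = 0;                 /* also bounds the walk: cycle guard */
    const exc_reg *r;
    for (uint32_t cur = t->head; cur != SEH_CHAIN_END; cur = r->prev, called++) {
        if (called >= 64 || !record_is_valid(t, cur)) return -1;
        if ((r = mem_read(m, n, cur)) == NULL) return -1;
    }
    return called;
}

/* Constructed scenario: 64 KiB stack, the default record near its top, and
 * SPTH's record at rec_addr (on the stack, or in .data as SEH_TRY does). */
int scenario(uint32_t rec_addr) {
    tib_model t = { 0x00120000u, 0x00130000u, rec_addr };
    mem_cell m[] = { { rec_addr,    { 0x0012FFE0u,   0x00401000u } },   /* SEH_Handler */
                     { 0x0012FFE0u, { SEH_CHAIN_END, 0x7C900000u } } }; /* default */
    return walk_chain(&t, m, 2);    /* 0x0012FF80 -> 2, 0x00402000 -> -1 */
}
```

With the record on the stack both handlers in the chain are reachable; with the record in .data the walk stops at the first check, which matches the behaviour SPTH saw (first message box, then the process ends).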
Copyright © 1999-2020, Tomasz Grysztar. Also on YouTube, Twitter.