flat assembler
Message board for the users of flat assembler.
Windows > SEH Problem
baldr 03 Dec 2010, 11:32
SPTH,
It seems that the exception registration record being in the stack range of the faulting thread is crucial for SEH to work as expected. Quite logical, I should say (think of reentrance and unwinding).
pearlz 03 Dec 2010, 16:23
Hey, buddy. I'm not sure what you do, but
Code:
    ; in 32 bit protected mode all segment registers must be zero
    ; fs=gs=es=ds=cs=0
    pop dword [fs:0x0]
    ; ....................
    mov dword [fs:0x0], eax
    ; ...................
    xor eax, eax
    mov dword [eax], eax    ; same as mov dword [0x0], 0 ; eax=0
All of this brings a value to the low memory of the program in virtual RAM, but this address is not for the program to store data: you can get its value, but you can't store a value to it -> crash.
SPTH 03 Dec 2010, 16:40
@baldr: Hey. Why is this logical? The documentation says that [fs:0x0] points to an EXCEPTION_REGISTRATION struct, and the struct contains the handler.
It is not mentioned that it is restricted to the stack. Sorry, but I don't see your arguments why this is logical; it is not for me. What do you mean by reentrance and unwinding?
---
@pearlz:
Code:
    mov dword [fs:0x0], eax
This is to save the pointer to the EXCEPTION_REGISTRATION structure - this is the standard way it is done for SEHs.
Code:
    xor eax, eax
    mov dword [eax], eax
With that code I try to throw an exception which should be handled by the SEH handler. That's to test whether the SEH works or not. That should be quite obvious - sorry for the misunderstanding anyway.
f0dder 03 Dec 2010, 19:40
SPTH: there's more stored at [FS:xx] than just the TEB pointer. For instance, "acceptable limits" (lower, higher) values for ESP are stored there; if your ESP is outside that range, your process will be forcefully terminated (dunno if it's the thread scheduler or API calls that check it). This makes a lot of sense for normal programs, since a corrupted stack means you're fucked - you can't stack unwind and call exceptions, and the reasoning is probably also that if ESP goes outside a sane range, it's probably best to just terminate anyway.
And for some reason, the SEH is (heavily) expected to be located inside the stack. I wouldn't recommend changing the stack range for normal programs (could trigger AV products), and if you're working on SEH tracing for unpacking reasons, be aware that this is very likely checked against.
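Added example (not code from any post in this thread): a FASM Win32 console program that puts together the two things discussed above, the standard on-stack frame installation and deliberate null write from SPTH's post, and the stack-bounds rule from f0dder's post. The bounds in question are the TEB's NtTib.StackBase and NtTib.StackLimit, read from fs:[4] and fs:[8]. Before calling a handler, ntdll's x86 RtlDispatchException rejects a registration record that is not 4-byte aligned or that does not lie entirely inside [StackLimit, StackBase), marks the exception EXCEPTION_STACK_INVALID and returns without calling the handler, so the fault goes unhandled and the process is terminated. The program prints the bounds, installs a record on the stack, faults on [0], resumes from the handler, and then runs the same bounds test on a record kept in .data and declines to install it. The labels `handler`, `resume`, `frame_in_stack`, `report_record`, `data_frame` and the format strings are this example's own; the CONTEXT offsets 0B8h (Eip) and 0C4h (Esp) are the x86 CONTEXT layout. Assemble with fasm and run as a 32-bit process (also fine under WOW64).

```asm
; Added example: SEH record on the stack vs. the same record in .data, with the
; bounds test ntdll's RtlDispatchException applies before it calls a handler.
format PE console 4.0
entry start

include 'win32a.inc'

section '.data' data readable writeable
    fmt_bounds  db 'StackLimit=%08X StackBase=%08X',13,10,0
    fmt_ok      db 'handler ran: code %08X, record at %08X',13,10,0
    fmt_check   db 'record at %08X: %s',13,10,0
    s_inside    db 'inside the stack, dispatcher accepts it',0
    s_outside   db 'outside the stack, dispatcher rejects it (not installed)',0
    saved_code  rd 1            ; ExceptionCode captured by the handler
    saved_frame rd 1            ; address of our registration record
    data_frame  rd 2            ; EXCEPTION_REGISTRATION_RECORD {Next, Handler} in .data

section '.text' code readable executable

start:
    cinvoke printf, fmt_bounds, dword [fs:8], dword [fs:4]   ; NtTib.StackLimit, NtTib.StackBase

    ; 1) the standard way: the record lives on the stack
    push handler                ; .Handler
    push dword [fs:0]           ; .Next = current head of the chain
    mov  [fs:0], esp            ; head now points at our record
    mov  ecx, esp
    call report_record          ; prints "inside the stack"
    xor  eax, eax
    mov  [eax], eax             ; write to address 0 -> STATUS_ACCESS_VIOLATION (C0000005)
resume:                         ; handler sets Eip here with Esp = address of our record
    pop  dword [fs:0]           ; unlink: .Next becomes the head again
    add  esp, 4                 ; discard .Handler
    cinvoke printf, fmt_ok, dword [saved_code], dword [saved_frame]

    ; 2) same layout in .data: the dispatcher would reject it, so it is not installed
    mov  dword [data_frame+4], handler
    mov  ecx, data_frame
    call report_record          ; prints "outside the stack"
    ; installing it anyway (mov [fs:0], data_frame) leaves the fault unhandled
    ; and the process is terminated, which is f0dder's point above

    invoke ExitProcess, 0

; in: ecx = record address. out: eax = 1 if RtlDispatchException would accept it, else 0
; (4-byte aligned and [record, record+8] entirely within [StackLimit, StackBase))
frame_in_stack:
    xor  eax, eax
    test ecx, 3                 ; misaligned record?
    jnz  .done
    cmp  ecx, [fs:8]            ; starts below StackLimit?
    jb   .done
    lea  edx, [ecx+8]
    cmp  edx, [fs:4]            ; ends past StackBase?
    ja   .done
    inc  eax
.done:
    ret

; in: ecx = record address. prints the verdict of frame_in_stack
report_record:
    call frame_in_stack         ; preserves ecx
    mov  edx, s_outside
    test eax, eax
    jz   @f
    mov  edx, s_inside
@@: cinvoke printf, fmt_check, ecx, edx
    ret

; EXCEPTION_DISPOSITION __cdecl handler(EXCEPTION_RECORD *rec, void *frame,
;                                        CONTEXT *ctx, void *dispatcher)
; the dispatcher only gets here after 'frame' passed the bounds test above
handler:
    mov  eax, [esp+4]           ; EXCEPTION_RECORD*
    mov  eax, [eax]             ; .ExceptionCode
    mov  [saved_code], eax
    mov  edx, [esp+8]           ; our EXCEPTION_REGISTRATION_RECORD* (= esp at install time)
    mov  [saved_frame], edx
    mov  ecx, [esp+12]          ; CONTEXT*
    mov  dword [ecx+0B8h], resume   ; CONTEXT.Eip (x86 layout)
    mov  [ecx+0C4h], edx            ; CONTEXT.Esp -> back to our record
    xor  eax, eax               ; ExceptionContinueExecution
    ret

section '.idata' import data readable writeable
    library kernel32, 'KERNEL32.DLL', \
            msvcrt,   'MSVCRT.DLL'
    import  kernel32, ExitProcess, 'ExitProcess'
    import  msvcrt,   printf, 'printf'
```

The record's Next field is chained to the previous head of the list, so the chain still ends in ntdll's final handler and SEHOP, where it is enabled, is satisfied; the handler lives in the module's code section, so DEP is not an issue either. If you want to see the failure mode for yourself, install `data_frame` at [fs:0] instead of skipping it and fault again: the handler is never entered.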
baldr 03 Dec 2010, 22:54
SPTH,
Probably f0dder had it right, I'm just adding: reentrance means recursivity, unwinding means proper recovery from nested SEH (perhaps recursive).
SPTH 04 Dec 2010, 09:23
baldr 04 Dec 2010, 10:32
SPTH wrote: I am curious: Is it possible to make the SEH frame somewhere else?
Copyright © 1999-2024, Tomasz Grysztar. Also on GitHub, YouTube.
Website powered by rwasa.