SEH (Structured Exception Handling) is a mechanism that lets our program handle errors itself instead of leaving them to the system. Windows, for example, by default shows an error message whenever your program reads from inaccessible memory, executes int 3, and so on. For more information see Wikipedia or the Microsoft Systems Journal.
I always did the following in order to set up SEH:
assume fs:nothing ;.model flat assumes fs:error, so allow fs: references
push offset handle_errors ;our procedure for handling errors
push fs:[0] ;previous registration record
mov fs:[0],esp ;link our record in: [esp] = previous record, [esp+4] = handler
int 3 ;in order to raise the exception
handle_errors:
invoke ExitProcess,0
What bothered me was that I did not know how to get the old register values back, especially esp. Then I found out that the SEH procedure takes parameters [thanks to y0da for this info], like this:
SehHandler PROC pExcept:DWORD,pFrame:DWORD,pContext:DWORD,pDispatch:DWORD
So from that I figured out that when the exception is dispatched and our handler is called, the system hands us an important pointer: the third parameter is a pointer to a CONTEXT structure holding the register state at the faulting instruction!
Since I did not like the PROC method and prefer the labels method :) I did this in order to get esp back:
assume fs:nothing
push offset handle_errors
push fs:[0]
mov fs:[0],esp
int 3
handle_errors:
mov eax,[esp+12] ;3 x 4 bytes: the dispatcher's return address, pExcept and pFrame come first, so [esp+12] is pContext
mov eax,dword ptr [eax+184+12] ;CONTEXT+184 (0B8h) is regEip; 12 bytes further (0C4h) is regEsp, the esp at the time of the int 3
mov esp,eax ;esp now points at our registration record again
pop fs:[0] ;restore the previous handler
pop eax ;discard the handler address: esp is restored :D
Note that this handler never returns to the exception dispatcher: it overwrites esp and simply falls through, leaving the dispatcher's frames abandoned on the stack below it. Of course you can also use the following:
assume eax:PTR CONTEXT ;the CONTEXT STRUCT is defined in windows.inc in the masm32 package
mov eax,[esp+12] ;pContext
mov esp,[eax].regEsp ;the same field as CONTEXT+196 above
pop fs:[0]
pop eax ;and we have esp back!
That's all.
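As an added, complete example (not code from the original post or from the commenter), here is a MASM32 program that puts the two halves together: a registration record extended with the saved esp/ebp and a resume address, and a handler written as a PROC with the four parameters shown above. Instead of switching esp inside the handler, it patches regEip, regEsp and regEbp in the CONTEXT and returns ExceptionContinueExecution, so the OS rebuilds the register state and resumes execution itself. It assumes the MASM32 SDK include names (the CONTEXT fields regEip/regEsp/regEbp and the ExceptionContinueExecution constant from windows.inc), a 32-bit build, and that the image is linked without /SAFESEH (or that the handler is registered with .SAFESEH); the SEH STRUCT field names, SehHandler and the message string are my own.

```asm
.386
.model flat, stdcall
option casemap:none

include \masm32\include\windows.inc
include \masm32\include\kernel32.inc
includelib \masm32\lib\kernel32.lib

; Registration record extended with the state the handler needs to resume.
; The first two fields are the EXCEPTION_REGISTRATION layout the OS expects at fs:[0].
SEH STRUCT
    PrevSEH   dd ?      ; previous fs:[0] value
    lpHandler dd ?      ; our handler
    PrevEsp   dd ?      ; esp to resume with (record still on the stack)
    PrevEbp   dd ?      ; ebp to resume with
    SafeExit  dd ?      ; address to resume at
SEH ENDS

.data
    msg_resumed db "exception caught, execution resumed at SafeExit", 13, 10
    msg_resumed_len equ $ - msg_resumed

.data?
    written dd ?

.code
assume fs:nothing

; Called by the OS exception dispatcher with C-style arguments, so in a
; label-style handler [esp+4] = pExcept, [esp+8] = pFrame, [esp+12] = pContext.
SehHandler PROC C pExcept:DWORD, pFrame:DWORD, pContext:DWORD, pDispatch:DWORD
    mov edx, pFrame
    mov eax, pContext
    assume edx:PTR SEH
    assume eax:PTR CONTEXT
    mov ecx, [edx].SafeExit
    mov [eax].regEip, ecx            ; CONTEXT+0B8h on x86
    mov ecx, [edx].PrevEsp
    mov [eax].regEsp, ecx            ; CONTEXT+0C4h on x86
    mov ecx, [edx].PrevEbp
    mov [eax].regEbp, ecx
    assume eax:nothing
    assume edx:nothing
    mov eax, ExceptionContinueExecution  ; 0: dispatcher resumes from the patched CONTEXT
    ret
SehHandler ENDP

start:
    ; Build the record on the stack, last field first.
    push offset resumed              ; SEH.SafeExit
    push ebp                         ; SEH.PrevEbp
    push 0                           ; SEH.PrevEsp, filled in once the record is complete
    push offset SehHandler           ; SEH.lpHandler
    push fs:[0]                      ; SEH.PrevSEH
    mov fs:[0], esp                  ; link the record in: fs:[0] -> PrevSEH
    mov [esp].SEH.PrevEsp, esp       ; resume with esp pointing at this record

    xor eax, eax
    mov eax, [eax]                   ; EXCEPTION_ACCESS_VIOLATION: SehHandler runs
    invoke ExitProcess, 1            ; not reached

resumed:
    ; Back here with esp/ebp as saved: unlink the record and drop its remaining fields.
    pop fs:[0]
    add esp, sizeof SEH - 4

    invoke GetStdHandle, STD_OUTPUT_HANDLE
    mov ebx, eax
    invoke WriteFile, ebx, addr msg_resumed, msg_resumed_len, addr written, NULL
    invoke ExitProcess, 0
end start
```

Assemble with ml /c /coff and link with /SUBSYSTEM:CONSOLE. PrevEsp is deliberately the value esp had with the record still on the stack, so the code at SafeExit can unlink it with pop fs:[0] before discarding the rest; resuming with an esp that no longer covers the record would leave fs:[0] pointing at dead stack, and the next exception would run through garbage.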
Labels: Assembly
1 Comments:
WTF man, use structures and procs:
SEH STRUCT ;must be defined before the ASSUME below
PrevSEH dd ? ;previous fs:[0]
lpHandler dd ? ;handler address (these two fields are what the OS expects at fs:[0])
PrevEsp dd ? ;esp to resume with
PrevEbp dd ? ;ebp to resume with
SafeExit dd ? ;address to resume at
SEH ENDS
Handler PROC C pExcept:DWORD, pFrame:DWORD, pContext:DWORD, pDispatch:DWORD
mov edx,[pFrame] ;our registration record, with the extra fields after the two the OS defines
ASSUME EDX:PTR SEH
mov eax,[pContext]
ASSUME EAX:PTR CONTEXT
push [edx].SafeExit
pop [eax].regEip ;resume here ...
push [edx].PrevEsp
pop [eax].regEsp ;... with this esp ...
push [edx].PrevEbp
pop [eax].regEbp ;... and this ebp
mov eax,ExceptionContinueExecution ;tell the dispatcher to resume from the patched CONTEXT
ASSUME EDX:NOTHING
ASSUME EAX:NOTHING
ret
Handler ENDP