Chapter 23: SEH Structured Exception Handling (2)

Source: Internet
Author: User

23.2 Compiler-level encapsulation of the system SEH mechanism

23.2.1 Structures that extend EXCEPTION_REGISTRATION: VC_EXCEPTION_REGISTRATION

(1) VC_EXCEPTION_REGISTRATION structure

    struct VC_EXCEPTION_REGISTRATION
    {
        VC_EXCEPTION_REGISTRATION* prev;        // previous exception frame
        FARPROC                    handler;     // exception handler callback
        scopetable_entry*          scopetable;  // pointer to the scopetable array
        int                        _index;      // index of the current __try block
        DWORD                      _ebp;        // current EBP value, used to access members
    };

(2) scopetable_entry structure

    struct scopetable_entry
    {
        DWORD   prev_entryindex;  // index of the previous scopetable_entry in the scopetable
        FARPROC lpfnFilter;       // filter function in the parentheses after __except; NULL for __finally
        FARPROC lpfnHandler;      // address of the code inside the braces {} of __except or __finally
    };

(3) VC exception frame stack layout and VC default exception handling

23.2.2 Data Structure Organization

(1) Each function registers only one VC_EXCEPTION_REGISTRATION structure (also called an exception frame; in the stack layout there are 5 frames, i.e. 5 function calls). A scopetable is created for all __try blocks within the function, and each __try block corresponds to one item in the scopetable. Each item is a scopetable_entry structure, whose lpfnFilter and lpfnHandler members represent the filter function and the handler function of the __except/__finally block; a __finally block has no filter function, only a handler function.

(2) If __try blocks are nested, the nesting is specified by the prev_entryindex member of the scopetable_entry structure; multiple levels of nesting form a singly linked list.

(3) For VC exception handling, the callback handler of every exception frame is uniformly set to _except_handler4. Each time execution enters a __try block, the compiler assigns the corresponding value to trylevel in VC_EXCEPTION_REGISTRATION. When an exception occurs in a __try block, the system first finds the _except_handler4 function (a C run-time library function) through the handler field of VC_EXCEPTION_REGISTRATION. Then, according to the current trylevel value, it finds the filter function and handler function of the corresponding __try block in the scopetable and handles the exception accordingly.

23.2.3 Execution flow of the _except_handler4 function

(1) When an exception occurs, the scopetable item is found according to the index, and its lpfnFilter is called. If the filter function lpfnFilter returns EXCEPTION_EXECUTE_HANDLER, the lpfnHandler function is called after the global unwind is performed. If lpfnFilter returns EXCEPTION_CONTINUE_EXECUTION, _except_handler4 simply returns EXCEPTION_CONTINUE_EXECUTION to the system, which resumes thread execution.

(2) If lpfnFilter returns EXCEPTION_CONTINUE_SEARCH, _except_handler4 checks whether prev_entryindex is 0xFFFFFFFE. If it is, _except_handler4 returns ExceptionContinueSearch, letting the system continue to traverse the outer SEH chain or handle the exception itself. Otherwise, _except_handler4 finds the corresponding filter function according to prev_entryindex and repeats the steps above according to its return value, until the exception is handled or prev_entryindex is 0xFFFFFFFE.

23.2.4 Summary: exception handling process and global unwind

[VcSEH program] Demonstrates the invocation of multi-level nested __try blocks

    /************************************************************************
    Module:  ExceptFrameInfo.h
    Notices: Copyright (c) Microsoft System Journal, February 1997, Matt Pietrek
             With the /GS option turned on, the MSVC 2005 compiler may still be
             rolled back to SEH3. However, the CRT code always uses SEH4.
    ************************************************************************/
    #pragma once
    #include <windows.h>
    #include <stdio.h>

    //-------------------------------------------------------------------
    // This program applies only to Visual C++, because it uses data
    // structures that are specific to Visual C++
    //-------------------------------------------------------------------
    #ifndef _MSC_VER
    #error Visual C++ Required (Visual C++ specific information is displayed)
    #endif

    /////////////////////////// Structure definitions ///////////////////////////

    // Basic exception frame defined by the operating system
    struct EXCEPTION_REGISTRATION
    {
        EXCEPTION_REGISTRATION* prev;
        FARPROC                 handler;
    };

    // Data structure that the VC++ extended exception frame points to
    struct scopetable_entry
    {
        DWORD   previousTryLevel;
        FARPROC lpfnFilter;    // filter function
        FARPROC lpfnHandler;   // address of the exception handler body
    };

    // Extended exception frame used by VC++
    struct VC_EXCEPTION_REGISTRATION : EXCEPTION_REGISTRATION
    {
        scopetable_entry* scopetable;
        int               trylevel;
        int               _ebp;
    };

    /////////////////////////// Prototype declarations ///////////////////////////
    // _except_handler4 is a Visual C++ runtime library function. We want to
    // print its address, but its prototype does not appear in any header
    // file, so we have to declare it ourselves.
    extern "C" DWORD __security_cookie;
    extern "C" int _except_handler4(PEXCEPTION_RECORD, EXCEPTION_REGISTRATION*,
                                    PCONTEXT, PEXCEPTION_RECORD);

    //////////////////////////////////////////////////////////////////////////
    // Displays information about one exception frame and its scopetable
    void ShowSEHFrame(VC_EXCEPTION_REGISTRATION* pVCExcReg)
    {
        // TRUE if this frame's handler is VC's _except_handler4
        BOOL bVcExceptionHandler4 = pVCExcReg->handler == (FARPROC)_except_handler4;

        if (bVcExceptionHandler4)
        {
            // SEH4 stores the scopetable pointer XORed with __security_cookie
            printf("frame:%08x handler:%08x prev:%08x scopetable:%08x\n",
                   pVCExcReg, pVCExcReg->handler, pVCExcReg->prev,
                   (DWORD)pVCExcReg->scopetable ^ __security_cookie);
        }
        else
        {
            printf("frame:%08x handler:%08x prev:%08x\n",
                   pVCExcReg, pVCExcReg->handler, pVCExcReg->prev);
        }

        DWORD iAddr = (DWORD)pVCExcReg->scopetable ^ __security_cookie;
        // iAddr = 0x77090928; // on my system, this value is offset ntdll!rescsegmentvalidateheader+0x118e (77090928)

        // The first 16 bytes of the scopetable hold several security-cookie-related
        // fields; the scopetable_entry items follow them
        scopetable_entry* pScopeTableEntry = (scopetable_entry*)(iAddr + 16);

        for (int i = 0; i <= pVCExcReg->trylevel; i++)
        {
            if (bVcExceptionHandler4)
            {
                printf("scopetable[%u] pretrylevel:%08x filter:%08x __except:%08x\n",
                       i, pScopeTableEntry->previousTryLevel,
                       pScopeTableEntry->lpfnFilter, pScopeTableEntry->lpfnHandler);
            }
            pScopeTableEntry++;
        }
        printf("\n");
    }

    //////////////////////////////////////////////////////////////////////////
    // Walks the linked list of exception frames, displaying each one in turn
    void WalkSEHFrames(void)
    {
        VC_EXCEPTION_REGISTRATION* pVCExcReg;

        // Print the location of the _except_handler4 function
        printf("_except_handler4 is at address:%08x\n", _except_handler4);
        printf("\n");

        // Get a pointer to the head of the list from FS:[0]
        __asm mov eax, FS:[0]
        __asm mov [pVCExcReg], eax

        // Walk the linked list of exception frames.
        // 0xFFFFFFFF marks the end of the list
        while (0xFFFFFFFF != (unsigned)pVCExcReg)
        {
            ShowSEHFrame(pVCExcReg);
            pVCExcReg = (VC_EXCEPTION_REGISTRATION*)(pVCExcReg->prev);
        }
    }

VcSEH.cpp

    #include <windows.h>
    #include <stdio.h>
    #include "ExceptionFrameInfo.h"

    void test(void)
    {
        int i = 0;

        // Block A
        __try                                       // level 1
        {
            __try                                   // level 2
            {
                __try                               // level 3
                {
                    __try                           // level 4
                    {
                        i++;
                    }
                    __finally                       // level 4
                    {
                    }
                }
                __except (EXCEPTION_CONTINUE_SEARCH)    // level 3
                {
                    // never executed
                }
            }
            __except (EXCEPTION_CONTINUE_SEARCH)    // level 2
            {
                // never executed
            }
        }
        __except (EXCEPTION_EXECUTE_HANDLER)        // level 1
        {
            // executed when an exception occurs in this __try block or in the inner levels
        }

        // Block B
        __try
        {
            WalkSEHFrames();
        }
        __except (EXCEPTION_CONTINUE_SEARCH)
        {
        }
    }

    int main()
    {
        __try
        {
            test();
        }
        __except (EXCEPTION_EXECUTE_HANDLER)
        {
        }
        return 0;
    }
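The dispatch order from 23.2.3 applied to Block A of VcSEH.cpp, as an added example that is not part of the original article or the CRT source: a portable C model of the scopetable walk. The names model_entry, dispatch_log, model_dispatch and DISP_HANDLER_RAN are assumptions of this sketch, and running the inner __finally entries during the unwind goes beyond what the text spells out.

```c
#include <stdint.h>
#include <stdio.h>

#define TRYLEVEL_NONE 0xFFFFFFFEu  /* end-of-chain index named on the page */
/* Filter results and handler dispositions, with their Windows values. */
enum { CONTINUE_EXECUTION = -1, CONTINUE_SEARCH = 0, EXECUTE_HANDLER = 1 };
enum { DISP_CONTINUE_EXECUTION = 0, DISP_CONTINUE_SEARCH = 1,
       DISP_HANDLER_RAN = 100 };   /* model-only: a real __except body never returns here */

typedef struct {
    uint32_t prev_index;     /* enclosing __try, or TRYLEVEL_NONE */
    int    (*filter)(void);  /* NULL for a __finally entry */
} model_entry;
/* handler_index: entry whose __except body ran; bit n of finally_mask: __finally n ran */
typedef struct { uint32_t handler_index, finally_mask; } dispatch_log;

int f_search(void)  { return CONTINUE_SEARCH; }
int f_execute(void) { return EXECUTE_HANDLER; }
int f_resume(void)  { return CONTINUE_EXECUTION; }

/* Constructed table mirroring Block A of VcSEH.cpp; index 0 is the outermost __try. */
const model_entry block_a[] = {
    { TRYLEVEL_NONE, f_execute },  /* level 1: __except(EXCEPTION_EXECUTE_HANDLER) */
    { 0,             f_search  },  /* level 2: __except(EXCEPTION_CONTINUE_SEARCH) */
    { 1,             f_search  },  /* level 3: __except(EXCEPTION_CONTINUE_SEARCH) */
    { 2,             NULL      },  /* level 4: __finally */
};

/* Walk outward from the frame's current trylevel, as section 23.2.3 describes. */
int model_dispatch(const model_entry *tab, uint32_t trylevel, dispatch_log *out)
{
    *out = (dispatch_log){ TRYLEVEL_NONE, 0 };
    for (uint32_t i = trylevel; i != TRYLEVEL_NONE; i = tab[i].prev_index) {
        if (tab[i].filter == NULL) continue;          /* __finally has no filter */
        int r = tab[i].filter();
        if (r == CONTINUE_EXECUTION) return DISP_CONTINUE_EXECUTION;
        if (r == CONTINUE_SEARCH) continue;           /* ask the enclosing __try */
        for (uint32_t j = trylevel; j != i; j = tab[j].prev_index)  /* unwind inner levels */
            if (tab[j].filter == NULL) out->finally_mask |= 1u << j;
        out->handler_index = i;                       /* then the __except body runs */
        return DISP_HANDLER_RAN;
    }
    return DISP_CONTINUE_SEARCH;                      /* left to the outer SEH frames */
}

int main(void)
{
    dispatch_log rec;
    int d = model_dispatch(block_a, 3, &rec);         /* fault at i++ inside level 4 */
    printf("disposition=%d handler=%u finally_mask=0x%x\n",
           d, (unsigned)rec.handler_index, (unsigned)rec.finally_mask);
    return 0;
}
```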
