SEH

Posted on   |  

Structured Exception Handling,即SEH,是windows的异常处理机制.官方已不建议使用SEH,而是用ISO标准的c++异常处理.但是因为要向前兼容,所以在windows下SEH还是可以使用的,除了系统的代码大量使用以外,自己在一些特殊情况下,也是非常好用的.

也是一些基础啦.

SEH结构

SEH其实说穿了就是几个结构体,然后window根据结构体的信息来进行相应处理.
即定义SEH的结构体ntdll!_EXCEPTION_REGISTRATION_RECORD,与SEH处理异常接受异常信息的结构体VCRUNTIME140!_EXCEPTION_RECORD
大致既是:
_EXCEPTION_REGISTRATION_RECORD->handle->_except_handler4->_except_handler4_common()->_EXCEPTION_RECORD

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
//winseh.cpp
int main()
{
    std::cout << "Hello World!\n";
    __try
    {
        _asm {
            mov eax, 0
            mov [eax], 0
        };
    }
    __except(EXCEPTION_EXECUTE_HANDLER){
        MessageBox(NULL, NULL, NULL, NULL);
    }
}
----------
0:000> u winseh!main l40
winseh!main [c:\users\root\source\repos\winseh\winseh\winseh.cpp @ 9]:
010f1000 55              push    ebp
010f1001 8bec            mov     ebp,esp
010f1003 6afe            push    0FFFFFFFEh
010f1005 6838250f01      push    offset winseh!__rtc_tzz+0x4 (010f2538)
010f100a 6885130f01      push    offset winseh!_except_handler4 (010f1385)--+//seh->Handler
010f100f 64a100000000    mov     eax,dword ptr fs:[00000000h]---------------+//seh->Next
010f1015 50              push    eax                           <--push fs:[0]
010f1016 83ec08          sub     esp,8
010f1019 53              push    ebx
010f101a 56              push    esi
010f101b 57              push    edi
010f101c a104300f01      mov     eax,dword ptr [winseh!__security_cookie (010f3004)]
010f1021 3145f8          xor     dword ptr [ebp-8],eax
010f1024 33c5            xor     eax,ebp
010f1026 50              push    eax
010f1027 8d45f0          lea     eax,[ebp-10h]                <--0x010f1015
010f102a 64a300000000    mov     dword ptr fs:[00000000h],eax <--SEH链最后的结构地址
010f1030 8965e8          mov     dword ptr [ebp-18h],esp
010f1033 8b0d34200f01    mov     ecx,dword ptr [winseh!_imp_?coutstd (010f2034)]
010f1039 e852000000      call    winseh!std::operator<<<std::char_traits<char> > (010f1090)
010f103e c745fc00000000  mov     dword ptr [ebp-4],0
010f1045 b800000000      mov     eax,0 <----
010f104a c60000          mov     byte ptr [eax],0  
010f104d eb17            jmp     winseh!main+0x66 (010f1066)
010f104f b801000000      mov     eax,1
0:000> bp 010f1045
0:000> r
----------
//seh链 此处为fs:[0]->0x00b5fba0->0x00b5fc0c->0x00b5fc24->0xffffffff
//所对应的处理函数为: 0x010f1385->0x010f1385->0x77a186d0->0x77a25196
0:000> !exchain 
00b5fb58: winseh!_except_handler4+0 (010f1385) 
  CRT scope  0, filter: winseh!main+4f (010f104f)
                func:   winseh!main+55 (010f1055)
00b5fba0: winseh!_except_handler4+0 (010f1385)
  CRT scope  0, filter: winseh!__scrt_common_main_seh+127 (010f15a5)
                func:   winseh!__scrt_common_main_seh+13b (010f15b9)
00b5fc0c: ntdll!_except_handler4+0 (77a186d0)
  CRT scope  0, filter: ntdll!__RtlUserThreadStart+3c97b (77a42f79)
                func:   ntdll!__RtlUserThreadStart+3ca17 (77a43015)
00b5fc24: ntdll!FinalExceptionHandlerPad22+0 (77a25196)
Invalid exception stack at ffffffff
------------
0:000> dt ntdll!_EXCEPTION_REGISTRATION_RECORD
   +0x000 Next             : Ptr32 _EXCEPTION_REGISTRATION_RECORD //下一个SEH结构地址
   +0x004 Handler          : Ptr32     _EXCEPTION_DISPOSITION  //异常处理函数
------------
//手动验证一波
0:000> dg fs
                                  P Si Gr Pr Lo
Sel    Base     Limit     Type    l ze an es ng Flags
---- -------- -------- ---------- - -- -- -- -- --------
0053 00916000 00000fff Data RW Ac 3 Bg By P  Nl 000004f3
0:000> dt ntdll!_EXCEPTION_REGISTRATION_RECORD -l next poi(fs:[0])
next at 0x00b5fb58          //fs:[0]指向seh头
---------------------------------------------
   +0x000 Next             : 0x00b5fba0 _EXCEPTION_REGISTRATION_RECORD
   +0x004 Handler          : 0x010f1385     _EXCEPTION_DISPOSITION  winseh!_except_handler4+0

next at 0x00b5fba0
---------------------------------------------
   +0x000 Next             : 0x00b5fc0c _EXCEPTION_REGISTRATION_RECORD
   +0x004 Handler          : 0x010f1385     _EXCEPTION_DISPOSITION  winseh!_except_handler4+0

next at 0x00b5fc0c
---------------------------------------------
   +0x000 Next             : 0x00b5fc24 _EXCEPTION_REGISTRATION_RECORD
   +0x004 Handler          : 0x77a186d0     _EXCEPTION_DISPOSITION  ntdll!_except_handler4+0

next at 0x00b5fc24
---------------------------------------------
   +0x000 Next             : 0xffffffff _EXCEPTION_REGISTRATION_RECORD
   +0x004 Handler          : 0x77a25196     _EXCEPTION_DISPOSITION  ntdll!FinalExceptionHandlerPad22+0
----

SEH异常处理函数

相关处理函数

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
0:000> u 77a25196 //SEH最终处理
ntdll!FinalExceptionHandlerPad22:
77a25196 90              nop
ntdll!FinalExceptionHandlerPad23:
77a25197 90              nop
ntdll!FinalExceptionHandlerPad24:
77a25198 90              nop
...more
77a251c0 e9f2b80500      jmp     ntdll!_FinalExceptionHandler (77a80ab7)


0:000> u 010f1385
winseh!_except_handler4 [d:\agent\_work\3\s\src\vctools\crt\vcstartup\src\eh\i386\chandler4gs.c @ 84]:
010f1385 55              push    ebp
010f1386 8bec            mov     ebp,esp
010f1388 ff7514          push    dword ptr [ebp+14h]
010f138b ff7510          push    dword ptr [ebp+10h]
010f138e ff750c          push    dword ptr [ebp+0Ch]
010f1391 ff7508          push    dword ptr [ebp+8]
010f1394 68a8130f01      push    offset winseh!__security_check_cookie (010f13a8)
010f1399 6804300f01      push    offset winseh!__security_cookie (010f3004)
010f139e e8370b0000      call    winseh!except_handler4_common (010f1eda) <----
010f13a3 83c418          add     esp,18h
010f13a6 5d              pop     ebp
010f13a7 c3              ret

0:000> x vcruntime140!_except_handler4_common
74fe4480          VCRUNTIME140!_except_handler4_common (
                              unsigned int *, //0x0 __security_cookie
                              <function> *, //0x4 __security_check_cookie
                              struct _EXCEPTION_RECORD *, //0x8  <----
                              struct _EXCEPTION_REGISTRATION_RECORD *, //0xc
                              struct _CONTEXT *,//0x10
                              void *//0x14 (DispatcherContent)
                          )
0:000> dt _EXCEPTION_RECORD
winseh!_EXCEPTION_RECORD
   +0x000 ExceptionCode    : Uint4B //Exception Code 错误代码
   +0x004 ExceptionFlags   : Uint4B //EstablisherFlags 
   +0x008 ExceptionRecord  : Ptr32 _EXCEPTION_RECORD //*ExceptionRecord
   +0x00c ExceptionAddress : Ptr32 Void //ExceptionAddress 出错地址
   +0x010 NumberParameters : Uint4B //# os Parameters
   +0x014 ExceptionInformation : [15] Uint4B