我的书签
添加书签
移除书签68.3 Windows SEH
68.3.1 让我们先忘了MSVC
在Windows,SEH(Structured Exception Handling(结构化异常处理))是异常处理的一种机制。然而,它是语言无关的,不管是C++或者其它OOP语言。我们可以看到SEH(从C++和MSVC扩展)是独立实现的。
每个运行的进程都有一个SEH处理链,TIB有它最后的处理程序的地址。当异常发生时(除零,错误的地址访问,用户通过调用RaiseException()函数引发异常),操作系统在TIB找到最后的处理程序并调用它,获取异常时CPU的状态信息(如寄存器的值等等)。处理程序当前的异常能否修复,如果能,则修复该异常。如果不能,它通知操作系统无法处理它并由操作系统调用异常处理链中的下一个处理程序,直到处理程序能够处理的异常被发现。
在异常处理链的结尾处有一个标准的处理程序,它显示一个对话框用于通知用户进程崩溃,然后把一些崩溃时CPU的状态信息,收集起来并将其发送给微软开发商。
Figure 68.2: Windows XP
Figure 68.2: Windows XP
Figure 68.3: Windows XP
Figure 68.3: Windows XP
Figure 68.4: Windows 7
Figure 68.4: Windows 7
Figure 68.5: Windows 8.1
Figure 68.5: Windows 8.1
早些时候,这个处理程序被称为Dr.Watson。
顺便说一句,有些开发人员会在自己的处理程序发送程序崩溃的信息。通过SetUnhandledExceptionFilter()函数注册异常处理程序,如果操作系统没有任何其它方式处理异常,则调用它。一个例子是Oracle RDBMS,它保存了CPU所有可能有用的信息和内存状态的巨大转储文件。
让我们写一个自己的primitive exception handler:
#include <windows.h>#include <stdio.h>DWORD new_value=1234;EXCEPTION_DISPOSITION __cdecl except_handler(struct _EXCEPTION_RECORD *ExceptionRecord,void * EstablisherFrame,struct _CONTEXT *ContextRecord,void * DispatcherContext ){unsigned i;printf ("%s\n", __FUNCTION__);printf ("ExceptionRecord->ExceptionCode=0x%p\n", ExceptionRecord->ExceptionCode);printf ("ExceptionRecord->ExceptionFlags=0x%p\n", ExceptionRecord->ExceptionFlags);printf ("ExceptionRecord->ExceptionAddress=0x%p\n", ExceptionRecord->ExceptionAddress);if (ExceptionRecord->ExceptionCode==0xE1223344){printf ("That's for us\n");// yes, we "handled" the exceptionreturn ExceptionContinueExecution;}else if (ExceptionRecord->ExceptionCode==EXCEPTION_ACCESS_VIOLATION){printf ("ContextRecord->Eax=0x%08X\n", ContextRecord->Eax);// will it be possible to 'fix' it?printf ("Trying to fix wrong pointer address\n");ContextRecord->Eax=(DWORD)&new_value;// yes, we "handled" the exceptionreturn ExceptionContinueExecution;}else{printf ("We do not handle this\n");// someone else's problemreturn ExceptionContinueSearch;};}int main(){DWORD handler = (DWORD)except_handler; // take a pointer to our handler// install exception handler__asm{ // make EXCEPTION_REGISTRATION record:push handler // address of handler functionpush FS:[0] // address of previous handlermov FS:[0],ESP // add new EXECEPTION_REGISTRATION}RaiseException (0xE1223344, 0, 0, NULL);// now do something very badint* ptr=NULL;int val=0;val=*ptr;printf ("val=%d\n", val);// deinstall exception handler__asm{ // remove our EXECEPTION_REGISTRATION recordmov eax,[ESP] // get pointer to previous recordmov FS:[0], EAX // install previous recordadd esp, 8 // clean our EXECEPTION_REGISTRATION off stack}return 0;}
FS段寄存器:在Win32指向TIB。在TIB的第一个元素是指向异常处理指针链中的最后一个处理程序,我们将自己的异常处理程序的地址保存在这里。异常处理链的结点结构体名字是_EXCEPTION_REGISTRATION,这是一个单链表实现的栈容器。
Listing 68.1: MSVC/VC/crt/src/exsup.inc
\_EXCEPTION\_REGISTRATION strucprev dd ?handler dd ?\_EXCEPTION\_REGISTRATION ends
每个结点的handler字段指向一个异常处理程序,每个结点的prev字段指向在栈中的上一个结点。最后一个结点的prev指向0xFFFFFFFF(-1)。
Figure 68.5: Windows 8.1
我们的处理程序安装后,我们调用RaiseException()。这是一个用户异常。处理程序检查异常代码,如果异常代码是0xE1223344,它返回ExceptionContinueExecution。这意味着处理程序修复了CPU的状态(通常是EIP/ESP寄存器),操作系统可以恢复运行。如果你稍微修改一下代码,处理程序返回ExceptionContinueSearch,那么操作系统将调用下一个处理程序,如果没有找到处理程序(因为没人捕获该异常),你会看到标准的Windows进程崩溃对话框。
系统异常和用户异常之间的区别是什么?这里有系统的:
| as defined in WinBase.h |
|---|
| EXCEPTION_ACCESS_VIOLATION |
| EXCEPTION_DATATYPE_MISALIGNMENT |
| EXCEPTION_BREAKPOINT |
| EXCEPTION_SINGLE_STEP |
| EXCEPTION_ARRAY_BOUNDS_EXCEEDED |
| EXCEPTION_FLT_DENORMAL_OPERAND |
| EXCEPTION_FLT_DIVIDE_BY_ZERO |
| EXCEPTION_FLT_INEXACT_RESULT |
| EXCEPTION_FLT_INVALID_OPERATION |
| EXCEPTION_FLT_OVERFLOW |
| EXCEPTION_FLT_STACK_CHECK |
| EXCEPTION_FLT_UNDERFLOW |
| EXCEPTION_INT_DIVIDE_BY_ZERO |
| EXCEPTION_INT_OVERFLOW |
| EXCEPTION_PRIV_INSTRUCTION |
| EXCEPTION_IN_PAGE_ERROR |
| EXCEPTION_ILLEGAL_INSTRUCTION |
| EXCEPTION_NONCONTINUABLE_EXCEPTION |
| EXCEPTION_STACK_OVERFLOW |
| EXCEPTION_INVALID_DISPOSITION |
| EXCEPTION_GUARD_PAGE |
| EXCEPTION_INVALID_HANDLE |
| EXCEPTION_POSSIBLE_DEADLOCK |
| CONTROL_C_EXIT |
这些异常码的定义规则是:
| 31 |
|---|
| S |
S是一个基本代码: 11—error; 10—warning; 01—informational; 00—success;U表示是否是用户代码。
这就是为什么我选择了0xE1223344,0xE(1110b)意味着1)user exception(用户异常);2)error(错误)。
当我们尝试读取地址为0的内存时。因为这个地址在win32中并不被使用,所以会引发一个异常。通过检查异常码是否等于EXCEPTION_ACCESS_VIOLATION常量。
读0地址内存的代码看起来像这样:
Listing 68.2: MSVC 2010
...xor eax, eaxmov eax, DWORD PTR [eax] ; exception will occur herepush eaxpush OFFSET msgcall _printfadd esp, 8...
能否修复“on the fly”这个错误然后继续执行程序?当然,我们的异常处理程序可以修复EAX值然后让操作系统继续执行下去。这是我们该做的。printf()将打印1234,因为我们的处理程序执行后EAX不是0,而是全局变量new_value的地址。
若内存管理器有一个关于CPU的错误信号,CPU会暂停线程,在Windows内核查找异常处理程序,然后一个一个调用SEH链的handler。
我在这里使用MSVC 2010,当然,没有任何保证EAX将用于这个指针。
这个地址替换的技巧非常的漂亮,我经常使用它插入到SEH内部中。不过,我忘记了在哪里用它修复“on the fly”错误。
为什么SHE相关的记录存储在栈上而不是其它地方?据说这是因为操作系统不需要在函数执行完成之后关心这些信息。但我不能100%肯定。这有点类似alloca()。
68.3.2 现在让我们回到MSVC
据说,微软的程序员需要在C语言而不是C++上使用异常,所以它们在MSVC上添加了一个非标准的C扩展。它与C++的异常没有任何关联。
__try{...}__except(filter code){handler code}
“Finally”块也许能代替handler code:
__try{...}__finally{...}
filte code是一个表达式,告诉handler code是否对应引发的异常。如果你的filte code太大而无法使用一个表达式,可以定义一个单独的filte函数。
在Windows内核有很多这样的结构,下面是几个例子(WRK(Windows Research Kernel)):
Listing 68.3: WRK-v1.2/base/ntos/ob/obwait.c
try {KeReleaseMutant( (PKMUTANT)SignalObject,MUTANT_INCREMENT,FALSE,TRUE );} except((GetExceptionCode () == STATUS_ABANDONED ||GetExceptionCode () == STATUS_MUTANT_NOT_OWNED)?EXCEPTION_EXECUTE_HANDLER :EXCEPTION_CONTINUE_SEARCH) {Status = GetExceptionCode();goto WaitExit;}
Listing 68.4: WRK-v1.2/base/ntos/cache/cachesub.c
try {RtlCopyBytes( (PVOID)((PCHAR)CacheBuffer + PageOffset),UserBuffer,MorePages ?(PAGE_SIZE - PageOffset) :(ReceivedLength - PageOffset) );} except( CcCopyReadExceptionFilter( GetExceptionInformation(), Status ) ) {
这里是一个filter code的例子:
Listing 68.5: WRK-v1.2/base/ntos/cache/copysup.c
LONGCcCopyReadExceptionFilter(IN PEXCEPTION_POINTERS ExceptionPointer,IN PNTSTATUS ExceptionCode)/*++Routine Description:This routine serves as a exception filter and has the special job ofextracting the "real" I/O error when Mm raises STATUS_IN_PAGE_ERRORbeneath us.Arguments:ExceptionPointer - A pointer to the exception record that containsthe real Io Status.ExceptionCode - A pointer to an NTSTATUS that is to receive the realstatus.Return Value:EXCEPTION_EXECUTE_HANDLER--*/{*ExceptionCode = ExceptionPointer->ExceptionRecord->ExceptionCode;if ( (*ExceptionCode == STATUS_IN_PAGE_ERROR) &&(ExceptionPointer->ExceptionRecord->NumberParameters >= 3) ) {*ExceptionCode = (NTSTATUS) ExceptionPointer->ExceptionRecord->ExceptionInformation[2];}ASSERT( !NT_SUCCESS(*ExceptionCode) );return EXCEPTION_EXECUTE_HANDLER;}
在内部,SEH是操作系统支持的异常扩展。但是处理函数是_except_handler3(对于SEH3)或_except_handler4(对于SEH4)。 这个处理函数的代码是与MSVC相关的,它位于它的库或在msvcr*.dll文件。其他的Win32编译器可以提供与之完全不同的机制。
SEH3
SEH3有一个_except_handler3处理函数,而且扩展了_EXCEPTION_REGISTRATION表,并添加了一个指向scope table和previous try level变量。SEH4扩展了scope table缓冲溢出保护。
scope table是一个表,包含了指向filter和handler code的块和每个try/except嵌套。
scopetable
再者,操作系统只关心prev/handle字段。excepthandler3函数的工作是读取其他字段和scope table,并决定由哪些处理程序来执行。
excepthandler3函数的源代码是闭源的。然而,Sanos操作系统的win32兼容性层重新实现相同的功能。其它类似的实现有Wine和ReactOS。
如果filter指针为NULL,handler指针则指向finally代码块。
执行期间,栈中的previous try level变量发生变化,所以_except_handler3可以获取当前嵌套级的信息,才知道要使用scope table哪一表项。
SEH3: 一个try/except块例子
#include <stdio.h>#include <windows.h>#include <excpt.h>int main(){int* p = NULL;__try{printf("hello #1!\n");*p = 13; // causes an access violation exception;printf("hello #2!\n");}__except(GetExceptionCode()==EXCEPTION_ACCESS_VIOLATION ?EXCEPTION_EXECUTE_HANDLER : EXCEPTION_CONTINUE_SEARCH){printf("access violation, can't recover\n");}}
Listing 68.6: MSVC 2003
$SG74605 DB 'hello #1!', 0aH, 00H$SG74606 DB 'hello #2!', 0aH, 00H$SG74608 DB 'access violation, can''t recover', 0aH, 00H_DATA ENDS; scope tableCONST SEGMENT$T74622 DD 0ffffffffH ; previous try levelDD FLAT:$L74617 ; filterDD FLAT:$L74618 ; handlerCONST ENDS_TEXT SEGMENT$T74621 = -32 ; size = 4_p$ = -28 ; size = 4__$SEHRec$ = -24 ; size = 24_main PROC NEARpush ebpmov ebp, esppush -1 ; previous try levelpush OFFSET FLAT:$T74622 ; scope tablepush OFFSET FLAT:__except_handler3 ; handlermov eax, DWORD PTR fs:__except_listpush eax ; prevmov DWORD PTR fs:__except_list, espadd esp, -16push ebx ; saved 3 registerspush esi ; saved 3 registerspush edi ; saved 3 registersmov DWORD PTR __$SEHRec$[ebp], espmov DWORD PTR _p$[ebp], 0mov DWORD PTR __$SEHRec$[ebp+20], 0 ; previous try levelpush OFFSET FLAT:$SG74605 ; 'hello #1!'call _printfadd esp, 4mov eax, DWORD PTR _p$[ebp]mov DWORD PTR [eax], 13push OFFSET FLAT:$SG74606 ; 'hello #2!'call _printfadd esp, 4mov DWORD PTR __$SEHRec$[ebp+20], -1 ; previous try leveljmp SHORT $L74616; filter code$L74617:$L74627:mov ecx, DWORD PTR __$SEHRec$[ebp+4]mov edx, DWORD PTR [ecx]mov eax, DWORD PTR [edx]mov DWORD PTR $T74621[ebp], eaxmov eax, DWORD PTR $T74621[ebp]sub eax, -1073741819; c0000005Hneg eaxsbb eax, eaxinc eax$L74619:$L74626:ret 0; handler code$L74618:mov esp, DWORD PTR __$SEHRec$[ebp]push OFFSET FLAT:$SG74608 ; 'access violation, can''t recover'call _printfadd esp, 4mov DWORD PTR __$SEHRec$[ebp+20], -1 ; setting previous try level back to -1$L74616:xor eax, eaxmov ecx, DWORD PTR __$SEHRec$[ebp+8]mov DWORD PTR fs:__except_list, ecxpop edipop esipop ebxmov esp, ebppop ebpret 0_main ENDP_TEXT ENDSEND
在这里我们可以看到SEH帧是如果在栈中构建出来的,scope table位于CONST segment-事实上,这些字段是不被改变的。一件有趣的事情是如何改变previous try level变量。它的初始化值是0xFFFFFFFF(-1)。当进入try语句块的时候,变量赋值为0。当try语句块结束的时候,写回-1。我们还能看到filter和handler code的地址。因此,我们可以很容易在函数里看到try/except是如何构造的。
由于函数序言的SEH安装代码被多个函数共享,有时候编译器会在函数序言插入调用SEH_prolog()函数,这就完成了这个任务。该SEH回收代码是SEH_epilog()函数。
让我们尝试用tracer运行这个例子:
tracer.exe -l:2.exe --dump-seh
Listing 68.7: tracer.exe output
EXCEPTION_ACCESS_VIOLATION at 2.exe!main+0x44 (0x401054) ExceptionInformation[0]=1EAX=0x00000000 EBX=0x7efde000 ECX=0x0040cbc8 EDX=0x0008e3c8ESI=0x00001db1 EDI=0x00000000 EBP=0x0018feac ESP=0x0018fe80EIP=0x00401054FLAGS=AF IF RF* SEH frame at 0x18fe9c prev=0x18ff78 handler=0x401204 (2.exe!_except_handlerSEH3 frame. previous trylevel=0scopetable entry[0]. previous try level=-1, filter=0x401070 (2.exe!main+0x60) handler=0x401088 (2.exe!main+0x78)* SEH frame at 0x18ff78 prev=0x18ffc4 handler=0x401204 (2.exe!_except_handler3)SEH3 frame. previous trylevel=0scopetable entry[0]. previous try level=-1, filter=0x401531 (2.exe!mainCRTStartup+0x18d) handler=0x401545 (2.exe!mainCRTStartup+0x1a1)* SEH frame at 0x18ffc4 prev=0x18ffe4 handler=0x771f71f5 (ntdll.dll!__except_handler4)SEH4 frame. previous trylevel=0SEH4 header: GSCookieOffset=0xfffffffe GSCookieXOROffset=0x0EHCookieOffset=0xffffffcc EHCookieXOROffset=0x0scopetable entry[0]. previous try level=-2, filter=0x771f74d0 (ntdll.dll!___safe_se_handler_table+0x20) handler=0x771f90eb (ntdll.dll!_TppTerminateProcess@4+0x43)* SEH frame at 0x18ffe4 prev=0xffffffff handler=0x77247428 (ntdll.dll!_FinalExceptionHandler@16)
我们看到,SEH链包含4个handler。
前面两个是我们的例子。两个?但是我们只有一个?是的,一个是CRT的_mainCRTStartup()函数设置的。并至少作为FPU异常的处理。它的源码可以在MSVC的安装目录找到:crt/src/winxfltr.c。
第三个是ntdll.dll的SEH4,第四个handler也位于ntdll.dll,跟MSVC没什么关系,它有一个自描述函数名。
正如你所见,在一个链中有三种类型的处理函数:一个跟MSVC(最后一个)没什么关系和两个与MSVC关联的:SEH3和SEH4。
SEH3: 两个try/except块例子
#include <stdio.h>#include <windows.h>#include <excpt.h>int filter_user_exceptions (unsigned int code, struct _EXCEPTION_POINTERS *ep){printf("in filter. code=0x%08X\n", code);if (code == 0x112233){printf("yes, that is our exception\n");return EXCEPTION_EXECUTE_HANDLER;}else{printf("not our exception\n");return EXCEPTION_CONTINUE_SEARCH;};}int main(){int* p = NULL;__try{__try{printf ("hello!\n");RaiseException (0x112233, 0, 0, NULL);printf ("0x112233 raised. now let's crash\n");*p = 13; // causes an access violation exception;}__except(GetExceptionCode()==EXCEPTION_ACCESS_VIOLATION ?EXCEPTION_EXECUTE_HANDLER : EXCEPTION_CONTINUE_SEARCH){printf("access violation, can't recover\n");}}__except(filter_user_exceptions(GetExceptionCode(), GetExceptionInformation())){// the filter_user_exceptions() function answering to the question// "is this exception belongs to this block?"// if yes, do the follow:printf("user exception caught\n");}}
现在有两个try块,所以scope table现在有两个元素,每个块占用一个。Previous try level随着try块的进入或退出而改变。
Listing 68.8: MSVC 2003
$SG74606 DB 'in filter. code=0x%08X', 0aH, 00H$SG74608 DB 'yes, that is our exception', 0aH, 00H$SG74610 DB 'not our exception', 0aH, 00H$SG74617 DB 'hello!', 0aH, 00H$SG74619 DB '0x112233 raised. now let''s crash', 0aH, 00H$SG74621 DB 'access violation, can''t recover', 0aH, 00H$SG74623 DB 'user exception caught', 0aH, 00H_code$ = 8 ; size = 4_ep$ = 12 ; size = 4_filter_user_exceptions PROC NEARpush ebpmov ebp, espmov eax, DWORD PTR _code$[ebp]push eaxpush OFFSET FLAT:$SG74606 ; 'in filter. code=0x%08X'call _printfadd esp, 8cmp DWORD PTR _code$[ebp], 1122867; 00112233Hjne SHORT $L74607push OFFSET FLAT:$SG74608 ; 'yes, that is our exception'call _printfadd esp, 4mov eax, 1jmp SHORT $L74605$L74607:push OFFSET FLAT:$SG74610 ; 'not our exception'call _printfadd esp, 4xor eax, eax$L74605:pop ebpret 0_filter_user_exceptions ENDP; scope tableCONST SEGMENT$T74644 DD 0ffffffffH ; previous try level for outer blockDD FLAT:$L74634 ; outer block filterDD FLAT:$L74635 ; outer block handlerDD 00H ; previous try level for inner blockDD FLAT:$L74638 ; inner block filterDD FLAT:$L74639 ; inner block handlerCONST ENDS$T74643 = -36 ; size = 4$T74642 = -32 ; size = 4_p$ = -28 ; size = 4__$SEHRec$ = -24 ; size = 24_main PROC NEARpush ebpmov ebp, esppush -1 ; previous try levelpush OFFSET FLAT:$T74644push OFFSET FLAT:__except_handler3mov eax, DWORD PTR fs:__except_listpush eaxmov DWORD PTR fs:__except_list, espadd esp, -20push ebxpush esipush edimov DWORD PTR __$SEHRec$[ebp], espmov DWORD PTR _p$[ebp], 0mov DWORD PTR __$SEHRec$[ebp+20], 0 ; outer try block entered. set previous try level to 0mov DWORD PTR __$SEHRec$[ebp+20], 1 ; inner try block entered. set previous try level to 1push OFFSET FLAT:$SG74617 ; 'hello!'call _printfadd esp, 4push 0push 0push 0push 1122867 ; 00112233Hcall DWORD PTR __imp__RaiseException@16push OFFSET FLAT:$SG74619 ; '0x112233 raised. now let''s crash'call _printfadd esp, 4mov eax, DWORD PTR _p$[ebp]mov DWORD PTR [eax], 13mov DWORD PTR __$SEHRec$[ebp+20], 0 ; inner try block exited. set previous try level back to 0jmp SHORT $L74615; inner block filter$L74638:$L74650:mov ecx, DWORD PTR __$SEHRec$[ebp+4]mov edx, DWORD PTR [ecx]mov eax, DWORD PTR [edx]mov DWORD PTR $T74643[ebp], eaxmov eax, DWORD PTR $T74643[ebp]sub eax, -1073741819; c0000005Hneg eaxsbb eax, eaxinc eax$L74640:$L74648:ret 0; inner block handler$L74639:mov esp, DWORD PTR __$SEHRec$[ebp]push OFFSET FLAT:$SG74621 ; 'access violation, can''t recover'call _printfadd esp, 4mov DWORD PTR __$SEHRec$[ebp+20], 0 ; inner try block exited. set previous try level back to 0$L74615:mov DWORD PTR __$SEHRec$[ebp+20], -1 ; outer try block exited, set previous try level back to -1jmp SHORT $L74633; outer block filter$L74634:$L74651:mov ecx, DWORD PTR __$SEHRec$[ebp+4]mov edx, DWORD PTR [ecx]mov eax, DWORD PTR [edx]mov DWORD PTR $T74642[ebp], eaxmov ecx, DWORD PTR __$SEHRec$[ebp+4]push ecxmov edx, DWORD PTR $T74642[ebp]push edxcall _filter_user_exceptionsadd esp, 8$L74636:$L74649:ret 0; outer block handler$L74635:mov esp, DWORD PTR __$SEHRec$[ebp]push OFFSET FLAT:$SG74623 ; 'user exception caught'call _printfadd esp, 4mov DWORD PTR __$SEHRec$[ebp+20], -1 ; both try blocks exited. set previous try level back to -1$L74633:xor eax, eaxmov ecx, DWORD PTR __$SEHRec$[ebp+8]mov DWORD PTR fs:__except_list, ecxpop edipop esipop ebxmov esp, ebppop ebpret 0_main ENDP
如果我们在handler中调用的printf()函数设置一个断点,可以看到另一个SEH handler如何被添加。同样,我们还可以看到scope table包含两个元素。
tracer.exe -l:3.exe bpx=3.exe!printf --dump-seh
Listing 68.9: tracer.exe output
(0) 3.exe!printfEAX=0x0000001b EBX=0x00000000 ECX=0x0040cc58 EDX=0x0008e3c8ESI=0x00000000 EDI=0x00000000 EBP=0x0018f840 ESP=0x0018f838EIP=0x004011b6FLAGS=PF ZF IF* SEH frame at 0x18f88c prev=0x18fe9c handler=0x771db4ad (ntdll.dll!ExecuteHandler2@20+0x3a)* SEH frame at 0x18fe9c prev=0x18ff78 handler=0x4012e0 (3.exe!_except_handler3)SEH3 frame. previous trylevel=1scopetable entry[0]. previous try level=-1, filter=0x401120 (3.exe!main+0xb0) handler=0x40113b (3.exe!main+0xcb)scopetable entry[1]. previous try level=0, filter=0x4010e8 (3.exe!main+0x78) handler=0x401100 (3.exe!main+0x90)* SEH frame at 0x18ff78 prev=0x18ffc4 handler=0x4012e0 (3.exe!_except_handler3)SEH3 frame. previous trylevel=0scopetable entry[0]. previous try level=-1, filter=0x40160d (3.exe!mainCRTStartup+0x18d) handler=0x401621 (3.exe!mainCRTStartup+0x1a1* SEH frame at 0x18ffc4 prev=0x18ffe4 handler=0x771f71f5 (ntdll.dll!__except_handler4)SEH4 frame. previous trylevel=0SEH4 header: GSCookieOffset=0xfffffffe GSCookieXOROffset=0x0EHCookieOffset=0xffffffcc EHCookieXOROffset=0x0scopetable entry[0]. previous try level=-2, filter=0x771f74d0 (ntdll.dll!___safe_se_handler_table+0x20) handler=0x771f90eb (ntdll.dll!_TppTerminateProcess@4+0x43)* SEH frame at 0x18ffe4 prev=0xffffffff handler=0x77247428 (ntdll.dll!_FinalExceptionHandler@16)
SEH4
在缓冲区攻击期间(18.2章),scope table的地址可以被重写。所以从MSVC 2005开始,SEH3升级到SEH4后有了缓冲区溢出保护。现在scope table指针与一个security cookie(一个随机值)做异或运算。scope table扩展了包含两个指向security cookie指针的头部。每个元素都有另一个栈内偏移值:栈帧的地址(EBP)与security_cookie异或。该值将在异常处理过程中读取并检查其正确性。栈中的security cookie每次都是随机的,所以远程攻击者无法预测到它。
SEH4的previous try level初始化值是-2而不是-1。
seh4
这里有两个使用MSVC编译的SEH4例子:
Listing 68.10: MSVC 2012: one try block example
$SG85485 DB 'hello #1!', 0aH, 00H$SG85486 DB 'hello #2!', 0aH, 00H$SG85488 DB 'access violation, can''t recover', 0aH, 00H; scope table:xdata$x SEGMENT__sehtable$_main DD 0fffffffeH ; GS Cookie OffsetDD 00H ; GS Cookie XOR OffsetDD 0ffffffccH ; EH Cookie OffsetDD 00H ; EH Cookie XOR OffsetDD 0fffffffeH ; previous try levelDD FLAT:$LN12@main ; filterDD FLAT:$LN8@main ; handlerxdata$x ENDS$T2 = -36 ; size = 4_p$ = -32 ; size = 4tv68 = -28 ; size = 4__$SEHRec$ = -24 ; size = 24_main PROCpush ebpmov ebp, esppush -2push OFFSET __sehtable$_mainpush OFFSET __except_handler4mov eax, DWORD PTR fs:0push eaxadd esp, -20push ebxpush esipush edimov eax, DWORD PTR ___security_cookiexor DWORD PTR __$SEHRec$[ebp+16], eax ; xored pointer to scope tablexor eax, ebppush eax ; ebp ^ security_cookielea eax, DWORD PTR __$SEHRec$[ebp+8] ; pointer to VC_EXCEPTION_REGISTRATION_RECORDmov DWORD PTR fs:0, eaxmov DWORD PTR __$SEHRec$[ebp], espmov DWORD PTR _p$[ebp], 0mov DWORD PTR __$SEHRec$[ebp+20], 0 ; previous try levelpush OFFSET $SG85485 ; 'hello #1!'call _printfadd esp, 4mov eax, DWORD PTR _p$[ebp]mov DWORD PTR [eax], 13push OFFSET $SG85486 ; 'hello #2!'call _printfadd esp, 4mov DWORD PTR __$SEHRec$[ebp+20], -2 ; previous try leveljmp SHORT $LN6@main; filter:$LN7@main:$LN12@main:mov ecx, DWORD PTR __$SEHRec$[ebp+4]mov edx, DWORD PTR [ecx]mov eax, DWORD PTR [edx]mov DWORD PTR $T2[ebp], eaxcmp DWORD PTR $T2[ebp], -1073741819 ; c0000005Hjne SHORT $LN4@mainmov DWORD PTR tv68[ebp], 1jmp SHORT $LN5@main$LN4@main:mov DWORD PTR tv68[ebp], 0$LN5@main:mov eax, DWORD PTR tv68[ebp]$LN9@main:$LN11@main:ret 0; handler:$LN8@main:mov esp, DWORD PTR __$SEHRec$[ebp]push OFFSET $SG85488 ; 'access violation, can''t recover'call _printfadd esp, 4mov DWORD PTR __$SEHRec$[ebp+20], -2 ; previous try level$LN6@main:xor eax, eaxmov ecx, DWORD PTR __$SEHRec$[ebp+8]mov DWORD PTR fs:0, ecxpop ecxpop edipop esipop ebxmov esp, ebppop ebpret 0_main ENDP
Listing 68.11: MSVC 2012: two try blocks example
$SG85486 DB 'in filter. code=0x%08X', 0aH, 00H$SG85488 DB 'yes, that is our exception', 0aH, 00H$SG85490 DB 'not our exception', 0aH, 00H$SG85497 DB 'hello!', 0aH, 00H$SG85499 DB '0x112233 raised. now let''s crash', 0aH, 00H$SG85501 DB 'access violation, can''t recover', 0aH, 00H$SG85503 DB 'user exception caught', 0aH, 00Hxdata$x SEGMENT__sehtable$_main DD 0fffffffeH ; GS Cookie OffsetDD 00H ; GS Cookie XOR OffsetDD 0ffffffc8H ; EH Cookie OffsetDD 00H ; EH Cookie OffsetDD 0fffffffeH ; previous try level for outer blockDD FLAT:$LN19@main ; outer block filterDD FLAT:$LN9@main ; outer block handlerDD 00H ; previous try level for inner blockDD FLAT:$LN18@main ; inner block filterDD FLAT:$LN13@main ; inner block handlerxdata$x ENDS$T2 = -40 ; size = 4$T3 = -36 ; size = 4_p$ = -32 ; size = 4tv72 = -28 ; size = 4__$SEHRec$ = -24 ; size = 24_main PROCpush ebpmov ebp, esppush -2 ; initial previous try levelpush OFFSET __sehtable$_mainpush OFFSET __except_handler4mov eax, DWORD PTR fs:0push eax ; prevadd esp, -24push ebxpush esipush edimov eax, DWORD PTR ___security_cookiexor DWORD PTR __$SEHRec$[ebp+16], eax ; xored pointer to scope tablexor eax, ebp ; ebp ^ security_cookiepush eaxlea eax, DWORD PTR __$SEHRec$[ebp+8] ; pointer to VC_EXCEPTION_REGISTRATION_RECORDmov DWORD PTR fs:0, eaxmov DWORD PTR __$SEHRec$[ebp], espmov DWORD PTR _p$[ebp], 0mov DWORD PTR __$SEHRec$[ebp+20], 0 ; entering outer try block, setting previous try level=0mov DWORD PTR __$SEHRec$[ebp+20], 1 ; entering inner try block, setting previous try level=1push OFFSET $SG85497 ; 'hello!'call _printfadd esp, 4push 0push 0push 0push 1122867 ; 00112233Hcall DWORD PTR __imp__RaiseException@16push OFFSET $SG85499 ; '0x112233 raised. now let''s crash'call _printfadd esp, 4mov eax, DWORD PTR _p$[ebp]mov DWORD PTR [eax], 13mov DWORD PTR __$SEHRec$[ebp+20], 0 ; exiting inner try block, set previous try level back to 0jmp SHORT $LN2@main; inner block filter:$LN12@main:$LN18@main:mov ecx, DWORD PTR __$SEHRec$[ebp+4]mov edx, DWORD PTR [ecx]mov eax, DWORD PTR [edx]mov DWORD PTR $T3[ebp], eaxcmp DWORD PTR $T3[ebp], -1073741819 ; c0000005Hjne SHORT $LN5@mainmov DWORD PTR tv72[ebp], 1jmp SHORT $LN6@main$LN5@main:mov DWORD PTR tv72[ebp], 0$LN6@main:mov eax, DWORD PTR tv72[ebp]$LN14@main:$LN16@main:ret 0; inner block handler:$LN13@main:mov esp, DWORD PTR __$SEHRec$[ebp]push OFFSET $SG85501 ; 'access violation, can''t recover'call _printfadd esp, 4mov DWORD PTR __$SEHRec$[ebp+20], 0 ; exiting inner try block, setting previous try level back to 0$LN2@main:mov DWORD PTR __$SEHRec$[ebp+20], -2 ; exiting both blocks, setting previous try level back to -2jmp SHORT $LN7@main; outer block filter:$LN8@main:$LN19@main:mov ecx, DWORD PTR __$SEHRec$[ebp+4]mov edx, DWORD PTR [ecx]mov eax, DWORD PTR [edx]mov DWORD PTR $T2[ebp], eaxmov ecx, DWORD PTR __$SEHRec$[ebp+4]push ecxmov edx, DWORD PTR $T2[ebp]push edxcall _filter_user_exceptionsadd esp, 8$LN10@main:$LN17@main:ret 0; outer block handler:$LN9@main:mov esp, DWORD PTR __$SEHRec$[ebp]push OFFSET $SG85503 ; 'user exception caught'call _printfadd esp, 4mov DWORD PTR __$SEHRec$[ebp+20], -2 ; exiting both blocks, setting previous try level back to -2$LN7@main:xor eax, eaxmov ecx, DWORD PTR __$SEHRec$[ebp+8]mov DWORD PTR fs:0, ecxpop ecxpop edipop esipop ebxmov esp, ebppop ebpret 0_main ENDP_code$ = 8 ; size = 4_ep$ = 12 ; size = 4_filter_user_exceptions PROCpush ebpmov ebp, espmov eax, DWORD PTR _code$[ebp]push eaxpush OFFSET $SG85486 ; 'in filter. code=0x%08X'call _printfadd esp, 8cmp DWORD PTR _code$[ebp], 1122867 ; 00112233Hjne SHORT $LN2@filter_usepush OFFSET $SG85488 ; 'yes, that is our exception'call _printfadd esp, 4mov eax, 1jmp SHORT $LN3@filter_usejmp SHORT $LN3@filter_use$LN2@filter_use:push OFFSET $SG85490 ; 'not our exception'call _printfadd esp, 4xor eax, eax$LN3@filter_use:pop ebpret 0_filter_user_exceptions ENDP
这里是cookie的含义:Cookie Offset用于区分栈中saved_EBP的地址和EBP⊕security_cookie。附加的Cookie XOR Offset用于区分EBP⊕security_cookie是否保存在栈中。如果这个等式不为true,会由于栈受到破坏而停止这个过程。
security_cookie⊕(Cookie XOR Offset+address_of_saved_EBP) == stack[address_of_saved_EBP + CookieOffset]
如果Cookie Offset为-2,这意味着它不存在。
在我的tracer工具也实现了Cookie检查,具体请看Github。
MSVC 2005之后的编译器开启/GS选项仍可能会回滚到SEH3。不过,CRT的代码总是使用SEH4。
68.3.3 Windows x64
正如你所认为的,每个函数序言在设置SEH帧效率不高。另一个性能问题是,函数执行期间多次尝试改变previous try level。这种情况在x64完全改变了:现在所有指向try块,filter和handler函数都保存在PE文件的.pdata段,由它提供给操作系统异常处理所需信息。
这里有两个使用x64编译的例子:
Listing 68.12: MSVC 2012
$SG86276 DB 'hello #1!', 0aH, 00H$SG86277 DB 'hello #2!', 0aH, 00H$SG86279 DB 'access violation, can''t recover', 0aH, 00Hpdata SEGMENT$pdata$main DD imagerel $LN9DD imagerel $LN9+61DD imagerel $unwind$mainpdata ENDSpdata SEGMENT$pdata$main$filt$0 DD imagerel main$filt$0DD imagerel main$filt$0+32DD imagerel $unwind$main$filt$0pdata ENDSxdata SEGMENT$unwind$main DD 020609HDD 030023206HDD imagerel __C_specific_handlerDD 01HDD imagerel $LN9+8DD imagerel $LN9+40DD imagerel main$filt$0DD imagerel $LN9+40$unwind$main$filt$0 DD 020601HDD 050023206Hxdata ENDS_TEXT SEGMENTmain PROC$LN9:push rbxsub rsp, 32xor ebx, ebxlea rcx, OFFSET FLAT:$SG86276 ; 'hello #1!'call printfmov DWORD PTR [rbx], 13lea rcx, OFFSET FLAT:$SG86277 ; 'hello #2!'call printfjmp SHORT $LN8@main$LN6@main:lea rcx, OFFSET FLAT:$SG86279 ; 'access violation, can''t recover'call printfnpad 1 ; align next label$LN8@main:xor eax, eaxadd rsp, 32pop rbxret 0main ENDP_TEXT ENDStext$x SEGMENTmain$filt$0 PROCpush rbpsub rsp, 32mov rbp, rdx$LN5@main$filt$:mov rax, QWORD PTR [rcx]xor ecx, ecxcmp DWORD PTR [rax], -1073741819; c0000005Hsete clmov eax, ecx$LN7@main$filt$:add rsp, 32pop rbpret 0int 3main$filt$0 ENDPtext$x ENDS
Listing 68.13: MSVC 2012
$SG86277 DB 'in filter. code=0x%08X', 0aH, 00H$SG86279 DB 'yes, that is our exception', 0aH, 00H$SG86281 DB 'not our exception', 0aH, 00H$SG86288 DB 'hello!', 0aH, 00H$SG86290 DB '0x112233 raised. now let''s crash', 0aH, 00H$SG86292 DB 'access violation, can''t recover', 0aH, 00H$SG86294 DB 'user exception caught', 0aH, 00Hpdata SEGMENT$pdata$filter_user_exceptions DD imagerel $LN6DD imagerel $LN6+73DD imagerel $unwind$filter_user_exceptions$pdata$main DD imagerel $LN14DD imagerel $LN14+95DD imagerel $unwind$mainpdata ENDSpdata SEGMENT$pdata$main$filt$0 DD imagerel main$filt$0DD imagerel main$filt$0+32DD imagerel $unwind$main$filt$0$pdata$main$filt$1 DD imagerel main$filt$1DD imagerel main$filt$1+30DD imagerel $unwind$main$filt$1pdata ENDSxdata SEGMENT$unwind$filter_user_exceptions DD 020601HDD 030023206H$unwind$main DD 020609HDD 030023206HDD imagerel __C_specific_handlerDD 02HDD imagerel $LN14+8DD imagerel $LN14+59DD imagerel main$filt$0DD imagerel $LN14+59DD imagerel $LN14+8DD imagerel $LN14+74DD imagerel main$filt$1DD imagerel $LN14+74$unwind$main$filt$0 DD 020601HDD 050023206H$unwind$main$filt$1 DD 020601HDD 050023206Hxdata ENDS_TEXT SEGMENTmain PROC$LN14:push rbxsub rsp, 32xor ebx, ebxlea rcx, OFFSET FLAT:$SG86288 ; 'hello!'call printfxor r9d, r9dxor r8d, r8dxor edx, edxmov ecx, 1122867 ; 00112233Hcall QWORD PTR __imp_RaiseExceptionlea rcx, OFFSET FLAT:$SG86290 ; '0x112233 raised. now let''s crash'call printfmov DWORD PTR [rbx], 13jmp SHORT $LN13@main$LN11@main:lea rcx, OFFSET FLAT:$SG86292 ; 'access violation, can''t recover'call printfnpad 1 ; align next label$LN13@main:jmp SHORT $LN9@main$LN7@main:lea rcx, OFFSET FLAT:$SG86294 ; 'user exception caught'call printfnpad 1 ; align next label$LN9@main:xor eax, eaxadd rsp, 32pop rbxret 0main ENDPtext$x SEGMENTmain$filt$0 PROCpush rbpsub rsp, 32mov rbp, rdx$LN10@main$filt$:mov rax, QWORD PTR [rcx]xor ecx, ecxcmp DWORD PTR [rax], -1073741819; c0000005Hsete clmov eax, ecx$LN12@main$filt$:add rsp, 32pop rbpret 0int 3main$filt$0 ENDPmain$filt$1 PROCpush rbpsub rsp, 32mov rbp, rdx$LN6@main$filt$:mov rax, QWORD PTR [rcx]mov rdx, rcxmov ecx, DWORD PTR [rax]call filter_user_exceptionsnpad 1 ; align next label$LN8@main$filt$:add rsp, 32pop rbpret 0int 3main$filt$1 ENDPtext$x ENDS_TEXT SEGMENTcode$ = 48ep$ = 56filter_user_exceptions PROC$LN6:push rbxsub rsp, 32mov ebx, ecxmov edx, ecxlea rcx, OFFSET FLAT:$SG86277 ; 'in filter. code=0x%08X'call printfcmp ebx, 1122867; 00112233Hjne SHORT $LN2@filter_uselea rcx, OFFSET FLAT:$SG86279 ; 'yes, that is our exception'call printfmov eax, 1add rsp, 32pop rbxret 0$LN2@filter_use:lea rcx, OFFSET FLAT:$SG86281 ; 'not our exception'call printfxor eax, eaxadd rsp, 32pop rbxret 0filter_user_exceptions ENDP_TEXT ENDS
读Sko12获取更多详细的信息。
除了异常信息,.pdata还包含了几乎所有函数的开始和结束地址,因此它可能对于自动化分析工具有用。
68.3.4 更多关于SEH的信息
Matt Pietrek. “A Crash Course on the Depths of Win32™ Structured Exception Handling”. In: MSDN magazine (). URL: http://go.yurichev.com/17293.
Igor Skochinsky. Compiler Internals: Exceptions and RTTI. Also available as http://go.yurichev.com/ 17294. 2012.
当前内容版权归 Dennis Yurichev 或其关联方所有,如需对内容或内容相关联开源项目进行关注与资助,请访问 Dennis Yurichev .
