学步园

引言：_except_handler3是BaseProcessStart的异常处理函数。

7C839AF0 ; int __cdecl _except_handler3(EXCEPTION_RECORD *argExceptionRecord,<br /> 7C839AF0 _EXCEPTION_REGISTRATION *argEstablisherFrame, _CONTEXT *argContextRecord)<br /> 7C839AF0<br /> 7C839AF0 varXPointers = dword ptr -8<br /> 7C839AF0 var_4 = dword ptr -4<br /> 7C839AF0 argExceptionRecord= dword ptr 8<br /> 7C839AF0 argEstablisherFrame= dword ptr 0Ch<br /> 7C839AF0 argContextRecord= dword ptr 10h<br /> 7C839AF0 ;<br /> 7C839AF0 ;<br /> 7C839AF0 ; VC++扩展SEH<br /> 7C839AF0 ; [ebp-14];PEXCEPTION_POINTERS xpointers;<br /> 7C839AF0 ; ;struct _EXCEPTION_REGISTRATION{<br /> 7C839AF0 ; [ebp-10]; struct _EXCEPTION_REGISTRATION *prev;<br /> 7C839AF0 ; [ebp-0C]; _except_handler handler;<br /> 7C839AF0 ; [ebp-08]; struct scopetable_entry *scopetable;<br /> 7C839AF0 ; [ebp-04]; int trylevel;<br /> 7C839AF0 ; [ebp-00]; int _ebp;<br /> 7C839AF0 ; ;};<br /> 7C839AF0 ; argEstablisherFrame当前指向[ebp-10]<br /> 7C839AF0 ;<br /> 7C839AF0 ;<br /> 7C839AF0 ; _except_handler定义<br /> 7C839AF0 ; typedef EXCEPTION_DISPOSITION __cdecl (*_except_handler)(<br /> 7C839AF0 ; _In_ struct _EXCEPTION_RECORD *_ExceptionRecord,<br /> 7C839AF0 ; _In_ void * _EstablisherFrame,<br /> 7C839AF0 ; _Inout_ struct _CONTEXT *_ContextRecord,<br /> 7C839AF0 ; _Inout_ void * _DispatcherContext<br /> 7C839AF0 ; );<br /> 7C839AF0 ;<br /> 7C839AF0 ;<br /> 7C839AF0 ; scopetable_entry定义<br /> 7C839AF0 ; struct scopetable_entry{<br /> 7C839AF0 ; DWORD prevlevel;<br /> 7C839AF0 ; PVOID lpfnFilter;<br /> 7C839AF0 ; PVOID lpfnHandler;<br /> 7C839AF0 ; }<br /> 7C839AF0<br /> 7C839AF0 push ebp<br /> 7C839AF1 mov ebp, esp<br /> 7C839AF3 sub esp, 8 ; EXCEPTION_POINTERS varXPointers;<br /> 7C839AF6 push ebx<br /> 7C839AF7 push esi<br /> 7C839AF8 push edi<br /> 7C839AF9 push ebp<br /> 7C839AFA cld ; Clear Direction Flag<br /> 7C839AFB mov ebx, [ebp+argEstablisherFrame]<br /> 7C839AFE mov eax, [ebp+argExceptionRecord]<br /> 7C839B01 test dword ptr [eax+4], 6 ;if(argExceptionRecord->ExceptionFlags &<br /> 7C839B01 ; EXCEPTION_UNWIND_CONTEXT)<br /> 7C839B01 ; goto loc_7C839BB9<br /> 7C839B01 ;EXCEPTION_UNWIND_CONTEXT在exsup.inc中定义<br /> 7C839B08 jnz loc_7C839BB9<br /> 7C839B0E mov [ebp+varXPointers], eax;varXPointers->ExceptionRecord=argExceptionRecord<br /> 7C839B11 mov eax, [ebp+argContextRecord]<br /> 7C839B14 mov [ebp+var_4], eax ;varXPointers->ContextRecord=argContextRecord<br /> 7C839B17 lea eax, [ebp+varXPointers]<br /> 7C839B1A mov [ebx-4], eax ;(PEXCEPTION_POINTERS)((DWORD)argEstablisherFrame-4)=xpointers<br /> 7C839B1D mov esi, [ebx+0Ch] ;esi=argEstablisherFrame->trylevel<br /> 7C839B20 mov edi, [ebx+8] ;edi=argEstablisherFrame->scopetable<br /> 7C839B23 push ebx<br /> 7C839B24 call __ValidateEH3RN<br /> 7C839B29 add esp, 4<br /> 7C839B2C or eax, eax<br /> 7C839B2E jz short loc_7C839BAB<br /> 7C839B30<br /> 7C839B30 loc_7C839B30: ;CODE XREF: __except_handler3+B2j<br /> 7C839B30 cmp esi, 0FFFFFFFFh ;if(argEstablisherFrame->trylevel==0xFFFFFFFF) goto loc_7C839BB2<br /> 7C839B33 jz short loc_7C839BB2 ;当前异常帧中所有__try/__except(嵌套)遍历完毕,跳走!<br /> 7C839B33 ;注：一个函数仅有一个异常帧,__try/__except嵌套也只产生一个异常帧<br /> 7C839B35 lea ecx, [esi+esi*2]<br /> 7C839B38 mov eax, [edi+ecx*4+4] ;eax=argEstablisherFrame->scopetable[trylevel].lpfnFilter<br /> 7C839B3C or eax, eax<br /> 7C839B3E jz short loc_7C839B99 ;if(lpfnFilter == NULL) goto loc_7C839B99<br /> 7C839B40 push esi<br /> 7C839B41 push ebp ;保存当前ebp<br /> 7C839B42 lea ebp, [ebx+10h] ;切换ebp,为lpfnFilter调用做准备<br /> 7C839B45 xor ebx, ebx<br /> 7C839B47 xor ecx, ecx<br /> 7C839B49 xor edx, edx<br /> 7C839B4B xor esi, esi<br /> 7C839B4D xor edi, edi<br /> 7C839B4F call eax ;call lpfnFilter<br /> 7C839B51 pop ebp ;恢复当前ebp<br /> 7C839B52 pop esi<br /> 7C839B53 mov ebx, [ebp+argEstablisherFrame]<br /> 7C839B56 or eax, eax ;检查lpfnFilter返回值.<br /> 7C839B58 jz short loc_7C839B99 ;if(eax==EXCEPTION_CONTINUE_SEARCH) goto loc_7C839B99<br /> 7C839B5A js short loc_7C839BA4 ;if(eax==EXCEPTION_CONTINUE_EXECUTION) goto loc_7C839BA4<br /> 7C839B5C mov edi, [ebx+8] ;if(eax==EXCEPTION_EXECUTE_HANDLER) goto 7C839B5F<br /> 7C839B5F push ebx<br /> 7C839B60 call __global_unwind2 ;全局展开<br /> 7C839B65 add esp, 4<br /> 7C839B68 lea ebp, [ebx+10h] ;切换ebp,注意之前没有保存当前ebp.<br /> 7C839B6B push esi<br /> 7C839B6C push ebx<br /> 7C839B6D call __local_unwind2 ;局部展开<br /> 7C839B72 add esp, 8<br /> 7C839B75 lea ecx, [esi+esi*2]<br /> 7C839B78 push 1<br /> 7C839B7A mov eax, [edi+ecx*4+8]<br /> 7C839B7E call __NLG_Notify<br /> 7C839B83 mov eax, [edi+ecx*4] ;eax = =argEstablisherFrame->scopetable[trylevel].prelevel<br /> 7C839B86 mov [ebx+0Ch], eax ;argEstablisherFrame->trylevel=eax<br /> 7C839B89 mov eax, [edi+ecx*4+8] ;eax=argEstablisherFrame->scopetable[trylevel].lpfnHandler<br /> 7C839B8D xor ebx, ebx<br /> 7C839B8F xor ecx, ecx<br /> 7C839B91 xor edx, edx<br /> 7C839B93 xor esi, esi<br /> 7C839B95 xor edi, edi<br /> 7C839B97 call eax ;call lpfnHandler 不再返回!<br /> 7C839B99<br /> 7C839B99 loc_7C839B99: ;CODE XREF: __except_handler3+4Ej<br /> 7C839B99 ;__except_handler3+68j<br /> 7C839B99 mov edi, [ebx+8] ;lpfnFilter返回EXCEPTION_CONTINUE_SEARCH的情况下<br /> 7C839B99 ;edi=argEstablisherFrame->scopetable<br /> 7C839B9C lea ecx, [esi+esi*2]<br /> 7C839B9F mov esi, [edi+ecx*4];esi=argEstablisherFrame->scopetable[trylevel].prevlevel<br /> 7C839BA2 jmp short loc_7C839B30<br /> 7C839BA4 ; ---------------------------------------------------------------------------<br /> 7C839BA4<br /> 7C839BA4 loc_7C839BA4: ;CODE XREF: __except_handler3+6Aj<br /> 7C839BA4 mov eax, 0 ;eax=ExceptionContinueExecution<br /> 7C839BA9 jmp short loc_7C839BCE ; 退出<br /> 7C839BAB ; ---------------------------------------------------------------------------<br /> 7C839BAB<br /> 7C839BAB loc_7C839BAB: ;CODE XREF: __except_handler3+3Ej<br /> 7C839BAB mov eax, [ebp+argExceptionRecord]<br /> 7C839BAE or dword ptr [eax+4], 8<br /> 7C839BB2<br /> 7C839BB2 loc_7C839BB2: ;CODE XREF: __except_handler3+43j<br /> 7C839BB2 mov eax, 1 ;7C839BAB ~ 7C839BB7的分析<br /> 7C839BB2 ;if(argExceptionRecord->ExceptionFlags==EXCEPTION_STACK_INVALID){<br /> 7C839BB2 ; eax = ExceptionContinueSearch<br /> 7C839BB2 ; goto loc_7C839BCE<br /> 7C839BB2 ;}<br /> 7C839BB7 jmp short loc_7C839BCE ; 退出<br /> 7C839BB9 ; ---------------------------------------------------------------------------<br /> 7C839BB9<br /> 7C839BB9 loc_7C839BB9: ; CODE XREF: __except_handler3+18j<br /> 7C839BB9 push ebp ; 保存当前ebp<br /> 7C839BBA lea ebp, [ebx+10h] ; 切换ebp<br /> 7C839BBD push 0FFFFFFFFh<br /> 7C839BBF push ebx<br /> 7C839BC0 call __local_unwind2 ; 局部展开<br /> 7C839BC5 add esp, 8<br /> 7C839BC8 pop ebp ; 恢复当前ebp<br /> 7C839BC9 mov eax, 1 ; eax = ExceptionContinueSearch<br /> 7C839BCE<br /> 7C839BCE loc_7C839BCE: ; CODE XREF: __except_handler3+B9j<br /> 7C839BCE ; __except_handler3+C7j<br /> 7C839BCE pop ebp<br /> 7C839BCF pop edi<br /> 7C839BD0 pop esi<br /> 7C839BD1 pop ebx<br /> 7C839BD2 mov esp, ebp<br /> 7C839BD4 pop ebp<br /> 7C839BD5 retn<br /> 7C839BD5 __except_handler3 endp

相应的伪代码：

// VC++扩展SEH的异常帧结构<br /> // [ebp-14];PEXCEPTION_POINTERS xpointers;<br /> // ;struct _EXCEPTION_REGISTRATION{<br /> // [ebp-10]; struct _EXCEPTION_REGISTRATION *prev;<br /> // [ebp-0C]; _except_handler handler;<br /> // [ebp-08]; struct scopetable_entry *scopetable;<br /> // [ebp-04]; int trylevel;<br /> // [ebp-00]; int _ebp;<br /> // ;};<br /> //<br /> // typedef enum _EXCEPTION_DISPOSITION {<br /> // ExceptionContinueExecution,<br /> // ExceptionContinueSearch,<br /> // ExceptionNestedException,<br /> // ExceptionCollidedUnwind<br /> // } EXCEPTION_DISPOSITION;<br /> //<br /> // _except_handler定义<br /> // typedef EXCEPTION_DISPOSITION __cdecl (*_except_handler)(<br /> // _In_ struct _EXCEPTION_RECORD *_ExceptionRecord,<br /> // _In_ void * _EstablisherFrame,<br /> // _Inout_ struct _CONTEXT *_ContextRecord,<br /> // _Inout_ void * _DispatcherContext<br /> // );<br /> //<br /> //<br /> // scopetable_entry定义<br /> // struct scopetable_entry{<br /> // DWORD prevtrylevel;<br /> // PVOID lpfnFilter;<br /> // PVOID lpfnHandler;<br /> // }</p> <p>EXCEPTION_DISPOSITION __cdecl __except_handler3 (<br /> _In_ struct _EXCEPTION_RECORD *argExceptionRecord,<br /> _In_ void * argEstablisherFrame,<br /> _Inout_ struct _CONTEXT *argContextRecord,<br /> _Inout_ void * argDispatcherContext<br /> )<br /> {<br /> EXCEPTION_POINTERS varXPointers;<br /> DWORD dwTryLevel,dwRetFilter;</p> <p> //方向标志复位<br /> __asm cld</p> <p> if(!(argExceptionRecord->ExceptionFlags & EXCEPTION_UNWIND_CONTEXT))<br /> {<br /> varXPointers->ExceptionRecord = argExceptionRecord;<br /> varXPointers->ContextRecord = argContextRecord;</p> <p> //提供VC++扩展SEH的异常帧结构中的[ebp-14]值<br /> //内联函数GetExceptionInformation将从[ebp-14]提取信息<br /> (PEXCEPTION_POINTERS)((DWORD)argEstablisherFrame-4)= &varXPointers;</p> <p> //验证SEH异常帧<br /> if(__ValidateEH3RN(argEstablisherFrame))<br /> {<br /> //一个函数仅有一个异常帧,一个函数可以有多个__try/__except结构<br /> //嵌套的__try/__except通过scopetable->prevtrylevel关联起来<br /> //向上搜索当前异常帧中嵌套的__try/__except过滤函数和处理函数<br /> dwTryLevel = argEstablisherFrame->trylevel;<br /> while(dwTryLevel != 0xFFFFFFFF)<br /> {<br /> //不存在过滤函数,继续向上一层__try/__except搜索<br /> if(!argEstablisherFrame->scopetable[dwTryLevel].lpfnFilter)<br /> {<br /> dwTryLevel = argEstablisherFrame->scopetable[dwTryLevel].prevtrylevel;<br /> continue;<br /> }</p> <p> //保存当前ebp<br /> __asm push ebp<br /> //切换ebp回lpfnFilter所在位置<br /> __asm lea ebp,&argEstablisherFrame->_ebp;<br /> //调用过滤函数<br /> dwRetFilter = argEstablisherFrame->scopetable[dwTryLevel].lpfnFilter();<br /> //恢复当前ebp<br /> __asm pop ebp<br /> //检查过滤函数的返回值<br /> if(dwRetFilter == EXCEPTION_CONTINUE_SEARCH)<br /> {<br /> dwTryLevel = argEstablisherFrame->scopetable[dwTryLevel].prevtrylevel;<br /> continue;<br /> }<br /> else if(dwRetFilter == EXCEPTION_CONTINUE_EXECUTION)<br /> {<br /> //异常已经修复,重新执行引发异常的指令<br /> return ExceptionContinueExecution;<br /> }<br /> //找到__except(EXCEPTION_EXECUTE_HANDLER)<br /> //全局展开<br /> __global_unwind2(argEstablisherFrame);<br /> //切换ebp,注意:之前没有保存当前ebp<br /> __asm lea ebp,&argEstablisherFrame->_ebp;<br /> //对当前__try/__except进行局部展开<br /> __local_unwind2(argEstablisherFrame,dwTryLevel);<br /> //作用未知!<br /> __NLG_Notify(1);<br /> //把异常帧的trylevel设置成__except(EXCEPTION_EXECUTE_HANDLER)<br /> //的上一个__try/__except<br /> argEstablisherFrame->trylevel =<br /> argEstablisherFrame->scopetable[dwTryLevel].prevtrylevel;<br /> //调用__except {}块，这个调用并不会返回<br /> argEstablisherFrame->scopetable[dwTryLevel].lpfnHandler();<br /> }</p> <p> //当前异常帧搜索结束,但仍然没有找到__except(EXCEPTION_EXECUTE_HANDLER)<br /> //向下一个异常帧搜索,也就是向__except_handler3的调用函数搜索异常帧<br /> return ExceptionContinueSearch;</p> <p> }<br /> else<br /> {<br /> //异常帧的栈无效<br /> //向下一个异常帧搜索,也就是向__except_handler3的调用函数搜索异常帧<br /> if(argExceptionRecord->ExceptionFlags==EXCEPTION_STACK_INVALID)<br /> {<br /> return ExceptionContinueSearch;<br /> }<br /> }<br /> }<br /> else<br /> {<br /> //保存当前ebp<br /> __asm push ebp<br /> //切换ebp回引发异常的函数<br /> __asm lea,&argEstablisherFrame->_ebp;<br /> //对引发异常的函数进行局部展开<br /> __local_unwind2(argEstablisherFrame,0xFFFFFFFF);<br /> //恢复当前ebp<br /> __asm pop ebp</p> <p> return ExceptionContinueSearch;<br /> }<br /> }

示意图(也就是__try/__except的示意图)：

遗留：还不太清楚__NLG_Notify的作用，哪位朋友可以提点一下，非常感谢!!附__NLG_Notify：

7C80E01B __NLG_Notify proc near ; CODE XREF: __local_unwind2+57p<br /> 7C80E01B ; __except_handler3+8Ep<br /> 7C80E01B push ebx<br /> 7C80E01C push ecx<br /> 7C80E01D mov ebx, offset __NLG_Destination<br /> 7C80E022 mov ecx, [ebp+8]<br /> 7C80E025<br /> 7C80E025 loc_7C80E025: ; CODE XREF: __NLG_Notify1+7j<br /> 7C80E025 mov [ebx+8], ecx<br /> 7C80E028 mov [ebx+4], eax ; eax=pEstablisherFrame->scopetable[trylevel].lpfnHandler<br /> 7C80E02B mov [ebx+0Ch], ebp<br /> 7C80E02E push ebp<br /> 7C80E02F push ecx<br /> 7C80E030 push eax<br /> 7C80E030 __NLG_Notify endp ; sp-analysis failed<br /> 7C80E030<br /> 7C80E031<br /> 7C80E031 ; =============== S U B R O U T I N E =======================================<br /> 7C80E031<br /> 7C80E031<br /> 7C80E031 __NLG_Dispatch2 proc near<br /> 7C80E031 pop eax<br /> 7C80E032 pop ecx<br /> 7C80E033 pop ebp<br /> 7C80E034 pop ecx<br /> 7C80E035 pop ebx<br /> 7C80E036 retn 4<br /> 7C80E036 __NLG_Dispatch2 endp ; sp-analysis failed<br /> 7C80E036