SEH (Structured Exception Handler)
SEH is used like this:
__try
{
    // code
}
__except (EXCEPTION_EXECUTE_HANDLER)
{
    // exception handling
}
// with SEH, we can't call a class's destructor() function,
// because SEH is C-based (I guess).
The point of this page:
/* main.cpp in VSC++ compiler */
#include <windows.h>   // __try / __except and EXCEPTION_EXECUTE_HANDLER
#include <iostream>
#include <cstdio>
int main()
{
    __try
    {
        std::cout << "...";   // whatever string the post printed (not shown); see the operator<< call below
        getchar();
    }
    __except (EXCEPTION_EXECUTE_HANDLER)
    {
    }
    return 0;
}
/* ~main.cpp in VSC++ compiler */
01311000 | push ebp
01311001 | mov ebp,esp
01311003 | push FFFFFFFE
01311005 | push study_2016_11_12.1312538
0131100A | push <study_2016_11_12._except_handler4>
0131100F | mov eax,dword ptr fs:[0]
01311015 | push eax
01311016 | sub esp,8
01311019 | push ebx
0131101A | push esi
0131101B | push edi
0131101C | mov eax,dword ptr ds:[<__security_cookie>]
01311021 | xor dword ptr ss:[ebp-8],eax
01311024 | xor eax,ebp
01311026 | push eax
01311027 | lea eax,dword ptr ss:[ebp-10]
0131102A | mov dword ptr fs:[0],eax
01311030 | mov dword ptr ss:[ebp-18],esp
01311033 | mov dword ptr ss:[ebp-4],0
0131103A | mov ecx,dword ptr ds:[<&class std::basic_ostream<char,struct std::
01311040 | call <study_2016_11_12.std::operator<<<std::char_traits<char> >>
01311045 | call dword ptr ds:[<&getchar>]
0131104B | jmp study_2016_11_12.1311056
0131104D | mov eax,1
01311052 | ret
---------------------------------------------------------------------------------------------------
/* main.cpp in VSC++ compiler */
// the same code, without __try / __except
/* ~main.cpp in VSC++ compiler */
013B1000 | mov ecx,dword ptr ds:[<&class std::basic_ostream<char,struct std::
013B1006 | call <study_2016_11_12.std::operator<<<std::char_traits<char> >>
013B100B | call dword ptr ds:[<&getchar>]
013B1011 | xor eax,eax
013B1013 | ret
As you can see, when SEH is used in a function, the SEH handler's address is pushed onto the stack.
" mov eax, dword ptr fs:[0] "
As far as I know, the fs segment register points to the TIB (Win32 Thread Information Block), and fs:[0] is set when SEH is used.
Maybe later on we can make good use of that, for example as a signature for locating the TIB.
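An added example, not code from the post, that walks the registration chain the listing above builds: each record is the Next/Handler pair left at [ebp-10] (the saved fs:[0] followed by _except_handler4), and fs:[0] points at the newest record. It runs against a constructed stack image with made-up addresses, so it is portable C rather than code that reads fs:[0] on a live Win32 thread.

```c
#include <stdint.h>
/* 32-bit EXCEPTION_REGISTRATION_RECORD: the two dwords the listing above builds
   at [ebp-10], Next (the saved fs:[0]) followed by Handler (_except_handler4). */
typedef struct {
    uint32_t next;    /* previous record; 0xFFFFFFFF ends the chain */
    uint32_t handler; /* handler routine address */
} seh_record_t;
#define SEH_CHAIN_END 0xFFFFFFFFu

/* Constructed slice of a 32-bit thread stack; addresses and handler values are
   made up for this example, not taken from the listing. */
#define STACK_BASE  0x0019F000u
#define STACK_WORDS 16
static const uint32_t g_stack[STACK_WORDS] = {
    0, 0, 0, 0,
    STACK_BASE + 0x30, 0x01311234u, /* +0x10: main's record -> _except_handler4 */
    0, 0, 0, 0, 0, 0,
    SEH_CHAIN_END, 0x0131ABCDu,     /* +0x30: outer CRT record, last in chain */
    0, 0
};

/* Read one record from the simulated stack; 0 if the address is outside it. */
static int read_record(uint32_t addr, seh_record_t *out)
{
    uint32_t off = addr - STACK_BASE;
    if (addr < STACK_BASE || off % 4 != 0 || off / 4 + 1 >= STACK_WORDS)
        return 0;
    out->next = g_stack[off / 4];
    out->handler = g_stack[off / 4 + 1];
    return 1;
}

/* Walk the chain from fs:[0] the way a debugger's "SEH chain" view does. Returns the
   count of handlers written to `handlers` (at most `max`), or -1 when a record lies
   outside the stack or does not move toward older (higher) frames: a corrupted chain. */
int walk_seh_chain(uint32_t fs0, uint32_t *handlers, int max)
{
    uint32_t cur = fs0;
    int n = 0;
    while (cur != SEH_CHAIN_END) {
        seh_record_t rec;
        if (n >= max || !read_record(cur, &rec))
            return -1;
        if (rec.next != SEH_CHAIN_END && rec.next <= cur)
            return -1;
        handlers[n++] = rec.handler;
        cur = rec.next;
    }
    return n;
}
```

On a real x86 thread the starting value would be read from fs:[0] and the records would be validated against the thread's stack limits from the TIB; the walk itself is the same.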
Reversing World
Thursday, November 17, 2016
Wednesday, November 2, 2016
Simple description of the x64dbg build
1. Get the x64dbg project from GitHub.
- https://github.com/x64dbg/x64dbg
2. Download Visual Studio 2013
- https://www.visualstudio.com/downloads/#d-community
- PS: I've tried to use VS2015 but failed; I got a GUI module object symbol crash.
3. Download Qt
- https://www.qt.io/download-open-source/
- x86 = http://download.qt.io/official_releases/qt/5.6/5.6.0/qt-opensource-windows-x86-msvc2013-5.6.0.exe
- x64 = http://download.qt.io/official_releases/qt/5.6/5.6.0/qt-opensource-windows-x86-msvc2013_64-5.6.0.exe
4. Download the capstone_wrapper project from x64dbg
- https://github.com/x64dbg/capstone_wrapper
- put it in x64dbg/src/
5. Build the whole x64dbg.sln solution <-- this will be the engine
6. Build x64dbg/src/gui/x64dbg.pro with Qt <-- this will be the debugger's GUI
- you might need to set this environment variable:
- VSVARSALLPATH=C:\Program Files (x86)\Microsoft Visual Studio 12.0\VC\vcvarsall.bat
7. Get a snapshot
- https://sourceforge.net/projects/x64dbg/files/snapshots/
- unzip it
- in the release folder, copy all the files in release/x64 or release/x86
- paste them into x64dbg/bin/x64 or x64dbg/bin/x32, replacing the files we built
8. Run x64dbg.exe. Done!!
PS: I've tried other versions of Visual Studio and Qt, but it only works with these exact versions.
Sunday, October 23, 2016
IDA patch assembly
Edit->Patch Program->Assemble an Instruction
Do the patching
Edit->Patch Program->Apply patches to input file
Saturday, October 22, 2016
This blog's goal
There is a word that I like, "WinWin".
I intend to write about my experiences in this blog like a personal diary,
and for those who happen to seek information in a similar category.
My English might not make sense.
My information might not be 100% true.
I would love to hear feedback and corrections.
Welcome.