Topics

Thursday, November 17, 2016

SEH & assembly code

SEH(Structured Exception Handler)

SEH is used like this:

__try
{
    // code
}
__except(EXCEPTION_EXECUTE_HANDLER)
{
    // exception handling
}

// With SEH we can't call a class's destructor,
// because it's C-based (I guess).

The point of this page:

/* main.cpp in VSC++ compiler */
__try
{
    // code
}
__except(EXCEPTION_EXECUTE_HANDLER)
{
}
/* ~main.cpp in VSC++ compiler */

01311000 | push ebp
01311001 | mov ebp,esp
01311003 | push FFFFFFFE
01311005 | push study_2016_11_12.1312538
0131100A | push <study_2016_11_12._except_handler4>
0131100F | mov eax,dword ptr fs:[0]
01311015 | push eax
01311016 | sub esp,8
01311019 | push ebx
0131101A | push esi
0131101B | push edi
0131101C | mov eax,dword ptr ds:[<__security_cookie>]
01311021 | xor dword ptr ss:[ebp-8],eax
01311024 | xor eax,ebp
01311026 | push eax
01311027 | lea eax,dword ptr ss:[ebp-10]
0131102A | mov dword ptr fs:[0],eax
01311030 | mov dword ptr ss:[ebp-18],esp
01311033 | mov dword ptr ss:[ebp-4],0
0131103A | mov ecx,dword ptr ds:[<&class std::basic_ostream<char,struct std::
01311040 | call <study_2016_11_12.std::operator<<<std::char_traits<char> >>
01311045 | call dword ptr ds:[<&getchar>]
0131104B | jmp study_2016_11_12.1311056
0131104D | mov eax,1
01311052 | ret

---------------------------------------------------------------------------------------------------
/* main.cpp in VSC++ compiler */
// code
/* ~main.cpp in VSC++ compiler */

013B1000 | mov ecx,dword ptr ds:[<&class std::basic_ostream<char,struct std::
013B1006 | call <study_2016_11_12.std::operator<<<std::char_traits<char> >>
013B100B | call dword ptr ds:[<&getchar>]
013B1011 | xor eax,eax
013B1013 | ret


As you can see, when we use SEH in a function, the SEH handler's address (_except_handler4) is pushed onto the stack in the prologue, together with the previous fs:[0] value, and fs:[0] is then pointed at this new record.

" mov eax, dword ptr fs:[0] "

As far as I know, fs:[0] points to the TIB (Win32 Thread Information Block), and it is set up when we use SEH.

Maybe later on we can make good use of that, like a signature for locating the TIB.
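As an added example (not code from the original post), here is a small Python scanner that recognizes the frame-setup signature in x32dbg-style listings like the ones above: the handler push right before `mov eax,dword ptr fs:[0]`, followed within a few instructions by the `mov dword ptr fs:[0],eax` that links the new record in. The listing samples are copied from this page; the function names are my own.

```python
import re
# Constructed samples: the two listings from this page (SEH prologue only, and the no-SEH function).
WITH_SEH = """\
01311000 | push ebp
01311001 | mov ebp,esp
01311003 | push FFFFFFFE
01311005 | push study_2016_11_12.1312538
0131100A | push <study_2016_11_12._except_handler4>
0131100F | mov eax,dword ptr fs:[0]
01311015 | push eax
01311016 | sub esp,8
01311019 | push ebx
0131101A | push esi
0131101B | push edi
0131101C | mov eax,dword ptr ds:[<__security_cookie>]
01311021 | xor dword ptr ss:[ebp-8],eax
01311024 | xor eax,ebp
01311026 | push eax
01311027 | lea eax,dword ptr ss:[ebp-10]
0131102A | mov dword ptr fs:[0],eax
"""
NO_SEH = """\
013B1000 | mov ecx,dword ptr ds:[<&class std::basic_ostream<char,struct std::
013B1006 | call <study_2016_11_12.std::operator<<<std::char_traits<char> >>
013B100B | call dword ptr ds:[<&getchar>]
013B1011 | xor eax,eax
013B1013 | ret
"""
READ_FS0 = re.compile(r"^mov eax,dword ptr fs:\[0\]$")    # save old head of SEH chain
WRITE_FS0 = re.compile(r"^mov dword ptr fs:\[0\],eax$")   # install new registration record

def parse(listing):
    """Split 'ADDR | mnemonic operands' lines into (addr, text) pairs."""
    return [tuple(p.strip() for p in ln.split("|", 1)) for ln in listing.strip().splitlines() if "|" in ln]

def find_seh_frame_setup(listing, window=16):
    """Match the MSVC SEH prologue: push <handler>; mov eax,fs:[0]; ...; mov fs:[0],eax.
    Returns the handler symbol and the addresses of the fs:[0] read/write, or None."""
    insns = parse(listing)
    for i, (addr, text) in enumerate(insns):
        if not READ_FS0.match(text) or i == 0 or not insns[i - 1][1].startswith("push "):
            continue
        handler = insns[i - 1][1][5:].strip("<>")   # operand of the push just before the fs:[0] read
        for waddr, wtext in insns[i + 1:i + 1 + window]:
            if WRITE_FS0.match(wtext):
                return {"handler": handler, "read_fs0": addr, "write_fs0": waddr}
    return None
```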

Wednesday, November 2, 2016

Simple description of the x64dbg build

1. Get the x64dbg project from GitHub.
  - https://github.com/x64dbg/x64dbg

2. Download Visual Studio 2013.
  - https://www.visualstudio.com/downloads/#d-community
  - P.S. I tried to use VS2015 but failed: I got a GUI module object symbol crash.

3. Download Qt.
  - https://www.qt.io/download-open-source/
  - x86 = http://download.qt.io/official_releases/qt/5.6/5.6.0/qt-opensource-windows-x86-msvc2013-5.6.0.exe
  - x64 = http://download.qt.io/official_releases/qt/5.6/5.6.0/qt-opensource-windows-x86-msvc2013_64-5.6.0.exe

4. Download the capstone_wrapper project from x64dbg.
  - https://github.com/x64dbg/capstone_wrapper
  - Put it in x64dbg/src/

5. Build x64dbg.sln, the whole solution  <-- this will be the engine

6. Build x64dbg/src/gui/x64dbg.pro with Qt  <-- this will be the debugger's GUI
  - You might need to set this environment variable:
  - VSVARSALLPATH=C:\Program Files (x86)\Microsoft Visual Studio 12.0\VC\vcvarsall.bat

7. Get a snapshot.
  - https://sourceforge.net/projects/x64dbg/files/snapshots/
  - Unzip it.
  - In the unzipped release, copy all the files in release/x64 or release/x86.
  - Paste them into x64dbg/bin/x64 or x64dbg/bin/x32, replacing the files that we built.

8. Run x64dbg.exe. Done!!

P.S. I've tried other versions of Visual Studio and Qt, but it only works with these exact versions.