
DBG: better behaviour for "exhandlers" on XP

mrexodia 2017-08-25 13:02:37 +02:00
parent 5d94936237
commit 010a3bbf7e
No known key found for this signature in database
GPG Key ID: FC89E0AAA0C1AAD8
4 changed files with 28 additions and 15 deletions


@ -380,15 +380,20 @@ bool cbInstrExhandlers(int argc, char* argv[])
else
dputs(QT_TRANSLATE_NOOP("DBG", "Failed to get VEH (loaded symbols for ntdll.dll?)"));
if(ExHandlerGetInfo(EX_HANDLER_VCH, entries))
printExhandlers("VectoredContinueHandler (VCH)", entries);
else
dputs(QT_TRANSLATE_NOOP("DBG", "Failed to get VCH (loaded symbols for ntdll.dll?)"));
if(IsVistaOrLater())
{
if(ExHandlerGetInfo(EX_HANDLER_VCH, entries))
printExhandlers("VectoredContinueHandler (VCH)", entries);
else
dputs(QT_TRANSLATE_NOOP("DBG", "Failed to get VCH (loaded symbols for ntdll.dll?)"));
}
if(ExHandlerGetInfo(EX_HANDLER_UNHANDLED, entries))
printExhandlers("UnhandledExceptionFilter", entries);
else
else if(IsVistaOrLater())
dputs(QT_TRANSLATE_NOOP("DBG", "Failed to get UnhandledExceptionFilter (loaded symbols for kernelbase.dll?)"));
else
dputs(QT_TRANSLATE_NOOP("DBG", "Failed to get UnhandledExceptionFilter (loaded symbols for kernel32.dll?)"));
return true;
}
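Review bot: On a pre-Vista system the VCH query is now skipped without any log line, so someone reading the `exhandlers` output cannot tell that vectored continue handlers were left out on purpose rather than found empty. An `else` on the `if(IsVistaOrLater())` block that reports the skip would keep the listing self-explanatory, for example `else dputs(QT_TRANSLATE_NOOP("DBG", "VCH is not available on this Windows version"));` (the wording is only a suggestion). cbInstrExhandlers starts above this hunk, so the SEH and VEH handling is not visible here.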


@ -10,6 +10,17 @@
#include "value.h"
#include "debugger.h"
bool IsVistaOrLater()
{
static bool vistaOrLater = []()
{
OSVERSIONINFOEXW osvi = { 0 };
osvi.dwOSVersionInfoSize = sizeof(osvi);
return GetVersionExW((LPOSVERSIONINFOW)&osvi) && osvi.dwMajorVersion > 5;
}();
return vistaOrLater;
}
bool ExHandlerGetInfo(EX_HANDLER_TYPE Type, std::vector<duint> & Entries)
{
Entries.clear();
@ -110,7 +121,7 @@ bool ExHandlerGetVEH(std::vector<duint> & Entries)
if(!MemRead(cur_entry, &entry, sizeof(entry)))
return false;
auto handler = entry.VectoredHandler;
MemDecodePointer(&handler, false); //TODO: Windows XP doesn't allow a remote process to query this value
MemDecodePointer(&handler, false);
Entries.push_back(handler);
if(!MemRead(cur_entry, &cur_entry, sizeof(cur_entry)))
return false;
@ -174,14 +185,9 @@ bool ExHandlerGetVCH(std::vector<duint> & Entries, bool GetVEH)
bool ExHandlerGetUnhandled(std::vector<duint> & Entries)
{
// Try the address for Windows Vista+
static duint addr_BasepCurrentTopLevelFilter = 0;
#ifdef _WIN64
auto symbol = "BasepCurrentTopLevelFilter";
#else
auto symbol = "_BasepCurrentTopLevelFilter";
#endif
auto symbol = ArchValue("_BasepCurrentTopLevelFilter", "BasepCurrentTopLevelFilter");
if(addr_BasepCurrentTopLevelFilter || valfromstring(symbol, &addr_BasepCurrentTopLevelFilter))
{
// Read external pointer
@ -191,7 +197,7 @@ bool ExHandlerGetUnhandled(std::vector<duint> & Entries)
return false;
// Decode with remote process cookie
if(!MemDecodePointer(&handlerValue, true))
if(!MemDecodePointer(&handlerValue, IsVistaOrLater()))
return false;
Entries.push_back(handlerValue);
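Review bot: `IsVistaOrLater()` trusts `GetVersionExW`, and it returns false both when the call fails and when the reported major version is 5, so a debugger process running under an XP compatibility shim would be classified as XP. The result is cached for the process lifetime and selects the decode mode in `MemDecodePointer(&handlerValue, IsVistaOrLater())`, so a wrong answer would presumably produce a wrongly decoded unhandled-filter address rather than an error. Consider reading the version through `RtlGetVersion`, which is generally not affected by compatibility shims or manifests, and add a comment above the function stating that the check describes the OS the debugger itself runs on. MemDecodePointer is not part of this diff, so the effect of the flag is inferred from the call sites.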


@ -7,7 +7,7 @@ enum EX_HANDLER_TYPE
{
EX_HANDLER_SEH, // Structured
EX_HANDLER_VEH, // Vectored
EX_HANDLER_VCH, // Vectored continue
EX_HANDLER_VCH, // Vectored continue (Vista+)
EX_HANDLER_UNHANDLED, // Unhandled
};
@ -17,6 +17,7 @@ struct EX_HANDLER_INFO
duint* addresses;
};
bool IsVistaOrLater();
bool ExHandlerGetInfo(EX_HANDLER_TYPE Type, std::vector<duint> & Entries);
bool ExHandlerGetInfo(EX_HANDLER_TYPE Type, EX_HANDLER_INFO* Info);
bool ExHandlerGetSEH(std::vector<duint> & Entries);
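Review bot: `IsVistaOrLater()` is a general OS-version helper, but it is declared in the exception-handler header, and the last file section adds `#include "exhandlerinfo.h"` to the expression functions only to reach it. Declaring it next to `MemDecodePointer`, whose second argument it feeds at both new call sites, would avoid that coupling; where that declaration lives is not visible in this diff. Wherever it ends up, the declaration deserves a one-line comment such as `// True when the debugger host runs Windows Vista or newer (major version > 5); cached after the first call.`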


@ -9,6 +9,7 @@
#include "disasm_helper.h"
#include "function.h"
#include "value.h"
#include "exhandlerinfo.h"
namespace Exprfunc
{
@ -123,7 +124,7 @@ namespace Exprfunc
duint memdecodepointer(duint ptr)
{
auto decoded = ptr;
return MemDecodePointer(&decoded, true) ? decoded : ptr;
return MemDecodePointer(&decoded, IsVistaOrLater()) ? decoded : ptr;
}
duint dislen(duint addr)