1
0
Fork 0

DBG: Implement most functions for exception handlers (SEH missing)

This commit is contained in:
Nukem 2016-01-24 18:38:46 -05:00
parent 92ae0058c6
commit dd7e3cfa85
5 changed files with 214 additions and 0 deletions

167
src/dbg/exhandlerinfo.cpp Normal file
View File

@ -0,0 +1,167 @@
/**
@file exhandlerinfo.cpp
@brief ???
*/
#include "exhandlerinfo.h"
#include "memory.h"
#include "disasm_helper.h"
#include "disasm_fast.h"
#include "_exports.h"
#include "module.h"
#include "thread.h"
bool ExHandlerGetInfo(EX_HANDLER_TYPE Type, EX_HANDLER_INFO* Info)
{
bool ret = false;
std::vector<duint> handlerEntries;
switch(Type)
{
case EX_HANDLER_SEH:
ret = ExHandlerGetSEH(handlerEntries);
break;
case EX_HANDLER_VEH:
ret = ExHandlerGetVEH(handlerEntries);
break;
case EX_HANDLER_VCH:
ret = ExHandlerGetVCH(handlerEntries);
break;
case EX_HANDLER_UNHANDLED:
ret = ExHandlerGetUnhandled(handlerEntries);
break;
}
// Check if a call failed
if(!ret)
{
Info->count = 0;
Info->addresses = nullptr;
return false;
}
// Convert vector to C-style array
Info->count = (int)handlerEntries.size();
Info->addresses = (duint*)BridgeAlloc(Info->count * sizeof(duint));
memcpy(Info->addresses, handlerEntries.data(), Info->count * sizeof(duint));
return false;
}
bool ExHandlerGetSEH(std::vector<duint> & Entries)
{
// TODO: 32-bit
// TODO: 64-bit
return false;
}
bool ExHandlerGetVEH(std::vector<duint> & Entries)
{
// Try the address for Windows XP first (or older)
//
// VECTORED_EXCEPTION_NODE RtlpCalloutEntryList;
static duint addr_RtlpCalloutEntryList = 0;
if(addr_RtlpCalloutEntryList || valfromstring("ntdll:RtlpCalloutEntryList", &addr_RtlpCalloutEntryList))
{
// Read header node
VECTORED_EXCEPTION_NODE node;
memset(&node, 0, sizeof(VECTORED_EXCEPTION_NODE));
if(!MemRead(addr_RtlpCalloutEntryList, &node, sizeof(VECTORED_EXCEPTION_NODE)))
return false;
// Move to the next link
duint listCurrent = (duint)node.ListEntry.Flink;
duint listEnd = addr_RtlpCalloutEntryList;
while(listCurrent && listCurrent != listEnd)
{
duint handler = (duint)node.handler;
MemDecodePointer(&handler);
Entries.push_back(handler);
// Move to next element
memset(&node, 0, sizeof(VECTORED_EXCEPTION_NODE));
if(!MemRead(listCurrent, &node, sizeof(VECTORED_EXCEPTION_NODE)))
break;
listCurrent = (duint)node.ListEntry.Flink;
}
}
// Otherwise try the Windows Vista or newer version
return ExHandlerGetVCH(Entries, true);
}
bool ExHandlerGetVCH(std::vector<duint> & Entries, bool UseVEH)
{
// VECTORED_HANDLER_LIST LdrpVectorHandlerList[2];
static duint addr_LdrpVectorHandlerList = 0;
if(!addr_LdrpVectorHandlerList && !valfromstring("ntdll:LdrpVectorHandlerList", &addr_LdrpVectorHandlerList))
return false;
// Increase array index when using continue handlers
if(!UseVEH)
addr_LdrpVectorHandlerList += (1 * sizeof(VECTORED_HANDLER_LIST));
// Read head entry
VECTORED_HANDLER_LIST list;
memset(&list, 0, sizeof(VECTORED_HANDLER_LIST));
if(!MemRead(addr_LdrpVectorHandlerList, &list, sizeof(VECTORED_HANDLER_LIST)))
return false;
// Sub-entries in list
duint listCurrent = (duint)list.Next;
duint listEnd = addr_LdrpVectorHandlerList;
while(listCurrent && listCurrent != listEnd)
{
duint handler = (duint)list.VectoredHandler;
MemDecodePointer(&handler);
Entries.push_back(handler);
// Move to next element
memset(&list, 0, sizeof(VECTORED_HANDLER_LIST));
if(!MemRead(listCurrent, &list, sizeof(VECTORED_HANDLER_LIST)))
break;
listCurrent = (duint)list.Next;
}
return true;
}
bool ExHandlerGetUnhandled(std::vector<duint> & Entries)
{
// Try the address for Windows Vista+
static duint addr_BasepCurrentTopLevelFilter = 0;
if(addr_BasepCurrentTopLevelFilter || valfromstring("kernelbase:BasepCurrentTopLevelFilter", &addr_BasepCurrentTopLevelFilter))
{
// Read external pointer
duint handlerValue = 0;
if(!MemRead(addr_BasepCurrentTopLevelFilter, &handlerValue, sizeof(duint)))
return false;
// Decode with remote process cookie
if(!MemDecodePointer(&handlerValue))
return false;
Entries.push_back(handlerValue);
return true;
}
return false;
}

26
src/dbg/exhandlerinfo.h Normal file
View File

@ -0,0 +1,26 @@
#ifndef _EXHANDLERINFO_H
#define _EXHANDLERINFO_H
#include "_global.h"
enum EX_HANDLER_TYPE
{
EX_HANDLER_SEH, // Structured
EX_HANDLER_VEH, // Vectored
EX_HANDLER_VCH, // Vectored continue
EX_HANDLER_UNHANDLED, // Unhandled
};
struct EX_HANDLER_INFO
{
int count;
duint* addresses;
};
bool ExHandlerGetInfo(EX_HANDLER_TYPE Type, EX_HANDLER_INFO* Info);
bool ExHandlerGetSEH(std::vector<duint> & Entries);
bool ExHandlerGetVEH(std::vector<duint> & Entries);
bool ExHandlerGetVCH(std::vector<duint> & Entries, bool UseVEH);
bool ExHandlerGetUnhandled(std::vector<duint> & Entries);
#endif //_EXHANDLERINFO_H

View File

@ -215,5 +215,18 @@ typedef struct _TEB
PVOID StackReserved; PVOID StackReserved;
} TEB, *PTEB; } TEB, *PTEB;
typedef struct _VECTORED_EXCEPTION_NODE
{
LIST_ENTRY ListEntry;
PVECTORED_EXCEPTION_HANDLER handler;
} VECTORED_EXCEPTION_NODE, *PVECTORED_EXCEPTION_NODE;
typedef struct _LdrpVectorHandlerList
{
struct _LdrpVectorHandlerList* Prev;
struct _LdrpVectorHandlerList* Next;
DWORD Depth;
PVECTORED_EXCEPTION_HANDLER VectoredHandler;
} VECTORED_HANDLER_LIST, *PVECTORED_HANDLER_LIST;
#endif /* _UNDOCUMENTED_H */ #endif /* _UNDOCUMENTED_H */

View File

@ -42,6 +42,7 @@
<ClCompile Include="error.cpp" /> <ClCompile Include="error.cpp" />
<ClCompile Include="exception.cpp" /> <ClCompile Include="exception.cpp" />
<ClCompile Include="exceptiondirectoryanalysis.cpp" /> <ClCompile Include="exceptiondirectoryanalysis.cpp" />
<ClCompile Include="exhandlerinfo.cpp" />
<ClCompile Include="expressionparser.cpp" /> <ClCompile Include="expressionparser.cpp" />
<ClCompile Include="filehelper.cpp" /> <ClCompile Include="filehelper.cpp" />
<ClCompile Include="function.cpp" /> <ClCompile Include="function.cpp" />
@ -119,6 +120,7 @@
<ClInclude Include="error.h" /> <ClInclude Include="error.h" />
<ClInclude Include="exception.h" /> <ClInclude Include="exception.h" />
<ClInclude Include="exceptiondirectoryanalysis.h" /> <ClInclude Include="exceptiondirectoryanalysis.h" />
<ClInclude Include="exhandlerinfo.h" />
<ClInclude Include="expressionparser.h" /> <ClInclude Include="expressionparser.h" />
<ClInclude Include="filehelper.h" /> <ClInclude Include="filehelper.h" />
<ClInclude Include="function.h" /> <ClInclude Include="function.h" />

View File

@ -293,6 +293,9 @@
<ClCompile Include="_scriptapi_symbol.cpp"> <ClCompile Include="_scriptapi_symbol.cpp">
<Filter>Source Files\Interfaces/Exports\_scriptapi</Filter> <Filter>Source Files\Interfaces/Exports\_scriptapi</Filter>
</ClCompile> </ClCompile>
<ClCompile Include="exhandlerinfo.cpp">
<Filter>Source Files\Information</Filter>
</ClCompile>
</ItemGroup> </ItemGroup>
<ItemGroup> <ItemGroup>
<ClInclude Include="x64_dbg.h"> <ClInclude Include="x64_dbg.h">
@ -646,5 +649,8 @@
<ClInclude Include="_scriptapi_symbol.h"> <ClInclude Include="_scriptapi_symbol.h">
<Filter>Header Files\Interfaces/Exports\_scriptapi</Filter> <Filter>Header Files\Interfaces/Exports\_scriptapi</Filter>
</ClInclude> </ClInclude>
<ClInclude Include="exhandlerinfo.h">
<Filter>Header Files\Information</Filter>
</ClInclude>
</ItemGroup> </ItemGroup>
</Project> </Project>