逆向分析MSVCR90D.dll!_except_handler4_common函数

最新推荐文章于 2022-01-13 20:51:15 发布

原创

最新推荐文章于 2022-01-13 20:51:15 发布 · 5.2k 阅读

3 ·

CC 4.0 BY-SA版权

文章标签：

#exception #struct #image #pointers #header #security

本文详细分析了MSVCR90D.dll中的_except_handler4_common函数，该函数处理通过_except_handler4转发的异常。内容包括函数参数、局部变量、执行流程及关键步骤，如验证安全码、获取和处理异常记录等。通过对代码的反汇编，揭示了其与_except_handler3在异常帧处理上的不同，特别是加密的scopetable结构和解密方法。

摘要生成于 C知道，由 DeepSeek-R1 满血版支持，前往体验 >

引言：_except_handler4_common执行_except_handler4转发而来的异常处理。

102DCA80 _EXCEPTION_DISPOSITION __cdecl _except_handler4_common( 102DCA80 unsigned int *CookiePointer, 102DCA80 void (__fastcall *CookieCheckFunction)(unsigned int), 102DCA80 _EXCEPTION_RECORD *ExceptionRecord, 102DCA80 _EXCEPTION_REGISTRATION_RECORD *EstablisherFrame, 102DCA80 _CONTEXT *ContextRecord, 102DCA80 void *DispatcherContext 102DCA80 ) 102DCA80 102DCA80 __except_handler4_common proc near ; CODE XREF: __except_handler4+1Fp 102DCA80 ; DATA XREF: .text:off_10308788o 102DCA80 102DCA80 FilterFunc = dword ptr -30h 102DCA80 ScopeTable = dword ptr -2Ch 102DCA80 TryLevel = dword ptr -28h 102DCA80 Revalidate = byte ptr -21h 102DCA80 RegistrationNode= dword ptr -20h 102DCA80 ScopeTableRecord= dword ptr -1Ch 102DCA80 FramePointer = dword ptr -18h 102DCA80 EnclosingLevel = dword ptr -14h 102DCA80 FilterResult = dword ptr -10h 102DCA80 Disposition = dword ptr -0Ch 102DCA80 ExceptionPointers= _EXCEPTION_POINTERS ptr -8 102DCA80 CookiePointer = dword ptr 8 102DCA80 CookieCheckFunction= dword ptr 0Ch 102DCA80 ExceptionRecord = dword ptr 10h 102DCA80 EstablisherFrame= dword ptr 14h 102DCA80 ContextRecord = dword ptr 18h 102DCA80 DispatcherContext= dword ptr 1Ch 102DCA80 102DCA80 mov edi, edi 102DCA82 push ebp 102DCA83 mov ebp, esp 102DCA85 sub esp, 30h 102DCA88 mov [ebp+Revalidate], 0 102DCA8C mov [ebp+Disposition], 1 ; 初始化返回值:ExceptionContinueSearch 102DCA93 mov eax, [ebp+EstablisherFrame] 102DCA96 sub eax, 8 ;[ebp-18]:ESP <---- 让eax指向这里 102DCA96 ;[ebp-14]:PEXCEPTION_POINTERS xpointers; 102DCA96 ; struct _EXCEPTION_REGISTRATION{ 102DCA96 ;[ebp-10]:struct _EXCEPTION_REGISTRATION *prev; 102DCA96 ;[ebp-0C]:void (*handler)(PEXCEPTION_RECORD,PEXCEPTION_REGISTRATION,PCONTEXT,PEXCEPTION_RECORD); 102DCA96 ;[ebp-08]:struct scopetable_entry *scopetable; 102DCA96 ;[ebp-04]:int trylevel; 102DCA96 ;[ebp-00]:int _ebp; 102DCA96 ; }; 102DCA99 mov [ebp+RegistrationNode], eax 102DCA9C mov ecx, [ebp+RegistrationNode] 102DCA9F add ecx, 18h 102DCAA2 mov [ebp+FramePointer], ecx ; 保存_ebp 102DCAA5 mov edx, [ebp+RegistrationNode] 102DCAA8 mov eax, [ebp+CookiePointer] 102DCAAB mov ecx, [edx+10h] ; 获取scopetable 102DCAAE xor ecx, [eax] ; 修复scopetable,scopetable ^=___security_cookie; 102DCAB0 mov [ebp+ScopeTable], ecx 102DCAB3 mov edx, [ebp+FramePointer] 102DCAB6 push edx ; FramePointer 102DCAB7 mov eax, [ebp+ScopeTable] 102DCABA push eax ; ScopeTable 102DCABB mov ecx, [ebp+CookieCheckFunction] 102DCABE push ecx ; CookieCheckFunction 102DCABF call ValidateLocalCookies ; 验证安全码:GSCookie和EHCookie 102DCAC4 add esp, 0Ch 102DCAC7 mov edx, [ebp+ExceptionRecord] 102DCACA mov eax, [edx+4] ; eax=ExceptionRecord->ExceptionFlags 102DCACD and eax, 66h ; 66h的作用? 6 = EXCEPTION_UNWIND_CONTEXT 102DCAD0 jnz loc_102DCBF6 ; 不等于0,跳走执行局部展开并退出 102DCAD6 mov ecx, [ebp+ExceptionRecord] 102DCAD9 mov [ebp+ExceptionPointers.ExceptionRecord], ecx 102DCADC mov edx, [ebp+ContextRecord] 102DCADF mov [ebp+ExceptionPointers.ContextRecord], edx 102DCAE2 mov eax, [ebp+RegistrationNode] 102DCAE5 lea ecx, [ebp+ExceptionPointers] 102DCAE8 mov [eax+4], ecx ; RegistrationNode->ExceptionPointers=ExceptionPointers 102DCAEB mov edx, [ebp+RegistrationNode] 102DCAEE mov eax, [edx+14h] 102DCAF1 mov [ebp+TryLevel], eax ; 获取当前__try的位置，TryLevel=RegistrationNode->TryLevel 102DCAF4 jmp short loc_102DCAFC ; 开始循环执行,查找过滤表达式等于.. 102DCAF6 ; --------------------------------------------------------------------------- 102DCAF6 102DCAF6 loc_102DCAF6: ; CODE XREF: __except_handler4_common:loc_102DCBEFj 102DCAF6 mov ecx, [ebp+EnclosingLevel] 102DCAF9 mov [ebp+TryLevel], ecx 102DCAFC 102DCAFC loc_102DCAFC: ; CODE XREF: __except_handler4_common+74j 102DCAFC cmp [ebp+TryLevel], 0FFFFFFFEh ; if(TryLevel==0xFFFFFFFE) goto loc_102DCBF4 102DCB00 jz loc_102DCBF4 ; 当前异常帧中所有嵌套的__try语句遍历完毕,跳走! 102DCB00 ; 注：一个函数仅有一个异常帧,即便有多个__try语句(包括嵌套)也只产生一个异常帧 102DCB06 mov edx, [ebp+TryLevel] 102DCB09 imul edx, 0Ch ; edx=sizeof(_EH4_SCOPETABLE_RECORD)*TryLevel 102DCB0C mov eax, [ebp+ScopeTable] 102DCB0F lea ecx, [eax+edx+10h] 102DCB13 mov [ebp+ScopeTableRecord], ecx ; 获取当前__try的结构,ScopeTableRecord=ScopeTable->ScopeRecord[TryLevel] 102DCB16 mov edx, [ebp+ScopeTableRecord] 102DCB19 mov eax, [edx+4] 102DCB1C mov [ebp+FilterFunc], eax ; 获取当前__try的过滤表达式,FilterFunc=ScopeTableRecord->FilterFunc 102DCB1F mov ecx, [ebp+ScopeTableRecord] 102DCB22 mov edx, [ecx] 102DCB24 mov [ebp+EnclosingLevel], edx ; 获取上一层__try的位置:EnclosingLevel=ScopeTableRecord->EnclosingLevel 102DCB27 cmp [ebp+FilterFunc], 0 102DCB2B jz loc_102DCBEF ; 若当前__try的过滤表达式不存在,则向上一层__try搜索 102DCB31 mov edx, [ebp+FramePointer] ; 传入过滤表达式所在的ebp 102DCB34 mov ecx, [ebp+FilterFunc] ; 传入过滤表达式所在的地址 102DCB37 call @_EH4_CallFilterFunc@8 ; 调用__try/__except的过滤表达式 102DCB3C mov [ebp+FilterResult], eax 102DCB3F mov [ebp+Revalidate], 1 102DCB43 cmp [ebp+FilterResult], 0 ; 检查过滤表达式的返回值(excpt.h) 102DCB47 jge short loc_102DCB5A ; if(FilterResult >= EXCEPTION_CONTINUE_SEARCH) goto loc_102DCB5A 102DCB49 mov [ebp+Disposition], 0 102DCB50 jmp loc_102DCBF4 ; 若过滤表达式返回EXCEPTION_CONTINUE_EXECUTION 102DCB50 ; return ExceptionContinueExecution; 102DCB55 ; --------------------------------------------------------------------------- 102DCB55 jmp loc_102DCBEF 102DCB5A ; --------------------------------------------------------------------------- 102DCB5A 102DCB5A loc_102DCB5A: