[노트] SEH 관련 참조

SEH 설치하는 코드가 어떻게 구성되는지 검색해본 결과를 노트한다.

[ 참고 사이트 ] http://www.rohitab.com/structured-exception-handling-in-assembly-language

SEH Macros

01	@TRY_BEGIN MACRO Handler

02	pushad                          ;;Save Current State

03	mov esi, offset Handler         ;;Address of New Exception Handler

04	push esi                        ;;Save Old Exception Handler

05	push dword ptr fs:[0]           ;;Install New Handler

06	mov dword ptr fs:[0], esp

07

ENDM

08	@TRY_EXCEPT MACRO Handler

09	jmp NoException&;Handler         ;;No Exception Occured, so jump over

10

Handler:

11	mov esp, [esp + 8]              ;;Exception Occured, Get old ESP

12	pop dword ptr fs:[0]            ;;Restore Old Exception Handler

13	add esp, 4                      ;;ESP value before SEH was set

14	popad                           ;;Restore Old State

15

ENDM

16	@TRY_END MACRO Handler

17	jmp ExceptionHandled&;Handler    ;;Exception was handled by @TRY_EXCEPT

18	NoException&;Handler:                ;;No Exception Occured

19	pop dword ptr fs:[0]            ;;Restore Old Exception Handler

20	add esp, 32 + 4                 ;;ESP value before SEH was set. 32 for pushad and ...

21	ExceptionHandled&;Handler:           ;;...4 for push offset Handler. (No Restore State)

22	;;Exception has been handled, or no exception occured

23

ENDM

[ 실제 샘플에서 사용된 방식 ]

009BAB94 >  6A FF              PUSH -1

009BAB96    50                 PUSH EAX

009BAB97    64:A1 00000000     MOV EAX,DWORD PTR FS:[0]

009BAB9D    50                 PUSH EAX                      ; Install New Handler

009BAB9E    8B4424 0C          MOV EAX,DWORD PTR SS:[ESP+C]

009BABA2    64:8925 00000000   MOV DWORD PTR FS:[0],ESP

009BABA9    896C24 0C          MOV DWORD PTR SS:[ESP+C],EBP

009BABAD    8D6C24 0C          LEA EBP,DWORD PTR SS:[ESP+C]

009BABB1    50                 PUSH EAX

009BABB2    C3                 RETN