You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
343 lines
10 KiB
343 lines
10 KiB
;***
|
|
;exsup3.asm
|
|
;
|
|
; Copyright (c) 1994-2001, Microsoft Corporation. All rights reserved.
|
|
;
|
|
;Purpose:
|
|
; Exception handling for i386. This is just the C9.0 version of
|
|
; the language-specific exception handler. The C8.0 version is
|
|
; found in exsup2.asm, and the routines common to both C8 and C9
|
|
; are found in exsup.asm.
|
|
;
|
|
;Notes:
|
|
;
|
|
;Revision History:
|
|
; 01-10-94 PML Create VC/C++ 2.0 (C9.0) version from C8.0 original
|
|
; 01-11-95 SKS Remove MASM 5.X support
|
|
; 04-18-95 JWM Added NLG support
|
|
; 06-07-95 JWM __SetNLGCode() used, for multithread safety.
|
|
; 06-20-95 JWM __SetNLGCode() removed, code passed on stack (11803).
|
|
; 03-09-01 PML Add FPO directives for proper callstacks (vs7#221754)
|
|
; 03-13-02 PML Add anti-hacker security measures
|
|
;
|
|
;*******************************************************************************
|
|
|
|
;hnt = -D_WIN32 -Dsmall32 -Dflat32 -Mx $this;
|
|
|
|
;Define small32 and flat32 since these are not defined in the NT build process
|
|
small32 equ 1
|
|
flat32 equ 1
|
|
|
|
.xlist
|
|
include pversion.inc
|
|
?DFDATA = 1
|
|
?NODATA = 1
|
|
include cmacros.inc
|
|
include exsup.inc
|
|
.list
|
|
|
|
;REVIEW: can we get rid of _global_unwind2, and just use
|
|
; the C runtimes version, _global_unwind?
|
|
|
|
extrn __global_unwind2:near
|
|
extrn __local_unwind2:near
|
|
extrn __NLG_Notify:near
|
|
ifndef _NTSUBSET_
|
|
extrn __ValidateEH3RN:near
|
|
endif
|
|
|
|
;typedef struct _EXCEPTION_REGISTRATION PEXCEPTION_REGISTRATION;
|
|
;struct _EXCEPTION_REGISTRATION{
|
|
;/* _esp, xpointers at negative offset */
|
|
; int _esp;
|
|
; PEXCEPTION_POINTERS xpointers;
|
|
; struct _EXCEPTION_REGISTRATION *prev;
|
|
; void (*handler)(PEXCEPTION_RECORD, PEXCEPTION_REGISTRATION, PCONTEXT, PEXCEPTION_RECORD);
|
|
; struct scopetable_entry *scopetable;
|
|
; int trylevel;
|
|
;};
|
|
;private (at negative offsets from node ptr)
|
|
_esp = -8
|
|
xpointers = -4
|
|
_C9_EXCEPTION_REGISTRATION struc ; C9.0 version
|
|
;public:
|
|
er_prev dd ? ; prev (common)
|
|
er_handler dd ? ; handler (common)
|
|
;private:
|
|
scopetable dd ?
|
|
trylevel dd ?
|
|
_C9_EXCEPTION_REGISTRATION ends
|
|
FRAME_EBP_OFFSET equ 16
|
|
|
|
;#define EXCEPTION_MAXIMUM_PARAMETERS 4
|
|
;typedef struct _EXCEPTION_RECORD EXCEPTION_RECORD;
|
|
;typedef EXCEPTION_RECORD *PEXCEPTION_RECORD;
|
|
;struct _EXCEPTION_RECORD{
|
|
; NTSTATUS ExceptionCode;
|
|
; ULONG ExceptionFlags;
|
|
; struct _EXCEPTION_RECORD *ExceptionRecord;
|
|
; PVOID ExceptionAddress;
|
|
; ULONG NumberParameters;
|
|
; ULONG ExceptionInformation[EXCEPTION_MAXIMUM_PARAMETERS];
|
|
;};
|
|
_EXCEPTION_RECORD struc
|
|
exception_number dd ?
|
|
exception_flags dd ?
|
|
exception_record dd ?
|
|
exception_address dd ?
|
|
number_parameters dd ?
|
|
exception_information dd 4 dup(?)
|
|
_EXCEPTION_RECORD ends
|
|
SIZEOF_EXCEPTION_RECORD equ 36
|
|
|
|
;/* following is the structure returned by the _exception_info() intrinsic. */
|
|
;typedef struct _EXCEPTION_POINTERS EXCEPTION_POINTERS;
|
|
;typedef struct EXCEPTION_POINTERS *PEXCEPTION_POINTERS;
|
|
;struct _EXCEPTION_POINTERS{
|
|
; PEXCEPTION_RECORD ExceptionRecord;
|
|
; PCONTEXT Context;
|
|
;};
|
|
_EXCEPTION_POINTERS struc
|
|
ep_xrecord dd ?
|
|
ep_context dd ?
|
|
_EXCEPTION_POINTERS ends
|
|
SIZEOF_EXCEPTION_POINTERS equ 8
|
|
|
|
extern __NLG_Destination:_NLG_INFO
|
|
|
|
assumes DS,DATA
|
|
assumes FS,DATA
|
|
|
|
__except_list equ 0
|
|
|
|
;struct _SCOPETABLE_ENTRY{
|
|
; int enclosing_level; /* lexical level of enclosing scope */
|
|
; int (*filter)(PEXCEPTION_RECORD); /* NULL for a termination handler */
|
|
; void (*specific_handler)(void); /* xcpt or termination handler */
|
|
;};
|
|
;struct _SCOPETABLE_ENTRY Scopetable[NUMTRYS];
|
|
_SCOPETABLE_ENTRY struc
|
|
enclosing_level dd ?
|
|
filter dd ?
|
|
specific_handler dd ?
|
|
_SCOPETABLE_ENTRY ends
|
|
|
|
BeginCODE
|
|
|
|
;EXTERN C __SetNLGCode:near
|
|
|
|
;/* _EXCEPT_HANDLER3 - Try to find an exception handler listed in the scope
|
|
; * table associated with the given registration record, that wants to accept
|
|
; * the current exception. If we find one, run it (and never return).
|
|
; * RETURNS: (*if* it returns)
|
|
; * DISPOSITION_DISMISS - dismiss the exception.
|
|
; * DISPOSITION_CONTINUE_SEARCH - pass the exception up to enclosing handlers
|
|
; */
|
|
;int _except_handler3(
|
|
; PEXCEPTION_RECORD exception_record,
|
|
; PEXCEPTION_REGISTRATION registration,
|
|
; PCONTEXT context,
|
|
; PEXCEPTION_REGISTRATION dispatcher)
|
|
;{
|
|
; int ix, filter_result;
|
|
;
|
|
; for(ix=registration->trylevel; ix!=-1; ix=registration->xscope[ix].enclosing_level){
|
|
; /* if filter==NULL, then this is an entry for a termination handler */
|
|
; if(registration->xscope[ix].filter){
|
|
; /* NB: call to the filter may trash the callee save
|
|
; registers. (this is *not* a standard cdecl function) */
|
|
; filter_result=(*registration->xscope[ix].filter)(xinfo);
|
|
; if(filter_result==FILTER_DISMISS)
|
|
; return(-1); /* dismiss */
|
|
; if(filter_result==FILTER_ACCEPT){
|
|
; _global_unwind2(registration);
|
|
; _local_unwind2(registration, ix);
|
|
; (*registration->xscope[ix].specific_handler)(void);
|
|
; assert(UNREACHED); /*should never return from handler*/
|
|
; }
|
|
; assert(filter_result==FILTER_CONTINUE_SEARCH);
|
|
; }
|
|
; }
|
|
; return(0); /* didnt find one */
|
|
;}
|
|
db 'VC20' ;; VC/C++ 2.0/32-bit (C9.0) version
|
|
db 'XC00' ;; so debugger can recognize this proc (cuda:3936)
|
|
|
|
xrecord equ [ebp+8]
|
|
registration equ [ebp+12]
|
|
context equ [ebp+16]
|
|
dispatcher equ [ebp+20]
|
|
|
|
xp equ [ebp-8]
|
|
|
|
_except_handler3 proc C
|
|
; FPO = 0 dwords locals allocated in prolog
|
|
; 3 dword parameters
|
|
; 10 bytes in prolog
|
|
; 7 registers saved (includes locals to work around debugger bug)
|
|
; 1 EBP is used
|
|
; 0 frame type = FPO
|
|
.FPO (0,3,10,7,1,0)
|
|
push ebp
|
|
mov ebp, esp
|
|
sub esp, 8
|
|
push ebx
|
|
push esi
|
|
push edi
|
|
push ebp
|
|
|
|
;4*4b for callee saves + 4b return address + 4b param = 24
|
|
|
|
;DF in indeterminate state at time of exception, so clear it
|
|
cld
|
|
|
|
mov ebx, registration ;ebx= PEXCEPTION_REGISTRATION
|
|
mov eax, xrecord
|
|
|
|
test [eax.exception_flags], EXCEPTION_UNWIND_CONTEXT
|
|
jnz _lh_unwinding
|
|
|
|
;build the EXCEPTION_POINTERS locally store its address in the
|
|
; registration record. this is the pointer that is returned by
|
|
; the _exception_info intrinsic.
|
|
mov xp.ep_xrecord, eax
|
|
mov eax, context
|
|
mov xp.ep_context, eax
|
|
lea eax, xp
|
|
mov [ebx.xpointers], eax
|
|
|
|
mov esi, [ebx.trylevel] ;esi= try level
|
|
mov edi, [ebx.scopetable] ;edi= scope table base
|
|
|
|
ifdef _NTSUBSET_
|
|
mov eax, 1
|
|
else
|
|
push ebx ;validate scopetable against
|
|
call __ValidateEH3RN ;* hacker attacks
|
|
add esp, 4
|
|
endif
|
|
or eax, eax
|
|
jz short _lh_abort
|
|
|
|
_lh_top:
|
|
cmp esi, -1
|
|
je short _lh_bagit
|
|
lea ecx, [esi+esi*2] ;ecx= trylevel*3
|
|
mov eax, [(edi+ecx*4).filter]
|
|
or eax, eax
|
|
je short _lh_continue ;term handler, so keep looking
|
|
|
|
;clear *all* registers before call, so save ebp and scopetable offset
|
|
push esi
|
|
push ebp
|
|
|
|
lea ebp, FRAME_EBP_OFFSET[ebx] ;target frame pointer
|
|
xor ebx, ebx ;clear registers to prevent
|
|
xor ecx, ecx ;* bleed-through of exploitable
|
|
xor edx, edx ;* data
|
|
xor esi, esi
|
|
xor edi, edi
|
|
|
|
call eax ;call the filter
|
|
|
|
pop ebp
|
|
pop esi
|
|
mov ebx, registration
|
|
|
|
; Accept <0, 0, >0 instead of just -1, 0, +1
|
|
or eax, eax
|
|
jz short _lh_continue
|
|
js short _lh_dismiss
|
|
;assert(eax==FILTER_ACCEPT)
|
|
|
|
;reload xscope base, cuz it was trashed by the filter call
|
|
mov edi, [ebx.scopetable]
|
|
;load handler address before we loose components of address mode
|
|
push ebx ;registration*
|
|
call __global_unwind2 ;run term handlers
|
|
add esp, 4
|
|
|
|
;setup ebp for the local unwinder and the specific handler
|
|
lea ebp, FRAME_EBP_OFFSET[ebx]
|
|
|
|
;the stop try level == accepting except level
|
|
push esi ;stop try level
|
|
push ebx ;registration*
|
|
call __local_unwind2
|
|
add esp, 8
|
|
lea ecx, [esi+esi*2] ;ecx=trylevel*3
|
|
|
|
push 01h
|
|
mov eax, [(edi+ecx*4).specific_handler]
|
|
call __NLG_Notify
|
|
|
|
; set the current trylevel to our enclosing level immediately
|
|
; before giving control to the handler. it is the enclosing
|
|
; level, if any, that guards the handler.
|
|
mov eax, [(edi+ecx*4).enclosing_level]
|
|
mov [ebx.trylevel], eax
|
|
mov eax, [(edi+ecx*4).specific_handler]
|
|
xor ebx, ebx ;clear registers to prevent
|
|
xor ecx, ecx ;* bleed-through of exploitable
|
|
xor edx, edx ;* data
|
|
xor esi, esi
|
|
xor edi, edi
|
|
call eax ;call the except handler
|
|
;assert(0) ;(NB! should not return)
|
|
|
|
_lh_continue:
|
|
;reload the scope table base, possibly trashed by call to filter
|
|
mov edi, [ebx.scopetable]
|
|
lea ecx, [esi+esi*2]
|
|
mov esi, [edi+ecx*4+0] ;load the enclosing trylevel
|
|
jmp short _lh_top
|
|
|
|
_lh_dismiss:
|
|
mov eax, DISPOSITION_DISMISS ;dismiss the exception
|
|
jmp short _lh_return
|
|
|
|
_lh_abort:
|
|
mov eax, xrecord ;invalid scopetable, return
|
|
or [eax.exception_flags], EXCEPTION_STACK_INVALID
|
|
_lh_bagit:
|
|
mov eax, DISPOSITION_CONTINUE_SEARCH
|
|
jmp short _lh_return
|
|
|
|
_lh_unwinding:
|
|
push ebp
|
|
lea ebp, FRAME_EBP_OFFSET[ebx]
|
|
push -1
|
|
push ebx
|
|
call __local_unwind2
|
|
add esp, 8
|
|
pop ebp
|
|
;the return value is not really relevent in an unwind context
|
|
mov eax, DISPOSITION_CONTINUE_SEARCH
|
|
|
|
_lh_return:
|
|
pop ebp
|
|
pop edi
|
|
pop esi
|
|
pop ebx
|
|
mov esp,ebp
|
|
pop ebp
|
|
ret
|
|
_except_handler3 endp
|
|
|
|
public __seh_longjmp_unwind@4
|
|
__seh_longjmp_unwind@4 proc near
|
|
push ebp
|
|
mov ecx, 8[esp]
|
|
mov ebp, [ecx.saved_ebp]
|
|
mov eax, [ecx.saved_trylevel]
|
|
push eax
|
|
mov eax, [ecx.saved_xregistration]
|
|
push eax
|
|
call __local_unwind2
|
|
add esp, 8
|
|
pop ebp
|
|
ret 4
|
|
__seh_longjmp_unwind@4 endp
|
|
|
|
EndCODE
|
|
END
|