Using SEH Exceptions to Clear Hardware Breakpoints

xiaoxiao, 2021-04-08

SEH (Structured Exception Handling) is a powerful mechanism the operating system provides to programmers for handling exceptions. You may be familiar with the __try {} __finally {} and __try {} __except {} constructs in Visual C; these are not something inherent to the compiler itself, but essentially just a wrapper around what Windows provides.

The system's processing sequence (by Jeremy Gordon):

1. The system first decides whether the exception should be delivered to an exception handling routine at all. If it decides to deliver it, and the target program is being debugged, the system suspends the program and sends an EXCEPTION_DEBUG_EVENT message to the debugger. (Isn't this a way to detect the presence of a debugger?)
2. If your program is not being debugged, or the debugger fails to handle the exception, the system next looks for a thread-specific exception handling routine. If you installed one, the system passes the exception to your program's SEH routine for handling.
3. Each thread-specific routine can either handle the exception or decline it. If it declines and you installed several thread-specific routines, the exception can be handed on to the other routines.
4. If all of these routines decline to handle the exception, and the program is being debugged, the operating system suspends the program again to notify the debugger.
5. If the program is not being debugged, or the debugger cannot handle the exception, and you called SetUnhandledExceptionFilter to install a final exception handling routine, the system passes the exception to it.
6. If you have no final routine, or it does not handle the exception, the system calls the default system handler, which usually displays a dialog in which you can choose to close the program or attach a debugger via the debug button. If no debugger can be attached, or the debugger cannot handle the exception, the system calls ExitProcess to terminate the program.
7. Before termination, however, the system still passes the exception to the thread's exception handling routines once more, which gives them a chance to clean up.

From the above, it is worth noting: if a program calls SetUnhandledExceptionFilter to install an exception handler, puts the program's functional code inside that handler, and triggers it with an INT 3 exception, then if the program is being debugged and the debugger handles the INT 3 exception, the handler installed via SetUnhandledExceptionFilter is never called and the program does not work normally. This is an effective anti-debugging technique. Dealing with it requires modifying the Windows exception dispatch function so that Windows is forced to always deliver the exception to the final exception handler.

There are two ways to install an exception handler. One is SetUnhandledExceptionFilter, which always installs the handler at the end of the exception chain. It has certain limitations, but this kind of installation guarantees that the handler is effective: no matter which thread raises the exception, this routine is called. The other way is to locate the exception chain directly and add a handler to it; a handler installed this way is thread-specific, and is only effective for that thread.

The linked list of the exception chain is kept at FS:[0]; each exception record has the following structure:

    _EXCEPTION_REGISTRATION STRUC
        prev    DD ?    ; previous _EXCEPTION_REGISTRATION structure
        handler DD ?    ; entry of the exception handling routine
    _EXCEPTION_REGISTRATION ENDS

Now it is clear how to do it: the last _EXCEPTION_REGISTRATION in the chain has prev equal to 0xFFFFFFFF, so the following code completes the installation:

    push offset perthread_handler   ; the exception handler
    push fs:[0]
    mov  fs:[0], esp                ; build the basic SEH ERR structure; if this is unclear, study it closely

perthread_handler takes four parameters: pExcept:DWORD, pErr:DWORD, pContext:DWORD, pDispatch:DWORD. Their meanings are as follows:

pExcept: pointer to the EXCEPTION_RECORD structure
pErr: pointer to the ERR structure set up above
pContext: pointer to the CONTEXT structure
pDispatch: not significant here

The EXCEPTION_RECORD and CONTEXT structures are as follows:

==================
EXCEPTION_RECORD STRUCT
==================

    EXCEPTION_RECORD STRUCT
        ExceptionCode        DWORD ?    ; exception code
        ExceptionFlags       DWORD ?    ; exception flags
        pExceptionRecord     DWORD ?    ; pointer to another EXCEPTION_RECORD
        ExceptionAddress     DWORD ?    ; exception address
        NumberParameters     DWORD ?    ; number of DWORDs in ExceptionInformation below
        ExceptionInformation DWORD EXCEPTION_MAXIMUM_PARAMETERS DUP(?)
    EXCEPTION_RECORD ENDS
    ; EXCEPTION_MAXIMUM_PARAMETERS == 15

==================
CONTEXT STRUCT
==================

    CONTEXT STRUCT                              ; offset (hex)
        ContextFlags      DWORD ?               ; 00
        iDr0              DWORD ?               ; 04  \
        iDr1              DWORD ?               ; 08   |
        iDr2              DWORD ?               ; 0C   | debug registers
        iDr3              DWORD ?               ; 10   |
        iDr6              DWORD ?               ; 14   |
        iDr7              DWORD ?               ; 18  /
        FloatSave         FLOATING_SAVE_AREA <> ; 1C ... 88h  floating-point register area
        regGs             DWORD ?               ; 8C  \
        regFs             DWORD ?               ; 90   | segment registers
        regEs             DWORD ?               ; 94   |
        regDs             DWORD ?               ; 98  /
        regEdi            DWORD ?               ; 9C  \
        regEsi            DWORD ?               ; A0   |
        regEbx            DWORD ?               ; A4   | general-purpose register group
        regEdx            DWORD ?               ; A8   |
        regEcx            DWORD ?               ; AC   |
        regEax            DWORD ?               ; B0  /
        regEbp            DWORD ?               ; B4  \
        regEip            DWORD ?               ; B8   |
        regCs             DWORD ?               ; BC   | control register group
        regFlag           DWORD ?               ; C0   |
        regEsp            DWORD ?               ; C4   |
        regSs             DWORD ?               ; C8  /
        ExtendedRegisters DB MAXIMUM_SUPPORTED_EXTENSION DUP(?)
    CONTEXT ENDS

Hardware breakpoints are implemented with iDr0-iDr3, so the perthread_handler function can clear them as follows (offsets are hexadecimal, OllyDbg style):

    PUSH EBP
    MOV  EBP, ESP
    PUSH EBX                            ; preserve EBX, restored by POP EBX below
    MOV  EAX, DWORD PTR SS:[EBP+10]     ; get the CONTEXT structure (third parameter, pContext)
    XOR  EBX, EBX
    MOV  DWORD PTR DS:[EAX+4], EBX      ; clear iDr0-iDr3 in turn
    MOV  DWORD PTR DS:[EAX+8], EBX
    MOV  DWORD PTR DS:[EAX+C], EBX
    MOV  DWORD PTR DS:[EAX+10], EBX
    MOV  EAX, 0                         ; ExceptionContinueExecution: resume at the faulting instruction
    POP  EBX
    LEAVE
    RETN 10
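Because the handler reaches into the CONTEXT by raw offsets ([EAX+4] through [EAX+10]), it is worth checking those offsets against the structure layout before trusting a listing like the one above. The following is an added example, not code from the original article: a portable C model of the Win32 x86 CONTEXT (field sizes assumed from the SDK definitions, FLOATING_SAVE_AREA being 112 bytes and ExtendedRegisters 512 bytes, which is what produces the 1C...88h span and the 8C to C8 offsets in the table) together with the handler's register-clearing logic written in C. The type and function names (CONTEXT32, FLOATING_SAVE_AREA32, perthread_handler_c, hw_breakpoints_enabled, armed_address_count, make_sample_context) are this example's own, and the breakpoint address and EIP in the sample context are constructed values. It also shows one thing the listing alone does not: the handler zeroes only the four address registers and leaves the enable bits in DR7 untouched, which is what an analyst inspecting the resumed context would see.

```c
/* Added example (not code from the original article): a portable C model of
 * the Win32 x86 CONTEXT layout that the article's handler indexes through EAX,
 * plus the handler's DR0..DR3 clearing logic written in C. Builds on any
 * platform; nothing here touches a real exception chain. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Sizes assumed from the Win32 SDK definitions:
 * FLOATING_SAVE_AREA is 112 bytes, ExtendedRegisters is 512 bytes. */
#define SIZE_OF_80387_REGISTERS     80
#define MAXIMUM_SUPPORTED_EXTENSION 512

typedef struct {
    uint32_t ControlWord, StatusWord, TagWord, ErrorOffset;
    uint32_t ErrorSelector, DataOffset, DataSelector;
    uint8_t  RegisterArea[SIZE_OF_80387_REGISTERS];
    uint32_t Cr0NpxState;
} FLOATING_SAVE_AREA32;                                  /* 0x70 bytes */

/* Field order follows the article's CONTEXT listing; SDK field names used. */
typedef struct {
    uint32_t ContextFlags;                               /* 00 */
    uint32_t Dr0, Dr1, Dr2, Dr3, Dr6, Dr7;               /* 04 08 0C 10 14 18 */
    FLOATING_SAVE_AREA32 FloatSave;                      /* 1C */
    uint32_t SegGs, SegFs, SegEs, SegDs;                 /* 8C 90 94 98 */
    uint32_t Edi, Esi, Ebx, Edx, Ecx, Eax;               /* 9C A0 A4 A8 AC B0 */
    uint32_t Ebp, Eip, SegCs, EFlags, Esp, SegSs;        /* B4 B8 BC C0 C4 C8 */
    uint8_t  ExtendedRegisters[MAXIMUM_SUPPORTED_EXTENSION]; /* CC */
} CONTEXT32;

/* EXCEPTION_DISPOSITION value the article's handler returns in EAX. */
enum { ExceptionContinueExecution = 0 };

/* C rendering of the article's perthread_handler: zero the four address
 * registers DR0..DR3 in the saved context and ask the OS to resume.
 * The other three parameters are accepted but unused, as in the original. */
int perthread_handler_c(void *pExcept, void *pErr, CONTEXT32 *pContext, void *pDispatch)
{
    (void)pExcept; (void)pErr; (void)pDispatch;
    pContext->Dr0 = 0;   /* MOV DWORD PTR [EAX+4], EBX  (EBX == 0) */
    pContext->Dr1 = 0;   /* [EAX+8]  */
    pContext->Dr2 = 0;   /* [EAX+C]  */
    pContext->Dr3 = 0;   /* [EAX+10] */
    return ExceptionContinueExecution;
}

/* Analyst-side view of what the handler leaves behind: it never touches DR7,
 * so the local/global enable bits (bits 0..7) stay set even though the
 * addresses they refer to are now zero. */
int hw_breakpoints_enabled(const CONTEXT32 *ctx)
{
    return (ctx->Dr7 & 0xFF) != 0;
}

/* Number of address registers DR0..DR3 holding a non-zero address. */
int armed_address_count(const CONTEXT32 *ctx)
{
    return (ctx->Dr0 != 0) + (ctx->Dr1 != 0) + (ctx->Dr2 != 0) + (ctx->Dr3 != 0);
}

/* Constructed sample context: one execute breakpoint armed in DR0 (the address
 * is a made-up value), enabled locally through DR7 bit 0 (L0). */
CONTEXT32 make_sample_context(void)
{
    CONTEXT32 ctx;
    memset(&ctx, 0, sizeof ctx);
    ctx.ContextFlags = 0x00010010u;  /* CONTEXT_i386 | CONTEXT_DEBUG_REGISTERS */
    ctx.Dr0 = 0x00401000u;           /* constructed breakpoint address */
    ctx.Dr7 = 0x00000001u;           /* L0 set; RW0/LEN0 = 0 -> execute, 1 byte */
    ctx.Eip = 0x00401234u;           /* constructed faulting EIP */
    return ctx;
}

int main(void)
{
    CONTEXT32 ctx = make_sample_context();
    printf("offsets: Dr0=%02zx Dr3=%02zx Eip=%02zx sizeof(CONTEXT)=%zx\n",
           offsetof(CONTEXT32, Dr0), offsetof(CONTEXT32, Dr3),
           offsetof(CONTEXT32, Eip), sizeof(CONTEXT32));
    printf("before: armed=%d enabled=%d\n",
           armed_address_count(&ctx), hw_breakpoints_enabled(&ctx));
    int disposition = perthread_handler_c(NULL, NULL, &ctx, NULL);
    printf("after:  armed=%d enabled=%d disposition=%d\n",
           armed_address_count(&ctx), hw_breakpoints_enabled(&ctx), disposition);
    return 0;
}
```

Compile with any C99 compiler (for example `cc -std=c99 context_model.c`) and compare the printed offsets with the CONTEXT table above; Dr0 at 04, Dr3 at 10 and Eip at B8 are the values the assembly listing relies on, and the total size 2CC is the documented size of the x86 CONTEXT.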

Please credit the original URL when reposting: https://www.9cbs.com/read-132799.html
