(转)Windows SEH学习 x86-白红宇

windows 提供的异常处理机制实际上只是一个简单的框架。我们通常所用的异常处理（比如 C++ 的 throw、try、catch）都是编译器在系统提供的异常处理机制上进行加工了的增强版本。这里先抛开增强版的不提，先说原始版本。

原始版本的机制很简单：谁都可以触发异常，谁都可以处理异常（只要它能看得见）。但是不管是触发还是处理都得先注册。系统把这些注册信息保存在一个链表里，并且这个链表保存在线程的数据结构里。也就是说，异常所涉及的一些行为都是线程相关的。比如，线程 T1 触发的异常就只能由线程 T1 来处理，其他线程根本就不知道 T1 发生了什么事，更不会处理。等注册完毕后，线程就可以抛出或处理异常了，系统也可以做相应的管理工作了。

系统提供的管理工作简单来说包括（但不限于）：找到触发异常的线程的异常处理链表（前面注册的那个），然后按照规则对该异常进行分发，根据分发后的处理结果再进行下一步的分发或者结束处理。

系统管理所使用的数据结构：

#define EXCEPTION_CHAIN_END ((struct _EXCEPTION_REGISTRATION_RECORD * POINTER_32)-1)

typedef enum _EXCEPTION_DISPOSITION {

ExceptionContinueExecution,

ExceptionContinueSearch,

ExceptionNestedException,

ExceptionCollidedUnwind

} EXCEPTION_DISPOSITION;

typedef struct _EXCEPTION_RECORD {

DWORD ExceptionCode;

DWORD ExceptionFlags;

struct _EXCEPTION_RECORD *ExceptionRecord;

PVOID ExceptionAddress;

DWORD NumberParameters;

ULONG_PTR ExceptionInformation[EXCEPTION_MAXIMUM_PARAMETERS];

} EXCEPTION_RECORD;

typedef EXCEPTION_RECORD *PEXCEPTION_RECORD;

typedef

EXCEPTION_DISPOSITION

(*PEXCEPTION_ROUTINE) (

IN struct _EXCEPTION_RECORD *ExceptionRecord,

IN PVOID EstablisherFrame,

IN OUT struct _CONTEXT *ContextRecord,

IN OUT PVOID DispatcherContext

);

typedef struct _EXCEPTION_REGISTRATION_RECORD {

//指向下一个 EXCEPTION_REGISTRATION_RECORD，由此构成一个异常注册信息链表。

//链表中的最后一个结点会将 Next 置为 EXCEPTION_CHAIN_END，表示链表到此结束。

struct _EXCEPTION_REGISTRATION_RECORD *Next;

PEXCEPTION_ROUTINE Handler; //指向异常处理函数

} EXCEPTION_REGISTRATION_RECORD;

typedef EXCEPTION_REGISTRATION_RECORD *PEXCEPTION_REGISTRATION_RECORD;

当接收到异常后，系统找到当前线程的异常链表，从链表中的第一个结点开始遍历，找到一个 EXCEPTION_REGISTRATION_RECORD 就调用它的 Handler，并把该异常(类型为 EXCEPTION_RECORD 的参数)表示传递给该 Handler，Handler 处理并返回一个类型为 EXCEPTION_DISPOSITION 的枚举值。该返回值指示系统下一步该做什么：

ExceptionContinueExecution 表示：已经处理了异常，回到异常触发点继续执行。

ExceptionContinueSearch 表示：没有处理异常，继续遍历异常链表。

ExceptionCollidedUnwind 表示在展开过程中再次触发异常。

ExceptionNestedException这里先不做解释

这样系统根据不同的返回值来继续遍历异常链表或者回到触发点继续执行。

内核模式异常处理:

首先，CPU 执行的指令触发了异常，CPU 改执行 IDT 中 KiTrap??，KiTrap?? 会调用 KiDispatchException。

该函数原型如下：功能如名字一样，分发异常

VOID KiDispatchException (

IN PEXCEPTION_RECORD ExceptionRecord,

IN PKEXCEPTION_FRAME ExceptionFrame,

IN PKTRAP_FRAME TrapFrame,

IN KPROCESSOR_MODE PreviousMode,

IN BOOLEAN FirstChance );

Wrk中关于KiDispatchException的源代码在后面贴出，基本流程就是:

检查 ExceptionRecord->ExceptionCode，

如果是 STATUS_BREAKPOINT，那么将 CONTEXT::Eip 减一；

如果是 KI_EXCEPTION_ACCESS_VIOLATION，那么将检查是否是由 AtlThunk 触发（这个小环节没有深究），

如果是触发 NX（不可执行），那么将 ExceptionRecord->ExceptionInformation [0] 置为 0（貌似表示触发操作的类型，0表示读、1表示写）,MSDN有详细解释，推荐阅读

如果 PreviousMode 是 KernelMode，

那么如果 FirstChance 为 TRUE，那么将该异常传达给内核调试器，如果内核调试器没有处理，那么调用 RtlDispatchException 进行处理。

如果 FirstChance 为 FALSE，那么再次将该异常传达给内核调试器，如果内核调试器没有处理，那么 BUGCHECK。

如果 PreviousMode 是 UserMode，

那么，如果 FirstChance 为 TRUE，那么将该异常传达给内核调试器，如果内核调试器没有处理，那么将异常传达给应用层调试器。

如果仍然没有处理，那么将 KTRAP_FRAME 和 EXCEPTION_RECORD 拷贝到 UserMode 的栈中，并设置 KTRAP_FRAME::Eip 设置为　　　　　　 ntdll!KiUserExceptionDispatcher，返回（将该异常交由应用层异常处理程序进行处理）。

如果 FirstChance 为 FALSE，那么再次将异常传达给应用层调试器，如果仍然没有处理，那么调用 ZwTerminateProcess 结束进程，并 BUGCHECK。

VOID

KiDispatchException (

IN PEXCEPTION_RECORD ExceptionRecord,

IN PKEXCEPTION_FRAME ExceptionFrame,

IN PKTRAP_FRAME TrapFrame,

IN KPROCESSOR_MODE PreviousMode,

IN BOOLEAN FirstChance

)

/*++

Routine Description:

This function is called to dispatch an exception to the proper mode and

to cause the exception dispatcher to be called. If the previous mode is

kernel, then the exception dispatcher is called directly to process the

exception. Otherwise the exception record, exception frame, and trap

frame contents are copied to the user mode stack. The contents of the

exception frame and trap are then modified such that when control is

returned, execution will commense in user mode in a routine which will

call the exception dispatcher.

Arguments:

ExceptionRecord - Supplies a pointer to an exception record.

ExceptionFrame - Supplies a pointer to an exception frame. For NT386,

this should be NULL.

TrapFrame - Supplies a pointer to a trap frame.

PreviousMode - Supplies the previous processor mode.

FirstChance - Supplies a boolean value that specifies whether this is

the first (TRUE) or second (FALSE) chance for the exception.

Return Value:

None.

--*/

{

CONTEXT ContextRecord;

BOOLEAN DebugService;

EXCEPTION_RECORD ExceptionRecord1;

BOOLEAN ExceptionWasForwarded = FALSE;

ULONG64 FaultingRsp;

PMACHINE_FRAME MachineFrame;

ULONG64 UserStack1;

ULONG64 UserStack2;

// Move machine state from trap and exception frames to a context frame

// and increment the number of exceptions dispatched.

KeGetCurrentPrcb()->KeExceptionDispatchCount += ;

ContextRecord.ContextFlags = CONTEXT_FULL | CONTEXT_DEBUG_REGISTERS | CONTEXT_SEGMENTS;

//在当前栈中分配一个 CONTEXT，调用 KeContextFromKframes 初始化它

KeContextFromKframes(TrapFrame, ExceptionFrame, &ContextRecord);

// If the exception is a break point, then convert the break point to a

// fault.

if (ExceptionRecord->ExceptionCode == STATUS_BREAKPOINT) {

ContextRecord.Rip -= ;

}

// If the exception is an internal general protect fault, invalid opcode,

// or integer divide by zero, then attempt to resolve the problem without

// actually raising an exception.

if (KiPreprocessFault(ExceptionRecord,

TrapFrame,

&ContextRecord,

PreviousMode) != FALSE) {

goto Handled1;

}

// Select the method of handling the exception based on the previous mode.

if (PreviousMode == KernelMode) {

// Previous mode was kernel.

// If the kernel debugger is active, then give the kernel debugger

// the first chance to handle the exception. If the kernel debugger

// handles the exception, then continue execution. Otherwise, attempt

// to dispatch the exception to a frame based handler. If a frame

// based handler handles the exception, then continue execution.

// If a frame based handler does not handle the exception, give the

// kernel debugger a second chance, if it's present.

// If the exception is still unhandled call bugcheck.

if (FirstChance != FALSE) {

if ((KiDebugRoutine)(TrapFrame, //内核调试器处理 KdpTrap KdpStub

ExceptionFrame,

ExceptionRecord,

&ContextRecord,

PreviousMode,

FALSE) != FALSE) {

goto Handled1;

}

// Kernel debugger didn't handle exception.

// If interrupts are disabled, then bugcheck.

if (RtlDispatchException(ExceptionRecord, &ContextRecord) != FALSE) {

goto Handled1;

}

}

// This is the second chance to handle the exception.

if ((KiDebugRoutine)(TrapFrame,

ExceptionFrame,

ExceptionRecord,

&ContextRecord,

PreviousMode,

TRUE) != FALSE) {

goto Handled1;

}

//蓝屏

KeBugCheckEx(KMODE_EXCEPTION_NOT_HANDLED,

ExceptionRecord->ExceptionCode,

(ULONG64)ExceptionRecord->ExceptionAddress,

ExceptionRecord->ExceptionInformation[],

ExceptionRecord->ExceptionInformation[]);

} else {
//UserMode

// Previous mode was user.

// If this is the first chance and the current process has a debugger

// port, then send a message to the debugger port and wait for a reply.

// If the debugger handles the exception, then continue execution. Else

// transfer the exception information to the user stack, transition to

// user mode, and attempt to dispatch the exception to a frame based

// handler. If a frame based handler handles the exception, then continue

// execution with the continue system service. Else execute the

// NtRaiseException system service with FirstChance == FALSE, which

// will call this routine a second time to process the exception.

// If this is the second chance and the current process has a debugger

// port, then send a message to the debugger port and wait for a reply.

// If the debugger handles the exception, then continue execution. Else

// if the current process has a subsystem port, then send a message to

// the subsystem port and wait for a reply. If the subsystem handles the

// exception, then continue execution. Else terminate the process.

// If the current process is a wow64 process, an alignment fault has

// occurred, and the AC bit is set in EFLAGS, then clear AC in EFLAGS

// and continue execution. Otherwise, attempt to resolve the exception.

if ((PsGetCurrentProcess()->Wow64Process != NULL) &&

(ExceptionRecord->ExceptionCode == STATUS_DATATYPE_MISALIGNMENT) &&

((TrapFrame->EFlags & EFLAGS_AC_MASK) != )) {

TrapFrame->EFlags &= ~EFLAGS_AC_MASK;

goto Handled2;

}

// If the exception happened while executing 32-bit code, then convert

// the exception to a wow64 exception. These codes are translated later

// by wow64.

if ((ContextRecord.SegCs & 0xfff8) == KGDT64_R3_CMCODE) {

switch (ExceptionRecord->ExceptionCode) {

case STATUS_BREAKPOINT:

ExceptionRecord->ExceptionCode = STATUS_WX86_BREAKPOINT;

break;

case STATUS_SINGLE_STEP:

ExceptionRecord->ExceptionCode = STATUS_WX86_SINGLE_STEP;

break;

}

// Clear the upper 32-bits of the stack address and 16-byte

// align the stack address.

FaultingRsp = (ContextRecord.Rsp & 0xfffffff0UI64);

} else {

FaultingRsp = ContextRecord.Rsp;

}

if (FirstChance == TRUE) {

// This is the first chance to handle the exception.

// If the current processor is not being debugged and user mode

// exceptions are not being ignored, or this is a debug service,

// then attempt to handle the exception via the kernel debugger.

DebugService = KdIsThisAKdTrap(ExceptionRecord,

&ContextRecord,

UserMode);

if (((PsGetCurrentProcess()->DebugPort == NULL) &&

(KdIgnoreUmExceptions == FALSE)) ||

(DebugService == TRUE)) {

// Attempt to handle the exception with the kernel debugger.

if ((KiDebugRoutine)(TrapFrame,

ExceptionFrame,

ExceptionRecord,

&ContextRecord,

PreviousMode,

FALSE) != FALSE) {

goto Handled1;

}

}

if ((ExceptionWasForwarded == FALSE) &&

(DbgkForwardException(ExceptionRecord, TRUE, FALSE))) {

goto Handled2;

}

// Clear the trace flag in the trap frame so a spurious trace

// trap is guaranteed not to occur in the trampoline code.

TrapFrame->EFlags &= ~EFLAGS_TF_MASK;

// Transfer exception information to the user stack, transition

// to user mode, and attempt to dispatch the exception to a frame

// based handler.

ExceptionRecord1.ExceptionCode = STATUS_ACCESS_VIOLATION;

repeat:

try {

// Compute address of aligned machine frame, compute address

// of exception record, compute address of context record,

// and probe user stack for writeability.

MachineFrame =

(PMACHINE_FRAME)((FaultingRsp - sizeof(MACHINE_FRAME)) & ~STACK_ROUND);

UserStack1 = (ULONG64)MachineFrame - EXCEPTION_RECORD_LENGTH;

UserStack2 = UserStack1 - CONTEXT_LENGTH;

ProbeForWriteSmallStructure((PVOID)UserStack2,

sizeof(MACHINE_FRAME) + EXCEPTION_RECORD_LENGTH + CONTEXT_LENGTH,

STACK_ALIGN);

// Fill in machine frame information.

MachineFrame->Rsp = FaultingRsp;

MachineFrame->Rip = ContextRecord.Rip;

// Copy exception record to the user stack.

*(PEXCEPTION_RECORD)UserStack1 = *ExceptionRecord;

// Copy context record to the user stack.

*(PCONTEXT)UserStack2 = ContextRecord;

// Set the address of the new stack pointer in the current

// trap frame.

TrapFrame->Rsp = UserStack2;

// Set the user mode 64-bit code selector.

TrapFrame->SegCs = KGDT64_R3_CODE | RPL_MASK;

// Set the address of the exception routine that will call the

// exception dispatcher and then return to the trap handler.

// The trap handler will restore the exception and trap frame

// context and continue execution in the routine that will

// call the exception dispatcher.

TrapFrame->Rip = (ULONG64)KeUserExceptionDispatcher;

return;

} except (KiCopyInformation(&ExceptionRecord1,

(GetExceptionInformation())->ExceptionRecord)) {

// If the exception is a stack overflow, then attempt to

// raise the stack overflow exception. Otherwise, the user's

// stack is not accessible, or is misaligned, and second

// chance processing is performed.

if (ExceptionRecord1.ExceptionCode == STATUS_STACK_OVERFLOW) {

ExceptionRecord1.ExceptionAddress = ExceptionRecord->ExceptionAddress;

*ExceptionRecord = ExceptionRecord1;

goto repeat;

}

}

}

// This is the second chance to handle the exception.

if (DbgkForwardException(ExceptionRecord, TRUE, TRUE)) {

goto Handled2;

} else if (DbgkForwardException(ExceptionRecord, FALSE, TRUE)) {

goto Handled2;

} else {

ZwTerminateProcess(NtCurrentProcess(), ExceptionRecord->ExceptionCode);

KeBugCheckEx(KMODE_EXCEPTION_NOT_HANDLED,

ExceptionRecord->ExceptionCode,

(ULONG64)ExceptionRecord->ExceptionAddress,

ExceptionRecord->ExceptionInformation[],

ExceptionRecord->ExceptionInformation[]);

}

}

// Move machine state from context frame to trap and exception frames and

// then return to continue execution with the restored state.

Handled1:

KeContextToKframes(TrapFrame,

ExceptionFrame,

&ContextRecord,

ContextRecord.ContextFlags,

PreviousMode);

// Exception was handled by the debugger or the associated subsystem

// and state was modified, if necessary, using the get state and set

// state capabilities. Therefore the context frame does not need to

// be transferred to the trap and exception frames.

Handled2:

return;

}

KiDispatchException

我们主要关注KernelMode的异常处理情况，重点是RtlDispatchException的操作:

函数流程大致如下：

遍历当前线程的异常链表，挨个调用 RtlpExecuteHandlerForException，RtlpExecuteHandlerForException 会调用异常处理函数。再根据返回值做出不同的处理：

对于 ExceptionContinueExecution，结束遍历，返回。（对于标记为‘EXCEPTION_NONCONTINUABLE’的异常，会调用 RtlRaiseException。）

对于 ExceptionContinueSearch，继续遍历下一个结点；

对于 ExceptionNestedException，则从指定的新异常继续遍历；

只有正确处理 ExceptionContinueExecution 才会返回 TRUE，其他情况都返回 FALSE。

BOOLEAN

RtlDispatchException (

IN PEXCEPTION_RECORD ExceptionRecord,

IN PCONTEXT ContextRecord

)

/*++

Routine Description:

This function attempts to dispatch an exception to a call frame based

handler by searching backwards through the stack based call frames. The

search begins with the frame specified in the context record and continues

backward until either a handler is found that handles the exception, the

stack is found to be invalid (i.e., out of limits or unaligned), or the end

of the call hierarchy is reached.

Arguments:

ExceptionRecord - Supplies a pointer to an exception record.

ContextRecord - Supplies a pointer to a context record.

Return Value:

If the exception is handled by one of the frame based handlers, then

a value of TRUE is returned. Otherwise a value of FALSE is returned.

--*/

{

BOOLEAN Completion = FALSE;

DISPATCHER_CONTEXT DispatcherContext;

EXCEPTION_DISPOSITION Disposition;

PEXCEPTION_REGISTRATION_RECORD RegistrationPointer;

PEXCEPTION_REGISTRATION_RECORD NestedRegistration;

ULONG HighAddress;

ULONG HighLimit;

ULONG LowLimit;

EXCEPTION_RECORD ExceptionRecord1;

ULONG Index;

// Get current stack limits.

RtlpGetStackLimits(&LowLimit, &HighLimit);

// Start with the frame specified by the context record and search

// backwards through the call frame hierarchy attempting to find an

// exception handler that will handler the exception.

RegistrationPointer = RtlpGetRegistrationHead();

NestedRegistration = ;

while (RegistrationPointer != EXCEPTION_CHAIN_END) {

// If the call frame is not within the specified stack limits or the

// call frame is unaligned, then set the stack invalid flag in the

// exception record and return FALSE. Else check to determine if the

// frame has an exception handler.

HighAddress = (ULONG)RegistrationPointer +

sizeof(EXCEPTION_REGISTRATION_RECORD);

if ( ((ULONG)RegistrationPointer < LowLimit) ||

(HighAddress > HighLimit) ||

(((ULONG)RegistrationPointer & )

// Allow for the possibility that the problem occured on the

// DPC stack.

ULONG TestAddress = (ULONG)RegistrationPointer;

) &&

KeGetCurrentIrql() >= DISPATCH_LEVEL) {

PKPRCB Prcb = KeGetCurrentPrcb();

ULONG DpcStack = (ULONG)Prcb->DpcStack;

if ((Prcb->DpcRoutineActive) &&

(HighAddress <= DpcStack) &&

(TestAddress >= DpcStack - KERNEL_STACK_SIZE)) {

// This error occured on the DPC stack, switch

// stack limits to the DPC stack and restart

// the loop.

HighLimit = DpcStack;

LowLimit = DpcStack - KERNEL_STACK_SIZE;

continue;

}

}

ExceptionRecord->ExceptionFlags |= EXCEPTION_STACK_INVALID;

goto DispatchExit;

}

// See if the handler is reasonable

if (!RtlIsValidHandler(RegistrationPointer->Handler)) {

ExceptionRecord->ExceptionFlags |= EXCEPTION_STACK_INVALID;

goto DispatchExit;

}

// The handler must be executed by calling another routine

// that is written in assembler. This is required because

// up level addressing of the handler information is required

// when a nested exception is encountered.

if (NtGlobalFlag & FLG_ENABLE_EXCEPTION_LOGGING) {

Index = RtlpLogExceptionHandler(

ExceptionRecord,

ContextRecord,

(PULONG)RegistrationPointer,

* sizeof(ULONG));

// can't use sizeof(EXCEPTION_REGISTRATION_RECORD

// because we need the 2 dwords above it.

}

Disposition = RtlpExecuteHandlerForException(

ExceptionRecord,

(PVOID)RegistrationPointer,

ContextRecord,

(PVOID)&DispatcherContext,

(PEXCEPTION_ROUTINE)RegistrationPointer->Handler);

if (NtGlobalFlag & FLG_ENABLE_EXCEPTION_LOGGING) {

RtlpLogLastExceptionDisposition(Index, Disposition);

}

// If the current scan is within a nested context and the frame

// just examined is the end of the context region, then clear

// the nested context frame and the nested exception in the

// exception flags.

if (NestedRegistration == RegistrationPointer) {

ExceptionRecord->ExceptionFlags &= (~EXCEPTION_NESTED_CALL);

NestedRegistration = ;

}

// Case on the handler disposition.

switch (Disposition) {

// The disposition is to continue execution. If the

// exception is not continuable, then raise the exception

// STATUS_NONCONTINUABLE_EXCEPTION. Otherwise return

// TRUE.

case ExceptionContinueExecution :

if ((ExceptionRecord->ExceptionFlags &

EXCEPTION_NONCONTINUABLE) != ) {

ExceptionRecord1.ExceptionCode =

STATUS_NONCONTINUABLE_EXCEPTION;

ExceptionRecord1.ExceptionFlags = EXCEPTION_NONCONTINUABLE;

ExceptionRecord1.ExceptionRecord = ExceptionRecord;

ExceptionRecord1.NumberParameters = ;

RtlRaiseException(&ExceptionRecord1);

} else {

Completion = TRUE;

goto DispatchExit;

}

// The disposition is to continue the search. If the frame isn't

// suspect/corrupt, get next frame address and continue the search

case ExceptionContinueSearch :

if (ExceptionRecord->ExceptionFlags & EXCEPTION_STACK_INVALID)

goto DispatchExit;

break;

// The disposition is nested exception. Set the nested

// context frame to the establisher frame address and set

// nested exception in the exception flags.

case ExceptionNestedException :

ExceptionRecord->ExceptionFlags |= EXCEPTION_NESTED_CALL;

if (DispatcherContext.RegistrationPointer > NestedRegistration) {

NestedRegistration = DispatcherContext.RegistrationPointer;

}

break;

// All other disposition values are invalid. Raise

// invalid disposition exception.

default :

ExceptionRecord1.ExceptionCode = STATUS_INVALID_DISPOSITION;

ExceptionRecord1.ExceptionFlags = EXCEPTION_NONCONTINUABLE;

ExceptionRecord1.ExceptionRecord = ExceptionRecord;

ExceptionRecord1.NumberParameters = ;

RtlRaiseException(&ExceptionRecord1);

break;

}

// If chain goes in wrong direction or loops, report an

// invalid exception stack, otherwise go on to the next one.

RegistrationPointer = RegistrationPointer->Next;

}

// Call vectored continue handlers.

DispatchExit:

return Completion;

}

RtlDispatchException 源代码

EXCEPTION_DISPOSITION

RtlpExecuteHandlerForException (

IN PEXCEPTION_RECORD ExceptionRecord,

IN PVOID EstablisherFrame,

IN OUT PCONTEXT ContextRecord,

IN OUT PVOID DispatcherContext,

IN PEXCEPTION_ROUTINE ExceptionRoutine

);

RtlpExecuteHandlerForException

然后了解异常链表在线程中的位置

kd> dt _ETHREAD

ntdll!_ETHREAD

+0x000 Tcb : _KTHREAD

kd> dt _KTHREAD

ntdll!_KTHREAD

......

+0x074 Teb : Ptr32 Void

kd> dt _TEB

ntdll!_TEB

+0x000 NtTib : _NT_TIB

kd> dt _NT_TIB

ntdll!_NT_TIB

+0x000 ExceptionList : Ptr32 _EXCEPTION_REGISTRATION_RECORD //异常处理链表

+0x004 StackBase : Ptr32 Void

+0x008 StackLimit : Ptr32 Void

+0x00c SubSystemTib : Ptr32 Void

+0x010 FiberData : Ptr32 Void

+0x010 Version : Uint4B

+0x014 ArbitraryUserPointer : Ptr32 Void

+0x018 Self : Ptr32 _NT_TIB

系统根据FS寄存器来寻找异常处理链表，在应用层，FS 寄存器“指向”当前执行线程的 _TEB 结构体。

在内核层，FS 寄存器“指向”另一个跟 CPU 相关的结构体：_KPCR，来看看它的结构，

kd> dt _kpcr

nt!_KPCR

+0x000 NtTib : _NT_TIB

+0x000 Used_ExceptionList : Ptr32 _EXCEPTION_REGISTRATION_RECORD

......省略

与 _TEB 一样，它的第一个域成员也是 _NT_TIB，只不过此时是 nt!_NT_TIB，而在应用层是 ntdll!_NT_TIB，但它们的结构是一样的。

这样，不论在应用层还是在内核层，系统都可以使用 FS:[0] 找到异常链表。

总结一下异常处理调用流程

硬件异常:

CPU 检测到异常 -> KiTrap?? -> KiDispatchException -> RtlDispatchException -> RtlpExecuteHandlerForException

软件异常:

RtlRaiseException -> RtlDispatchException -> RtlpExecuteHandlerForException

接下来看看RtlRaiseException 函数，大致流程就是:

首先调用 RtlDispatchException 分发异常，如果 RtlDispatchException 成功分发，有处理函数处理了这个异常，那么结束本函数。

如果没有成功分发，那么调用 ZwRaiseException 再次触发该异常，这次传入的异常的 FirstChance 被置为 FALSE。

DECLSPEC_NOINLINE

VOID

RtlRaiseException (

IN PEXCEPTION_RECORD ExceptionRecord

)

/*++

Routine Description:

This function raises a software exception by building a context record

and calling the raise exception system service.

Arguments:

ExceptionRecord - Supplies a pointer to an exception record.

Return Value:

None.

--*/

{

CONTEXT ContextRecord;

ULONG64 ControlPc;

ULONG64 EstablisherFrame;

PRUNTIME_FUNCTION FunctionEntry;

PVOID HandlerData;

ULONG64 ImageBase;

NTSTATUS Status = STATUS_INVALID_DISPOSITION;

// Capture the current context, unwind to the caller of this routine, set

// the exception address, and call the appropriate exception dispatcher.

RtlCaptureContext(&ContextRecord);

ControlPc = ContextRecord.Rip;

FunctionEntry = RtlLookupFunctionEntry(ControlPc, &ImageBase, NULL);

if (FunctionEntry != NULL) {

RtlVirtualUnwind(UNW_FLAG_NHANDLER,

ImageBase,

ControlPc,

FunctionEntry,

&ContextRecord,

&HandlerData,

&EstablisherFrame,

NULL);

ExceptionRecord->ExceptionAddress = (PVOID)ContextRecord.Rip;

if (RtlDispatchException(ExceptionRecord, &ContextRecord) != FALSE) {

return;

}

Status = ZwRaiseException(ExceptionRecord, &ContextRecord, FALSE);

}

// There should never be a return from either exception dispatch or the

// system service unless there is a problem with the argument list itself.

// Raise another exception specifying the status value returned.

RtlRaiseStatus(Status);

return;

}

RtlRaiseException

到这里，系统提供的 SEH 机制，大致完毕，我们可以回顾一下：

1. 系统的SEH的实现较简单，代码量不大，而且 wrk 基本上有所有关键函数的实现代码。

2. 系统的SEH的功能过于简单，实际过程中很难直接使用。整个异常处理过程无非就是遍历异常链表，挨个调用异常注册信息的处理函数，

如果其中有某个处理函数处理了该异常（返回值为 ExceptionContinueExecution），

那么就从异常触发点（如果是断点异常，则要回退一个字节的指令（int 3 指令本身））重新执行。

否则不管是整个链表中没有找到合适的处理函数（返回值为 ExceptionContinueSearch），

或者遍历过程中出现问题（返回值为 ExceptionNestedException），系统都会简单粗暴的 BUGCHECK。

那么问题来了:

线程运行过程中会调用很多个函数，每个函数都有可能注册异常处理，

它们提供的异常处理函数既可能处理该函数自身触发的异常，又可能需要处理其子孙函数触发的异常。

前者还好说，自己出了问题，多少还有可能自己修复。

而后者就很头疼了，它无法了解所有其调用的子孙函数内部的实现，要想修复子孙函数触发的异常，太困难了。

而一旦没有正确处理，或者没人处理，系统就崩掉，这个后果太严重。

于是实际上现实程序设计中，基本上没有直接使用系统的SEH机制，而是使用编译器提供的增强版本。

下面就学习编译器提供的增强版本。

增强版中的结构体

typedef struct _EXCEPTION_REGISTRATION PEXCEPTION_REGISTRATION;

struct _EXCEPTION_REGISTRATION{

PEXCEPTION_POINTERS xpointers;

struct _EXCEPTION_REGISTRATION *prev;

void (*handler)(PEXCEPTION_RECORD, PEXCEPTION_REGISTRATION, PCONTEXT, PEXCEPTION_RECORD);

struct scopetable_entry *scopetable; //类型为 scopetable_entry 的数组

int trylevel; //数组下标，用来索引 scopetable 中的数组成员。

int _ebp; //包含该 _EXCEPTION_REGISTRATION 结构体的函数的栈帧指针。

//对于没有 FPO 优化过的函数，一开头通常有个 push ebp 的操作，_ebp 的值就是被压入的 ebp 的值

};

也就是说它沿用了系统SEH的注册信息结构，只是在域成员名称上做了些改动，把 Next 改名为 prev，把 Handler 改为 handler。

除此之外，在原始版本基础上增加了4个域成员（scopetable、trylevel、_ebp、xpointers），用来支持它的增强功能。

scopetable_entry

+0x000 previousTryLevel : Uint4B

+0x004 lpfnFilter : Ptr32 int

+0x008 lpfnHandler : Ptr32 int

按照原始版本的设计，每一对“触发异常-处理异常”都会有一个注册信息即 EXCEPTION_REGISTRATION_RECORD。

也就是说，如果按照原始的设计，每一个 __try/__except(__finally) 都应该对应一个 EXCEPTION_REGISTRATION。但是实际的 MSC(微软编译器，我用的VS2010)实现不是这样的。

真正的实现是：

每个使用 __try/__except(__finally) 的函数，不管其内部嵌套或反复使用多少 __try/__except(__finally)，都只注册一遍，

即只将一个 EXCEPTION_REGISTRATION 挂入当前线程的异常链表中

（对于递归函数，每一次调用都会创建一个 EXCEPTION_REGISTRATION，并挂入线程的异常链表中，这是另外一回事）。

那如何处理函数内部出现的多个 __try/__except(__finally) 呢？

这多个 __except 代码块的功能可能大不相同，而注册信息 EXCEPTION_REGISTRATION 中只能提供一个处理函数 handler，怎么办？

MSC 的做法是，MSC 提供一个处理函数，即 EXCEPTION_REGISTRATION::handler 被设置为 MSC 的某个函数，而不是我们自己提供的 __except 代码块。

我们自己提供的多个 __except 块被存储在 EXCEPTION_REGISTRATION::scopetable 数组中。

我们看看上面的 scopetable_entry 定义，由于我没有找到它的定义代码，所以就贴了 windbg 中 dt 输出结果。

其中 scopetable_entry::lpfnHandler 就是程序猿提供的 __except 异常处理块代码。

而 lpfnFilter 就是 __except 的过滤块代码。对于 __finally 代码块，其 lpfnFilter 被置为 NULL，lpfnHandler 就是其包含的代码块。

下面，我们用一小段简单的伪代码来学习

VOID SimpleSEH()

{

__try

{

}

__except(ExceptionFilter_0(...))

{

ExceptCodeBlock_0;

}

__try

{

__try

{　　　　　　　　　　　　　　//假设触发异常

}

__except(ExceptionFilter_1(...))

{

ExceptCodeBlock_1;

}

}

__except(ExceptionFilter_2(...))

{

ExceptCodeBlock_2;

}

}

编译时，编译器会为 SimpleSeh 分配一个 EXCEPTION_REGISTRATION 和一个拥有3个成员的 scopetable 数组，并将 EXCEPTION_REGISTRATION::scopetable 指向该数组（请留意：EXCEPTION_REGISTRATION::scopetable 只是一个指针，不是数组）。然后按照 __try 关键字出现的顺序，将对应的__except/__finally 都存入该数组，步骤如下：

scopetable[0].lpfnFilter = ExceptionFilter_0;

scopetable[0].lpfnHandler = ExceptCodeBlock_0;

scopetable[1].lpfnFilter = ExceptionFilter_1;

scopetable[1].lpfnHandler = ExceptCodeBlock_1;

scopetable[2].lpfnFilter = ExceptionFilter_2;

scopetable[2].lpfnHandler = ExceptCodeBlock_2;

我们假象当前开始执行 SimpleSEH 函数，在行16和17行之间触发了异常。

根据之前的流程：RtlRaiseException -> RtlDispatchException -> RtlpExecuteHandlerForException。

RtlpExecuteHandlerForException 会调用注册信息中的处理函数，即 EXCEPTION_REGISTRATION::handler。

该函数是由 MSC 提供的，内部会依次调用 scopetable 中的 lpfnHandler。

那咱们来模拟执行一下，在16和17行之前触发异常，那应该先从 scopetable[2] 的 ExceptionFilter_2 开始执行，

假设该函数返回 EXCEPTION_CONTINUE_SEARCH，那接下来应该是 scopetable[1]；

假设 ExceptionFilter_1 也返回 EXCEPTION_CONTINUE_SEARCH；

那么接下来是不是就应该轮到 scopetable[0] 了？不是。

再看看上面的伪代码，行16和行17之间的代码并没处于第一个 __try/__except 的范围中，该异常轮不到 scopetable[0] 来处理。

那怎么办？

SimpleSEH 执行的过程中怎么知道到 scopetable[1] 就应该停止？

MSC 是通过 scopetable_entry::previousTryLevel 来解决这个问题的。上面数组的设置，完整的形式其实是这样：

scopetable[].previousTryLevel = TRYLEVEL_NONE;

scopetable[].lpfnFilter = ExceptionFilter_0;

scopetable[].lpfnHandler = ExceptCodeBlock_0;

scopetable[].previousTryLevel = TRYLEVEL_NONE;

scopetable[].lpfnFilter = ExceptionFilter_1;

scopetable[].lpfnHandler = ExceptCodeBlock_1;

scopetable[].previousTryLevel = ;

scopetable[].lpfnFilter = ExceptionFilter_2;

scopetable[].lpfnHandler = ExceptCodeBlock_2;

scopetable_entry::previousTryLevel 包含的意思是“下一个该轮到数组下标为 previousTryLevel 的单元了”。

当 scopetable_entry::previousTryLevel 等于 TRYLEVEL_NONE(-1) 时，就会停止遍历 scopetable。

TRYLEVEL_NONE equ -

TRYLEVEL_INVALID equ -

咱再来模拟执行一遍，当14和15行之间触发异常时，首先遍历到 scopetable[2]，处理完后，找到 scopetable[2].previousTryLevel，发现其值为1，那么遍历到 scopetable[1]，处理完后，找到 scopetable[1].previousTryLevel，发现其值为 TRYLEVEL_NONE，于是停止遍历。

好像挺圆满的。

再假设下，如果行4和行5之间触发了同样的异常，执行流程应该如何。

首先，执行 scopetable[2]，然后在 scopetable[1]，然后……（省略若干同上字）。

停！这次的异常是在第一个 __try/__except 中触发的，轮不到 scopetable[2] 来处理，怎么办？

这个时候就轮到 EXCEPTION_REGISTRATION::trylevel 出场了。EXCEPTION_REGISTRATION::trylevel 的作用就是标识从那个数组单元开始遍历。

与 scopetable_entry::previousTryLevel 不同，EXCEPTION_REGISTRATION::trylevel 是动态变化的，也就是说，这个值在 SimpleSeh 执行过程中是会经常改变的。

比如：

执行到行4和行5之间，该值就会被修改为0；

执行到第12行，该值被修改为1；

执行到14行，该值为2。

这样，当异常触发时候，MSC 就能正确的遍历 scopetable 了。

到目前位置，已经熟悉了增强版的概要流程。下面结合真实代码来分析。代码分为三块：SEH 创建代码、MSC 提供的 handler 函数，以及展开函数。

先把后面分析要用的宏和结构体列出来：

#define EXCEPTION_NONCONTINUABLE 0x1 // Noncontinuable exception

#define EXCEPTION_UNWINDING 0x2 // Unwind is in progress

#define EXCEPTION_EXIT_UNWIND 0x4 // Exit unwind is in progress

#define EXCEPTION_STACK_INVALID 0x8 // Stack out of limits or unaligned

#define EXCEPTION_NESTED_CALL 0x10 // Nested exception handler call

#define EXCEPTION_TARGET_UNWIND 0x20 // Target unwind in progress

#define EXCEPTION_COLLIDED_UNWIND 0x40 // Collided exception handler call

#define EXCEPTION_UNWIND (EXCEPTION_UNWINDING | EXCEPTION_EXIT_UNWIND | \

EXCEPTION_TARGET_UNWIND | EXCEPTION_COLLIDED_UNWIND)

nt!_EXCEPTION_RECORD

+0x000 ExceptionCode : Int4B

+0x004 ExceptionFlags : Uint4B

+0x008 ExceptionRecord : Ptr32 _EXCEPTION_RECORD

+0x00c ExceptionAddress : Ptr32 Void

+0x010 NumberParameters : Uint4B

+] Uint4B

typedef enum _EXCEPTION_DISPOSITION {

ExceptionContinueExecution,

ExceptionContinueSearch,

ExceptionNestedException,

ExceptionCollidedUnwind

} EXCEPTION_DISPOSITION;

// scopetable_entry::lpfnFilter 的返回值，也就是 __except 过滤块的返回值

#define EXCEPTION_EXECUTE_HANDLER 1

#define EXCEPTION_CONTINUE_SEARCH 0

#define EXCEPTION_CONTINUE_EXECUTION -1

一、SEH 创建代码

#include <ntifs.h>

#include <devioctl.h>

VOID TestSeh();

LONG Filter_0();

LONG Filter_2();

NTSTATUS

DriverEntry(IN PDRIVER_OBJECT pDriverObj, IN PUNICODE_STRING pRegistryString)

{

TestSeh();

return STATUS_SUCCESS;

}

VOID TestSeh()

{

ULONG ulVal = ;

__try // 第一个 __try 域

{

ulVal = 0x11111111; // 最后一位为1表示“在 __try 代码块中”

}

__except(Filter_0())

{

ulVal = 0x11111110; // 最后一位为0表示“在 __except/__finally 代码块中”

}

__try // 第二个 __try 域

{

ulVal = 0x22222222;

__try // 第三个 __try 域

{

ulVal = 0x33333333;

*((ULONG*)NULL) = ulVal; // 触发异常

}

__finally

{

ulVal = 0x33333330;

}

}

__except(Filter_2())

{

ulVal = 0x22222220;

}

return;

}

LONG Filter_0()

{

return EXCEPTION_EXECUTE_HANDLER;

}

LONG Filter_2()

{

return EXCEPTION_EXECUTE_HANDLER;

}

将生成的文件用Ida反汇编查看，TestSeh() 函数如下

. ; _DWORD __stdcall TestSeh()

. _TestSeh@0 proc near ; CODE XREF: DriverEntry(x,x)+5p

. ulVal = dword ptr -1Ch

. ms_exc = CPPEH_RECORD ptr -18h

. mov edi, edi

. push ebp

. mov ebp, esp

. push 0FFFFFFFEh

. push offset scopetable ; ExceptionRegister->scopetable

.text:0001103C push offset __except_handler4 ; ExceptionRegistration-->handler 系统自己的

. ; prev

. push eax

. add esp, 0FFFFFFF4h

.text:0001104B push ebx

.text:0001104C push esi

.text:0001104D push edi

.text:0001104E mov eax, ___security_cookie

. xor [ebp+ms_exc.registration.ScopeTable], eax ; 对scopetable进行加密

. xor eax, ebp ; 对security_cookie进行异或加密

. push eax

. lea eax, [ebp+ms_exc.registration]

., eax ; registration挂入线程异常链表

. mov [ebp+ms_exc.old_esp], esp

. ; 进入第一个__try域,TryLevel=0

. mov [ebp+ulVal], 11111111h

.text:0001107A mov [ebp+ms_exc.registration.TryLevel], 0FFFFFFFEh ; 离开第一个__try域，TryLevel=TRYLEVEL_NONE (-2)

. jmp short loc_1109A

. ; ---------------------------------------------------------------------------

. $LN7: ; DATA XREF: .rdata:scopetableo

. call _Filter_0@0 ; Exception filter 0 for function 11030

. $LN9:

. retn

. ; ---------------------------------------------------------------------------

. $LN8: ; DATA XREF: .rdata:scopetableo

. mov esp, [ebp+ms_exc.old_esp] ; Exception handler 0 for function 11030

.text:0001108C mov [ebp+ulVal], 11111110h

. mov [ebp+ms_exc.registration.TryLevel], 0FFFFFFFEh

.text:0001109A

.text:0001109A loc_1109A: ; CODE XREF: TestSeh()+51j

. ; 第二个__try域，TryLevel=1

.text:000110A1 mov [ebp+ulVal], 22222222h

. ; 第三个__try域，TryLevel=2

.text:000110AF mov [ebp+ulVal], 33333333h

.text:000110B6 mov eax, [ebp+ulVal]

., eax ; *((ULONG*)NULL) = ulVal; 触发异常

. ; 离开第三个__try域，TryLevel=1

.text:000110C5 call $LN15 ; Finally handler 2 for function 11030

.text:000110CA ; ---------------------------------------------------------------------------

.text:000110CA

.text:000110CA loc_110CA: ; CODE XREF: TestSeh():$LN16j

.text:000110CA jmp short $LN18

.text:000110CC ; ---------------------------------------------------------------------------

.text:000110CC

.text:000110CC $LN15: ; CODE XREF: TestSeh()+95j

.text:000110CC ; DATA XREF: .rdata:scopetableo

.text:000110CC mov [ebp+ulVal], 33333330h ; Finally handler 2 for function 11030

.text:000110D3

.text:000110D3 $LN16:

.text:000110D3 retn

.text:000110D4 ; ---------------------------------------------------------------------------

.text:000110D4

.text:000110D4 $LN18: ; CODE XREF: TestSeh():loc_110CAj

.text:000110D4 mov [ebp+ms_exc.registration.TryLevel], 0FFFFFFFEh

.text:000110DB jmp short loc_110F4

.text:000110DD ; ---------------------------------------------------------------------------

.text:000110DD

.text:000110DD $LN11: ; DATA XREF: .rdata:scopetableo

.text:000110DD call _Filter_0@0 ; Exception filter 1 for function 11030

.text:000110E2

.text:000110E2 $LN13:

.text:000110E2 retn

.text:000110E3 ; ---------------------------------------------------------------------------

.text:000110E3

.text:000110E3 $LN12: ; DATA XREF: .rdata:scopetableo

.text:000110E3 mov esp, [ebp+ms_exc.old_esp] ; Exception handler 1 for function 11030

.text:000110E6 mov [ebp+ulVal], 22222220h ; 第二个__except处理

.text:000110ED mov [ebp+ms_exc.registration.TryLevel], 0FFFFFFFEh

.text:000110F4

.text:000110F4 loc_110F4: ; CODE XREF: TestSeh()+ABj

.text:000110F4 mov ecx, [ebp+ms_exc.registration.Next] ; 恢复旧的EXCEPTION_REGISTRATION,从链表中摘除ExceptionRegistration

., ecx

.text:000110FE pop ecx

.text:000110FF pop edi

. pop esi

. pop ebx

. mov esp, ebp

. pop ebp

. retn

. _TestSeh@0 endp

用WinDbg来看看 scopetable 的内容：

kd> uf SEHx86!TestSeh

SEHx86!TestSeh []:

91de8030 8bff mov edi,edi

91de8032 push ebp

91de8033 8bec mov ebp,esp

91de8035 6afe push 0FFFFFFFEh

91de8037 68c890de91 push offset SEHx86!__safe_se_handler_table+0x8 (91de90c8)

91de803c 683081de91 push offset SEHx86!_except_handler4 (91de8130)

91de8041 64a100000000 mov eax,dword ptr fs:[00000000h]

91de8047 push eax

91de8048 83c4f4 add esp,0FFFFFFF4h

91de804b push ebx

91de804c push esi

91de804d push edi

91de804e a100a0de91 mov eax,dword ptr [SEHx86!__security_cookie (91dea000)]

91de8053 3145f8 ],eax

91de8056 33c5 xor eax,ebp

91de8058 push eax

91de8059 8d45f0 lea eax,[ebp-10h]

91de805c 64a300000000 mov dword ptr fs:[00000000h],eax

91de8062 8965e8 mov dword ptr [ebp-18h],esp

91de8065 c745e400000000

91de806c c745fc00000000 ],

91de8073 c745e411111111 mov dword ptr [ebp-1Ch],11111111h

91de807a c745fcfeffffff ],0FFFFFFFEh

91de8081 eb17 jmp SEHx86!TestSeh+0x6a (91de809a)

SEHx86!TestSeh+0x6a []:

91de809a c745fc01000000 ],

91de80a1 c745e422222222 mov dword ptr [ebp-1Ch],22222222h

91de80a8 c745fc02000000 ],

91de80af c745e433333333 mov dword ptr [ebp-1Ch],33333333h

91de80b6 8b45e4 mov eax,dword ptr [ebp-1Ch]

91de80b9 a300000000 mov dword ptr ds:[00000000h],eax

91de80be c745fc01000000 ],

91de80c5 e802000000 call SEHx86!TestSeh+0x9c (91de80cc)

91de80ca eb08 jmp SEHx86!TestSeh+0xa4 (91de80d4)

SEHx86!TestSeh+0xa4 []:

91de80d4 c745fcfeffffff ],0FFFFFFFEh

91de80db eb17 jmp SEHx86!TestSeh+0xc4 (91de80f4)

SEHx86!TestSeh+0xc4 []:

91de80f4 8b4df0 mov ecx,dword ptr [ebp-10h]

91de80f7 6489],ecx

91de80fe pop ecx

91de80ff 5f pop edi

91de8100 5e pop esi

91de8101 5b pop ebx

91de8102 8be5 mov esp,ebp

91de8104 5d pop ebp

91de8105 c3 ret

uf Windbg

kd> dd 91de90c8

91de90c8 【fffffffe 00000000 ffffffd4 00000000】 >>>16个字节的空间

91de90d8 【fffffffe 91de8083 91de8089】【fffffffe >>>3个socpetable_entry结构

91de90e8 91de80dd 91de80e3】【00000001 00000000

91de90f8 91de80cc】 00000000 00000000 00000000

91de9108 00000000 00000000 00000000 00000000

91de9118 00000000 00000000 00000000 00000000

91de9128 00000000 00000000 00000000 00000000

91de9138 00000000 00000000 00000000 00000000

接下来再看系统自己的handler函数

; _EXCEPTION_DISPOSITION __cdecl _except_handler4(_EXCEPTION_RECORD *ExceptionRecord, _EXCEPTION_REGISTRATION_RECORD *EstablisherFrame, _CONTEXT *ContextRecord, void *DispatcherContext)

. __except_handler4 proc near ; DATA XREF: TestSeh()+Co

. ; .rdata:___safe_se_handler_tableo

. ExceptionPointers= _EXCEPTION_POINTERS ptr -14h

. ScopeTableRecord= dword ptr -0Ch

. Disposition = dword ptr -

. Revalidate = byte ptr -

. ExceptionRecord = dword ptr

. EstablisherFrame= dword ptr 0Ch

. ContextRecord = dword ptr 10h

. DispatcherContext= dword ptr 14h

. mov edi, edi ; 这里的_EXCEPTION_REGISTRATION_RECORD是编译器增强版，不是wrk中的定义

. push ebp

. mov ebp, esp

. sub esp, 14h

. push ebx

. mov ebx, [ebp+EstablisherFrame]

.text:0001113C push esi

.] ; scopetable

. xor esi, ___security_cookie ; 解密scopetable

. push edi

. mov eax, [esi]

. ; BOOLEAN 用来表示是否执行过任何 scopetable_entry::lpfnFilter

. ; 函数的返回值，初始化为EXCEPTION_EXECUTE_HANDLER(0)

. lea edi, [ebx+10h] ; ebx为ExceptionRigstration,+10h即为_ebp

. cmp eax, 0FFFFFFFEh

.text:0001115A jz short loc_11169

.] ; 检验scopetable(1)

.text:0001115F add ecx, edi

. xor ecx, [eax+edi] ; cookie

. call @__security_check_cookie@4 ; __security_check_cookie(x)

. loc_11169: ; CODE XREF: __except_handler4+2Aj

. mov ecx, [esi+0Ch] ; 检验scopetable(2)

.text:0001116F add ecx, edi

. xor ecx, [eax+edi] ; cookie

. call @__security_check_cookie@4 ; __security_check_cookie(x)

. mov eax, [ebp+ExceptionRecord]

.], 66h ; wrk中的定义EXCEPTION_UNWIND equ 00066H

.text:0001117C ; ExceptionRecord->ExceptionFlags & EXCEPTION_UNWIND

.text:0001117C ; 判断是异常处理过程还是展开过程

. jnz $LN31 ; 展开

. mov ecx, [ebp+ContextRecord] ; 异常处理过程

. lea edx, [ebp+ExceptionPointers]

.], edx ; ebx是第二个参数ExceptionRigstrationRecord，

.text:0001118C ; [ebx-4]就是前文提到过的xpointers

.text:0001118F mov ebx, [ebx+0Ch] ; ebx = TryLevel

. mov [ebp+ExceptionPointers.ExceptionRecord], eax ; 将参数拷贝到自己的函数栈

. mov [ebp+ExceptionPointers.ContextRecord], ecx

. cmp ebx, 0FFFFFFFEh

.text:0001119B jz short loc_111FC

.text:000111A0

.text:000111A0 loc_111A0: ; CODE XREF: __except_handler4+A0j

.] ; eax=ebx*3

.+14h] ; 这里的eax*4加上上面的ebx*3,相当于是*12,

.text:000111A3 ; 为了跳过trylevel个scopetable_entry(大小为12个字节)

.text:000111A3 ; 然后+14h,为了过上文提到过的10h的一个坑，

.text:000111A3 ; 即ecx = scopetable[i].lpfnFilter

.+10h] ; eax = &scopetable[i]

.text:000111AB mov [ebp+ScopeTableRecord], eax ; ScopeTableRecord存放的就是当前异常

.text:000111AB ; 的ScopeTableEntry

.text:000111AE mov eax, [eax] ; eax = scopetable[i].previousTryLevel

.text:000111B0 mov [ebp+ExceptionRecord], eax

.text:000111B3 test ecx, ecx

.text:000111B5 jz short loc_111CB ; ecx =0,即lpfnHandler为NULL，则跳转

.text:000111B7 mov edx, edi ; edi = _ebp

.text:000111B9 call @_EH4_CallFilterFunc@8 ; 在函数里面 call ecx,即调用lpfnFilter

. ; 表示是否执行过 lpfnFilter

.text:000111C2 test eax, eax ; 检验lpfnHandler函数的返回值

.text:000111C4 jl short loc_11206 ; 如果是 EXCEPTION_CONTINUE_EXECUTION (-1) 就跳

.text:000111C6 jg short loc_1120F ; 如果是 EXCEPTION_EXECUTE_HANDLER (1) 就跳

.text:000111C8 mov eax, [ebp+ExceptionRecord] ; eax = scopetable[i].previousTryLevel

.text:000111CB

.text:000111CB loc_111CB: ; CODE XREF: __except_handler4+85j

.text:000111CB mov ebx, eax

.text:000111CD cmp eax, 0FFFFFFFEh ; cmp scopetable[i].previousTryLevel, TRYLEVEL_INVALID

.text:000111D0 jnz short loc_111A0 ; 不为TRYLEVEL_INVALID(-2)，跳转,寻找下一个

.text:000111D6 jz short loc_111FC ; 没有执行过 lpfnFilter，无需进行安全检查

.text:000111D8

.text:000111D8 loc_111D8: ; CODE XREF: __except_handler4+DDj

.text:000111D8 ; __except_handler4+14Fj

.text:000111D8 mov eax, [esi]

.text:000111DA cmp eax, 0FFFFFFFEh ; 根据 scopetable 空间的第一个DWORD值

.text:000111DA ; 判断是否需要做进一步的安全检查

.text:000111DD jz short loc_111EC

.] ; 检验scopetable完整性(1)

.text:000111E2 add ecx, edi

.text:000111E4 xor ecx, [eax+edi] ; cookie

.text:000111E7 call @__security_check_cookie@4 ; __security_check_cookie(x)

.text:000111EC

.text:000111EC loc_111EC: ; CODE XREF: __except_handler4+ADj

.text:000111EC mov ecx, [esi+0Ch] ; 检验scopetable完整性(2)

.text:000111F2 add ecx, edi

.text:000111F4 xor ecx, [edx+edi] ; cookie

.text:000111F7 call @__security_check_cookie@4 ; __security_check_cookie(x)

.text:000111FC

.text:000111FC loc_111FC: ; CODE XREF: __except_handler4+6Bj

.text:000111FC ; __except_handler4+A6j ...

.text:000111FC mov eax, [ebp+Disposition] ; 函数返回EXCEPTION_EXCUTE_HANDLER (1)

.text:000111FF pop edi

. pop esi

. pop ebx

. mov esp, ebp

. pop ebp

. retn

. ; ---------------------------------------------------------------------------

. loc_11206: ; CODE XREF: __except_handler4+94j

. ; 函数返回EXECEPTION_CONTINUE_SEARCH (0)

.text:0001120D jmp short loc_111D8

.text:0001120F ; ---------------------------------------------------------------------------

.text:0001120F

.text:0001120F loc_1120F: ; CODE XREF: __except_handler4+96j

.text:0001120F mov ecx, [ebp+EstablisherFrame] ; 全局展开操作

. call @_EH4_GlobalUnwind@4 ; _EH4_GlobalUnwind(x)

. mov eax, [ebp+EstablisherFrame]

.text:0001121A cmp [eax+0Ch], ebx

.text:0001121D jz short loc_11231

.text:0001121F push offset ___security_cookie

. push edi

. mov edx, ebx

. mov ecx, eax

. call @_EH4_LocalUnwind@16 ; _EH4_LocalUnwind(x,x,x,x)

.text:0001122E mov eax, [ebp+EstablisherFrame]

. loc_11231: ; CODE XREF: __except_handler4+EDj

. mov ecx, [ebp+ExceptionRecord]

. mov [eax+0Ch], ecx

. mov eax, [esi]

. cmp eax, 0FFFFFFFEh

.text:0001123C jz short loc_1124B

. add ecx, edi

. xor ecx, [eax+edi] ; cookie

. call @__security_check_cookie@4 ; __security_check_cookie(x)

.text:0001124B

.text:0001124B loc_1124B: ; CODE XREF: __except_handler4+10Cj

.text:0001124B mov ecx, [esi+0Ch]

. add ecx, edi

. xor ecx, [edx+edi] ; cookie

. call @__security_check_cookie@4 ; __security_check_cookie(x)

.text:0001125B mov eax, [ebp+ScopeTableRecord]

. mov edx, edi

. call @_EH4_TransferToHandler@8 ; _EH4_TransferToHandler(x,x)

. $LN31: ; CODE XREF: __except_handler4+50j

. mov edx, 0FFFFFFFEh

.text:0001126D cmp [ebx+0Ch], edx

. jz short loc_111FC

. push offset ___security_cookie

. push edi

. mov ecx, ebx

.text:0001127A call @_EH4_LocalUnwind@16 ; _EH4_LocalUnwind(x,x,x,x)

.text:0001127F jmp loc_111D8

.text:0001127F __except_handler4 endp

在函数的最后有展开操作，先学习一下展开的概念

我们假设一系列使用 SEH 的函数调用流程：

func1 -> func2 -> func3，然后在 func3 执行的过程中触发了异常。

看看分发异常流程 RtlRaiseException -> RtlDispatchException -> RtlpExecuteHandlerForException

RtlDispatchException 会遍历异常链表，对每个 EXCEPTION_REGISTRATION 都调用 RtlpExecuteHandlerForException。

RtlpExecuteHandlerForException 会调用 EXCEPTION_REGISTRATION::handler，也就是 PassThrough!_except_handler4。如咱们上面分析，该函数内部遍历 EXCEPTION_REGISTRATION::scopetable，如果遇到有 scopetable_entry::lpfnFilter 返回 EXCEPTION_EXECUTE_HANDLER，那么 scopetable_entry::lpfnHandler 就会被调用，来处理该异常。

因为 lpfnHandler 不会返回到 PassThrough!_except_handler4，于是执行完 lpfnHandler 后，就会从 lpfnHandler 之后的代码继续执行下去。也就是说，假设 func3 中触发了一个异常，该异常被 func1 中的 __except 处理块处理了，那 __except 处理块执行完毕后，就从其后的指令继续执行下去，即异常处理完毕后，接着执行的就是 func1 的代码。不会再回到 func2 或者 func3，这样就有个问题，func2 和 func3 中占用的资源怎么办？这些资源比如申请的内存是不会自动释放的，岂不是会有资源泄漏问题？

这就需要用到“展开”了。

所谓“展开”就是进行清理，这里的清理主要包含动态分配的资源的清理，栈空间是由 func1 的“mov esp,ebp” 这类操作顺手清理

那这个展开工作由谁来完成呢？由 func1 来完成肯定不合适，毕竟 func2 和 func3 有没有申请资源、申请了哪些资源，func1 无从得知。于是这个展开工作还得要交给 func2 和 func3 自己来完成。

展开分为两种：“全局展开”和“局部展开”。

全局展开是指针对异常链表中的某一段，局部展开针对指定 EXCEPTION_REGISTRATION。用上面的例子来讲，局部展开就是针对 func3 或 func2 （某一个函数）内部进行清理，全局展开就是 func2 和 func3 的局部清理的总和。再归纳一下，局部展开是指具体某一函数内部的清理，而全局展开是指，从异常触发点（func3）到异常处理点（func1）之间所有函数（包含异常触发点 func3）的局部清理的总和。

下面来看看wrk中RtlUwind的源代码:

VOID

RtlUnwind (

IN PVOID TargetFrame OPTIONAL,

IN PVOID TargetIp OPTIONAL,

IN PEXCEPTION_RECORD ExceptionRecord OPTIONAL,

IN PVOID ReturnValue

)

/*++

Routine Description:

This function initiates an unwind of procedure call frames. The machine

state at the time of the call to unwind is captured in a context record

and the unwinding flag is set in the exception flags of the exception

record. If the TargetFrame parameter is not specified, then the exit unwind

flag is also set in the exception flags of the exception record. A backward

walk through the procedure call frames is then performed to find the target

of the unwind operation.

N.B. The captured context passed to unwinding handlers will not be

a completely accurate context set for the 386. This is because

there isn't a standard stack frame in which registers are stored.

Only the integer registers are affected. The segment and

control registers (ebp, esp) will have correct values for

the flat 32 bit environment.

N.B. If you change the number of arguments, make sure you change the

adjustment of ESP after the call to RtlpCaptureContext (for

STDCALL calling convention)

Arguments:

TargetFrame - Supplies an optional pointer to the call frame that is the

target of the unwind. If this parameter is not specified, then an exit

unwind is performed.

TargetIp - Supplies an optional instruction address that specifies the

continuation address of the unwind. This address is ignored if the

target frame parameter is not specified.

ExceptionRecord - Supplies an optional pointer to an exception record.

ReturnValue - Supplies a value that is to be placed in the integer

function return register just before continuing execution.

Return Value:

None.

--*/

{

PCONTEXT ContextRecord;

CONTEXT ContextRecord1;

DISPATCHER_CONTEXT DispatcherContext;

EXCEPTION_DISPOSITION Disposition;

PEXCEPTION_REGISTRATION_RECORD RegistrationPointer;

PEXCEPTION_REGISTRATION_RECORD PriorPointer;

ULONG HighAddress;

ULONG HighLimit;

ULONG LowLimit;

EXCEPTION_RECORD ExceptionRecord1;

EXCEPTION_RECORD ExceptionRecord2;

// Get current stack limits.

RtlpGetStackLimits(&LowLimit, &HighLimit);

// If an exception record is not specified, then build a local exception

// record for use in calling exception handlers during the unwind operation.

if (ARGUMENT_PRESENT(ExceptionRecord) == FALSE) {

ExceptionRecord = &ExceptionRecord1;

ExceptionRecord1.ExceptionCode = STATUS_UNWIND;

ExceptionRecord1.ExceptionFlags = ;

ExceptionRecord1.ExceptionRecord = NULL;

ExceptionRecord1.ExceptionAddress = _ReturnAddress(); //返回地址

ExceptionRecord1.NumberParameters = ;

}

// If the target frame of the unwind is specified, then set EXCEPTION_UNWINDING

// flag in the exception flags. Otherwise set both EXCEPTION_EXIT_UNWIND and

// EXCEPTION_UNWINDING flags in the exception flags.

if (ARGUMENT_PRESENT(TargetFrame) == TRUE) {

ExceptionRecord->ExceptionFlags |= EXCEPTION_UNWINDING;

} else {

ExceptionRecord->ExceptionFlags |= (EXCEPTION_UNWINDING |

EXCEPTION_EXIT_UNWIND);

}

// Capture the context.

ContextRecord = &ContextRecord1;

ContextRecord1.ContextFlags = CONTEXT_INTEGER | CONTEXT_CONTROL | CONTEXT_SEGMENTS;

RtlpCaptureContext(ContextRecord);

// Adjust captured context to pop our arguments off the stack

ContextRecord->Esp += sizeof(TargetFrame) +

sizeof(TargetIp) +

sizeof(ExceptionRecord) +

sizeof(ReturnValue);

ContextRecord->Eax = (ULONG)ReturnValue;

// Scan backward through the call frame hierarchy, calling exception

// handlers as they are encountered, until the target frame of the unwind

// is reached.

RegistrationPointer = RtlpGetRegistrationHead();//异常链表头

while (RegistrationPointer != EXCEPTION_CHAIN_END) {

// If this is the target of the unwind, then continue execution

// by calling the continue system service.

//说明展开完毕

if ((ULONG)RegistrationPointer == (ULONG)TargetFrame) {

ZwContinue(ContextRecord, FALSE);

// If the target frame is lower in the stack than the current frame,

// then raise STATUS_INVALID_UNWIND exception.

} else if ( (ARGUMENT_PRESENT(TargetFrame) == TRUE) &&

((ULONG)TargetFrame < (ULONG)RegistrationPointer) ) {

//超出了异常链表的查找范围

ExceptionRecord2.ExceptionCode = STATUS_INVALID_UNWIND_TARGET;

ExceptionRecord2.ExceptionFlags = EXCEPTION_NONCONTINUABLE;

ExceptionRecord2.ExceptionRecord = ExceptionRecord;

ExceptionRecord2.NumberParameters = ;

RtlRaiseException(&ExceptionRecord2);

}

// If the call frame is not within the specified stack limits or the

// call frame is unaligned, then raise the exception STATUS_BAD_STACK.

// Else restore the state from the specified frame to the context

// record.

HighAddress = (ULONG)RegistrationPointer +

sizeof(EXCEPTION_REGISTRATION_RECORD);

//低于线程栈底或者高于线程栈顶，进行错误处理

if ( ((ULONG)RegistrationPointer < LowLimit) ||

(HighAddress > HighLimit) ||

(((ULONG)RegistrationPointer & )

// Allow for the possibility that the problem occured on the

// DPC stack.

ULONG TestAddress = (ULONG)RegistrationPointer;

//& 0x3 检查是否4字节对齐，IRQL级别，如果当前正在执行dpc操作，restart

) &&

KeGetCurrentIrql() >= DISPATCH_LEVEL) {

PKPRCB Prcb = KeGetCurrentPrcb();

ULONG DpcStack = (ULONG)Prcb->DpcStack;

if ((Prcb->DpcRoutineActive) &&

(HighAddress <= DpcStack) &&

(TestAddress >= DpcStack - KERNEL_STACK_SIZE)) {

// This error occured on the DPC stack, switch

// stack limits to the DPC stack and restart

// the loop.

HighLimit = DpcStack;

LowLimit = DpcStack - KERNEL_STACK_SIZE;

continue;

}

}

ExceptionRecord2.ExceptionCode = STATUS_BAD_STACK;

ExceptionRecord2.ExceptionFlags = EXCEPTION_NONCONTINUABLE;

ExceptionRecord2.ExceptionRecord = ExceptionRecord;

ExceptionRecord2.NumberParameters = ;

RtlRaiseException(&ExceptionRecord2);

} else {
//一般情况的展开

// The handler must be executed by calling another routine

// that is written in assembler. This is required because

// up level addressing of the handler information is required

// when a collided unwind is encountered.

//在内部调用Handler处理函数

Disposition = RtlpExecuteHandlerForUnwind(

ExceptionRecord,

(PVOID)RegistrationPointer,

ContextRecord,

(PVOID)&DispatcherContext,

RegistrationPointer->Handler);

// Case on the handler disposition.

//检查Handler的返回值

switch (Disposition) {

// The disposition is to continue the search. Get next

// frame address and continue the search.

case ExceptionContinueSearch :

break;

// The disposition is colided unwind. Maximize the target

// of the unwind and change the context record pointer.

case ExceptionCollidedUnwind :

// Pick up the registration pointer that was active at

// the time of the unwind, and simply continue.

RegistrationPointer = DispatcherContext.RegistrationPointer;

break;

// All other disposition values are invalid. Raise

// invalid disposition exception.

default :

ExceptionRecord2.ExceptionCode = STATUS_INVALID_DISPOSITION;

ExceptionRecord2.ExceptionFlags = EXCEPTION_NONCONTINUABLE;

ExceptionRecord2.ExceptionRecord = ExceptionRecord;

ExceptionRecord2.NumberParameters = ;

RtlRaiseException(&ExceptionRecord2);

break;

}

// Step to next registration record

PriorPointer = RegistrationPointer;

RegistrationPointer = RegistrationPointer->Next;

// Unlink the unwind handler, since it's been called.

RtlpUnlinkHandler(PriorPointer);

// If chain goes in wrong direction or loops, raise an

// exception.

}

}

if (TargetFrame == EXCEPTION_CHAIN_END) {

// Caller simply wants to unwind all exception records.

// This differs from an exit_unwind in that no "exit" is desired.

// Do a normal continue, since we've effectively found the

// "target" the caller wanted.

ZwContinue(ContextRecord, FALSE);

} else {

// Either (1) a real exit unwind was performed, or (2) the

// specified TargetFrame is not present in the exception handler

// list. In either case, give debugger and subsystem a chance

// to see the unwind.

ZwRaiseException(ExceptionRecord, ContextRecord, FALSE);

}

return;

}

wrk RtlUnwind

代码不长，主要功能也不复杂：从异常链表头开始遍历，一直遍历到指定 EXCEPTION_REGISTRATION_RECORD，对每个遍历到的 EXCEPTION_REGISTRATION_RECORD，执行 RtlpExecuteHandlerForUnwind 进行局部展开。

汇编代码如下，就不写注释了，直接看wrk源码更清晰

.text:00475C9B ; int __stdcall RtlUnwind(int, int, PEXCEPTION_RECORD ExceptionRecord, int)

.text:00475C9B public _RtlUnwind@16

.text:00475C9B _RtlUnwind@16 proc near ; CODE XREF: __global_unwind2+13p

.text:00475C9B ; _EH4_GlobalUnwind(x)+10p

.text:00475C9B

.text:00475C9B var_384= dword ptr -384h

.text:00475C9B var_380= dword ptr -380h

.text:00475C9B var_37C= dword ptr -37Ch

.text:00475C9B var_378= EXCEPTION_RECORD ptr -378h

.text:00475C9B var_328= dword ptr -328h

.text:00475C9B var_324= dword ptr -324h

.text:00475C9B var_320= dword ptr -320h

.text:00475C9B var_31C= dword ptr -31Ch

.text:00475C9B var_318= dword ptr -318h

.text:00475C9B Context= CONTEXT ptr -2D8h

.text:00475C9B ExceptionRecord= dword ptr 10h

.text:00475C9B arg_C= dword ptr 14h

.text:00475C9B

.text:00475C9B 8B FF mov edi, edi

. push ebp

.text:00475C9E 8B EC mov ebp, esp

. E4 F8 and esp, 0FFFFFFF8h

. EC sub esp, 384h

. 2A mov eax, ___security_cookie

. C4 xor eax, esp

. +mov [esp+384h+var_4], eax

. push ebx

. push esi

. push edi

. mov edi, [ebp+ExceptionRecord]

. lea eax, [esp+390h+var_380]

. push eax

. lea esi, [esp+394h+var_37C]

. 3D call _RtlpGetStackLimits@8 ; RtlpGetStackLimits(x,x)

. C0 test al, al

. 0A jnz short loc_475CD9

. C0 push 0C0000028h ; Status

.text:00475CD4 E8 9B D0 FB FF call _RtlRaiseStatus@4 ; RtlRaiseStatus(x)

.text:00475CD9 ; ---------------------------------------------------------------------------

.text:00475CD9

.text:00475CD9 loc_475CD9: ; CODE XREF: RtlUnwind(x,x,x,x)+32j

. F6 xor esi, esi

.text:00475CDB 3B FE cmp edi, esi

. 1F jnz short loc_475CFE

. lea edi, [esp+390h+var_328]

. +mov [esp+390h+var_328], 0C0000027h

. 6C mov [esp+390h+var_324], esi

. mov [esp+390h+var_320], esi

. mov [esp+390h+var_31C], eax

. mov [esp+390h+var_318], esi

.text:00475CFE

.text:00475CFE loc_475CFE: ; CODE XREF: RtlUnwind(x,x,x,x)+42j

. cmp [ebp+arg_0], esi

. jz short loc_475D09

. 4F ],

. jmp short loc_475D0D

.text:00475D09 ; ---------------------------------------------------------------------------

.text:00475D09

.text:00475D09 loc_475D09: ; CODE XREF: RtlUnwind(x,x,x,x)+66j

. 4F ],

.text:00475D0D

.text:00475D0D loc_475D0D: ; CODE XREF: RtlUnwind(x,x,x,x)+6Cj

. B8 +lea eax, [esp+390h+Context]

. push eax

. BC +mov [esp+394h+Context.ContextFlags], 10007h

. FE FF call _RtlpCaptureContext@4 ; RtlpCaptureContext(x)

. mov eax, [ebp+arg_C]

. 7C +add [esp+390h+Context._Esp], 10h

. +mov [esp+390h+Context._Eax], eax

. FE FF call _RtlpGetRegistrationHead@0 ; RtlpGetRegistrationHead()

.text:00475D3C 8B D8 mov ebx, eax

. FB FF cmp ebx, 0FFFFFFFFh

. DC jz loc_475E23

. F6 xor esi, esi

. inc esi

.text:00475D4A

.text:00475D4A loc_475D4A: ; CODE XREF: RtlUnwind(x,x,x,x)+180j

. cmp ebx, [ebp+arg_0]

. jnz short loc_475D60

. ; TestAlert

. BC +lea eax, [esp+394h+Context]

. push eax ; Context

.text:00475D59 E8 2A D5 FB FF call _ZwContinue@8 ; ZwContinue(x,x)

.text:00475D5E EB 2A jmp short loc_475D8A

.text:00475D60 ; ---------------------------------------------------------------------------

.text:00475D60

.text:00475D60 loc_475D60: ; CODE XREF: RtlUnwind(x,x,x,x)+B2j

. 7D

. jz short loc_475D8A

. 5D cmp [ebp+arg_0], ebx

. 1F jnb short loc_475D8A

. lea eax, [esp+390h+var_378]

. push eax ; ExceptionRecord

. 1C +mov [esp+394h+var_378.ExceptionCode], 0C0000029h

. mov [esp+394h+var_378.ExceptionFlags], esi

. 7C mov [esp+394h+var_378.ExceptionRecord], edi

. CF FB FF call _RtlRaiseException@4 ; RtlRaiseException(x)

.text:00475D8A ; ---------------------------------------------------------------------------

.text:00475D8A

.text:00475D8A loc_475D8A: ; CODE XREF: RtlUnwind(x,x,x,x)+C3j

.text:00475D8A ; RtlUnwind(x,x,x,x)+C9j

.text:00475D8A ; RtlUnwind(x,x,x,x)+CEj

. cmp ebx, [esp+390h+var_37C]

. jb short loc_475DF9

. cmp eax, [esp+390h+var_380]

. ja short loc_475DF9

. 5B jnz short loc_475DF9

.text:00475DA1 E8 ED A4 FF FF call _RtlIsValidHandler@8 ; RtlIsValidHandler(x,x)

. C0 test al, al

. 4F jz short loc_475DF9

. lea eax, [esp+394h+var_384]

. push eax

. C0 +lea eax, [esp+398h+Context]

. push eax

. push ebx

. push edi

.text:00475DBC E8 A7 FF FD FF call _RtlpExecuteHandlerForUnwind@20 ; RtlpExecuteHandlerForUnwind(x,x,x,x,x)

. dec eax

. jz short loc_475DED

. dec eax

. dec eax

. jz short loc_475DE9

. lea eax, [esp+390h+var_378]

. push eax ; ExceptionRecord

. 1C +mov [esp+394h+var_378.ExceptionCode], 0C0000026h

. mov [esp+394h+var_378.ExceptionFlags], esi

. 7C mov [esp+394h+var_378.ExceptionRecord], edi

. CF FB FF call _RtlRaiseException@4 ; RtlRaiseException(x)

.text:00475DE2 ; ---------------------------------------------------------------------------

.text:00475DE7 EB db 0EBh ;

. db

.text:00475DE9 ; ---------------------------------------------------------------------------

.text:00475DE9

.text:00475DE9 loc_475DE9: ; CODE XREF: RtlUnwind(x,x,x,x)+12Bj

. 0C mov ebx, [esp+390h+var_384]

.text:00475DED

.text:00475DED loc_475DED: ; CODE XREF: RtlUnwind(x,x,x,x)+127j

.text:00475DED 8B C3 mov eax, ebx

.text:00475DEF 8B 1B mov ebx, [ebx]

. push eax

. FE FF call _RtlpUnlinkHandler@4 ; RtlpUnlinkHandler(x)

.text:00475DF7 EB 1F jmp short loc_475E18

.text:00475DF9 ; ---------------------------------------------------------------------------

.text:00475DF9

.text:00475DF9 loc_475DF9: ; CODE XREF: RtlUnwind(x,x,x,x)+F3j

.text:00475DF9 ; RtlUnwind(x,x,x,x)+FCj

.text:00475DF9 ; RtlUnwind(x,x,x,x)+101j

.text:00475DF9 ; RtlUnwind(x,x,x,x)+10Dj

. lea eax, [esp+390h+var_378]

. push eax ; ExceptionRecord

. 1C +mov [esp+394h+var_378.ExceptionCode], 0C0000028h

. mov [esp+394h+var_378.ExceptionFlags], esi

. 7C mov [esp+394h+var_378.ExceptionRecord], edi

. CF FB FF call _RtlRaiseException@4 ; RtlRaiseException(x)

.text:00475E18 ; ---------------------------------------------------------------------------

.text:00475E18

.text:00475E18 loc_475E18: ; CODE XREF: RtlUnwind(x,x,x,x)+15Cj

. FB FF cmp ebx, 0FFFFFFFFh

. FF FF FF jnz loc_475D4A

. F6 xor esi, esi

.text:00475E23

.text:00475E23 loc_475E23: ; CODE XREF: RtlUnwind(x,x,x,x)+A6j

. 7D FF cmp [ebp+arg_0], 0FFFFFFFFh

. push esi ; SearchFrames

. BC +lea eax, [esp+394h+Context]

. push eax ; Context

. jnz short loc_475E39

. D4 FB FF call _ZwContinue@8 ; ZwContinue(x,x)

. jmp short loc_475E3F

.text:00475E39 ; ---------------------------------------------------------------------------

.text:00475E39

.text:00475E39 loc_475E39: ; CODE XREF: RtlUnwind(x,x,x,x)+195j

. push edi ; ExceptionRecord

.text:00475E3A E8 C5 E4 FB FF call _ZwRaiseException@12 ; ZwRaiseException(x,x,x)

.text:00475E3F

.text:00475E3F loc_475E3F: ; CODE XREF: RtlUnwind(x,x,x,x)+19Cj

. 8C +mov ecx, [esp+390h+var_4]

.text:00475E46 5F pop edi

.text:00475E47 5E pop esi

.text:00475E48 5B pop ebx

. CC xor ecx, esp

. FE FF call @__security_check_cookie@4 ; __security_check_cookie(x)

.text:00475E50 8B E5 mov esp, ebp

.text:00475E52 5D pop ebp

. retn 10h

.text:00475E53 _RtlUnwind@16 endp

asm RtlUnwind

再看_except_handler4中的局部展开

.text:000113C8 ; int __fastcall _EH4_LocalUnwind(_EXCEPTION_REGISTRATION_RECORD *EstablisherFrame, int TryLevel, int FrameEBP, int *CookiePointer)

.text:000113C8 @_EH4_LocalUnwind@16 proc near ; CODE XREF: __except_handler4+F9p

.text:000113C8 ; __except_handler4+14Ap

.text:000113C8

.text:000113C8

.text:000113C8 push ebp

.+FrameEBP] ; 切换ebp准备局部展开

.text:000113CD push edx ; TryLevel

.text:000113CE push ecx ; EstablisherFrame

.text:000113CF push [esp+0Ch+CookiePointer] ; CookiePointer

.text:000113D3 call __local_unwind4

.text:000113D8 add esp, 0Ch

.text:000113DB pop ebp

.text:000113DC @_EH4_LocalUnwind@16 endp

text:0001128C ; int __cdecl _local_unwind4(int *CookiePointer, _EXCEPTION_REGISTRATION_RECORD *EstablisherFrame, int TryLevel)

.text:0001128C __local_unwind4 proc near ; CODE XREF: _unwind_handler4+2Dp

.text:0001128C ; _seh_longjmp_unwind4(x)+10p ...

.text:0001128C

.text:0001128C var_20 = dword ptr -20h

.text:0001128C TryLevel = dword ptr 0Ch

.text:0001128C

.text:0001128C push ebx

.text:0001128D push esi

.text:0001128E push edi

.text:0001128F mov edx, [esp+0Ch+CookiePointer]

. mov eax, [esp+0Ch+EstablisherFrame]

. mov ecx, [esp+0Ch+TryLevel]

.text:0001129B push ebp

.text:0001129C push edx

.text:0001129D push eax

.text:0001129E push ecx

.text:0001129F push ecx

.text:000112A0 push offset _unwind_handler4 ; Handler,局部展开发生异常时调用

.text:000112AC mov eax, ___security_cookie

.text:000112B1 xor eax, esp

.text:000112B3 mov [esp+28h+var_20], eax

., esp ; 安装新的SEH

.text:000112BE

.text:000112BE _lu_top: ; CODE XREF: __local_unwind4+64j

.text:000112BE ; __local_unwind4+80j

.text:000112BE mov eax, [esp+28h+EstablisherFrame]

.] ; 获取ScopeTable

.text:000112C5 mov ecx, [esp+28h+CookiePointer]

.text:000112C9 xor ebx, [ecx] ; 解密scopetable

.text:000112CB mov esi, [eax+0Ch] ; 获取TryLevel

.text:000112CE cmp esi, 0FFFFFFFEh ; 判断是否遍历完毕

.text:000112D1 jz short _lu_done

.text:000112D3 mov edx, [esp+28h+TryLevel]

.text:000112D7 cmp edx, 0FFFFFFFEh

.text:000112DA jz short loc_112E0

.text:000112DC cmp esi, edx ; 判断当前__try是否在EXCEPTION_EXECUTE_HANDLER的__try语句里层

.text:000112DE jbe short _lu_done

.text:000112E0

.text:000112E0 loc_112E0: ; CODE XREF: __local_unwind4+4Ej

.+10h] ; 和_except_handler4中作用一样，不过这里是+0x10,取scopetable

.text:000112E7 mov ecx, [ebx]

.text:000112E9 mov [eax+0Ch], ecx ; 使当前异常帧指向上一个__try语句,也就是移除当前异常帧指向的

.text:000112F0 jnz short _lu_top

.text:000112F2 push 101h

.text:000112FA call __NLG_Notify

. call __NLG_Call ; 进入__finally块处理

.text:0001130C jmp short _lu_top ; 遍历上一个__try/__except(或__finally)

.text:0001130E ; ---------------------------------------------------------------------------

.text:0001130E

.text:0001130E _lu_done: ; CODE XREF: __local_unwind4+45j

.text:0001130E ; __local_unwind4+52j

. add esp, 18h

. pop edi

. pop esi

.text:0001131A pop ebx

.text:0001131B retn

.text:0001131B __local_unwind4 endp

看到了有人写出了C语言代码，直接就抄过来了

* 操作系统原始的SEH异常帧结构

* struct _EXCEPTION_REGISTRATION_RECORD{

* struct _EXCEPTION_REGISTRATION_RECORD *Next;

* _except_handler Handler;

* SEH异常处理函数原型

* EXCEPTION_DISPOSITION (__cdecl *PEXCEPTION_ROUTINE)(

* struct _EXCEPTION_RECORD *_ExceptionRecord,

* void * _EstablisherFrame,

* struct _CONTEXT *_ContextRecord,

* void * _DispatcherContext

* );

* C/C++编译器扩展SEH的异常帧结构:

* [ebp-18] ESP

* [ebp-14] PEXCEPTION_POINTERS xpointers;

* struct _EXCEPTION_REGISTRATION{

* [ebp-10] struct _EXCEPTION_REGISTRATION *Prev;

* [ebp-0C] PEXCEPTION_ROUTINE Handler;

* [ebp-08] struct _EH4_SCOPETABLE *ScopeTable;

* [ebp-04] int TryLevel;

* [ebp-00] int _Ebp;

* };

* C/C++运行库使用的SCOPE TABLE结构

* struct _EH4_SCOPETABLE {

* DWORD GSCookieOffset;

* DWORD GSCookieXOROffset;

* DWORD EHCookieOffset;

* DWORD EHCookieXOROffset;

* struct _EH4_SCOPETABLE_RECORD ScopeRecord;

* };

* C/C++运行库使用的SCOPE TABLE RECORD结构

* struct _EH4_SCOPETABLE_RECORD {

* DWORD EnclosingLevel; //上一层__try块

* PVOID FilterFunc; //过滤表达式

* union

* PVOID HandlerAddress; //__except块代码

* PVOID FinallyFunc; //__finally块代码

* };

* };

* 参数说明:

* CookiePointer - 安全码所在地址,用于解密异常帧的ScopeTable.

* EstablisherFrame - 当前异常帧结构

* TryLevel - __try/__except(EXCEPTION_EXECUTE_HANDLER)所在的__try

int __cdecl _local_unwind4(int *CookiePointer,

_EXCEPTION_REGISTRATION_RECORD *EstablisherFrame,

int TryLevel

)

{

//安装SEH,_local_unwind4局部展开发生异常时调用

__asm push _unwind_handler4

__asm push dword ptr fs:[]

__asm mov fs:[],esp

//解密ScopeTable

struct _EH4_SCOPETABLE * pScopeTable = EstablisherFrame->ScopeTable ^ (*CookiePointer);

struct _EH4_SCOPETABLE_RECORD * pScopeRecord = &pScopeTable->ScopeRecord;

//当前异常帧不存在__try块,退出!

while(EstablisherFrame->TryLevel != 0xFFFFFFFE)

{

//越里层的__try其TryLevel值越高,捕获异常的__try通常在引发异常__try的外层

//这里判断当前异常帧指向的__try的TryLevel值是否正常.

if(EstablisherFrame->TryLevel!=0xFFFFFFFE && EstablisherFrame->TryLevel <= TryLevel) break;

//移除当前__try/__except(__finally)信息,使其指向上一层__try块

EstablisherFrame->TryLevel = pScopeRecord->EnclosingLevel;

//__except过滤表达式存在,也就是__finally块不存在,向上一层__try/__except(__finally)遍历

if(pScopeRecord->FilterFunc) continue;

//作用未知!

__NLG_Notify();

//进入__finally块处理

pScopeRecord->FinallyFunc();

}

//恢复SEH

__asm pop dword ptr fs:[]

}

到这里概要流程就讲完了。在处理异常和展开过程中多处涉及到遍历操作，咱们来总结一下这些遍历操作。

1. 在异常处理过程中，每个被"卷入是非"的异常都至少会遍历异常链表两次（如果发生嵌套异常，比如在展开过程中

EXCEPTION_REGISTRATION_RECORD::Handler 又触发异常，则会遍历更多次。不过这也可以算作是一个新异常了。看如何理解。）。

一次是在 RtlDispatchException 中，遍历的目的是找到愿意处理该异常的 _EXCEPTION_REGISTRATION_RECORD。

另一次是在展开过程中、RtlUnwind 函数内，遍历的目录是为了对每个遍历到的 EXCEPTION_REGISTRATION_RECORD 进行局部展开。

2. 同样的，每个被"卷入是非"的异常的 scopetable 也会被遍历至少两次，

一次是在 modulename!_except_handler? 中，遍历目的也是找到愿意处理该异常的 scopetable_entry。

另一次是在展开过程中、_local_unwind4 函数内，遍历的目的是找到所有指定范围内的 scopetable_entry::lpfnFilter 为 NULL 的 scopetable_entry，调用它们的 lpfnHandler （即 __finally 处理块）。

转载（）