-
-
[求助]一个seh问题
-
发表于:
2016-6-3 11:01
6392
-
问题的代码在注释的地方:
#include <windows.h>
#include <stdio.h>
#include <stdlib.h>
typedef struct _EXCEPTION_REGISTRATION_RECORD
{
_EXCEPTION_REGISTRATION_RECORD *next;
PVOID handle;
}EXCEPTION_REGISTRATION_RECORD, *PEXCEPTION_REGISTRATION_RECORD;
int *a = NULL;
int b;
EXCEPTION_DISPOSITION __cdecl ExceptionHandle(EXCEPTION_RECORD *pRecord,
EXCEPTION_REGISTRATION_RECORD *pFram,
CONTEXT *pContext,
PVOID pValue)
{
DWORD dwThreadID = GetCurrentThreadId();
printf("except:%X\n", dwThreadID);
printf("exception code:%X, exception addr:%X, eip:%X\n", pRecord->ExceptionCode, pRecord->ExceptionAddress, pContext->Eip);
pContext->Eax = (DWORD)&b;
return ExceptionContinueExecution;
}
int _tmain(int argc, _TCHAR* argv[])
{
__asm
{
push ExceptionHandle
push fs:[0]
mov fs:[0], esp
}
DWORD dwThreadID = GetCurrentThreadId();
printf("normal:%X\n", dwThreadID);
__asm
{
push eax
mov eax, a
mov [eax], 10
pop eax
}
__asm
{
/*
mov eax, [esp]
mov fs:[0], eax
add esp, 4
add esp, 4
*/
pop fs:[0]
add esp,4
}
printf("after, b:%d\n", b);
EXCEPTION_ILLEGAL_INSTRUCTION;
MessageBox(NULL, _T("end"), _T("alert"), 0);
return 0;
}
问题描述:
1. 如果使用
pop fs:[0]
add esp,4
就会出现无限次跳入ExceptionHandle中
2. 如果使用
mov eax, [esp]
mov fs:[0], eax
add esp, 4
add esp, 4
只进入ExceptionHandle中一次,然后正常返回
3. 我研究了下两端代码是等效的啊
ps:
1. 我的编译环境是vs2010 运行环境xpsp3
2. 在vs2010链接选项中增加 /SAFESEH:NO
[课程]Linux pwn 探索篇!
