我写了一个简单的触发异常的main函数，编译后静态反汇编就不知道怎么还原代码了！特别是__except块中的代码和过滤器表达式中的代码的地址不知道怎么找。请大家帮帮我。谢谢。
附源代码和反汇编代码(部分)
#include <windows.h>
#include <stdio.h>
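/*
 * Hand-installed frame-based SEH handler (linked into the fs:[0] chain by
 * HomeGrownFrame()).
 *
 * It only reports the exception -- the code and the decoded flag bits -- and
 * then returns ExceptionContinueSearch, so the dispatcher keeps walking the
 * chain and the __except block in main() ends up handling the fault. Because
 * it declines the exception it is normally called again during the unwind,
 * which shows up in the output as EH_UNWINDING.
 *
 * ExceptionRecord   record describing the exception; the only argument read.
 * EstablisherFrame  the EXCEPTION_REGISTRATION this handler was registered
 *                   with (unused here).
 * ContextRecord     thread context at the fault (unused here).
 * DispatcherContext dispatcher state (unused here).
 *
 * Returns ExceptionContinueSearch unconditionally.
 */
EXCEPTION_DISPOSITION __cdecl _except_handler(
    struct _EXCEPTION_RECORD *ExceptionRecord,
    void *EstablisherFrame,
    struct _CONTEXT *ContextRecord,
    struct _DISPATCHER_CONTEXT *DispatcherContext
    )
{
    /* Flag bit -> label, in ascending bit order so the output order is unchanged. */
    static const struct { DWORD bit; const char *label; } flag_labels[] = {
        { 0x01, " EH_NONCONTINUABLE" },
        { 0x02, " EH_UNWINDING" },
        { 0x04, " EH_EXIT_UNWIND" },
        { 0x08, " EH_STACK_INVALID" },
        { 0x10, " EH_NESTED_CALL" },
    };
    const DWORD code = ExceptionRecord->ExceptionCode;
    const DWORD flags = ExceptionRecord->ExceptionFlags;
    size_t i;

    (void)EstablisherFrame;
    (void)ContextRecord;
    (void)DispatcherContext;

    /* ExceptionCode/ExceptionFlags are DWORD (unsigned long on Win32): the
     * conversion must be %lX, not %X, to match the argument type. */
    printf("Home Grown handler:Exception Code:%08lX Exception Flags %lX", code, flags);
    for (i = 0; i < sizeof flag_labels / sizeof flag_labels[0]; i++) {
        if (flags & flag_labels[i].bit) {
            printf("%s", flag_labels[i].label);
        }
    }
    printf("\n");

    /* Never handle it here: let the outer (compiler-generated) frame take it. */
    return ExceptionContinueSearch;
}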
/*
 * Builds an EXCEPTION_REGISTRATION record by hand on the stack, links it at
 * fs:[0], raises an access violation on purpose, and unlinks the record
 * again on the (never expected) normal path.
 *
 * The two __asm blocks depend on ESP being exactly where the pushes left it;
 * nothing between them may adjust the stack permanently. The record layout
 * is {prev, handler}: the second push (old fs:[0]) lands at ESP+0, the first
 * (handler) at ESP+4, which is the order the dispatcher expects.
 */
void HomeGrownFrame(void)
{
DWORD handler = (DWORD)_except_handler; // handler address as a plain DWORD so it can be pushed
__asm
{
push handler      ; record.handler  (ESP+4 after the next push)
push fs:[0]       ; record.prev     = current head of the SEH chain
mov fs:[0],esp    ; link: fs:[0] now points at our record
}
*(PDWORD)0 = 0; // deliberate write to address 0 -> access violation dispatched through fs:[0]
printf("I should never get here!\n"); // not expected to run: main()'s __except takes the fault and this frame is unwound
__asm
{
mov eax,[esp]     ; reload record.prev
mov fs:[0],eax    ; unlink our record from the chain
add esp,8         ; discard the two pushed dwords
}
}
/*
 * Entry point. Runs HomeGrownFrame() under a compiler-generated SEH frame
 * (__try/__except) so that the access violation raised inside it is caught
 * here once the hand-rolled handler declines it with ExceptionContinueSearch.
 *
 * Returns 0 on both the normal and the caught-exception path.
 */
int main(void)
{
    int rc = 0;

    __try {
        HomeGrownFrame();
    } __except (EXCEPTION_EXECUTE_HANDLER) {
        /* Filter always says "execute", so any exception from the __try body lands here. */
        (void)printf("Caught the exception in main()\n");
    }

    return rc;
}
.text:00401100 ; int __cdecl main(int argc, const char **argv, const char *envp)
.text:00401100 _main proc near ; CODE XREF: ___tmainCRTStartup+15Ap
.text:00401100
.text:00401100 var_18 = dword ptr -18h
.text:00401100 var_10 = dword ptr -10h
.text:00401100 var_8 = dword ptr -8
.text:00401100 var_4 = dword ptr -4
.text:00401100 argc = dword ptr 8
.text:00401100 argv = dword ptr 0Ch
.text:00401100 envp = dword ptr 10h
.text:00401100
.text:00401100 push ebp
.text:00401101 mov ebp, esp ; EBP-00 : _ebp
.text:00401103 push 0FFFFFFFEh ; EBP-04 trylevel (-2 = not inside any __try)
.text:00401105 push offset dword_40B320 ; EBP-08 pointer to the scopetable array (XOR-encoded below)
.text:0040110A push offset __except_handler4 ; EBP-0C address of the handler function
.text:0040110F mov eax, large fs:0
.text:00401115 push eax ; EBP-10 pointer to the previous EXCEPTION_REGISTRATION (old fs:[0])
.text:00401116 sub esp, 8 ; EBP-14 pointer to an EXCEPTION_POINTERS structure
.text:00401116 ; EBP-18 ESP (saved once the prolog is done, see below)
.text:00401119 push ebx
.text:0040111A push esi
.text:0040111B push edi
.text:0040111C mov eax, dword_40C0D4 ; presumably __security_cookie
.text:00401121 xor [ebp+var_8], eax ; scopetable = 44BF19B0 (poster's decoded value); stored XORed with the cookie so a stack overwrite cannot simply repoint it
.text:00401124 xor eax, ebp
.text:00401126 push eax ; cookie ^ ebp pushed below the frame (GS-style canary; presumably verified by __except_handler4)
.text:00401127 lea eax, [ebp+var_10]
.text:0040112A mov large fs:0, eax ; install the EXCEPTION_REGISTRATION record at fs:[0]
.text:00401130 mov [ebp+var_18], esp ; save the stack pointer (ESP) as it is after the prolog; the __except block restores it
.text:00401133 mov [ebp+var_4], 0 ; trylevel = 0: entering the __try block
.text:0040113A call sub_4010B0 ; presumably HomeGrownFrame(), the only call inside __try
.text:0040113F mov [ebp+var_4], 0FFFFFFFEh ; trylevel = -2: left the __try block normally
.text:00401146 jmp short loc_401165
.text:00401148 ; ---------------------------------------------------------------------------
.text:00401148 ; Filter expression of __except(EXCEPTION_EXECUTE_HANDLER): returns 1.
.text:00401148 ; No jump reaches it, which is why IDA shows no code xref: its address should be
.text:00401148 ; the FilterFunc dword of the scopetable record at dword_40B320
.text:00401148 ; (__except_handler4 record layout: EnclosingLevel, FilterFunc, HandlerFunc -- verify there).
.text:00401148 mov eax, 1
.text:0040114D retn
.text:0040114E ; ---------------------------------------------------------------------------
.text:0040114E ; __except block body. Its address should be the HandlerFunc dword of the same
.text:0040114E ; scopetable record; it is entered by the unwinder, not by a jump.
.text:0040114E mov esp, [ebp+var_18] ; restore the ESP saved at the end of the prolog
.text:00401151 push offset aCaughtTheExcep ; "Caught the exception in main()\n"
.text:00401156 call sub_401179 ; printf
.text:0040115B add esp, 4
.text:0040115E mov [ebp+var_4], 0FFFFFFFEh ; trylevel = -2 again
.text:00401165
.text:00401165 loc_401165: ; CODE XREF: _main+46j
.text:00401165 xor eax, eax ; return 0
.text:00401167 mov ecx, [ebp+var_10]
.text:0040116A mov large fs:0, ecx ; unlink: restore the previous fs:[0]
.text:00401171 pop ecx
.text:00401172 pop edi
.text:00401173 pop esi
.text:00401174 pop ebx
.text:00401175 mov esp, ebp
.text:00401177 pop ebp
.text:00401178 retn