//Microsoft Visual C++ Win32 SEH/C++ EH info parser //Version 3.0 2006.03.02 Igor Skochinsky <skochinsky@mail.ru> #include <idc.idc> #define __INCLUDED #include <ms_rtti.idc> static getEHRec() { auto id; id = GetStrucIdByName("EHRegistrationNode"); if (id==-1) { id = AddStruc(-1,"EHRegistrationNode"); ForceDWMember(id, 0, "pNext"); ForceDWMember(id, 4, "frameHandler"); ForceDWMember(id, 8, "state"); } return id; } static getEHRecCatch() { auto id; id = GetStrucIdByName("EHRegistrationNodeCatch"); if (id==-1) { id = AddStruc(-1,"EHRegistrationNodeCatch"); ForceDWMember(id, 0, "SavedESP"); ForceDWMember(id, 4, "pNext"); ForceDWMember(id, 8, "frameHandler"); ForceDWMember(id, 12, "state"); } return id; } static CommentStackEH(start, hasESP, EHCookie, GSCookie) { if (hasESP) CommentStack(start,-16, "__$EHRec$", getEHRecCatch()); else CommentStack(start,-12, "__$EHRec$", getEHRec()); if (GSCookie) CommentStack(start,-GSCookie, "__$GSCookie$",-1); if (EHCookie) CommentStack(start,-EHCookie, "__$EHCookie$",-1); } /* from frame.obj typedef struct _s_FuncInfo { unsigned int magicNumber; int maxState; const struct _s_UnwindMapEntry * pUnwindMap; unsigned int nTryBlocks; const struct _s_TryBlockMapEntry * pTryBlockMap; unsigned int nIPMapEntries; void * pIPtoStateMap; const struct _s_ESTypeList * pESTypeList; } FuncInfo; */ //handler: // mov eax, offset funcInfo // jmp ___CxxFrameHandler static ParseCxxHandler(func, handler, fixFunc) { auto x, start, y, z, end, i, count, t, u, i2, cnt2, a, hasESP; auto EHCookieOffset, GSCookieOffset; start = func; x = handler; y = x; z = x; EHCookieOffset=0; GSCookieOffset=0; // 8B 54 24 08 mov edx, [esp+8] if (matchBytes(x,"8B5424088D02")) x = x+6; // 8D 02 lea eax, [edx] else if (matchBytes(x,"8B5424088D42")) x = x+7; // 8D 42 xx lea eax, [edx+XXh] else if (matchBytes(x,"8B5424088D82")) x = x+10; // 8D 82 xx xx xx xx lea eax, [edx+XXh] else { Message("Function at %08X not recognized as exception handler!\n",x); return; } //EH cookie check: // 8B 4A xx mov ecx, [edx-XXh] // OR // 8B 8A xx xx xx xx mov ecx, [edx-XXh] // 33 C8 xor ecx, eax // E8 xx xx xx xx call __security_check_cookie if (matchBytes(x,"8B4A??33C8E8")) { //byte argument EHCookieOffset = (~Byte(x+2)+1)&0xFF; EHCookieOffset = 12 + EHCookieOffset; x = x+10; } else if (matchBytes(x,"8B8A????????33C8E8")) { //dword argument EHCookieOffset = (~Dword(x+2)+1); EHCookieOffset = 12 + EHCookieOffset; x = x+13; } if (matchBytes(x,"83C0")) x = x + 3; // 8B 4A xx add eax, XXh if (matchBytes(x,"8B4A??33C8E8")) { // 8B 4A xx mov ecx, [edx-XXh] // 33 C8 xor ecx, eax // E8 xx xx xx xx call __security_check_cookie GSCookieOffset = (~Byte(x+2)+1)&0xFF; GSCookieOffset = 12 + GSCookieOffset; x = x+10; } else if (matchBytes(x,"8B8A????????33C8E8")) { //dword argument GSCookieOffset = (~Dword(x+9)+1); GSCookieOffset = 12 + GSCookieOffset; x = x+13; } //Message("EH3: EH Cookie=%02X, GSCookie=%02X\n",EHCookieOffset, GSCookieOffset); if (Byte(x)==0xB8) { // 8B 4A xx xx xx mov eax, offset FuncInfo x = Dword(x+1); } else { Message("\"mov eax, offset FuncInfo\" not found at offset %08X!\n",x); return; } if (Dword(x)-0x19930520>0xF) { Message("Magic is not 1993052Xh!\n"); return; } Message(form("Detected function start at %08X\n",start)); u = x; //FuncInfo; //parse unwind handlers count = Dword(u+4); //maxState i=0; x = Dword(u+8); //pUnwindMap while (i<count) { t = Dword(x+4); //unwind action address if (t<MAXADDR && t>y) y=t; //find lowest if (t!=0 && t<z) z=t; //find highest x = x+8; i = i+1; } if (y==0) { Message("All pointers are NULL!\n"); return; } if (z>y) { Message("Something's very wrong!\n"); return; } end = FindFuncEnd(y); if (end==BADADDR) { if (fixFunc) MakeUnkn(y, 1); if (BADADDR == FindFuncEnd(y)) { Message(form("Can't find function end at 0x%08X\n",y)); return; } } Message(form("Handlers block: %08X-%08X\n", z, y)); if (GetFunctionFlags(start) == -1) { if (fixFunc) { MakeUnkn(start, 1); MakeCode(start); MakeFunction(start, BADADDR); } else { Message("There is no function defined at 0x%08X!\n", start); return; } } a = FindFuncEnd(start); Message("Function end: %08X\n", a); if (fixFunc) AnalyseArea(start,a); if (1)//(z>a) && ((z-a)>0x20)) { //the handlers block is too far from the function end, make it a separate chunk if (fixFunc) { Message("Making separate handlers block\n"); Unknown(z, y-z); MakeCode(z); MakeFunction(z,y); AnalyseArea(z,y); MakeCode(y); MakeFunction(y,BADADDR); } SetFunctionFlags(z, GetFunctionFlags(start) | FUNC_FRAME); SetFunctionCmt(z, form("Unwind handlers of %08X", start), 0); } else if (fixFunc) { Message("Merging handlers block with main function.\n"); Unknown(start, y-start); MakeCode(start); MakeFunction(start,y); AnalyseArea(start,y); } /* typedef const struct _s_TryBlockMapEntry { int tryLow; //00 int tryHigh; //04 int catchHigh; //08 int nCatches; //0C const struct _s_HandlerType * pHandlerArray; //10 } TryBlockMapEntry; typedef const struct _s_HandlerType { unsigned int adjectives; //00 struct TypeDescriptor * pType; //04 int dispCatchObj; //08 void * addressOfHandler; //0C } */ //parse catch blocks y = 0; z = 0x7FFFFFFF; i=0; count = Dword(u+12); //nTryBlocks x = Dword(u+16); //pTryBlocksMap Message("%d try blocks\n",count); while (i<count) { cnt2 = Dword(x+12); //nCatches a = Dword(x+16); //pHandlerArray i2 = 0; Message(" %d catches\n",cnt2); while (i2<cnt2) { t = Dword(a+12); //Message(" t=0x%08.8X\n",t); if (t!=BADADDR && t>y) y=t; //find lowest if (z>t) z=t; //find highest a = a+16; i2 = i2+1; } x = x+20; i = i+1; } hasESP = 0; if (count>0) { hasESP = 1; //Message("y=0x%08.8X, z=0x%08.8X\n",y,z); end = FindFuncEnd(y); if (end==BADADDR) { if (fixFunc) { MakeUnkn(y, 1); MakeCode(y); } if (BADADDR == FindFuncEnd(y)) { Message(form("Can't find function end at 0x%08X\n",y)); return; } } Message(form("Catch blocks: %08X-%08X\n", z, end)); y = FindFuncEnd(start); if (y ==-1 || end > y) { if (fixFunc) { Message("Merging catch blocks with main function.\n"); Unknown(start, end-start); MakeCode(start); MakeFunction(start,end); AnalyseArea(start,end); } else Message("Catch blocks are not inside the function!\n"); } } //comment unwind handlers i=0; count = Dword(u+4); //maxState x = Dword(u+8); //pUnwindMap while (i<count) { t = Dword(x+4); //unwind action address if (t!=0) MakeComm(t, form("state %d -> %d",i, Dword(x))); x = x+8; i = i+1; } Parse_FuncInfo(u, 0); CommentStackEH(func, hasESP, EHCookieOffset, GSCookieOffset); } static fixCxx(s, doSEH, fixFunc) { auto x, start; start = s; if ((Word(start) != 0xA164) || (Dword(start+2)!=0)) { Message("Should start with \"move eax, large fs:0\"!\n"); return; } if ( !doSEH && (Byte(start-10) == 0x55) && (Dword(start-9) == 0xFF6AEC8B)) { //(ebp frame) //00: 55 push ebp //01: 8B EC mov ebp, esp //03: 6A FF push 0FFFFFFFFh //05: 68 xx xx xx xx push loc_xxxxxxxx //0A: 64 A1 00 00 00 00 mov eax, large fs:0 //10: 50 push eax //11: 64 89 25 00 00 00 00 mov large fs:0, esp start = start - 10; x = Dword(start+6); //Message("Match 1\n"); } else if (!doSEH && (Word(start+9) == 0xFF6A) && (Byte(start+11)==0x68)) { //00: 64 A1 00 00 00 00 mov eax, large fs:0 //06: xx xx xx //09: 6A FF push 0FFFFFFFFh //0B: 68 xx xx xx xx push loc_xxxxxxxx //10: 50 push eax // x = Dword(start+12); //Message("Match 2\n"); } else if (!doSEH && (Word(start-7) == 0xFF6A) && (Byte(start-5)==0x68)) { //-7: 6A FF push 0FFFFFFFFh //-5: 68 xx xx xx xx push loc_xxxxxxxx //00: 64 A1 00 00 00 00 mov eax, large fs:0 //06: 50 push eax //07: 64 89 25 00 00 00 00 mov large fs:0, esp // x = Dword(start-4); start = start-7; //Message("Match 3\n"); } else if (!doSEH && (Word(start+6) == 0xFF6A) && (Byte(start+8)==0x68)) { //00: 64 A1 00 00 00 00 mov eax, large fs:0 //06: 6A FF push 0FFFFFFFFh //08: 68 xx xx xx xx push loc_xxxxxxxx //0D: 50 push eax //0E: 64 89 25 00 00 00 00 mov large fs:0, esp x = Dword(start+9); //Message("Match 4\n"); } else if (doSEH && (Byte(start-5)==0x68) && (Byte(start-10)==0x68) && (Dword(start-15)==0x6AEC8B55)) { //-15: 55 push ebp //-14: 8B EC mov ebp, esp //-12: 6A F? push 0FFFFFFF?h //-10: 68 xx xx xx xx push offset __sehtable$_func1 //-5 : 68 xx xx xx xx push offset _except_handlerx //00 : 64 A1 00 00 00 00 mov eax, large fs:0 x = Dword(start-9); //Message("Match 5\n"); if (Byte(start-11) == 0xFF) //-1 = SEH3 fixSEHFunc(start-15,x, 3, fixFunc); else if (Byte(start-11) == 0xFE) //-2 = SEH4 fixSEHFunc(start-15,x, 4, fixFunc); else Message("Unknown SEH handler!\n"); return; } else { //probably a custom handler //Message("\"push 0FFFFFFFFh; push offset loc\" not found!\n"); return; } Message(form("Fixing function at 0x%08X\n",start)); ParseCxxHandler(start, x, fixFunc); } static doEHProlog(name,fixFunc) { auto i,s,a; a=LocByName(name); if (a==BADADDR) return; Message("%s = %08X\n",name,a); i=RfirstB(a); while(i!=BADADDR) { Message("- %08X - ",i); // -5: mov eax, offset loc_XXXXXX // 0: call __EH_prolog if (Byte(i-5)==0xB8) ParseCxxHandler(i-5, Dword(i-4),fixFunc); else { Message(form("No mov eax, offset loc_XXXXXX at %08X!!!\n",i-5)); return; } if (SetFunctionFlags(i,GetFunctionFlags(i) | FUNC_FRAME)) { MakeFrame(i,GetFrameLvarSize(i), 4, GetFrameArgsSize(i)); if (fixFunc) AnalyseArea(i, FindFuncEnd(i)+1); Message("OK\n"); } else Message("Error\n"); i=RnextB(a,i); } } static doEHPrologs(name, fixFunc) { doEHProlog("j"+name,fixFunc); doEHProlog("j_"+name,fixFunc); doEHProlog(name,fixFunc); doEHProlog("_"+name,fixFunc); } static fixEHPrologs(fixFunc) { doEHPrologs("_EH_prolog",fixFunc); doEHPrologs("_EH_prolog3",fixFunc); doEHPrologs("_EH_prolog3_catch",fixFunc); doEHPrologs("_EH_prolog3_GS",fixFunc); doEHPrologs("_EH_prolog3_catch_GS",fixFunc); } static isInCodeSeg(a) { if (SegName(a)==".text") return 1; else return 0; } //check a scopetable entry static checkEntry(a,i,ver) { auto x; x = Dword(a); //EnclosingLevel should be negative or less than i if (x&0x80000000) { if (ver==3 && x!=0xFFFFFFFF) return 0; if (ver==4 && x!=0xFFFFFFFE) return 0; } else if (x>=i) return 0; x = Dword(a+4); if ((x!=0) && !isInCodeSeg(x)) //filter should be zero or point to the code return 0; x = Dword(a+8); if (!isInCodeSeg(x)) //handler should point to the code return 0; //check if there are xref to fields (i.e. after the end of the scopetable) if (((ver!=3)||(i>0)) && isRef(GetFlags(a))) return 0; if (isRef(GetFlags(a+4)) || isRef(GetFlags(a+8))) return 0; return 1; } //check if there's a valid scopetable and calculate number of entries in it static checkScopeTable(a, ver) { auto i,k; if (ver==4) { k = Dword(a); if ((k&0x80000000)==0) //first field should be negative return 0; if ((k!=0xFFFFFFFE) && (k&3)!=0) //GS cookie offset should be -2 or dword-aligned return 0; k = Dword(a+8); if ((k&0x80000000)==0) //offset should be negative return 0; if ((k&3)!=0) //EH cookie offset should be dword-aligned return 0; a = a+16; //move to the scope entries list } i = 0; while (checkEntry(a,i,ver)) { i = i+1; a = a+12; } return i; } /* struct _EH4_EXCEPTION_REGISTRATION_RECORD { void* SavedESP; _EXCEPTION_POINTERS* ExceptionPointers; _EXCEPTION_REGISTRATION_RECORD* Next; enum _EXCEPTION_DISPOSITION (*Handler)(_EXCEPTION_RECORD*, void*, _CONTEXT*, void*); DWORD EncodedScopeTable; unsigned long TryLevel; }; */ static getSEHRec() { auto id; id = GetStrucIdByName("SEHRegistrationNode"); if (id==-1) { id = AddStruc(-1,"SEHRegistrationNode"); ForceDWMember(id, 0, "SavedESP"); ForceDWMember(id, 4, "ExceptionPointers"); ForceDWMember(id, 8, "Next"); ForceDWMember(id, 12, "Handler"); ForceDWMember(id, 16, "EncodedScopeTable"); ForceDWMember(id, 20, "TryLevel"); } return id; } static CommentStackSEH(start, scopetable) { auto x; CommentStack(start,-24, "__$SEHRec$", getSEHRec()); if (scopetable) { x = Dword(scopetable); if (x!=-2) CommentStack(start,x, "__$GSCookie$", -1); x = Dword(scopetable+8); CommentStack(start,x, "__$EHCookie$", -1); } } static fixSEHFunc(func, scopetable, ver, fixFunc) { auto k,i,t,u,x,y,z,hasESP,end; k = checkScopeTable(scopetable, ver); if (k==0) { Message("Bad scopetable\n"); return; } Message("function: %08X, scopetable: %08X (%d entries)\n", func, scopetable, k); x = scopetable; if (ver==4) x = x+16; //parse the scopetable! y = 0; z = 0x7FFFFFFF; i = 0; hasESP = 0; while (i<k) { t = Dword(x+4); if (t) { hasESP=1; if (t>y) y=t; //find lowest if (z>t) z=t; //find highest //Message("t=0x%08.8X\n",t); //check the code just before, it could be jump to the end of try if (Byte(t-2)==0xEB) t = getRelJmpTarget(t-2); else if (Byte(t-5)==0xE9) t = getRelJmpTarget(t-5); //Message("t=0x%08.8X\n",t); if (t>y) y=t; //find lowest if (z>t) z=t; //find highest } t = Dword(x+8); //check the code just before, it could be jump to the end of try if (t>y) y=t; //find lowest if (z>t) z=t; //find highest //Message("t=0x%08.8X\n",t); if (Byte(t-2)==0xEB) t = getRelJmpTarget(t-2); else if (Byte(t-5)==0xE9) t = getRelJmpTarget(t-5); //Message("t=0x%08.8X\n",t); if (t>y) y=t; //find lowest if (z>t) z=t; //find highest x = x+12; i = i+1; } //Message("y=0x%08.8X, z=0x%08.8X\n",y,z); if (1) { end = FindFuncEnd(y); if (end==BADADDR) { if (fixFunc) { MakeUnkn(y, 1); MakeCode(y); } if (BADADDR == FindFuncEnd(y)) { Message(form("Can't find function end at 0x%08X\n",y)); return; } } //Message(form("Except blocks: %08X-%08X\n", z, end)); z = FindFuncEnd(func); if (z ==-1 || end > z && fixFunc) { //Message("Merging except blocks with main function.\n"); Unknown(func, end-func); MakeCode(func); MakeFunction(func,end); AnalyseArea(func,end); } } //walk once more and fix finally entries x = scopetable; if (ver==4) x = x+16; i = 0; while (fixFunc && i<k) { if (Dword(x+4)==0 && Dword(x+8)==y) { //the last handler is a finally handler //check that it ends with a ret, call or jmp z = FindFuncEnd(y); if (z!=BADADDR && !(Byte(z-1)==0xC3 || Byte(z-5)==0xE9 || Byte(z-5)==0xE8 || Byte(z-2)==0xEB || Byte(z-1)==0xCC || Word(z-6)==0x15FF) ) { //we need to add the following funclet to our function end = FindFuncEnd(z); if (end!=BADADDR) { Unknown(z, end-z); MakeCode(z); SetFunctionEnd(func,end); } } } x = x+12; i = i+1; } //comment the table and handlers x = scopetable; ExtLinA(x,0,form("; SEH scopetable for %08X",func)); if (ver==4) { OffCmt(x,"GSCookieOffset"); OffCmt(x+4,"GSCookieXOROffset"); OffCmt(x+8,"EHCookieOffset"); OffCmt(x+12,"EHCookieXOROffset"); x = x+16; CommentStackSEH(func,scopetable); } else CommentStackSEH(func,0); i = 0; while (i<k) { ForceDword(x); SoftOff(x+4); SoftOff(x+8); MakeComm(x, form("try block %d, enclosed by %d",i, Dword(x))); t = Dword(x+4); //exception filter if (t!=0) ExtLinA(t,0,form("; __except() filter for try block %d",i)); u = Dword(x+8); if (t!=0) ExtLinA(u,0,form("; __except {} handler for try block %d",i)); else ExtLinA(u,0,form("; __finally {} handler for try block %d",i)); x = x+12; i = i+1; } } static doSEHProlog(name, ver, fixFunc) { auto i,s,locals,scopetable,k,l,func,a; a=LocByName(name); if (a==BADADDR) return; Message("%s = %08X\n",name,a); i=RfirstB(a); while(i!=BADADDR) { Message("- %08X - ",i); // -10 68 xx xx xx xx push xx // or // -7 6A xx push xx // -5 68 xx xx xx xx push OFFSET __sehtable$_func // 0 e8 00 00 00 00 call __SEH_prolog // // locals = -1; scopetable=0; if (Byte(i-5)==0x68) { scopetable = Dword(i-4); if (Byte(i-7)==0x6A) { func = i-7; locals = Byte(func+1); } else if (Byte(i-10)==0x68) { func = i-10; locals = Dword(func+1); } if (GetFunctionFlags(func)==-1 && fixFunc) { MakeUnkn(func, 1); MakeCode(func); MakeFunction(func, BADADDR); } if (SetFunctionFlags(func,GetFunctionFlags(func)|FUNC_FRAME)) { MakeFrame(func, GetFrameLvarSize(func), 4, GetFrameArgsSize(func)); fixSEHFunc(func, scopetable, ver, fixFunc); Message("OK\n"); } else Message("Error\n"); } i=RnextB(a,i); } } static doSEHPrologs(name, ver, fixFunc) { doSEHProlog("j"+name, ver, fixFunc); doSEHProlog("j_"+name, ver, fixFunc); doSEHProlog(name, ver, fixFunc); doSEHProlog("_"+name, ver, fixFunc); } static fixSEHPrologs(fixFunc) { doSEHPrologs("_SEH_prolog",3, fixFunc); doSEHPrologs("__SEH_prolog",3, fixFunc); doSEHPrologs("_SEH_prolog4",4, fixFunc); doSEHPrologs("__SEH_prolog4",4, fixFunc); doSEHPrologs("_SEH_prolog4_GS",4, fixFunc); doSEHPrologs("__SEH_prolog4_GS",4, fixFunc); } static findFunc(name) { auto a; a = LocByName("j_"+name); if (a==BADADDR) a = LocByName(name); return a; } static doSEH(fixFunc) { auto start, a; start = 0; while (1) { //mov eax, large fs:0 start = FindBinary(start+1, 3, "64 A1 00 00 00 00"); if (start==BADADDR) break; fixCxx(start,1,fixFunc); } fixSEHPrologs(fixFunc); } static doEH(fixFunc) { auto start, a; start = 0; while (1) { //mov eax, large fs:0 start = FindBinary(start+1, 3, "64 A1 00 00 00 00"); if (start==BADADDR) break; fixCxx(start,0,fixFunc); } fixEHPrologs(fixFunc); } static main(void) { auto seh, fixseh, eh, fixeh; seh = AskYN(1, "Do you wish to parse all Win32 SEH handlers?"); if (seh==-1) return; if (seh) { fixseh = AskYN(1, "Do you wish to fix function boundaries as needed?"); if (fixseh==-1) return; } eh = AskYN(1, "Do you wish to parse all C++ EH handlers?"); if (eh==-1) return; if (eh) { fixeh = AskYN(1, "Do you wish to fix function boundaries as needed?"); if (fixeh==-1) return; } if (seh) doSEH(fixseh); if (eh) doEH(fixeh); //fixCxx(ScreenEA()); }